Published on Apr 2, 2017
Slide-deck: https://www.owasp.org/images/9/97/OWA...

The postMessage API is a known source of DOM XSS vulnerabilities on web sites. Browser extensions can use messaging too, and if an extension fails to handle incoming messages securely, it may lead to a universal XSS. This talk will present an analysis of Chrome extensions aimed at discovering vulnerabilities caused by insecure postMessage listeners in the content scripts that browser extensions insert into web pages. The research will demonstrate examples of vulnerable Chrome extensions and explain the threats they present to end users and how those threats can be mitigated.
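As an added illustration of the mitigation side (not code from the talk, the slides, or any extension they analyse), the sketch below shows how a content script's `message` listener can validate incoming messages before acting on them. The message types, the `validateMessage` helper and the `ext-badge` element id are assumptions made for this example.

```javascript
// Added example: validation for a content-script "message" listener.
// ALLOWED_TYPES, the message shape and validateMessage are hypothetical.
const ALLOWED_TYPES = new Set(["setBadgeText", "openOptions"]);

// Returns a sanitized command object, or null if the message must be dropped.
// The page is still untrusted input: checks 1 and 2 only narrow who can send,
// the allowlist (3, 4) and the choice of sink do the real work.
function validateMessage(event, pageWindow, pageOrigin) {
  // 1. Accept only messages posted by the page's own window; embedded frames
  //    and other windows can also call postMessage on it.
  if (event.source !== pageWindow) return null;
  // 2. Compare the origin exactly, never by substring or loose regex.
  if (event.origin !== pageOrigin) return null;
  // 3. Require a plain object carrying a known message type.
  const data = event.data;
  if (data === null || typeof data !== "object" || Array.isArray(data)) return null;
  if (typeof data.type !== "string" || !ALLOWED_TYPES.has(data.type)) return null;
  // 4. Copy only the expected fields, typed and length-bounded.
  const cmd = { type: data.type };
  if (data.type === "setBadgeText") {
    if (typeof data.text !== "string" || data.text.length > 16) return null;
    cmd.text = data.text;
  }
  return cmd;
}

// Wiring inside a content script (skipped when run outside a browser).
if (typeof window !== "undefined" && typeof document !== "undefined") {
  window.addEventListener("message", (event) => {
    const cmd = validateMessage(event, window, window.location.origin);
    if (!cmd) return;
    if (cmd.type === "setBadgeText") {
      // textContent never parses markup, unlike innerHTML, document.write or eval.
      const el = document.getElementById("ext-badge"); // hypothetical element id
      if (el) el.textContent = cmd.text;
    }
  });
}
```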