XSS (No, the _other_ 'S') - CSSConf EU 2013

I had the distinct pleasure of talking with folks at this year’s CSSConf EU about the dangers of content-injection attacks. They’re not just for JavaScripters, you see: CSS is dangerous too! They’ve just posted the video, and I think it’s worth a little under a half-hour of your time to skim through. You’ll be shocked to learn that Content Security Policy makes an appearance.

Credit is due to Mario Heiderich, et al. for their excellent paper “Scriptless Attacks - Stealing the Pie Without Touching the Sill”, from which I stole much of the attack-based content. Awesome stuff.

Transcript is coming, but for now, please do enjoy the embedded video and slides below:


The video is 29m long, and up on YouTube for your viewing enjoyment.


The slides are up on Speaker Deck (which is awesome), and I actually used Speaker Deck to present the slides from someone else’s laptop since my computer decided not to connect to the conference’s projector. I love you, Speaker Deck!

