35C3 ChaosWest – Nothing new about XSS in impress.js
https://www.ispeech.org/text.to.speech
https://media.ccc.de/v/35c3chaoswest-17-nothing-new-about-xss-in-impress-js
I built a small demonstrator for Cross-Site-Scripting (XSS) attacks in impress.js. It would be a waste to let it stay on my computer, because I think it could help you giving a brief lecture on XSS. Much more interesting, probably, is my implementation of the whole thing: the cockpit (a header and footer that provide a visual frame, while the viewpoint navigates the 3-dimensional space of your presentation) and the handling of input to modify contents of successive slides.
While I don't think to tell you anything new about cross-site scripting, I hope you are interested in the two features I add to the impress.js examples. Well the XSS-part also is interesting in itself, but I am astonished every time I find this weakness in the wild, because it is not difficult to prevent. Thus, if you also learn about XSS in the progress, I am happy.
Mostly the presentation will show you two new example techniques for presentations with impress.js
The cockpit: just some fixed headers and footer in the layout. But better graphical artists might actually turn this into a real cockpit view. In the end it is only a wee bitty of css, but it is something that turns a 3-d animation into a flight through the slide-space.
Value-transfer: Why using JavaScript to present static slides, it makes no sense to not utilise a fully-fledged, yet tedious, interpreter environment — your web-browser — if you don't make something more dynamic with your slides. For example transferring inputs between slides and execute contents to demonstrate the effects of XSS.
inj4n
https://fahrplan.chaos-west.de/35c3chaoswest/talk/RZ7NWT
2018-12-30 02:45:52
source
Gloss