Hostile JavaScript: Attacking And Defending The Browser, a talk by Todd H. Gardner
This talk by Todd H. Gardner at NDC London 2023 is a great reminder that we need to be deliberate about assessing what code we allow to run on our websites. My favourite bit is Todd’s realisation that he set out to make a useful targeted debugging tool and accidentally made “cross site scripting as a service”.
Here’s the blurb:
How much JavaScript is on your website? Do you know what it does? No, really, have you looked at the code and seen what it does? Probably not.
JavaScript controls the client side environment, and we can use it to compromise users, consume resources, and steal data. Yet many websites continue to add scripts without review, audit, or thought.
Let’s explore what JavaScript can do to a browser, the vectors that JavaScript can get added to websites, and how we can defend against JavaScript attacks.