Room 5

16:20 - 17:20

Talk (60 min)

The Last XSS Defense Talk

Why are we still talking about Cross Site Scripting in 2020? Because it is painfully difficult to defend against XSS even to this day.


In this talk we'll address new defensive strategies such as modern JavaScript framework defense in Angular, React, Vue and other frameworks. We'll also look at how CSP deployment has changed in the past 7 years, illustrating the progressive use of Content Security Policy that supports CSP v1, v2 and v3 concurrently.

We will then look at advances in HTML sanitization on both the client and server, and focus on sanitizers and defensive libraries that have stood the test of time in terms of maintenance and security. We'll also look at interesting design topics such as how HTML injection is still critical even in the face of rigorous XSS defense, how HttpOnly cookies are largely ineffective, and how Trusted Types is making your favorite frameworks more secure.
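As an added illustration of the two points above (one CSP header that CSP v1, v2 and v3 browsers all enforce, plus the Trusted Types directive), here is example code that is not from the talk: it builds such a layered header and models how each CSP level decides whether a script runs. The nonce and the CDN URL are constructed values.

```javascript
// Added example (not from the talk): one CSP header written so that CSP1, CSP2 and
// CSP3 browsers each enforce the strongest policy they understand. NONCE is a
// constructed stand-in for a fresh per-response random value.
const NONCE = 'c0n5truct3dN0nc3';

function buildLayeredCsp(nonce) {
  // Token roles: 'nonce-…' + 'strict-dynamic' for CSP3; https: allow-list for CSP2;
  // 'unsafe-inline' only as the CSP1 fallback. Newer levels ignore the weaker tokens.
  return [
    `script-src 'nonce-${nonce}' 'strict-dynamic' https: 'unsafe-inline'`,
    "object-src 'none'",
    "base-uri 'none'",
    "require-trusted-types-for 'script'", // CSP3 only; older browsers skip unknown directives
  ].join('; ');
}

function scriptSrcTokens(header) {
  const m = header.match(/script-src\s+([^;]+)/);
  return m ? m[1].trim().split(/\s+/) : [];
}

// Model of how a browser at a given CSP level decides whether a script runs.
// script = { inline: true, nonce?: string } or { inline: false, src: string }.
function allowsScript(header, level, script) {
  let tokens = scriptSrcTokens(header);
  if (level === 1) {
    // CSP1 drops source expressions it does not know: nonces, hashes, 'strict-dynamic'.
    tokens = tokens.filter(t => !/^'(nonce-|sha\d{3}-|strict-dynamic)/.test(t));
  }
  const hasNonce = tokens.some(t => t.startsWith("'nonce-"));
  const strictDynamic = level >= 3 && tokens.includes("'strict-dynamic'");
  // CSP2 and later: a nonce (or hash) in the list disables 'unsafe-inline'.
  const unsafeInline = tokens.includes("'unsafe-inline'") && !hasNonce;
  if (script.nonce && tokens.includes(`'nonce-${script.nonce}'`)) return true;
  if (script.inline) return unsafeInline;          // injected inline script
  if (strictDynamic) return false;                 // CSP3: host allow-list is ignored
  return tokens.includes('https:') && /^https:\/\//.test(script.src); // CSP1/2 allow-list
}

// Decision table across levels for three representative scripts.
function decisionMatrix(header) {
  const cases = {
    noncedInline: { inline: true, nonce: NONCE },
    injectedInline: { inline: true },
    externalHttps: { inline: false, src: 'https://cdn.example.test/app.js' }, // constructed URL
  };
  const out = {};
  for (const level of [1, 2, 3]) {
    out[level] = {};
    for (const [name, s] of Object.entries(cases)) out[level][name] = allowsScript(header, level, s);
  }
  return out;
}

console.log(JSON.stringify(decisionMatrix(buildLayeredCsp(NONCE)), null, 2));
```

The table shows the trade-off the layered header makes: a CSP1-only browser still runs injected inline script, while CSP2 blocks it and CSP3 additionally stops unnonced scripts loaded from the https: allow-list.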

This talk should help developers and security professionals alike build a focused and modern strategy to defend against XSS in modern applications.

Jim Manico

Jim Manico is the founder of Manicode Security where he trains software developers on secure coding and security engineering. He is also an investor/advisor for Nucleus Security, BitDiscovery, SecureCircle, and Inspectiv. Jim is a frequent speaker on software security practices, is a member of the Java Champion community, and is the author of "Iron-Clad Java: Building Secure Web Applications" from Oracle Press. Jim also volunteers for the OWASP foundation as the project lead for the OWASP Application Security Verification Standard and the OWASP Cheatsheet Series. For more information, see