Blackbox Reversing Of XSS Filters presented at REcon 2008

by Alexander Sotirov


Summary: Many of us limit ourselves to what we already know and don't look for new challenges. I've spent a long time reversing x86 code, but there are a lot of other interesting targets out there. Cross site scripting vulnerabilities and web security in general are perceived to not be interesting enough for hardcore reversers, but this talk aims to dispel this notion.
We all know that web apps are the future, but where do we, reversers, fit in this brave new world? I will present the challenges of blackbox reversing and the beauty of reconstructing complicated algorithms based on nothing but some well chosen inputs and outputs. I will demonstrate the tools I've written to make this easier and perhaps drop a few 0days as well :-)