Agenda

• status updates
• csp `unsafe-eval`
• anyone tried https://github.com/toolness/security-adventure ?

Status Updates

• mgoodwin
  • superfish: hotfix to remove the root cert from firefox
  • flag a root ca in the local store to change the EV icon displayed

• freddy
  • b2g themes/l10n
    • http://www.hgi.rub.de/media/emma/veroeffentlichungen/2012/08/16/scriptlessAttacks-ccs2012.pdf
  • html sanitization with js template strings / quasi literals

var firstName = prompt();
escapingFunction `<a href=# title="${title}"> click me ${linktext} </a>`

// title = "onerror=....
// linktext = <script>....</script>
function escapingFunction(string, variables) {
    string = <a href=# title="1"> click me 2 </a>`
}

• • reader-mode in nightly (spare-time project :))

• ulfr
  • IdFix: https://github.com/jvehent/idfix
  • websec hell: 320 unresolved bugs. 204 of these bugs are not assigned to anybody, with 136 created before 2014.

• psiinon
  • ZAP tweaks
  • simon got accepted into owasp appsec eu :-P

• jeff
  • Working on tweaks to make mongo look like crossfilter for moar realtime updates to things like pie charts, histograms.
  • Got a start at enabling oculus rift in the attacker screen