XSS is dead – Browser Security Features that Eliminate Bug Classes


BSides Las Vegas 2025 · Day 1

**Yavan** delivers a fast-paced survey arguing that **cross-site scripting (XSS)** remains a top bug class not because browsers lack defenses, but because organizations remain **reactive**, under-automate secure defaults, and are slow to adopt **modern browser-enforced controls**. The talk anchors browser features as a first-class practice in the **OWASP Top 10 Proactive Controls** (the 2024 edition, whose **C8** is **"Leverage Browser Security Features"**), and uses **Google's "security signals"** research as a template for **measuring adoption** at scale by injecting and observing security headers at **reverse proxies** (e.g., **nginx**, **Cloudflare**) rather than touching each application. The speaker positions the shift as **defense in depth** that can **eliminate** certain vulnerability classes outright when the controls are deployed strictly (enforcing mode, not report-only), rather than merely reduce incident frequency.

AI review

A competent AppSec architecture talk: good framing, useful references (OWASP C8, Sec-Fetch metadata, Trusted Types), and a credible enterprise rollout story via reverse proxies. It is not new research, but it packages modern browser mitigations into an actionable program shape.
