Princeton University

School of Engineering & Applied Science

The Dropbox XSS Immune System

Devdatta Akhawe, Dropbox
Engineering Quadrangle, Room B205
Tuesday, March 22, 2016 - 11:00am to 12:00pm

Abstract: Cross-site scripting (XSS) is one of the most common vulnerabilities affecting modern web applications. While there is no silver bullet that prevents every XSS concern, Dropbox relies on a distinctive array of mitigations that massively reduce the risk of a successful XSS exploit. These mechanisms include language-based techniques, dynamic analysis, and privilege separation. We will discuss how all of these techniques combine to provide a robust, at-scale mitigation against cross-site scripting. We will also discuss modern mitigations such as Content Security Policy, the risk introduced by JS frameworks, and how to mitigate that risk.
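To make the "layers that combine" point concrete, here is an added example (not Dropbox's code and not from the talk) showing two of the mitigations named in the abstract working together: a language-level output escape for untrusted text, and a per-response nonce-based Content Security Policy that refuses any script the template did not mark. The function names, the exact policy directives, and the untrusted input string are assumptions constructed for this illustration.

```python
"""Added illustration: output escaping plus a nonce-based CSP as two
independent XSS layers. Hypothetical code, not Dropbox's implementation."""
import base64
import html
import re
import secrets


def make_nonce() -> str:
    """Fresh, unguessable per-response nonce (128 bits, base64-encoded)."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def csp_header_value(nonce: str) -> str:
    """Content-Security-Policy value: only scripts carrying this nonce run.
    Directive set is a constructed example, not a recommended universal policy."""
    return (
        "default-src 'self'; "
        f"script-src 'nonce-{nonce}' 'strict-dynamic'; "
        "object-src 'none'; base-uri 'none'"
    )


def render_greeting(untrusted_name: str, nonce: str, escape: bool = True) -> str:
    """Render a page. With escape=True the untrusted text is escaped for the
    HTML text context (the language-based layer); escape=False models a
    template that forgot to escape, so the CSP layer must catch the result."""
    name = html.escape(untrusted_name, quote=True) if escape else untrusted_name
    return (
        "<!doctype html><html><body>"
        f"<h1>Hello, {name}</h1>"
        f'<script nonce="{nonce}">console.log("app loaded");</script>'
        "</body></html>"
    )


_SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
_NONCE_ATTR = re.compile(r"""\bnonce\s*=\s*["']([^"']*)["']""", re.IGNORECASE)


def scripts_blocked_by_policy(body: str, nonce: str) -> list:
    """Return the attribute strings of <script> tags that the nonce policy would
    refuse to execute (no nonce attribute, or a nonce that does not match).
    Handy as a CI check that templates and the emitted header agree."""
    blocked = []
    for match in _SCRIPT_TAG.finditer(body):
        attrs = match.group(1)
        found = _NONCE_ATTR.search(attrs)
        if found is None or found.group(1) != nonce:
            blocked.append(attrs.strip())
    return blocked


def build_response(untrusted_name: str) -> dict:
    """Tie the pieces together: one nonce per response, used in both places."""
    nonce = make_nonce()
    body = render_greeting(untrusted_name, nonce)
    headers = {"Content-Security-Policy": csp_header_value(nonce)}
    return {"headers": headers, "body": body, "nonce": nonce}


if __name__ == "__main__":
    # Constructed untrusted input: harmless, but shaped like injected markup.
    injected = '<script>console.log("injected")</script>'
    resp = build_response(injected)
    print(resp["headers"]["Content-Security-Policy"])
    print(resp["body"])
    # Escaping layer worked: nothing for the policy to block.
    print("blocked (escaped):", scripts_blocked_by_policy(resp["body"], resp["nonce"]))
    # Escaping forgotten: the policy layer still refuses the unnonced script.
    raw = render_greeting(injected, resp["nonce"], escape=False)
    print("blocked (unescaped):", scripts_blocked_by_policy(raw, resp["nonce"]))
```

Run as a script to see both outcomes: with escaping on, the injected markup is rendered as text and the blocked list is empty; with escaping off, the injected tag appears without a nonce and `scripts_blocked_by_policy` reports it, which is exactly what a browser enforcing the header would refuse to run. The two layers fail independently, which is the whole reason to deploy both.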
Biography: Devdatta is a security engineer at Dropbox. Before that, he received a PhD in Computer Science from UC Berkeley, where he was advised by Dawn Song. His graduate research focused on browser and web application security. Before that, he got a Bachelor's degree in Computer Science from BITS Pilani. During these travels, he interned at Mozilla, Microsoft (MSRC), Yahoo! Labs, and Microsoft Research. He is also the co-editor of the Subresource Integrity and Suborigins specifications at the W3C. More info about him (including how to pronounce his name) is at