
Playlist "ChaosWest @ 35c3"

Nothing new about XSS in impress.js

inj4n

I built a small demonstrator for Cross-Site Scripting (XSS) attacks in impress.js. It would be a waste to let it stay on my computer, because I think it could help you give a brief lecture on XSS. Much more interesting, probably, is my implementation of the whole thing: the cockpit (a header and footer that provide a visual frame, while the viewpoint navigates the 3-dimensional space of your presentation) and the handling of input to modify the contents of successive slides.

While I don't expect to tell you anything new about cross-site scripting, I hope you are interested in the two features I add to the impress.js examples. Well, the XSS part is also interesting in itself, but I am astonished every time I find this weakness in the wild, because it is not difficult to prevent. Thus, if you also learn about XSS in the process, I am happy.

Mostly, the presentation will show you two new example techniques for presentations with impress.js:

The cockpit: just some fixed headers and footers in the layout. But better graphical artists might actually turn this into a real cockpit view. In the end it is only a wee bit of CSS, but it is something that turns a 3-d animation into a flight through the slide-space.

Value-transfer: When using JavaScript to present static slides, it makes no sense not to utilise a fully-fledged, yet tedious, interpreter environment — your web browser — to make something more dynamic with your slides. For example, transferring inputs between slides and executing contents to demonstrate the effects of XSS.