Yesterday my employment contract ended, after more than ten years at a big software company. I feel free now. Weirdly. 'Cause it's not like I wasn't free in my work there. I had a lot of freedom in what I was working on and how I organized my work. And I was working alongside some great colleagues from all around the world.
I haven't left on bad terms either. In fact, I might have stayed longer, if it weren't for some very favorable circumstances. As I wrote in my goodbye email to co-workers, the company made me an offer that I could not reject. (Not just me, I should mention. Many others got a similar offer, and some accepted it.)
Anyway, this week I finished my last work goal. Well, more of a side-project: I gave a talk about "The Browser's Same Origin Policy". For this talk, I showed demos in the XSS Demo App that's running alongside this blog (as I announced a couple of years ago). For this new talk (but not just for this) I've made several improvements to this web-app:
- Hosting on two distinct subdomains, in order to demo cross-origin stuff. Here they are:
- https://xss.meeque.de (same as before)
- https://yss.meeque.de (new)
- Several stand-alone HTML probes and mocks that the XSS Demo App can interact with. Look for new payload presets that make use of these!
- Payload outputs that are based on jQuery code, complementing the existing outputs (pure HTML, DOM APIs, Angular templates). Not sure why I had not added these earlier. Well, under the hood it’s all DOM anyway.
- Numerous library upgrades. Most notably, upgraded Angular across several major release versions.
- Lots of refactoring, which has made it much easier to implement the above improvements. Some of the code is still a little awkward. But I guess that's what you get when you use a sophisticated framework like Angular for a web application that aims to showcase the intricacies of low-level browser behavior.
- And an infinite increase in automated test coverage. Easy to achieve when you start at zero.
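Since the second subdomain exists purely to demonstrate cross-origin behavior, here is an added example (my own illustration, not code from the XSS Demo App) of the origin comparison the browser performs under the Same Origin Policy, run against the two demo hosts. It also shows the receiving side of a cross-origin postMessage, with a sloppy origin check next to a strict one. The trusted-origin list and the simulated message events are assumptions made for the example.

```javascript
// Added example, not part of the XSS Demo App.
// The Same Origin Policy compares the tuple (scheme, host, port). The WHATWG
// URL parser serializes exactly that tuple as .origin and drops default ports,
// so "https://host:443/" and "https://host/" end up equal.
function originOf(urlString) {
  return new URL(urlString).origin;
}

// Two URLs are same-origin only if the whole tuple matches; path, query and
// fragment never count.
function isSameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Constructed URL pairs for the two demo hosts.
const originPairs = [
  ["https://xss.meeque.de/", "https://xss.meeque.de/other/path?q=1"], // same origin
  ["https://xss.meeque.de/", "https://yss.meeque.de/"],               // host differs
  ["https://xss.meeque.de/", "http://xss.meeque.de/"],                // scheme differs
  ["https://xss.meeque.de/", "https://xss.meeque.de:8443/"],          // port differs
];

// Receiving side of window.postMessage. A substring or suffix test on
// event.origin is a classic bug: "https://evil-meeque.de" and
// "https://yss.meeque.de.attacker.example" both satisfy loose checks.
function acceptsMessageLoosely(event) {
  return event.origin.includes("meeque.de");
}

// Strict version: the whole serialized origin must appear in an allow-list.
// Assumed allow-list for the example; the demo app's real configuration is
// not shown on this page.
const TRUSTED_ORIGINS = ["https://xss.meeque.de", "https://yss.meeque.de"];

function acceptsMessageStrictly(event, trustedOrigins = TRUSTED_ORIGINS) {
  // "null" is the opaque origin (sandboxed iframes, data: URLs); never trust it.
  if (typeof event.origin !== "string" || event.origin === "null") return false;
  return trustedOrigins.includes(event.origin);
}

// Constructed message events, shaped like MessageEvent for the fields used here.
const messages = [
  { origin: "https://yss.meeque.de", data: "hello from yss" },
  { origin: "https://evil-meeque.de", data: "spoofed" },
  { origin: "https://yss.meeque.de.attacker.example", data: "spoofed" },
  { origin: "null", data: "from a sandboxed frame" },
];

for (const [a, b] of originPairs) {
  console.log(`${a} vs ${b}: same origin = ${isSameOrigin(a, b)}`);
}
for (const m of messages) {
  console.log(`${m.origin}: loose=${acceptsMessageLoosely(m)} strict=${acceptsMessageStrictly(m)}`);
}
```

Run it with `node` to see that only the first URL pair is same-origin, and that the loose check accepts three of the four constructed messages while the strict check accepts only the one from yss.meeque.de.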
There are also some new ideas that I haven't implemented yet:
- The style library that I’ve used is causing some pain. I’ll either need to fix the integration, or switch to a different one.
- Some inline documentation would not hurt. For now, I’m the only one who knows how to use all of the app’s capabilities. Explanations for individual payload presets and payload outputs would not hurt either.
- CSP support could be added to show how different policies can help prevent certain XSS attacks.
- Saving custom payload presets could be helpful. Browser storage should be sufficient for this. And maybe some import/export capabilities.
- Adding some serious XSS challenges sounds like fun. Should be easy to implement as payload outputs.
Not sure if any of this will ever materialize. I'm free for this kinda stuff now, at least for the next couple of months. But there are also some other ideas floating around.