{"guid":"df01776d-607c-598e-917f-2ffd406c4330","title":"Nothing new about XSS in impress.js","subtitle":null,"slug":"35c3chaoswest-17-nothing-new-about-xss-in-impress-js","link":"https://fahrplan.chaos-west.de/35c3chaoswest/talk/RZ7NWT","description":"I built a small demonstrator for Cross-Site Scripting (XSS) attacks in impress.js. It would be a waste to let it stay on my computer, because I think it could help you give a brief lecture on XSS. Much more interesting, probably, is my implementation of the whole thing: the cockpit (a header and footer that provide a visual frame, while the viewpoint navigates the 3-dimensional space of your presentation) and the handling of input to modify the contents of successive slides.\n\nWhile I don't think I will tell you anything new about cross-site scripting, I hope you are interested in the two features I add to the impress.js examples. Well, the XSS part is also interesting in itself, but I am astonished every time I find this weakness in the wild, because it is not difficult to prevent. Thus, if you also learn about XSS in the process, I am happy.\n\nMostly the presentation will show you two new example techniques for presentations with impress.js.\n\nThe cockpit: just some fixed headers and a footer in the layout. But better graphical artists might actually turn this into a real cockpit view. In the end it is only a wee bit of CSS, but it is something that turns a 3-D animation into a flight through the slide-space.\n\nValue transfer: Why use JavaScript to present static slides? It makes no sense not to utilise a fully-fledged, yet tedious, interpreter environment — your web browser — if you don't make something more dynamic with your slides. For example, transferring inputs between slides and executing contents to demonstrate the effects of XSS.","original_language":"deu","persons":["inj4n"],"tags":["35c3-chaoswest","17"],"view_count":421,"promoted":false,"date":"2018-12-29T00:00:00.000+01:00","release_date":"2018-12-30T01:00:00.000+01:00","updated_at":"2025-08-06T10:00:03.774+02:00","length":1175,"duration":1175,"thumb_url":"https://static.media.ccc.de/media/congress/35C3-chaoswest/17-hd.jpg","poster_url":"https://static.media.ccc.de/media/congress/35C3-chaoswest/17-hd_preview.jpg","timeline_url":"https://static.media.ccc.de/media/congress/35C3-chaoswest/17-hd.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/congress/35C3-chaoswest/17-hd.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/35c3chaoswest-17-nothing-new-about-xss-in-impress-js","url":"https://api.media.ccc.de/public/events/df01776d-607c-598e-917f-2ffd406c4330","conference_title":"ChaosWest @ 35c3","conference_url":"https://api.media.ccc.de/public/conferences/35C3-chaoswest","related":[{"event_id":6447,"event_guid":"1cc2086d-bfd7-53fd-8ae2-25efc204bcdf","weight":12},{"event_id":6453,"event_guid":"bf490104-3595-5d88-a4b1-f39899e768f7","weight":16},{"event_id":6461,"event_guid":"f42631ca-d3ec-5baf-8642-85c0b1cadc89","weight":17},{"event_id":6504,"event_guid":"b4850756-d05b-5689-818b-b4b3b233244e","weight":16},{"event_id":6505,"event_guid":"c22707f5-d850-5827-9334-c48446f69fd2","weight":18},{"event_id":6510,"event_guid":"5b7a598e-95a6-58fa-b390-96a66a1cd7b5","weight":21},{"event_id":6536,"event_guid":"0a4a43e0-2b8d-424c-aaa3-101c843de75c","weight":16},{"event_id":6539,"event_guid":"0cd6c4d6-5260-53d1-8abe-111907e394a6","weight":15},{"event_id":6540,"event_guid":"0a1a58a4-7700-502b-b8f2-405f3e42c1bc","weight":12},{"event_id":6543,"event_guid":"48ed6dea-e67d-4866-8c35-318e9d892363","weight":14},{"event_id":6545,"event_guid":"400622c5-3754-43fd-aaf3-0ca00e9ad551","weight":5},{"event_id":6555,"event_guid":"208a0d4d-bd15-5795-82aa-563e270001d5","weight":24},{"event_id":6560,"event_guid":"7956605c-adae-5563-ab8c-c97b6781fefa","weight":11},{"event_id":6561,"event_guid":"9a59a736-ef6f-57ec-9261-e632cac8b51c","weight":12},{"event_id":6572,"event_guid":"8de552ac-9a4d-5b37-b4eb-e0576d64dfe5","weight":14},{"event_id":6573,"event_guid":"04c8e1d6-ccde-596c-8d15-1fe758d0bc0e","weight":12},{"event_id":6584,"event_guid":"38b1c87c-d474-5d11-8559-df4a1e18b507","weight":7},{"event_id":6588,"event_guid":"f106b309-ffa8-5800-b9bf-00acb573e48c","weight":13},{"event_id":6589,"event_guid":"afa54ff4-f64e-5426-b822-50342f5d4ce9","weight":21},{"event_id":6600,"event_guid":"68619725-72ae-5645-8b6c-8e645e5d9c47","weight":13},{"event_id":6603,"event_guid":"ea00d1e0-a580-415f-a8cf-f02883d939dc","weight":20},{"event_id":6611,"event_guid":"b1b28bd0-5279-4950-8385-9ee8a57187f9","weight":14}],"recordings":[{"size":null,"length":null,"mime_type":"application/x-subrip","language":"deu","filename":"DRAFT_35c3-chaoswest-17-deu-Nothing_new_about_XSS_in_impressjs.de_DRAFT.srt","state":"todo","folder":"","high_quality":true,"width":null,"height":null,"updated_at":"2024-02-04T19:35:32.624+01:00","recording_url":"https://cdn.media.ccc.de/congress/35C3-chaoswest/DRAFT_35c3-chaoswest-17-deu-Nothing_new_about_XSS_in_impressjs.de_DRAFT.srt","url":"https://api.media.ccc.de/public/recordings/74399","event_url":"https://api.media.ccc.de/public/events/df01776d-607c-598e-917f-2ffd406c4330","conference_url":"https://api.media.ccc.de/public/conferences/35C3-chaoswest"},{"size":null,"length":null,"mime_type":"text/vtt","language":"eng","filename":"df01776d-607c-598e-917f-2ffd406c4330-eng.vtt","state":"todo","folder":"","high_quality":true,"width":null,"height":null,"updated_at":"2021-02-21T20:02:39.540+01:00","recording_url":"https://cdn.media.ccc.de/congress/35C3-chaoswest/df01776d-607c-598e-917f-2ffd406c4330-eng.vtt","url":"https://api.media.ccc.de/public/recordings/51459","event_url":"https://api.media.ccc.de/public/events/df01776d-607c-598e-917f-2ffd406c4330","conference_url":"https://api.media.ccc.de/public/conferences/35C3-chaoswest"},{"size":84,"length":1175,"mime_type":"video/mp4","language":"deu","filename":"35c3-chaoswest-17-deu-Nothing_new_about_XSS_in_impressjs_hd.mp4","state":"new","folder":"h264-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2018-12-30T03:40:22.518+01:00","recording_url":"https://cdn.media.ccc.de/congress/35C3-chaoswest/h264-hd/35c3-chaoswest-17-deu-Nothing_new_about_XSS_in_impressjs_hd.mp4","url":"https://api.media.ccc.de/public/recordings/32153","event_url":"https://api.media.ccc.de/public/events/df01776d-607c-598e-917f-2ffd406c4330","conference_url":"https://api.media.ccc.de/public/conferences/35C3-chaoswest"},{"size":17,"length":1157,"mime_type":"audio/mpeg","language":"deu","filename":"35c3-chaoswest-17-deu-Nothing_new_about_XSS_in_impressjs_mp3.mp3","state":"new","folder":"mp3","high_quality":false,"width":0,"height":0,"updated_at":"2018-12-30T11:14:35.647+01:00","recording_url":"https://cdn.media.ccc.de/congress/35C3-chaoswest/mp3/35c3-chaoswest-17-deu-Nothing_new_about_XSS_in_impressjs_mp3.mp3","url":"https://api.media.ccc.de/public/recordings/32264","event_url":"https://api.media.ccc.de/public/events/df01776d-607c-598e-917f-2ffd406c4330","conference_url":"https://api.media.ccc.de/public/conferences/35C3-chaoswest"},{"size":31,"length":1175,"mime_type":"video/mp4","language":"deu","filename":"35c3-chaoswest-17-deu-Nothing_new_about_XSS_in_impressjs_sd.mp4","state":"new","folder":"h264-sd","high_quality":false,"width":720,"height":576,"updated_at":"2018-12-30T11:14:58.800+01:00","recording_url":"https://cdn.media.ccc.de/congress/35C3-chaoswest/h264-sd/35c3-chaoswest-17-deu-Nothing_new_about_XSS_in_impressjs_sd.mp4","url":"https://api.media.ccc.de/public/recordings/32265","event_url":"https://api.media.ccc.de/public/events/df01776d-607c-598e-917f-2ffd406c4330","conference_url":"https://api.media.ccc.de/public/conferences/35C3-chaoswest"},{"size":45,"length":1175,"mime_type":"video/webm","language":"deu","filename":"35c3-chaoswest-17-deu-Nothing_new_about_XSS_in_impressjs_webm-sd.webm","state":"new","folder":"webm-sd","high_quality":false,"width":720,"height":576,"updated_at":"2018-12-30T11:15:22.929+01:00","recording_url":"https://cdn.media.ccc.de/congress/35C3-chaoswest/webm-sd/35c3-chaoswest-17-deu-Nothing_new_about_XSS_in_impressjs_webm-sd.webm","url":"https://api.media.ccc.de/public/recordings/32266","event_url":"https://api.media.ccc.de/public/events/df01776d-607c-598e-917f-2ffd406c4330","conference_url":"https://api.media.ccc.de/public/conferences/35C3-chaoswest"},{"size":123,"length":1175,"mime_type":"video/webm","language":"deu","filename":"35c3-chaoswest-17-deu-Nothing_new_about_XSS_in_impressjs_webm-hd.webm","state":"new","folder":"webm-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2018-12-30T11:16:03.215+01:00","recording_url":"https://cdn.media.ccc.de/congress/35C3-chaoswest/webm-hd/35c3-chaoswest-17-deu-Nothing_new_about_XSS_in_impressjs_webm-hd.webm","url":"https://api.media.ccc.de/public/recordings/32267","event_url":"https://api.media.ccc.de/public/events/df01776d-607c-598e-917f-2ffd406c4330","conference_url":"https://api.media.ccc.de/public/conferences/35C3-chaoswest"},{"size":12,"length":1157,"mime_type":"audio/opus","language":"deu","filename":"35c3-chaoswest-17-deu-Nothing_new_about_XSS_in_impressjs_opus.opus","state":"new","folder":"opus","high_quality":false,"width":0,"height":0,"updated_at":"2018-12-30T11:16:09.896+01:00","recording_url":"https://cdn.media.ccc.de/congress/35C3-chaoswest/opus/35c3-chaoswest-17-deu-Nothing_new_about_XSS_in_impressjs_opus.opus","url":"https://api.media.ccc.de/public/recordings/32268","event_url":"https://api.media.ccc.de/public/events/df01776d-607c-598e-917f-2ffd406c4330","conference_url":"https://api.media.ccc.de/public/conferences/35C3-chaoswest"}]}