Saturday, September 08, 2007

BarCampBrighton hacking session, 11.45

Presenter: Tom Shannon

7 deadly sins.

1. SQL injection
2. JavaScript injection
3. Cookie injection
4. Email injection
5. File uploads
6. Cross-domain form submission
7. Cross-domain API


1. Happened to the UN website; it took 2 days to notice. Basically, insert commands in the username/password input boxes.
.NET is most prone to this, but PHP and others get hit too. You need to watch that data processed and passed around by the application is secure and not intercepted.

2. E.g. the MySpace worm: Ajax code to attract new users took down the whole site.

3. Storing data on the server is better than in a cookie.

4. Spammers include a Cc in the email box to send out a virus.
Tip: don't put user email in headers.

5. Uploads: proactively set what you want to accept.

6. Cross-domain form submission.

Risk e.g. one-click buying access, or risk for email apps within social networks, e.g. Flickr mail. Use a token with the form to stop it.
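How the "token with the form" defence from point 6 works, as an added example that is not from the talk or the original post: the server derives a per-session token, embeds it in the form as a hidden field, and refuses any submission (such as a one-click buy) that does not carry the matching token. `SERVER_SECRET`, the session ids and the `handle_buy` handler are assumptions for illustration.

```python
import hashlib
import hmac
from typing import Optional

# Assumption: in practice this secret is loaded from server-side config,
# never sent to the browser. Constructed value for the example only.
SERVER_SECRET = b"constructed-example-secret"


def issue_token(session_id: str) -> str:
    """Derive the anti-CSRF token for a session and return it as hex.

    The token is an HMAC of the session id under a server secret, so a
    page on another domain cannot compute it; it goes into the form as
    <input type="hidden" name="csrf_token" value="...">.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def verify_token(session_id: str, submitted: Optional[str]) -> bool:
    """True only if the submitted token matches this session's token.

    compare_digest avoids leaking the token through timing differences.
    """
    if not submitted:
        return False
    return hmac.compare_digest(issue_token(session_id), submitted)


def handle_buy(session_id: str, form: dict) -> tuple:
    """Hypothetical one-click-buy handler guarded by the form token.

    A form posted from another site carries the victim's cookies (and so
    the session id) but not the token, so it is rejected before any
    purchase happens.
    """
    if not verify_token(session_id, form.get("csrf_token")):
        return (403, "cross-site request rejected")
    return (200, "purchased " + form["item"])


if __name__ == "__main__":
    sid = "session-123"  # constructed session id
    print(handle_buy(sid, {"csrf_token": issue_token(sid), "item": "book"}))
    print(handle_buy(sid, {"item": "book"}))  # forged cross-domain post
```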

7. Cross-domain API.

www.ts0.com: blog URL for Tom.
