lukasz-wojcik
Random facts about
Web Apps Security
Łukasz Wójcik @ Lumesse
Stealing SESSION (using XSS)
- sending cookies to a 3rd party host
- using this cookie - we are in :)
Prevention against XSS
- simple solution (`<c:out value="${variable}" escapeXml="true"/>`)
- sanitize data
- store encoded (yyy..?)
Prevention against stealing cookie
- making it HTTP only (and secure)
- fingerprint as an implicit 'secret'
- token must not be sequential (randomly distributed)
Open redirect
- what and how?
Passwords
- how should we store passwords in the DB
- MD5 vs SHA1
- pros and cons of the above
Maybe better… make it brute-force (BF) proof
- make it computation intensive (1024 iterations of calculating SHA1 take time)
- use better algorithms (BCrypt)
- use masking
Last Question:
What is http://3585379724 ?
or http://[email protected] ?
or even worse http://mbank.pl@3585379724 ??
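An added example (not from the slides) that answers the last question the way a link filter or log review would: it splits the URL the way a browser does, reports any userinfo sitting in front of the real host, and converts a bare decimal host such as 3585379724 into its dotted-quad form. The host name `bank.example` is a constructed placeholder.

```python
import ipaddress
from urllib.parse import urlsplit


def decimal_host_to_ip(host: str):
    """Browsers accept a bare integer as an IPv4 address (http://3585379724).
    Return the dotted-quad form, or None if the host is not a plain integer."""
    if host.isdigit():
        value = int(host)
        if value <= 0xFFFFFFFF:
            return str(ipaddress.IPv4Address(value))
    return None


def analyse_url(url: str) -> dict:
    """Describe where a URL really leads and list the deceptive tricks found."""
    parts = urlsplit(url)
    # urlsplit strips userinfo ("user:pass@") and the port from hostname,
    # so `host` is what the browser actually connects to.
    host = parts.hostname or ""
    findings = []
    if parts.username is not None:
        # Everything before '@' is credentials, not the site; a reader who
        # stops at the first dotted name is misled about the destination.
        findings.append(
            f"userinfo '{parts.username}' precedes the real host '{host}'"
        )
    dotted = decimal_host_to_ip(host)
    if dotted is not None:
        findings.append(f"decimal host {host} is the IPv4 address {dotted}")
    return {
        "host": host,
        "userinfo": parts.username,
        "dotted": dotted,
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed sample links: one honest, two of the shapes the slide asks about.
    for link in (
        "https://bank.example/login",
        "http://3585379724",
        "http://bank.example@3585379724",
    ):
        report = analyse_url(link)
        print(link, "->", report["host"], report["findings"] or "no tricks found")
```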
THX
Sources: https://github.com/muciu/webappsecurity.git