The queue for this session was huge and started outside the Moscone center. It was interesting and well organized, but the characterization "advanced" was not very accurate. Of course you cannot give a truly "advanced" presentation to a crowd of hundreds, and you should give Jeremiah and Joe credit for keeping a good balance.
Here are some points that are not entirely trivial:
- You can mess with your friends' Google search history with simple, basic CSRF
- The OWASP servlet filter is a nice tool
- They mentioned a way to do a double cookie check on both the body and the HTTP headers and said that this is how DWR works, but didn't quite elaborate on it.
- They mentioned several times that there is a right way and a wrong way to use JSON; more details would have been nice, but I suppose time was an issue.
- … you might consider using AntiSamy
- With XSS you can grab the secret token and then launch a CSRF
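The "double cookie check" mentioned above is the double-submit pattern: the server sets a random token in a cookie, the page echoes the same token in a custom request header or a form field, and a state-changing request is accepted only when the two match. A cross-site page can trigger a request that carries the cookie, but it cannot read the cookie to copy it into the header or body. The following is an added illustration written for this post, not code from the presenters, from DWR, or from the OWASP servlet filter; the cookie, header and field names are assumptions, and the request dictionaries are constructed stand-ins for a real framework's request object.

```python
import hmac
import secrets

# Assumed names; a real application would pick its own.
COOKIE_NAME = "csrf_token"
HEADER_NAME = "X-CSRF-Token"
FIELD_NAME = "csrf_token"

# Methods that must not change state and therefore need no check.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_token() -> str:
    """Mint a fresh unguessable token; the server sets it as a cookie and
    embeds the same value in the page (hidden field or JS-readable variable)."""
    return secrets.token_urlsafe(32)


def _submitted_token(headers: dict, body: dict):
    """Token the page sent back: custom header first, then body field."""
    for name, value in headers.items():
        if name.lower() == HEADER_NAME.lower():
            return value
    return body.get(FIELD_NAME)


def check_double_submit(method: str, cookies: dict, headers: dict, body: dict) -> bool:
    """Accept the request only if the cookie token and the submitted token
    are both present and identical. Comparison is constant-time so the
    check itself does not leak the token byte by byte."""
    if method.upper() in SAFE_METHODS:
        return True
    cookie_token = cookies.get(COOKIE_NAME)
    submitted = _submitted_token(headers, body)
    if not cookie_token or not submitted:
        return False
    return hmac.compare_digest(cookie_token.encode(), submitted.encode())


def simulate() -> dict:
    """Constructed requests showing which cases pass and which are rejected."""
    token = issue_token()
    cookies = {COOKIE_NAME: token}          # browser attaches this automatically
    return {
        # Same-origin page copied the token into the header (DWR-style).
        "legit_header": check_double_submit("POST", cookies, {HEADER_NAME: token}, {}),
        # Same-origin form carried the token in a hidden field.
        "legit_body": check_double_submit("POST", cookies, {}, {FIELD_NAME: token}),
        # Cross-site form: cookie is sent, but the forger cannot read it.
        "forged_no_token": check_double_submit("POST", cookies, {}, {}),
        # Cross-site request that tries a made-up token value.
        "forged_guess": check_double_submit("POST", cookies, {"x-csrf-token": "guess"}, {}),
        # Token arrives but no cookie: no session binding, reject.
        "missing_cookie": check_double_submit("POST", {}, {HEADER_NAME: token}, {}),
        # Read-only request is never blocked.
        "safe_get": check_double_submit("GET", {}, {}, {}),
    }


if __name__ == "__main__":
    for case, ok in simulate().items():
        print(f"{case:16} -> {'accepted' if ok else 'rejected'}")
```

The check only holds as long as nothing on the origin can read the cookie or the page: as the presenters pointed out in the XSS point above, a script injection can lift the token and then replay it, so double-submit is a CSRF defence, not an XSS one.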
Some things that I feel should also be covered in a similar presentation:
- Application layer firewalls like mod_security
- Hacking browser extensions that users typically have, like Firebug, Greasemonkey, etc.
- Protecting your app from malicious JSON
- Browser standards compliance mode (IE8) as a way to protect against attacks that rely on malformed HTML