Explore a comprehensive overview of OWASP's 2014 Top 10 Proactive Web Application Controls in this informative conference talk by Jason Montgomery. Dive into practical examples and solutions for SQL injection attacks, cross-site scripting (XSS) defenses, and input validation techniques. Learn about context-specific XSS protection strategies, encoding libraries, and tools for secure data handling. Discover best practices for file upload validation, access control implementation, and modern password policies. Gain insights into the Universal 2nd Factor (U2F) protocol and the Apache Shiro security framework. Enhance your web application security knowledge with this in-depth presentation from the Central Ohio Infosec 2015 conference.
Overview
Syllabus
Intro
SQL Injection Attack - Example
SQL Injection Attack - Solution
Parameterization References
Anatomy of a XSS Attack
Context Matters!
XSS Defense by Data Type and Context
HTML Body Context
HTML Attribute Context
HTTP GET Parameter Context
URL Context
JavaScript Variable Context
JSON Parsing Context
DOM-Based XSS Defense
Encoding Libraries
Encode Data Tools
Regular Expressions
Validating File Uploads
Input Validation References
Input Validation Tools
CWE "Monster Mitigations"
Conclusion: Ask Two Questions
Apache Shiro Architecture
Code to the Activity with Shiro
Access Control in the Browser
Access Controls References
Access Controls Tools
The Basic Hash is Dead
Password Guidance 3a
Password Guidance 3b
Password Policy
Universal 2nd Factor (U2F) protocol
Related Courses
-
OWASP Top 10 Vulnerabilities Course (How To)
-
Web Application Ethical Hacking - Penetration Testing Course for Beginners
4.1 -
Web Application Penetration Testing: Input Validation
-
OWASP Top 10 - A03:2021 - Injection
-
Top Ten Proactive Controls for Secure Software Development
-
OWASP Top Ten Proactive Controls
