Presenters: Andy Prow, Kirk Jackson
owasp.org

- Enumerating usernames - finding valid users
- Leaking content out to Facebook
- Threat modelling

Counter-measures
- A text file containing HTML can run as HTML in IE.
- X-Content-Type-Options: nosniff - don't sniff any HTML content out of files.
- Serve content via a handler rather than from the web server's file system. E.g. they could upload an ASPX file to the upload folder and potentially run it.
- Emit Content-Disposition: attachment; filename=<file>

Tab nabbing
- Change the title
- Change the favicon
- Load the target site over the top of the harvesting site.
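The upload counter-measures above, as an added example that is not from the talk: a handler serves uploads by opaque id from a directory outside the web root (so nothing uploaded is ever executed as a page) and sends nosniff plus an attachment Content-Disposition so a .txt holding HTML is never rendered. UPLOAD_DIR, UPLOAD_NAMES and the 32-hex id format are assumptions for the example.

```python
"""Serve user uploads through a handler instead of the web server's file system."""
import os
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

UPLOAD_DIR = "/var/app/uploads"          # assumed: outside the web root, never executed
UPLOAD_NAMES = {"a" * 32: "report.txt"}  # constructed: upload id -> original file name


def safe_download_headers(original_name: str) -> dict:
    """Headers that stop the browser treating the bytes as HTML (IE sniffing)."""
    # Keep only the base name and safe characters so the header cannot be
    # broken or a path smuggled into the filename parameter.
    clean = re.sub(r"[^A-Za-z0-9._-]", "_", os.path.basename(original_name)) or "download"
    return {
        "Content-Type": "application/octet-stream",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{clean}"',
    }


def resolve_upload(upload_id: str):
    """Map an opaque id to a stored path; returns None for anything else.

    Requests can only name ids, so a request can never name a path or a
    file such as an uploaded .aspx that the server might execute."""
    if not re.fullmatch(r"[0-9a-f]{32}", upload_id):
        return None
    return os.path.join(UPLOAD_DIR, upload_id)


class UploadHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        upload_id = self.path.split("?", 1)[0].rsplit("/", 1)[-1]
        path = resolve_upload(upload_id)
        if path is None:
            self.send_error(404)
            return
        try:
            with open(path, "rb") as f:
                body = f.read()
        except OSError:
            self.send_error(404)
            return
        self.send_response(200)
        for name, value in safe_download_headers(UPLOAD_NAMES.get(upload_id, "")).items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), UploadHandler).serve_forever()
```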