Monday, August 30, 2010

SEC302 Hack-Ed II: Stop the hacking

Presenters: Andy Prow, Kirk Jackson

Tech.Ed Online

owasp.org

Enumerating usernames - finding valid users

Leaking content out to Facebook

Threat modelling

Counter-measures

A text file containing HTML can be rendered and run as HTML in IE (content sniffing).
X-Content-Type-Options: nosniff
Tells the browser not to sniff HTML content out of files that are served as another type.

Serve uploaded content via a handler rather than directly from the web server's file system. E.g. an attacker could upload an ASPX file to the upload folder and potentially get it executed.
Emit Content-Disposition: attachment; filename=<file> so the browser downloads the file instead of rendering it.
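As an added example (not code from the session or the presenters), the header policy such a download handler might apply: the upload root, the hypothetical helper names and the allow-list of labelled types are assumptions; everything else is served as opaque bytes with nosniff and attachment disposition.

```python
# Added example: serving user uploads through a handler, not the file system.
# UPLOAD_ROOT, SAFE_TYPES and the function names are assumptions.
import posixpath
from urllib.parse import quote

UPLOAD_ROOT = "/srv/app/uploads"  # assumed location, outside the web root

# Only types we are willing to label; anything else is served as opaque bytes,
# so an uploaded .aspx or .html is never handed to a script engine or renderer.
SAFE_TYPES = {
    ".png": "image/png",
    ".jpg": "image/jpeg",
    ".pdf": "application/pdf",
    ".txt": "text/plain",
}


def resolve_upload(name: str) -> str:
    """Map a requested name onto a file under UPLOAD_ROOT, rejecting traversal."""
    if not name or name in (".", "..") or any(c in name for c in "/\\\0"):
        raise ValueError("invalid file name")
    path = posixpath.normpath(posixpath.join(UPLOAD_ROOT, name))
    if posixpath.dirname(path) != UPLOAD_ROOT:  # belt and braces
        raise ValueError("path escapes upload root")
    return path


def download_headers(name: str) -> dict:
    """Headers that stop a browser from rendering an upload as HTML or script."""
    base = posixpath.basename(name)
    ext = posixpath.splitext(base)[1].lower()
    # ASCII fallback plus RFC 5987 filename* so non-ASCII names survive intact.
    ascii_name = base.encode("ascii", "replace").decode().replace('"', "_")
    disposition = (
        f'attachment; filename="{ascii_name}"; '
        f"filename*=UTF-8''{quote(base)}"
    )
    return {
        "Content-Type": SAFE_TYPES.get(ext, "application/octet-stream"),
        "X-Content-Type-Options": "nosniff",  # IE: do not sniff HTML out of text
        "Content-Disposition": disposition,   # download, never render inline
    }
```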

Tab Nabbing
- Change the title
- Change the favicon
- Load the target site over the top of the harvesting site.