This was a popular session. The queue stretched down the hall, out the front door and around the block. It covered the main vulnerabilities bad guys exploit to attack websites. It was a good session given by Joe Walker who also gave the BOF on Comet.

First up was cross-site request forgery or CSRF. This is basically misusing people’s cookies. For example if a user is logged in to bank.com on one tab and then they visit evilsite.com on another tab it is possible to do something like: <iframe src=”bank.com/transfer?amt=all&dest=dr_evil” />. No JavaScript required. The only real way to prevent CSRF attacks is to include some kind of authentication token in every request that is separate from the cookie, like a hash of the user’s session ID. These tokens shouldn’t be in GET requests as they could cause problems with bookmarks, etc and GET requests should be idempotent. So a hidden POST field is better. You can use the OWASP servlet filter to add these hidden fields.

He also covered JSON hijacking and the old favourite, XSS. An interesting point was that if your site has an XSS vulnerability that will allow bypassing of any CSRF protections you may have put in place. One of the biggest problems for preventing XSS is that browsers will render any old crap. Basically the web is broken.