Line 229: | Line 229: | ||
<td> | <td> | ||
* SQL Injection | * SQL Injection | ||
** Only use parametrization, not escaping (it's too weak and inconsistent) | |||
** No false demo (for safety reasons) | |||
** Demo of them typing in, and spitting out the results, be careful to have html entity encoding (done automatically in django, i.e. {{ userdata }} DON'T DO {{ userdata|safe }} ) | |||
* write up / buttons / css everything so far | * write up / buttons / css everything so far | ||
* make wiki more readable | * make wiki more readable | ||
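Review bot: the SQL injection item says "only use parametrization" but never states where the parameterized query in the demo comes from, so the 'after' code for the demo is underspecified. Suggest adding a sub-bullet such as "ORM queryset calls are parameterized by default; any raw() or cursor.execute() call passes user input via the params argument, never via string formatting", so the writeup shows the concrete safe form beside the escaping approach it rejects. Likewise "No false demo (for safety reasons)" is ambiguous as written (no demo against a real database? no fabricated output?); one clarifying phrase would save the next editor a guess. The "{{ userdata }}" vs "{{ userdata|safe }}" warning is good; consider noting that Django autoescaping covers HTML body context, so the demo output should be rendered there and not inside an attribute or inline script.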
Line 247: | Line 250: | ||
<td>4. 6/27 - 7/1</td> | <td>4. 6/27 - 7/1</td> | ||
<td> | <td> | ||
* | * Authentication - bcrypt / adaptive captcha | ||
*# Enable default playdoh authentication (remember to switch to bcrypt(use default settings) + nonce (define it in config file!!) ) | |||
*# Set up pages to require auth and other pages that don't require auth (decorator design principle in Django "&" above method) ... login page and logout link (destroy session ID, first check if it's default) | |||
*#* client: cookie expire old one, blank it out | |||
*#* server: invalidate to prevent replay attacks | |||
*#* --> see if it's one method, should be one method that does all of it | |||
*# Captcha stuff | |||
*## Demo how to use captcha like normal (with a form) | |||
*## Look at ratelimiting by jsocol | |||
*##* Target 1 username | |||
*##* From 1 IP | |||
</td> | </td> | ||
<td></td> | <td></td> | ||
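Review bot: the logout sub-bullets split the work into "client: cookie expire old one, blank it out" and "server: invalidate to prevent replay attacks", but the plan never says which call does the server-side part, and the trailing "--> see if it's one method" leaves that open. Suggest resolving it in the plan: Django's logout() flushes the session on the server and issues the cookie change, so the client-side bullet is a consequence of the server-side step rather than a separate task, and "first check if it's default" should spell out what default is being checked. For the rate-limiting bullets ("Target 1 username" / "From 1 IP"), state whether the two limits are applied independently or combined, since a per-IP limit alone behaves differently for users behind a shared address than a per-username limit does. The "nonce (define it in config file!!)" note should also name the setting it refers to so the bcrypt configuration step is reproducible.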
Line 259: | Line 272: | ||
<td>5. 7/3 - 7/8</td> | <td>5. 7/3 - 7/8</td> | ||
<td> | <td> | ||
* | * Content Security Policy | ||
</td> | </td> | ||
<td></td> | <td></td> |
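Review bot: "Content Security Policy" is added as a bare title with no scope, unlike the earlier weeks which list concrete steps. Suggest adding sub-bullets for which directives the demo will set (at minimum script-src and default-src), whether the policy is introduced in report-only mode first so violations can be reviewed before enforcement, and how inline scripts in the existing templates will be handled, since those are the usual blocker when a policy is turned on.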