Uploaded bySimon Willison

PDF, PPTX13,171 views

Web App Security Horror Stories

This document summarizes Simon Willison's talk on web app security vulnerabilities and lessons learned from past mistakes. It discusses cross-site scripting (XSS) vulnerabilities that allow attackers to steal users' cookies or show fake login pages. It also covers SQL injection attacks, cross-site request forgery (CSRF), and how even features like CSS can be exploited. Past incidents like Samy's MySpace worm and the Google UTF-7 hole are examined to illustrate the dangers if vulnerabilities are left unaddressed. The talk emphasizes following best practices like parameterization and CSRF tokens to prevent common exploits.

Web App Security Horror Stories

Web App Security Horror Stories

Web App Security Horror Stories

Web App Security Horror Stories

Web App Security Horror Stories

Web App Security Horror Stories

Web App Security Horror Stories

Web App Security Horror Stories

Web App Security Horror Stories

Web App Security Horror Stories

Web App Security Horror Stories

Web App Security Horror Stories

Web App Security Horror Stories

Web App Security Horror Stories

Web App Security Horror Stories

Web App Security Horror Stories

Web App Security Horror Stories

Web App Security Horror Stories

Web App Security Horror Stories

Web App Security Horror Stories

Web App Security Horror Stories

Web App Security Horror Stories

Web App Security Horror Stories

Web App Security Horror Stories

Web App Security Horror Stories

Web App Security Horror Stories

Web App Security Horror Stories

Web App Security Horror Stories

Web App Security Horror Stories

Web App Security Horror Stories

Web App Security Horror Stories

Web App Security Horror Stories

Web App Security Horror Stories

Web App Security Horror Stories

Web App Security Horror Stories

Web App Security Horror Stories

Web App Security Horror Stories

Web App Security Horror Stories

Web App Security Horror Stories

Web App Security Horror Stories

Web App Security Horror Stories

Web App Security Horror Stories

Web App Security Horror Stories

Web App Security Horror Stories

Web App Security Horror Stories

Web App Security Horror Stories

Web App Security Horror Stories

Web App Security Horror Stories

Web App Security Horror Stories

Web App Security Horror Stories

Web App Security Horror Stories

Web App Security Horror Stories

Web App Security Horror Stories

Web App Security Horror Stories

Web App Security Horror Stories

Web App Security Horror Stories

Web App Security Horror Stories

Web App Security Horror Stories

Web App Security Horror Stories

Web App Security Horror Stories

Web App Security Horror Stories

Web App Security Horror Stories

Web App Security Horror Stories

Web App Security Horror Stories

Web App Security Horror Stories

Web App Security Horror Stories

Recommended

PDF

201412 wapples 웹방화벽_시온

by시온시큐리티

PDF

How to create great slides for presentations

PPTX

BAM CEP / Business Activity Monitoring , Complex Event Processingomplex

byLiviu Claudiu Cismaru

PPTX

using Chocolatey for application deployments

PDF

Analysis of mass SQL injection attacks

byMiroslav Stampar

PPT

Web App Security Horror Stories

byFOWADublin2009

PDF

Managing windows with Puppet and Chocolatey

PDF

Zen and the Art of Automated Acceptance Test Suite Maintenance

byJohn Ferguson Smart Limited

PDF

Internet Intelligence

PDF

Internet Intelligence

PDF

I thought you were my friend - Malicious Markup

byMario Heiderich

ODP

Security Testing hands on Workshop Material

PPT

Security and Privacy Brown Bag

PDF

Ch 12 Attacking Users - XSS

PDF

Fight Spam and Hackers!

PPT

Myspace Or Yours

PDF

CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting

PPT

Multimedia01

PPT

Starwest 2008

PPT

My Space Project

PPT

My Space Project

PDF

fissea-conference-2012_srinivasan.pdf

PPT

My Space Whoas & Woes

PPTX

Introduction to Jquery

byAmzad Hossain

PDF

Facebookpdf

byAbhijeet Chopra

PPS

Virin 2008 new ways

PPT

New ways of advertising on social networks

byDigital Agency Interactive Share

PDF

Facebook for Business Owners

byNick Armstrong

PDF

Class-based views with Django

bySimon Willison

PDF

Django Heresies

bySimon Willison

More Related Content

PDF

201412 wapples 웹방화벽_시온

by시온시큐리티

PDF

How to create great slides for presentations

PPTX

BAM CEP / Business Activity Monitoring , Complex Event Processingomplex

byLiviu Claudiu Cismaru

PPTX

using Chocolatey for application deployments

PDF

Analysis of mass SQL injection attacks

byMiroslav Stampar

PPT

Web App Security Horror Stories

byFOWADublin2009

PDF

Managing windows with Puppet and Chocolatey

PDF

Zen and the Art of Automated Acceptance Test Suite Maintenance

byJohn Ferguson Smart Limited

201412 wapples 웹방화벽_시온

by시온시큐리티

How to create great slides for presentations

BAM CEP / Business Activity Monitoring , Complex Event Processingomplex

byLiviu Claudiu Cismaru

using Chocolatey for application deployments

Analysis of mass SQL injection attacks

byMiroslav Stampar

Web App Security Horror Stories

byFOWADublin2009

Managing windows with Puppet and Chocolatey

Zen and the Art of Automated Acceptance Test Suite Maintenance

byJohn Ferguson Smart Limited

Similar to Web App Security Horror Stories

PDF

Internet Intelligence

PDF

Internet Intelligence

PDF

I thought you were my friend - Malicious Markup

byMario Heiderich

ODP

Security Testing hands on Workshop Material

PPT

Security and Privacy Brown Bag

PDF

Ch 12 Attacking Users - XSS

PDF

Fight Spam and Hackers!

PPT

Myspace Or Yours

PDF

CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting

PPT

Multimedia01

PPT

Starwest 2008

PPT

My Space Project

PPT

My Space Project

PDF

fissea-conference-2012_srinivasan.pdf

PPT

My Space Whoas & Woes

PPTX

Introduction to Jquery

byAmzad Hossain

PDF

Facebookpdf

byAbhijeet Chopra

PPS

Virin 2008 new ways

PPT

New ways of advertising on social networks

byDigital Agency Interactive Share

PDF

Facebook for Business Owners

byNick Armstrong

Internet Intelligence

Internet Intelligence

I thought you were my friend - Malicious Markup

byMario Heiderich

Security Testing hands on Workshop Material

Security and Privacy Brown Bag

Ch 12 Attacking Users - XSS

Fight Spam and Hackers!

Myspace Or Yours

CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting

Multimedia01

Starwest 2008

My Space Project

My Space Project

fissea-conference-2012_srinivasan.pdf

My Space Whoas & Woes

Introduction to Jquery

byAmzad Hossain

Facebookpdf

byAbhijeet Chopra

Virin 2008 new ways

New ways of advertising on social networks

byDigital Agency Interactive Share

Facebook for Business Owners

byNick Armstrong

More from Simon Willison

PDF

Class-based views with Django

bySimon Willison

PDF

Django Heresies

bySimon Willison

PDF

Web Security Horror Stories

bySimon Willison

PDF

Cowboy development with Django

bySimon Willison

PDF

Building Things Fast - and getting approval

bySimon Willison

PDF

The Django Web Framework (EuroPython 2006)

bySimon Willison

PDF

Web Services for Fun and Profit

bySimon Willison

PDF

Crowdsourcing with Django

bySimon Willison

PDF

How Lanyrd uses Twitter

bySimon Willison

PDF

Rediscovering JavaScript: The Language Behind The Libraries

bySimon Willison

PDF

Cheap tricks for startups

bySimon Willison

PDF

Building Lanyrd

bySimon Willison

PDF

ScaleFail

bySimon Willison

PDF

Evented I/O based web servers, explained using bunnies

bySimon Willison

PDF

How we bootstrapped Lanyrd using Twitter's social graph

bySimon Willison

PDF

Tricks & challenges developing a large Django application

bySimon Willison

PDF

Advanced Aspects of the Django Ecosystem: Haystack, Celery & Fabric

bySimon Willison

PDF

Building crowdsourcing applications

bySimon Willison

PDF

How Lanyrd does Geo

bySimon Willison

PDF

When Zeppelins Ruled The Earth

bySimon Willison

Class-based views with Django

bySimon Willison

Django Heresies

bySimon Willison

Web Security Horror Stories

bySimon Willison

Cowboy development with Django

bySimon Willison

Building Things Fast - and getting approval

bySimon Willison

The Django Web Framework (EuroPython 2006)

bySimon Willison

Web Services for Fun and Profit

bySimon Willison

Crowdsourcing with Django

bySimon Willison

How Lanyrd uses Twitter

bySimon Willison

Rediscovering JavaScript: The Language Behind The Libraries

bySimon Willison

Cheap tricks for startups

bySimon Willison

Building Lanyrd

bySimon Willison

ScaleFail

bySimon Willison

Evented I/O based web servers, explained using bunnies

bySimon Willison

How we bootstrapped Lanyrd using Twitter's social graph

bySimon Willison

Tricks & challenges developing a large Django application

bySimon Willison

Advanced Aspects of the Django Ecosystem: Haystack, Celery & Fabric

bySimon Willison

Building crowdsourcing applications

bySimon Willison

How Lanyrd does Geo

bySimon Willison

When Zeppelins Ruled The Earth

bySimon Willison

Recently uploaded

PDF

A Brief Introduction About Christopher Elwell Woburn

byChristopher Elwell Woburn

PDF

How to Connect HP LaserJet MFP M234dwe to WiFi

byPrinter Tales

PDF

Azure Identity, Governance, and Monitoring solutions

byVICTOR MAESTRE RAMIREZ

PDF

How Application Performance Monitoring Tools Are Used in Performance Testing

byhenrycavill30521

PDF

What is Voice User Interface (VUI) Definition & Examples.pdf

byDesign Studio UI UX

PDF

Beyond BBB: Practical Alternatives to Posterior Approximation in Bayesian Neu...

byTomasz Kusmierczyk

PDF

splunk-peak-threat-hunting-framework.pdf

PPTX

Information about Trusted Platform Module(TPM)

bynewtoknow techs

PDF

Building Software in the AI Era: Spec-Driven Development with Kiro IDE

PDF

Generating Structured Outputs from Unstructured Content Using LLMs

byEnterprise Knowledge

PDF

Benefits of Using the IAC 500 Sensor for Ambient Conditions

byCS Instruments

PPTX

Document Reconstruction using AI & Deep Learning

PDF

The_Boardroom_Cyber_Playbook_Research_Edition

PDF

apidays Paris 2025 |Turning Exposed Uris Bulletproof: Securing APIs with HAPr...

PPTX

DATALIVA-Presentation-EN_2026 Budgeting SAP Odoo ERP

byMustafa Kuğu

PDF

Artificial Intelligence(AI) full Book.pdf

bydeyanimesh299

PPT

Information and Communication Technologies and Power

PPTX

Cesium formate brine - A brief history - prepared by John Downs in May 2011

PPTX

Route_Inspection_Problem_Presentation.pptx

PDF

Scott M. Graffius' Phases of Team Development - Applied to Human Teams and Hu...

byScott M. Graffius

A Brief Introduction About Christopher Elwell Woburn

byChristopher Elwell Woburn

How to Connect HP LaserJet MFP M234dwe to WiFi

byPrinter Tales

Azure Identity, Governance, and Monitoring solutions

byVICTOR MAESTRE RAMIREZ

How Application Performance Monitoring Tools Are Used in Performance Testing

byhenrycavill30521

What is Voice User Interface (VUI) Definition & Examples.pdf

byDesign Studio UI UX

Beyond BBB: Practical Alternatives to Posterior Approximation in Bayesian Neu...

byTomasz Kusmierczyk

splunk-peak-threat-hunting-framework.pdf

Information about Trusted Platform Module(TPM)

bynewtoknow techs

Building Software in the AI Era: Spec-Driven Development with Kiro IDE

Generating Structured Outputs from Unstructured Content Using LLMs

byEnterprise Knowledge

Benefits of Using the IAC 500 Sensor for Ambient Conditions

byCS Instruments

Document Reconstruction using AI & Deep Learning

The_Boardroom_Cyber_Playbook_Research_Edition

apidays Paris 2025 |Turning Exposed Uris Bulletproof: Securing APIs with HAPr...

DATALIVA-Presentation-EN_2026 Budgeting SAP Odoo ERP

byMustafa Kuğu

Artificial Intelligence(AI) full Book.pdf

bydeyanimesh299

Information and Communication Technologies and Power

Cesium formate brine - A brief history - prepared by John Downs in May 2011

Route_Inspection_Problem_Presentation.pptx

Scott M. Graffius' Phases of Team Development - Applied to Human Teams and Hu...

byScott M. Graffius