Love it, you have to love it. OWASP is one of my favourite “.org”s and, if you want to know about security, it will become yours too.
Now, this is a late night post and it’s more a reminder for me than something for you: tomorrow I will post some security issues I am working on and, clearly, some freshly baked .NET code to protect your website (and to check whether it’s vulnerable or not).
In the meantime I leave you something that is getting big these days: ClickJacking (did you hear about the “twitter worm” or the “facebook like stealer”?). The Wikipedia definition is awful, but dear OWASP has a good one (https://www.owasp.org/index.php/Clickjacking). Just to make it simple: ClickJacking uses iframe properties to put a mask on top of a specific page and hide its content except for some part of it (usually buttons): the result is that you click something without knowing you are clicking it [simple enough?]
A beautiful example is here: http://blogs.msdn.com/b/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx
As said before, there is no complete protection against the “sleeping giant”, but this approach works just fine for 99% of the known cases:
- put in a good JS frame-busting snippet: https://www.owasp.org/index.php/Clickjacking#Best-for-now_implementation
- add the X-Frame-Options security header.
I have a VB example for this (you can use a simple UserControl and add it to every page you need)…
(*) every time you see code, you have to substitute what’s contained in brackets with your values… and remember: when you work on existing code, always enable the new behavior through a configuration setting, so you can control regressions!
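Once the header is deployed, you want to check that it really reaches the browser (a proxy that merges duplicate headers, or a typo in the value, silently leaves the page frameable). Here is an added Python checker that is not the VB code from this post: it parses a captured response header block (the kind `curl -I` prints) and classifies the X-Frame-Options header; the sample responses are constructed for the demo.

```python
"""Classify the X-Frame-Options header of a captured HTTP response."""
from typing import Iterable, List, Tuple

# Only these two values are enforced consistently by browsers.
VALID = {"DENY", "SAMEORIGIN"}


def parse_raw_headers(raw: str) -> List[Tuple[str, str]]:
    """Turn a response header block (e.g. `curl -I` output) into (name, value) pairs."""
    lines = raw.strip().splitlines()
    if lines and lines[0].upper().startswith("HTTP/"):
        lines = lines[1:]  # drop the status line
    out = []
    for line in lines:
        if ":" in line:
            name, _, value = line.partition(":")
            out.append((name.strip(), value.strip()))
    return out


def check_x_frame_options(headers: Iterable[Tuple[str, str]]) -> Tuple[str, str]:
    """Return (verdict, detail): 'protected', 'missing' or 'weak'."""
    values = [v for k, v in headers if k.lower() == "x-frame-options"]
    if not values:
        return "missing", "no X-Frame-Options header: the page can be framed anywhere"
    # A comma in the value usually means two headers were merged by a proxy or
    # set twice by the application; browsers do not treat that as a clean DENY.
    parts = [p.strip().upper() for v in values for p in v.split(",")]
    if len(parts) > 1:
        return "weak", f"multiple values {parts}; set the header exactly once"
    value = parts[0]
    if value in VALID:
        return "protected", f"X-Frame-Options: {value}"
    if value.startswith("ALLOW-FROM"):
        return "weak", "ALLOW-FROM is not honoured by every browser; prefer DENY or SAMEORIGIN"
    # Unknown values (e.g. ALLOWALL) are ignored by browsers, so they protect nothing.
    return "weak", f"unrecognised value {value!r} is ignored by browsers"


def audit(raw_response: str) -> Tuple[str, str]:
    return check_x_frame_options(parse_raw_headers(raw_response))


# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "hardened": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: SAMEORIGIN\r\n",
    "unprotected": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n",
    "merged": "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY, SAMEORIGIN\r\n",
    "typo": "HTTP/1.1 200 OK\r\nX-Frame-Options: ALLOWALL\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:12s} {audit(raw)}")
```

Modern browsers also honour a Content-Security-Policy `frame-ancestors` directive, which this check does not look at, so a "missing" verdict on a site that uses CSP deserves a second look.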
Easy as that, and for a couple of years you should be ok.
See you tomorrow!