YoVDO

OWASP 2014 Top 10 Proactive Web Application Controls

Offered By: YouTube

Tags

Conference Talks Courses, Cross-Site Scripting (XSS) Courses, SQL Injection Courses, Access Control Courses, Web Application Security Courses, Password Management Courses, Input Validation Courses

Course Description

Overview

Explore a comprehensive overview of OWASP's 2014 Top 10 Proactive Web Application Controls in this informative conference talk by Jason Montgomery. Dive into practical examples and solutions for SQL injection attacks, cross-site scripting (XSS) defenses, and input validation techniques. Learn about context-specific XSS protection strategies, encoding libraries, and tools for secure data handling. Discover best practices for file upload validation, access control implementation, and modern password policies. Gain insights into the Universal 2nd Factor (U2F) protocol and the Apache Shiro security framework. Enhance your web application security knowledge with this in-depth presentation from the Central Ohio Infosec 2015 conference.

Syllabus

Intro
SQL Injection Attack - Example
SQL Injection Attack - Solution
Parameterization References
Anatomy of a XSS Attack
Context Matters!
XSS Defense by Data Type and Context
HTML Body Context
HTML Attribute Context
HTTP GET Parameter Context
URL Context
JavaScript Variable Context
JSON Parsing Context
DOM-Based XSS Defense
Encoding Libraries
Encode Data Tools
Regular Expressions
Validating File Uploads
Input Validation References
Input Validation Tools
CWE "Monster Mitigations"
Conclusion: Ask Two Questions
Apache Shiro Architecture
Code to the Activity with Shiro
Access Control in the Browser
Access Controls References
Access Controls Tools
The Basic Hash is Dead
Password Guidance 3a
Password Guidance 3b
Password Policy
Universal 2nd Factor (U2F) protocol

