Attacking Web Applications with Broken Authentication - enablesecurity
http://www.youtube.com/watch?v=n0l7smmKI_s

======
bscofield
Wait, so this guy is recommending against storing predictable user IDs in
cookies, and against pre-filling password fields such that the values can be
read in the source for a page? Brilliant! /facepalm

~~~
enablesecurity
Don't think so.

I'm just showing you how to abuse that without doing much ;)

Seen such behavior on both local ISPs and an Information Security conference
website. It's one of those things that should not be there, but every now and
then some webdev decides to include it ;)

