XSS&CSRF

Transcript

1. XSS CSRF [email protected]

2. TOOLS

3. http://bit.ly/ 1tMrggU

4. http://bit.ly/ 1jKA1UJ

5. XSS

6. Reflected

7. http://example.com/? q=<script>alert('1') </script>

8. Stored

9. <img src=lalala onerror="alert('1')" />

10. DOM-based

11. http://example.com/ #'><img src=qqq onerror=“alert(‘1’)”>

12. https://xss- game.appspot .com/

13. None
14. None

15. jsfuck.com

16. HtmlEncode

17. innerHTML document.write eval @Html.Raw

18. X-XSS-Protection

19. Content-Security- Policy X-Content-Security- Policy X-WebKit-CSP

20. Content-Security- Policy: default-src 'self'

21. <system.web> <httpRuntime requestValidationMode="4.0" /> </system.web> <system.web> <pages validateRequest="true" /> </system.web>

22. CSRF

23. site.com

24. site.com GET /emails gmail.com

25. site.com GET /emails gmail.com

26. Same Origin Policy

27. protocol://host:port

28. https://site.com http://site.com https://a.site.com https://site.com:9090

29. None

30. Cross-origin writes $.ajax({ type: "POST", url: url, data: {…}, contentType:'text/plain'

    });

31. Cross-origin writes • application/x-www- form-urlencoded • multipart/form- data • text/plain

32. Cross-origin embedding $(‘…’).append( ‘<img src=“…”>’ );

33. Cross-origin reads $.get(url, function(data){ alert(data); });

34. GET evil.com

35. GET evil.com

36. <form method=“POST” action=“https://…/ SaveEmail”> <input type=“hidden” name=“email” value=“[email protected]” /> </form>

37. <form method=“POST” action=“https://…/SaveEmail”> <input type=“hidden” name=“email” value=“[email protected]” /> </form>

38. <script> window.onload = function(){ … form.submit(); } </script>

39. POST /SaveEmail [email protected] GET evil.com

40. candy- csrf.apphb.com

41. None

42. @troyhunt

43. webgoat. github.io

44. https://ctftime.org

45. @ar7z1 [email protected]