Upgrade to Pro — share decks privately, control downloads, hide ads and more …

XSS&CSRF

Avatar for ar7z1 ar7z1
November 17, 2015
140
0

 XSS&CSRF

Внутренний курс по безопасности для разработчиков

Avatar for ar7z1

ar7z1

November 17, 2015

More Decks by ar7z1

See All by ar7z1
Шпора.Безопасность
Avatar for ar7z1 ar7z1
1
74
XSS & CSRF 2.0
Avatar for ar7z1 ar7z1
0
110
HappyDev 2015
Avatar for ar7z1 ar7z1
0
99

Featured

See All Featured
Utilizing Notion as your number one productivity tool
Avatar for Mfonobong Umondia mfonobong
4
320
Self-Hosted WebAssembly Runtime for Runtime-Neutral Checkpoint/Restore in Edge–Cloud Continuum
Avatar for Yuki Nakata chikuwait chikuwait
0
580
Have SEOs Ruined the Internet? - User Awareness of SEO in 2025
Avatar for Akash Hashmi akashhashmi
0
370
Odyssey Design
Avatar for Ryan Kendrick rkendrick25
PRO
2
690
The Pragmatic Product Professional
Avatar for Laura Van Doore lauravandoore
37
7.3k
We Are The Robots
Avatar for Honza Javorek honzajavorek
0
240
Future Trends and Review - Lecture 12 - Web Technologies (1019888BNR)
Avatar for Beat Signer signer
PRO
0
3.6k
Being A Developer After 40
Avatar for Adrian Kosmaczewski akosma
91
590k
The Illustrated Children's Guide to Kubernetes
Avatar for Chris Short chrisshort
51
52k
Distributed Sagas: A Protocol for Coordinating Microservices
Avatar for Caitie McCaffrey caitiem20
333
22k
Visual Storytelling: How to be a Superhuman Communicator
Avatar for David Neal reverentgeek
2
560
Performance Is Good for Brains [We Love Speed 2024]
Avatar for Tammy Everts tammyeverts
12
1.7k

Transcript

  1. XSS CSRF [email protected]

  2. TOOLS

  3. http://bit.ly/ 1tMrggU

  4. http://bit.ly/ 1jKA1UJ

  5. XSS

  6. Reflected

  7. http://example.com/? q=<script>alert('1') </script>

  8. Stored

  9. <img src=lalala onerror="alert('1')" />

  10. DOM-based

  11. http://example.com/ #'><img src=qqq onerror=“alert(‘1’)”>

  12. https://xss- game.appspot .com/

  13. None
  14. None

  15. jsfuck.com

  16. HtmlEncode

  17. innerHTML document.write eval @Html.Raw

  18. X-XSS-Protection

  19. Content-Security- Policy X-Content-Security- Policy X-WebKit-CSP

  20. Content-Security- Policy: default-src 'self'

  21. <system.web> <httpRuntime requestValidationMode="4.0" /> </system.web> <system.web> <pages validateRequest="true" /> </system.web>

  22. CSRF

  23. site.com

  24. site.com GET /emails gmail.com

  25. site.com GET /emails gmail.com

  26. Same Origin Policy

  27. protocol://host:port

  28. https://site.com http://site.com https://a.site.com https://site.com:9090

  29. None

  30. Cross-origin writes $.ajax({ type: "POST", url: url, data: {…}, contentType:'text/plain'

    });

  31. Cross-origin writes • application/x-www- form-urlencoded • multipart/form- data • text/plain

  32. Cross-origin embedding $(‘…’).append( ‘<img src=“…”>’ );

  33. Cross-origin reads $.get(url, function(data){ alert(data); });

  34. GET evil.com

  35. GET evil.com

  36. <form method=“POST” action=“https://…/ SaveEmail”> <input type=“hidden” name=“email” value=“[email protected]” /> </form>

  37. <form method=“POST” action=“https://…/SaveEmail”> <input type=“hidden” name=“email” value=“[email protected]” /> </form>

  38. <script> window.onload = function(){ … form.submit(); } </script>

  39. POST /SaveEmail [email protected] GET evil.com

  40. candy- csrf.apphb.com

  41. None

  42. @troyhunt

  43. webgoat. github.io

  44. https://ctftime.org

  45. @ar7z1 [email protected]