Upgrade to Pro — share decks privately, control downloads, hide ads and more …

XSS&CSRF

Avatar for ar7z1 ar7z1
November 17, 2015
0
130

 XSS&CSRF

Внутренний курс по безопасности для разработчиков

Avatar for ar7z1

ar7z1

November 17, 2015
Tweet

More Decks by ar7z1

See All by ar7z1
Шпора.Безопасность
Avatar for ar7z1 ar7z1
1
73
XSS & CSRF 2.0
Avatar for ar7z1 ar7z1
0
110
HappyDev 2015
Avatar for ar7z1 ar7z1
0
95

Featured

See All Featured
B2B Lead Gen: Tactics, Traps & Triumph
Avatar for Sophie Logan marketingsoph
0
55
Digital Ethics as a Driver of Design Innovation
Avatar for Per Axbom axbom
PRO
1
180
Technical Leadership for Architectural Decision Making
Avatar for Kenny Baas-Schwegler baasie
1
240
Dealing with People You Can't Stand - Big Design 2015
Avatar for Cassini Nazir cassininazir
367
27k
A Guide to Academic Writing Using Generative AI - A Workshop
Avatar for Kenji Saito ks91
PRO
0
210
The B2B funnel & how to create a winning content strategy
Avatar for Katarina Dahlin katarinadahlin
PRO
1
270
We Are The Robots
Avatar for Honza Javorek honzajavorek
0
160
Building Flexible Design Systems
Avatar for Yesenia Perez-Cruz yeseniaperezcruz
330
40k
Money Talks: Using Revenue to Get Sh*t Done
Avatar for Nikki Halliwell nikkihalliwell
0
150
Building Experiences: Design Systems, User Experience, and Full Site Editing
Avatar for Michelle Schulp Hunt marktimemedia
0
410
Efficient Content Optimization with Google Search Console & Apps Script
Avatar for Katarina Dahlin katarinadahlin
PRO
1
320
Side Projects
Avatar for Sacha Greif sachag
455
43k

Transcript

  1. XSS CSRF [email protected]

  2. TOOLS

  3. http://bit.ly/ 1tMrggU

  4. http://bit.ly/ 1jKA1UJ

  5. XSS

  6. Reflected

  7. http://example.com/? q=<script>alert('1') </script>

  8. Stored

  9. <img src=lalala onerror="alert('1')" />

  10. DOM-based

  11. http://example.com/ #'><img src=qqq onerror=“alert(‘1’)”>

  12. https://xss- game.appspot .com/

  13. None
  14. None

  15. jsfuck.com

  16. HtmlEncode

  17. innerHTML document.write eval @Html.Raw

  18. X-XSS-Protection

  19. Content-Security- Policy X-Content-Security- Policy X-WebKit-CSP

  20. Content-Security- Policy: default-src 'self'

  21. <system.web> <httpRuntime requestValidationMode="4.0" /> </system.web> <system.web> <pages validateRequest="true" /> </system.web>

  22. CSRF

  23. site.com

  24. site.com GET /emails gmail.com

  25. site.com GET /emails gmail.com

  26. Same Origin Policy

  27. protocol://host:port

  28. https://site.com http://site.com https://a.site.com https://site.com:9090

  29. None

  30. Cross-origin writes $.ajax({ type: "POST", url: url, data: {…}, contentType:'text/plain'

    });

  31. Cross-origin writes • application/x-www- form-urlencoded • multipart/form- data • text/plain

  32. Cross-origin embedding $(‘…’).append( ‘<img src=“…”>’ );

  33. Cross-origin reads $.get(url, function(data){ alert(data); });

  34. GET evil.com

  35. GET evil.com

  36. <form method=“POST” action=“https://…/ SaveEmail”> <input type=“hidden” name=“email” value=“[email protected]” /> </form>

  37. <form method=“POST” action=“https://…/SaveEmail”> <input type=“hidden” name=“email” value=“[email protected]” /> </form>

  38. <script> window.onload = function(){ … form.submit(); } </script>

  39. POST /SaveEmail [email protected] GET evil.com

  40. candy- csrf.apphb.com

  41. None

  42. @troyhunt

  43. webgoat. github.io

  44. https://ctftime.org

  45. @ar7z1 [email protected]