Web Security
Hooopo
November 29, 2012
Transcript
Web Security
Same Origin Policy
Same origin • same protocol • same domain name • same port
What the same-origin policy does: it restricts a "document" or script from a different origin from reading or setting certain properties of the current "document"
Browser sandbox • What is the difference between a request sent by XMLHttpRequest and one sent by curl? • Does the same-origin policy protect the current domain or the requested domain? • Does loading external resources through the SRC attribute violate the same-origin policy? • Third-party cookies and session cookies
How to get around the same-origin policy • document.domain = "csdn.net" • Flash's crossdomain.xml • JSONP enables cross-domain requests; what problems does it bring? • P3P enables cross-domain cookie sharing; what problems does it bring?
Cross Site Scripting (XSS)
Types of XSS • reflected • persistent (stored)
XSS attack techniques • cookie hijacking • XSS phishing (tricking the user into entering a password) • XSS worms
Countering XSS • HttpOnly cookies • IE8 XSS Filter • Firefox's CSP (Content Security Policy) • IE8's X-Content-Type-Options: nosniff
IE8 XSS Filter • X-XSS-Protection: 1; mode=block
Firefox CSP • X-Content-Security-Policy: allow 'self' *.mydomain.com • X-Content-Security-Policy: allow 'self' img-src *;media-src medial.com script-src script.com
Firefox CSP XSS Filter • reflected-xss allow is equivalent to X-XSS-Protection: 0 • reflected-xss filter is equivalent to X-XSS-Protection: 1 • reflected-xss block is equivalent to X-XSS-Protection: 1; mode=block
Can automatic HTML escaping completely defend against XSS?
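The slide's question has a concrete answer: HTML escaping only neutralises the HTML body and attribute contexts. A value placed into an href attribute is still interpreted as a URL, and a URL whose scheme is javascript: survives escaping untouched. The example below is added here and is not from the deck; it is plain Ruby (chosen because the deck's references point at the Rails security guide) using only the standard library. The function names render_link_naive, render_link and safe_url? and the allow-list SAFE_SCHEMES are this example's own choices.

```ruby
require 'cgi'
require 'uri'

# Escaping for the HTML body and quoted-attribute contexts.
# CGI.escapeHTML rewrites & < > " and ' as entities.
def escape_html(text)
  CGI.escapeHTML(text.to_s)
end

# Naive rendering: escapes the URL, but an href is a URL context, so a
# "javascript:" scheme passes through escaping unchanged and still runs.
def render_link_naive(url, label)
  %(<a href="#{escape_html(url)}">#{escape_html(label)}</a>)
end

# Hardened rendering: parse the URL first and allow only listed schemes
# (relative URLs, which have no scheme, are accepted as well).
SAFE_SCHEMES = %w[http https mailto].freeze

def safe_url?(url)
  uri = URI.parse(url.to_s)
  return true if uri.scheme.nil?              # relative link such as /path
  SAFE_SCHEMES.include?(uri.scheme.downcase)  # scheme names are case-insensitive
rescue URI::InvalidURIError
  false                                       # whitespace, control chars, etc.
end

def render_link(url, label)
  href = safe_url?(url) ? escape_html(url) : '#'
  %(<a href="#{href}">#{escape_html(label)}</a>)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input: a user-supplied profile link.
  puts render_link_naive('javascript:alert(1)', 'my site')   # scheme survives escaping
  puts render_link('javascript:alert(1)', 'my site')         # replaced by "#"
  puts render_link('https://example.com/?a=1&b=2', '<b>')    # escaped normally
end
```

The same context problem recurs for values written into inline JavaScript, CSS, or unquoted attributes: the escaping routine must match the context the value lands in, which is why auto-escaping alone is not a complete defence.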
Cross Site Request Forgery (CSRF)
How CSRF works • forging requests under the user's identity (cookie)
What CSRF can do • forge requests from ordinary users • forge requests from administrators • CSRF worms
Can using POST requests completely defend against CSRF?
Can Referer checking reliably defend against CSRF? • Some versions of Flash can set a custom Referer • No Referer is sent when navigating from an HTTPS page to HTTP (RFC 2616) • Firefox has a preference that controls whether the HTTP Referer is sent
The essence of CSRF • every request parameter can be guessed by the attacker
The right way to defend against CSRF • the unpredictability principle • one csrf token per session • one csrf token per user
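The "one token per session" approach from the slides, written out as an added Ruby example (not code from the deck or from Rails): the token is random, so the attacker cannot guess it; it is stored server-side in the session; it is required on every state-changing method while GET/HEAD/OPTIONS are exempt, which is why those methods must never change state; and it is compared in constant time. The session is assumed to be a Hash-like object, and the field name authenticity_token and header name X-CSRF-Token are assumptions borrowed from Rails' conventions.

```ruby
require 'securerandom'

# Constant-time comparison so a token check does not leak via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Methods that must be side-effect free and therefore need no token.
SAFE_METHODS = %w[GET HEAD OPTIONS].freeze

# One unpredictable token per session, created lazily and reused for
# the session's lifetime (the "one csrf token per session" slide).
def csrf_token(session)
  session[:csrf_token] ||= SecureRandom.hex(32)
end

# Validate a request. The token must arrive in a form field or a custom
# header; it is never read from the cookie the browser attaches on its own,
# since that is exactly what the forged cross-site request also carries.
def csrf_valid?(session, method, params, headers = {})
  return true if SAFE_METHODS.include?(method.to_s.upcase)
  submitted = params['authenticity_token'] || headers['X-CSRF-Token']
  expected  = session[:csrf_token]
  return false if submitted.nil? || expected.nil?
  secure_compare(submitted.to_s, expected)
end

# Hidden field to embed in every form that performs a state change.
def hidden_token_field(session)
  %(<input type="hidden" name="authenticity_token" value="#{csrf_token(session)}">)
end

if __FILE__ == $PROGRAM_NAME
  session = {}                                   # constructed in-memory session
  token   = csrf_token(session)
  puts hidden_token_field(session)
  puts csrf_valid?(session, 'POST', { 'authenticity_token' => token })  # true
  puts csrf_valid?(session, 'POST', {})                                 # false: token missing
end
```

The "one token per user" variant stores the token on the user record instead of the session, so it survives logins from several browsers; the validation logic is identical. Because the check never consults the Referer, the Flash, HTTPS-to-HTTP and Firefox-preference cases from the previous slide do not weaken it.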
JSONP Hijacking
JSONP hijacking is essentially CSRF
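Why JSONP hijacking is CSRF: a JSONP endpoint is loaded with a script tag, which any origin may include and which carries the victim's cookies, so private data wrapped in a callback is handed straight to the including page. The added Ruby example below (not from the deck) builds a Rack-style response for a data endpoint: JSONP delivery is only offered for unauthenticated (public) requests, authenticated callers always get plain JSON, and the callback name is validated so the response cannot become a reflected-XSS vector. The function name data_response and the authenticated: flag are this example's assumptions.

```ruby
require 'json'

# A JavaScript identifier, optionally dotted (e.g. "cb" or "app.handlers.cb").
CALLBACK_RE = /\A[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*\z/

# Returns [status, headers, body] in Rack's shape.
#   data          - object to serialise
#   callback      - value of the ?callback= parameter, or nil
#   authenticated - whether the request carried a valid session
def data_response(data, callback:, authenticated:)
  body = JSON.generate(data)

  if callback && !authenticated
    # Public data may be served as JSONP, but only to a syntactically valid
    # callback name; anything else would be echoed into a script body.
    unless callback.match?(CALLBACK_RE)
      return [400, { 'Content-Type' => 'text/plain' }, 'invalid callback']
    end
    return [200, { 'Content-Type' => 'application/javascript' }, "#{callback}(#{body});"]
  end

  # Private data: never wrap in a callback. A bare JSON object is not valid as a
  # script, so a cross-site <script src> cannot read it. nosniff stops the
  # browser from reinterpreting the content type.
  [200, { 'Content-Type' => 'application/json',
          'X-Content-Type-Options' => 'nosniff' }, body]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample requests.
  p data_response({ 'version' => '1.0' }, callback: 'cb', authenticated: false)
  p data_response({ 'email' => 'user@example.com' }, callback: 'cb', authenticated: true)
  p data_response({}, callback: 'alert(1);//', authenticated: false)
end
```

If a legacy client genuinely needs JSONP for authenticated data, the endpoint has to require the same CSRF token as any state-changing request, which a script tag cannot supply from another origin.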
Clickjacking
Defending against clickjacking • frame busting: the HTML5 iframe sandbox attribute and the IE iframe security attribute • IE8+ X-Frame-Options: DENY/SAMEORIGIN/Allow-From • Firefox's CSP
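The response headers that the XSS-defence slides and this clickjacking slide recommend are easiest to apply once, at the edge of the application. The added example below (not from the deck) is a Rack-style middleware in plain Ruby with no gem dependency: it sets X-XSS-Protection, X-Content-Type-Options, X-Frame-Options and a Content-Security-Policy default unless the application already set them, and appends HttpOnly (and Secure on HTTPS) to any Set-Cookie header. The class name SecurityHeaders, the helper harden_cookie and the policy values are this example's choices; the standard header is Content-Security-Policy, whereas the deck's X-Content-Security-Policy is the Firefox-prefixed form in use in 2012.

```ruby
# Append HttpOnly (and Secure when served over HTTPS) unless already present.
# Accepts a single Set-Cookie string or an array of them.
def harden_cookie(value, https)
  return value.map { |c| harden_cookie(c, https) } if value.is_a?(Array)
  cookie = value.dup
  cookie << '; HttpOnly' unless cookie.match?(/;\s*HttpOnly\b/i)
  cookie << '; Secure'   if https && !cookie.match?(/;\s*Secure\b/i)
  cookie
end

# Rack-compatible middleware: `app` is any callable returning [status, headers, body].
class SecurityHeaders
  DEFAULTS = {
    'X-XSS-Protection'        => '1; mode=block',   # IE8 XSS Filter (legacy header)
    'X-Content-Type-Options'  => 'nosniff',         # no MIME sniffing of responses
    'X-Frame-Options'         => 'SAMEORIGIN',      # clickjacking: frame only from own origin
    'Content-Security-Policy' => "default-src 'self'; img-src *; script-src 'self'; frame-ancestors 'self'",
  }.freeze

  def initialize(app, overrides = {})
    @app     = app
    @headers = DEFAULTS.merge(overrides)   # e.g. 'X-Frame-Options' => 'DENY'
  end

  def call(env)
    status, headers, body = @app.call(env)
    headers = headers.dup
    @headers.each { |name, value| headers[name] ||= value }  # app-set values win
    if headers['Set-Cookie']
      https = env['rack.url_scheme'] == 'https'
      headers['Set-Cookie'] = harden_cookie(headers['Set-Cookie'], https)
    end
    [status, headers, body]
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inner app that sets a session cookie without any flags.
  app = ->(_env) { [200, { 'Content-Type' => 'text/html', 'Set-Cookie' => 'sid=abc; Path=/' }, ['<p>hi</p>']] }
  _, headers, = SecurityHeaders.new(app).call({ 'rack.url_scheme' => 'https' })
  headers.each { |k, v| puts "#{k}: #{v}" }
end
```

X-XSS-Protection is kept here because the deck discusses it; current browsers ignore the header, and the CSP directives carry the same intent today. frame-ancestors in the policy is the CSP counterpart of X-Frame-Options, so the two are set together for old and new browsers alike.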
Cross Site Image Overlaying (image overlay attack)
Side effect of the P3P header: by default IE blocks img, iframe, script, link and similar tags from sending third-party cookies; once P3P is enabled, third-party cookies are allowed to be sent
Open-source software and CVEs • Semantic Versioning
Refs
• http://recxltd.blogspot.co.uk/2012/03/seven-web-server-http-headers-that.html
• https://blog.whitehatsec.com/x-frame-options/
• http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx
• http://homakov.blogspot.com/2012/06/saferweb-with-new-features-come-new.html
• http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
• https://www.owasp.org/index.php/HttpOnly
• http://guides.rubyonrails.org/security.html#session-hijacking
• http://en.wikipedia.org/wiki/HTTP_cookie#Secure_and_HttpOnly
• http://rubylution.herokuapp.com/topics/32
• https://www.owasp.org/index.php/Clickjacking
• http://blogs.msdn.com/b/ie/archive/2010/10/26/mime-handling-changes-in-internet-explorer.aspx
• http://hi.baidu.com/aullik5/item/da5f5fec1a78c9d5ea34c9f8
• http://seclab.stanford.edu/websec/framebusting/framebust.pdf
• http://book.douban.com/subject/10546925/
• http://hi.baidu.com/sysdog/item/4b44b7dd892d9655d63aaeb5
• http://semver.org/