«Свой среди чужих», Антон Лопаницын

December 06, 2019

370

«Свой среди чужих», Антон Лопаницын

Видео https://www.youtube.com/watch?v=JC8hwr9ILQw

Встреча Московского отделения OWASP, 6.12.2019 (https://www.meetup.com/OWASP-Moscow/events/266925142/)

OWASP Moscow

December 06, 2019

Tweet

More Decks by OWASP Moscow

See All by OWASP Moscow

"Evolution of Application Security Programs through OWASP SAMM 2.0", Yan Kravchenko

0

330

«Проекты OWASP: SAMM выпуск 2», Тарас Иващенко, OZON

0

520

«Типичные ошибки реализации SMS-аутентификации», Ramazan (r0hack), DETEACT

0

760

«Dev, Sec, Oops: How Agile Security increases Attack Surface», Денис Макрушин

0

450

«From captcha to RCE. Сложности реализации механизма CAPTCHA в изолированных системах», Виталий Малкин

0

400

«OWASP Сheat Sheet Series. Microservices-based security architecture documentation», Александр Барабанов

0

460

«Проекты OWASP: следим за безопасностью 3rd-party-компонент с помощью Dependency Track», Тарас Иващенко, OZON.

0

450

«Будущее без паролей: про FIDO2/WebAuthN и не только», Сергей Белов, Mail.Ru Group.

0

390

«CTFZone, или как перестать ресёрчить и полюбить CTF», Никита Вдовушкин, BI.ZONE.

1

380

Other Decks in Programming

See All in Programming

HUIT新歓2024「競技プログラミング、やってみませんか？」

1

250

#phpcon_odawara オープン・クローズドなテストフィクスチャを求めて / open closed test fixtures

3

220

PHP8.3の機能を振り返る / Review of PHP 8.3 features

1

110

ONE WEDGE_company_guide

0

380

App Router への移行は「改善」となり得るのか？/ Can migration to App Router be an improvement

8

2.1k

Ruby製社内ツールのGo移行

2

330

PostmanでAPIの動作確認が楽になった話

0

130

4

740

Changed Rules: Architectures with Lightweight Stores

0

230

From Spring Boot 2 to Spring Boot 3 with Java 22 and Jakarta EE

0

910

Doctrine ORMでValue Objectを扱う方法4選 #phpstudy / 4 ways to handle Value Objects with Doctrine ORM

4

110

受託開発でGitLab CI を活用していく

1

270

Featured

See All Featured

個人開発の失敗を避けるイケてる考え方 / tips for indie hackers

60

14k

The Mythical Team-Month

215

42k

Build The Right Thing And Hit Your Dates

23

2k

Helping Users Find Their Own Way: Creating Modern Search Experiences

19

1.9k

[RailsConf 2023] Rails as a piece of cake

22

3.9k

Facilitating Awesome Meetings

41

5.6k

Designing the Hi-DPI Web

276

33k

Web development in the modern age

202

10k

Adopting Sorbet at Scale

67

8.6k

Designing Experiences People Love

136

23k

[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails

1

1.3k

Rails Girls Zürich Keynote

91

13k

Transcript

Свой среди чужих Чужие среди своих
Reverse Proxy
None
X-Forwarded-For: <client>, <proxy> X-Forwarded-For: <fake>, <client>, <proxy>
HTTP-request GET / HTTP/1.1  Host: admin.my.site  Connection: close GET /
HTTP/1.1  Host: admin.my.site  X-Forwarded-For: 123.123.123.123, 192.168.1.1  Connection: close X-Forwarded-For: <client>, <proxy>
XFF/XRI Spooﬁng GET / HTTP/1.1  Host: admin.my.site X-Forwarded-For: 127.0.0.1  Connection:
close GET / HTTP/1.1  Host: admin.my.site  X-Forwarded-For: 127.0.0.1, 123.123.123.123, 192.168.1.1  Connection: close X-Forwarded-For: <fake>, <client>, <proxy>
HTTP-request GET / HTTP/1.1\r\n  Host: admin.my.site\r\n  X-Forwarded-For: 127.0.0.1\r\n  Connection: close\r\n
\r\n X-Forwarded-For: <fake>, <client>, <proxy>
HTTP-request with 0d GET / HTTP/1.1\r\n  Host: admin.my.site\r\n  X-Forwarded-For: 127.0.0.1\r\r\n 
Connection: close\r\n \r\n X-Forwarded-For: <fake>\r, <client>, <proxy>
XFF/XRI Spooﬁng+ GET / HTTP/1.1\r\n  Host: admin.my.site\r\n  X-Forwarded-For: 127.0.0.1\r\r\n  Connection:
close\r\n \r\n GET / HTTP/1.1  Host: admin.my.site  X-Forwarded-For: 127.0.0.1 , 123.123.123.123, 192.168.1.1  Connection: close X-Forwarded-For: <fake> , <client>, <proxy> Tomcat? WebSphere?
Twi: @i_bo0om Site: bo0om.ru Telegram: @webpwn