Web App Security: XSS and CSRF

Transcript

  • 1. PREVENTING XSS & CSRF Dave Ross • Suburban Chicago PHP & Web Development Meetup
  • 2. 2½ years ago http://www.slideshare.net/csixty4/intro-to-php-security
  • 3. REALITY CHECK
  • 4. “More than half of identity theft cases are inside jobs” Judith Collins, Associate Criminal Justice Professor @ Michigan State University “who recently completed a study of 1,037 such cases”
  • 5. THE WEB IS STILL A NASTY PLACE
  • 6. BROWSER SECURITY IS BETTER
  • 7. PHP IS BETTER
  • 8. REGISTER_GLOBALS IS DEPRECATED IN 5.3.0
  • 9. THREATS:
  • 10. XSS - CROSS SITE SCRIPTING
  • 11. NON-PERSISTENT XSS
  • 12. PARAMETERS ECHOED BACK TO THE USER
  • 13. <img src="http://search.amazon.com?s=<script>alert('test');</script>" />
  • 14. PERSISTENT XSS
  • 15. INJECT <IFRAME> & <SCRIPT> INTO CONTENT
  • 16. BLOG COMMENTS, FORUM POSTS
  • 17. STRIP OUT TAGS
  • 18. I RECOMMEND REMOVING TAGS ON DISPLAY, NOT SAVE
  • 19. CSRF - CROSS-SITE REQUEST FORGERY
  • 20. <img src="http://twitter.com/post?text=I'm a big fat dork" />
  • 21. USE A NONCE.
  • 22. http://ha.ckers.org/xss.html
  • 23. http://www.cgisecurity.com/csrf-faq.html
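The two mitigations the talk ends on, a CSRF nonce (slide 21) and removing dangerous markup at display time rather than at save time (slide 18), as one added PHP example that is not from the slides. It assumes PHP 7 or later (random_bytes, hash_equals), native PHP sessions, and a hypothetical form endpoint at /post.

```php
<?php
// Added example, not from the slides: a per-session CSRF nonce and
// display-time escaping, the mitigations slides 18 and 21 recommend.
declare(strict_types=1);

session_start();

// Issue one nonce per session (so several open tabs keep working) and
// keep it server-side; the client only sees it in a hidden form field.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Validate the token from a submitted form. hash_equals() compares in
// constant time, so a wrong guess does not leak how much of it matched.
function csrf_check(array $post): bool
{
    $sent = $post['csrf_token'] ?? '';
    $expected = $_SESSION['csrf_token'] ?? '';
    return $expected !== '' && is_string($sent) && hash_equals($expected, $sent);
}

// Escape on display (slide 18), not on save: the stored text stays
// intact and every render path funnels through this one function.
function e(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// State-changing work happens only on POST with a valid nonce. A forged
// <img src="..."> like slide 20 can only issue a GET, which just gets the form.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
    $status = is_string($_POST['text'] ?? null) ? $_POST['text'] : '';
    // ... store $status unmodified here ...
    echo '<p>Posted: ' . e($status) . '</p>';
} else {
    echo '<form method="post" action="/post">';
    echo '<input type="hidden" name="csrf_token" value="' . e(csrf_token()) . '">';
    echo '<input type="text" name="text"> <button>Post</button>';
    echo '</form>';
}
```

Escaping on output means a stored comment containing `<script>` is shown literally instead of executed, while the original text remains available if the rendering rules change later.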
