Web App Security: XSS and CSRF

  1. Preventing XSS & CSRF. Dave Ross • Suburban Chicago PHP & Web Development Meetup
  2. 2½ years ago: http://www.slideshare.net/csixty4/intro-to-php-security
  3. Reality check
  4. “More than half of identity theft cases are inside jobs” - Judith Collins, Associate Criminal Justice Professor @ Michigan State University, “who recently completed a study of 1,037 such cases”
  5. The web is still a nasty place
  6. Browser security is better
  7. PHP is better
  8. register_globals is deprecated in 5.3.0
  9. Threats:
  10. XSS - cross site scripting
  11. Non-persistent XSS
  12. Parameters echoed back to the user
  13. <img src="http://search.amazon.com?s=<script>alert('test');</script>" />
  14. Persistent XSS
  15. Inject <iframe> & <script> into content
  16. Blog comments, forum posts
  17. Strip out tags
  18. I recommend removing tags on display, not save
  19. CSRF - cross-site request forgery
  20. <img src="http://twitter.com/post?text=I'm a big fat dork" />
  21. Use a nonce.
  22. http://ha.ckers.org/xss.html
  23. http://www.cgisecurity.com/csrf-faq.html
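An added PHP example, not from the slides, of the two mitigations the deck recommends: store the raw comment and escape it on display (slides 17-18), and require a per-session nonce on state-changing requests (slide 21). The function names and the plain-array session are assumptions standing in for a real application.

```php
<?php
// Persistent XSS defence: keep the raw text on save, neutralise it on display.
// Storing raw text lets each output context (HTML page, JSON, e-mail) escape
// in its own way instead of trusting a one-time cleanup done at save time.
function save_comment(array &$store, string $text): void
{
    $store[] = $text; // no sanitising here, on purpose
}

function render_comment(string $text): string
{
    // ENT_QUOTES covers both quote styles so the text is safe inside
    // attribute values too; an explicit charset blocks encoding tricks.
    return '<p>' . htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// CSRF defence: a per-session nonce that every state-changing form must echo
// back. A forged <img src="..."> request (slide 20) cannot include it, because
// the attacker's page never sees the victim's session.
function csrf_token(array &$session): string
{
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32)); // CSPRNG, 256 bits
    }
    return $session['csrf'];
}

function csrf_check(array $session, array $post): bool
{
    if (empty($session['csrf']) || empty($post['csrf'])) {
        return false;
    }
    // Constant-time comparison avoids leaking the token byte by byte.
    return hash_equals($session['csrf'], (string) $post['csrf']);
}

// Demonstration with constructed inputs (no real session or database).
$comments = [];
$session  = [];
save_comment($comments, "<script>alert('test');</script>"); // stored as-is
echo render_comment($comments[0]), "\n";                    // rendered inert

$token = csrf_token($session);
echo '<input type="hidden" name="csrf" value="' . $token . '">', "\n";
var_dump(csrf_check($session, ['csrf' => $token])); // genuine form post
var_dump(csrf_check($session, []));                 // forged request, no nonce
```

State-changing actions should additionally be accepted only over POST, so a plain GET triggered by an image tag never reaches the handler at all.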
