Front end-security
Upcoming SlideShare
Loading in...5
×
 

Like this? Share it with your network

Share

Front end-security

on

  • 430 views

A basic introduction for front-end security including XSS, CSRF and CLickJacking

A basic introduction for front-end security including XSS, CSRF and CLickJacking

Statistics

Views

Total Views
430
Views on SlideShare
430
Embed Views
0

Actions

Likes
0
Downloads
14
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

Front end-security Presentation Transcript

  • 1. Web Front End Security Miao Siyu benben772009@hotmail.com
  • 2. Web Front End Hacking  Cross site scripting(XSS)  Cross site request forgery(CSRF)  Hijack Hey, social engineering is as dangerous (or more dangerous ) !
  • 3. Web basic  URL  HTTP protocal & headers blacklist for js setting headers: not every header can be set by js  HTML, DOM & iframe  local data storage & cookies sub domian, path, http-only cookie, secure cookie  javascript: Action with DOM, cookies, form, XMLHttpRequest...  CSS  Actionscript, PDF...
  • 4. Same-origin policy  A combination of protocal, hostname, and port number.  Apply on DOM, Cookie, XMLHttpRequest, robots.txt
  • 5. Same-origin policy Relaxing the same-origin policy:  document.domain property: orders.example.com & catalog.example.com  Cross-Origin Resource Sharing: Origin response header  Cross-document messaging  JSONP: <script> element Access-Control-Allow-
  • 6. XSS: inject client-side scripts into web pages Types:  Non-persistent  Persistent  DOM XSS not nessararilly script, maybe also <img>(encode js as image)...
  • 7. CSRF:unauthorized commands are transmitted from a user that the website trusts  GET: ajax, src (img, iframe...)...  POST: form  JSONP: callback / Array
  • 8. HiJacking: UI redress attack transparent layer + iframe  clickjacking  drag&dropjacking  tapjacking
  • 9. Finding vulnerability (XSS)  Input point, output point, payload & vulnerability scanner  xss filtering  fuzzing: finding DOM vulnerability
  • 10. Finding vulnerability (XSS) "saying the same words using another language"  self decoding: careful about the context html:hex &#xH, decimal &#D, HtmlEncode javascript:Unicode uH, hex xH,  special tag: textarea, iframe, noscipt, noframes, xmp, plaintext  charsets  escape / unescape
  • 11. Html5     new tag new attr history api & short url web worker
  • 12. Web worm  XSS  CSRF  ClickJacking
  • 13. Defending  X-Frame-Options: Limitation on be included by iframe (ClickJacking)  X_XSS_Protection: Detecting attack from url (Reflection XSS)  X_Content-Security-Policy(CSP): divided html,css & script (XSS)  Divided sub domains  HTTPS  HttpOnly Cookie  Captcha  Referer checking  Session time  CSRF token  Frame Busting  NoScript plugin And, not believe anyone easily !
  • 14. Security in Django XSS: protection: Django templates escape specific characters dangerous case: safe, <style class={{ var }}></style> while var = class1 onmouseover = javascript:func()
  • 15. Security in Django CSRF: protection: post form/ajax with csrf_token, csrf_middleware checking the referer
  • 16. Security in Django Clickjacking: protection: X-Frame-Options middleware
  • 17. Security in Django SQL Injection SSL/HTTPS Host Header Validation Session Security ...