Web Front End Security

Miao Siyu
benben772009@hotmail.com
A basic introduction to front-end security, including XSS, CSRF and ClickJacking

Published in: Technology, Design
Front end-security

  1. Web Front End Security. Miao Siyu, benben772009@hotmail.com
  2. Web Front End Hacking
     - Cross site scripting (XSS)
     - Cross site request forgery (CSRF)
     - Hijack
     Hey, social engineering is as dangerous (or more dangerous)!
  3. Web basic
     - URL
     - HTTP protocol & headers: blacklist for JS setting headers (not every header can be set by JS)
     - HTML, DOM & iframe
     - Local data storage & cookies: sub domain, path, HttpOnly cookie, Secure cookie
     - JavaScript: action with DOM, cookies, form, XMLHttpRequest...
     - CSS
     - ActionScript, PDF...
  4. Same-origin policy
     - A combination of protocol, hostname, and port number.
     - Applies to DOM, Cookie, XMLHttpRequest, robots.txt
  5. Same-origin policy. Relaxing the same-origin policy:
     - document.domain property: orders.example.com & catalog.example.com
     - Cross-Origin Resource Sharing: Access-Control-Allow-Origin response header
     - Cross-document messaging
     - JSONP: <script> element
  6. XSS: inject client-side scripts into web pages. Types:
     - Non-persistent
     - Persistent
     - DOM XSS
     Not necessarily a script: maybe also <img> (encode JS as an image)...
  7. CSRF: unauthorized commands are transmitted from a user that the website trusts
     - GET: ajax, src (img, iframe...)...
     - POST: form
     - JSONP: callback / Array
  8. Hijacking: UI redress attack (transparent layer + iframe)
     - clickjacking
     - drag&dropjacking
     - tapjacking
  9. Finding vulnerability (XSS)
     - Input point, output point, payload & vulnerability scanner
     - XSS filtering
     - fuzzing: finding DOM vulnerability
  10. Finding vulnerability (XSS): "saying the same words using another language"
     - self decoding: careful about the context
       html: hex &#xH; decimal &#D; HtmlEncode
       javascript: Unicode \uH, hex \xH
     - special tags: textarea, iframe, noscript, noframes, xmp, plaintext
     - charsets
     - escape / unescape
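An added example (not from the slides) of the "self decoding" point: a filter check that decodes HTML numeric entities and JavaScript \u/\x escapes in the order the browser will for the given context before matching, so the same payload "said in another language" is still caught. The sample strings and the context names are constructed for this example.

```python
import html
import re

# Constructed samples: the same value written in the alternative encodings
# slide 10 lists (HTML hex/decimal entities, JavaScript \u and \x escapes).
SAMPLES = {
    "plain":      "javascript:alert(1)",
    "html_hex":   "&#x6a;&#x61;vascript:alert(1)",
    "html_dec":   "&#106;&#97;vascript:alert(1)",
    "js_unicode": "\\u006a\\u0061vascript:alert(1)",
    "js_hex":     "\\x6a\\x61vascript:alert(1)",
}

_JS_ESC = re.compile(r"\\u([0-9a-fA-F]{4})|\\x([0-9a-fA-F]{2})")
_DANGEROUS = re.compile(r"^\s*javascript:|\bon\w+\s*=", re.IGNORECASE)


def decode_html(s: str) -> str:
    """Decode named and numeric (&#xH; / &#D;) entities as an HTML parser does."""
    return html.unescape(s)


def decode_js(s: str) -> str:
    """Decode JavaScript \\uHHHH and \\xHH escapes as a JS engine does."""
    return _JS_ESC.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def normalize(s: str, context: str) -> str:
    """Decode in the browser's order: HTML first, then JS only when the value
    ends up in a script context (constructed context names: "html", "js")."""
    out = decode_html(s)
    if context == "js":
        out = decode_js(out)
    return out


def is_dangerous(value: str, context: str) -> bool:
    """Filter check that decodes before matching. A filter matching the raw
    string would pass every encoded variant in SAMPLES."""
    return bool(_DANGEROUS.search(normalize(value, context)))
```

The same check run against the raw string instead of the normalized one passes four of the five samples, which is the filter bypass the slide's quote refers to.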
  11. Html5
     - new tag
     - new attr
     - history api & short url
     - web worker
  12. Web worm
     - XSS
     - CSRF
     - ClickJacking
  13. Defending
     - X-Frame-Options: limits being included by iframe (ClickJacking)
     - X-XSS-Protection: detects attack from url (reflected XSS)
     - X-Content-Security-Policy (CSP): divides html, css & script (XSS)
     - Divided sub domains
     - HTTPS
     - HttpOnly Cookie
     - Captcha
     - Referer checking
     - Session time
     - CSRF token
     - Frame Busting
     - NoScript plugin
     And, don't believe anyone easily!
  14. Security in Django. XSS:
     - protection: Django templates escape specific characters
     - dangerous cases: the safe filter, and unquoted attributes such as <style class={{ var }}></style> while var = class1 onmouseover=javascript:func()
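An added example (not Django's code) of the slide's dangerous case: Django's autoescape is modelled with Python's html.escape (an assumption; it escapes the same five characters < > & ' "), and the rendered tag is parsed with html.parser to show which attributes a browser ends up with for the unquoted template versus a quoted one. The attacker-controlled values are constructed.

```python
import html
from html.parser import HTMLParser

# Constructed attacker-controlled values: the slide's one, and one with a quote.
VAR = "class1 onmouseover=javascript:func()"
VAR_WITH_QUOTE = 'x" onmouseover="f()'

UNQUOTED = "<style class={{ var }}></style>"    # the slide's dangerous case
QUOTED = '<style class="{{ var }}"></style>'    # attribute value quoted


def django_style_escape(value: str) -> str:
    """Stand-in for Django autoescape: < > & ' " become entities; spaces and
    '=' are left alone, which is why quoting the attribute still matters."""
    return html.escape(value, quote=True)


def render(template: str, var: str) -> str:
    """Minimal stand-in for {{ var }} substitution with autoescape on."""
    return template.replace("{{ var }}", django_style_escape(var))


class _Attrs(HTMLParser):
    """Collect the attributes the parser assigns to the first start tag."""
    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        self.attrs.update(attrs)


def parse_attrs(markup: str) -> dict:
    p = _Attrs()
    p.feed(markup)
    return p.attrs


def has_event_handler(markup: str) -> bool:
    """True when the browser would see an on* attribute, i.e. the value broke
    out of the class attribute."""
    return any(name.lower().startswith("on") for name in parse_attrs(markup))
```

With the unquoted template the escaped value still splits into two attributes; with the quoted template the whole value stays inside class, even when it contains a quote, because the quote was escaped.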
  15. Security in Django. CSRF:
     - protection: post form/ajax with csrf_token, csrf_middleware
     - checking the referer
  16. Security in Django. Clickjacking: protection: X-Frame-Options middleware
  17. Security in Django: SQL Injection, SSL/HTTPS, Host Header Validation, Session Security, ...
