5. JSONP (XSSI)
• JSON with padding, Cross-Site Script Inclusion
• X-Content-Type-Options: nosniff
6. Flash and MS Silverlight
• crossdomain.xml and clientaccesspolicy.xml
• Wildcard domain entries: *, *.example.com
7. Modern CORS
Same Origin Policy for XMLHttpRequest
[Diagram: a web app in the browser at https://site1.com issues an XMLHttpRequest carrying the header "Origin: https://site1.com"; two servers are shown, site1.com and site2.com]
9. WebSockets
• Origin is not checked by default
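The CORS slide shows the browser sending an Origin header, and the WebSockets slide notes that Origin is not checked by default; in both cases the server has to compare that header against an explicit allowlist. The following is an added example, not code from the slides or the speaker: an allowlist applied to a CORS response and to a WebSocket handshake. The allowed origins, and the names normalizeOrigin, corsHeadersFor and isWebSocketOriginAllowed, are assumptions made for the example.

```javascript
// Added example (not from the slides): one Origin allowlist used for both a
// CORS response and a WebSocket Upgrade request.
// The allowlist below is constructed for this example.
const ALLOWED_ORIGINS = new Set([
  "https://site1.com",
  "https://app.site1.com",
]);

// Accept only the canonical serialisation of an origin (scheme://host[:port]).
// Returns null for a missing header, the literal "null" origin, an unparseable
// value, or anything with a path, query, upper-case scheme or default port.
function normalizeOrigin(originHeader) {
  if (typeof originHeader !== "string" || originHeader === "null") return null;
  let url;
  try { url = new URL(originHeader); } catch (e) { return null; }
  // "https://site1.com/evil" or "HTTPS://SITE1.COM" serialise differently from
  // the header, so they are rejected; "https://site1.com.attacker.example"
  // survives untouched and fails the exact match below.
  return url.origin === originHeader ? url.origin : null;
}

function isOriginAllowed(originHeader) {
  const origin = normalizeOrigin(originHeader);
  return origin !== null && ALLOWED_ORIGINS.has(origin);
}

// CORS: response headers for a request carrying an Origin header.
// Returns null when the origin is not allowed; the server then sends no
// Access-Control-* headers and the browser refuses the cross-origin read.
// The request's Origin is never reflected blindly, which matters most when
// Access-Control-Allow-Credentials is also set.
function corsHeadersFor(originHeader, options) {
  const withCredentials = !options || options.withCredentials !== false;
  if (!isOriginAllowed(originHeader)) return null;
  const headers = {
    "Access-Control-Allow-Origin": normalizeOrigin(originHeader),
    "Vary": "Origin", // caches must key on Origin when the ACAO value varies
    "Access-Control-Allow-Methods": "GET, POST",
    "Access-Control-Allow-Headers": "Content-Type",
  };
  if (withCredentials) headers["Access-Control-Allow-Credentials"] = "true";
  return headers;
}

// WebSocket: browsers send Origin on the Upgrade request, but unless the
// server compares it, any page can open a socket with the user's cookies.
// Handshakes with a missing or foreign Origin are rejected here.
function isWebSocketOriginAllowed(handshakeHeaders) {
  const origin = handshakeHeaders["origin"] || handshakeHeaders["Origin"];
  return isOriginAllowed(origin);
}
```

The same isOriginAllowed check can sit in front of an HTTP framework's CORS middleware and in the WebSocket library's handshake hook; keeping one function means the two entry points cannot drift apart.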
10. postMessage
• The Origin check is left to the developer
• Vulnerable site in an <iframe>: X-Frame-Options is the defence
• Vulnerable site in a pop-up (window.open): browser warnings
• Chrome extensions can be used: OWASP London, talk by Arseny Reutov (https://raz0r.name/) https://goo.gl/MGrhN9
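Because postMessage leaves the Origin check to the developer, the receiving page must compare event.origin itself and the sending page must name its target origin. The following is an added example, not code from the slides or the speaker: a listener written as a pure function so it can be exercised with constructed MessageEvent-like objects, an unchecked variant shown only for contrast, and the sender side. TRUSTED_ORIGIN and the setTheme message shape are assumptions made for the example.

```javascript
// Added example (not from the slides): origin validation on both sides of
// window.postMessage. TRUSTED_ORIGIN and the message format are constructed.
const TRUSTED_ORIGIN = "https://site1.com";

// Pattern to avoid, kept here only for contrast: accepts a message from any
// origin and hands the payload straight to the caller.
function receiveMessageUnchecked(event) {
  return { accepted: true, data: event.data };
}

// Hardened listener: exact origin match first, then strict payload validation.
// It returns a result instead of touching the DOM so it can be tested offline.
function receiveMessage(event) {
  if (event.origin !== TRUSTED_ORIGIN) {
    return { accepted: false, reason: "untrusted origin: " + event.origin };
  }
  const data = event.data;
  if (typeof data !== "object" || data === null || typeof data.type !== "string") {
    return { accepted: false, reason: "malformed payload" };
  }
  // Only known message types with an enumerated value are acted on; the
  // payload is never passed to eval, innerHTML or location.
  if (data.type !== "setTheme" || !["light", "dark"].includes(data.theme)) {
    return { accepted: false, reason: "unknown message" };
  }
  return { accepted: true, data: { type: data.type, theme: data.theme } };
}

// Sender side: name the target origin explicitly. With "*" the message is
// delivered to whatever document currently occupies that window.
function sendToFrame(targetWindow, message) {
  targetWindow.postMessage(message, TRUSTED_ORIGIN);
  return TRUSTED_ORIGIN;
}

// Browser wiring; skipped under Node so the file also runs as a plain script.
function wireUp() {
  if (typeof window === "undefined") return false;
  window.addEventListener("message", (event) => {
    const result = receiveMessage(event);
    if (result.accepted) document.body.dataset.theme = result.data.theme;
  });
  return true;
}
wireUp();
```

The origin comparison is an exact string match against a fixed value, not startsWith or a regular expression, so look-alike origins such as a host that merely begins with the trusted hostname fail the check.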