Front-end security

Post on 10-May-2015


A basic introduction to front-end security, including XSS, CSRF and clickjacking


Web Front End Security

Miao Siyu

benben772009@hotmail.com

Web Front End Hacking

Cross-site scripting (XSS), cross-site request forgery (CSRF), hijacking

Hey, social engineering is just as dangerous (or more dangerous)!

Web basic

URL; HTTP protocol & headers (blacklist for JS setting headers: not every header can be set by JS)

HTML, DOM & iframe; local data storage & cookies (sub-domain, path, HttpOnly cookie, Secure cookie)

JavaScript: actions on the DOM, cookies, forms, XMLHttpRequest...

CSS, ActionScript, PDF...

Same-origin policy

A combination of protocol, hostname, and port number.

Applies to the DOM, cookies, XMLHttpRequest; see also robots.txt


Relaxing the same-origin policy:

document.domain property: orders.example.com & catalog.example.com

Cross-Origin Resource Sharing: Access-Control-Allow-Origin response header

Cross-document messaging (postMessage); JSONP: <script> element
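The origin comparison and the CORS relaxation described above, as an added example (not code from the original slides): an origin is the (scheme, hostname, port) triple, default ports are folded in, and a CORS responder echoes only an allow-listed origin instead of `*`. The allowlist, hostnames and function names are assumptions made for this example.

```python
from typing import Optional, Set, Tuple
from urllib.parse import urlsplit

# Default ports, so that https://a.example and https://a.example:443 count as one origin.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str) -> Optional[Tuple[str, str, int]]:
    """Return the (scheme, hostname, port) triple that the same-origin policy compares.

    Anything that is not a well-formed http(s) URL (e.g. the literal "null" origin,
    file: URLs, a malformed port) yields None, which never equals any other origin.
    """
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    try:
        port = parts.port
    except ValueError:  # non-numeric or out-of-range port
        return None
    if port is None:
        port = DEFAULT_PORTS[parts.scheme]
    return (parts.scheme, parts.hostname.lower(), port)


def same_origin(url_a: str, url_b: str) -> bool:
    """True only when scheme, host and port all match (no document.domain relaxation)."""
    a, b = origin_of(url_a), origin_of(url_b)
    return a is not None and a == b


def serialize_origin(origin: Tuple[str, str, int]) -> str:
    """Browser-style serialization: default ports are omitted."""
    scheme, host, port = origin
    suffix = "" if port == DEFAULT_PORTS[scheme] else f":{port}"
    return f"{scheme}://{host}{suffix}"


def cors_allow_origin(request_origin: str, allowlist: Set[str]) -> Optional[str]:
    """Value for the Access-Control-Allow-Origin response header, or None to send no header.

    The allowlist holds full origins such as "https://catalog.example.com", not bare
    hostnames, and the response echoes exactly the one matching origin rather than "*".
    """
    origin = origin_of(request_origin)
    if origin is None:
        return None
    allowed = {origin_of(entry) for entry in allowlist}
    return serialize_origin(origin) if origin in allowed else None
```

`same_origin` is the browser's rule; `document.domain` and CORS are the two relaxations on the slide, and `cors_allow_origin` shows the CORS one done by exact-origin match, which is the check worth having on the server side.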

XSS: inject client-side scripts into web pages

Types:

Non-persistent (reflected), persistent (stored), DOM-based XSS

Not necessarily a <script> tag; it may also be an <img> (JS encoded as an image)...

CSRF: unauthorized commands are transmitted from a user that the website trusts

GET: AJAX, src attributes (img, iframe...)...; POST: form; JSONP: callback / Array

Hijacking: UI redress attack

Transparent layer + iframe: clickjacking, drag&drop-jacking, tapjacking

Finding vulnerability (XSS)

Input point, output point, payload & vulnerability scanner

XSS filtering; fuzzing: finding DOM vulnerabilities

"saying the same words using another language"

Self-decoding: be careful about the context.

HTML: hex &#xH;, decimal &#D;, HtmlEncode

JavaScript: Unicode \uH, hex \xH, backslash escapes

Special tags: textarea, iframe, noscript, noframes, xmp, plaintext

Charsets; escape / unescape

Html5

New tags, new attributes, History API & short URLs, Web Workers

Web worm

XSS + CSRF + clickjacking

Defending

X-Frame-Options: limits inclusion in an iframe (clickjacking)

X-XSS-Protection: detects attacks from the URL (reflected XSS)

X-Content-Security-Policy (CSP): separates HTML, CSS & script (XSS)

Separate sub-domains; HTTPS; HttpOnly cookie; captcha; Referer checking; session timeout; CSRF token; frame busting; NoScript plugin

And don't trust anyone easily!

Security in Django

XSS:

protection: Django templates escape specific characters

dangerous cases: the safe filter, and an unquoted attribute such as <style class={{ var }}></style> where var = class1 onmouseover=javascript:func()
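The "self-decoding, careful about the context" slide and the Django unquoted-attribute case above, worked through as an added example (not the slides' or Django's own code): three encoders, one per context (HTML text, HTML attribute with decimal &#D; entities, JavaScript string with \uHHHH), and a small check with Python's own HTML parser that shows how many attributes a browser-like parser sees. The payload string, the template strings and the helper names are constructed for this example; `html_text_encode` stands in for what a template engine's default escaping does.

```python
import html
import re
from html.parser import HTMLParser
from typing import Callable


def html_text_encode(value: str) -> str:
    """HtmlEncode for element content: &, <, >, ", ' become entities (what html.escape does)."""
    return html.escape(value, quote=True)


def html_attr_encode(value: str) -> str:
    """Attribute context: every character outside [A-Za-z0-9] becomes decimal &#D;.

    Stricter than text encoding, so the value stays a single attribute value even when
    the template forgot the quotes and a bare space would otherwise end the attribute.
    """
    return re.sub(r"[^A-Za-z0-9]", lambda m: f"&#{ord(m.group(0))};", value)


def js_string_encode(value: str) -> str:
    """JavaScript string-literal context: \\uHHHH for everything outside [A-Za-z0-9].

    Astral code points are written as a surrogate pair, so the output is valid in
    any JavaScript engine; encoding < and / also keeps "</script>" from closing the tag.
    """
    out = []
    for ch in value:
        cp = ord(ch)
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif cp <= 0xFFFF:
            out.append(f"\\u{cp:04x}")
        else:
            cp -= 0x10000
            out.append(f"\\u{0xD800 + (cp >> 10):04x}\\u{0xDC00 + (cp & 0x3FF):04x}")
    return "".join(out)


def render_style_tag(class_value: str, quoted: bool, encoder: Callable[[str], str]) -> str:
    """Model the slide's template, with and without quotes around the attribute value."""
    template = '<style class="{}"></style>' if quoted else "<style class={}></style>"
    return template.format(encoder(class_value))


# Constructed sample value from the slide: it smuggles an event-handler attribute.
PAYLOAD = "class1 onmouseover=javascript:func()"


class _FirstTagAttrs(HTMLParser):
    """Record the attributes of the first start tag seen."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if self.attrs is None:
            self.attrs = attrs


def attribute_count(markup: str) -> int:
    """How many attributes a browser-like parser sees on the first tag (2 = injection)."""
    parser = _FirstTagAttrs()
    parser.feed(markup)
    return len(parser.attrs or [])
```

With text encoding and no quotes the payload contains no `<`, `>`, `&` or quote characters, so the encoder leaves it untouched and the parser sees two attributes, `class` and `onmouseover`; adding the quotes, or switching to the attribute encoder, brings it back to one.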

CSRF:

protection: POST forms/AJAX carry a csrf_token; the CSRF middleware checks the Referer
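The two CSRF defences named on the slide (a per-session token on every POST, plus a Referer check), as an added example rather than Django's own middleware: the token is a random nonce bound to the session with an HMAC, verified in constant time, and the request source is taken from Origin when present, otherwise Referer, with a missing header rejected. The secret, session ids, hostnames and function names are all constructed for this example.

```python
import hashlib
import hmac
import secrets
from typing import Dict
from urllib.parse import urlsplit

# Assumption: a single server-side secret; a real deployment loads it from configuration.
SECRET_KEY = b"constructed-example-secret-do-not-use"


def _mac(session_id: str, nonce: str) -> str:
    return hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()


def make_csrf_token(session_id: str) -> str:
    """Token to embed in the form: random nonce + HMAC(secret, session_id || nonce).

    Binding to the session means a token captured from one session is useless in another.
    """
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False
    return hmac.compare_digest(mac, _mac(session_id, nonce))


def referer_ok(headers: Dict[str, str], site_host: str) -> bool:
    """Referer checking from the slide: the request must come from our own host.

    Origin is preferred because it carries no path; Referer is the fallback.
    A request with neither header is rejected rather than waved through.
    """
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    host = urlsplit(source).hostname
    return host is not None and host.lower() == site_host.lower()


def accept_post(session_id: str, form: Dict[str, str], headers: Dict[str, str], site_host: str) -> bool:
    """What a CSRF middleware runs for a state-changing request: both checks must pass."""
    return referer_ok(headers, site_host) and verify_csrf_token(session_id, form.get("csrf_token", ""))
```

Both checks are kept because they fail independently: the token check catches a forged form that carries a correct Referer, and the Referer check catches a replayed token submitted from another site.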

Clickjacking:

protection: X-Frame-Options middleware
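The response-header defences from the "Defending" slide (X-Frame-Options, CSP, X-XSS-Protection, HttpOnly/Secure cookies) and the X-Frame-Options middleware named here, as an added example that is not Django's middleware: a WSGI middleware that appends the headers unless the application already set them, plus a tiny in-process driver so the result can be inspected without a server. The policy values, the demo application and the driver are assumptions made for this example; a real site tunes the CSP to its own asset hosts.

```python
from typing import Callable, Dict, Iterable, List, Tuple

# Assumed policy for this example. frame-ancestors is the CSP form of X-Frame-Options;
# both are sent so that older browsers that only know the X- header are covered too.
SECURITY_HEADERS: List[Tuple[str, str]] = [
    ("X-Frame-Options", "DENY"),  # clickjacking: refuse to be framed at all
    ("Content-Security-Policy", "default-src 'self'; script-src 'self'; frame-ancestors 'none'"),
    ("X-XSS-Protection", "1; mode=block"),  # legacy reflected-XSS filter in older browsers
]


def security_headers_middleware(app: Callable) -> Callable:
    """Wrap a WSGI app; headers the app set itself win over the defaults."""

    def wrapped(environ: Dict, start_response: Callable) -> Iterable[bytes]:
        def custom_start(status, headers, exc_info=None):
            present = {name.lower() for name, _ in headers}
            extra = [(n, v) for n, v in SECURITY_HEADERS if n.lower() not in present]
            return start_response(status, list(headers) + extra, exc_info)

        return app(environ, custom_start)

    return wrapped


def session_cookie_header(name: str, value: str) -> Tuple[str, str]:
    """Set-Cookie with the flags from the slides: HttpOnly keeps the cookie out of
    document.cookie (limits what an XSS payload can read), Secure keeps it off plain HTTP."""
    return ("Set-Cookie", f"{name}={value}; Path=/; HttpOnly; Secure")


def demo_app(environ: Dict, start_response: Callable) -> Iterable[bytes]:
    """Constructed application for the example: sets only its content type."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<html><body>hello</body></html>"]


def run(app: Callable, path: str = "/") -> Dict:
    """Minimal WSGI driver: captures status, headers and body instead of using a server."""
    captured: Dict = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    captured["body"] = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured
```

Running `run(security_headers_middleware(demo_app))` returns the application's own Content-Type together with the three added headers, while `run(demo_app)` shows the bare response for comparison; a view that needs to be framed by the same site can set `X-Frame-Options: SAMEORIGIN` itself and the middleware will leave it alone.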

Security in Django, other topics: SQL injection, SSL/HTTPS, Host header validation, session security...