Front-end security
Uploaded by miao-siyu (category: Technology)

Transcript of "Front-end security"
Web Front End Hacking
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF)
- Hijacking (UI redress)
Hey, social engineering is as dangerous (or more dangerous)!
Web basics
- URL
- HTTP protocol & headers: browsers keep a blacklist of headers that script may not set, so not every header can be set from JavaScript (Host, Cookie, Origin and Referer are among the forbidden request headers)
- HTML, DOM & iframe
- Local data storage & cookies: sub-domain and path scope, HttpOnly cookies, Secure cookies
- JavaScript: acts on the DOM, cookies, forms, XMLHttpRequest...
- CSS, ActionScript, PDF...
Same-origin policy
An origin is the combination of protocol (scheme), hostname and port number.
It applies to DOM access between frames and windows and to XMLHttpRequest. Cookies use a looser scope (domain and path, with no port), and robots.txt is a crawler convention that the same-origin policy does not enforce at all.
Same-origin policy
Relaxing the same-origin policy:
- document.domain property: orders.example.com and catalog.example.com can both set it to example.com to talk to each other (a legacy mechanism, now deprecated)
- Cross-Origin Resource Sharing (CORS): Access-Control-Allow-Origin response header
- Cross-document messaging: window.postMessage (the receiver must check event.origin)
- JSONP: a <script> element loads the remote data as executable code; the origin check is bypassed completely, so this is only as safe as the remote endpoint
XSS: injecting client-side script into web pages
Types:
- Non-persistent (reflected)
- Persistent (stored)
- DOM-based XSS
The payload is not necessarily a <script> element; an <img> with an event-handler attribute, or JavaScript smuggled inside an image file, works too...
CSRF: unauthorized commands are transmitted from a user that the website trusts
- GET: Ajax, src attributes (img, iframe...)...
- POST: auto-submitted form
- JSONP: callback function or Array-constructor hijacking to read the response cross-origin
Hijacking: UI redress attack
- Transparent layer + iframe
- Clickjacking
- Drag-and-drop-jacking
- Tapjacking
Finding vulnerabilities (XSS)
- Input points, output points, payloads & vulnerability scanners
- XSS filtering
- Fuzzing: finding DOM vulnerabilities
Finding vulnerabilities (XSS)
"Saying the same words using another language"
Self-decoding: be careful about the context the value lands in.
- HTML: hex &#xH;, decimal &#D;, HtmlEncode
- JavaScript: Unicode \uH, hex \xH, backslash escapes
- Special tags with raw-text content: textarea, iframe, noscript, noframes, xmp, plaintext
- Charsets
- escape / unescape
HTML5
- New tags, new attributes
- History API & short URLs
- Web Workers
Web worm
XSS + CSRF + clickjacking
Defending
- X-Frame-Options: restricts which pages may include this one in an iframe (clickjacking)
- X-XSS-Protection: browser-side detection of attacks reflected from the URL (reflected XSS); current browsers have removed this filter, so do not rely on it
- Content-Security-Policy (CSP, formerly the prefixed X-Content-Security-Policy): separates markup and CSS from script by controlling where script may load from (XSS)
- Separate sub-domains for untrusted content
- HTTPS
- HttpOnly cookies
- CAPTCHA
- Referer checking
- Session timeouts
- CSRF tokens
- Frame busting
- NoScript plugin
And don't trust anyone easily!
Security in Django
XSS:
- Protection: Django templates escape specific characters (<, >, &, " and ') by default
- Dangerous cases: marking a value safe (the safe filter / mark_safe), and unquoted attributes such as <style class={{ var }}></style> with var = class1 onmouseover=javascript:func(); escaping leaves spaces and = untouched, so the value injects a second attribute
Security in Django
CSRF:
- Protection: POST forms and Ajax requests carry the csrf_token; the CSRF middleware additionally checks the Referer header on HTTPS requests
Security in Django
Clickjacking:
- Protection: XFrameOptionsMiddleware sets the X-Frame-Options header on every response
Security in Django
- SQL injection (the ORM parameterizes queries)
- SSL/HTTPS
- Host header validation (ALLOWED_HOSTS)
- Session security
- ...