Web Front End Hacking
Cross-site scripting (XSS)
Cross-site request forgery (CSRF)
Hijacking
Hey, social engineering is as dangerous (or more dangerous)!
Web basics
URL; HTTP protocol & headers (blacklist for JS-set headers: not every header can be set by JavaScript)
HTML, DOM & iframe; local data storage & cookies (subdomain, path, HttpOnly cookie, Secure cookie)
JavaScript: actions on the DOM, cookies, forms, XMLHttpRequest...
CSS, ActionScript, PDF...
Same-origin policy
A combination of protocol, hostname, and port number.
Applies to the DOM, cookies, XMLHttpRequest, robots.txt
Relaxing the same-origin policy:
document.domain property: orders.example.com & catalog.example.com
Cross-Origin Resource Sharing (CORS): Access-Control-Allow-Origin response header
Cross-document messaging
JSONP: <script> element
XSS: injecting client-side scripts into web pages
Types:
Non-persistent (reflected)
Persistent (stored)
DOM XSS
Not necessarily a <script> tag; it may also be <img> (JS encoded inside an image)...
CSRF: unauthorized commands are transmitted from a user that the website trusts
GET: AJAX, src attributes (img, iframe...)...
POST: form
JSONP: callback / Array
Hijacking: UI redress attack
Transparent layer + iframe: clickjacking, drag&drop-jacking, tapjacking
Finding vulnerability (XSS)
Input point, output point, payload & vulnerability scanner
XSS filtering
Fuzzing: finding DOM vulnerabilities
"saying the same words using another language"
Self-decoding: be careful about the context
HTML: hex &#xH, decimal &#D, HtmlEncode
JavaScript: Unicode \uH, hex \xH, backslash escapes
Special tags: textarea, iframe, noscript, noframes, xmp, plaintext
Charsets
escape / unescape
HTML5
New tags, new attributes, History API & short URLs, Web Workers
Web worm
XSS + CSRF + clickjacking
Defending
X-Frame-Options: limits being included by an iframe (clickjacking)
X-XSS-Protection: detects attacks coming from the URL (reflected XSS)
X-Content-Security-Policy (CSP): separates HTML, CSS & script (XSS)
Separate subdomains
HTTPS
HttpOnly cookie
Captcha
Referer checking
Session timeout
CSRF token
Frame busting
NoScript plugin
And don't trust anyone easily!
Security in Django
XSS:
Protection: Django templates escape specific characters (autoescaping)
Dangerous cases: the safe filter, and unquoted attributes such as <style class={{ var }}></style> when var = class1 onmouseover=javascript:func()
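The unquoted-attribute case above, as an added example (not code from the slides or from Django itself). It uses Python's html.escape, which escapes the same five characters (& < > " ') as Django's autoescape, so the effect can be checked without installing Django; the template strings and the sample value are constructed for the demo.

```python
"""Django-style autoescaping does not protect an unquoted attribute value."""
from html import escape
from html.parser import HTMLParser


class AttrCollector(HTMLParser):
    """Collect the attribute names of every start tag, roughly as a browser sees them."""

    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        self.attrs.extend(name for name, _ in attrs)


def render_unquoted(var: str) -> str:
    # Mirrors the slide's dangerous template: <style class={{ var }}></style>.
    # Autoescape runs, but nothing stops a space from ending the attribute.
    return f"<style class={escape(var)}></style>"


def render_quoted(var: str) -> str:
    # Same template with the attribute value quoted: because escape() turns
    # any embedded quote into &quot;, the whole value stays inside class="...".
    return f'<style class="{escape(var)}"></style>'


def attribute_names(html: str) -> list:
    """Return the attribute names a parser extracts from the rendered markup."""
    parser = AttrCollector()
    parser.feed(html)
    parser.close()
    return parser.attrs


# Constructed value from the slide: the space splits the unquoted attribute.
USER_VALUE = "class1 onmouseover=javascript:func()"

if __name__ == "__main__":
    print(render_unquoted(USER_VALUE), attribute_names(render_unquoted(USER_VALUE)))
    print(render_quoted(USER_VALUE), attribute_names(render_quoted(USER_VALUE)))
```

The check to take away: an escaped value only stays put when the attribute is quoted, so a template linter (or a reviewer) should flag every `={{ var }}` that is not wrapped in quotes.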
CSRF:
Protection: POST forms / AJAX requests carry the csrf_token; the CSRF middleware checks the Referer
Clickjacking:
Protection: X-Frame-Options middleware
SQL injection, SSL/HTTPS, Host header validation, session security...