Web Front End Security

Miao Siyu
benben772009@hotmail.com
Web Front End Hacking
• Cross site scripting (XSS)
• Cross site request forgery (CSRF)
• Hijack

Hey, social engineering is as dangerous (or more dangerous)!
Web basic
• URL
• HTTP protocol & headers
  blacklist for JS setting headers: not every header can be set by JS
• HTML, DOM & iframe
• local data storage & cookies
  sub domain, path, HttpOnly cookie, Secure cookie
• JavaScript:
  action with DOM, cookies, form, XMLHttpRequest...
• CSS
• ActionScript, PDF...
Same-origin policy

• A combination of protocol, hostname, and port number.
• Applies to DOM, Cookie, XMLHttpRequest, robots.txt
Same-origin policy

Relaxing the same-origin policy:
• document.domain property:
  orders.example.com & catalog.example.com
• Cross-Origin Resource Sharing:
  Access-Control-Allow-Origin response header
• Cross-document messaging
• JSONP: <script> element
XSS: inject client-side scripts into web pages

Types:
• Non-persistent
• Persistent
• DOM XSS
not necessarily script, maybe also <img> (encode JS as image)...
CSRF: unauthorized commands are transmitted from a user that the website trusts
• GET: ajax, src (img, iframe...)...
• POST: form
• JSONP: callback / Array
Hijacking: UI redress attack
transparent layer + iframe
• clickjacking
• drag&drop-jacking
• tapjacking
Finding vulnerability (XSS)
• Input point, output point, payload & vulnerability scanner
• XSS filtering
• fuzzing: finding DOM vulnerability
Finding vulnerability (XSS)
"saying the same words using another language"

• self decoding: careful about the context
  HTML: hex &#xH;, decimal &#D;, HtmlEncode
  JavaScript: Unicode \uH, hex \xH
• special tags: textarea, iframe, noscript, noframes, xmp, plaintext
• charsets
• escape / unescape
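Why "the same words in another language" matter to a filter: an added example (not from the slides) in which a check for the literal string misses the HTML-hex, HTML-decimal and JavaScript-escaped spellings the slide lists, while a check that canonicalizes first catches all of them. Sample strings are constructed; the detection rule is intentionally simple, since the real defence is context-aware output encoding rather than blacklist matching.

```python
import html
import re

# Constructed samples: the same markup written four ways. The last one is how
# it would appear inside a JavaScript string literal.
SAMPLES = {
    "literal": "<script>alert(1)</script>",
    "html_hex": "&#x3c;script&#x3e;alert(1)&#x3c;/script&#x3e;",
    "html_dec": "&#60;script&#62;alert(1)&#60;/script&#62;",
    "js_escape": "\\u003cscript\\x3ealert(1)\\u003c/script\\x3e",
}

JS_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})|\\x([0-9a-fA-F]{2})")

def decode_js_escapes(s):
    """Undo \\uXXXX and \\xHH escapes the way a JS engine would inside a string."""
    return JS_ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)

def normalize(s):
    """Canonical form: undo HTML entities, then JS escapes, then lower-case.
    Repeat until stable so a double-encoded input cannot hide one more layer."""
    prev = None
    while prev != s:
        prev = s
        s = decode_js_escapes(html.unescape(s))
    return s.lower()

def naive_flag(s):
    """What a literal-string blacklist sees."""
    return "<script" in s

def normalized_flag(s):
    """The same rule applied after canonicalization."""
    return "<script" in normalize(s)

def compare_all():
    """Per sample: (naive result, normalized result)."""
    return {k: (naive_flag(v), normalized_flag(v)) for k, v in SAMPLES.items()}
```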
HTML5
• new tags
• new attributes
• history API & short URL
• web worker
Web worm
• XSS
• CSRF
• ClickJacking
Defending
• X-Frame-Options: limits being included by an iframe (ClickJacking)
• X-XSS-Protection: detects attack from URL (reflected XSS)
• X-Content-Security-Policy (CSP): separates HTML, CSS & script (XSS)
• Divided sub domains
• HTTPS
• HttpOnly cookie
• Captcha
• Referer checking
• Session time
• CSRF token
• Frame busting
• NoScript plugin
And, do not trust anyone easily!
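A small audit of one HTTP response against the header-based defences listed above (X-Frame-Options, CSP, HttpOnly and Secure cookies), as an added example that is not part of the slides. The two sample responses are constructed; the CSP check is deliberately shallow and only looks for a script-src that still permits inline script.

```python
def audit_response(headers):
    """headers: list of (name, value) pairs as sent on the wire, so repeated
    Set-Cookie headers survive. Returns a list of weaknesses (empty == pass)."""
    findings = []
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)

    # Clickjacking: the page must refuse to be framed by other origins.
    xfo = by_name.get("x-frame-options", [""])[0].strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or weak (clickjacking)")

    # XSS containment: without a CSP any injected inline script runs.
    csp = by_name.get("content-security-policy", [""])[0]
    if not csp:
        findings.append("Content-Security-Policy missing (XSS not contained)")
    elif "script-src" in csp and "'unsafe-inline'" in csp:
        findings.append("CSP script-src allows 'unsafe-inline' (XSS not contained)")

    # Cookie flags: HttpOnly keeps the session out of document.cookie,
    # Secure keeps it off plain HTTP.
    for raw in by_name.get("set-cookie", []):
        attrs = [a.strip().lower() for a in raw.split(";")]
        cookie = attrs[0].split("=", 1)[0]
        if "httponly" not in attrs:
            findings.append("cookie %s lacks HttpOnly (readable by script)" % cookie)
        if "secure" not in attrs:
            findings.append("cookie %s lacks Secure (sent over plain HTTP)" % cookie)
    return findings

# Constructed sample responses: a weak one and its hardened counterpart.
WEAK = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/"),
]
HARDENED = [
    ("Content-Type", "text/html"),
    ("X-Frame-Options", "DENY"),
    ("Content-Security-Policy", "default-src 'self'; script-src 'self'"),
    ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly; Secure"),
]
```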
Security in Django

XSS:
protection: Django templates escape specific characters
dangerous case: the safe filter, or <style class={{ var }}></style> while var = class1 onmouseover=javascript:func()
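The slide's unquoted-attribute case worked through, as an added example that is not Django code: Python's html.escape with quote=True replaces the same five characters (& < > " ') as Django's template escaping, which is assumed here to be equivalent, and html.parser shows which attributes a browser-style parser actually assigns to the tag. The value of var is the one on the slide; the second value in the test is constructed.

```python
import html
from html.parser import HTMLParser

def autoescape(value):
    """Stand-in for Django's default {{ var }} escaping (assumed equivalent:
    same five characters as django.utils.html.escape)."""
    return html.escape(value, quote=True)

class StyleAttrs(HTMLParser):
    """Collect the attributes a parser assigns to the <style> start tag."""
    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self.attrs = dict(attrs)

def attributes_of(markup):
    parser = StyleAttrs()
    parser.feed(markup)
    return parser.attrs

# Value from the slide: it contains none of the five escaped characters, so
# autoescape leaves it untouched; the space and '=' do all the work.
VAR = "class1 onmouseover=javascript:func()"

def render_unquoted(var):
    # Template on the slide:  <style class={{ var }}></style>
    return "<style class=" + autoescape(var) + "></style>"

def render_quoted(var):
    # Fixed template:  <style class="{{ var }}"></style>
    # Quotes make '"' the only way out of the value, and '"' is escaped.
    return '<style class="' + autoescape(var) + '"></style>'

def render_safe(var):
    # Template using the safe filter:  <style class="{{ var|safe }}"></style>
    # |safe switches escaping off, so a '"' in var ends the attribute again.
    return '<style class="' + var + '"></style>'
```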
Security in Django

CSRF:
protection: POST form/ajax with csrf_token, CSRF middleware checking the Referer
Security in Django

Clickjacking:
protection: X-Frame-Options middleware
Security in Django

SQL Injection
SSL/HTTPS
Host Header Validation
Session Security
...
