The document discusses security issues that can occur on the web front end, including cross-site scripting (XSS), cross-site request forgery (CSRF), and hijacking. It covers how the same-origin policy works and can be relaxed through mechanisms like document.domain and CORS. Specific types of XSS like persistent and DOM-based XSS are described. The document also discusses CSRF, hijacking techniques like clickjacking, and methods for finding vulnerabilities like XSS filtering and fuzzing. Defensive techniques like X-Frame-Options, Content Security Policy, HTTPS, and CSRF tokens are recommended.
1. Web Front End Security
Miao Siyu
benben772009@hotmail.com
2. Web Front End Hacking
Cross-site scripting (XSS)
Cross-site request forgery (CSRF)
Hijacking (clickjacking and friends)
Hey, social engineering is as dangerous (or more dangerous)!
3. Web basics
URL
HTTP protocol & headers
forbidden request headers: not every header can be set from JavaScript (XMLHttpRequest refuses Host, Origin, Cookie, Referer, ...)
HTML, DOM & iframe
local data storage & cookies
subdomain, path, HttpOnly cookie, Secure cookie
javascript:
acts on the DOM, cookies, forms, XMLHttpRequest...
CSS
ActionScript, PDF...
4. Same-origin policy
An origin is the combination of protocol, hostname, and
port number.
Applies to DOM access, cookies (with a caveat: cookies are scoped by domain & path and ignore the port), XMLHttpRequest,
robots.txt
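The origin comparison above, and the two ways the deck mentions for relaxing it (document.domain and CORS), as an added example that is not part of the original slides. It runs under Node.js with the built-in WHATWG URL class; the allowlist, hostnames and the simplified document.domain rule are assumptions for illustration (real browsers also consult the public-suffix list).

```javascript
// Added example, not from the slides: how a browser decides whether two URLs
// share an origin, and how that policy gets relaxed on purpose.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Origin = (scheme, host, port). An explicit default port is normalised away,
// so http://a.test and http://a.test:80 compare equal, exactly as browsers do.
function originOf(url) {
  const u = new URL(url);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return { scheme: u.protocol, host: u.hostname, port };
}

function sameOrigin(a, b) {
  const x = originOf(a), y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Relaxation 1 (legacy, now deprecated): two pages may set document.domain to
// a common parent so their DOMs become mutually accessible. Browsers only
// accept a value that is the page's own host or a parent of it, and never a
// bare top-level domain. Simplified: no public-suffix list consulted.
function documentDomainRelaxable(hostA, hostB, target) {
  if (!target.includes(".")) return false;
  const selfOrParent = h => h === target || h.endsWith("." + target);
  return selfOrParent(hostA) && selfOrParent(hostB);
}

// Relaxation 2: CORS. The server decides which Access-Control-Allow-Origin to
// emit for a cross-origin XMLHttpRequest/fetch. Returns null when the request
// must be refused. Echoing the Origin header unconditionally would reopen the
// hole the same-origin policy closes, so compare against an allowlist and
// never pair "*" with credentials.
function corsHeaders(requestOrigin, allowlist, withCredentials) {
  if (!allowlist.includes(requestOrigin)) return null;
  const headers = { "Access-Control-Allow-Origin": requestOrigin, "Vary": "Origin" };
  if (withCredentials) headers["Access-Control-Allow-Credentials"] = "true";
  return headers;
}

// Constructed inputs for a quick manual run.
console.log(sameOrigin("http://app.example.test/a", "http://app.example.test:80/b")); // true
console.log(sameOrigin("http://app.example.test", "https://app.example.test"));      // false
console.log(corsHeaders("https://evil.test", ["https://app.example.test"], true));   // null
```

Note that `Vary: Origin` matters as soon as the allowlist has more than one entry; without it a shared cache can hand one origin's `Access-Control-Allow-Origin` to another.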
6. XSS: inject client-side scripts into web pages
Types:
Non-persistent (reflected)
Persistent (stored)
DOM XSS (the sink is client-side code, e.g. innerHTML fed from location.hash)
not necessarily a <script> tag: an <img> with an event handler, or script smuggled inside an image file, works as well...
13. Defending
X-Frame-Options:
restricts which pages may embed this one in an iframe (ClickJacking)
X-XSS-Protection:
browser-side detection of script reflected from the URL (Reflected XSS); since removed from current browsers, so do not rely on it
Content-Security-Policy (CSP), first shipped with the X-Content-Security-Policy prefix:
separates HTML, CSS & script; only allowlisted sources may run (XSS)
Separate subdomains for untrusted content
HTTPS
HttpOnly Cookie
Captcha
Referer checking
Session timeout
CSRF token
Frame Busting
NoScript plugin
And, do not trust anyone easily!
14. Security in Django
XSS:
protection: Django templates autoescape {{ var }}: & < > " ' are replaced by HTML entities
dangerous cases: the |safe filter (or mark_safe) turns escaping off; an unquoted attribute such as <style class={{ var }}></style> with var =
class1 onmouseover = javascript:func() stays exploitable, because the payload contains none of the escaped characters
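Why escaping is context-dependent, covering both the XSS slide (a payload need not be a `<script>` tag) and the Django attribute case above, as an added example that is not part of the original slides or of Django. It runs under Node.js without a DOM; `escapeHtml` is a stand-in that rewrites the same five characters Django's autoescape does, and the tiny attribute tokenizer is an assumption that mimics only as much of the HTML parser as the point needs.

```javascript
// Added example, not from the slides or from Django.

// Stand-in for Django autoescape: & < > " ' become entities, nothing else.
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ESCAPES[c]);
}

// Element-content context: escaping is enough, the <img onerror=...> payload
// from the XSS slide becomes inert text.
function renderBody(userText) {
  return `<p>${escapeHtml(userText)}</p>`;
}

// The Django slide's dangerous case: the attribute value is not quoted.
// Escaping changes nothing because the payload has no & < > " ' in it, and
// the HTML parser treats the first space as the end of class= and the rest
// as a second attribute, onmouseover.
function renderUnquotedAttr(cls) {
  return `<style class=${escapeHtml(cls)}></style>`;
}

// The fix: quote the attribute. The only way out is now a quote character,
// which escapeHtml turns into &quot;, so the payload stays inside the value.
function renderQuotedAttr(cls) {
  return `<style class="${escapeHtml(cls)}"></style>`;
}

// Minimal attribute tokenizer (assumed, simplified): returns the attribute
// names a browser would see on the opening tag. Handles double-quoted,
// single-quoted and unquoted values, and whitespace around '='.
function attributeNames(tag) {
  const inner = tag.replace(/^<\w+\s*/, "").replace(/\s*\/?>[\s\S]*$/, "");
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'=<>`]+))?/g;
  const names = [];
  let m;
  while ((m = re.exec(inner)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Constructed payloads for a quick manual run.
const payload = "class1 onmouseover = javascript:func()";
console.log(attributeNames(renderUnquotedAttr(payload))); // [ 'class', 'onmouseover' ]
console.log(attributeNames(renderQuotedAttr(payload)));   // [ 'class' ]
console.log(renderBody('<img src=x onerror=alert(1)>'));  // <p>&lt;img src=x onerror=alert(1)&gt;</p>
```

The same reasoning applies to every other context the escaper was not designed for: a value dropped inside a `<script>` block, a `javascript:` URL, or a CSS property needs its own encoder, not HTML entity escaping.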