- Slides: 45
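URL address bar spoofing
- Click-based URL spoofing
- Behaviour common to all browsers
- Differences between browsers
- HTML5 pushState(), 20%, long 20%, spaces, ?
- Browser-specific quirks…
- Drag-and-drop URL spoofing
- Chrome, Firefox, IE, Safari
- Onclick(), Onmouseup(), Onmousedown()
- DEMO
- ondragstart: event.dataTransfer.setData('url type', 'url')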
Old vs. new status bar
- Old Chrome, FF, IE
- New Chrome, FF, IE
localStorage()

| Browser | Size | Format | Encryption | Storage path |
|---|---|---|---|---|
| Firefox 3.0+ | 5M | SQLite | Plaintext | C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\tyraqe3f.default\webappsstore.sqlite |
| Chrome 4.0+ | 5M | SQLite | Plaintext | C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage |
| IE 8.0+ | 5M | XML | Plaintext | C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore |
| Safari 4.0+ | 5M | SQLite | Plaintext | C:\Users\user\AppData\Local\Apple Computer\Safari\LocalStorage |
| Opera 10.5+ | 5M | XML | BASE64 | C:\Users\user\AppData\Roaming\Opera\pstorage |
Bypassing XSS defenses
- XSS filter
- IE 8+, Chrome 4+, Safari 5+, FF (NoScript)
- Code variants
- Two parameters: p1=<script>prompt(1);/*&p2=*/</script>
- Comments: <script>/*///*/alert(1);</script>
- Auto-closing: <img src="noexist" onerror=alert();//
- UTF-7: +ADw-script+AD4
- data URIs: data:[mediatype][;base64],data
- More: ha.ckers.org/xss.html, html5sec.org
Bypassing SOP
- Flash & Silverlight: crossdomain.xml
- HTML5: postMessage, CORS
- DragAndDropJacking
- CSRF with CORS bypass SOP
- WebWorkers + CORS + WebSocket = Web Botnet
- Obtaining data
- Bypassing CSRF defenses
- Bypasses caused by flaws in the browser's own features
- Extensions and plug-ins
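Bypassing HttpOnly
- Apache httpOnly Cookie Disclosure
- CVE: 2012-0053
- Apache, Cookie > 4K: the page returns a 400 error that contains the Cookie
- Attack
- Via an XSS vulnerability
- Set a Cookie > 4K
- Extract the Cookie from the returned page
- Send the Cookie to the attacker's server
- HttpOnly successfully bypassed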
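A defender-side check for the behaviour on this slide, added here as an example and not part of the original slides: given the status and body your own server returned for a request with an oversized Cookie header, it reports which cookie values the error page echoes back. The function names, cookie names and sample responses are constructed for illustration.

```python
import html

MIN_VALUE_LEN = 8  # skip short values that could match the body by chance


def parse_cookie_header(header):
    """Split a Cookie request header into a {name: value} dict."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


def leaked_cookies(status, cookie_header, body):
    """Return the sorted names of cookies whose values appear in an error body."""
    if status < 400:
        return []
    text = html.unescape(body)  # error pages usually HTML-escape what they echo
    return sorted(
        name
        for name, value in parse_cookie_header(cookie_header).items()
        if len(value) >= MIN_VALUE_LEN and value in text
    )


# Constructed sample data, not captured from a real server.
COOKIE_HEADER = "SESSIONID=7f3c9a1e5b2d4c68; pad=" + "A" * 5000
ECHOING_400 = (
    "<h1>Bad Request</h1><p>Size of a request header field exceeds server "
    "limit.</p><pre>Cookie: " + html.escape(COOKIE_HEADER) + "</pre>"
)
CLEAN_400 = "<h1>Bad Request</h1><p>Request header field too large.</p>"

if __name__ == "__main__":
    print("echoing page leaks:", leaked_cookies(400, COOKIE_HEADER, ECHOING_400))
    print("clean page leaks:  ", leaked_cookies(400, COOKIE_HEADER, CLEAN_400))
```

Any non-empty result for an error response means script running on the page could read a cookie that HttpOnly was meant to hide.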
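Bypassing X-Frame-Options
- UI redressing
- Method: ([Click][Drag&Drop][Tap])jacking
- Process: the object the user clicks, drags or taps is actually the one hidden underneath
- Technique: hidden layer + frame inclusion
- Bypassing X-Frame-Options
- Construct multiple pages
- history.forward(), history.back()
- Example: http://lcamtuf.coredump.cx/clickit/
- This attack is complex to design and requires a high degree of user interaction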
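Bypassing the sandbox
- Pwn2Own 2012
- Top prize: US$60,000
- Successfully bypassed the Chrome sandbox
- Took 6 bugs of different types
- Bypassing all of the sandbox's protections will keep getting harder
- More: http://blog.chromium.org/2012/05/tale-of-two-pwnies-part-1.html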
Official privacy statements
- Chrome: www.google.com/chrome/intl/zh-CN/privacy.html
- Safari: www.apple.com/safari/features.html#security
- Firefox: www.mozilla.org/en-US/legal/privacy/
- Opera: www.opera.com/privacy/
- IE: windows.microsoft.com/zh-CN/internet-explorer/products/ie9/windows-internet-explorer-9-privacy
HTML5 support comparison
- http://html5test.com
URL encoding differences
- http://code.google.com/p/browsersec/
Browser security feature comparison
- http://www.browserscope.org
Official security links
- Chrome: blog.chromium.org/
- Firefox: mozilla.org/security/
- Opera: opera.com/security/
- IE: www.microsoft.com/zh-cn/security/pc-security/ie9.aspx
- Safari: www.apple.com/safari/features.html#security
JUST FOR FUN
Thanks
- Q&A