Security in Frontend
Web Frontend Security Defense
"Security is the number one problem of the Internet." (Douglas Crockford)
CSRF – How it works
Innocent victim | m.qzone.qq.com | taotao.qq.com | Hacker's host
The hacker's host serves:
<a href="http://hacker.org?uin=<victim's QQ number>">(enticing content)</a>
<form action="http://taotao.qq.com/cgi-bin/...">
  … // attacker-defined content to publish, or another specific write operation
</form>
CSRF – Defenses
• GET vs. POST (a good start)
• Referer header check (not to be trusted)
• ID verification (rather weak)
• Verification code / CAPTCHA (very strong, but …)
• Anti-CSRF token (this one is good)
• Take care of XSS…
What is XSS?
• Cross Site Scripting
• Injecting HTML/JavaScript, e.g. alert(/XSS/)
• Exploit (making use of the injection)
• Transparent to the frontend: the user sees nothing unusual
Why XSS? How is XSS done?
XSS types
• Local XSS
  – htm/html/hta
  – chm/mht
• Non-stored XSS
  – Reflected XSS
• Stored XSS
  – XSS worms
XSS – Detection
• Still manual labour!
  – Check input & output
  – XSS cheat sheet
• Tools
  – Ratproxy
  – Tamper IE from Google
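As an added example that is not part of the slides, the following Node.js code illustrates both the injection from the "What is XSS?" slide and the "check input & output" step from the detection slide: a comment renderer that concatenates untrusted text into markup sits beside the hardened version that escapes every untrusted value, and a small output check reports any untrusted input that reached the page unescaped. Whether the input arrived reflected (from the URL) or stored (from the database) makes no difference to the fix. The function names and the sample comment are assumptions made for the example.

```javascript
// Added example: output escaping for untrusted text, vulnerable vs. hardened,
// plus an output check. escapeHtml, renderComment* and findUnescaped are assumed names.

// The five characters that carry meaning in HTML text and attribute contexts.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: untrusted author and text concatenated straight into markup.
function renderCommentUnsafe(author, text) {
  return '<li><b>' + author + '</b>: ' + text + '</li>';
}

// Hardened: each untrusted value is escaped for the HTML text context it lands in.
function renderCommentSafe(author, text) {
  return '<li><b>' + escapeHtml(author) + '</b>: ' + escapeHtml(text) + '</li>';
}

// Output check ("check input & output"): return every untrusted input that
// contains markup characters and still appears verbatim in the rendered HTML.
// A non-empty result means an escaping step was skipped somewhere.
function findUnescaped(html, untrustedInputs) {
  return untrustedInputs.filter((input) => /[<>"'&]/.test(input) && html.includes(input));
}

function demo() {
  // Constructed input: the probe string from the "What is XSS?" slide.
  const author = 'mallory';
  const text = '<script>alert(/XSS/)</script>';
  const unsafe = renderCommentUnsafe(author, text);
  const safe = renderCommentSafe(author, text);
  return {
    unsafe,                                          // script tag lands in the page
    safe,                                            // script tag becomes inert text
    unsafeLeaks: findUnescaped(unsafe, [author, text]), // [text]
    safeLeaks: findUnescaped(safe, [author, text]),     // []
  };
}

console.log(demo());
```

The check in findUnescaped is a regression test for the rendering layer, not a replacement for a cheat-sheet review: it only catches values copied through unchanged, so escaping must still be chosen per context (HTML text, attribute, URL, script) rather than applied as a single filter on input.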
Security Sources
• http://www.owasp.org
• http://www.80sec.com/
• http://en.wikipedia.org/wiki/Cross-site_scripting
• http://www.houbysoft.com/papers/xss.php
• http://ha.ckers.org/xss.html
• http://ajaxian.com/archives/csrf-report
• http://huaidan.org/archives/1462.html
• http://www4.it168.com/jtzt/shenlan/safe/xss/
Thank you!