Front end-security
1. Web Front End Security
Miao Siyu
benben772009@hotmail.com
2. Web Front End Hacking
Cross-site scripting (XSS)
Cross-site request forgery (CSRF)
Hijack
Hey, social engineering is as dangerous (or more dangerous)!
3. Web basic
URL
HTTP protocol & headers
blacklist for headers set by JS: not every header can be set from JavaScript
HTML, DOM & iframe
local data storage & cookies
sub domain, path, HttpOnly cookie, Secure cookie
javascript:
Action with DOM, cookies, form, XMLHttpRequest...
CSS
Actionscript, PDF...
4. Same-origin policy
A combination of protocol, hostname, and port number.
Apply on DOM, Cookie, XMLHttpRequest,
robots.txt
6. XSS: inject client-side scripts into web pages
Types:
Non-persistent
Persistent
DOM XSS
not necessarily a script tag; may also be <img> (JS encoded as an image)...
13. Defending
X-Frame-Options:
Restricts the page from being included in an iframe (clickjacking)
X-XSS-Protection:
Detects attacks coming from the URL (reflected XSS)
X-Content-Security-Policy (CSP):
Separates HTML, CSS & script (XSS)
Divided sub domains
HTTPS
HttpOnly Cookie
Captcha
Referer checking
Session time
CSRF token
Frame Busting
NoScript plugin
And, don't trust anyone easily!
14. Security in Django
XSS:
protection: Django templates escape specific characters
dangerous cases: the safe filter; unquoted attributes, e.g. <style class={{ var }}></style> while var = class1 onmouseover = javascript:func()
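The unquoted-attribute case above, as an added example that is not part of the slides or Django: Python's stdlib html.escape stands in for Django's autoescape (assumption: both escape the same five characters), and html.parser shows which attributes a browser-side parser ends up with. The attacker value is a constructed variant of the one on the slide.

```python
import html
from html.parser import HTMLParser

# Constructed attacker-controlled value (slide's payload without spaces around '=').
# It contains no <, >, &, " or ', so character escaping leaves it unchanged.
USER_VALUE = "class1 onmouseover=javascript:func()"


class AttrCollector(HTMLParser):
    """Records the attributes the parser sees on each start tag."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_attrs(markup):
    """Return the attribute dict of the first tag in `markup`."""
    parser = AttrCollector()
    parser.feed(markup)
    return parser.tags[0][1]


def render_unquoted(var):
    # Mirrors the slide's template: <style class={{ var }}></style>
    # Escaping happens, but the unquoted attribute ends at the first space,
    # so the rest of the value becomes a new onmouseover attribute.
    return f"<style class={html.escape(var)}></style>"


def render_quoted(var):
    # Hardened form: the value sits inside double quotes, which escaping
    # (&quot;) prevents the attacker from closing early.
    return f'<style class="{html.escape(var)}"></style>'


if __name__ == "__main__":
    print(parse_attrs(render_unquoted(USER_VALUE)))
    print(parse_attrs(render_quoted(USER_VALUE)))
```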