csrf + clickjacking
TRANSCRIPT
![Page 1: CSRF + clickjacking](https://reader035.vdocuments.mx/reader035/viewer/2022062316/58eff87b1a28ab05088b45f5/html5/thumbnails/1.jpg)
http://abirtone.com/formacion/hacking-web-owasp-top-10/
@R_a_ff_a_e_ll_o
Hacking Web
CSRF + Clickjacking
![Page 2: CSRF + clickjacking](https://reader035.vdocuments.mx/reader035/viewer/2022062316/58eff87b1a28ab05088b45f5/html5/thumbnails/2.jpg)
• What is this?
  o A sample of how training is delivered at Abirtone
  o It is not a talk
  o Always a practical approach
[Intro]
![Page 3: CSRF + clickjacking](https://reader035.vdocuments.mx/reader035/viewer/2022062316/58eff87b1a28ab05088b45f5/html5/thumbnails/3.jpg)
![Page 4: CSRF + clickjacking](https://reader035.vdocuments.mx/reader035/viewer/2022062316/58eff87b1a28ab05088b45f5/html5/thumbnails/4.jpg)
• Don't panic… we will explain it in more detail during the course
[CSRF]
![Page 5: CSRF + clickjacking](https://reader035.vdocuments.mx/reader035/viewer/2022062316/58eff87b1a28ab05088b45f5/html5/thumbnails/5.jpg)
…consists of deceiving a web user into interacting (in most cases by clicking) with something different to what the user believes they are interacting with…
[Clickjacking]
![Page 6: CSRF + clickjacking](https://reader035.vdocuments.mx/reader035/viewer/2022062316/58eff87b1a28ab05088b45f5/html5/thumbnails/6.jpg)
[Clickjacking]
![Page 7: CSRF + clickjacking](https://reader035.vdocuments.mx/reader035/viewer/2022062316/58eff87b1a28ab05088b45f5/html5/thumbnails/7.jpg)
[Clickjacking]
I want to make a transfer
bank.com?param1=111&param2
bank.com
Confirm
Confirm transfer
![Page 8: CSRF + clickjacking](https://reader035.vdocuments.mx/reader035/viewer/2022062316/58eff87b1a28ab05088b45f5/html5/thumbnails/8.jpg)
[Clickjacking]
I want to make a transfer
bank.com?param1=111&param2
bank.com
Confirm
Confirm transfer
[CSRF Token]
[CSRF Token]
[CSRF Token]
![Page 9: CSRF + clickjacking](https://reader035.vdocuments.mx/reader035/viewer/2022062316/58eff87b1a28ab05088b45f5/html5/thumbnails/9.jpg)
[Clickjacking]
I want to make a transfer
bank.com?param1=111&param2
bank.com
Confirm
Confirm transfer
[CSRF Token]
[CSRF Token]
[CSRF Token]
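The diagram above attaches a [CSRF Token] to the "Confirm transfer" step. Below is an added example (not from the slides or from Abirtone's course material) of the synchronizer-token pattern that label refers to: the server binds a random token to the user's session, embeds it in the legitimate transfer form, and refuses any confirmation whose token does not match. A request forged from another site cannot carry the token, because the same-origin policy stops that site from reading the bank's page. The token does not, however, stop a click delivered to the real confirmation page loaded inside a hidden frame, which is the clickjacking case the rest of the deck deals with. The `TransferService` class, its session layout and the amount 111 (borrowed from the slide's `param1=111`) are constructed for this example.

```python
"""Synchronizer-token CSRF protection for a 'confirm transfer' endpoint.

Added example, not from the slides: a toy bank back end that issues one
CSRF token per session and checks it on every state-changing request.
"""
import hmac
import secrets


class TransferService:
    """Constructed stand-in for a bank back end (not a real framework)."""

    def __init__(self):
        # session_id -> {"user": ..., "csrf": token}. The token lives server-side,
        # so the only way to present a valid one is to have read the real form.
        self.sessions = {}
        self.transfers = []

    def login(self, user):
        """Create a session and bind a fresh, unguessable CSRF token to it."""
        session_id = secrets.token_urlsafe(16)
        self.sessions[session_id] = {"user": user, "csrf": secrets.token_urlsafe(32)}
        return session_id

    def render_transfer_form(self, session_id):
        """The legitimate page carries the session's token in a hidden field.

        The browser will send the session cookie automatically to any request
        aimed at bank.com; the hidden field is what a cross-site page cannot
        supply, because it cannot read this HTML.
        """
        token = self.sessions[session_id]["csrf"]
        return (
            '<form method="post" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="to"><input name="amount">'
            '<button>Confirm transfer</button></form>'
        )

    def confirm_transfer(self, session_id, form):
        """Server-side check: token in the POST body must match the session's token."""
        session = self.sessions.get(session_id)
        if session is None:
            return "error: not authenticated"
        submitted = str(form.get("csrf_token", ""))
        # Constant-time comparison so a mismatch does not leak how many
        # leading characters were right.
        if not hmac.compare_digest(submitted.encode(), session["csrf"].encode()):
            return "error: CSRF token missing or invalid"
        self.transfers.append((session["user"], form["to"], form["amount"]))
        return "ok"


def demo():
    """Legitimate submission versus a forged cross-site request without the token."""
    bank = TransferService()
    sid = bank.login("alice")
    token = bank.sessions[sid]["csrf"]          # what the real form contains
    legit = bank.confirm_transfer(sid, {"csrf_token": token, "to": "bob", "amount": 111})
    forged = bank.confirm_transfer(sid, {"to": "mallory", "amount": 111})
    return legit, forged, len(bank.transfers)


if __name__ == "__main__":
    print(demo())  # ('ok', 'error: CSRF token missing or invalid', 1)
```

The token is compared against the value stored for the session, not against a copy in a cookie, so the check only passes when the submitting page was able to read the bank's own form.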
![Page 10: CSRF + clickjacking](https://reader035.vdocuments.mx/reader035/viewer/2022062316/58eff87b1a28ab05088b45f5/html5/thumbnails/10.jpg)
[Clickjacking]
![Page 11: CSRF + clickjacking](https://reader035.vdocuments.mx/reader035/viewer/2022062316/58eff87b1a28ab05088b45f5/html5/thumbnails/11.jpg)
[Abirtone BANK]
![Page 12: CSRF + clickjacking](https://reader035.vdocuments.mx/reader035/viewer/2022062316/58eff87b1a28ab05088b45f5/html5/thumbnails/12.jpg)
[Abirtone BANK]
![Page 13: CSRF + clickjacking](https://reader035.vdocuments.mx/reader035/viewer/2022062316/58eff87b1a28ab05088b45f5/html5/thumbnails/13.jpg)
[Clickjacking]
• Protection
![Page 14: CSRF + clickjacking](https://reader035.vdocuments.mx/reader035/viewer/2022062316/58eff87b1a28ab05088b45f5/html5/thumbnails/14.jpg)
[Clickjacking]
X-Frame-Options Header
• DENY, prevents any domain from framing the content.
• SAMEORIGIN, which only allows the current site to frame the content.
• ALLOW-FROM uri, which permits the specified 'uri' to frame this page. (e.g., ALLOW-FROM http://www.example.com)
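To make the three directives concrete, here is an added example (not from the slides) that evaluates a response's X-Frame-Options header for a given page URL and a would-be framing page, following the semantics the slide lists, and also covers two cases the slide does not mention: a missing header (anyone may frame the page) and conflicting values (browsers refuse to render). One caveat when reading the ALLOW-FROM bullet: Chromium-based browsers and Safari never implemented ALLOW-FROM and Firefox dropped it, so those browsers treat it as an unrecognised value and ignore the header entirely; the successor is the Content-Security-Policy `frame-ancestors` directive. `frame_decision` below honours ALLOW-FROM as the slide states, while `lint_x_frame_options` flags it. The function names, the header dicts and the example origins are constructed for this example.

```python
"""Evaluate an X-Frame-Options header against a would-be framing page.

Added example, not from the slides. Origins are compared as
scheme://host[:port], case-insensitively, which is how SAMEORIGIN and
ALLOW-FROM matching works.
"""
from urllib.parse import urlsplit


def origin_of(url):
    """Reduce a URL to its origin (scheme://host[:port]), lower-cased."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def get_header(headers, name):
    """Case-insensitive lookup; a header sent twice may arrive comma-joined."""
    values = []
    for key, value in headers.items():
        if key.lower() == name.lower():
            values.extend(v.strip() for v in value.split(",") if v.strip())
    return values


def frame_decision(headers, page_url, framer_url):
    """Return (decision, reason): may framer_url embed page_url?

    decision is "allow" or "deny"; reason names the rule that produced it.
    """
    values = get_header(headers, "X-Frame-Options")
    if not values:
        return "allow", "no X-Frame-Options header: any origin may frame this page"
    distinct = {v.upper() for v in values}
    if len(distinct) > 1:
        # Conflicting values: browsers refuse to render rather than guess.
        return "deny", f"conflicting X-Frame-Options values {sorted(distinct)}"
    value = values[0]
    directive, _, uri = value.partition(" ")
    directive, uri = directive.upper(), uri.strip()
    if directive == "DENY":
        return "deny", "DENY: no origin may frame this page"
    if directive == "SAMEORIGIN":
        if origin_of(framer_url) == origin_of(page_url):
            return "allow", "SAMEORIGIN: framer shares the page's origin"
        return "deny", "SAMEORIGIN: framer is a different origin"
    if directive == "ALLOW-FROM" and uri:
        # Honoured here as the slide describes; see lint_x_frame_options for
        # the browser-support caveat.
        if origin_of(framer_url) == origin_of(uri):
            return "allow", f"ALLOW-FROM: framer matches {origin_of(uri)}"
        return "deny", f"ALLOW-FROM: framer does not match {origin_of(uri)}"
    # Unrecognised value: browsers ignore the header, leaving the page framable.
    return "allow", f"unrecognised X-Frame-Options value {value!r}: header ignored"


def lint_x_frame_options(headers):
    """Findings a reviewer would raise about the header as deployed."""
    findings = []
    values = get_header(headers, "X-Frame-Options")
    if not values:
        return ["missing: page is framable from any origin"]
    if len({v.upper() for v in values}) > 1:
        findings.append("conflicting values: browsers will refuse to render the page")
    for v in values:
        directive = v.split(" ", 1)[0].upper()
        if directive == "ALLOW-FROM":
            findings.append("ALLOW-FROM is not implemented by current browsers (treated "
                            "as unrecognised, header ignored); use CSP frame-ancestors")
        elif directive not in ("DENY", "SAMEORIGIN"):
            findings.append(f"unrecognised value {v!r}: header ignored, page is framable")
    return findings


if __name__ == "__main__":
    # Constructed sample responses for the slide's bank scenario.
    page = "https://bank.example/transfer"
    for hdrs in ({"X-Frame-Options": "DENY"},
                 {"X-Frame-Options": "SAMEORIGIN"},
                 {"X-Frame-Options": "ALLOW-FROM http://www.example.com"},
                 {}):
        print(hdrs, frame_decision(hdrs, page, "https://evil.example/"),
              lint_x_frame_options(hdrs))
```

Run against a real response, the interesting outputs are the "allow" decisions with a reason other than SAMEORIGIN: a missing or unrecognised header means the confirmation page from the earlier slides can be framed.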
![Page 15: CSRF + clickjacking](https://reader035.vdocuments.mx/reader035/viewer/2022062316/58eff87b1a28ab05088b45f5/html5/thumbnails/15.jpg)
See you on 1 February at…