# Escaping the Web of Insecurities - Alexander Khovansky

###### tags: `jsdc2019`

[Speaker @ GitHub](https://github.com/khovansky-al)

[toc]

## XSS

> Cross-Site scripting

- Reflected
- Stored
  - The site stores user input on the server; an attacker abuses this mechanism to store malicious JavaScript code
- DOM based
- Sanitized characters (`<>^"'`)
- Is using a framework safe? React / Vue still have `dangerouslySetInnerHTML` / `v-html`
- ==DON'T SANITIZE HTML WITH REGULAR EXPRESSIONS==
- Content Security Policy (CSP)
  - ref: [Content-Security-Policy - Security issues of HTTP headers (2)](https://devco.re/blog/2014/04/08/security-issues-of-http-headers-2-content-security-policy/)
- Trusted Types
- ==Don't use blacklists==

## SSRF

> Server-Side Request Forgery

USER > APP > SERVER

**Malicious actor**

- Attackers go after the metadata endpoint
- Don't use blacklists
  - Attackers can exploit URL parsing differences to bypass the checks
- Prevention
  - Whitelist: validate the domain name
  - Blacklist: never allow the target IP to be on the local intranet
  - Validate the protocol (e.g. ~~file://~~)

## IDORs

> Insecure direct object reference

Attach unexpected content to the request message, e.g. by guessing IDs

```
{
  userId: 1234,
  text: 'Some text',
  attachments: ['1111', '1999' /* a future message id, guessed */]
}
```

Prevention

- IDs should be non-enumerable
- Check the caller's context when accessing DB objects
- Code review, again!

## Timing attacks

> string comparisons are not that harmless

Measure the response time of requests with different parameters to infer data

- Token-based
  - Forgot password
- Prevention: achieve constant time
  - Convert to a hash before comparing

```javascript=
// Node: constant-time comparison, so a mismatch does not leak where it happened
crypto.timingSafeEqual(Buffer.from(a), Buffer.from(b))
```

## File uploads

Blacklists are bad, whitelists are good :smiley:

e.g. SVG can contain scripts, avoid accepting it

Serve uploads from a separate origin

## Business logic errors

Hard to define

e.g. a redirect flaw towards the third-party payment provider when integrating a payment flow: obtain partial data, then forge the rest!

Error messages can also be clues for an attacker

## What we learned

- All external input is malicious by default (never trust data coming from the frontend)
- ==Blacklists are bad==

## Links

- [OWASP Wiki](https://www.owasp.org)
- [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings)
- [Trusted types](https://developers.google.com/web/updates/2019/02/trusted-types)

## Q&A

1. Experience with a server taking too many requests?
   - Keep the same request on the server