“These courses expect a high standard of professionalism from their students with regard to how security testing is conducted. We expect all students to act in good faith at all times […]”
TL;DR Don’t be mean
✅ Report 1
teehee report 2 is out
What is an origin?
http://www.website.com:80
origin = scheme + host + port
What is a site?
http://www.website.com:80
https://mobile.website.com:443
ftp://f.website.com:21
site = private_domain + public_suffix
http://www.website.com:80
origin = scheme + host + port
site = private_domain + public_suffix
site = domain
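The two definitions above, worked through in code as an added example (not part of the original slides): `origin()` and `site()` follow the slide formulas, and the same-origin / same-site checks show that the three URLs from the previous slides are three different origins but one site. The `PUBLIC_SUFFIXES` set is a constructed stand-in for the real Public Suffix List (which also has wildcard and exception rules), so the example runs offline.

```javascript
// Added example, not from the slides. Assumption: a tiny hand-picked subset
// of the Public Suffix List (https://publicsuffix.org) stands in for the real list.
const PUBLIC_SUFFIXES = new Set(["com", "org", "co.uk", "github.io"]);

// The URL parser drops default ports; the origin tuple still includes them.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ftp:": "21" };

// origin = scheme + host + port
function origin(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return `${u.protocol}//${u.hostname}:${port}`;
}

// site = private_domain + public_suffix (the longest known public suffix
// plus the one label in front of it, often called eTLD+1). Per the slides
// the scheme is not part of the site; current browsers additionally compare
// the scheme ("schemeful same-site").
function site(urlString) {
  const labels = new URL(urlString).hostname.split(".");
  // Longest candidate suffix first: for a.b.co.uk try "b.co.uk", then "co.uk", then "uk".
  for (let i = 1; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return labels.slice(i - 1).join(".");
    }
  }
  return null; // no known public suffix (e.g. "localhost"): no site
}

function sameOrigin(a, b) {
  return origin(a) === origin(b);
}

function sameSite(a, b) {
  const sa = site(a);
  const sb = site(b);
  return sa !== null && sa === sb;
}

// The three URLs from the slides: different origins, one site.
const slideUrls = [
  "http://www.website.com:80",
  "https://mobile.website.com:443",
  "ftp://f.website.com:21",
];
for (const u of slideUrls) {
  console.log(`${u} -> origin ${origin(u)} | site ${site(u)}`);
}
```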
Access-Control-* headers
“Only pages from the same origin are allowed to use the response content”
“If I need to be on the allow list, then will my Python / Node.js / etc. script still work?”
JSON with Padding
// Request: http://website.com/request?callbackName=response
// Response body (loaded as a script, so it runs with the caller's callback):
response({data...})
Let’s make a server ~
Q. Does every program respect CORS?
(A. no)
“Heyyyy, look here 🥺 👉👈”
Tricking a user into performing an operation that they don’t intend
e.g. Lecture Slide 25
Stop CSRF attempts by supplying the user with a single-use ‘nonce’ value.
Can’t forge a request if you don’t know the nonce beforehand… sort of…
CSRF vs XSS
Generally XSS is performed in the background
(since it’s a script exploit)
Click on ? 🙄
An overlay (possibly hidden or transparent) with a higher z-index than a form control (e.g. a submit button)
When the user “clicks” on the button, they instead click on something else.
Or maybe the other way around?
A fake form that sits on top of a form. Causes the user to unintentionally interact with the legitimate form.
i.e. switch the Yes / No buttons around?
(pointer-events)
Note: The legitimate form can be in an iframe
Some extensions / JS magic can help to prevent clickjacking attempts.
X-Frame-Options
XSS
HTML Injection
<script> -> JS injection
Some element tags are paired: <div>...</div>
Some are not… <img>
What if we just added <s> without closing it?
Mitigation?
Nothing for this week :)