- Tune the recorded test case
- Run test case with exported HTML document
- Test case alternatives
  - AutoPosting Forms
  - Evil iFrame
  - IMG Tag
  - XMLHTTPRequest
  - Link

OWASP

DEMO: OWASP CSRFTester

What Can Attackers Do with CSRF?
- Anything an authenticated user can do
  - Click links
  - Fill out and submit forms
  - Follow all the steps of a wizard interface
- No restriction from same origin policy, except…
  - Attackers cannot read responses from other origins
  - Limited on what can be done with data
- Severe impact on accountability
  - Log entries reflect the actions a victim was tricked into executing

Using CSRF to Attack Internal Pages
[Diagram; only its labels survive extraction: "Allowed!", "CSRF TAG", "Internal Site", "internal browser"]

Misconceptions – Defenses That Don’t Work
- Only accept POST
  - Stops simple link-based attacks (IMG, frames, etc.)
  - But hidden POST requests can be created with frames, scripts,