50 slides for improving the security of your service
Константин Заваров (Konstantin Zavarov)

Web application vulnerability testing


Wooyun, HackerOne

(image: The Pennsylvania State University - www.psu.edu)

~ 50%

PR …

QA

QA vs Dev

web-…

XSS, SQL Injection

Top-3

Same Origin Policy

DOM-…

Same Origin Policy …

Cross-Site Request Forgery (CSRF): GOODSITE vs BAD SITE

CSRF video example

(CSRF)

CSRF: …

BruteForce

… / email

4 digits?

BruteForce

2016-05-16 14:48:53 … 2016-05-16 14:57:41: Code is - 3845; password: new_password

SSL

Man-in-the-middle: …

Injections

Injections (Content Spoofing)

Cross-Site Scripting

Cross-Site Scripting: XSS …, XSS …, BeEF, Metasploit

Open Redirect (URL Redirector Abuse)

Clickjacking

callbackhunter, onlineconsultant, social plugins, …

HTTPS: send the HTTP header Strict-Transport-Security: max-age=31536000; HSTS preload list: www.chromium.org/hsts. Check the HTTPS / SSL configuration (…, …, e.g. www.ssllabs.com/ssltest/).

Password strength: zxcvbn (https://github.com/dropbox/zxcvbn). Login: … email / …. Captcha: …, Google ReCaptcha (simple captchas are broken by OCR in 3-5 …, www.free-ocr.com). Timeout 13-15 …; POST, HTTP = 200 (…; IP; …; …; …).
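The BruteForce slides above show a 4-digit reset code that stays valid for minutes, and this slide lists the counter-measures (attempt limits, timeouts, captcha after N failures). The following is an added example, not code from the talk: a reset-code store that burns a code after a few wrong guesses, locks an IP after a burst of failures, compares in constant time, and an attacker loop that shows how far a brute force gets. The limits, route names and the account/IP strings are assumptions.

```python
import hmac
import secrets
import time

# Constructed example of a reset-code flow like the one in the deck's
# "Code is - 3845" screenshot. All limits and names below are assumptions.
CODE_DIGITS = 4
MAX_ATTEMPTS_PER_CODE = 5       # wrong guesses before the code is burned
MAX_FAILURES_PER_IP = 20        # wrong guesses before the IP is locked out
LOCKOUT_SECONDS = 15 * 60


def guess_probability(digits: int, attempts: int) -> float:
    """Chance that an attacker with `attempts` guesses hits a uniformly random code."""
    return min(1.0, attempts / 10 ** digits)


class ResetCodeStore:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.codes = {}        # account -> (code, attempts_left)
        self.ip_failures = {}  # ip -> (failure_count, first_failure_time)

    def issue(self, account: str) -> str:
        # secrets, not random: the code must be unpredictable
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self.codes[account] = (code, MAX_ATTEMPTS_PER_CODE)
        return code

    def _ip_locked(self, ip: str) -> bool:
        count, first = self.ip_failures.get(ip, (0, None))
        if first is None:
            return False
        if self.clock() - first >= LOCKOUT_SECONDS:
            del self.ip_failures[ip]   # window expired, start counting afresh
            return False
        return count >= MAX_FAILURES_PER_IP

    def _record_failure(self, ip: str) -> None:
        count, first = self.ip_failures.get(ip, (0, self.clock()))
        self.ip_failures[ip] = (count + 1, first)

    def verify(self, account: str, ip: str, submitted: str) -> str:
        """Return 'ok', 'bad', 'expired' (no live code for the account) or 'locked'."""
        if self._ip_locked(ip):
            return "locked"
        entry = self.codes.get(account)
        if entry is None:
            self._record_failure(ip)
            return "expired"
        code, attempts_left = entry
        # constant-time compare: no timing hint about how many digits matched
        if hmac.compare_digest(code, submitted):
            del self.codes[account]  # single use
            return "ok"
        self._record_failure(ip)
        attempts_left -= 1
        if attempts_left == 0:
            del self.codes[account]  # burn it; the user must request a new code
            return "expired"
        self.codes[account] = (code, attempts_left)
        return "bad"


def brute_force(store: ResetCodeStore, account: str, ip: str):
    """Attacker loop: try every code in order until the server stops answering 'bad'.
    Returns (number of attempts made, last server answer)."""
    for n in range(10 ** CODE_DIGITS):
        result = store.verify(account, ip, f"{n:0{CODE_DIGITS}d}")
        if result != "bad":
            return n + 1, result
    return 10 ** CODE_DIGITS, "bad"
```

Without limits the attacker needs at most 10,000 requests for a 4-digit code; with five attempts per issued code the chance of a hit is 0.05 %, and the per-IP lockout stops the "request a new code and try again" loop as well. An attacker spreading guesses over many IPs is not stopped by this alone, which is why the per-code limit matters more than the per-IP one.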

Test every input with the XSS magic string ';!--"=&{()}. Send the HTTP header Cache-Control: private, no-cache, no-store, max-age=0.

(Capability URLs)

A URL with a secret token (e.g. a UUID). The UUID must not be md5(username). UUID … (…, …). UUID in the URL … HTTPS URL …

https://w3ctag.github.io/capability-urls/
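An added example for the capability-URL slide (not the talk's own code): the predictable "UUID" built from md5(username) next to a token from the OS CSPRNG, plus a store that makes the link single-use, expiring, and looked up by hash so a database leak does not hand out live links. The host, path, TTL and account names are assumptions.

```python
import hashlib
import secrets
import time

# Added example, not the deck's code. The host and path are assumptions.
BASE_URL = "https://example.com/reset/"


def weak_token(username: str) -> str:
    """What the deck warns against: a 'UUID' that is really md5(username).
    Anyone who knows the username can compute it; no secret is involved."""
    return hashlib.md5(username.encode()).hexdigest()


def strong_token() -> str:
    """32 bytes from the OS CSPRNG, URL-safe (43 chars, 256 bits of entropy).
    uuid.uuid4() would also do (122 random bits); uuid.uuid1() would not,
    since it is built from the clock and the MAC address."""
    return secrets.token_urlsafe(32)


class CapabilityStore:
    """Issues single-use, expiring capability URLs and looks them up by hash."""

    def __init__(self, ttl_seconds: int = 3600, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock
        self.by_hash = {}  # sha256(token) -> (account, expires_at)

    def create(self, account: str) -> str:
        token = strong_token()
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.by_hash[digest] = (account, self.clock() + self.ttl)
        return BASE_URL + token

    def redeem(self, url: str):
        """Return the account the URL grants access to, or None if it is unknown,
        already used, or expired."""
        if not url.startswith(BASE_URL):
            return None
        digest = hashlib.sha256(url[len(BASE_URL):].encode()).hexdigest()
        entry = self.by_hash.pop(digest, None)   # pop: the link works exactly once
        if entry is None:
            return None
        account, expires_at = entry
        if self.clock() > expires_at:
            return None
        return account
```

The token travels only inside an HTTPS URL; it still ends up in browser history and Referer headers, which is why the slide's single-use and short-TTL points matter as much as the entropy.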

Anti-CSRF: state-changing requests only via POST (not GET); anti-CSRF token.
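An added example, not the talk's code, of the GOODSITE / BAD SITE scenario from the CSRF slides and the two counter-measures listed here: a handler that refuses GET for the transfer action and checks a per-session anti-CSRF token, next to the legitimate submission and the two forged ones. Routes, field names and the session model are assumptions.

```python
import hmac
import re
import secrets

# Added example, not the deck's code. GOODSITE keeps a per-session anti-CSRF
# token; BAD SITE can make the victim's browser send cookies but cannot read
# the token out of GOODSITE's page. Routes and field names are assumptions.
SESSIONS = {}  # session cookie value -> {"user": ..., "csrf": ...}


def new_session(user: str) -> str:
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def render_transfer_form(sid: str) -> str:
    """GOODSITE embeds the session's token in its own form."""
    token = SESSIONS[sid]["csrf"]
    return (f'<form method="POST" action="/transfer">'
            f'<input type="hidden" name="csrf" value="{token}">'
            f'<input name="to"><input name="amount"></form>')


def handle(method: str, path: str, cookies: dict, form: dict):
    """GOODSITE request handler. Returns (status, body)."""
    sess = SESSIONS.get(cookies.get("session", ""))
    if sess is None:
        return 401, "login required"
    if path != "/transfer":
        return 404, "not found"
    if method != "POST":
        return 405, "state changes only via POST"      # no side effects on GET
    if not hmac.compare_digest(form.get("csrf", ""), sess["csrf"]):
        return 403, "missing or wrong anti-CSRF token"
    return 200, f"{sess['user']} sent {form['amount']} to {form['to']}"


def legitimate_transfer(sid: str):
    """Victim's browser submits GOODSITE's own form, token included."""
    page = render_transfer_form(sid)
    token = re.search(r'name="csrf" value="([^"]+)"', page).group(1)
    return handle("POST", "/transfer", {"session": sid},
                  {"csrf": token, "to": "alice", "amount": "10"})


def forged_get(sid: str):
    """BAD SITE: <img src="https://goodsite/transfer?to=mallory&amount=1000">.
    The browser attaches the session cookie on its own."""
    return handle("GET", "/transfer", {"session": sid},
                  {"to": "mallory", "amount": "1000"})


def forged_post(sid: str):
    """BAD SITE: an auto-submitting form. Cookies go along, the token does not;
    the attacker can only guess one."""
    return handle("POST", "/transfer", {"session": sid},
                  {"to": "mallory", "amount": "1000", "csrf": secrets.token_urlsafe(32)})
```

The token must be tied to the session (or derived from it with an HMAC) and compared in constant time; a site-wide constant would be readable from any page and defeat the check. Marking the session cookie SameSite=Lax is a useful second layer but does not replace the token.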

Clickjacking: X-Frame-Options: Deny; … / …? …

Injections

SQL: …, …, sqlmap. XSS: …, …, OWASP Xenotix.
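An added example covering both the manual test from the forms slide above (the XSS magic string ';!--"=&{()}) and this slide's two injection classes; it is not code from the talk. It shows a reflected-XSS triage check against an unescaped and an escaped page, and a login query written with string formatting next to the parameterised version, against an in-memory SQLite table. The page templates, table and rows are constructed for the demo.

```python
import html
import sqlite3

# Added example, not the deck's code. The magic string is the one from the deck;
# the page templates, table and rows are constructed for the demo.
XSS_MAGIC = "';!--\"=&{()}"


def vulnerable_search_page(q: str) -> str:
    return f"<p>Results for {q}</p>"                    # reflects input verbatim


def safe_search_page(q: str) -> str:
    # html.escape turns < > & " ' into entities, so none of the probe survives
    return f"<p>Results for {html.escape(q, quote=True)}</p>"


def reflects_unescaped(page_fn, probe: str = XSS_MAGIC) -> bool:
    """Manual XSS triage step: does every metacharacter come back untouched?"""
    return probe in page_fn(probe)


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, user: str, password: str) -> list:
    # String formatting: the user controls the SQL grammar, not just the values.
    sql = f"SELECT name FROM users WHERE name = '{user}' AND password = '{password}'"
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, user: str, password: str) -> list:
    # Bound parameters: the driver sends values separately from the query text.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (user, password))]
```

sqlmap automates what `login_vulnerable` demonstrates: `alice' --` comments out the password check, `' OR '1'='1` returns every row. With bound parameters the same strings are just unusual usernames. For XSS the escaping must match the context the value lands in (HTML body, attribute, JavaScript, URL); `html.escape` is the right tool for the first two only.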

XSS

Content-Security-Policy: script-src 'self'
Set-Cookie: …; secure; HttpOnly
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff

www.securityheaders.io
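An added example, not the talk's code, that checks a response the way www.securityheaders.io does for the headers recommended across the HTTPS, clickjacking and XSS slides (Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, cookie flags). The two sample header sets are constructed; the thresholds and finding texts are assumptions.

```python
import re

# Added example, not the deck's code. Header names are real;
# thresholds, wording and the sample responses are assumptions.
HSTS_MIN_AGE = 31536000  # one year, the value the deck uses


def _cookies(value):
    """Set-Cookie may repeat; accept a single string or a list of them."""
    return value if isinstance(value, list) else ([value] if value else [])


def _csp_directives(csp: str) -> dict:
    out = {}
    for part in csp.split(";"):
        words = part.split()
        if words:
            out[words[0].lower()] = [w.lower() for w in words[1:]]
    return out


def audit_headers(headers: dict) -> list:
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not m:
        findings.append("missing Strict-Transport-Security")
    elif int(m.group(1)) < HSTS_MIN_AGE:
        findings.append("Strict-Transport-Security max-age below one year")

    csp = _csp_directives(h.get("content-security-policy", ""))
    if not csp:
        findings.append("missing Content-Security-Policy")
    elif "'unsafe-inline'" in csp.get("script-src", csp.get("default-src", [])):
        findings.append("Content-Security-Policy allows 'unsafe-inline' scripts")

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("no clickjacking protection (X-Frame-Options or frame-ancestors)")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")

    for cookie in _cookies(h.get("set-cookie")):
        name = cookie.split("=", 1)[0].strip()
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "secure" not in attrs:
            findings.append(f"cookie {name} without Secure")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} without HttpOnly")
    return findings


# Constructed sample responses (not captured from any real site).
WEAK_RESPONSE = {"Set-Cookie": "session=abc; Path=/", "X-XSS-Protection": "0"}
HARDENED_RESPONSE = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Set-Cookie": ["session=abc; Path=/; Secure; HttpOnly; SameSite=Lax"],
}
```

X-XSS-Protection is deliberately not graded: it only drives the legacy reflected-XSS filter that current browsers have removed, so a strict script-src is what actually carries the XSS defence.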

OWASP Authentication Cheat Sheet (https://www.owasp.org/index.php/Authentication_Cheat_Sheet)
Dos and Don'ts of Client Authentication on the Web (https://pdos.csail.mit.edu/papers/webauth:sec10.pdf)
http://www.webappsec.org
http://seclists.org
https://www.seekurity.com
http://hackerone.com

?

[email protected] / zavarovkv / +7 968 6120490