(In)security in client-side components of web applications - UMA Hackers Week 2015
TRANSCRIPT
(In)security in client-side components of web applications
UMA Hackers Week, Málaga, 24 March 2015
Enrique Rando González
Before
Now...
Before...
Source: http://reports.its.uiowa.edu/farewell-old-friend
Now...
Client environment
<script>
  for (var i = 1; i < p.size; i++) {
    ……...
  }
</script>
And this is where the problems begin
HTTP (1)
GET http://webserver.example.com/aplicacion/mensajes.php?orden=carga_mensaje&id=7 HTTP/1.1
Accept: */*
Referer: http://webserver.example.com/aplicacion/mensajes.php
Accept-Language: es-ES
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Proxy-Connection: Keep-Alive
DNT: 1
Cookie: PHPSESSID=aaltjlqrnj63452rq5skj1fvf0
Host: webserver.example.com
HTTP (2)
HTTP/1.1 200 OK
Date: Thu, 12 Mar 2015 23:39:09 GMT
Server: Apache/2.4.10 (Win32) OpenSSL/1.0.1i PHP/5.6.3
X-Powered-By: PHP/5.6.3
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 431
Content-Type: text/html; charset=UTF-8

{"id":"7","remite":"El usuario malicioso","asunto":"Cambio de fondo de escritorio","texto":"Hola. Hay un nuevo fondo de escritorio corporativo. Por favor visita el enlac...

Note that the body is JSON but is served as text/html: a browser opening this URL directly will render any markup a sender put into the message fields, and the only thing protecting the request is the session cookie, which the browser attaches no matter which page triggered it.
Demo
Creating / deleting / modifying records
Dictionary attacks
SOP - onload
Protections
● Constantly asking for the password again
● Constant warning messages
● Use of HTTP headers (Origin / Referer)
● …
● Anti-CSRF tokens
Demo 4
Corporate logos
Creating admin accounts
Protections
Don't let yourself be put in an IFRAME
● Scripts
● HTTP headers
● Warnings
if (self != top) {
  top.location.href = self.location.href;
}
X-Frame-Options: SAMEORIGIN // DENY // ALLOW-FROM uri
The frame-busting script is only a fallback: a framing page can neutralise it (for example with a sandboxed iframe that forbids top navigation), so the header is the protection to rely on, and ALLOW-FROM was never implemented by every browser.
Demo
Hello, world
Storing
DOM
Data access
Final notes
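What the "Hello, world" / DOM / data access demos turn on is whether server data reaches the page as markup or as text. The following is an added example, not code from the talk, that renders the inbox JSON from the HTTP slides both ways so the difference can be checked offline in Node.js; the sample message, the optional enlace field and the function names are assumptions, while the field names id, remite, asunto and texto are the ones in the slides' response.

```javascript
// Added example, not code from the talk: rendering the inbox JSON from the
// HTTP slides on the client. The sample message, the optional `enlace` field
// and the function names are assumptions; the field names id, remite,
// asunto and texto are the ones in the slides' response.

// Constructed sample with a payload a "malicious user" could have stored in
// the message text. The server returns it verbatim; the client decides
// whether it becomes markup or text.
const sampleMessage = {
  id: '7',
  remite: 'El usuario malicioso',
  asunto: 'Cambio de fondo de escritorio',
  texto: 'Hay un nuevo fondo: <img src=x onerror="alert(document.cookie)"> ' +
         'o visita <a href="javascript:alert(1)">el enlace</a>',
};

// Insecure rendering (the usual innerHTML pattern): fields are concatenated
// straight into markup, so any HTML inside the message runs in the victim's
// origin with the victim's session.
function renderMessageUnsafe(m) {
  return `<div class="msg" data-id="${m.id}">` +
         `<b>${m.remite}</b>: ${m.asunto}<p>${m.texto}</p></div>`;
}

// Escape the characters that can change HTML context, for element content
// and for double-quoted attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, c => map[c]);
}

// Resolve a link against the app's own origin and keep only http(s); a
// javascript: or data: URL in an href is an XSS vector that escaping alone
// does not remove.
function safeHref(url) {
  if (url === undefined || url === null || url === '') return null;
  try {
    const u = new URL(String(url), 'http://webserver.example.com/');
    return u.protocol === 'http:' || u.protocol === 'https:' ? u.href : null;
  } catch (e) {
    return null;
  }
}

// Hardened rendering: every field is escaped, and a link is emitted only
// when it passed safeHref. In a browser, textContent / createElement give
// the same guarantee without string building.
function renderMessageSafe(m) {
  const href = safeHref(m.enlace);
  const link = href
    ? ` <a href="${escapeHtml(href)}">${escapeHtml(href)}</a>`
    : '';
  return `<div class="msg" data-id="${escapeHtml(m.id)}">` +
         `<b>${escapeHtml(m.remite)}</b>: ${escapeHtml(m.asunto)}` +
         `<p>${escapeHtml(m.texto)}${link}</p></div>`;
}
```

The same rule applies to anything stored client-side (localStorage, cookies) and read back into the DOM later: data that was text when it was saved is still text, and must be inserted with textContent or escaped before it is inserted as HTML.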
Protections
Content Security Policy
Content-Security-Policy: default-src 'none'; script-src 'self' webserver1.example.com; object-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self'; media-src 'self' *.youtube.com; frame-src 'self'; font-src 'self'; connect-src 'self'
(The header value is sent without surrounding quotes; quotes belong only around keywords such as 'self' and 'none'.)
Write good code...
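The CSP on this slide and the anti-framing headers on the IFRAME slide are both a matter of getting a header value exactly right, so here is an added example, not code from the talk, that serialises the slide's policy, lints it for the settings that commonly make a CSP useless, and emits X-Frame-Options together with its CSP equivalent. The directive values are the slide's own; the function names, the severity labels and the merged-header layout are assumptions.

```javascript
// Added example, not code from the talk: serialising and linting the CSP from
// the slide and emitting the anti-framing headers from the IFRAME slide.
// The directive values are the slide's; function names and the severity
// labels are assumptions.

// The slide's policy as a directive -> source-list map (insertion order kept).
const slidePolicy = {
  'default-src': ["'none'"],
  'script-src': ["'self'", 'webserver1.example.com'],
  'object-src': ["'self'"],
  'style-src': ["'self'", "'unsafe-inline'"],
  'img-src': ["'self'"],
  'media-src': ["'self'", '*.youtube.com'],
  'frame-src': ["'self'"],
  'font-src': ["'self'"],
  'connect-src': ["'self'"],
};

// Header value: directives separated by "; ", no surrounding quotes.
function buildCsp(policy) {
  return Object.entries(policy)
    .map(([directive, sources]) => `${directive} ${sources.join(' ')}`)
    .join('; ');
}

// Flag the settings that most often leave a CSP with no teeth against XSS.
function lintCsp(policy) {
  const findings = [];
  if (!policy['default-src']) {
    findings.push({ severity: 'high', msg: 'no default-src: every fetch directive left out is unrestricted' });
  }
  for (const [directive, sources] of Object.entries(policy)) {
    const scriptLike = directive === 'script-src' || directive === 'default-src';
    if (scriptLike && sources.includes("'unsafe-inline'")) {
      findings.push({ severity: 'high', msg: `${directive} allows 'unsafe-inline': injected inline script still runs` });
    }
    if (scriptLike && sources.includes("'unsafe-eval'")) {
      findings.push({ severity: 'high', msg: `${directive} allows 'unsafe-eval'` });
    }
    if (sources.some(s => s === '*' || /^https?:$/.test(s))) {
      findings.push({ severity: 'high', msg: `${directive} allows any host` });
    }
    if (!scriptLike && sources.includes("'unsafe-inline'")) {
      findings.push({ severity: 'low', msg: `${directive} allows 'unsafe-inline'` });
    }
  }
  if (!policy['frame-ancestors']) {
    findings.push({ severity: 'medium', msg: 'no frame-ancestors: framing is left to X-Frame-Options alone' });
  }
  return findings;
}

// mode: 'deny', 'sameorigin', or the one origin allowed to frame the page.
// Both headers are sent: X-Frame-Options for older browsers, frame-ancestors
// for those that implement CSP level 2 (ALLOW-FROM was never universal).
function antiFramingHeaders(mode) {
  if (mode === 'deny') {
    return { 'X-Frame-Options': 'DENY', csp: "frame-ancestors 'none'" };
  }
  if (mode === 'sameorigin') {
    return { 'X-Frame-Options': 'SAMEORIGIN', csp: "frame-ancestors 'self'" };
  }
  const origin = new URL(mode).origin;
  return { 'X-Frame-Options': `ALLOW-FROM ${origin}`, csp: `frame-ancestors ${origin}` };
}

// Everything a response should carry, with one merged CSP header.
function securityHeaders(policy, framing) {
  const f = antiFramingHeaders(framing);
  return {
    'X-Frame-Options': f['X-Frame-Options'],
    'Content-Security-Policy': `${buildCsp(policy)}; ${f.csp}`,
  };
}
```

Run against the slide's policy, the linter reports nothing severe: 'unsafe-inline' appears only in style-src, and the one gap is the absent frame-ancestors, which is exactly what the X-Frame-Options header on the earlier slide covers for browsers that do not yet honour it.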
Thank you very much