CORS, XSS, CSRF, SQL injection #BackToTheBasics

Adrien Pessu (adrien@pessu.net)

Cross Origin Resource Sharing

Before

[diagram: client / server exchange without CORS]

CORS

[diagram: client / server exchange with CORS]

Preflight

[diagram: client / server preflight exchange]

Request headers

    Origin
    Access-Control-Request-Method
    Access-Control-Request-Headers

Response headers

    Access-Control-Allow-Origin
    Access-Control-Allow-Credentials
    Access-Control-Expose-Headers
    Access-Control-Max-Age
    Access-Control-Allow-Methods
    Access-Control-Allow-Headers

Config

    Origin: *

    😨

Config

    Origin: *google.com

    🤔

Config

    Origin: *google.com

    Origin: notgoogle.com
    😨

Config

    Origin: google.com*

    🤔

Config

    Origin: google.com*

    Origin: google.com.evil.com
    😨
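The two wildcard slides above say the same thing: `*google.com` also admits `notgoogle.com`, and `google.com*` also admits `google.com.evil.com`. The following example is added here and is not code from the deck; it contrasts that pattern-style check with an exact allow-list match of the full Origin value, and shows the preflight and simple-request response headers the deck lists. The allow-list contents, the function names and the `GET, POST` method set are assumptions made for the example.

```python
from fnmatch import fnmatchcase

# Constructed allow-list for this example: complete origins (scheme + host),
# compared for exact equality. No bare host names, no wildcard patterns.
ALLOWED_ORIGINS = {"https://google.com", "https://app.example.org"}


def naive_pattern_allows(origin_host, pattern):
    """The flawed check behind the frightened-face slides: a shell-style
    wildcard such as '*google.com' or 'google.com*' matched against the host."""
    return fnmatchcase(origin_host, pattern)


def strict_allows(origin):
    """Exact match of the whole Origin header value against the allow-list."""
    return origin in ALLOWED_ORIGINS


def cors_headers(request_headers):
    """Response headers for one request (dict of header name -> value).

    Returns {} for an untrusted origin: with no Access-Control-Allow-Origin
    the browser refuses to hand the response to the calling page.
    """
    origin = request_headers.get("Origin")
    if origin is None or not strict_allows(origin):
        return {}

    headers = {
        # Echo the trusted origin: "*" cannot be combined with credentials,
        # and echoing any origin unchecked would amount to "*" plus cookies.
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        # Shared caches must key on Origin, since the answer differs per origin.
        "Vary": "Origin",
    }

    # Preflight: the browser asked first (OPTIONS) with
    # Access-Control-Request-Method and, optionally, Access-Control-Request-Headers.
    if "Access-Control-Request-Method" in request_headers:
        requested = request_headers["Access-Control-Request-Method"]
        if requested not in ("GET", "POST"):   # assumed method policy
            return {}
        headers["Access-Control-Allow-Methods"] = "GET, POST"
        headers["Access-Control-Allow-Headers"] = request_headers.get(
            "Access-Control-Request-Headers", "")
        headers["Access-Control-Max-Age"] = "600"
    return headers
```

The point of `strict_allows` is that it compares the whole `Origin` string (scheme, host and port) for equality, so neither a prefix nor a suffix of a trusted host can slip through; `Vary: Origin` matters once the allowed origin is echoed, otherwise a cache may serve one origin's response to another.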

What’s the point?

Cross Site Scripting

Simple example

Example: React / Angular / Vue

Possible attack

Ways to defend

Content Security Policy

Cross-Site Request Forgery

[diagram: client / server exchange]

SQL injection

Form

<input/>

    // query built by string concatenation: the input becomes part of the SQL text
    const query = 'INSERT INTO subscriber VALUES (\'' + input.subscriber + '\');';

<input/>

    a@a.a'); DELETE FROM subscriber; SELECT ('1

<input/>

    INSERT INTO subscriber VALUES ('a@a.a');
    DELETE FROM subscriber;
    SELECT ('1');
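To show the concatenation above next to its fix, here is an added example that is not part of the deck; it uses Python's standard `sqlite3` module (in-memory database) rather than the JavaScript-style snippet on the slide. The table layout, the pre-existing row and the function names are constructed for the example; the payload string is the one from the slide.

```python
import sqlite3

# Input from the slide: the e-mail field closes the string literal and the
# statement, then appends further statements.
PAYLOAD = "a@a.a'); DELETE FROM subscriber; SELECT ('1"


def build_query_by_concatenation(subscriber):
    """The vulnerable construction from the slide, reproduced for comparison:
    user input is spliced into the SQL text itself."""
    return "INSERT INTO subscriber VALUES ('" + subscriber + "');"


def fresh_db():
    """Constructed one-column table with a single existing subscriber."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE subscriber (email TEXT)")
    conn.execute("INSERT INTO subscriber VALUES ('existing@example.org')")
    conn.commit()
    return conn


def insert_vulnerable(conn, subscriber):
    """Runs the concatenated text as a script (executescript accepts several
    statements, as many production drivers do). Returns the remaining row count,
    which is 0 for the slide's payload: the DELETE ran."""
    conn.executescript(build_query_by_concatenation(subscriber))
    return conn.execute("SELECT COUNT(*) FROM subscriber").fetchone()[0]


def insert_parameterized(conn, subscriber):
    """The fix: the SQL text is constant and the value is bound separately, so
    quotes and semicolons inside it are just characters of the stored string.
    Returns the row count, which grows by exactly one."""
    conn.execute("INSERT INTO subscriber VALUES (?)", (subscriber,))
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM subscriber").fetchone()[0]


def stored_emails(conn):
    """Rows currently in the table, sorted, for inspection."""
    return [row[0] for row in conn.execute("SELECT email FROM subscriber ORDER BY email")]
```

With the parameterized version the whole payload, semicolons included, ends up as one odd-looking but harmless e-mail value; escaping or quoting the input by hand is not an alternative to binding it, because the fix relies on the driver keeping code and data apart rather than on any transformation of the string.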

Thank you