- XSS (Cross Site Scripting) Prevention Cheat Sheet
- OWASP Top 10 for JavaScript – A2: Cross Site Scripting – XSS
[Diagram: an Evil site shows a "Click me!" button; the click triggers a "Delete something!" action on the Vulnerable site]
[Diagram: Attacker and Target]
http://www.thoughtcrime.org/software/sslstrip/
[Diagram: without an attacker, the user's browser requests www.onlinebank.com over plain HTTP (unprotected); the Online bank answers with a redirect to https://www.onlinebank.com, and that redirect itself travels unprotected; only the following connection to https://www.onlinebank.com is protected]
[Diagram: with an Attacker between the user and the Online bank, the user's browser requests www.onlinebank.com over plain HTTP (unprotected); the Attacker relays the request to https://www.onlinebank.com (protected) and receives the protected response; the Attacker rewrites https://www.onlinebank.com to http://www.onlinebank.com in that response and returns it to the user unprotected, so every further exchange between user and Attacker stays unprotected while Attacker and bank keep talking over HTTPS]
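The attack in the two diagrams works only because the user's first request leaves the browser over plain HTTP, which gives the attacker something to relay and strip. As an added example, not code from the slide deck and not the sslstrip code linked above, the following simplified model of browser-side HTTP Strict Transport Security (RFC 6797) shows why a returning visitor is no longer interceptable: once the browser has seen a `Strict-Transport-Security` header over HTTPS, it rewrites `http://www.onlinebank.com` to `https://` before the request is sent. The host names, header values and the `stripTls` rewrite are constructed for the example; the store models the parts of RFC 6797 needed to follow the diagram (max-age, includeSubDomains, expiry, ignoring the header over plain HTTP) and nothing more.

```javascript
// Added example (not from the slide deck): a simplified model of the browser's
// HSTS behaviour (RFC 6797) and of the attacker's rewriting in the diagrams above.
// Host names and header values are constructed for the example.

// Parse a Strict-Transport-Security header value into a policy record.
// Returns null when the header is malformed: max-age is mandatory, directive
// names are case-insensitive, unknown directives (e.g. preload) are ignored.
function parseHsts(headerValue) {
  let maxAge = null;
  let includeSubDomains = false;
  for (const raw of headerValue.split(';')) {
    const directive = raw.trim();
    if (!directive) continue;
    const parts = directive.split('=').map((s) => s.trim().replace(/^"|"$/g, ''));
    const name = parts[0].toLowerCase();
    const value = parts.length > 1 ? parts[1] : '';
    if (name === 'max-age') {
      if (!/^\d+$/.test(value)) return null;
      maxAge = Number(value);
    } else if (name === 'includesubdomains') {
      includeSubDomains = true;
    }
  }
  if (maxAge === null) return null;
  return { maxAge: maxAge, includeSubDomains: includeSubDomains };
}

class HstsStore {
  // `now` is injectable so expiry can be exercised deterministically.
  constructor(now = () => Date.now()) {
    this.now = now;
    this.entries = new Map(); // hostname -> { expires (ms), includeSubDomains }
  }

  // Record a policy from an HTTPS response. A header seen over plain HTTP is
  // ignored (RFC 6797 section 8.1); otherwise the attacker in the diagram could
  // simply inject max-age=0 into an unprotected response and evict the policy.
  observe(url, headerValue) {
    const u = new URL(url);
    if (u.protocol !== 'https:') return false;
    const policy = parseHsts(headerValue);
    if (!policy) return false;
    if (policy.maxAge === 0) {
      this.entries.delete(u.hostname);
      return true;
    }
    this.entries.set(u.hostname, {
      expires: this.now() + policy.maxAge * 1000,
      includeSubDomains: policy.includeSubDomains,
    });
    return true;
  }

  // Exact host first, then each parent domain that set includeSubDomains.
  isKnown(host) {
    const t = this.now();
    const labels = host.split('.');
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join('.');
      const e = this.entries.get(candidate);
      if (!e) continue;
      if (e.expires <= t) { this.entries.delete(candidate); continue; }
      if (i === 0 || e.includeSubDomains) return true;
    }
    return false;
  }

  // The step that breaks the attack: a plain-HTTP URL for a known HSTS host is
  // rewritten to HTTPS before any request leaves the browser, so the
  // "unprotected" request in the diagram is never sent. URL normalises the
  // default port away, so http://host/ becomes https://host/ on 443.
  upgrade(url) {
    const u = new URL(url);
    if (u.protocol === 'http:' && this.isKnown(u.hostname)) u.protocol = 'https:';
    return u.toString();
  }
}

// The attacker's side of the diagram, reduced to its idea: every https:// in a
// protected response (redirect or link) is turned into http:// before it reaches
// the user, so the user's side of the session never leaves plain HTTP.
function stripTls(responseText) {
  return responseText.replace(/https:\/\//gi, 'http://');
}

// Walk the diagram once for a first-time visitor (no cached policy) and once for
// a returning visitor whose browser already holds the bank's HSTS policy.
function simulate(hasVisitedOverHttps) {
  const store = new HstsStore();
  if (hasVisitedOverHttps) {
    store.observe('https://www.onlinebank.com/', 'max-age=31536000; includeSubDomains');
  }
  const sent = store.upgrade('http://www.onlinebank.com/');
  if (sent.startsWith('https://')) {
    return { requestSent: sent, interceptable: false, locationSeenByUser: null };
  }
  // Plain HTTP went out: the attacker relays it and strips the bank's redirect.
  const bankRedirect = 'Location: https://www.onlinebank.com/login';
  return { requestSent: sent, interceptable: true, locationSeenByUser: stripTls(bankRedirect) };
}
```

The first visit is the remaining weakness of this model: nothing protects the request that happens before the browser has ever seen the header, which is why a long `max-age` and, for the real thing, preloading the host in browsers matter.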
Security "for free" through HTTP headers