Aaron Bloomfield (aaron@virginia.edu)
<!doctype html>
<html>
<head>
<title>Basic page</title>
<link rel="stylesheet" href="style.css">
<script src="scripts.js"></script>
</head>
<body>
<p>Hello world!</p>
</body>
</html>
body {
background-color: rgb(80,130,190);
}
p {
text-align: justify;
text-decoration: underline;
}
XMLHttpRequest() function:
<VirtualHost *:80>
DocumentRoot /var/www/html/
</VirtualHost>
<VirtualHost *:80>
ServerName example.com
DocumentRoot /var/www/example.com/
</VirtualHost>
GET /path/to/index.php?userid=mst3k&which=1&value=no HTTP/1.1
Host: www.example.com
...
POST /path/to/index.php HTTP/1.1
Host: www.example.com
...
userid=mst3k&which=1&value=no
HTTP/1.0 200 OK
Content-type: text/html
Set-Cookie: name=Chris
Set-Cookie: account=123456
GET /account.html HTTP/1.1
Host: www.example.com
Cookie: name=Chris; account=123456
REMOTE_USER
session cookie
When an HTML page is parsed, the DOM tree is formed; JavaScript interacts with the DOM
function loadDoc() {
var xhttp = new XMLHttpRequest();
xhttp.onreadystatechange = function() {
if (this.readyState == 4 && this.status == 200) {
document.getElementById("demo").innerHTML =
this.responseText;
}
};
xhttp.open("GET", "ajax_info.txt", true);
xhttp.send();
}
XMLHttpRequest()
Access-Control-Allow-Origin: https://www.example.com
<!doctype html>
<html>
<head>
<title>Basic page</title>
</head>
<body>
<p>Hello world!</p>
</body>
</html>
<!doctype html>
<html>
<head>
<title>Basic web page</title>
<script>
var balance=1;
</script>
</head>
<body>
<p>Hello Aaron!</p> <!-- name from user input -->
<p>Your account balance is
<!-- newly added code follows -->
<script>
document.write(balance);
</script>
</p>
</body>
</html>
Output: Hello Aaron! Your account balance is 1
http://www.nowhere.abc/printinfo.php?name=Aaron
<script>\nbalance=1000000;\n</script>Aaron
(\n is a newline, which can also be represented as '%0a')
<!doctype html>
<html>
<head>
<title>Basic web page</title>
<script>
var balance=1;
</script>
</head>
<body>
<p>Hello <script>
balance=1000000;
</script>Aaron!</p>
<p>Your account balance is
<script>
document.write(balance);
</script>
</p>
</body>
</html>
Output: Hello Aaron! Your account balance is 1000000
http://www.nowhere.abc/printinfo.php?name=<script>\nbalance=1000000;\n</script>Aaron
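An added example, not from the slides, that reproduces the printinfo.php flow above in Python: the name parameter is percent-decoded from the URL (so %3c, %3e and %0a become <, > and a newline), pasted into the page unescaped the way the slide's page does, and then rendered again with HTML escaping, which is the fix. The host www.nowhere.abc is the slide's made-up host, and the template and helper names are this example's own.

```python
import html
from urllib.parse import urlsplit, unquote

# Constructed URLs modelled on the slide's printinfo.php example. The host is
# the slide's made-up www.nowhere.abc, not a real site.
BENIGN_URL = "http://www.nowhere.abc/printinfo.php?name=Aaron"
ATTACK_URL = ("http://www.nowhere.abc/printinfo.php"
              "?name=%3cscript%3e%0abalance=1000000;%0a%3c/script%3eAaron")

# The slide's page, with the user-supplied name as the only variable part.
PAGE_TEMPLATE = """<!doctype html>
<html><head><title>Basic web page</title>
<script>var balance=1;</script></head>
<body><p>Hello {name}!</p>
<p>Your account balance is <script>document.write(balance);</script></p>
</body></html>"""


def name_from_url(url):
    """Pull the 'name' query parameter out of the URL and percent-decode it,
    so %3c/%3e become < and > and %0a becomes a newline."""
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        if key == "name":
            return unquote(value)
    return ""


def render_vulnerable(name):
    """Mirrors the slide's server: the input lands in the markup unchanged."""
    return PAGE_TEMPLATE.format(name=name)


def render_hardened(name):
    """Same page, but the input is escaped for an HTML element-content context."""
    return PAGE_TEMPLATE.format(name=html.escape(name, quote=True))


def script_tag_count(page):
    """The template itself contains exactly two <script> tags; a third one means injection."""
    return page.lower().count("<script")


if __name__ == "__main__":
    payload = name_from_url(ATTACK_URL)
    print(repr(payload))
    print("vulnerable:", script_tag_count(render_vulnerable(payload)))  # 3
    print("hardened:  ", script_tag_count(render_hardened(payload)))    # 2
```

Escaping is context-specific: html.escape is the right tool for element content and quoted attribute values, but data placed inside a script block, a URL or a CSS value needs the encoding for that context instead.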
<!DOCTYPE html>
<html><head>
<title>Target destination page</title>
</head>
<body>
<h2>Target destination page</h2>
<p>The GET variables are:</p>
<ul>
<?php
$keys = array_keys($_GET);
asort($keys);
foreach ($keys as $k)
echo "<li><b>$k:</b> " . $_GET[$k] . "</li>";
?>
</ul>
<p>The POST variables are:</p>
<ul>
<?php
$keys = array_keys($_POST);
asort($keys);
foreach ($keys as $k)
echo "<li><b>$k:</b> " . $_POST[$k] . "</li>";
?>
</ul>
<p>The SERVER variables are:</p>
<ul>
<?php
$keys = array_keys($_SERVER);
asort($keys);
foreach ($keys as $k)
echo "<li><b>$k:</b> " . $_SERVER[$k] . "</li>";
?>
</ul>
</body></html>
<iframe id="A" style="width:100%;height:400px"
src="//www.xkcd.com"></iframe>
We can stack one iframe on top of another:
<style>
#A { width:100%; height:600px;
max-height:unset; max-width:unset;
position:absolute; left:100px; top:100px; }
#B { width:100%; height:600px;
max-height:unset; max-width:unset;
position:absolute; left:200px; top:200px; }
</style>
<iframe id="A" src="//www.xkcd.com"></iframe>
<iframe id="B" src="//nasa.gov"></iframe>
<iframe><html><body><p>hello world</p></body></html></iframe>
Replacing < with %3c, and > with %3e:
data:text/html;charset=utf-8,%3chtml%3e%3cbody%3e%3cp%3ehello world%3c/p%3e%3c/body%3e%3c/html%3e
<iframe src="..."></iframe>
<form action='//www.cs.virginia.edu/~asb2t/target.php?get_param=foo'
method='POST'>
<input type='hidden' id='post_param' name='postparam' value='bar'>
<input type='submit' value='click me! click me!'>
</form>
frame-ancestors directive
X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors <source>;
Content-Security-Policy: frame-ancestors <space separated list of sources>;
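The two headers above are what a server sends to control who may frame it. As an added example (not from the slides) the Python below is a small policy evaluator for those headers: it applies the rule that a CSP frame-ancestors directive, when present, takes precedence over X-Frame-Options, resolves 'self', 'none', scheme-only and *.host wildcard sources, and checks every level of nesting. The page origin, the partner and attacker origins and the POLICIES table are all constructed for the example; ports are ignored to keep the matcher short.

```python
from urllib.parse import urlsplit


def _source_matches(origin, source):
    """Match one frame-ancestors source expression against an ancestor origin.
    Supports '*', scheme-only sources (https:), host sources with a leading
    '*.' wildcard and full origins. Ports are ignored in this simplified matcher."""
    if source == "*":
        return True
    o = urlsplit(origin)
    if source.endswith(":") and "/" not in source:        # e.g. https:
        return o.scheme == source[:-1].lower()
    s = urlsplit(source if "://" in source else "//" + source)
    if s.scheme and s.scheme != o.scheme:
        return False
    host = (s.hostname or "").lower()
    ancestor_host = (o.hostname or "").lower()
    if host.startswith("*."):
        return ancestor_host.endswith(host[1:])          # '*.example.com' -> '.example.com'
    return host == ancestor_host


def framing_allowed(headers, page_origin, ancestors):
    """May a page served with `headers` from `page_origin` be shown inside frames
    whose documents have the origins in `ancestors` (every level of nesting)?
    CSP frame-ancestors, when present, takes precedence over X-Frame-Options."""
    lower = {k.lower(): v for k, v in headers.items()}
    for directive in lower.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [p.strip("'") for p in parts[1:]]
            if not sources or sources == ["none"]:
                return False
            expanded = [page_origin if s == "self" else s for s in sources]
            return all(any(_source_matches(a, s) for s in expanded) for a in ancestors)
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return all(a == page_origin for a in ancestors)
    return True                                            # no policy at all: anyone may frame it


# Constructed sample: the slide's headers applied to a page at a made-up origin.
PAGE = "https://www.example.com"
POLICIES = {
    "none":         {},
    "xfo-deny":     {"X-Frame-Options": "DENY"},
    "xfo-same":     {"X-Frame-Options": "SAMEORIGIN"},
    "csp-self":     {"Content-Security-Policy": "frame-ancestors 'self' https://partner.example;"},
    "csp-wildcard": {"Content-Security-Policy": "frame-ancestors https://*.example.com"},
    "csp-none":     {"Content-Security-Policy": "frame-ancestors 'none'",
                     "X-Frame-Options": "SAMEORIGIN"},     # CSP wins: not even same-origin framing
}


def evaluate(policy_name, ancestors):
    """Evaluate one named policy from POLICIES for the given chain of framing origins."""
    return framing_allowed(POLICIES[policy_name], PAGE, ancestors)


if __name__ == "__main__":
    for name in POLICIES:
        print(name, evaluate(name, ["https://attacker.example"]),
              evaluate(name, ["https://www.example.com"]))
```

The nested case matters in practice: a trusted partner page that is itself framed by an untrusted site is still a clickjacking vector, which is why frame-ancestors is checked against every ancestor rather than only the nearest one.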
<form action="https://example.com/post.php" method="post">
<input type="hidden" name="title" value="abcd">
<input type="hidden" name="content"
value="Lorem.ipsum">
<input type="submit" value="Submit">
</form>
With an included CSRF token:
<form action="/form.php">
First name: <input type="text" name="firstname">
Last name: <input type="text" name="lastname"><br>
<input type="hidden" name="csrf_token"
value="5AEF1xArSLLcoQQJrNkuaRs9tsSb8C8aFm">
<input type="submit" value="Submit">
</form>
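An added example, not from the slides, of the server side of the token form above in Python: a per-session token is generated with the secrets module, embedded in the rendered form, and checked with a constant-time comparison when post.php receives the submission. The demo function plays both a legitimate submit and the cross-origin auto-submit of the slide's hidden form, where the browser still sends the victim's cookie but the forged body carries no token. The session store, the user name Chris and the field names are constructed for the example; this is a generic synchronizer-token implementation, not Django's.

```python
import hmac
import secrets

# In-memory session store keyed by the session cookie value (constructed
# stand-in for the real application's session backend).
SESSIONS = {}


def start_session(user="Chris"):
    """Log a user in: create a session and a per-session CSRF token.
    Returns the value the server would put in a Set-Cookie: session=... header."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def render_form(sid):
    """The slide's post form, with the session's token in a hidden field
    (synchronizer token pattern: the token is valid for this session only)."""
    token = SESSIONS[sid]["csrf_token"]
    return (
        '<form action="https://example.com/post.php" method="post">\n'
        '<input type="hidden" name="title" value="abcd">\n'
        '<input type="hidden" name="content" value="Lorem.ipsum">\n'
        f'<input type="hidden" name="csrf_token" value="{token}">\n'
        '<input type="submit" value="Submit">\n'
        '</form>'
    )


def parse_form_body(body):
    """Split an application/x-www-form-urlencoded body into a dict."""
    fields = {}
    for pair in body.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            fields[key] = value
    return fields


def parse_cookie_header(header):
    """Turn 'name=Chris; session=abc' into a dict."""
    cookies = {}
    for part in header.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            cookies[key] = value
    return cookies


def handle_post(cookie_header, body):
    """Server side of post.php. The cookie identifies the session; the token
    proves the request was built from a form this server rendered for that
    session, which a page on another origin cannot read."""
    session = SESSIONS.get(parse_cookie_header(cookie_header).get("session", ""))
    if session is None:
        return 401, "no valid session"
    submitted = parse_form_body(body).get("csrf_token", "")
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403, "CSRF token missing or wrong"
    return 200, f"posted as {session['user']}"


def demo():
    """Returns (status of a legitimate submit, status of a forged cross-site submit)."""
    sid = start_session()
    cookie = f"session={sid}"            # the browser attaches this to every request to the site
    token = SESSIONS[sid]["csrf_token"]  # only a page served by the site can embed it
    legit = handle_post(cookie, f"title=abcd&content=Lorem.ipsum&csrf_token={token}")[0]
    # The slide's hidden form auto-submitted from another origin: the browser still
    # sends the victim's cookie, but the attacker's page cannot fill in the token.
    forged = handle_post(cookie, "title=abcd&content=Lorem.ipsum")[0]
    return legit, forged


if __name__ == "__main__":
    print(demo())  # (200, 403)
```

The token is compared with hmac.compare_digest rather than == so that a wrong token takes the same time to reject whatever prefix it shares with the real one; the cookie on its own never authorises a state change, which is the whole point of the pattern.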
csrf_token from the previous slide was based on what Django provides
automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program
- Wikipedia
git clone https://github.com/google/AFL
pip3 install python-afl
import sys, os
import afl

def testFunctionThatCouldCrash(x, y):
    # define function here that could crash
    pass

afl.init()  # start the fork server; the input is read only after this point
# read in x,y from the fuzzer-supplied input (one value per line on stdin)
lines = sys.stdin.buffer.read().split(b"\n")
x = lines[0] if len(lines) > 0 else b""
y = lines[1] if len(lines) > 1 else b""
testFunctionThatCouldCrash(x, y)
os._exit(0)
int f() {
    /* ... */
    int y = read();    /* read() stands for "a value that comes from outside the program" */
    int z = y * 2;
    if (z == 12) {
        fail();        /* the branch a fuzzer or symbolic executor is trying to reach */
    } else {
        printf("OK");
    }
}
y (and thus z) can have any value
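An added example, not from the slides and not using python-afl, that shows in plain Python why AFL's coverage feedback matters and where it stops helping. The toy target checks four magic bytes one at a time and then performs the slide's y = read(); z = y * 2; if (z == 12) fail() on the next byte. Blind random fuzzing almost never gets through the magic bytes; the coverage-guided loop keeps every input that reaches a branch not seen before and mutates from that corpus, so it climbs the checks one at a time. The remaining single comparison z == 12 still gives no feedback at all, which is the gap symbolic execution fills by treating y as unconstrained. The target, the branch ids and the mutation strategy are constructed for the example.

```python
import random


class Crash(Exception):
    """Raised where the slide's program would call fail()."""


MAGIC = b"fuzz"


def target(data, trace):
    """Toy program under test. `trace` records which branch ids ran: a stand-in
    for the edge-coverage map AFL gets from compile-time instrumentation."""
    for i, magic in enumerate(MAGIC):
        if i >= len(data) or data[i] != magic:
            trace.add(("reject", i))
            return
        trace.add(("accept", i))
    y = data[4] if len(data) > 4 else 0      # the slide's y = read()
    z = y * 2
    if z == 12:
        trace.add("fail")
        raise Crash("fail() reached")        # the slide's fail()
    trace.add("ok")


def run(data):
    """Execute the target once; return (branches covered, crashed?)."""
    trace = set()
    try:
        target(data, trace)
        return trace, False
    except Crash:
        return trace, True


def mutate(data, rng):
    """One random byte-level mutation: overwrite, insert or delete a byte."""
    data = bytearray(data)
    choice = rng.randrange(3)
    if choice == 0 and data:
        data[rng.randrange(len(data))] = rng.randrange(256)
    elif choice == 1 and len(data) < 16:
        data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
    elif choice == 2 and len(data) > 1:
        del data[rng.randrange(len(data))]
    return bytes(data)


def random_fuzz(budget, seed=0):
    """Blind fuzzing: a fresh random 5-byte input each time, no feedback.
    Returns the iteration that crashed, or None if the budget ran out."""
    rng = random.Random(seed)
    for i in range(budget):
        data = bytes(rng.randrange(256) for _ in range(5))
        if run(data)[1]:
            return i + 1
    return None


def coverage_guided_fuzz(budget, seed=0):
    """AFL-style loop: keep inputs that reached a branch not seen before and breed
    from that corpus. Returns (crashing iteration or None, final corpus size)."""
    rng = random.Random(seed)
    corpus = [b"aaaa"]
    seen = set(run(corpus[0])[0])
    for i in range(budget):
        # Half the picks go to the newest entry, a crude version of AFL favouring
        # inputs that most recently found new coverage.
        parent = corpus[-1] if rng.random() < 0.5 else rng.choice(corpus)
        data = mutate(parent, rng)
        trace, crashed = run(data)
        if crashed:
            return i + 1, len(corpus)
        if not trace <= seen:                # new branch reached: keep this input
            seen |= trace
            corpus.append(data)
    return None, len(corpus)


if __name__ == "__main__":
    print("blind:", random_fuzz(20000))
    print("coverage-guided:", coverage_guided_fuzz(200000, seed=7))
```

The run times differ by orders of magnitude for the same reason the slide gives: the magic-byte checks are reachable one branch at a time, but the final comparison is a single branch over a whole value, and AFL-style feedback cannot tell y = 5 from y = 7.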