Topic 2:
HTTP protocol (RFC 2616)
HTTP
▪ HEAD
▪ GET
▪ POST
▪ PUT
▪ DELETE
▪ TRACE
▪ CONNECT
Source: https://plataforma.josedomingo.org/pledin/cursos/flask/curso/u01/
Sources: https://hackxcrack.net/foro/defacing/cross-site-tracing-(xst)/
https://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
www.example.com?... ?...
▪ top:0px;left:0px;width:99%;height:95%;margin:0px;padding:0px. These style parameters make the frame take the full width of the page and fit its margins so that it covers the page completely.
X-Frame-Options header:
deny, sameorigin, allow-from uri
The SOP does not prohibit:
▪ Loading JavaScript code with <script src="..."></script>
▪ X-Frame-Options
X-Frame-Options: deny
▪ X-Content-Type-Options
X-Content-Type-Options: nosniff
▪ Content-Security-Policy
Content-Security-Policy: script-src 'self'
Response:
Access-Control-Allow-Origin
Access-Control-Allow-Credentials
Access-Control-Expose-Headers
Access-Control-Max-Age
Access-Control-Allow-Methods
Access-Control-Allow-Headers
Request:
Origin
Access-Control-Request-Method
Access-Control-Request-Headers
Request:
OPTIONS /user
Origin: http://www.example.com
Access-Control-Request-Method: GET
Access-Control-Request-Headers: Authorization
Response:
Access-Control-Allow-Origin: http://www.example.com
Access-Control-Allow-Headers: AUTHORIZATION
Access-Control-Allow-Methods: GET
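As an added example (not code from these slides or the linked course), a minimal server-side check that answers the preflight exchange above: the Origin is compared against an explicit allow-list instead of being reflected back. The allow-list values and the function name `preflight_response` are assumptions for the example.

```python
# Added example (not from the original slides): a minimal CORS preflight
# handler showing how a server should answer the OPTIONS request above.
# Assumptions (mine, not the course's): the server keeps an explicit allow-list
# of origins; any origin not on it gets no Access-Control-* headers at all,
# instead of reflecting the Origin value back.

ALLOWED_ORIGINS = {"http://www.example.com"}          # constructed allow-list
ALLOWED_METHODS = {"GET", "POST"}
ALLOWED_HEADERS = {"authorization", "content-type"}   # header names are case-insensitive
MAX_AGE_SECONDS = 600

def preflight_response(request_headers: dict) -> dict:
    """Return the response headers for a CORS preflight (OPTIONS) request.

    request_headers: Origin, Access-Control-Request-Method and
    Access-Control-Request-Headers from the incoming request.
    Returns {} when the preflight must be refused: with no
    Access-Control-Allow-Origin present, the browser blocks the real request.
    """
    origin = request_headers.get("Origin")
    method = request_headers.get("Access-Control-Request-Method", "").upper()
    requested = [h.strip().lower()
                 for h in request_headers.get("Access-Control-Request-Headers", "").split(",")
                 if h.strip()]

    # 1. Origin must match the allow-list exactly; never echo an arbitrary Origin,
    #    and never combine "*" with Access-Control-Allow-Credentials: true.
    if origin not in ALLOWED_ORIGINS:
        return {}
    # 2. The method and every requested header must be permitted.
    if method not in ALLOWED_METHODS or not set(requested) <= ALLOWED_HEADERS:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": method,
        "Access-Control-Allow-Headers": ", ".join(requested),
        "Access-Control-Allow-Credentials": "true",
        "Access-Control-Max-Age": str(MAX_AGE_SECONDS),
        "Vary": "Origin",   # caches must not serve one origin's answer to another
    }

if __name__ == "__main__":
    # Constructed preflight matching the slide's example request.
    req = {"Origin": "http://www.example.com",
           "Access-Control-Request-Method": "GET",
           "Access-Control-Request-Headers": "Authorization"}
    print(preflight_response(req))
    print(preflight_response({**req, "Origin": "http://other.example"}))  # {}
```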
▪ HTTP methods
▪ XST (TRACE)
▪ CSRF
▪ Security headers