Friday, 29 May 2020

Scrum - Daily Meetings (Daily Standup)

Introduction
In diagram form it looks like this:

In fact, the structure of this meeting is decided by the team. The explanation is as follows:
The structure of the meeting is set by the Development Team and can be conducted in different ways if it focuses on progress toward the Sprint Goal. Some Development Teams will use questions, some will be more discussion based.
In practice, though, it usually ends up like this. The purpose of the daily meeting comes down to these 3 questions:
1. What did I do yesterday?
2. What will I do today?
3. What are my impediments?
These topics can be discussed either by going through each item on the scrum board or in general terms.

Why 15 Minutes?
In Jeff Sutherland's own words:
[...] the meeting couldn’t last more than fifteen minutes. We wanted it to be crisp, direct, and to the point. If something required further discussion, we noted it and met further after the daily meeting. The idea was to get the most actionable and valuable information in the least amount of time.
What I Will Do Today
The purpose of "what I will do today" can be to share new things. The new thing may be a problem or an idea.

During the daily meeting the Scrum Board is also opened up.

Micromanagement
If daily meetings turn into micromanagement, the result can be terrible. The explanation is as follows.
Which micro-managers wouldn’t want everyone to give a status report at 9:00 am every day? Who wouldn’t want to see all work broken down to pieces for which NAMED individuals could be held accountable? And why wouldn’t they want to make a shocked face and send a very clear “that is not acceptable” message every time an estimate was high?

Visibility becomes a tool of blame.
Another effect is that hard problems go untouched, because working on them looks as if no progress is being made. The explanation is as follows:
Scrum is a way to take a below average or poor developer and turn them into an average developer. It's also great at taking great developers and turning them into average developers.

Everyone just wants to take something easy off the board that you can get done in a day so you have something to report in tomorrow's daily scrum. It's just everyone trying to pick the low hanging fruit. There's no incentive to be smart and to take time to think about solutions, if nothing is moving across what are you even doing? You're letting the team down! The velocity is falling!

I think if you have hard problems to solve you solve them by giving them to smart people then leaving them alone. You don't constantly harass them every day demanding to know what they did yesterday and what they plan to do today. With daily updates where is the incentive for the smart people to work on the hard problems? They now have the same incentive as the junior developer; find the easiest tickets to move across the board.

Sometimes I will want to just be alone and think about a solution for a few days. If I do that though I'd have nothing to say at the scrum. So instead I'll pick the user story where the colour on a front end was the wrong shade of green or a spelling mistake! See, I knocked out 2 stories in one day, before lunch! Go me!

Product Owner
The Product Owner does not have to attend the daily meetings. They may attend as an observer, without interrupting the development team, in order to provide input later.

Meeting Duration
Meetings must absolutely not run long. The Scrum Master should step into meetings that run long and make sure they are cut short. Questions that are on people's minds should be left until after the meeting. The explanation is as follows:
If more detailed discussions need to happen, individual (or a group) team members should meet immediately after the Daily Scrum to discuss those issues in more depth. This will allow you to adapt or change the rest of the work in the Sprint.
Especially in teams where traditional roles persist, the project manager can turn the daily meeting into a "status report" or "interrogation" meeting.

In projects done by a single person, daily meetings are not very useful.

Things That Make Scrum Useless
Some items are listed below. I think what bothers me most is that what is being talked about has no connection whatsoever to the work I do.
- The information being shared never pertains or affects me in any way.
- Absence of team ownership and everyone always working on their own projects.
- Absence of team communication outside the standup.
- Lack of visible or communicated progress.
- Absence of information to share.
Indicator That Scrum Is Working
If, after the daily meeting, people gather on the way out to discuss the things on their minds, Scrum has done its job.

Joint Decisions
To reach a joint decision you have to convince people. To convince them you have to earn their respect. The explanation is as follows.
...but the heart and soul of the problem is your subjective opinions about what is best have to be seen as relevant. For that you have to earn and maintain their respect. Do that and this is much easier. Fail to do that and no tool or practice will save you.
The attitude of "we do this job this way because the documentation says so" is not very useful. The explanation is as follows.
The best way to do that is communicate early. Don't tell me "we don't use strings for our DB types in this shop" 6 months after I settled on the idea. Telling me it's been buried in the documentation for 2 years is no justification for letting me do that.
Instead, it may be better to give bad examples. The explanation is as follows.
Reduce the things you care about to their underlying principles. Rather than hit me with a list of 101 rules to follow give me the 10 principles that they all violate so I can figure out what rule 102 should be on my own.

Empower me to impose my own vision by helping me see yours and we'll get along great.


Thursday, 28 May 2020

Wifi - General Information

What Does Wifi Mean
Wifi is not actually an abbreviation of anything. It is a word made up in 1999.
Wi-Fi doesn't stand for anything. It is not an acronym. There is no meaning.
The phrase "Wireless Fidelity" was invented afterwards.
The current confusion seems to stem from a brief period early in the days of the Wi-Fi Alliance when a regrettable tag line was added that stated, "The Standard for Wireless Fidelity." This was not part of the original name and was not created by Interbrand, but it was added as an afterthought in an attempt to help users make sense of the new and somewhat nonsensical word, "Wi-Fi."...
OSI Architecture
Wifi uses protocols belonging to the 802.11 family. For more detail on these protocols see the IEEE 802.11 post.

In the OSI architecture it defines Layer 1 and Layer 2. Its speed is far higher than Bluetooth's.

Since it does not define Layer 3 and above, the overhead introduced by TCP and the other protocols, i.e. the header-to-payload ratio, is not defined.

Even though Wifi does not define Layer 3 and above, an Access Point can be used as a "hotspot"; that is, it can hand out IP addresses via DHCP to devices wanting to join the network.

Dual band means a device that can operate on both 2.4 GHz and 5 GHz. Such a device contains two transceivers.

Wifi Everywhere
Because Wifi consumes a lot of power, it is preferred in devices connected to mains electricity. It is not preferred in battery-powered smart devices. The explanation is as follows:
"Wi-Fi is a whole-home network," says Chris Coley, principal engineer and architect with Logitech. Primarily used for media streaming, browsing the web, and other data-heavy activities, it's a high-bandwidth network that's power-intensive; just watch how fast your laptop battery dies when you're watching a video on Netflix.
Many smart home products eschew Wi-Fi-connectivity because it would require their devices to have a dedicated power source or a long-lasting battery.
Interestingly, Wifi is also in the service of passengers inside aircraft. On the Boeing 787 it is used (802.11 b/g) to load some software components and Electronic Flight Bag data onto the aircraft.

Wifi-Direct
Means point-to-point Wifi, working like Bluetooth does.

Wifi Range
Wifi range is shorter than, for example, LTE (Long Term Evolution). The explanation is as follows.
As with any radio receiver, if it can handle a higher data rate, then it is usually burdened with having a higher RF bandwidth and this inevitably means more received background noise i.e. a wider BW lets in more noise and hence, you need a higher received signal level to operate with a decent SNR (signal to noise ratio).

Therefore WiFi is at a significant disadvantage because it has a wider RF bandwidth than LTE (normally) and needs a higher signal level to operate at a decent bit-error-rate (BER).
Throughput - Net Payload
A question and answer are given below. Within the modulation scheme, constellation points are sent; each point carries a certain number of bits. In addition, MIMO uses several antennas.
Q : How is Wi-Fi throughput so high?
A : You're correct that the actual bandwidth for a single WiFi stream is rather narrow, ranging between 20 MHz for older specs and 160 MHz for 802.11ax. However, the spectral efficiency of WiFi is often significantly more than 1 (bit/sec)/Hz.

For example, take the fastest modulation option of 802.11ax, which is 1024QAM on a 160MHz channel. 1024QAM implies that the constellation diagram of the modulation contains 1024 points, meaning that there are 1024 possible symbols and each symbol carries 10 bits. Assuming that the level of noise and interference is low enough, this is fairly plausible to achieve. In practice, this yields up to 1134 MBps after considering error correction, guard intervals, etc.

Furthermore, WiFi is able to take advantage of MIMO (multiple-input, multiple-output), where separate streams, each carrying up to 1024QAM constellations with up to 160 MHz of bandwidth, are simultaneously transmitted from multiple antennas that are separated in space.

While the two streams do "interfere" and add with each other, sophisticated signal processing techniques are able to pick the two streams apart from each other, since they arrive slightly differently at the multiple antennas that the receiver is using to receive the streams.

In doing this, you've doubled the achievable performance, with a 2x2 MIMO system handling up to 1134 MBps * 2 as long as the signal-to-noise ratio is good enough to sustain that rate without unacceptable bit error.

On the other hand, if things aren't looking good (e.g. high noise, low signal power, unable to pick out the two MIMO streams), the router and your wireless card will happily fall back to lower speeds by using a smaller constellation, shutting off MIMO, or using a more powerful but higher-overhead error correction code. You may find that depending on your home, your neighbors' WiFi use, and your specific devices, you may only be able to achieve the maximum performance in some cases.
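To make the answer's arithmetic concrete, here is an added example (my code, not part of the original post or of the quoted answer). It derives bits per symbol from the constellation size and then the nominal 802.11ax PHY rate from the data-subcarrier count, coding rate, OFDM symbol time, guard interval and number of MIMO streams. The HE PHY constants in the block are the standard's values as I know them, not numbers taken from the answer, so the 160 MHz single-stream result is the standard's nominal MCS 11 figure rather than the rounded value quoted above; all function names are mine.

```javascript
// Added example: nominal 802.11ax (HE) PHY rate from modulation, coding,
// bandwidth and spatial streams. Constants are the standard's HE values as
// I know them (assumption, not taken from the post); names are mine.

// Data subcarriers per channel width for HE PPDUs (20/40/80/160 MHz).
const HE_DATA_SUBCARRIERS = { 20: 234, 40: 468, 80: 980, 160: 1960 };
// OFDM symbol (DFT) duration in microseconds; the guard interval is added per call.
const HE_SYMBOL_US = 12.8;

// A constellation of M points carries log2(M) bits per symbol per subcarrier:
// 1024QAM -> 10 bits, 256QAM -> 8 bits, 16QAM -> 4 bits.
function bitsPerSymbol(constellationPoints) {
  const bits = Math.round(Math.log2(constellationPoints));
  if (bits < 1 || 2 ** bits !== constellationPoints) {
    throw new RangeError(`constellation size must be a power of two, got ${constellationPoints}`);
  }
  return bits;
}

// Nominal PHY rate in Mbit/s:
//   rate = N_SD * bitsPerSymbol * codingRate * streams / (T_DFT + T_GI)
// Bits per microsecond equal Mbit/s, so no unit scaling is needed.
function phyRateMbps({ constellationPoints, codingRate, channelMHz, spatialStreams = 1, guardIntervalUs = 0.8 }) {
  const nsd = HE_DATA_SUBCARRIERS[channelMHz];
  if (nsd === undefined) throw new RangeError(`unsupported channel width ${channelMHz} MHz`);
  const bitsPerOfdmSymbol = nsd * bitsPerSymbol(constellationPoints) * codingRate * spatialStreams;
  return bitsPerOfdmSymbol / (HE_SYMBOL_US + guardIntervalUs);
}

// Spectral efficiency in (bit/s)/Hz: the answer's point is that this exceeds 1.
function spectralEfficiency(opts) {
  return phyRateMbps(opts) / opts.channelMHz;
}

// Best case from the answer: 1024QAM, rate 5/6, 160 MHz, one stream; then 2x2 MIMO;
// then a noisy-link fallback to 16QAM rate 3/4 on a 20 MHz channel.
const best = { constellationPoints: 1024, codingRate: 5 / 6, channelMHz: 160 };
console.log(`1 stream : ${phyRateMbps(best).toFixed(1)} Mbit/s`);
console.log(`2 streams: ${phyRateMbps({ ...best, spatialStreams: 2 }).toFixed(1)} Mbit/s`);
console.log(`fallback : ${phyRateMbps({ constellationPoints: 16, codingRate: 3 / 4, channelMHz: 20 }).toFixed(1)} Mbit/s`);
console.log(`efficiency at best: ${spectralEfficiency(best).toFixed(2)} (bit/s)/Hz`);
```

Halving the constellation, dropping a stream or widening the guard interval reproduces the fall-back behaviour described in the last paragraph of the answer: the same formula simply yields a lower rate, and the link stays usable at a worse signal-to-noise ratio.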
Wifi Modulation
A simple diagram explaining modulation is as follows:

2.4 GHz
Wifi uses the 2.4 GHz carrier frequency; that is, it lies in the 2.4 GHz to 2.5 GHz range. The wavelength of the band is around 12.5 cm. The channel spacing is 5 MHz.
The band is divided into 14 channels. Each channel is 22 MHz wide, so some channels overlap one another. The channels that do not overlap at all are 1, 6, 11 and 14. In the figure below 1, 6 and 11 are shown in a dark colour.


Channel Selection
Most devices make no real effort to choose the best channel. The explanation is as follows.
- Most only pick a channel at boot time, but a channel that was good when the AP was last rebooted may have become a poor choice days, weeks, or months later.

- Most do not want to delay booting by spending long enough to truly evaluate every channel, so they use poor heuristics like "just pick the channel where we see the fewest APs", which doesn't necessarily correlate to which channel will provide the best throughput and reliability. Even worse, these oversimplified heuristics can cause problems like choosing a channel that partially overlaps with channels other APs are on, which will cause APs to interfere with each other without being able to cooperate with each other like they would if they were on the exact same channel.

- Most don't even have the spectrum analyzer hardware necessary to truly evaluate the RF interference on each channel; they have Wi-Fi radios and focus on interference from other Wi-Fi devices, and are fairly ignorant of interference caused by non-Wi-Fi devices such as Bluetooth, microwave ovens, cordless phones, wireless subwoofers, baby monitors, wireless cameras, and more.

- Creating an AP that has the hardware and the algorithms to choose channels well not just at boot, but to keep re-evaluating the channel choices later, and change channels when there would be benefit to do so, is both expensive and fraught with potential interop problems. Not all clients are great at honoring channel switch announcements from the AP, so an AP that changes channels on the fly risks having clients fall off the network every time it does so.
Guard Band
Of the 22 MHz width, only 20 MHz carries data. 2 MHz is for the guard band. The explanation is as follows.
Wifi Channel 6 is centered at 2437 MHz and is 22 MHz large, so ranging from 2426 to 2448 as you stated (well that would rather be 23 MHz large, so not sure if it is 2427-2448 or 2426-2447).

But data is actually transmitted along a 20 MHz bandwidth, the remaining 2 MHz are used as a guard band so there's enough attenuation along the edge channel.

So there's no data transmitted at 2426 MHz when using Wifi Channels 1 or 6 (1, 6 and 11 are the most used since they are non-overlapping)
The channel bandwidth can be found as a figure and a table at the List of WLAN channels link. Other properties are as follows.
  • indoor range: 15m
  • outdoor range: 40m
  • frequency: 2.4GHz
  • power consumption: 100mW
  • throughput: 5Mbps
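As an added example (my code, not from the original post), the following encodes the 2.4 GHz channel plan described in this section and in the guard band quote: 5 MHz channel spacing, 22 MHz channels of which only the inner 20 MHz carries data, and a pairwise overlap check that confirms 1, 6, 11 and 14 are the mutually non-overlapping set. Function names are mine; the centre-frequency formula (2407 MHz + 5 MHz x channel number for channels 1 to 13, channel 14 at 2484 MHz) is the usual 2.4 GHz plan and is not stated on the page.

```javascript
// Added example: 2.4 GHz Wi-Fi channel geometry (not code from the original post).
// Centre-frequency formula and channel-14 value are my assumption of the usual plan.

const CHANNEL_WIDTH_MHZ = 22;    // full channel width including the guard band
const DATA_WIDTH_MHZ = 20;       // portion of the channel that carries data
const CHANNEL_SPACING_MHZ = 5;   // spacing between adjacent channel centres
const ALL_CHANNELS = Array.from({ length: 14 }, (_, i) => i + 1);

// Centre frequency in MHz. Channels 1..13 step by 5 MHz from 2412 MHz;
// channel 14 sits apart at 2484 MHz.
function centerMHz(channel) {
  if (channel === 14) return 2484;
  if (!Number.isInteger(channel) || channel < 1 || channel > 13) {
    throw new RangeError(`no such 2.4 GHz channel: ${channel}`);
  }
  return 2407 + CHANNEL_SPACING_MHZ * channel;
}

// Lower and upper edge of the 22 MHz channel, e.g. channel 6 -> [2426, 2448].
function edgesMHz(channel) {
  const c = centerMHz(channel);
  return [c - CHANNEL_WIDTH_MHZ / 2, c + CHANNEL_WIDTH_MHZ / 2];
}

// Free-space wavelength in centimetres for a frequency in MHz (c = 299792.458 km/s).
function wavelengthCm(freqMHz) {
  return 29979.2458 / freqMHz;
}

// True if data is transmitted at freqMHz on this channel: only the inner 20 MHz
// carries data, the outer 1 MHz on each side is guard band.
function carriesData(channel, freqMHz) {
  return Math.abs(freqMHz - centerMHz(channel)) <= DATA_WIDTH_MHZ / 2;
}

// Two channels overlap when their 22 MHz spans share spectrum. Channels whose
// edges merely touch (centres exactly 22 MHz apart, e.g. 11 and 14) do not.
function overlaps(a, b) {
  return Math.abs(centerMHz(a) - centerMHz(b)) < CHANNEL_WIDTH_MHZ;
}

// Every channel in the set is clear of every other one: [1, 6, 11, 14] -> true.
function mutuallyNonOverlapping(channels) {
  for (let i = 0; i < channels.length; i++) {
    for (let j = i + 1; j < channels.length; j++) {
      if (overlaps(channels[i], channels[j])) return false;
    }
  }
  return true;
}

// Channels that an AP on `channel` will interfere with: channel 6 -> [2..5, 7..10].
function overlappingChannels(channel) {
  return ALL_CHANNELS.filter((other) => other !== channel && overlaps(channel, other));
}

console.log(`channel 6 spans ${edgesMHz(6).join('-')} MHz, data at 2426 MHz: ${carriesData(6, 2426)}`);
console.log(`channel 6 overlaps ${overlappingChannels(6).join(', ')}`);
console.log(`1/6/11/14 mutually clear: ${mutuallyNonOverlapping([1, 6, 11, 14])}`);
console.log(`wavelength at 2400 MHz: ${wavelengthCm(2400).toFixed(1)} cm`);
```

`overlappingChannels` is the check an AP would need in order to avoid the partially overlapping placement the channel-selection quote warns about; two APs on the same channel can at least defer to each other, two on channels 6 and 8 cannot.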
5 GHz
The channel spacing is 20 MHz. The U-NII-2B band in the 5 GHz range (5350-5470 MHz) is not used.

Why Do Bluetooth and Wifi Use 2.4 GHz?
2.4 GHz is the Industrial, Scientific and Medical (ISM) band. This band is unlicensed and free to use anywhere in the world. WiMax, on the other hand, uses frequencies that require a special licence. The explanation is as follows:
WiMax operates in spectra that needs to be licensed from the FCC (or the corresponding body if you're not in the US). Depending on the frequency in use the licensing process may- or may not- be an issue, but it's not a situation where you can simply buy the gear and start using it the same day.

In contrast, the 802.11 standards operate in unlicensed frequencies and don't require a special license.
In the US the only WiMax provider is Sprint, and it is gradually shutting this service down.

Is Wifi Harmful to Health?
Wifi falls into the class of waves called non-ionising radiation. In terms of the wavelength it uses, it is close to the kitchen microwave oven and to mobile phones. Waves of this kind produce a heating effect. Because the energy of the Wifi signal is low, the heating effect is small but measurable. Whether it harms health, and if so how much, is still being researched. There are links here and here.

An explanation comparing microwaves with visible light is as follows.
Microwaves do not have less energy than visible light per se. They only have less energy per photon, as per the Planck–Einstein relation, E=hf. In other words, you can raise the power of electromagnetic radiation to a dangerous level at any wavelength, if only you generate enough photons – as your microwave oven does.
A table comparing the Wifi signal with other signals is as follows.
+----------------+-----------+-----------+
|     Source     | Power (W) | Frequency |
+----------------+-----------+-----------+
| Sun            | 1000/m^2  | optical   |
| Light bulb     | 2.5       | optical   |
| Cell phone     | 1         | microwave |
| WiFi router    | 0.1       | microwave |
| Microwave oven | 700       | microwave |
+----------------+-----------+-----------+

CSMA/CA
Moved to the CSMA/CA post.

Wifi Regular Mode or Infrastructure Mode
If A (STA - Station) and B want to talk, A first sends the packet to the Access Point (AP). The AP then sends it on to B. It makes no difference whether the packet is multicast or broadcast: all packets pass through the AP. The explanation is as follows.
The CSMA/CA algorithm requires the AP to "coordinate" all the clients. If clients talked with other APs or with each other, it would be impossible to prevent interference.
Another explanation is as follows.
Wi-Fi has an infrastructure mode, where all frames must pass through the WAP, and an ad hoc mode, where frames are sent directly to another host. You must use one or the other.

Wifi Promiscuous Mode
If we put the Wifi device into this mode, the device joins the network, i.e. it is treated as a STA - Station, and we can read all the packets it can hear.

Wifi Monitor Mode
The Wifi device can read all packets without joining the network. The packets will most likely be encrypted.

Wifi Multicast
There is no real multicast yet. Messages sent as multicast are distributed by the AP as unicast. Multicast will come into use with 802.11aa. The explanation is as follows:
Unfortunately, multicast or broadcast on Wi-Fi is a problem. Your WAP will send multicast and broadcast at the lowest possible rate. This is part of the Wi-Fi standard. There is a proposed standard that is supposed to fix some of the problems with multicast on Wi-Fi, but nothing currently supports it, as far as I can tell.

For example, if you have a WAP that supports 802.11b , it will send multicast traffic at 1 Mbps.
...
From the perspective of layer-2 (what the WAP works with), you don't have many options for prioritizing traffic. The WAP, like a switch, does not look at the packets, only the frames. It doesn't matter what marking you have on the packets if the device doesn't look at the packets in order to treat the packets differently.
What Is an SSID
It is the name that identifies the network. The explanation is as follows.
The Service Set Identifier (SSID) defines what is thought of as the wireless network. So if you have an SSID that is called Apple and your neighbor’s SSID is called Orange, people can connect to either the Apple or Orange wireless network.
Some Wifi devices allow 2 SSIDs to be defined.

Hidden SSID
A hidden SSID is not a security measure. It is used in some situations where the Wifi network does not need to be visible to everyone. The explanation is as follows:
It would be unsafe to rely on hidden SSID as your primary security mechanism instead of WPA2.
...
Hidden SSID is more appropriately used for point-to-point links where the client devices are statically configured for a specific network and having it show up in everyone's network list would only be unnecessary clutter (e.g. in a city there might be 10-20 Wi-Fi-based PtP links running above your head).

What Is a BSSID
It is used to distinguish different Access Points within the same network. The explanation is as follows.
Most often, there are different BSSIDs on an access point for each WLAN configured on a radio. ...
Another explanation is as follows. If the network is hidden, our Wifi card keeps probing for the BSSIDs it already knows.
If you have previously connected to a "hidden" wireless network, your NIC may continuously broadcast their BSSIDs in hopes of connecting to them. It's the only way to "automatically" connect to a hidden network, because there is otherwise no way for the card to know when it is in range to a known hidden network.
This looks like the following.
Hello, 'Home Network'? Are you there?
Hello, 'Office W-Lan'? Are you there?
Hello, 'Home Network'? Are you there?
Hello, 'Office W-Lan'? Are you there?
...
What Are the Messages Used in Wifi
There are 3 types of frame: Management Frames, Control Frames and Data Frames.

a. Management Frames
Moved to the Wifi Management Frames post.

b. The Control Frames are as follows
1. Request to Send (RTS) frames
2. Clear to Send (CTS) frames
3. Acknowledgement (ACK) frames

c. The Data Frame is as follows
1. Data Frame

Data Frame
802.11 is designed to work under all kinds of harsh conditions. For this reason it waits for an acknowledgement for every data frame. Just like TCP, frames for which no acknowledgement is received are sent again. Wifi can be a poor choice for people playing online games. If the packet sent is a broadcast, only the Access Point sends an ACK; the remaining receivers do not send an ACK.

Request To Send - Control Frame
The explanation is as follows
If you lower RTS threshold value too much, you can introduce more latency into the network, as Requests to Send are increased so much that the shared medium is reserved more often than necessary


Cross Site Scripting - XSS - Malicious Input Is Supplied

Introduction
XSS is in a sense similar to SQL Injection. The aim is for the attacker to supply a malicious script as input. The explanation is as follows
XSS is a vulnerability where an attacker can inject malicious code (usually JavaScript) into a web page, potentially allowing them to steal sensitive data or perform actions on behalf of the user. This vulnerability can be mitigated by sanitizing user input and encoding output to prevent the execution of malicious scripts.
Another explanation is as follows
Anatomy of an XSS attack
XSS happens whenever an attacker can execute malicious scripts on a victim’s browser.

Applications often use user input to construct web pages. For example, a site might have a search functionality where the user can input a search term, and the search results page will include the term at the top of the results page. If a user searches “abc”, the source code for that page might look like this:

<h2>You searched for abc; here are the results!</h2>

But what if that application cannot tell the difference between user input and the legitimate code that makes up the original web page?

Attackers might be able to submit executable scripts and get that script embedded on a victim’s webpage. These malicious scripts can be used to steal cookies, leak personal information, change site contents, or redirect the user to a malicious site.
There are 3 types of XSS attack. Of these, Stored XSS and Reflected XSS are linked.
- Stored XSS is the storing of data that comes from an untrusted source
- Reflected XSS means sending that stored data on to another user. The explanation is as follows.
An XSS vulnerability usually consists of two components: A backend which reflects user-provided strings without filtering them and a frontend which puts that input into an HTML document without filtering it.
1. Reflected XSS - The Malicious Script Is in the User Input
The explanation is as follows
A reflected XSS, or reflected cross site scripting, is the process of adding malicious scripts that are activated through a link. The request then sends the user to somewhere else.
For example, a reflected XSS can be embedded to blend in with the rest of the site in a user comment section. The user may click on it and end up going to a 3rd party site and then redirected back to the original site.

Whilst at the 3rd party, malicious activities such as cookie or session stealing may occur. Although it is hard to monitor reflected XSS, spam filters on links submitted can help reduce the frequency.
Example
As follows
For example, if the application also allows users to search via URLs:
https://example.com/search?q=abc

If an attacker can trick victims into visiting this URL:

https://example.com/search?q=<script> some malicious script</script>

The script in the URL will become embedded in the page the victim is visiting, making the victim’s browser run the JS code contained within the <script> tags. This is called a “reflected XSS” attack.

<h2>You searched for <script> some malicious script</script>; here are the results!</h2>
2. Stored XSS - The Malicious Script Is Put into the Database
The explanation is as follows
A stored XSS, or persistent XSS attack takes place when an attacker injects a script into the content of a website or app. Unlike reflected XSS where third party links are embedded, stored XSS is more dangerous in that it doesn't require the user to interact with it.
Another explanation is as follows
During a stored XSS attack, the attacker places the malicious script into a database before it gets returned to the victim. Let’s say that example.com also allows users to post status updates for others to see. An attacker can post this status update:

POST /status/update
status=<script> some malicious script </script>

This malicious script will become embedded on the attacker’s profile page, attacking anyone who visits the attacker’s profile page.

3. DOM Based XSS
The explanation is as follows
DOM Based XSS can arise when the application contains some client-side JavaScript that processes data from an untrusted source in an unsafe way, usually by writing the data back to the DOM.
Another explanation is as follows
Finally, DOM-based XSS is similar to reflected XSS, except that in DOM-based XSS, the user input never leaves the user’s browser. Since the malicious input is never sent to the server, this type of XSS is harder to detect and prevent.

As in reflected XSS, attackers submit DOM-based XSS payloads via the victim’s user input. Unlike reflected XSS, a DOM-based XSS script doesn’t require server involvement, because it executes when user input modifies the source code of the page in the browser directly. Say a website allows the user to change their locale by submitting it via a URL parameter:


https://example.com?locale=north+america

The URL parameter isn’t submitted to the server. Instead, it’s used to change the language of the webpage by a client-side script of the application. But if the website doesn’t validate the user-submitted parameter, an attacker can trick victims into visiting a URL like this one:


https://example.com?locale=<script> some malicious script </script>

The site will embed the payload on the user’s web page, and the victim’s browser will execute the malicious script.
StringEscapeUtils
Some precautions can be taken by using the StringEscapeUtils class.

The X-XSS-Protection Field in the HTTP Response
The explanation is as follows
Some browsers have built in support for filtering out reflected XSS attacks. This is by no means foolproof, but does assist in XSS protection. Below HTTP response header just ensures it is enabled and instructs the browser to block when a XSS attack is detected.

X-XSS-Protection: 1; mode=block

Spring security automatically adds this header by default. We do not need to make any changes in our application to get this.
The Content-Security-Policy Field in the HTTP Response
The explanation is as follows
A Content Security Policy(CSP) compatible browser will only execute scripts loaded in source files received from our “allow” listed domains, ignoring all other scripts such as inline scripts.
To enable this feature, the browser needs to receive the below HTTP response header

Content-Security-Policy: script-src 'self'

We can accomplish this by adding the line below to our Spring Boot app
http.headers().contentSecurityPolicy("script-src 'self'");
Sending JavaScript to the Server
Example
As follows
http://test.com/%3Cscript%3Ealert(%E2%80%98XSS%E2%80%99)%3C/script%3E
Example
Suppose we have code like this and a POST request is sent
@PostMapping("/books")
public void createBook(@RequestBody Book book) {
  // the request body is deserialized into Book and stored exactly as received
  bookService.save(book);
}

POST /books
{
  "id" : 3,
  "name" : "Harry Potter",
  "type" : "<script>alert(document.cookie)</script>"
}
When a GET request for the book is later sent, this JavaScript can be executed.

Sending JavaScript to the Browser
The explanation is as follows.
In XSS, an attacker can maliciously inject Javascript into an application running on the victim's browser. The injected code reads and transmits auth tokens to the attacker.

This can be prevented fairly easily by using HttpOnly or Secure cookies to store auth tokens. Do not use localStorage to store auth tokens, as they are accessible by javascript.
The list of things that can be done is as follows.
  • Ad-Jacking - If you manage to get stored XSS on a website, just inject your ads in it to make money ;)

  • Click-Jacking - You can create a hidden overlay on a page to hijack clicks of the victim to perform malicious actions.
  • Session Hijacking - HTTP cookies can be accessed by JavaScript if the HTTP ONLY flag is not present in the cookies.
  • Content Spoofing - JavaScript has full access to client side code of a web app and hence you can use it show/modify desired content.
  • Credential Harvesting - The most fun part. You can use a fancy popup to harvest credentials. WiFi firmware has been updated, re-enter your credentials to authenticate.
  • Forced Downloads - So the victim isn't downloading your malicious flash player from absolutely-safe.com? Don't worry, you will have more luck trying to force a download from the trusted website your victim is visiting.
  • Crypto Mining - Yes, you can use the victim’s CPU to mine some bitcoin for you!
  • Bypassing CSRF protection - You can make POST requests with JavaScript, you can collect and submit a CSRF token with JavaScript, what else do you need?
  • Keylogging - You know what this is.
  • Recording Audio - It requires authorization from the user but you access victim’s microphone. Thanks to HTML5 and JavaScript.
  • Taking pictures - It requires authorization from the user but you access victim’s webcam. Thanks to HTML5 and JavaScript.
  • Geo-location - It requires authorization from the user but you access victim’s Geo-location. Thanks to HTML5 and JavaScript. Works better with devices with GPS.
  • Stealing HTML5 web storage data - HTML5 introduced a new feature, web storage. Now a website can store data in the browser for later use and of course, JavaScript can access that storage via window.localStorage() and window.webStorage()
  • Browser & System Fingerprinting - JavaScript makes it a piece of cake to find your browser name, version, installed plugins and their versions, your operating system, architecture, system time, language and screen resolution.
  • Network Scanning - Victim’s browser can be abused to scan ports and hosts with JavaScript.
  • Crashing Browsers - Yes! You can crash browser with flooding them with….stuff.
  • Stealing Information - Grab information from the webpage and send it to your server. Simple!
  • Redirecting - You can use javascript to redirect users to a webpage of your choice.
  • Tabnapping - Just a fancy version of redirection. For example, if no keyboard or mouse events have been received for more than a minute, it could mean that the user is afk and you can sneakily replace the current webpage with a fake one.
  • Capturing Screenshots - Thanks to HTML5 again, now you can take screenshot of a webpage. Blind XSS detection tools have been doing this before it was cool.
  • Perform Actions - You are controlling the browser,
Example
Responses of JSON type are not suitable for an XSS attack. Suppose we have a response like this
curl -i  'https://myservice.example.com/<script>alert(1)</script>'
HTTP/2 401
server: nginx
date: Tue, 19 May 2020 15:02:20 GMT
content-type: application/json;charset=UTF-8
content-length: 167
strict-transport-security: max-age=31536000 ; includeSubDomains
www-authenticate: Basic realm="Spring"

{"..."}%
The explanation is as follows.
This isn't vulnerable to XSS since the Content-Type is set to application/json and thus no Javascript will be executed by all major modern browsers. If you do some fancy Javascript stuff with the JSON response, it could become a DOM XSS
Example
Suppose we have a URL like this.
http://www.example.com/apage?filename=malicious.js
Users are most often exposed to this kind of attack by clicking on a link.

Example - Source URL
Suppose we have a URL used for searching. We can send our own script to this URL. As follows.
https://www.example.com/search?data=<script src="..."></script>
Example - Source URL
Suppose we have HTML like this
<html>
<body>
<script>
  url = new URLSearchParams(location.search);
  x = url.get('x');
  document.write(x);
</script>
</body>
</html>
We can send our own script to this URL. As follows
http://example.com/test.html?x=<script>alert(1)</script>
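The reflected search example earlier (`<h2>You searched for ...</h2>`) and the `test.html?x=` page just above share one root cause: a query parameter is written into markup without encoding. The following is an added example (my code in Node.js, not code from the original post) that extracts the parameter the way the browser's URL parser does, renders it once the vulnerable way and once with HTML entity encoding, and checks whether a script element survived. The function names (`escapeHtml`, `renderSearchUnsafe`, `renderSearchSafe`, `containsScriptTag`) are mine.

```javascript
// Added example: output encoding against reflected / DOM XSS.
// Not code from the original post; function names are my own.

// Entity-encode the five characters that can break out of element content or a
// quoted attribute value. This is the same class of fix as StringEscapeUtils
// on the Java side.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Read a query parameter exactly as a browser (URLSearchParams) would:
// percent-encoded characters come back decoded, so "<" is really "<".
function getParam(url, name) {
  return new URL(url).searchParams.get(name);
}

// Vulnerable rendering: the user's term is concatenated straight into markup,
// which is what the search page and document.write(x) above both do.
function renderSearchUnsafe(term) {
  return `<h2>You searched for ${term}; here are the results!</h2>`;
}

// Hardened rendering: every user-controlled character is encoded first, so the
// browser shows the literal text "<script>" instead of creating a script element.
function renderSearchSafe(term) {
  return `<h2>You searched for ${escapeHtml(term)}; here are the results!</h2>`;
}

// Cheap check used here to show the difference between the two renderings.
const SCRIPT_TAG = /<script\b/i;
function containsScriptTag(html) {
  return SCRIPT_TAG.test(html);
}

// Constructed sample URLs: the benign search from the post and a hostile one
// of the shape the post describes (payload reduced to a harmless alert).
const benignUrl = 'https://example.com/search?q=abc';
const hostileUrl = 'https://example.com/search?q=<script>alert(1)</script>';

for (const url of [benignUrl, hostileUrl]) {
  const term = getParam(url, 'q');
  console.log(`unsafe: ${renderSearchUnsafe(term)}  -> script tag: ${containsScriptTag(renderSearchUnsafe(term))}`);
  console.log(`safe  : ${renderSearchSafe(term)}  -> script tag: ${containsScriptTag(renderSearchSafe(term))}`);
}
```

In the browser the equivalent of `renderSearchSafe` is assigning the parameter to an element's `textContent` rather than passing it to `document.write` or `innerHTML`; the encoding has to happen at the point where the value meets the markup, because the same string is harmless in a JSON body and dangerous in HTML.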
Example
Suppose we have code like this. In this code, because the name is <travis>, it is not rendered.
<html>
  <head><title>HI</title></head>
  <body>
    <h1>WEBSITE</h1>
     Hey my name is <travis>.
  </body>
</html>
HTTP Parameter Pollution Attack
The explanation is as follows.
This isn't a regular problem in modern web applications because parameter parsing is done by the framework usually, in (modern versions of) php for example, $_GET["postuid"] would contain the same value for both code fragments, making a HTTP PP attack useless.

HTTP PP used to be a big problem (and still is, whenever this is the case) when parameters are parsed "by hand", i.e. on the application logic layer. That opens the door for different people implementing this parsing differently.
Example
Suppose the expected URL is as follows
https://security.stackexchange.com/editpost/?postuid=19348
For the attack, let us send a URL like this.
https://security.stackexchange.com/editpost/?postuid=19348&postuid=1
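The quote above says the problem is that different parsers resolve a repeated parameter differently. The following added example (my code, not from the original post) reads `postuid` from the polluted URL with the browser-style `URLSearchParams` parser, which keeps the first occurrence, and with a hand-rolled split-on-`&` parser of the kind the quote describes, which lets the last occurrence win, and then shows the check an application can apply before either value is used: refuse any request in which a parameter expected once appears twice. Function names are mine.

```javascript
// Added example: how two parsers disagree on a duplicated query parameter, and a
// defensive duplicate check. Not code from the original post; names are mine.

// Framework-style parsing: URLSearchParams.get() returns the FIRST occurrence.
function firstValue(url, name) {
  return new URL(url).searchParams.get(name);
}

// Hand-rolled parsing of the kind the quote warns about: splitting the query on
// "&" and assigning into an object means the LAST occurrence silently wins.
function lastWinsParse(url) {
  const query = url.split('?')[1] || '';
  const params = {};
  for (const pair of query.split('&')) {
    if (!pair) continue;
    const [rawKey, rawValue = ''] = pair.split('=');
    params[decodeURIComponent(rawKey)] = decodeURIComponent(rawValue);
  }
  return params;
}

// Defensive check: list every parameter name that occurs more than once, so the
// request can be rejected (or logged) instead of letting parser behaviour decide.
function duplicatedParams(url) {
  const counts = new Map();
  for (const [name] of new URL(url).searchParams) {
    counts.set(name, (counts.get(name) || 0) + 1);
  }
  return [...counts].filter(([, n]) => n > 1).map(([name]) => name);
}

// Strict accessor an edit endpoint could use: a parameter expected exactly once
// is returned only when it is present exactly once.
function singleValueOrNull(url, name) {
  const values = new URL(url).searchParams.getAll(name);
  return values.length === 1 ? values[0] : null;
}

// The two URLs from the post.
const expectedUrl = 'https://security.stackexchange.com/editpost/?postuid=19348';
const pollutedUrl = 'https://security.stackexchange.com/editpost/?postuid=19348&postuid=1';

for (const url of [expectedUrl, pollutedUrl]) {
  console.log(`first-wins: ${firstValue(url, 'postuid')}  last-wins: ${lastWinsParse(url).postuid}`);
  console.log(`duplicates: [${duplicatedParams(url).join(', ')}]  strict value: ${singleValueOrNull(url, 'postuid')}`);
}
```

The point for detection is that the two layers of one application (say, a WAF or authorisation filter reading the first value and the handler reading the last) can be made to agree simply by treating a duplicated parameter as malformed input; a log line from `duplicatedParams` is also a useful signal on its own.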