HappyDev 2015

Transcript

1. ПОЧЕМУ БРАУЗЕРЫ ОТДАЮТ ВАШИ ДАННЫЕ ХАКЕРАМ? Артем Зиненко СКБ Контур

   <[email protected]>

2. XSS CSRF UNVALIDATED REDIRECT CLICKJACKING

3. None

4. ПЛАН

5. None

6. GET /index.html

7. GET /index.html

8. GET /index.html GET /image.png

9. GET /index.html GET /image.png

10. CROSS DOMAIN REQUESTS

11. site.com

12. site.com GET /emails gmail.com

13. site.com GET /emails gmail.com

14. Same Origin Policy

15. protocol://host:port

16. https://site.com http://site.com https://a.site.com https://site.com:9090

17. CROSS ORIGIN RESOURCE SHARING

18. GET HEAD POST METHODS

19. Accept Accept-Language Content-Language Content-Type HEADERS

20. application/x-www- form-urlencoded multipart/form- data text/plain CONTENT-TYPE

21. var r = new XMLHttpRequest(); r.open('GET', ‘http://site2.com’, true); r.send();

22. GET / HTTP/1.1 Host: site2.com Origin: http://site1.com/

23. HTTP/1.1 200 OK Access-Control- Allow-Origin: http://site1.com [Data]

24. var r = new XMLHttpRequest(); r.open('GET', ‘http:// site2.com’, true); r.withCredentials

    = true; r.send();

25. GET / HTTP/1.1 Host: site2.com Origin: http://site1.com/ Cookie: token=ab7…

26. HTTP/1.1 200 OK Access-Control-Allow- Origin: http:// site1.com Access-Control-Allow- Credentials: true

    [Data]

27. PREFLIGHTED REQUESTS

28. var r = new XMLHttpRequest(); r.open('POST', ‘http:// site2.com’, true); r.setRequestHeader(‘Content-

    Type’,'application/json'); r.setRequestHeader('X-HEADER', 'lalala'); r.send(data);

29. OPTIONS / HTTP/1.1 Host: site2.com Origin: http://site1.com/ Access-Control-Request- Method: POST

    Access-Control-Request- Headers: X-HEADER

30. HTTP/1.1 200 OK Access-Control-Allow-Origin: http://site1.com Access-Control-Allow- Methods: POST, GET, OPTIONS

    Access-Control-Allow- Headers: X-HEADER

31. POST / HTTP/1.1 Host: site2.com Origin: http://site1.com/ X-HEADER: lalala Content-Type:

    application/json [Data]

32. HTTP/1.1 200 OK Access-Control- Allow-Origin: http://site1.com [Data]

33. None

34. Cross-origin reads var r = new XMLHttpRequest(); r.open('GET', ‘http:// site2.com’,

    true); r.withCredentials = true; r.send();

35. Cross-origin writes var c = new XMLHttpRequest(); c.withCredentials = true;

    c.open("POST", ...); c.setRequestHeader("Content- Type", “...”); c.send(...);

36. Cross-origin embedding $(‘…’).append( ‘<img src=“…”>’ );

37. Bad CORS

38. Access-Control- Allow-Origin: * Access-Control- Allow- Credentials: true

39. HACKED

40. CHANGE PASSWORD

41. None

42. POST /profile password:78330… retypedPassword:2c84…

43. None
44. None

45. GET evil.com

46. GET evil.com

47. <form method=“POST” action=“http:// service.com/profile”> <input type=“hidden” name=“password” value=“78330…” /> <input

    type=“hidden” name=“retypedPassword” value=“2c84…” /> </form>

48. <form method=“POST” action=“http://service.com/profile”> <input type=“hidden” name=“password” value=“78330…”/> <input type=“hidden” name=“retypedPassword”

    value=“2c84…”/> </form>

49. <script> window.onload = function(){ … form.submit(); } </script>

50. POST /profile password, retypedPassword GET evil.com

51. HACKED

52. Cross Site Request FORGERY

53. CHANGE EMAIL

54. None
55. None
56. None
57. None

58. POST /user email: [email protected]

59. PASSWORD???

60. <img src=“https://... /confirm? code=67a50…” />

61. HACKED

62. UNVALIDATED REDIRECT

63. None

64. https:// a.site.com/login? back=https%3A%2F %2Fqqq.site.com SUBDOMAIN

65. HTTP/1.1 302 Found Location: https:// qqq.site.com/ Set-Cookie:token=djnD…; domain=.site.com;

66. https:// site.com/login? back=https%3A%2F %2Fqqq-site.com ANOTHER DOMAIN

67. HTTP/1.1 302 Found Location: https:// qqq-site.com/? token=djnD…

68. HACKED

69. None

70. https://speakerdeck.com /ar7z1/happydev-2015