XSS using dirty Content Type in cloud era

944VTJOHEJSUZ$POUFOU5ZQF JODMPVEFSB B[BSB !B@[BSB@O FJ !FJ 'MBUU4FDVSJUZJOD

*OUSPEVDUJPO ͋ͳͨ͸حոͳ$POUFOU5ZQFΛཧղͰ͖·͔͢ $BOZPVVOEFSTUBOEUIFDVSJPVT$POUFOU5ZQF

JNBHFQOH )PXJTJUJOUFSQSFUFECZUIFCSPXTFS

JNBHFQOH 1/(GJMF ˣ )PXJTJUJOUFSQSFUFECZUIFCSPXTFS

UFYUIUNM )PXJTJUJOUFSQSFUFECZUIFCSPXTFS

UFYUIUNM )5.-GJMF ˣ )PXJTJUJOUFSQSFUFECZUIFCSPXTFS

UFYUIUNMJNBHFQOH )PXJTJUJOUFSQSFUFECZUIFCSPXTFS

UFYUIUNMJNBHFQOH ˣ )PXJTJUJOUFSQSFUFECZUIFCSPXTFS

UFYUIUNMJNBHFQOH )5.-GJMF ˣ )PXJTJUJOUFSQSFUFECZUIFCSPXTFS

UFYUIUNMJNBHFQOH 4XJUDI )PXJTJUJOUFSQSFUFECZUIFCSPXTFS

JNBHFQOHUFYUIUNM 1/(GJMF ˣ )PXJTJUJOUFSQSFUFECZUIFCSPXTFS

UFYUIUNM B

UFYUIUNM B JNBHFQOHYB UFYUIUNM

UFYUIUNM B JNBHFQOHYB UFYUIUNM YZ YZ YZ YZ YZ
YZ YZ UFYUIUNM

UFYUIUNM B JNBHFUFYUIUNM JNBHFQOHYB UFYUIUNM YZ YZ YZ YZ
YZ YZ YZ UFYUIUNM

YZ YZ YZ UFYUIUNM JNBHF UFYUaIUNMQOH

YZ YZ YZ UFYUIUNM JNBHF UFYUaIUNMQOH 🤔 ....?

YZ YZ YZ UFYUIUNM JNBHF UFYUaIUNMQOH 🤔)5.-GJMF

YZ YZ YZ UFYUIUNM JNBHF UFYUaIUNMQOH 🤔)5.-GJMF ⭕

YZ YZ YZ UFYUIUNM JNBHF UFYUaIUNMQOH 😱

◦ 3FTFBSDITVSSPVOEJOH$POUFOU5ZQFBOE944 ◦ /FXBUUBDLWFDUPSTFNFSHFXJUIUIFBEWFOUPGUIFDMPVE ◦ 4QFDJGJDBUJPOPG$POUFOU5ZQFBOE7BMJEBUJPO#ZQBTT5FDI ◦ &YBNQMFPGDBSSJFSXBWF3VCZMJCSBSZ ◦ $7&BOE$7&
◦ 4FDVSJUZNFBTVSFTJOJNQMFNFOUBUJPO ◦ 4JEF4UPSZʜ -FUTUBMLBCPVUUIFSFBMBOEJNNFEJBUFUISFBUTXFGBDF BGUFS#4JEFT5PLZP PWFSESJOLTBUUIFBGUFSQBSUZ 5PQJDT

ຊ୊ʹೖΔલʹࣗݾ঺հΛ 4FMG*OUSPEVDUJPO

/PSJIJEF4BJUPB[BSB !B@[BSB@O ɹ೥ʹגࣜձࣾ'MBUU4FDVSJUZʹೖࣾ ͠ɺ8FCΞϓϦέʔγϣϯ΍ύϒϦοΫΫϥ ΢υΛର৅ͱͨ͠ϓϩϑΣογϣφϧαʔϏ εۀ຿ʹैࣄɻ ɹ*40(+8(ͳͲͷ֎෦ஂମͰͷ׆ಈ΍ɺ +4"$ ɺ"84%FW%BZ
ɺ 4FDVSJUZ+"84%":4 Ͱͷొஃɾϫʔ Ϋγϣοϓ։࠵ͳͲΛ௨͠ɺύϒϦοΫΫϥ ΢υͱ8FCΞϓϦέʔγϣϯʹ͓͚ΔηΩϡ ϦςΟʹؔ͢Δܒ໤ͳͲͷ׆ಈΛߦ͏ɻ 4FMGJOUSPEVDUJPO &JKJ.PSJFJ !FJ ɹࣛࣇౡେֶେֶӃमྃޙɺ೥݄ʹג ࣜձࣾ'MBUU4FDVSJUZʹೖࣾɻηΩϡϦςΟ ΤϯδχΞͱͯ͠ɺओʹ8FCΞϓϦέʔγϣ ϯ਍அͱεϚʔτϑΥϯΞϓϦέʔγϣϯ਍ அΛ୲౰͍ͯ͠Δɻ ɹաڈʹηΩϡϦςΟΩϟϯϓؔ࿈Πϕϯτ ʹؔΘ͍ͬͯͨͨΊɺϋʔυ΢ΣΞ͔Βιϑ τ΢ΣΞ·Ͱ෯޿͘ڵຯ͕͋Δɻझຯ͸੬ऑ ੑௐࠪͱےτϨɻ

◦ .BOZ944TBSFOPXTFFOUBLJOHBEWBOUBHFPGUIFDIBSBDUFSJTUJDT PG0CKFDU4UPSBHFBOEQFSJQIFSBMJNQMFNFOUBUJPOT ◦ *ODSFEJCMF$POUFOU5ZQF.PWFNFOU*EFOUJGJFEJO $7&BOE0UIFS7VMOFSBCJMJUJFT ◦ *ODSFBTFEUISFBUTEVFUPUIFJODSFBTFJO944BUUBDLWFDUPSTBOE UIFSFTVMUJOHFBTFPG944 ◦
1PTTJCJMJUZUPPCUBJO5PLFOTTVDIBT"DDFTT5PLFOBOE*E 5PLFOGSPNUIFCSPXTFS ◦ #FDPNFBOBUUBDLHBEHFUGPSTFSWJDFTUIBUJTTVF $SFEFOUJBMT TVDIBT"NB[PO$PHOJUP*EFOUJUZ1PPM "MJUUMFCBDLHSPVOEPOIPXXFDBNFUP CFHJOUIJT3FTFBSDI

$POUFOU5ZQF΍ͦͷपลΛऔΓר͘ݚڀͱ944ʹ͍ͭͯ 3FTFBSDITVSSPVOEJOH$POUFOU5ZQFBOE944

944PSJHJOBUJOHGSPNCSPXTFSCFIBWJPSBOE DIBSBDUFSFODPEJOH IUUQTXXXEPDTXFMMDPNTIBTFHBXB-77(;Q झຯͱ࣮ӹͷ੬ऑੑൃݟ.S:PTVLF)BTFHBXB IUUQTXXXEPDTXFMMDPNTPDLFHIFN;91PXBTQ จࣈίʔυͷ੬ऑੑ͸͜ͷ೥ؒͰͲͷఔ౓ରࡦ͞Ε͔ͨ .S)JSPTIJ5PLVNBSV

IUUQTXXXEPDTXFMMDPNTIBTFHBXB-77(;Q झຯͱ࣮ӹͷ੬ऑੑൃݟ.S:PTVLF)BTFHBXB IUUQTXXXEPDTXFMMDPNTIBTFHBXB-77(;Q จࣈίʔυͷ੬ऑੑ͸͜ͷ೥ؒͰͲͷఔ౓ରࡦ͞Ε͔ͨ .S)JSPTIJ5PLVNBSV 8JUIUIFBEWFOUPG99441SPUFDUJPOBOEBXBSFOFTT PGUIFSFMFWBOUNFUIPET 'JYFTBOEDPVOUFSNFBTVSFTXJMMCFJNQMFNFOUFE 944PSJHJOBUJOHGSPNCSPXTFSCFIBWJPSBOE
DIBSBDUFSFODPEJOH

944QBUIXBZEVFUPJOQVUWBMVFT $POWFOUJPOBMBUUBDLQBUIT 6TFSJOQVUFYJTUTBOEJTPVUQVU 4UPSFEWJBPOFPGUIFTFSWFST 3FOEFSFECZBUFSNJOBMTVDIBTBCSPXTFS %BUB4UPSF

%BUB4UPSF 944QBUIXBZEVFUPJOQVUWBMVFT

%BUB4UPSF $POUFOU5ZQFIBEUPCFBTQFDJGJD .JNF5ZQFTVDIBTUFYUIUNM 944QBUIXBZEVFUPJOQVUWBMVFT

%BUB4UPSF 4BOJUJ[BUJPOBOEFTDBQJOHBMTPJODSFBTFUIF PVUQVU 944QBUIXBZEVFUPJOQVUWBMVFT

944QBUIXBZDBVTFECZGJMFVQMPBET %JTL4UPSBHF

%JTL4UPSBHF 944QBUIXBZDBVTFECZGJMFVQMPBET

%JTL4UPSBHF &YUFOTJPO QOHKQH $POUFOU5ZQF JNBHFQOHJNBHFKQH BOEPUIFSWBMJEBUJPO
944QBUIXBZDBVTFECZGJMFVQMPBET

7BMJEBUJPO&YBNQMF'JMF6QMPBE

%JTL4UPSBHF *GOPUBMMPXFE SFUVSOBWBMVF FHBQQMJDBUJPOPDUFUTUSFBN PSB WBMJEBUJPOFSSPSUPFOTVSFTBGFIBOEMJOH 944QBUIXBZDBVTFECZGJMFVQMPBET

944QBUIXBZDBVTFECZGJMFVQMPBET %JTL4UPSBHF $POUFOU5ZQFUFYUIUNM

%JTL4UPSBHF $POUFOU5ZQFUFYUIUNMJTJOWBMJE ˠ7BMJEBUJPO&SSPS 944QBUIXBZDBVTFECZGJMFVQMPBET

%JTL4UPSBHF 944QBUIXBZDBVTFECZGJMFVQMPBET

8BT944BNBKPSGBDUPSJOUSBEJUJPOBMGJMFVQMPBET ◦ 8IFOTUPSJOHGJMFTPOEJTLTUPSBHFPSEFMJWFSJOHUIFN UIF$POUFOU 5ZQFXBTTOJGGFECZUIFNJEEMFXBSFPSBQQMJDBUJPO BOEUIFBUUBDLFS DPVMEOPUEJSFDUMZTQFDJGZUIF$POUFOU5ZQF ◦ 7BMJEBUJPOXBTCFJOHEPOFBUVQMPBEUJNFJOUIFBQQMJDBUJPOBOE
NJEEMFXBSF BOEUIFZOFFEFEUPCFCZQBTTFE #FDBVTFPGUIFBCPWFUXPQPJOUT GJMFVQMPBETJOUIFGPSNPGEJTLTUPSBHF XFSFPGUFONPSFEJGGJDVMUUPDBVTF944BTUIFZFBSTXFOUCZ 944QBUIXBZDBVTFECZGJMFVQMPBET

3FTFBSDIPO$POUFOU5ZQF IUUQTHJUIVCDPN#MBDL'BODPOUFOUUZQFSFTFBSDICMPCNBTUFS944NE $POUFOU5ZQF3FTFBSDICZ.S#MBDL'BO 1SFDFEFOUTJOUIJT3FTFBSDI

1SFDFEFOUTJOUIJT3FTFBSDI 3FTFBSDIPO$POUFOU5ZQF IUUQTHJUIVCDPN#MBDL'BODPOUFOUUZQFSFTFBSDICMPCNBTUFS944NE $POUFOU5ZQF3FTFBSDICZ.S#MBDL'BO 5IFJOUFSQSFUBUJPOPG$POUFOU5ZQFXBTOPUUIFNBJOUPQJDPGUIF TUVEZ BTUSBEJUJPOBMBQQMJDBUJPOJNQMFNFOUBUJPOTIBWFMJNJUFE NFUIPETGPSTQFDJGZJOHBSCJUSBSZ$POUFOU5ZQFTBOESFUSJFWJOH UIFNGSPNUIFSFTQPOTF

Ϋϥ΢υͱ৽͍͠߈ܸͷ଍৔0CKFDU4UPSBHF /FXBUUBDLWFDUPSTFNFSHFXJUIUIFBEWFOU

$MPVE MJGUcTJGUcGJSTU DBVTFEDIBOHFTJO BQQMJDBUJPOTUSVDUVSF $%/'SPOU4FSWFS #BDLFOE$MPVE

#BDLFOE$MPVE $MPVE MJGUcTJGUcGJSTU DBVTFEDIBOHFTJO BQQMJDBUJPOTUSVDUVSF $%/'SPOU4FSWFS

8IBUJT0CKFDU4UPSBHF

'JMF6QMPBEJODMPVE %JTLTUPSBHF 0CKFDUTUPSBHF

0CKFDU%BUB #JOBSZ .FUBEBUB ◦ .FUBEBUBDBOCFGSFFMZDPOGJHVSFEVTJOHUIF"1* ◦ $POUFOU5ZQFJOGPSNBUJPODBOBMTPCFBEEFEBTNFUBEBUB ◦ 6TFDBTFT
◦ 'JMF4UPSBHFGPS6QMPBEFEGJMF ◦ 'JMF%FMJWFSZ 8IBU0CKFDU4UPSBHF

'JMF6QMPBE.FUIPET 4FSWFS4JEF6QMPBE GPS4%, $MJFOU4JEF6QMPBE GPS1SF4JHOFE63- $MJFOU4JEF6QMPBE GPS10451PMJDZ

4FSWFS4JEF6QMPBEGPS4%,

4FSWFS4JEF6QMPBEGPS4%, 4UPSFE

4FSWFS4JEF6QMPBEGPS4%,

$MJFOU4JEF6QMPBEGPS1SF4JHOFE63-

$MJFOU4JEF6QMPBEGPS1SF4JHOFE63- 4UPSFE

$MJFOU4JEF6QMPBEGPS10451PMJDZ

$MJFOU4JEF6QMPBEGPS1SF4JHOFE63- 4UPSFE

0CKFDU4UPSBHF944

0CKFDU%BUB #JOBSZ .FUBEBUB ◦ .FUBEBUBDBOCFGSFFMZDPOGJHVSFEVTJOHUIF"1* ◦ $POUFOU5ZQFJOGPSNBUJPODBOBMTPCFBEEFEBTNFUBEBUB ◦ 6TFDBTFT
◦ 'JMF4UPSBHFGPS6QMPBEFEGJMF ◦ 'JMF%FMJWFSZ 0CKFDU4UPSBHF

0CKFDU4UPSBHFPG6QMPBE.FUIPET 4FSWFS4JEF6QMPBE GPS4%, $MJFOU4JEF6QMPBE GPS1SF4JHOFE63- $MJFOU4JEF6QMPBE GPS10451PMJDZ

0CKFDU4UPSBHFPG6QMPBE.FUIPET 4FSWFS4JEF6QMPBE GPS4%, $MJFOU4JEF6QMPBE GPS1SF4JHOFE63- $MJFOU4JEF6QMPBE GPS10451PMJDZ 7BMJEBUJPOCFGPSFVQMPBEJOHJOUIFSFBMXPSME &YUFOTJPO$IFDL
BMMPXQOHKQFHHJGʜNPSFTBGFFYUFOTJPOT ˠ 🙆 'JMF)FBEFS$IFDLˠ 🙆 $POUFOU5ZQF$IFDLˠ 🤔

4FSWFS4JEF6QMPBEGPS4%,944 5IF4%,XJMMFYQMJDJUMZHJWFQSFGFSFODFUPUIFVTFSQBTTJOH B$POUFOU5ZQF PUIFSXJTFJUXJMMTQFDJGZBTQFDJGJD $POUFOU5ZQF

4FSWFS4JEF6QMPBEGPS4%,944 4%,͸໌ࣔతʹϢʔβʔ͕$POUFOU5ZQFΛ౉͢৔߹ʹ͸༏ઌ͠ɺ ͦ͏Ͱͳ͍৔߹ʹ͸ಛఆͷ$POUFOU5ZQFΛࢦఆ͢Δ

4FSWFS4JEF6QMPBEGPS4%,944 $POUFOU5ZQFUFYUIUNM

4FSWFS4JEF6QMPBEGPS4%,944 &YUFOTJPO$IFDLˠDIFDL 🙆 'JMF)FBEFS$IFDLˠDIFDL 🙆 $POUFOU5ZQF$IFDLˠʜOPDIFDL
😴

4FSWFS4JEF6QMPBEGPS4%,944 4UPSFE

4FSWFS4JEF6QMPBEGPS4%,944 #SPXTFSTSFOEFSXJUIUIF$POUFOU 5ZQFTQFDJGJFECZUIFTFSWFS ˠ944

$MJFOU4JEF6QMPBE944 5IF4%,XJMMFYQMJDJUMZHJWFQSFGFSFODFUPUIFVTFSQBTTJOH B$POUFOU5ZQF PUIFSXJTFJUXJMMTQFDJGZBTQFDJGJD $POUFOU5ZQF

$MJFOU4JEF6QMPBE944 4%,͸໌ࣔతʹϢʔβʔ͕$POUFOU5ZQFΛ౉͢৔߹ʹ͸༏ઌ͠ɺ ͦ͏Ͱͳ͍৔߹ʹ͸ಛఆͷ$POUFOU5ZQFΛࢦఆ͢Δ

$MJFOU4JEF6QMPBE944

$MJFOU4JEF6QMPBE944 &YUFOTJPO$IFDLBOE4JHOFEˠ0,🙆 'JMF)FBEFS$IFDLBOE4JHOFEˠ0,🙆 $POUFOU5ZQF$IFDLBOE4JHOFEˠʜOP😴

$MJFOU4JEF6QMPBE944

$MJFOU4JEF6QMPBE944 $IBOHF $POUFOU5ZQFUFYUIUNM *O1SPYZ

$MJFOU4JEF6QMPBE944 4UPSFE

$MJFOU4JEF6QMPBE944 )5513FTQPOTF)FBEFS l$POUFOU5ZQFUFYUIUNMz

$MJFOU4JEF6QMPBE944 #SPXTFSTSFOEFSXJUIUIF$POUFOU 5ZQFTQFDJGJFECZUIFTFSWFS ˠ944

4QFDJGJDBUJPOPG$POUFOU5ZQF

4QFDJGJDBUJPOPG$POUFOU5ZQF 8)"58('FUDITUBOEBSE )551QSPUPDPMBOE 4FNBOUJDT 3'$ 3'$ 3'$ BOENPSF

4QFDJGJDBUJPOPG$POUFOU5ZQF 3'$)5514FNBOUJDTBOE$POUFOU 3'$4USVDUVSFE'JFME7BMVFTGPS)551 3'$)5514FNBOUJDT 8)"58('FUDITUBOEBSE

4QFDJGJDBUJPOPG$POUFOU5ZQF 3'$)5514FNBOUJDTBOE$POUFOU $POUFOU5ZQF NFEJBUZQF NFEJBUZQF UZQFTVCUZQF 084084
QBSBNFUFS UPLFO UPLFORVPUFETUSJOH RVPUFETUSJOH %2605& REUFYURVPUFEQBJS %2605& REUFYU )5"#41YY#Y%&PCTUFYU PCTUFYU Y''

4QFDJGJDBUJPOPG$POUFOU5ZQF 3'$)5514FNBOUJDTBOE$POUFOU 8.3.1. Considerations for New Header Fields Whether
the field is a single value or whether it can be a list (delimited by commas; see Section 3.2 of [RFC7230]). If it does not use the list syntax, document how to treat messages where the field occurs multiple times (a sensible default would be to ignore the field, but this might not always be the right choice). Note that intermediaries and software libraries might combine multiple header field instances into a single one, despite the field's definition not allowing the list syntax. A robust format enables recipients to discover these situations (good example: "Content-Type", as the comma can only appear inside quoted strings; bad example: "Location", as a comma can occur inside a URI).

4QFDJGJDBUJPOPG$POUFOU5ZQF 3'$)5514FNBOUJDTBOE$POUFOU Note that intermediaries and software libraries might
combine multiple header field instances into a single one, despite the field's definition not allowing the list syntax. A robust format enables recipients to discover these situations (good example: "Content-Type", as the comma can only appear inside quoted strings; bad example: "Location", as a comma can occur inside a URI). (PPE&YBNQMF $POUFOU5ZQFJNBHFQOHIPHFlGVHB UFYUIUNMz ˠNFEJB5ZQFJNBHFQOH ˠQBSBNFUFST ◦ IPHFlGVHB UFYUIUNMz

4QFDJGJDBUJPOPG$POUFOU5ZQF 3'$)5514FNBOUJDTBOE$POUFOU Note that intermediaries and software libraries might
combine multiple header field instances into a single one, despite the field's definition not allowing the list syntax. A robust format enables recipients to discover these situations (good example: "Content-Type", as the comma can only appear inside quoted strings; bad example: "Location", as a comma can occur inside a URI). 1PJOUTUPDPOTJEFS $POUFOU5ZQFJNBHFQOHIPHFGVHB UFYUIUNM ˠNFEJB5ZQFJNBHFQOH ˠQBSBNFUFST ◦ IPHFGVHB ˠ UFYUIUNM 🤔 -PPLBUPUIFSTQFDJGJDBUJPOT

4QFDJGJDBUJPOPG$POUFOU5ZQF 3'$4USVDUVSFE'JFME7BMVFTGPS)551 3.1 Lists Lists are arrays of zero
or more members, each of which can be an Item (Section 3.3) or an Inner List (Section 3.1.1), both of which can be Parameterized (Section 3.1.2). 4QFD TGMJTUMJTUNFNCFS 084 084MJTUNFNCFS MJTUNFNCFSTGJUFNJOOFSMJTU &YBNQMF &YBNQMF-JTUTVHBS UFB SVN

🤔 4QFDJGJDBUJPOPG$POUFOU5ZQF 3'$)5514FNBOUJDTBOE$POUFOU Note that intermediaries and software libraries
might combine multiple header field instances into a single one, despite the field's definition not allowing the list syntax. A robust format enables recipients to discover these situations (good example: "Content-Type", as the comma can only appear inside quoted strings; bad example: "Location", as a comma can occur inside a URI). 1PJOUTUPDPOTJEFS $POUFOU5ZQFJNBHFQOHIPHFGVHB UFYUIUNM ˠNFEJB5ZQFJNBHFQOH UFYUIUNM ˠQBSBNFUFST ◦ IPHFGVHB UFYUIUNMDPVMECFTFUUP.FEJB5ZQFʜ

4QFDJGJDBUJPOPG$POUFOU5ZQF 3'$)5514FNBOUJDT $POUFOU5ZQF NFEJBUZQF NFEJBUZQF UZQFTVCUZQF 084084
QBSBNFUFS UPLFO UPLFORVPUFETUSJOH RVPUFETUSJOH %2605& REUFYURVPUFEQBJS %2605& REUFYU )5"#41YY#Y%&PCTUFYU PCTUFYU Y''

4QFDJGJDBUJPOPG$POUFOU5ZQF 3'$)5514FNBOUJDT $POUFOU5ZQF NFEJBUZQF NFEJBUZQF UZQFTVCUZQF 084084
QBSBNFUFS UPLFO UPLFORVPUFETUSJOH RVPUFETUSJOH %2605& REUFYURVPUFEQBJS %2605& REUFYU )5"#41YY#Y%&PCTUFYU PCTUFYU Y'' %FGJOJUJPOJOIFSJUFEGSPN 3'$ )5514FNBOUJDTBOE$POUFOU

4QFDJGJDBUJPOPG$POUFOU5ZQF 3'$)5514FNBOUJDT 5.6.2. Tokens Many HTTP field values are
defined using common syntax components, separated by whitespace or specific delimiting characters. Delimiters are chosen from the set of US-ASCII visual characters not allowed in a token (DQUOTE and "(),/:;<=>?@\[\\]{}"). %2605&BOE l !a<aa>\^ 👀 $POUFOU5ZQF7BMVFJTOPUFYQMJDJUMZNBSLFE l.645/05PS4)06-%/05 ˠ-JTU5ZQF7BMVFNBZCFBWBJMBCMF

4QFDJGJDBUJPOPG$POUFOU5ZQF 8)"58('FUDITUBOEBSE 1BSTF-PHJDGPS$POUFOU5ZQF -FUDIBSTFUCFOVMM -FUFTTFODFCFOVMM -FUNJNF5ZQFCFOVMM
-FUWBMVFTCFUIFSFTVMUPGHFUUJOH EFDPEJOH BOETQMJUUJOH$POUFOU5ZQFGSPNIFBEFST *GWBMVFTJTOVMM UIFOSFUVSOGBJMVSF 'PSFBDIWBMVFPGWBMVFT -FUUFNQPSBSZ.JNF5ZQFCFUIFSFTVMUPGQBSTJOHWBMVF *GUFNQPSBSZ.JNF5ZQFJTGBJMVSFPSJUTFTTFODFJT UIFODPOUJOVF 4FUNJNF5ZQFUPUFNQPSBSZ.JNF5ZQF *GNJNF5ZQF`TFTTFODFJTOPUFTTFODF UIFO 4FUDIBSTFUUPOVMM *GNJNF5ZQF`TQBSBNFUFST<DIBSTFU>FYJTUT UIFOTFUDIBSTFUUPNJNF5ZQF`TQBSBNFUFST<lDIBSTFU> 4FUFTTFODFUPNJNF5ZQF`TFTTFODF 0UIFSXJTF JGNJNF5ZQF`TQBSBNFUFST<DIBSTFU>EPFTOPUFYJTU BOEDIBSTFUJTOPOOVMM TFUNJNF5ZQF`T QBSBNFUFST<DIBSTFU>UPDIBSTFU *GNJNF5ZQFJTOVMM UIFOSFUVSOGBJMVSF 3FUVSONJNF5ZQF

4QFDJGJDBUJPOPG$POUFOU5ZQF 8)"58('FUDITUBOEBSE 7BSJBCMFTSFMBUFEUP NJNF5ZQFBSFNVUBCMF TP UIFZBSFPWFSXSJUUFOCZ'PS MPPQ 1TFVEPJNQMFNFOUBUJPOXJUI5ZQF4DSJQU

4QFDJGJDBUJPOPG$POUFOU5ZQF 8)"58('FUDITUBOEBSE 1BSTF-PHJDGPS)FBEFS7BMVFT -FUJOQVUCFUIFSFTVMUPGJTPNPSQIJDEFDPEJOHWBMVF -FUQPTJUJPOCFBQPTJUJPOWBSJBCMFGPSJOQVU JOJUJBMMZQPJOUJOHBUUIFTUBSUPGJOQVU
-FUWBMVFTCFBMJTUPGTUSJOHT JOJUJBMMZFNQUZ -FUUFNQPSBSZ7BMVFCFUIFFNQUZTUSJOH 8IJMFQPTJUJPOJTOPUQBTUUIFFOEPGJOQVU "QQFOEUIFSFTVMUPGDPMMFDUJOHBTFRVFODFPGDPEFQPJOUTUIBUBSFOPU6 PS6 $ GSPNJOQVU HJWFO QPTJUJPO UPUFNQPSBSZ7BMVF *GQPTJUJPOJTOPUQBTUUIFFOEPGJOQVU UIFO *GUIFDPEFQPJOUBUQPTJUJPOXJUIJOJOQVUJT6 UIFO "QQFOEUIFSFTVMUPGDPMMFDUJOHBO)551RVPUFETUSJOHGSPNJOQVU HJWFOQPTJUJPO UP UFNQPSBSZ7BMVF *GQPTJUJPOJTOPUQBTUUIFFOEPGJOQVU UIFODPOUJOVF 0UIFSXJTF "TTFSUUIFDPEFQPJOUBUQPTJUJPOXJUIJOJOQVUJT6 $ "EWBODFQPTJUJPOCZ 3FNPWFBMM)551UBCPSTQBDFGSPNUIFTUBSUBOEFOEPGUFNQPSBSZ7BMVF "QQFOEUFNQPSBSZ7BMVFUPWBMVFT 4FUUFNQPSBSZ7BMVFUPUIFFNQUZTUSJOH 3FUVSOWBMVFT

4QFDJGJDBUJPOPG$POUFOU5ZQF 8)"58('FUDITUBOEBSE $PNNB JTVTFEBTUIF DIBSBDUFSVTFEGPSEJWJTJPO 1TFVEPJNQMFNFOUBUJPOXJUI5ZQF4DSJQU

*OUFSQSFUBUJPO%JGGFSFODFGPS4QFDJGJDBUJPO 4FNJDPMPO 1TFVEPJNQMFNFOUBUJPOXJUI5ZQF4DSJQU 3'$ $POUFOU5ZQFJNBHFQOHUFYUIUNM 8)"58( $POUFOU5ZQFJNBHFQOHUFYUIUNM

*OUFSQSFUBUJPO%JGGFSFODFGPS4QFDJGJDBUJPO 4FNJDPMPO 1TFVEPJNQMFNFOUBUJPOXJUI5ZQF4DSJQU 3'$ $POUFOU5ZQFJNBHFQOHUFYUIUNM 8)"58( $POUFOU5ZQFJNBHFQOHUFYUIUNM .JNF5ZQFJTJNBHFQOH
.JNF5ZQFJTJNBHFQOH

.JNF5ZQFJTJNBHFQOH 4FNJDPMPO JTVTFEUP EFMJNJUQBSBNFUFST TPUIF

*OUFSQSFUBUJPO%JGGFSFODFGPS4QFDJGJDBUJPO $PNNB 1TFVEPJNQMFNFOUBUJPOXJUI5ZQF4DSJQU 3'$ $POUFOU5ZQFJNBHFQOH UFYUIUNM 8)"58( $POUFOU5ZQFJNBHFQOH UFYUIUNM

6OEFGJOFE $POUFOU5ZQFJTEFGJOFEBTTJOHVMBS .JNF5ZQFJTUFYUIUNM

6OEFGJOFE $POUFOU5ZQFJTEFGJOFEBTTJOHVMBS .JNF5ZQFJTUFYUIUNM 5SFBUTWBMVFTBTTJOHVMBSEVFUPMBDLPG JOUFSQSFUBUJPOEFGJOJUJPO

&YBNQMFPGDPEFXJUIJOBEFRVBUF JNQMFNFOUBUJPO $PEF*NQMFNFOUBUJPO "MMPXJNBHFQOH 1SFGJYNBUDI 4VGGJYNBUDI 3FHFYNBUDI JNBHFQOH UFYUIUNM
UFYUIUNMJNBHFQOH JNBHFQOH UFYUIUNM #ZQBTT&YBNQMF *ODMVEF UFYUIUNMJNBHFQOH

$7&BOE$7&

$7&BOE$7& $7&IUUQTHJUIVCDPNDBSSJFSXBWFVQMPBEFSDBSSJFSXBWFTFDVSJUZBEWJTPSJFT()4"HYIYHGRIK $7&IUUQTHJUIVCDPNDBSSJFSXBWFVQMPBEFSDBSSJFSXBWFTFDVSJUZBEWJTPSJFT()4"WGNWKGDQKKX

$BSSJFSXBWF - 'JMF6QMPBE - 'JMF7BMJEBUJPO - FUD

$BSSJFSXBWF $POUFOU5ZQFXBTSFHJTUFSFEJOUIF NFUBEBUBXIFOUIFPCKFDUXBTVQMPBEFE 4UPSFE

GFBUVSFPG7BMJEBUJPO

$7&TPNFUIJOHXBTEJTDPWFSFE

$7&$POGJSNBUJPOPGJNQMFNFOUBUJPO

JNBHFQOH $7&$POGJSNBUJPOPGJNQMFNFOUBUJPO 3FTQPOTFˠ0,

UFYUIUNM 3FTQPOTFˠ/PU'PVOE $7&$POGJSNBUJPOPGJNQMFNFOUBUJPO

BJNBHFQOH 3FTQPOTFˠ0, $7&$POGJSNBUJPOPGJNQMFNFOUBUJPO

$7&$POGJSNBUJPOPGJNQMFNFOUBUJPO

$7&$POGJSNBUJPOPGJNQMFNFOUBUJPO 🤔 *XBOUUIFCSPXTFSUP SFOEFSJUBTUFYUIUN M

.JNF5ZQFJTJNBHFQOH 4FNJDPMPO JTVTFEUP EFMJNJUQBSBNFUFST TPUIF

3FTQPOTFˠ0, UFYUIUNMJNBHFQOH $7&$POGJSNBUJPOPGJNQMFNFOUBUJPO

$7&&SSPOFPVT'JY1SPQPTBM .ZTJODFSFBQPMPHJFT

$7&'JY1SPQPTBMBGUFS4QFDJGJDBUJPOTVSWFZ a"\JUFN^ 4UBSUT8JUINVDI JNBHFQOH UFYUIUNM *DBO#ZQBTTJU

JNBHFQOH UFYUIUNM 3FTQPOTFˠ0, 😰 $7&'JY1SPQPTBMBGUFS4QFDJGJDBUJPOTVSWFZ

$7&'JY

$POUFOU5ZQFJNBHFQOH UFYUIUNM $7&'JY

$POUFOU5ZQFJNBHFQOH UFYUIUNM DIBOHFEUPJNBHFQOHCZ .BSDFM.JNFUZQF $7&'JY

4UPSFE $7&'JY .FUBEBUBJTTFUUPBTBGF$POUFOU5ZQF

ରࡦ 4FDVSJUZNFBTVSFTJOJNQMFNFOUBUJPO

4FDVSJUZNFBTVSFTJOJNQMFNFOUBUJPO 6TF6TFS*OQVU 'PS$POUFOU5ZQF 4FU.FDIBOJDBMMZEFUFSNJOFE7BMVF 'PS$POUFOU5ZQF ◦ $POUFOU5ZQFJTBOFYBDUNBUDI ◦ /PQBSUJBMNBUDIFTBSFVTFE
◦ /PTUBSUT8JUI ◦ /PFOET8JUI ◦ /PJODMVEFT ◦ #FDBSFGVMPGVOJOUFOEFETUSJOH NBUDIFTXIFOVTJOHSFHVMBS FYQSFTTJPOT ◦ ?JNBHF QOHcKQFHcKQHcHJG ◦ %FUFSNJOFUIFWBMVFPG$POUFOU UZQFCBTFEPOUIFJOGPSNBUJPOJO UIFGJMF ◦ 'JMF)FBEFS ◦ &YUFOTJPO ◦ 7BMJEBUJPOPGUIFEFUFSNJOFEWBMVF

4FDVSJUZNFBTVSFTJOJNQMFNFOUBUJPO 7BMJEBUJPOXJUIGJYFEWBMVFT &YBNQMF4FSWFS4JEF

4FDVSJUZNFBTVSFTJOJNQMFNFOUBUJPO &YBNQMF4FSWFS4JEF

4FDVSJUZNFBTVSFTJOJNQMFNFOUBUJPO $POUFOU5ZQFUFYUIUNM &YBNQMF4FSWFS4JEF

4FDVSJUZNFBTVSFTJOJNQMFNFOUBUJPO 9 &YBNQMF4FSWFS4JEF

5IFBMMPXFE$POUFOU5ZQFT FHJNBHFQOH BSFQSFEFUFSNJOFE 4FDVSJUZNFBTVSFTJOJNQMFNFOUBUJPO &YBNQMF$MJFOU4JEF

4FDVSJUZNFBTVSFTJOJNQMFNFOUBUJPO

&YBNQMF$MJFOU4JEF 4FDVSJUZNFBTVSFTJOJNQMFNFOUBUJPO

&YBNQMF$MJFOU4JEF 4JHOXJUIB$POUFOU5ZQF)FBEFS XJUI7BMJEBUJPOBOEEFUFSNJOFE WBMVFT 4FDVSJUZNFBTVSFTJOJNQMFNFOUBUJPO

$IBOHFUP $POUFOU5ZQFUFYUIUNM *O1SPYZ 4FDVSJUZNFBTVSFTJOJNQMFNFOUBUJPO

7FSJGZTJHOBUVSFTBOESFKFDUJG EJGGFSFOU 4FDVSJUZNFBTVSFTJOJNQMFNFOUBUJPO

4JEF4UPSZ.JNF5ZQF4OJGGJOH

YZ YZ YZ UFYUIUNM JNBHF UFYUaIUNMQOH 🤔

YZ YZ YZ UFYUIUNM JNBHF UFYUaIUNMQOH 🤔 VOLOPXOUZQF

YZ YZ YZ UFYUIUNM JNBHF UFYUaIUNMQOH 😊 VOLOPXOUZQF ⭕

YZ YZ YZ UFYUIUNM JNBHF UFYUaIUNMQOH .JNF5ZQFTOJGGFS )J 😊

YZ YZ YZ UFYUIUNM JNBHF UFYUaIUNMQOH .JNF5ZQFTOJGGFS 5IJTJTBOPUIFSTUPSZ

5IBOLZPVGPSZPVSBUUFOUJPOʂ

3FGFSFODF

◦ $POUFOU4FDVSJUZ1PMJDZ ◦ IUUQTEFWFMPQFSNP[JMMBPSHKBEPDT8FC)551)FBEFST$POUFOU4FDVSJUZ1PMJDZ ◦ "NB[PO4 ◦ IUUQTBXTBNB[PODPNKQT ◦ BXTTELKTW
◦ IUUQTHJUIVCDPNBXTBXTTELKTW ◦ TJHOFE63- ◦ IUUQTEPDTBXTBNB[PODPNKB@KQ*".MBUFTU6TFS(VJEFDSFBUFTJHOFESFRVFTUIUNM ◦ $BSSJFSXBWF ◦ IUUQTHJUIVCDPNDBSSJFSXBWFVQMPBEFSDBSSJFSXBWF ◦ 3'$ ◦ IUUQTEBUBUSBDLFSJFUGPSHEPDIUNMSGD ◦ 3'$ ◦ IUUQTEBUBUSBDLFSJFUGPSHEPDIUNMSGD ◦ 3'$ ◦ IUUQTEBUBUSBDLFSJFUGPSHEPDIUNMSGD ◦ 'FUDI4UBOEBSE ◦ IUUQTGFUDITQFDXIBUXHPSH ◦ #ZQBTTJOHBOEFYQMPJUJOH#VDLFU6QMPBE1PMJDJFTBOE4JHOFE63-T ◦ IUUQTMBCTEFUFDUJGZDPNXSJUFVQTCZQBTTJOHBOEFYQMPJUJOHCVDLFUVQMPBEQPMJDJFTBOETJHOFEVSMT ◦ $POUFOU5ZQFBMMPXMJTUCZQBTTWVMOFSBCJMJUZ QPTTJCMZMFBEJOHUP944 ◦ IUUQTHJUIVCDPNDBSSJFSXBWFVQMPBEFSDBSSJFSXBWFTFDVSJUZBEWJTPSJFT()4"HYIYHGRIK 3FGFSFODF

XSS using dirty Content Type in cloud era

XSS using dirty Content Type in cloud era

More Decks by Flatt Security

Other Decks in Technology

Featured

Transcript