"Gimme a bit!" - Exploring Attacks in the "Post-XSS" World

(JNNFBCJU &YQMPSJOH"UUBDLTJOUIF1PTU9448PSME 5BLBTIJ:POFVDIJ !MNU@TXBMMPX %FQBSUNFOUPG*OGPSNBUJPO4DJFODF 'BDVMUZPG4DJFODF UIF6OJWFSTJUZPG5PLZP IUUQTTIJGUKTJOGP

TIJGUKTJOGP (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC 5BLBTIJ:POFVDIJ ‣ !MNU@TXBMMPX !ZOVDIZ ‣ %FQBSUNFOUPG*OGPSNBUJPO4DJFODF 'BDVMUZ
PG4DJFODF UIF6OJWFSTJUZPG5PLZP ‣ *ὑ8FC ‣ 4&$$0/#FHJOOFSTDUGC ‣ 4FDVSJUZ$BNQTFDDBNQ ‣ 54(EPEPEPEP ‣ 4FFIUUQTTIJGUKTJOGP

TIJGUKTJOGP (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC 0VUMJOF ‣ 1PTU9448PSME ‣ 2VFTUJPO8IBUDPNFTBGUFS944
‣ *OUSPEVDUJPOUP94-FBLTBOE944FBSDI ‣ 0WFSWJFX ‣ &YBNQMFT ‣ 'SBNF$PVOU ‣ 5JNJOH*OGPSNBUJPO ‣ &⒎FDUT.JUJHBUJPO ‣ $PODMVTJPO

1PTU9448PSME

TIJGUKTJOGP (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC 944 3PBENBQUP1PTU9448PSME .JUJHBUJPO 944FBSDI 94-FBL
4DSJQUMFTT  "UUBDL 4DSJQU  (BEHFUT

TIJGUKTJOGP (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC $SPTT4JUF4DSJQUJOH  944 BDPNNPOqBXJO8FCBQQMJDBUJPOT ‣ .BOZEFWFMPQFSTBOESFTFBSDIFSTIBWFTUSVHHMFEXJUI944
‣ .PEFSO8FCGSBNFXPSLTQSPWJEFQSFWFOUJPO ‣ "VUPNBUJDFTDBQJOH ‣ 'PPMQSPPG FHEBOHFSPVTMZ4FU*OOFS)5.- ‣ 8FCCSPXTFSTBMTPIBWFEFGFOTFMJOFT ‣ $POUFOU4FDVSJUZ1PMJDZ $41 ‣ 944"VEJUPS <?= $_GET['q'] ?>

TIJGUKTJOGP (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC 944 .JUJHBUJPO 944FBSDI 94-FBL 4DSJQUMFTT 
"UUBDL 4DSJQU  (BEHFUT 3PBENBQUP1PTU9448PSME

TIJGUKTJOGP (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC $POUFOU4FDVSJUZ1PMJDZ  &YBNQMFTPG$MJFOUTJEF.JUJHBUJPOPG944 ‣ $POUFOU4FDVSJUZ1PMJDZ $41 ‣
4QFDJpDBUJPOIUUQTXXXXPSH53$41JOUSP ‣ *USFEVDFTUIFIBSNDBVTFECZDPOUFOUJOKFDUJPOBUUBDLT ‣ "QQSPQSJBUFQPMJDJFTSFRVJSFBUUBDLFSTUPNBLFBCVODIPG F⒎PSUTUPFYFDVUF+4TVDDFTTGVMMZ Content-Security-Policy: script-src 'nonce-4g34...34r' <script nonce="4g34...34r">alert('Hello, CSP!')</script>

TIJGUKTJOGP (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC 944"VEJUPS  &YBNQMFTPG$MJFOUTJEF.JUJHBUJPOPG944 ‣ 99441SPUFDUJPOIFBEFS EFpOFTUIFBDUJPOXIFO 3FqFDUFE 944JTGPVOE
‣ 5IFSFBSFUXPNPEFT ‣ pMUFS ‣ CMPDL ‣ 3FTFBSDIFSTIBWFUBDLMFEXJUI CZQBTTJOHPG944"VEJUPS

TIJGUKTJOGP (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC 944 .JUJHBUJPO 944FBSDI 94-FBL 4DSJQUMFTT 
"UUBDL 4DSJQU  (BEHFUT 3PBENBQUP1PTU9448PSME

TIJGUKTJOGP (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC &WPMVUJPOPG944  4DSJQU(BEHFUT$PEFSFVTJOHTJNJMBSUP301 ‣ &OUIVTJBTUTPG944IBWFUSJFEUPCZQBTT$41 ‣ 0OFPG4PMVUJPOT4DSJQU(BEHFUT -FLJFTFUBM
‣ *EFBSFVTFUSVTUFE MFHJUJNBUF TPVSDFDPEFTUPFYFDVUF BSCJUSBSZTDSJQUT DGSFUVSOPSJFOUFEQSPHSBNNJOH 301 <script src="https://ajax.googleapis.com/ajax/libs/ angularjs/1.0.8/angular.js"></script> <div ng-app ng-csp ng-mouseover=$event.view.alert('XSS')>

TIJGUKTJOGP (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC 4DSJQUMFTT"UUBDLT  /PUPOMZ+4 CVUBMTP$44IFMQTBUUBDLFST ‣ 3FTFBSDI2VFTUJPO  *G+4FYFDVUJPOJTSFTUSJDUFE XIBUDBOBUUBDLFSTEP
‣ 0OFPG"OTXFST4DSJQUMFTT"UUBDLT )FJEFSJDIFUBM ‣ #BDLJOIJTUPSZ UIJTDMBTTPGBUUBDLTIBTCFFOJOWFTUJHBUFECZ SFTFBSDIFST BOEXBTPGUFOSFEJTDPWFSFE ‣ 8FMMLOPXO"UUSJCVUFSFBEJOH 'POUMJHBUVSFUFDIOJRVF GPOU SBOHFUFDIOJRVF FUD ‣ /FXSFTFBSDIMJOFJNQPSUSFDVSTJPOUFDIOJRVFT 1FQF7JMB IUUQTWX[ROFUTMJEFTT@DTT@JOKFDUJPO@BUUBDLTQEG

TIJGUKTJOGP (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC 94-FBLT944FBSDI  "UUBDLTBJNJOHUIFQPTU944XPSME ‣ 3FTFBSDI2VFTUJPO  *TUIFSFZFUBOPUIFSBUUBDLJOHUFDIOJRVFXIFOBEWFSTBSJFT IBWFOPDPOUFOUJOKFDUJPOWVMOFSBCJMJUJFTJOUBSHFUT
‣ "OTXFS:FT ‣ *EFBEBUBUPXIJDIDSPTTPSJHJOBDDFTTJTHSBOUFEIFMQTPOF FTUJNBUFUIFGFBUVSFT DIBSBDUFSJTUJDT PGB)551SFTQPOTF ‣ &YBNQMF FYQMBJOFEMBUFS ‣ $SPTTTJUF-FBLT 94-FBLT ‣ $SPTTTJUF4FBSDI 944FBSDI

TIJGUKTJOGP (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC #"%/0/$&  54($5' "EEJUJPOBM/PUFT <?php session_start();
$nonce = md5(session_id()); $_SESSION['count'] = isset($_SESSION['count']) ? $_SESSION['count'] + 1 : 0; if ($_SESSION['count'] > 3){ setcookie('flag', null, -1, '/'); } ?> <head><meta http-equiv="Content-Security-Policy" content="script-src 'nonce-<?= $nonce ?>';"></head> <body><script nonce=<?= $nonce ?>>/* ... */</script> <?= $_GET['q'] ?> </body> UIFOPODFJTpYFE :PVIBWFUPMFBLDPPLJFT XJUIPOMZUXPSFR

TIJGUKTJOGP (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC /PUFT  1PTU9448PSME ‣ *O .JDIBFM;BMFXTLJ !MDBNUVG OPUFEUIBUUIF
DPMMFDUJPOPGBUUBDLTBMUFSOBUJWFUP944IFQSPWJEFEIBWF BMNPTUTBNFDBQBCJMJUJFTBT944  1PTUDBSETGSPNUIFQPTU944XPSMEIUUQMDBNUVGDPSFEVNQDYQPTUYTT ‣ FH3FSPVUJOHPGFYJTUJOHGPSNT ‣ FHIJKBDLSFMBUJWF63-TXJUICBTF ‣ DG3FMBUJWF1BUI0WFSXSJUF ‣ 4FF"STIBE GPSUIFSFBMBOBMZTJT-BSHFTDBMFBOBMZTJTPG TUZMFJOKFDUJPOCZSFMBUJWFQBUIPWFSXSJUF  IUUQTEMBDNPSHDJUBUJPODGN JE

*OUSPEVDUJPOUP  94-FBLTBOE944FBSDI

TIJGUKTJOGP (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC $SPTTTJUF-FBLT  BLB94-FBLT ‣ $SPTTTJUFMFBLT 94-FBL BSFBGBNJMZPGCSPXTFSTJEF DIBOOFMUFDIOJRVFT
‣ 94-FBLBUUBDLTBJNUPDJSDVNWFOUTFDVSJUZDPOUSPMTJO8FC CSPXTFSTCZUXPTUFQT ‣ 3FRVFTUJOH ‣ FHFNCFEEJOHBDSPTTTJUFDPOUFOU FHJGSBNF ‣ 0CTFSWJOHCSPXTFSTJEFDIBOOFMT ‣ FHBCVTJOHGFBUVSFTPG8FCCSPXTFST FH944"VEJUPS ‣ 0OFPGUIFVTBHFT$SPTTTJUF4FBSDI 944FBSDI

TIJGUKTJOGP (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC $SPTTTJUF4FBSDI  BLB944FBSDI ‣ $SPTTTJUFTFBSDI 944FBSDI
BUUBDLJTBLJOEPGBUUBDLT XIJDIBTLTTPNFRVFTUJPOTWJDUJNGSPNBVTFSTCSPXTFSUP B8FCFOEQPJOU ‣ FH*TUIFSFBFNBJMXIJDIDPOUBJOTUIFXPSEBQQMFJOUIF CPEZ GPSBOFNBJMTFSWJDF ‣ FH*OUIFSFBQMBOUPHPTPNFXIFSFUIJTXFFLFOE GPSB DBMFOEBSTFSWJDF ‣ 5IFBOTXFSPGUIFTFSWFSXJMMCFPCUBJOFECZVTJOH94 -FBLT FHSFTQPOTFTJ[FFTUJNBUJPO FUD

TIJGUKTJOGP (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC 0VUMJOF944FBSDI /05&)FSFJTTBNFOPUBUJPOBT(FMFSOUFS VTFE %VNNZ3FRVFTU 3FTQPOTF
$IBMMFOHF3FRVFTU 3FTQPOTF 7JDUJN 4FSWJDF 7JDUJN 6TFS "UUBDLFS *OJUJBUF $PMMFDU  3FTVMUT

$IBMMFOHF3FRVFTU 3FTQPOTF 7JDUJN 4FSWJDF 7JDUJN 6TFS "UUBDLFS *OJUJBUF $PMMFDU  3FTVMUT "OBUUBDLFSMVSFTBVTFSUPB QBHFUIBUJOJUJBUFTSFRVFTUT UPBTFSWJDF

$IBMMFOHF3FRVFTU 3FTQPOTF 7JDUJN 4FSWJDF 7JDUJN 6TFS "UUBDLFS *OJUJBUF $PMMFDU  3FTVMUT /FYU "OBEWFSTBSZJOJUJBUFT EVNNZSFRVFTUTXIPTF SFTQPOTFTBSFLOPXOJOBEWBODF &YBNQMFBSFRVFTUXJUIBTFBSDI RVFSZXIPTFSFTVMUDBOOPUFYJTU

$IBMMFOHF3FRVFTU 3FTQPOTF 7JDUJN 4FSWJDF 7JDUJN 6TFS "UUBDLFS *OJUJBUF $PMMFDU  3FTVMUT "GUFSSFRVFTUJOHEVNNJFT BOBEWFSTBSZTUBSUTUP JOJUJBUFSFRVFTUTXJUI BDUVBMTFBSDIRVFSJFT %J⒎CFUXFFOEBUB FYQPTFECZ94-FBLGPS EVNNJFTBOEPOFGPS DIBMMFOHFTDPSSFTQPOETUIF EJ⒎CFUXFFOSFTQPOTFT

$IBMMFOHF3FRVFTU 3FTQPOTF 7JDUJN 4FSWJDF 7JDUJN 6TFS "UUBDLFS *OJUJBUF $PMMFDU  3FTVMUT "OBEWFSTBSZSFQFBUTUIF QSPDFTTBOE

$IBMMFOHF3FRVFTU 3FTQPOTF 7JDUJN 4FSWJDF 7JDUJN 6TFS "UUBDLFS *OJUJBUF $PMMFDU  3FTVMUT "OBEWFSTBSZTFOETUIF DPMMFDUFESFTVMUTGSPN WJDUJNTCSPXTFSTUPJUT PXOTFSWFS

TIJGUKTJOGP (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC 6NN JTJUSFBMJTUJD   8IBU94-FBLT944FBSDIHJWFTVT ‣
6OMJLF944 94-FBLT944FBSDI ‣ EPFTOPUQSPWJEFBDUVBMDPOUFOUTPGEBUB ‣ EVFUP4BNF0SJHJO1PMJDZ ‣ EPQSPWJEFGFBUVSFT DIBSBDUFSJTUJDT PGEBUB ‣ FH8IFUIFSUIFEBUBDPOUBJOTBTQFDJpDWBMVFPSOPU ‣ 3FTQPOTFTXJUITFBSDISFTVMUTIBWFMPOHFSMFOHUIUIBOPOFXJUI OPSFTVMUT ‣ FH8IFUIFSUIFEBUBIBTDPNQMFYJUZPSOPU ‣ $PNQMFYJUZPGUFOSFTVMUTJOMPOHFSQSPDFTTJOHUJNF

TIJGUKTJOGP (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC )JTUPSZ94-FBLT /PXBEBZT BCVODIPG1P$TBSFCFDPNJOHBWBJMBCMFJOPOMJOF )551$BDIF$SPTT4JUF-FBLT  IUUQTJSEBSDLDBUCMPHTQPUDPNIUUQDBDIFDSPTTTJUFMFBLTIUNM
$SPTT4JUF$POUFOUBOE4UBUVT5ZQFT-FBLBHF  IUUQTNFEJVNDPNCVHCPVOUZXSJUFVQDSPTTTJUFDPOUFOUBOETUBUVTUZQFTMFBLBHFFGEBCB &WBOTQSFTFOUFEUIFQSJNJUJWFGPSNPG944FBSDIXJUI JNHMPBEUJNJOH &WBOT   $SPTTEPNBJOTFBSDIUJNJOH  IUUQTTDBSZCFBTUTFDVSJUZCMPHTQPUDPNDSPTTEPNBJOTFBSDIUJNJOHIUNM (FMFSOUFSFUBMHBWFUIFTPQIJTUJDBUFEBUUBDLTGPSTJUFTXJUI TFBSDIFOHJOFTOBNFE944FBSDI (FMFSOUFSFUBM

TIJGUKTJOGP (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC /PUFT 94-FBLT944FBSDI ‣ 94-FBLTIBWFBUUSBDUFEBUUFOUJPO CVUOPUFOPVHI ‣ #PUIBDDVSBDZBOEF⒎FDUJWFOFTTIBWFCFFOJNQSPWFE
‣ 3FGFSFODFT ‣ /PUFYTMFBLTYTMFBLTIBTBDPNQSFIFOTJWFTVSWFZQBHF  IUUQTHJUIVCDPNYTMFBLTYTMFBLTXJLJ-JOLT ‣ ':*/FX94-FBLUFDIOJRVFTSFWFBMGSFTIXBZTUPFYQPTFVTFS JOGPSNBUJPOCZ1PSU4XJHHFS  IUUQTQPSUTXJHHFSOFUEBJMZTXJHOFXYTMFBLUFDIOJRVFTSFWFBMGSFTIXBZTUPFYQPTFVTFSJOGPSNBUJPO ‣ ':*94-FBLTBOE944FBSDICZ(PPHMF  IUUQTTJUFTHPPHMFDPNTJUFCVHIVOUFSVOJWFSTJUZOPOWVMOYTMFBLT

&YBNQMF  'SBNF$PVOU

TIJGUKTJOGP (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC XJOEPXMFOHUI  "VTFGVMQSPQFSUZGPSDSPTTPSJHJOBUUBDLFST ‣ XJOEPXMFOHUI XJOEPXGSBNFTMFOHUI SFUVSOTUIF OVNCFSPGGSBNFTJOUIFXJOEPX 
2VPUFEIUUQTEFWFMPQFSNP[JMMBPSHFO64EPDT8FC"1* 8JOEPXMFOHUI ‣ $SPTTPSJHJOBDDFTTUP XJOEPXMFOHUIJTBMMPXFEVOEFS TBNFPSJHJOQPMJDZ 401   4FFIUUQTEFWFMPQFSNP[JMMBPSHFO64EPDT8FC4FDVSJUZ4BNF PSJHJO@QPMJDZ ‣ $BOUIJTQSPQFSUZCFVUJMJ[FEGPS TPNFLJOETPGBUUBDLT

TIJGUKTJOGP (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC 944"VEJUPS  "HPPEGSJFOEGPS944NBOJB ‣ 944"VEJUPS ‣ 99441SPUFDUJPOIFBEFS EFpOFTUIFBDUJPOXIFO
3FqFDUFE 944JTGPVOE ‣ 5IFSFBSFUXPNPEFT  pMUFSCMPDL ‣ 3FTFBSDIFSTIBWFUBDLMFEXJUI CZQBTTJOHPG944"VEJUPS

TIJGUKTJOGP (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC 944"VEJUPS XJOEPXMFOHUI ‣ 8IFOUIFSFJTTQFDJpDDPOUFOUUIBUDBOXBLF944"VEJUPSJO BQBHFBOEUIFQBHFIBT BUMFBTUPOF JGSBNF
‣ 8IFO944"VEJUPSCMPDLT XJOEPXMFOHUI ‣ 8IFOOPU XJOEPXMFOHUI ‣ 8FDBOHFUBCJUXIFUIFSUIFTQFDJpDDPOUFOUJT JODMVEFEPSOPUCZUIFQBHFBTMPOHBTUIFDPOUFOUDBO XBLF944"VEJUPS:BZ <iframe src="..."></iframe> <script>let secret_flag = true;</script>

%&.054($5'  3&$0/ /05&.PSFTJNQMZ XFDBOEFUFDUUIFXBLFPG944"VEJUPSCZPCTFSWJOHIPX NBOZUJNFTJGSBNFTPOMPBEFWFOUPDDVST  &YBNQMFD$5'pMFNBOBHFS  IUUQTHJTUHJUIVCDPNMXJPBFBBFBBDEBDEDBE

TIJGUKTJOGP (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC 4JEF&⒎FDUTPG#MPDLJOH  8IBU944"VEJUPSDBVTFT ‣ *G944"VEJUPSCMPDLT ‣ TPNFQSPQFSUJFTNBZTFFNTUPCFEJ⒎FSFOUGSPNUIFWBMVFT
XIFOUIFQBHFJTTIPXOVTVBMMZ ‣ *G944"VEJUPSpMUFST ‣ 1BHFTUSVDUVSFT FTQFDJBMMZUIFqPXPGBQQSPQSJBUF+4 FYFDVUJPOqPX DBOCFCSPLFO ‣ &YBNQMF9944/JHIUNBSFNPEFBUUBDL944"UUBDLT &YQMPJUJOH944'JMUFS !NBTBUPLJOVHBXB   IUUQTXXXTMJEFTIBSFOFUNBTBUPLJOVHBXBYYOFO ‣ ':**OGPSNBUJPOUIFGUBUUBDLTBCVTJOHCSPXTFST944pMUFS  IUUQTXXXNCTEKQCMPHIUNM

&YBNQMF  5JNJOH*OGPSNBUJPO

TIJGUKTJOGP (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC 5JNJOH"UUBDL 8FC   "LJOEPGTJEFDIBOOFMBUUBDLT ‣
3FTFBSDI2VFTUJPO  8IBUBUUBDLFSTDBOEPXJUIUJNJOHJOGPSNBUJPO ‣ 'JSTU*EFB 'FMUFOBOE4DIOFJEFS ‣ #SPXTFSTDBDIFIBTF⒎FDUTPOUIFMPBEJOHUJNFPGSFTPVSDFT ‣ $BDIFTBSFPGUFOBWBJMBCMFGPSSFTPVSDFTBDDFTTFESFDFOUMZ ‣ )FODF UIFMPBEJOHUJNFSFqFDUTCSPXTJOHIJTUPSZ ‣ 5IFSFBSFUXPWJFXQPJOUT ‣ $POOFDUJWJUZEJSFDUPSDSPTTTJUF ‣ 5BSHFU5JNJOHTFSWFSTJEFUJNJOHPSDMJFOUTJEFUJNJOH

TIJGUKTJOGP (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC %JSFDU5JNJOH"UUBDL  #PSU[BOE#POFI $SPTCZFUBM ‣
$POEJUJPOT*OGPSNBUJPOUIBUBUUBDLFSTXBOUUPMFBLB⒎FDUTUP TJUFXJEFCFIBWJPS ‣ "UUBDLT ‣ )JEEFOCPPMFBOWBMVFTEBUBTJ[FDBOCFFTUJNBUFEXJUI NFBTVSJOHQSPDFTTJOHUJNF #PSU[BOE#POFI ‣ 5PUIFCFTUPGNZLOPXMFEHF UIFZBSFUIFpSTUXIPEFTDSJCFEUIF DPODFQUPGEJSFDUUJNJOHBUUBDL ‣ &WFOSFNPUFUJNJOHBUUBDLT BQQSPQSJBUFTUBUJTUJDBMNFUIPET HJWFBUUBDLFSTBDDVSBUFBOBMZTJT $SPTCZFUBM ‣ 5IFCPYUFTUUIFZQSFTFOUFEBSFPGUFOVTFEJOPUIFSSFTFBSDI

TIJGUKTJOGP (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC $SPTTTJUF5JNJOH"UUBDL  #PSU[BOE#POFI ‣ "UUBDLT
‣ 8JUITFSWFSTJEFUJNJOH ‣ *OJUJBMDPODFQUPG944FBSDIJTCBTFEPOTFSWFSTJEFUJNJOH ‣ &WBOT NFOUJPOFECFGPSF ‣ (FMFSOUFSFUBM NFOUJPOFECFGPSF ‣ 8JUIDMJFOUTJEFUJNJOH ‣ BMTPLOPXOBTCSPXTFSCBTFEUJNJOHBUUBDLT ‣ &YBNQMFT ‣ $BDIF'FMUFOBOE4DIOFJEFS 7BO(PFUIFNFUBM ‣ $444UPOF ,PUDIFSFUBM 4NJUIFUBM FUD

TIJGUKTJOGP (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC $MJFOUTJEF5JNJOH   BLB#SPXTFSCBTFE5JNJOH"UUBDL ‣
*EFB ‣ $BDIFTIBWFF⒎FDUTPOQSPDFTTJOHUJNF ‣ "UUBDLT ‣ 5IFpSTUDPODFQUPGUJNJOHBUUBDLJOUIF8FCEFSJWFTGSPN DBDIFCBTFEBUUBDLT 'FMUFOBOE4DIOFJEFS ‣ 'FBUVSFTJOUSPEVDFEPONPEFSOCSPXTFSTDBOCFOFXTJEF DIBOOFMTUIBUMFUBEWFSTBSJFTNFBTVSFNPSFBDDVSBUFUJNJOH 7BO(PFUIFNFUBM ‣ FH$BDIF"1* PG4FSWJDF8PSLFS ‣ FH"QQMJDBUJPO$BDIF

TIJGUKTJOGP (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC $MJFOUTJEF5JNJOH   BLB#SPXTFSCBTFE5JNJOH"UUBDL ‣
*EFB ‣ 3FOEFSJOHIBTBUJHIUSFMBUJPOXJUIBDPOUFOUUPCFSFOEFSFE ‣ &WFOEBUBXIJDIDBOOPUCFUPVDIFEGSPN+4DBOCFSFOEFSFE ‣ "UUBDLT ‣ 1JYFMQFSGFDUUJNJOHBUUBDLT 4UPOF   IUUQTXXXDPOUFYUJTDPNNFEJBEPXOMPBET1JYFM@1FSGFDU@5JNJOH@"UUBDLT@XJUI@)5.-@8IJUFQBQFSQEG ‣ 1JYFMTUFBMJOHUJNJOHBUUBDLT ,PUDIFSFUBM   IUUQTEMBDNPSHDJUBUJPODGN JE ‣ "CVTFPG1BJOU"1* %5SBOTGPSNT BOE47(T 4NJUIFUBM   IUUQTXXXVTFOJYPSHDPOGFSFODFXPPUQSFTFOUBUJPOTNJUI

TIJGUKTJOGP (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC .PSF4PQIJTUJDBUFE0OFT  1PTTJCMFBUUBDLTXBUDIJOHZPVSFOWJSPONFOUT ‣ 4PGUXBSFCBTFENJDSPBSDIJUFDUVSBMBUUBDLT ‣ 4PGUXBSFCBTFENJDSPBSDIJUFDUVSBMTJEFDIBOOFMBUUBDLT FYQMPJUUJNJOHBOECFIBWJPSEJ⒎FSFODFTUIBUBSF
QBSUJBMMZ DBVTFEUISPVHINJDSPBSDIJUFDUVSBM PQUJNJ[BUJPOT JF EJ⒎FSFODFTUIBUBSFOPUBSDIJUFDUVSBMMZ EPDVNFOUFE  4PGUXBSFCBTFE.JDSPBSDIJUFDUVSBM"UUBDLTIUUQTBSYJWPSHBCT ‣ 3FTFBSDI2VFTUJPOT+BWB4DSJQU XIJDIJTFYFDVUFEJOUIF TBOECPY JTFOPVHIUPCFVTFEGPSNJDSPBSDIJUFDUVSBM BUUBDLT

TIJGUKTJOGP (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC 'SPN+44BOECPY  4PGUXBSFCBTFENJDSPBSDIJUFDUVSBMBUUBDLT ‣ 3FTVMUT ‣ 5JNFSTBWBJMBCMFJO+BWB4DSJQUJTFOPVHIGPSBUUBDLFSTUP QFSGPSNNJDSPBSDIJUFDUVSBMBUUBDLT
4DIXBS[FM   'BOUBTUJD5JNFSTBOE8IFSFUP'JOE5IFN)JHI3FTPMVUJPO.JDSPBSDIJUFDUVSBM"UUBDLTJO+BWB4DSJQU IUUQTHSVTTDDpMFTGBOUBTUJDUJNFSTQEG ‣ 5IFZEFNPOTUSBUFEBOFX%3".CBTFEDPWFSUDIBOOFMXJUI+4 ‣ ,FZTUSPLFUJNJOHBUUBDLTJOTBOECPYFE+4 -JQQFUBM   1SBDUJDBM,FZTUSPLF5JNJOH"UUBDLTJO4BOECPYFE+BWB4DSJQUIUUQTMJOLTQSJOHFSDPNDIBQUFS @ ‣ +45FNQMBUF"UUBDLT 4DIXBS[FUBM   +BWB4DSJQU5FNQMBUF"UUBDLT"VUPNBUJDBMMZ*OGFSSJOH)PTU*OGPSNBUJPOGPS5BSHFUFE&YQMPJUTIUUQT XXXOETTTZNQPTJVNPSHXQDPOUFOUVQMPBETOETT@#@4DIXBS[@QBQFSQEG ‣ /05&4JUF*TPMBUJPOBOEEJTBCMJOH4IBSFE"SSBZ#V⒎FS DVSSFOUMZ NJUJHBUFUIPTFBUUBDLT

&⒎FDUT.JUJHBUJPO

TIJGUKTJOGP (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC &⒎FDUTPG94-FBLT  94MFBLTQSPWJEFBQBSUPGJOGPSNBUJPO OPUUIFXIPMF ‣ &WFOTFDVSF8FCTJUFTIBWFBQPUFOUJBMUPCFUBSHFUFE
‣ &WFOJG)551IFBEFSTBSFTFUTFDVSFMZ ‣ FH3FRVFTUBOE$PORVFS&YQPTJOH$SPTT0SJHJO3FTPVSDF4J[F  IUUQTUPNWHQBQFSTSFRVFTU@BOE@DPORVFS@VTFOJYQEG ‣ DG6944 ‣ *UOFFETBMPUPGF⒎PSUTUPNJUJHBUFDPNQMFUFMZ ‣ )BWFZPVFWFSCFFOUIPVHIUBCPVUEBUBMFBLBHFGSPNUJNJOH JOGPSNBUJPO ‣ /FXQPMJDJFTUPNJUJHBUFUIFNIBWFCFFOEJTDVTTFE CVU

TIJGUKTJOGP (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC .JUJHBUJPO  8IBUDBOXFEPGPSUIPTFBUUBDLT ‣ "MPUPGTFDVSJUZIFBEFSTBUUSJCVUFT ‣ 4BNFTJUF$PPLJF ‣
9'SBNF0QUJPOT GSBNFBODFTUPST PG$41 ‣ $SPTT0SJHJO0QFOFS1PMJDZ $001 ‣ $SPTT0SJHJO3FTPVSDF1PMJDZ $031 ‣ $SPTT0SJHJO3FTPVSDF#MPDLJOH $03# ‣ 'FUDI.FUBEBUB ‣ 4PNFPGUIFNIBWFCFFOTUJMMEJTDVTTFE ‣ ,FFQXBUDIJOHXDXFCBQQTFD JO(JU)VC

TIJGUKTJOGP (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC 4BNFTJUF$PPLJF  3FTUSJDUJPOPGDPPLJFTVTBHFBUDSPTTTJUFSFRVFTUJOH ‣ 1SPCMFN$SPTTPSJHJOSFRVFTUTXJUIDPPLJFTPGUFODBVTFUIF TFDVSJUZJTTVFTTVDIBT$43' ‣ 4PMVUJPO4BNFTJUF$PPLJF
‣ #Z4BNF4JUFBUUSJCVUFTPGDPPLJF TJUFPXOFSTDBOQSPIJCJUT CSPXTFSTGSPNTFOEJOHDSPTTTJUFSFRVFTUTXJUIDPPLJFT ‣ 4BNF4JUF-BY0OMZUPQMFWFMOBWJHBUJPOTJTBMMPXFE ‣ 4BNF4JUF4USJDU/PDSPTTTJUFSFRVFTUXJUIDPPLJFTJTBMMPXFE ‣ 4FF4BNF4JUFDPPLJFTFYQMBJOFE  IUUQTXFCEFWTBNFTJUFDPPLJFTFYQMBJOFE

TIJGUKTJOGP (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC 'SBNJOH3FTUSJDUJPO  9'SBNF0QUJPOT GSBNFBODFTUPST PG$41 ‣ (FOFSBM1SPCMFN  3FBM8PSME&YBNQMFTPGUFOSFMJFTPOXJOEPXMFOHUI 
IUUQTHJUIVCDPNYTMFBLTYTMFBLTXJLJ3FBM8PSME&YBNQMFT ‣ $BTFXIFOBQBHFJTGSBNFE CPUIPGUIFQBHF DIJME BOE JUTQBSFOUIBWFSFGFSFODFTUPAXJOEPXAUPFBDIPUIFS ‣ GSPNDIJMEUPQBSFOUXJOEPXQBSFOUPSXJOEPXUPQ ‣ GSPNQBSFOUUPDIJME GSBNF@FMNFOU DPOUFOU8JOEPX ‣ 4PMVUJPOT9'SBNF0QUJPOT GSBNFBODFTUPST PG$41 ‣ 3FTUSJDUJOHDSPTTTJUFGSBNJOHSFEVDFTBUUBDLTVSGBDFT

TIJGUKTJOGP (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC $SPTT0SJHJO0QFOFS1PMJDZ  3FTUSJDUJPOPGVTJOHAXJOEPXASFGFSFODFGSPNPQFOFST ‣ $BTFXIFOXJOEPXPQFOJTFYFDVUFE UIFPQFOFEXJOEPX DBOBDDFTTUPAXJOEPXAPGJUTPQFOFS ‣
XJOEPXPQFOFSMPDBUJPOIUUQFWJMDPN ‣ 4PMVUJPO$SPTT0SJHJO0QFOFS1PMJDZ $001 ‣ $SPTT0SJHJO0QFOFS1PMJDZIFBEFSEFpOFTXIFO AXJOEPXPQFOFSAJTBWBJMBCMF ‣ 4FFBOOFWLDPPQNE BTFNJGPSNBMEFpOJUPOPG$001   IUUQTHJTUHJUIVCDPNBOOFWLGEEDDGGCEBDGF

TIJGUKTJOGP (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC $SPTT0SJHJO3FTPVSDF1PMJDZ  3FTUSJDUJPOPGUIFBWBJMBCMFPSJHJOPGSFTPVSDFT ‣ 1SPCMFN$SPTTPSJHJOOPDPSTSFRVFTUTDBVTFTFDVSJUZ JTTVFTTVDIBTTJEFDIBOOFMBUUBDLT ‣ DG4FSWJDF8PSLFSBCVTF
7BO(PFUIFNFUBM ‣ 4PMVUJPO$SPTT0SJHJO3FTPVSDF1PMJDZ $031 ‣ 5IJTIFBEFSQSFWFOUCSPXTFSTGSPNMPBEJOHSFTPVSDFTGFUDIFE CZDSPTT TJUFcPSJHJO OPDPSTSFRVFTUT ‣ /05&GPSNFSMZ UIJTJTDBMMFE'SPN0SJHJO Cross-Origin-Resource-Policy: same-site | same-origin

TIJGUKTJOGP (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC 'FUDI.FUBEBUB  *OGPUIBUIFMQTTFSWFSEFUFDUVOVTVBMSFRVFTUTGPSSFTPVSDFT ‣ 1SPCMFN ‣ 4FSWFSTDBOOPULOPXIPXUIFJSSFTPVSDFTXJMMCFVTFE ‣
4PMVUJPO'FUDI.FUBEBUB ‣ *UXPVMECFIFMQGVMJGTFSWFSTDPVMENBLFNPSFJOUFMMJHFOU EFDJTJPOTBCPVUXIFUIFSPSOPUUPSFTQPOEUPBHJWFO SFRVFTUCBTFEPOUIFXBZUIBUJU`TNBEF IUUQT NJLFXFTUHJUIVCJPTFDNFUBEBUB ‣ 1SPWJEFEXJUI4FD'FUDI IFBEFST

5IBOLZPVGPS-JTUFOJOH !MNU@TXBMMPX !ZOVDIZ IUUQTTIJGUKTJOGP

"Gimme a bit!" - Exploring Attacks in the "Post...

"Gimme a bit!" - Exploring Attacks in the "Post-XSS" World

More Decks by Takashi Yoneuchi

Other Decks in Technology

Featured

Transcript