$30 off During Our Annual Pro Sale. View Details »

"Gimme a bit!" - Exploring Attacks in the "Post-XSS" World

Takashi Yoneuchi
May 16, 2019
Technology
9
5.4k

"Gimme a bit!" - Exploring Attacks in the "Post-XSS" World

Presented at: https://shibuyaxss.connpass.com/event/128168/

Takashi Yoneuchi

May 16, 2019
Tweet

More Decks by Takashi Yoneuchi

See All by Takashi Yoneuchi
プロダクトセキュリティの「共通言語」を作る ― 技術教育と Policy as Code を例に / "Language" for Product Security
lmt_swallow
0
150
SREを以てセキュリティエンジニアリングを制す / SRE, Security Engineering, and You
lmt_swallow
5
1.7k
Eliminating ReDoS with Ruby 3.2
lmt_swallow
0
37
ソフトウェアサプライチェーンのこれから / Securing Software Supply Chain
lmt_swallow
1
110
AWSのセキュリティ管理をPolicy as Codeで加速する ― 最高のCSPM体験を目指して / Unleashing Policy as Code on AWS CSPM
lmt_swallow
4
1.5k
実践 SpiceDB - クライドネイティブ時代をサバイブできるパーミッション管理の実装を目指して / Practical SpiceDB
lmt_swallow
0
870
Developer-First Security という考え方 / Introduction to Developer-First Security
lmt_swallow
6
8.1k
ちいさな Web ブラウザを作ってみよう(オンライン講義版) / Build Your Own Web Browser
lmt_swallow
17
10k
Go をセキュアに書き進めるための
「ガードレール」を整備しよう / Let's Build Security Guardrails For Your Go Programs!
lmt_swallow
4
5k

Other Decks in Technology

See All in Technology
技術的負債あるある早く言いたい〜/RookiesLT-link-and-motivation
lmi
0
1.9k
FRONTEND CONFERENCE OKINAWA 2023 スポンサーセッション発表スライド/frontend-okinawa
nikkei_engineer_recruiting
1
2.1k
負債と言わないことが負債と向き合うこと
kenchan
4
1.8k
コロプラ_SRE_LCE_ゲームバックエンド_性能との戦い
colopl
0
120
⾃律的な開発チームを⽀えるためのSLO運⽤
sansantech
PRO
5
850
CI/CDプロセスの拡充からはじめる技術的負債の解消/Eliminate technical debt, starting with expanding CI/CD processes
onecareer_tech
0
130
ExaDB-D dbaascli で出来ること
oracle4engineer
PRO
0
1.2k
GraphQLクライアントの技術選定 2023冬
kazukihayase
6
2.7k
DMMオンラインサロン エンジニア採用資料/ for-software-engineers
onlinesalon
0
3.6k
「極意本」サンプルコードをクラウド上で動かそう
upura
0
150
EventStormingとRDRA2.0で大規模レガシーシステムのフルリニューアルPJに挑む
leveragestech
0
1.1k
実装がすべてではない、開発者の周りから考える Web プロダクトセキュリティ
oldbigbuddha
0
200

Featured

See All Featured
5 minutes of I Can Smell Your CMS
philhawksworth
199
19k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
24
2k
Stop Working from a Prison Cell
hatefulcrawdad
264
18k
Building an army of robots
kneath
299
41k
Reflections from 52 weeks, 52 projects
jeffersonlam
342
19k
Become a Pro
speakerdeck
PRO
8
3.6k
Debugging Ruby Performance
tmm1
68
11k
Done Done
chrislema
178
15k
Faster Mobile Websites
deanohume
296
29k
Optimizing for Happiness
mojombo
368
68k
jQuery: Nuts, Bolts and Bling
dougneiner
57
6.9k
Typedesign – Prime Four
hannesfritz
35
1.8k

Transcript

  1. (JNNFBCJU
    &YQMPSJOH"UUBDLTJOUIF1PTU9448PSME
    5BLBTIJ:POFVDIJ !MNU@TXBMMPX

    %FQBSUNFOUPG*OGPSNBUJPO4DJFODF 'BDVMUZPG4DJFODF UIF6OJWFSTJUZPG5PLZP
    IUUQTTIJGUKTJOGP

    View Slide

  2. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    5BLBTIJ:POFVDIJ
    ‣ !MNU@TXBMMPX !ZOVDIZ
    ‣ %FQBSUNFOUPG*OGPSNBUJPO4DJFODF 'BDVMUZ
    PG4DJFODF UIF6OJWFSTJUZPG5PLZP
    ‣ *ὑ8FC
    ‣ 4&$$0/#FHJOOFSTDUGC
    ‣ 4FDVSJUZ$BNQTFDDBNQ
    ‣ 54(EPEPEPEP
    ‣ 4FFIUUQTTIJGUKTJOGP



    View Slide

  3. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    0VUMJOF


    ‣ 1PTU9448PSME
    ‣ 2VFTUJPO8IBUDPNFTBGUFS944
    ‣ *OUSPEVDUJPOUP94-FBLTBOE944FBSDI
    ‣ 0WFSWJFX
    ‣ &YBNQMFT
    ‣ 'SBNF$PVOU
    ‣ 5JNJOH*OGPSNBUJPO
    ‣ &⒎FDUT.JUJHBUJPO
    ‣ $PODMVTJPO

    View Slide

  4. 1PTU9448PSME

    View Slide

  5. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC

    944
    3PBENBQUP1PTU9448PSME
    .JUJHBUJPO
    944FBSDI
    94-FBL
    4DSJQUMFTT

    "UUBDL
    4DSJQU

    (BEHFUT

    View Slide

  6. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    $SPTT4JUF4DSJQUJOH

    944 BDPNNPOqBXJO8FCBQQMJDBUJPOT


    ‣ .BOZEFWFMPQFSTBOESFTFBSDIFSTIBWFTUSVHHMFEXJUI944
    ‣ .PEFSO8FCGSBNFXPSLTQSPWJEFQSFWFOUJPO
    ‣ "VUPNBUJDFTDBQJOH
    ‣ 'PPMQSPPG FHEBOHFSPVTMZ4FU*OOFS)5.-

    ‣ 8FCCSPXTFSTBMTPIBWFEFGFOTFMJOFT
    ‣ $POUFOU4FDVSJUZ1PMJDZ $41

    ‣ 944"VEJUPS
    = $_GET['q'] ?>

    View Slide

  7. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC

    944
    .JUJHBUJPO
    944FBSDI
    94-FBL
    4DSJQUMFTT

    "UUBDL
    4DSJQU

    (BEHFUT
    3PBENBQUP1PTU9448PSME

    View Slide

  8. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    $POUFOU4FDVSJUZ1PMJDZ

    &YBNQMFTPG$MJFOUTJEF.JUJHBUJPOPG944
    ‣ $POUFOU4FDVSJUZ1PMJDZ $41

    ‣ 4QFDJpDBUJPOIUUQTXXXXPSH53$41JOUSP
    ‣ *USFEVDFTUIFIBSNDBVTFECZDPOUFOUJOKFDUJPOBUUBDLT
    ‣ "QQSPQSJBUFQPMJDJFTSFRVJSFBUUBDLFSTUPNBLFBCVODIPG
    F⒎PSUTUPFYFDVUF+4TVDDFTTGVMMZ


    Content-Security-Policy: script-src 'nonce-4g34...34r'
    alert('Hello, CSP!')

    View Slide

  9. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    944"VEJUPS

    &YBNQMFTPG$MJFOUTJEF.JUJHBUJPOPG944
    ‣ 99441SPUFDUJPOIFBEFS
    EFpOFTUIFBDUJPOXIFO
    3FqFDUFE
    944JTGPVOE
    ‣ 5IFSFBSFUXPNPEFT
    ‣ pMUFS
    ‣ CMPDL
    ‣ 3FTFBSDIFSTIBWFUBDLMFEXJUI
    CZQBTTJOHPG944"VEJUPS


    View Slide

  10. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC

    944
    .JUJHBUJPO
    944FBSDI
    94-FBL
    4DSJQUMFTT

    "UUBDL
    4DSJQU

    (BEHFUT
    3PBENBQUP1PTU9448PSME

    View Slide

  11. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    &WPMVUJPOPG944

    4DSJQU(BEHFUT$PEFSFVTJOHTJNJMBSUP301
    ‣ &OUIVTJBTUTPG944IBWFUSJFEUPCZQBTT$41
    ‣ 0OFPG4PMVUJPOT4DSJQU(BEHFUT -FLJFTFUBM

    ‣ *EFBSFVTFUSVTUFE MFHJUJNBUF
    TPVSDFDPEFTUPFYFDVUF
    BSCJUSBSZTDSJQUT DGSFUVSOPSJFOUFEQSPHSBNNJOH 301






    View Slide

  12. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    4DSJQUMFTT"UUBDLT

    /PUPOMZ+4 CVUBMTP$44IFMQTBUUBDLFST

    ‣ 3FTFBSDI2VFTUJPO

    *G+4FYFDVUJPOJTSFTUSJDUFE XIBUDBOBUUBDLFSTEP
    ‣ 0OFPG"OTXFST4DSJQUMFTT"UUBDLT )FJEFSJDIFUBM

    ‣ #BDLJOIJTUPSZ UIJTDMBTTPGBUUBDLTIBTCFFOJOWFTUJHBUFECZ
    SFTFBSDIFST BOEXBTPGUFOSFEJTDPWFSFE
    ‣ 8FMMLOPXO"UUSJCVUFSFBEJOH 'POUMJHBUVSFUFDIOJRVF GPOU
    SBOHFUFDIOJRVF FUD
    ‣ /FXSFTFBSDIMJOFJNQPSUSFDVSTJPOUFDIOJRVFT 1FQF7JMB

    IUUQTWX[ROFUTMJEFTT@DTT@JOKFDUJPO@BUUBDLTQEG


    View Slide

  13. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    94-FBLT944FBSDI

    "UUBDLTBJNJOHUIFQPTU944XPSME
    ‣ 3FTFBSDI2VFTUJPO

    *TUIFSFZFUBOPUIFSBUUBDLJOHUFDIOJRVFXIFOBEWFSTBSJFT
    IBWFOPDPOUFOUJOKFDUJPOWVMOFSBCJMJUJFTJOUBSHFUT
    ‣ "OTXFS:FT
    ‣ *EFBEBUBUPXIJDIDSPTTPSJHJOBDDFTTJTHSBOUFEIFMQTPOF
    FTUJNBUFUIFGFBUVSFT DIBSBDUFSJTUJDT
    PGB)551SFTQPOTF
    ‣ &YBNQMF FYQMBJOFEMBUFS

    ‣ $SPTTTJUF-FBLT 94-FBLT

    ‣ $SPTTTJUF4FBSDI 944FBSDI



    View Slide

  14. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    #"%/0/$&

    54($5' "EEJUJPOBM/PUFT


    session_start();
    $nonce = md5(session_id());
    $_SESSION['count'] = isset($_SESSION['count']) ?
    $_SESSION['count'] + 1 : 0;
    if ($_SESSION['count'] > 3){
    setcookie('flag', null, -1, '/');
    }
    ?>
    content="script-src 'nonce-= $nonce ?>';">
    >/* ... */
    = $_GET['q'] ?>

    UIFOPODFJTpYFE
    :PVIBWFUPMFBLDPPLJFT
    XJUIPOMZUXPSFR

    View Slide

  15. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    /PUFT

    1PTU9448PSME
    ‣ *O .JDIBFM;BMFXTLJ !MDBNUVG
    OPUFEUIBUUIF
    DPMMFDUJPOPGBUUBDLTBMUFSOBUJWFUP944IFQSPWJEFEIBWF
    BMNPTUTBNFDBQBCJMJUJFTBT944

    1PTUDBSETGSPNUIFQPTU944XPSMEIUUQMDBNUVGDPSFEVNQDYQPTUYTT

    ‣ FH3FSPVUJOHPGFYJTUJOHGPSNT
    ‣ FHIJKBDLSFMBUJWF63-TXJUICBTF
    ‣ DG3FMBUJWF1BUI0WFSXSJUF
    ‣ 4FF"STIBE GPSUIFSFBMBOBMZTJT-BSHFTDBMFBOBMZTJTPG
    TUZMFJOKFDUJPOCZSFMBUJWFQBUIPWFSXSJUF

    IUUQTEMBDNPSHDJUBUJPODGN JE


    View Slide

  16. *OUSPEVDUJPOUP

    94-FBLTBOE944FBSDI

    View Slide

  17. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    $SPTTTJUF-FBLT

    BLB94-FBLT
    ‣ $SPTTTJUFMFBLT 94-FBL
    BSFBGBNJMZPGCSPXTFSTJEF
    DIBOOFMUFDIOJRVFT
    ‣ 94-FBLBUUBDLTBJNUPDJSDVNWFOUTFDVSJUZDPOUSPMTJO8FC
    CSPXTFSTCZUXPTUFQT
    ‣ 3FRVFTUJOH
    ‣ FHFNCFEEJOHBDSPTTTJUFDPOUFOU FHJGSBNF

    ‣ 0CTFSWJOHCSPXTFSTJEFDIBOOFMT
    ‣ FHBCVTJOHGFBUVSFTPG8FCCSPXTFST FH944"VEJUPS

    ‣ 0OFPGUIFVTBHFT$SPTTTJUF4FBSDI 944FBSDI



    View Slide

  18. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    $SPTTTJUF4FBSDI

    BLB944FBSDI


    ‣ $SPTTTJUFTFBSDI 944FBSDI
    BUUBDLJTBLJOEPGBUUBDLT
    XIJDIBTLTTPNFRVFTUJPOTWJDUJNGSPNBVTFSTCSPXTFSUP
    B8FCFOEQPJOU
    ‣ FH*TUIFSFBFNBJMXIJDIDPOUBJOTUIFXPSEBQQMFJOUIF
    CPEZ GPSBOFNBJMTFSWJDF
    ‣ FH*OUIFSFBQMBOUPHPTPNFXIFSFUIJTXFFLFOE GPSB
    DBMFOEBSTFSWJDF
    ‣ 5IFBOTXFSPGUIFTFSWFSXJMMCFPCUBJOFECZVTJOH94
    -FBLT FHSFTQPOTFTJ[FFTUJNBUJPO FUD

    View Slide

  19. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    0VUMJOF944FBSDI
    /05&)FSFJTTBNFOPUBUJPOBT(FMFSOUFS VTFE


    %VNNZ3FRVFTU
    3FTQPOTF
    $IBMMFOHF3FRVFTU
    3FTQPOTF
    7JDUJN
    4FSWJDF
    7JDUJN
    6TFS
    "UUBDLFS
    *OJUJBUF
    $PMMFDU

    3FTVMUT

    View Slide

  20. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    0VUMJOF944FBSDI
    /05&)FSFJTTBNFOPUBUJPOBT(FMFSOUFS VTFE


    %VNNZ3FRVFTU
    3FTQPOTF
    $IBMMFOHF3FRVFTU
    3FTQPOTF
    7JDUJN
    4FSWJDF
    7JDUJN
    6TFS
    "UUBDLFS
    *OJUJBUF
    $PMMFDU

    3FTVMUT
    "OBUUBDLFSMVSFTBVTFSUPB
    QBHFUIBUJOJUJBUFTSFRVFTUT
    UPBTFSWJDF

    View Slide

  21. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    0VUMJOF944FBSDI
    /05&)FSFJTTBNFOPUBUJPOBT(FMFSOUFS VTFE


    %VNNZ3FRVFTU
    3FTQPOTF
    $IBMMFOHF3FRVFTU
    3FTQPOTF
    7JDUJN
    4FSWJDF
    7JDUJN
    6TFS
    "UUBDLFS
    *OJUJBUF
    $PMMFDU

    3FTVMUT
    /FYU "OBEWFSTBSZJOJUJBUFT
    EVNNZSFRVFTUTXIPTF
    SFTQPOTFTBSFLOPXOJOBEWBODF
    &YBNQMFBSFRVFTUXJUIBTFBSDI
    RVFSZXIPTFSFTVMUDBOOPUFYJTU

    View Slide

  22. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    0VUMJOF944FBSDI
    /05&)FSFJTTBNFOPUBUJPOBT(FMFSOUFS VTFE


    %VNNZ3FRVFTU
    3FTQPOTF
    $IBMMFOHF3FRVFTU
    3FTQPOTF
    7JDUJN
    4FSWJDF
    7JDUJN
    6TFS
    "UUBDLFS
    *OJUJBUF
    $PMMFDU

    3FTVMUT
    "GUFSSFRVFTUJOHEVNNJFT
    BOBEWFSTBSZTUBSUTUP
    JOJUJBUFSFRVFTUTXJUI
    BDUVBMTFBSDIRVFSJFT
    %J⒎CFUXFFOEBUB
    FYQPTFECZ94-FBLGPS
    EVNNJFTBOEPOFGPS
    DIBMMFOHFTDPSSFTQPOETUIF
    EJ⒎CFUXFFOSFTQPOTFT

    View Slide

  23. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    0VUMJOF944FBSDI
    /05&)FSFJTTBNFOPUBUJPOBT(FMFSOUFS VTFE


    %VNNZ3FRVFTU
    3FTQPOTF
    $IBMMFOHF3FRVFTU
    3FTQPOTF
    7JDUJN
    4FSWJDF
    7JDUJN
    6TFS
    "UUBDLFS
    *OJUJBUF
    $PMMFDU

    3FTVMUT
    "OBEWFSTBSZSFQFBUTUIF
    QSPDFTTBOE

    View Slide

  24. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    0VUMJOF944FBSDI
    /05&)FSFJTTBNFOPUBUJPOBT(FMFSOUFS VTFE


    %VNNZ3FRVFTU
    3FTQPOTF
    $IBMMFOHF3FRVFTU
    3FTQPOTF
    7JDUJN
    4FSWJDF
    7JDUJN
    6TFS
    "UUBDLFS
    *OJUJBUF
    $PMMFDU

    3FTVMUT
    "OBEWFSTBSZTFOETUIF
    DPMMFDUFESFTVMUTGSPN
    WJDUJNTCSPXTFSTUPJUT
    PXOTFSWFS

    View Slide

  25. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    6NN JTJUSFBMJTUJD 

    8IBU94-FBLT944FBSDIHJWFTVT


    ‣ 6OMJLF944 94-FBLT944FBSDI
    ‣ EPFTOPUQSPWJEFBDUVBMDPOUFOUTPGEBUB
    ‣ EVFUP4BNF0SJHJO1PMJDZ
    ‣ EPQSPWJEFGFBUVSFT DIBSBDUFSJTUJDT
    PGEBUB
    ‣ FH8IFUIFSUIFEBUBDPOUBJOTBTQFDJpDWBMVFPSOPU
    ‣ 3FTQPOTFTXJUITFBSDISFTVMUTIBWFMPOHFSMFOHUIUIBOPOFXJUI
    OPSFTVMUT
    ‣ FH8IFUIFSUIFEBUBIBTDPNQMFYJUZPSOPU
    ‣ $PNQMFYJUZPGUFOSFTVMUTJOMPOHFSQSPDFTTJOHUJNF

    View Slide

  26. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    )JTUPSZ94-FBLT


    /PXBEBZT BCVODIPG1P$TBSFCFDPNJOHBWBJMBCMFJOPOMJOF
    )551$BDIF$SPTT4JUF-FBLT

    IUUQTJSEBSDLDBUCMPHTQPUDPNIUUQDBDIFDSPTTTJUFMFBLTIUNM
    $SPTT4JUF$POUFOUBOE4UBUVT5ZQFT-FBLBHF

    IUUQTNFEJVNDPNCVHCPVOUZXSJUFVQDSPTTTJUFDPOUFOUBOETUBUVTUZQFTMFBLBHFFGEBCB
    &WBOTQSFTFOUFEUIFQSJNJUJWFGPSNPG944FBSDIXJUI
    JNHMPBEUJNJOH &WBOT

    $SPTTEPNBJOTFBSDIUJNJOH

    IUUQTTDBSZCFBTUTFDVSJUZCMPHTQPUDPNDSPTTEPNBJOTFBSDIUJNJOHIUNM
    (FMFSOUFSFUBMHBWFUIFTPQIJTUJDBUFEBUUBDLTGPSTJUFTXJUI
    TFBSDIFOHJOFTOBNFE944FBSDI (FMFSOUFSFUBM

    View Slide

  27. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    /PUFT
    94-FBLT944FBSDI
    ‣ 94-FBLTIBWFBUUSBDUFEBUUFOUJPO CVUOPUFOPVHI
    ‣ #PUIBDDVSBDZBOEF⒎FDUJWFOFTTIBWFCFFOJNQSPWFE
    ‣ 3FGFSFODFT
    ‣ /PUFYTMFBLTYTMFBLTIBTBDPNQSFIFOTJWFTVSWFZQBHF

    IUUQTHJUIVCDPNYTMFBLTYTMFBLTXJLJ-JOLT
    ‣ ':*/FX94-FBLUFDIOJRVFTSFWFBMGSFTIXBZTUPFYQPTFVTFS
    JOGPSNBUJPOCZ1PSU4XJHHFS

    IUUQTQPSUTXJHHFSOFUEBJMZTXJHOFXYTMFBLUFDIOJRVFTSFWFBMGSFTIXBZTUPFYQPTFVTFSJOGPSNBUJPO

    ‣ ':*94-FBLTBOE944FBSDICZ(PPHMF

    IUUQTTJUFTHPPHMFDPNTJUFCVHIVOUFSVOJWFSTJUZOPOWVMOYTMFBLT


    View Slide

  28. &YBNQMF

    'SBNF$PVOU

    View Slide

  29. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    XJOEPXMFOHUI

    "VTFGVMQSPQFSUZGPSDSPTTPSJHJOBUUBDLFST
    ‣ XJOEPXMFOHUI
    XJOEPXGSBNFTMFOHUI
    SFUVSOTUIF
    OVNCFSPGGSBNFTJOUIFXJOEPX

    2VPUFEIUUQTEFWFMPQFSNP[JMMBPSHFO64EPDT8FC"1*
    8JOEPXMFOHUI
    ‣ $SPTTPSJHJOBDDFTTUP
    XJOEPXMFOHUIJTBMMPXFEVOEFS
    TBNFPSJHJOQPMJDZ 401

    4FFIUUQTEFWFMPQFSNP[JMMBPSHFO64EPDT8FC4FDVSJUZ4BNF
    PSJHJO@QPMJDZ

    ‣ $BOUIJTQSPQFSUZCFVUJMJ[FEGPS
    TPNFLJOETPGBUUBDLT



    View Slide

  30. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    944"VEJUPS

    "HPPEGSJFOEGPS944NBOJB

    ‣ 944"VEJUPS
    ‣ 99441SPUFDUJPOIFBEFS
    EFpOFTUIFBDUJPOXIFO
    3FqFDUFE
    944JTGPVOE
    ‣ 5IFSFBSFUXPNPEFT

    pMUFSCMPDL
    ‣ 3FTFBSDIFSTIBWFUBDLMFEXJUI
    CZQBTTJOHPG944"VEJUPS



    View Slide

  31. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    944"VEJUPSXJOEPXMFOHUI
    ‣ 8IFOUIFSFJTTQFDJpDDPOUFOUUIBUDBOXBLF944"VEJUPSJO
    BQBHFBOEUIFQBHFIBT BUMFBTUPOF
    JGSBNF
    ‣ 8IFO944"VEJUPSCMPDLT XJOEPXMFOHUI
    ‣ 8IFOOPU XJOEPXMFOHUI
    ‣ 8FDBOHFUBCJUXIFUIFSUIFTQFDJpDDPOUFOUJT
    JODMVEFEPSOPUCZUIFQBHFBTMPOHBTUIFDPOUFOUDBO
    XBLF944"VEJUPS:BZ



    let secret_flag = true;

    View Slide

  32. %&.054($5'

    3&$0/
    /05&.PSFTJNQMZ XFDBOEFUFDUUIFXBLFPG944"VEJUPSCZPCTFSWJOHIPX
    NBOZUJNFTJGSBNFTPOMPBEFWFOUPDDVST

    &YBNQMFD$5'pMFNBOBHFS

    IUUQTHJTUHJUIVCDPNMXJPBFBBFBBDEBDEDBE

    View Slide

  33. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    4JEF&⒎FDUTPG#MPDLJOH

    8IBU944"VEJUPSDBVTFT
    ‣ *G944"VEJUPSCMPDLT
    ‣ TPNFQSPQFSUJFTNBZTFFNTUPCFEJ⒎FSFOUGSPNUIFWBMVFT
    XIFOUIFQBHFJTTIPXOVTVBMMZ
    ‣ *G944"VEJUPSpMUFST
    ‣ 1BHFTUSVDUVSFT FTQFDJBMMZUIFqPXPGBQQSPQSJBUF+4
    FYFDVUJPOqPX
    DBOCFCSPLFO
    ‣ &YBNQMF9944/JHIUNBSFNPEFBUUBDL944"UUBDLT
    &YQMPJUJOH944'JMUFS !NBTBUPLJOVHBXB

    IUUQTXXXTMJEFTIBSFOFUNBTBUPLJOVHBXBYYOFO
    ‣ ':**OGPSNBUJPOUIFGUBUUBDLTBCVTJOHCSPXTFST944pMUFS

    IUUQTXXXNCTEKQCMPHIUNM


    View Slide

  34. &YBNQMF

    5JNJOH*OGPSNBUJPO

    View Slide

  35. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    5JNJOH"UUBDL 8FC

    "LJOEPGTJEFDIBOOFMBUUBDLT


    ‣ 3FTFBSDI2VFTUJPO

    8IBUBUUBDLFSTDBOEPXJUIUJNJOHJOGPSNBUJPO
    ‣ 'JSTU*EFB 'FMUFOBOE4DIOFJEFS

    ‣ #SPXTFSTDBDIFIBTF⒎FDUTPOUIFMPBEJOHUJNFPGSFTPVSDFT
    ‣ $BDIFTBSFPGUFOBWBJMBCMFGPSSFTPVSDFTBDDFTTFESFDFOUMZ
    ‣ )FODF UIFMPBEJOHUJNFSFqFDUTCSPXTJOHIJTUPSZ
    ‣ 5IFSFBSFUXPWJFXQPJOUT
    ‣ $POOFDUJWJUZEJSFDUPSDSPTTTJUF
    ‣ 5BSHFU5JNJOHTFSWFSTJEFUJNJOHPSDMJFOUTJEFUJNJOH

    View Slide

  36. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    %JSFDU5JNJOH"UUBDL

    #PSU[BOE#POFI $SPTCZFUBM


    ‣ $POEJUJPOT*OGPSNBUJPOUIBUBUUBDLFSTXBOUUPMFBLB⒎FDUTUP
    TJUFXJEFCFIBWJPS
    ‣ "UUBDLT
    ‣ )JEEFOCPPMFBOWBMVFTEBUBTJ[FDBOCFFTUJNBUFEXJUI
    NFBTVSJOHQSPDFTTJOHUJNF #PSU[BOE#POFI

    ‣ 5PUIFCFTUPGNZLOPXMFEHF UIFZBSFUIFpSTUXIPEFTDSJCFEUIF
    DPODFQUPGEJSFDUUJNJOHBUUBDL
    ‣ &WFOSFNPUFUJNJOHBUUBDLT BQQSPQSJBUFTUBUJTUJDBMNFUIPET
    HJWFBUUBDLFSTBDDVSBUFBOBMZTJT $SPTCZFUBM

    ‣ 5IFCPYUFTUUIFZQSFTFOUFEBSFPGUFOVTFEJOPUIFSSFTFBSDI

    View Slide

  37. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    $SPTTTJUF5JNJOH"UUBDL

    #PSU[BOE#POFI


    ‣ "UUBDLT
    ‣ 8JUITFSWFSTJEFUJNJOH
    ‣ *OJUJBMDPODFQUPG944FBSDIJTCBTFEPOTFSWFSTJEFUJNJOH
    ‣ &WBOT NFOUJPOFECFGPSF

    ‣ (FMFSOUFSFUBM NFOUJPOFECFGPSF

    ‣ 8JUIDMJFOUTJEFUJNJOH
    ‣ BMTPLOPXOBTCSPXTFSCBTFEUJNJOHBUUBDLT
    ‣ &YBNQMFT
    ‣ $BDIF'FMUFOBOE4DIOFJEFS 7BO(PFUIFNFUBM
    ‣ $444UPOF ,PUDIFSFUBM 4NJUIFUBM FUD

    View Slide

  38. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    $MJFOUTJEF5JNJOH

    BLB#SPXTFSCBTFE5JNJOH"UUBDL


    ‣ *EFB
    ‣ $BDIFTIBWFF⒎FDUTPOQSPDFTTJOHUJNF
    ‣ "UUBDLT
    ‣ 5IFpSTUDPODFQUPGUJNJOHBUUBDLJOUIF8FCEFSJWFTGSPN
    DBDIFCBTFEBUUBDLT 'FMUFOBOE4DIOFJEFS

    ‣ 'FBUVSFTJOUSPEVDFEPONPEFSOCSPXTFSTDBOCFOFXTJEF
    DIBOOFMTUIBUMFUBEWFSTBSJFTNFBTVSFNPSFBDDVSBUFUJNJOH
    7BO(PFUIFNFUBM

    ‣ FH$BDIF"1* PG4FSWJDF8PSLFS

    ‣ FH"QQMJDBUJPO$BDIF

    View Slide

  39. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    $MJFOUTJEF5JNJOH

    BLB#SPXTFSCBTFE5JNJOH"UUBDL


    ‣ *EFB
    ‣ 3FOEFSJOHIBTBUJHIUSFMBUJPOXJUIBDPOUFOUUPCFSFOEFSFE
    ‣ &WFOEBUBXIJDIDBOOPUCFUPVDIFEGSPN+4DBOCFSFOEFSFE
    ‣ "UUBDLT
    ‣ 1JYFMQFSGFDUUJNJOHBUUBDLT 4UPOF

    IUUQTXXXDPOUFYUJTDPNNFEJBEPXOMPBET1JYFM@1FSGFDU@5JNJOH@"UUBDLT@XJUI@)5.-@8IJUFQBQFSQEG

    ‣ 1JYFMTUFBMJOHUJNJOHBUUBDLT ,PUDIFSFUBM

    IUUQTEMBDNPSHDJUBUJPODGN JE
    ‣ "CVTFPG1BJOU"1* %5SBOTGPSNT BOE47(T 4NJUIFUBM


    IUUQTXXXVTFOJYPSHDPOGFSFODFXPPUQSFTFOUBUJPOTNJUI

    View Slide

  40. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    .PSF4PQIJTUJDBUFE0OFT

    1PTTJCMFBUUBDLTXBUDIJOHZPVSFOWJSPONFOUT
    ‣ 4PGUXBSFCBTFENJDSPBSDIJUFDUVSBMBUUBDLT
    ‣ 4PGUXBSFCBTFENJDSPBSDIJUFDUVSBMTJEFDIBOOFMBUUBDLT
    FYQMPJUUJNJOHBOECFIBWJPSEJ⒎FSFODFTUIBUBSF
    QBSUJBMMZ
    DBVTFEUISPVHINJDSPBSDIJUFDUVSBM
    PQUJNJ[BUJPOT JF EJ⒎FSFODFTUIBUBSFOPUBSDIJUFDUVSBMMZ
    EPDVNFOUFE

    4PGUXBSFCBTFE.JDSPBSDIJUFDUVSBM"UUBDLTIUUQTBSYJWPSHBCT

    ‣ 3FTFBSDI2VFTUJPOT+BWB4DSJQU XIJDIJTFYFDVUFEJOUIF
    TBOECPY JTFOPVHIUPCFVTFEGPSNJDSPBSDIJUFDUVSBM
    BUUBDLT


    View Slide

  41. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    'SPN+44BOECPY

    4PGUXBSFCBTFENJDSPBSDIJUFDUVSBMBUUBDLT
    ‣ 3FTVMUT
    ‣ 5JNFSTBWBJMBCMFJO+BWB4DSJQUJTFOPVHIGPSBUUBDLFSTUP
    QFSGPSNNJDSPBSDIJUFDUVSBMBUUBDLT 4DIXBS[FM

    'BOUBTUJD5JNFSTBOE8IFSFUP'JOE5IFN)JHI3FTPMVUJPO.JDSPBSDIJUFDUVSBM"UUBDLTJO+BWB4DSJQU
    IUUQTHSVTTDDpMFTGBOUBTUJDUJNFSTQEG

    ‣ 5IFZEFNPOTUSBUFEBOFX%3".CBTFEDPWFSUDIBOOFMXJUI+4
    ‣ ,FZTUSPLFUJNJOHBUUBDLTJOTBOECPYFE+4 -JQQFUBM

    1SBDUJDBM,FZTUSPLF5JNJOH"UUBDLTJO4BOECPYFE+BWB4DSJQUIUUQTMJOLTQSJOHFSDPNDIBQUFS
    @

    ‣ +45FNQMBUF"UUBDLT 4DIXBS[FUBM

    +BWB4DSJQU5FNQMBUF"UUBDLT"VUPNBUJDBMMZ*OGFSSJOH)PTU*OGPSNBUJPOGPS5BSHFUFE&YQMPJUTIUUQT
    XXXOETTTZNQPTJVNPSHXQDPOUFOUVQMPBETOETT@#@4DIXBS[@QBQFSQEG
    ‣ /05&4JUF*TPMBUJPOBOEEJTBCMJOH4IBSFE"SSBZ#V⒎FS
    DVSSFOUMZ
    NJUJHBUFUIPTFBUUBDLT


    View Slide

  42. &⒎FDUT.JUJHBUJPO

    View Slide

  43. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    &⒎FDUTPG94-FBLT

    94MFBLTQSPWJEFBQBSUPGJOGPSNBUJPO OPUUIFXIPMF


    ‣ &WFOTFDVSF8FCTJUFTIBWFBQPUFOUJBMUPCFUBSHFUFE
    ‣ &WFOJG)551IFBEFSTBSFTFUTFDVSFMZ
    ‣ FH3FRVFTUBOE$PORVFS&YQPTJOH$SPTT0SJHJO3FTPVSDF4J[F

    IUUQTUPNWHQBQFSTSFRVFTU@BOE@DPORVFS@VTFOJYQEG
    ‣ DG6944
    ‣ *UOFFETBMPUPGF⒎PSUTUPNJUJHBUFDPNQMFUFMZ
    ‣ )BWFZPVFWFSCFFOUIPVHIUBCPVUEBUBMFBLBHFGSPNUJNJOH
    JOGPSNBUJPO
    ‣ /FXQPMJDJFTUPNJUJHBUFUIFNIBWFCFFOEJTDVTTFE CVU

    View Slide

  44. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    .JUJHBUJPO

    8IBUDBOXFEPGPSUIPTFBUUBDLT
    ‣ "MPUPGTFDVSJUZIFBEFSTBUUSJCVUFT
    ‣ 4BNFTJUF$PPLJF
    ‣ 9'SBNF0QUJPOT GSBNFBODFTUPST PG$41

    ‣ $SPTT0SJHJO0QFOFS1PMJDZ $001

    ‣ $SPTT0SJHJO3FTPVSDF1PMJDZ $031

    ‣ $SPTT0SJHJO3FTPVSDF#MPDLJOH $03#

    ‣ 'FUDI.FUBEBUB
    ‣ 4PNFPGUIFNIBWFCFFOTUJMMEJTDVTTFE
    ‣ ,FFQXBUDIJOHXDXFCBQQTFDJO(JU)VC


    View Slide

  45. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    4BNFTJUF$PPLJF

    3FTUSJDUJPOPGDPPLJFTVTBHFBUDSPTTTJUFSFRVFTUJOH
    ‣ 1SPCMFN$SPTTPSJHJOSFRVFTUTXJUIDPPLJFTPGUFODBVTFUIF
    TFDVSJUZJTTVFTTVDIBT$43'
    ‣ 4PMVUJPO4BNFTJUF$PPLJF
    ‣ #Z4BNF4JUFBUUSJCVUFTPGDPPLJF TJUFPXOFSTDBOQSPIJCJUT
    CSPXTFSTGSPNTFOEJOHDSPTTTJUFSFRVFTUTXJUIDPPLJFT
    ‣ 4BNF4JUF-BY0OMZUPQMFWFMOBWJHBUJPOTJTBMMPXFE
    ‣ 4BNF4JUF4USJDU/PDSPTTTJUFSFRVFTUXJUIDPPLJFTJTBMMPXFE
    ‣ 4FF4BNF4JUFDPPLJFTFYQMBJOFE

    IUUQTXFCEFWTBNFTJUFDPPLJFTFYQMBJOFE


    View Slide

  46. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    'SBNJOH3FTUSJDUJPO

    9'SBNF0QUJPOT GSBNFBODFTUPST PG$41

    ‣ (FOFSBM1SPCMFN

    3FBM8PSME&YBNQMFTPGUFOSFMJFTPOXJOEPXMFOHUI

    IUUQTHJUIVCDPNYTMFBLTYTMFBLTXJLJ3FBM8PSME&YBNQMFT
    ‣ $BTFXIFOBQBHFJTGSBNFE CPUIPGUIFQBHF DIJME
    BOE
    JUTQBSFOUIBWFSFGFSFODFTUPAXJOEPXAUPFBDIPUIFS
    ‣ GSPNDIJMEUPQBSFOUXJOEPXQBSFOUPSXJOEPXUPQ
    ‣ GSPNQBSFOUUPDIJME GSBNF@FMNFOU
    DPOUFOU8JOEPX
    ‣ 4PMVUJPOT9'SBNF0QUJPOT GSBNFBODFTUPST PG$41

    ‣ 3FTUSJDUJOHDSPTTTJUFGSBNJOHSFEVDFTBUUBDLTVSGBDFT



    View Slide

  47. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    $SPTT0SJHJO0QFOFS1PMJDZ

    3FTUSJDUJPOPGVTJOHAXJOEPXASFGFSFODFGSPNPQFOFST
    ‣ $BTFXIFOXJOEPXPQFOJTFYFDVUFE UIFPQFOFEXJOEPX
    DBOBDDFTTUPAXJOEPXAPGJUTPQFOFS
    ‣ XJOEPXPQFOFSMPDBUJPOIUUQFWJMDPN
    ‣ 4PMVUJPO$SPTT0SJHJO0QFOFS1PMJDZ $001

    ‣ $SPTT0SJHJO0QFOFS1PMJDZIFBEFSEFpOFTXIFO
    AXJOEPXPQFOFSAJTBWBJMBCMF
    ‣ 4FFBOOFWLDPPQNE BTFNJGPSNBMEFpOJUPOPG$001

    IUUQTHJTUHJUIVCDPNBOOFWLGEEDDGGCEBDGF


    View Slide

  48. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    $SPTT0SJHJO3FTPVSDF1PMJDZ

    3FTUSJDUJPOPGUIFBWBJMBCMFPSJHJOPGSFTPVSDFT
    ‣ 1SPCMFN$SPTTPSJHJOOPDPSTSFRVFTUTDBVTFTFDVSJUZ
    JTTVFTTVDIBTTJEFDIBOOFMBUUBDLT
    ‣ DG4FSWJDF8PSLFSBCVTF 7BO(PFUIFNFUBM

    ‣ 4PMVUJPO$SPTT0SJHJO3FTPVSDF1PMJDZ $031

    ‣ 5IJTIFBEFSQSFWFOUCSPXTFSTGSPNMPBEJOHSFTPVSDFTGFUDIFE
    CZDSPTT TJUFcPSJHJO
    OPDPSTSFRVFTUT
    ‣ /05&GPSNFSMZ UIJTJTDBMMFE'SPN0SJHJO


    Cross-Origin-Resource-Policy: same-site | same-origin

    View Slide

  49. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    'FUDI.FUBEBUB

    *OGPUIBUIFMQTTFSWFSEFUFDUVOVTVBMSFRVFTUTGPSSFTPVSDFT
    ‣ 1SPCMFN
    ‣ 4FSWFSTDBOOPULOPXIPXUIFJSSFTPVSDFTXJMMCFVTFE
    ‣ 4PMVUJPO'FUDI.FUBEBUB
    ‣ *UXPVMECFIFMQGVMJGTFSWFSTDPVMENBLFNPSFJOUFMMJHFOU
    EFDJTJPOTBCPVUXIFUIFSPSOPUUPSFTQPOEUPBHJWFO
    SFRVFTUCBTFEPOUIFXBZUIBUJU`TNBEF IUUQT
    NJLFXFTUHJUIVCJPTFDNFUBEBUB

    ‣ 1SPWJEFEXJUI4FD'FUDIIFBEFST


    View Slide

  50. 5IBOLZPVGPS-JTUFOJOH

    !MNU@TXBMMPX !ZOVDIZ
    IUUQTTIJGUKTJOGP

    View Slide