Upgrade to Pro — share decks privately, control downloads, hide ads and more …

"Gimme a bit!" - Exploring Attacks in the "Post-XSS" World

Takashi Yoneuchi
May 16, 2019
Technology
9
5.3k

"Gimme a bit!" - Exploring Attacks in the "Post-XSS" World

Presented at: https://shibuyaxss.connpass.com/event/128168/

Takashi Yoneuchi

May 16, 2019
Tweet

More Decks by Takashi Yoneuchi

See All by Takashi Yoneuchi
実践 SpiceDB - クライドネイティブ時代をサバイブできるパーミッション管理の実装を目指して / Practical SpiceDB
lmt_swallow
0
390
Developer-First Security という考え方 / Introduction to Developer-First Security
lmt_swallow
6
7.4k
ちいさな Web ブラウザを作ってみよう(オンライン講義版) / Build Your Own Web Browser
lmt_swallow
17
9.8k
Go をセキュアに書き進めるための
「ガードレール」を整備しよう / Let's Build Security Guardrails For Your Go Programs!
lmt_swallow
4
4.7k
すこしだけマクロな視点から捉える Web セキュリティ / Web Security from the Macro Perspective (Short Version)
lmt_swallow
2
2.7k
マクロな視点から捉える Web セキュリティ / Web Security from the Macro Perspective
lmt_swallow
14
5.4k
Web クライアントサイドの攻防 / Attacks and Defenses in Web Browsers
lmt_swallow
2
2.9k
正規表現とセキュリティ / Regular Expressions and Their Security-Related Aspects
lmt_swallow
17
5.6k
2019 年度 CPU 実験 余興: Linux が動く RISC-V CPUを作る
lmt_swallow
3
24k

Other Decks in Technology

See All in Technology
カンファレンススタッフはいいぞ
muno92
PRO
1
140
IBM Cloud PLUS - #3 IBM PowerVS 入門と最新情報
6onoda
0
110
チームで定期的にブログを書けるようにした / Tips for writing regular technical blog posts with your team
nttcom
0
150
オブジェクト指向に基づいた ユニットテストのメリット#PHPerKaigi2023
mako5656
0
130
ChatGPTをプロダクトに入れる開発が"毎日がAfter GPT"だった件/ChatGPT LT Link and Motivation
lmi
1
3.3k
Win Testing Trophy Easily / テスティングトロフィーを獲得する / PHPerKaigi 2023
k1low
2
220
レコメンドコンペ入門
t88
0
410
Concevoir son API pour le futur
tgalopin
1
530
Cloudflare WorkersとKVで キャッシュを非同期に更新する | Cloudflare Meetup Nagoya
aiji42
0
130
ビギナー向け エッジランタイムのすすめ | エッジランタイムを意識した開発をはじめよう
aiji42
1
720
WebGLやCanvasを使ったデータ可視化コンテンツ開発/nikkei-tech-talk5-3
nikkei_engineer_recruiting
0
150
ITエンジニアとして大切にしている3つのこと
korodroid
1
620

Featured

See All Featured
Scaling GitHub
holman
453
140k
Writing Fast Ruby
sferik
613
58k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
239
19k
We Have a Design System, Now What?
morganepeng
37
6k
Statistics for Hackers
jakevdp
785
210k
Keith and Marios Guide to Fast Websites
keithpitt
407
21k
Debugging Ruby Performance
tmm1
67
11k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
270
12k
Building a Scalable Design System with Sketch
lauravandoore
451
31k
Put a Button on it: Removing Barriers to Going Fast.
kastner
56
2.6k
Facilitating Awesome Meetings
lara
34
4.7k
A designer walks into a library…
pauljervisheath
199
16k

Transcript

  1. (JNNFBCJU
    &YQMPSJOH"UUBDLTJOUIF1PTU9448PSME
    5BLBTIJ:POFVDIJ [email protected]

    %FQBSUNFOUPG*OGPSNBUJPO4DJFODF 'BDVMUZPG4DJFODF UIF6OJWFSTJUZPG5PLZP
    IUUQTTIJGUKTJOGP

    View Slide

  2. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    5BLBTIJ:POFVDIJ
    [email protected] !ZOVDIZ
    ‣ %FQBSUNFOUPG*OGPSNBUJPO4DJFODF 'BDVMUZ
    PG4DJFODF UIF6OJWFSTJUZPG5PLZP
    ‣ *ὑ8FC
    ‣ 4&$$0/#FHJOOFSTDUGC
    ‣ 4FDVSJUZ$BNQTFDDBNQ
    ‣ 54(EPEPEPEP
    ‣ 4FFIUUQTTIJGUKTJOGP



    View Slide

  3. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    0VUMJOF


    ‣ 1PTU9448PSME
    ‣ 2VFTUJPO8IBUDPNFTBGUFS944
    ‣ *OUSPEVDUJPOUP94-FBLTBOE944FBSDI
    ‣ 0WFSWJFX
    ‣ &YBNQMFT
    ‣ 'SBNF$PVOU
    ‣ 5JNJOH*OGPSNBUJPO
    ‣ &⒎FDUT.JUJHBUJPO
    ‣ $PODMVTJPO

    View Slide

  4. 1PTU9448PSME

    View Slide

  5. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC

    944
    3PBENBQUP1PTU9448PSME
    .JUJHBUJPO
    944FBSDI
    94-FBL
    4DSJQUMFTT

    "UUBDL
    4DSJQU

    (BEHFUT

    View Slide

  6. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    $SPTT4JUF4DSJQUJOH

    944 BDPNNPOqBXJO8FCBQQMJDBUJPOT


    ‣ .BOZEFWFMPQFSTBOESFTFBSDIFSTIBWFTUSVHHMFEXJUI944
    ‣ .PEFSO8FCGSBNFXPSLTQSPWJEFQSFWFOUJPO
    ‣ "VUPNBUJDFTDBQJOH
    ‣ 'PPMQSPPG FHEBOHFSPVTMZ4FU*OOFS)5.-

    ‣ 8FCCSPXTFSTBMTPIBWFEFGFOTFMJOFT
    ‣ $POUFOU4FDVSJUZ1PMJDZ $41

    ‣ 944"VEJUPS
    = $_GET['q'] ?>

    View Slide

  7. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC

    944
    .JUJHBUJPO
    944FBSDI
    94-FBL
    4DSJQUMFTT

    "UUBDL
    4DSJQU

    (BEHFUT
    3PBENBQUP1PTU9448PSME

    View Slide

  8. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    $POUFOU4FDVSJUZ1PMJDZ

    &YBNQMFTPG$MJFOUTJEF.JUJHBUJPOPG944
    ‣ $POUFOU4FDVSJUZ1PMJDZ $41

    ‣ 4QFDJpDBUJPOIUUQTXXXXPSH53$41JOUSP
    ‣ *USFEVDFTUIFIBSNDBVTFECZDPOUFOUJOKFDUJPOBUUBDLT
    ‣ "QQSPQSJBUFQPMJDJFTSFRVJSFBUUBDLFSTUPNBLFBCVODIPG
    F⒎PSUTUPFYFDVUF+4TVDDFTTGVMMZ


    Content-Security-Policy: script-src 'nonce-4g34...34r'
    alert('Hello, CSP!')

    View Slide

  9. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    944"VEJUPS

    &YBNQMFTPG$MJFOUTJEF.JUJHBUJPOPG944
    ‣ 99441SPUFDUJPOIFBEFS
    EFpOFTUIFBDUJPOXIFO
    3FqFDUFE
    944JTGPVOE
    ‣ 5IFSFBSFUXPNPEFT
    ‣ pMUFS
    ‣ CMPDL
    ‣ 3FTFBSDIFSTIBWFUBDLMFEXJUI
    CZQBTTJOHPG944"VEJUPS


    View Slide

  10. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC

    944
    .JUJHBUJPO
    944FBSDI
    94-FBL
    4DSJQUMFTT

    "UUBDL
    4DSJQU

    (BEHFUT
    3PBENBQUP1PTU9448PSME

    View Slide

  11. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    &WPMVUJPOPG944

    4DSJQU(BEHFUT$PEFSFVTJOHTJNJMBSUP301
    ‣ &OUIVTJBTUTPG944IBWFUSJFEUPCZQBTT$41
    ‣ 0OFPG4PMVUJPOT4DSJQU(BEHFUT -FLJFTFUBM

    ‣ *EFBSFVTFUSVTUFE MFHJUJNBUF
    TPVSDFDPEFTUPFYFDVUF
    BSCJUSBSZTDSJQUT DGSFUVSOPSJFOUFEQSPHSBNNJOH 301






    View Slide

  12. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    4DSJQUMFTT"UUBDLT

    /PUPOMZ+4 CVUBMTP$44IFMQTBUUBDLFST

    ‣ 3FTFBSDI2VFTUJPO

    *G+4FYFDVUJPOJTSFTUSJDUFE XIBUDBOBUUBDLFSTEP
    ‣ 0OFPG"OTXFST4DSJQUMFTT"UUBDLT )FJEFSJDIFUBM

    ‣ #BDLJOIJTUPSZ UIJTDMBTTPGBUUBDLTIBTCFFOJOWFTUJHBUFECZ
    SFTFBSDIFST BOEXBTPGUFOSFEJTDPWFSFE
    ‣ 8FMMLOPXO"UUSJCVUFSFBEJOH 'POUMJHBUVSFUFDIOJRVF GPOU
    SBOHFUFDIOJRVF FUD
    ‣ /FXSFTFBSDIMJOFJNQPSUSFDVSTJPOUFDIOJRVFT 1FQF7JMB

    IUUQTWX[[email protected]@[email protected]


    View Slide

  13. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    94-FBLT944FBSDI

    "UUBDLTBJNJOHUIFQPTU944XPSME
    ‣ 3FTFBSDI2VFTUJPO

    *TUIFSFZFUBOPUIFSBUUBDLJOHUFDIOJRVFXIFOBEWFSTBSJFT
    IBWFOPDPOUFOUJOKFDUJPOWVMOFSBCJMJUJFTJOUBSHFUT
    ‣ "OTXFS:FT
    ‣ *EFBEBUBUPXIJDIDSPTTPSJHJOBDDFTTJTHSBOUFEIFMQTPOF
    FTUJNBUFUIFGFBUVSFT DIBSBDUFSJTUJDT
    PGB)551SFTQPOTF
    ‣ &YBNQMF FYQMBJOFEMBUFS

    ‣ $SPTTTJUF-FBLT 94-FBLT

    ‣ $SPTTTJUF4FBSDI 944FBSDI



    View Slide

  14. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    #"%/0/$&

    54($5' "EEJUJPOBM/PUFT


    session_start();
    $nonce = md5(session_id());
    $_SESSION['count'] = isset($_SESSION['count']) ?
    $_SESSION['count'] + 1 : 0;
    if ($_SESSION['count'] > 3){
    setcookie('flag', null, -1, '/');
    }
    ?>
    content="script-src 'nonce-= $nonce ?>';">
    >/* ... */
    = $_GET['q'] ?>

    UIFOPODFJTpYFE
    :PVIBWFUPMFBLDPPLJFT
    XJUIPOMZUXPSFR

    View Slide

  15. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    /PUFT

    1PTU9448PSME
    ‣ *O .JDIBFM;BMFXTLJ !MDBNUVG
    OPUFEUIBUUIF
    DPMMFDUJPOPGBUUBDLTBMUFSOBUJWFUP944IFQSPWJEFEIBWF
    BMNPTUTBNFDBQBCJMJUJFTBT944

    1PTUDBSETGSPNUIFQPTU944XPSMEIUUQMDBNUVGDPSFEVNQDYQPTUYTT

    ‣ FH3FSPVUJOHPGFYJTUJOHGPSNT
    ‣ FHIJKBDLSFMBUJWF63-TXJUICBTF
    ‣ DG3FMBUJWF1BUI0WFSXSJUF
    ‣ 4FF"STIBE GPSUIFSFBMBOBMZTJT-BSHFTDBMFBOBMZTJTPG
    TUZMFJOKFDUJPOCZSFMBUJWFQBUIPWFSXSJUF

    IUUQTEMBDNPSHDJUBUJPODGN JE


    View Slide

  16. *OUSPEVDUJPOUP

    94-FBLTBOE944FBSDI

    View Slide

  17. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    $SPTTTJUF-FBLT

    BLB94-FBLT
    ‣ $SPTTTJUFMFBLT 94-FBL
    BSFBGBNJMZPGCSPXTFSTJEF
    DIBOOFMUFDIOJRVFT
    ‣ 94-FBLBUUBDLTBJNUPDJSDVNWFOUTFDVSJUZDPOUSPMTJO8FC
    CSPXTFSTCZUXPTUFQT
    ‣ 3FRVFTUJOH
    ‣ FHFNCFEEJOHBDSPTTTJUFDPOUFOU FHJGSBNF

    ‣ 0CTFSWJOHCSPXTFSTJEFDIBOOFMT
    ‣ FHBCVTJOHGFBUVSFTPG8FCCSPXTFST FH944"VEJUPS

    ‣ 0OFPGUIFVTBHFT$SPTTTJUF4FBSDI 944FBSDI



    View Slide

  18. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    $SPTTTJUF4FBSDI

    BLB944FBSDI


    ‣ $SPTTTJUFTFBSDI 944FBSDI
    BUUBDLJTBLJOEPGBUUBDLT
    XIJDIBTLTTPNFRVFTUJPOTWJDUJNGSPNBVTFSTCSPXTFSUP
    B8FCFOEQPJOU
    ‣ FH*TUIFSFBFNBJMXIJDIDPOUBJOTUIFXPSEBQQMFJOUIF
    CPEZ GPSBOFNBJMTFSWJDF
    ‣ FH*OUIFSFBQMBOUPHPTPNFXIFSFUIJTXFFLFOE GPSB
    DBMFOEBSTFSWJDF
    ‣ 5IFBOTXFSPGUIFTFSWFSXJMMCFPCUBJOFECZVTJOH94
    -FBLT FHSFTQPOTFTJ[FFTUJNBUJPO FUD

    View Slide

  19. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    0VUMJOF944FBSDI
    /05&)FSFJTTBNFOPUBUJPOBT(FMFSOUFS VTFE


    %VNNZ3FRVFTU
    3FTQPOTF
    $IBMMFOHF3FRVFTU
    3FTQPOTF
    7JDUJN
    4FSWJDF
    7JDUJN
    6TFS
    "UUBDLFS
    *OJUJBUF
    $PMMFDU

    3FTVMUT

    View Slide

  20. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    0VUMJOF944FBSDI
    /05&)FSFJTTBNFOPUBUJPOBT(FMFSOUFS VTFE


    %VNNZ3FRVFTU
    3FTQPOTF
    $IBMMFOHF3FRVFTU
    3FTQPOTF
    7JDUJN
    4FSWJDF
    7JDUJN
    6TFS
    "UUBDLFS
    *OJUJBUF
    $PMMFDU

    3FTVMUT
    "OBUUBDLFSMVSFTBVTFSUPB
    QBHFUIBUJOJUJBUFTSFRVFTUT
    UPBTFSWJDF

    View Slide

  21. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    0VUMJOF944FBSDI
    /05&)FSFJTTBNFOPUBUJPOBT(FMFSOUFS VTFE


    %VNNZ3FRVFTU
    3FTQPOTF
    $IBMMFOHF3FRVFTU
    3FTQPOTF
    7JDUJN
    4FSWJDF
    7JDUJN
    6TFS
    "UUBDLFS
    *OJUJBUF
    $PMMFDU

    3FTVMUT
    /FYU "OBEWFSTBSZJOJUJBUFT
    EVNNZSFRVFTUTXIPTF
    SFTQPOTFTBSFLOPXOJOBEWBODF
    &YBNQMFBSFRVFTUXJUIBTFBSDI
    RVFSZXIPTFSFTVMUDBOOPUFYJTU

    View Slide

  22. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    0VUMJOF944FBSDI
    /05&)FSFJTTBNFOPUBUJPOBT(FMFSOUFS VTFE


    %VNNZ3FRVFTU
    3FTQPOTF
    $IBMMFOHF3FRVFTU
    3FTQPOTF
    7JDUJN
    4FSWJDF
    7JDUJN
    6TFS
    "UUBDLFS
    *OJUJBUF
    $PMMFDU

    3FTVMUT
    "GUFSSFRVFTUJOHEVNNJFT
    BOBEWFSTBSZTUBSUTUP
    JOJUJBUFSFRVFTUTXJUI
    BDUVBMTFBSDIRVFSJFT
    %J⒎CFUXFFOEBUB
    FYQPTFECZ94-FBLGPS
    EVNNJFTBOEPOFGPS
    DIBMMFOHFTDPSSFTQPOETUIF
    EJ⒎CFUXFFOSFTQPOTFT

    View Slide

  23. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    0VUMJOF944FBSDI
    /05&)FSFJTTBNFOPUBUJPOBT(FMFSOUFS VTFE


    %VNNZ3FRVFTU
    3FTQPOTF
    $IBMMFOHF3FRVFTU
    3FTQPOTF
    7JDUJN
    4FSWJDF
    7JDUJN
    6TFS
    "UUBDLFS
    *OJUJBUF
    $PMMFDU

    3FTVMUT
    "OBEWFSTBSZSFQFBUTUIF
    QSPDFTTBOE

    View Slide

  24. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    0VUMJOF944FBSDI
    /05&)FSFJTTBNFOPUBUJPOBT(FMFSOUFS VTFE


    %VNNZ3FRVFTU
    3FTQPOTF
    $IBMMFOHF3FRVFTU
    3FTQPOTF
    7JDUJN
    4FSWJDF
    7JDUJN
    6TFS
    "UUBDLFS
    *OJUJBUF
    $PMMFDU

    3FTVMUT
    "OBEWFSTBSZTFOETUIF
    DPMMFDUFESFTVMUTGSPN
    WJDUJNTCSPXTFSTUPJUT
    PXOTFSWFS

    View Slide

  25. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    6NN JTJUSFBMJTUJD 

    8IBU94-FBLT944FBSDIHJWFTVT


    ‣ 6OMJLF944 94-FBLT944FBSDI
    ‣ EPFTOPUQSPWJEFBDUVBMDPOUFOUTPGEBUB
    ‣ EVFUP4BNF0SJHJO1PMJDZ
    ‣ EPQSPWJEFGFBUVSFT DIBSBDUFSJTUJDT
    PGEBUB
    ‣ FH8IFUIFSUIFEBUBDPOUBJOTBTQFDJpDWBMVFPSOPU
    ‣ 3FTQPOTFTXJUITFBSDISFTVMUTIBWFMPOHFSMFOHUIUIBOPOFXJUI
    OPSFTVMUT
    ‣ FH8IFUIFSUIFEBUBIBTDPNQMFYJUZPSOPU
    ‣ $PNQMFYJUZPGUFOSFTVMUTJOMPOHFSQSPDFTTJOHUJNF

    View Slide

  26. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    )JTUPSZ94-FBLT


    /PXBEBZT BCVODIPG1P$TBSFCFDPNJOHBWBJMBCMFJOPOMJOF
    )551$BDIF$SPTT4JUF-FBLT

    IUUQTJSEBSDLDBUCMPHTQPUDPNIUUQDBDIFDSPTTTJUFMFBLTIUNM
    $SPTT4JUF$POUFOUBOE4UBUVT5ZQFT-FBLBHF

    IUUQTNFEJVNDPNCVHCPVOUZXSJUFVQDSPTTTJUFDPOUFOUBOETUBUVTUZQFTMFBLBHFFGEBCB
    &WBOTQSFTFOUFEUIFQSJNJUJWFGPSNPG944FBSDIXJUI
    JNHMPBEUJNJOH &WBOT

    $SPTTEPNBJOTFBSDIUJNJOH

    IUUQTTDBSZCFBTUTFDVSJUZCMPHTQPUDPNDSPTTEPNBJOTFBSDIUJNJOHIUNM
    (FMFSOUFSFUBMHBWFUIFTPQIJTUJDBUFEBUUBDLTGPSTJUFTXJUI
    TFBSDIFOHJOFTOBNFE944FBSDI (FMFSOUFSFUBM

    View Slide

  27. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    /PUFT
    94-FBLT944FBSDI
    ‣ 94-FBLTIBWFBUUSBDUFEBUUFOUJPO CVUOPUFOPVHI
    ‣ #PUIBDDVSBDZBOEF⒎FDUJWFOFTTIBWFCFFOJNQSPWFE
    ‣ 3FGFSFODFT
    ‣ /PUFYTMFBLTYTMFBLTIBTBDPNQSFIFOTJWFTVSWFZQBHF

    IUUQTHJUIVCDPNYTMFBLTYTMFBLTXJLJ-JOLT
    ‣ ':*/FX94-FBLUFDIOJRVFTSFWFBMGSFTIXBZTUPFYQPTFVTFS
    JOGPSNBUJPOCZ1PSU4XJHHFS

    IUUQTQPSUTXJHHFSOFUEBJMZTXJHOFXYTMFBLUFDIOJRVFTSFWFBMGSFTIXBZTUPFYQPTFVTFSJOGPSNBUJPO

    ‣ ':*94-FBLTBOE944FBSDICZ(PPHMF

    IUUQTTJUFTHPPHMFDPNTJUFCVHIVOUFSVOJWFSTJUZOPOWVMOYTMFBLT


    View Slide

  28. &YBNQMF

    'SBNF$PVOU

    View Slide

  29. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    XJOEPXMFOHUI

    "VTFGVMQSPQFSUZGPSDSPTTPSJHJOBUUBDLFST
    ‣ XJOEPXMFOHUI
    XJOEPXGSBNFTMFOHUI
    SFUVSOTUIF
    OVNCFSPGGSBNFTJOUIFXJOEPX

    2VPUFEIUUQTEFWFMPQFSNP[JMMBPSHFO64EPDT8FC"1*
    8JOEPXMFOHUI
    ‣ $SPTTPSJHJOBDDFTTUP
    XJOEPXMFOHUIJTBMMPXFEVOEFS
    TBNFPSJHJOQPMJDZ 401

    4FFIUUQTEFWFMPQFSNP[JMMBPSHFO64EPDT8FC4FDVSJUZ4BNF
    [email protected]

    ‣ $BOUIJTQSPQFSUZCFVUJMJ[FEGPS
    TPNFLJOETPGBUUBDLT



    View Slide

  30. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    944"VEJUPS

    "HPPEGSJFOEGPS944NBOJB

    ‣ 944"VEJUPS
    ‣ 99441SPUFDUJPOIFBEFS
    EFpOFTUIFBDUJPOXIFO
    3FqFDUFE
    944JTGPVOE
    ‣ 5IFSFBSFUXPNPEFT

    pMUFSCMPDL
    ‣ 3FTFBSDIFSTIBWFUBDLMFEXJUI
    CZQBTTJOHPG944"VEJUPS



    View Slide

  31. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    944"VEJUPSXJOEPXMFOHUI
    ‣ 8IFOUIFSFJTTQFDJpDDPOUFOUUIBUDBOXBLF944"VEJUPSJO
    BQBHFBOEUIFQBHFIBT BUMFBTUPOF
    JGSBNF
    ‣ 8IFO944"VEJUPSCMPDLT XJOEPXMFOHUI
    ‣ 8IFOOPU XJOEPXMFOHUI
    ‣ 8FDBOHFUBCJUXIFUIFSUIFTQFDJpDDPOUFOUJT
    JODMVEFEPSOPUCZUIFQBHFBTMPOHBTUIFDPOUFOUDBO
    XBLF944"VEJUPS:BZ



    let secret_flag = true;

    View Slide

  32. %&.054($5'

    3&$0/
    /05&.PSFTJNQMZ XFDBOEFUFDUUIFXBLFPG944"VEJUPSCZPCTFSWJOHIPX
    NBOZUJNFTJGSBNFTPOMPBEFWFOUPDDVST

    &YBNQMFD$5'pMFNBOBHFS

    IUUQTHJTUHJUIVCDPNMXJPBFBBFBBDEBDEDBE

    View Slide

  33. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    4JEF&⒎FDUTPG#MPDLJOH

    8IBU944"VEJUPSDBVTFT
    ‣ *G944"VEJUPSCMPDLT
    ‣ TPNFQSPQFSUJFTNBZTFFNTUPCFEJ⒎FSFOUGSPNUIFWBMVFT
    XIFOUIFQBHFJTTIPXOVTVBMMZ
    ‣ *G944"VEJUPSpMUFST
    ‣ 1BHFTUSVDUVSFT FTQFDJBMMZUIFqPXPGBQQSPQSJBUF+4
    FYFDVUJPOqPX
    DBOCFCSPLFO
    ‣ &YBNQMF9944/JHIUNBSFNPEFBUUBDL944"UUBDLT
    &YQMPJUJOH944'JMUFS !NBTBUPLJOVHBXB

    IUUQTXXXTMJEFTIBSFOFUNBTBUPLJOVHBXBYYOFO
    ‣ ':**OGPSNBUJPOUIFGUBUUBDLTBCVTJOHCSPXTFST944pMUFS

    IUUQTXXXNCTEKQCMPHIUNM


    View Slide

  34. &YBNQMF

    5JNJOH*OGPSNBUJPO

    View Slide

  35. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    5JNJOH"UUBDL 8FC

    "LJOEPGTJEFDIBOOFMBUUBDLT


    ‣ 3FTFBSDI2VFTUJPO

    8IBUBUUBDLFSTDBOEPXJUIUJNJOHJOGPSNBUJPO
    ‣ 'JSTU*EFB 'FMUFOBOE4DIOFJEFS

    ‣ #SPXTFSTDBDIFIBTF⒎FDUTPOUIFMPBEJOHUJNFPGSFTPVSDFT
    ‣ $BDIFTBSFPGUFOBWBJMBCMFGPSSFTPVSDFTBDDFTTFESFDFOUMZ
    ‣ )FODF UIFMPBEJOHUJNFSFqFDUTCSPXTJOHIJTUPSZ
    ‣ 5IFSFBSFUXPWJFXQPJOUT
    ‣ $POOFDUJWJUZEJSFDUPSDSPTTTJUF
    ‣ 5BSHFU5JNJOHTFSWFSTJEFUJNJOHPSDMJFOUTJEFUJNJOH

    View Slide

  36. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    %JSFDU5JNJOH"UUBDL

    #PSU[BOE#POFI $SPTCZFUBM


    ‣ $POEJUJPOT*OGPSNBUJPOUIBUBUUBDLFSTXBOUUPMFBLB⒎FDUTUP
    TJUFXJEFCFIBWJPS
    ‣ "UUBDLT
    ‣ )JEEFOCPPMFBOWBMVFTEBUBTJ[FDBOCFFTUJNBUFEXJUI
    NFBTVSJOHQSPDFTTJOHUJNF #PSU[BOE#POFI

    ‣ 5PUIFCFTUPGNZLOPXMFEHF UIFZBSFUIFpSTUXIPEFTDSJCFEUIF
    DPODFQUPGEJSFDUUJNJOHBUUBDL
    ‣ &WFOSFNPUFUJNJOHBUUBDLT BQQSPQSJBUFTUBUJTUJDBMNFUIPET
    HJWFBUUBDLFSTBDDVSBUFBOBMZTJT $SPTCZFUBM

    ‣ 5IFCPYUFTUUIFZQSFTFOUFEBSFPGUFOVTFEJOPUIFSSFTFBSDI

    View Slide

  37. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    $SPTTTJUF5JNJOH"UUBDL

    #PSU[BOE#POFI


    ‣ "UUBDLT
    ‣ 8JUITFSWFSTJEFUJNJOH
    ‣ *OJUJBMDPODFQUPG944FBSDIJTCBTFEPOTFSWFSTJEFUJNJOH
    ‣ &WBOT NFOUJPOFECFGPSF

    ‣ (FMFSOUFSFUBM NFOUJPOFECFGPSF

    ‣ 8JUIDMJFOUTJEFUJNJOH
    ‣ BMTPLOPXOBTCSPXTFSCBTFEUJNJOHBUUBDLT
    ‣ &YBNQMFT
    ‣ $BDIF'FMUFOBOE4DIOFJEFS 7BO(PFUIFNFUBM
    ‣ $444UPOF ,PUDIFSFUBM 4NJUIFUBM FUD

    View Slide

  38. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    $MJFOUTJEF5JNJOH

    BLB#SPXTFSCBTFE5JNJOH"UUBDL


    ‣ *EFB
    ‣ $BDIFTIBWFF⒎FDUTPOQSPDFTTJOHUJNF
    ‣ "UUBDLT
    ‣ 5IFpSTUDPODFQUPGUJNJOHBUUBDLJOUIF8FCEFSJWFTGSPN
    DBDIFCBTFEBUUBDLT 'FMUFOBOE4DIOFJEFS

    ‣ 'FBUVSFTJOUSPEVDFEPONPEFSOCSPXTFSTDBOCFOFXTJEF
    DIBOOFMTUIBUMFUBEWFSTBSJFTNFBTVSFNPSFBDDVSBUFUJNJOH
    7BO(PFUIFNFUBM

    ‣ FH$BDIF"1* PG4FSWJDF8PSLFS

    ‣ FH"QQMJDBUJPO$BDIF

    View Slide

  39. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    $MJFOUTJEF5JNJOH

    BLB#SPXTFSCBTFE5JNJOH"UUBDL


    ‣ *EFB
    ‣ 3FOEFSJOHIBTBUJHIUSFMBUJPOXJUIBDPOUFOUUPCFSFOEFSFE
    ‣ &WFOEBUBXIJDIDBOOPUCFUPVDIFEGSPN+4DBOCFSFOEFSFE
    ‣ "UUBDLT
    ‣ 1JYFMQFSGFDUUJNJOHBUUBDLT 4UPOF

    [email protected]@[email protected]"[email protected]@)[email protected]

    ‣ 1JYFMTUFBMJOHUJNJOHBUUBDLT ,PUDIFSFUBM

    IUUQTEMBDNPSHDJUBUJPODGN JE
    ‣ "CVTFPG1BJOU"1* %5SBOTGPSNT BOE47(T 4NJUIFUBM


    IUUQTXXXVTFOJYPSHDPOGFSFODFXPPUQSFTFOUBUJPOTNJUI

    View Slide

  40. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    .PSF4PQIJTUJDBUFE0OFT

    1PTTJCMFBUUBDLTXBUDIJOHZPVSFOWJSPONFOUT
    ‣ 4PGUXBSFCBTFENJDSPBSDIJUFDUVSBMBUUBDLT
    ‣ 4PGUXBSFCBTFENJDSPBSDIJUFDUVSBMTJEFDIBOOFMBUUBDLT
    FYQMPJUUJNJOHBOECFIBWJPSEJ⒎FSFODFTUIBUBSF
    QBSUJBMMZ
    DBVTFEUISPVHINJDSPBSDIJUFDUVSBM
    PQUJNJ[BUJPOT JF EJ⒎FSFODFTUIBUBSFOPUBSDIJUFDUVSBMMZ
    EPDVNFOUFE

    4PGUXBSFCBTFE.JDSPBSDIJUFDUVSBM"UUBDLTIUUQTBSYJWPSHBCT

    ‣ 3FTFBSDI2VFTUJPOT+BWB4DSJQU XIJDIJTFYFDVUFEJOUIF
    TBOECPY JTFOPVHIUPCFVTFEGPSNJDSPBSDIJUFDUVSBM
    BUUBDLT


    View Slide

  41. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    'SPN+44BOECPY

    4PGUXBSFCBTFENJDSPBSDIJUFDUVSBMBUUBDLT
    ‣ 3FTVMUT
    ‣ 5JNFSTBWBJMBCMFJO+BWB4DSJQUJTFOPVHIGPSBUUBDLFSTUP
    QFSGPSNNJDSPBSDIJUFDUVSBMBUUBDLT 4DIXBS[FM

    'BOUBTUJD5JNFSTBOE8IFSFUP'JOE5IFN)JHI3FTPMVUJPO.JDSPBSDIJUFDUVSBM"UUBDLTJO+BWB4DSJQU
    IUUQTHSVTTDDpMFTGBOUBTUJDUJNFSTQEG

    ‣ 5IFZEFNPOTUSBUFEBOFX%3".CBTFEDPWFSUDIBOOFMXJUI+4
    ‣ ,FZTUSPLFUJNJOHBUUBDLTJOTBOECPYFE+4 -JQQFUBM

    1SBDUJDBM,FZTUSPLF5JNJOH"UUBDLTJO4BOECPYFE+BWB4DSJQUIUUQTMJOLTQSJOHFSDPNDIBQUFS
    @

    ‣ +45FNQMBUF"UUBDLT 4DIXBS[FUBM

    +BWB4DSJQU5FNQMBUF"UUBDLT"VUPNBUJDBMMZ*OGFSSJOH)PTU*OGPSNBUJPOGPS5BSHFUFE&YQMPJUTIUUQT
    [email protected]#@4DIXBS[@QBQFSQEG
    ‣ /05&4JUF*TPMBUJPOBOEEJTBCMJOH4IBSFE"SSBZ#V⒎FS
    DVSSFOUMZ
    NJUJHBUFUIPTFBUUBDLT


    View Slide

  42. &⒎FDUT.JUJHBUJPO

    View Slide

  43. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    &⒎FDUTPG94-FBLT

    94MFBLTQSPWJEFBQBSUPGJOGPSNBUJPO OPUUIFXIPMF


    ‣ &WFOTFDVSF8FCTJUFTIBWFBQPUFOUJBMUPCFUBSHFUFE
    ‣ &WFOJG)551IFBEFSTBSFTFUTFDVSFMZ
    ‣ FH3FRVFTUBOE$PORVFS&YQPTJOH$SPTT0SJHJO3FTPVSDF4J[F

    [email protected]@[email protected]
    ‣ DG6944
    ‣ *UOFFETBMPUPGF⒎PSUTUPNJUJHBUFDPNQMFUFMZ
    ‣ )BWFZPVFWFSCFFOUIPVHIUBCPVUEBUBMFBLBHFGSPNUJNJOH
    JOGPSNBUJPO
    ‣ /FXQPMJDJFTUPNJUJHBUFUIFNIBWFCFFOEJTDVTTFE CVU

    View Slide

  44. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    .JUJHBUJPO

    8IBUDBOXFEPGPSUIPTFBUUBDLT
    ‣ "MPUPGTFDVSJUZIFBEFSTBUUSJCVUFT
    ‣ 4BNFTJUF$PPLJF
    ‣ 9'SBNF0QUJPOT GSBNFBODFTUPST PG$41

    ‣ $SPTT0SJHJO0QFOFS1PMJDZ $001

    ‣ $SPTT0SJHJO3FTPVSDF1PMJDZ $031

    ‣ $SPTT0SJHJO3FTPVSDF#MPDLJOH $03#

    ‣ 'FUDI.FUBEBUB
    ‣ 4PNFPGUIFNIBWFCFFOTUJMMEJTDVTTFE
    ‣ ,FFQXBUDIJOHXDXFCBQQTFDJO(JU)VC


    View Slide

  45. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    4BNFTJUF$PPLJF

    3FTUSJDUJPOPGDPPLJFTVTBHFBUDSPTTTJUFSFRVFTUJOH
    ‣ 1SPCMFN$SPTTPSJHJOSFRVFTUTXJUIDPPLJFTPGUFODBVTFUIF
    TFDVSJUZJTTVFTTVDIBT$43'
    ‣ 4PMVUJPO4BNFTJUF$PPLJF
    ‣ #Z4BNF4JUFBUUSJCVUFTPGDPPLJF TJUFPXOFSTDBOQSPIJCJUT
    CSPXTFSTGSPNTFOEJOHDSPTTTJUFSFRVFTUTXJUIDPPLJFT
    ‣ 4BNF4JUF-BY0OMZUPQMFWFMOBWJHBUJPOTJTBMMPXFE
    ‣ 4BNF4JUF4USJDU/PDSPTTTJUFSFRVFTUXJUIDPPLJFTJTBMMPXFE
    ‣ 4FF4BNF4JUFDPPLJFTFYQMBJOFE

    IUUQTXFCEFWTBNFTJUFDPPLJFTFYQMBJOFE


    View Slide

  46. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    'SBNJOH3FTUSJDUJPO

    9'SBNF0QUJPOT GSBNFBODFTUPST PG$41

    ‣ (FOFSBM1SPCMFN

    3FBM8PSME&YBNQMFTPGUFOSFMJFTPOXJOEPXMFOHUI

    IUUQTHJUIVCDPNYTMFBLTYTMFBLTXJLJ3FBM8PSME&YBNQMFT
    ‣ $BTFXIFOBQBHFJTGSBNFE CPUIPGUIFQBHF DIJME
    BOE
    JUTQBSFOUIBWFSFGFSFODFTUPAXJOEPXAUPFBDIPUIFS
    ‣ GSPNDIJMEUPQBSFOUXJOEPXQBSFOUPSXJOEPXUPQ
    ‣ GSPNQBSFOUUPDIJME [email protected]
    DPOUFOU8JOEPX
    ‣ 4PMVUJPOT9'SBNF0QUJPOT GSBNFBODFTUPST PG$41

    ‣ 3FTUSJDUJOHDSPTTTJUFGSBNJOHSFEVDFTBUUBDLTVSGBDFT



    View Slide

  47. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    $SPTT0SJHJO0QFOFS1PMJDZ

    3FTUSJDUJPOPGVTJOHAXJOEPXASFGFSFODFGSPNPQFOFST
    ‣ $BTFXIFOXJOEPXPQFOJTFYFDVUFE UIFPQFOFEXJOEPX
    DBOBDDFTTUPAXJOEPXAPGJUTPQFOFS
    ‣ XJOEPXPQFOFSMPDBUJPOIUUQFWJMDPN
    ‣ 4PMVUJPO$SPTT0SJHJO0QFOFS1PMJDZ $001

    ‣ $SPTT0SJHJO0QFOFS1PMJDZIFBEFSEFpOFTXIFO
    AXJOEPXPQFOFSAJTBWBJMBCMF
    ‣ 4FFBOOFWLDPPQNE BTFNJGPSNBMEFpOJUPOPG$001

    IUUQTHJTUHJUIVCDPNBOOFWLGEEDDGGCEBDGF


    View Slide

  48. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    $SPTT0SJHJO3FTPVSDF1PMJDZ

    3FTUSJDUJPOPGUIFBWBJMBCMFPSJHJOPGSFTPVSDFT
    ‣ 1SPCMFN$SPTTPSJHJOOPDPSTSFRVFTUTDBVTFTFDVSJUZ
    JTTVFTTVDIBTTJEFDIBOOFMBUUBDLT
    ‣ DG4FSWJDF8PSLFSBCVTF 7BO(PFUIFNFUBM

    ‣ 4PMVUJPO$SPTT0SJHJO3FTPVSDF1PMJDZ $031

    ‣ 5IJTIFBEFSQSFWFOUCSPXTFSTGSPNMPBEJOHSFTPVSDFTGFUDIFE
    CZDSPTT TJUFcPSJHJO
    OPDPSTSFRVFTUT
    ‣ /05&GPSNFSMZ UIJTJTDBMMFE'SPN0SJHJO


    Cross-Origin-Resource-Policy: same-site | same-origin

    View Slide

  49. ˜TIJGUKTJOGP
    (JNNFCJU BUMFBTU&YQMPSJOH5FDIOJRVFTPOCJU-FBLBHFJOUIF8FC
    'FUDI.FUBEBUB

    *OGPUIBUIFMQTTFSWFSEFUFDUVOVTVBMSFRVFTUTGPSSFTPVSDFT
    ‣ 1SPCMFN
    ‣ 4FSWFSTDBOOPULOPXIPXUIFJSSFTPVSDFTXJMMCFVTFE
    ‣ 4PMVUJPO'FUDI.FUBEBUB
    ‣ *UXPVMECFIFMQGVMJGTFSWFSTDPVMENBLFNPSFJOUFMMJHFOU
    EFDJTJPOTBCPVUXIFUIFSPSOPUUPSFTQPOEUPBHJWFO
    SFRVFTUCBTFEPOUIFXBZUIBUJU`TNBEF IUUQT
    NJLFXFTUHJUIVCJPTFDNFUBEBUB

    ‣ 1SPWJEFEXJUI4FD'FUDIIFBEFST


    View Slide

  50. 5IBOLZPVGPS-JTUFOJOH

    [email protected] !ZOVDIZ
    IUUQTTIJGUKTJOGP

    View Slide