The article "When Security Generates Insecurity" describes how Content-Security-Policy can be abused to attack websites.
First, I want to know whether the user is logged into Facebook or Google:
Interest piqued by the report-uri feature, I looked into abusing it to glean information about user state. My idea was this: when a user is not logged into Google Calendar, accessing calendar.google.com redirects them to accounts.google.com via a Location header. If I whitelisted calendar.google.com but not accounts.google.com, accessing that resource within my web page would break CSP, subsequently sending me a message telling me whether they were logged into Google.
In other words, CSP's report-uri combined with the behaviour of redirects makes it possible to tell whether a user is logged in. Taking Facebook and Google as examples:
The implementation was like this: I had a single image on the page, <img src="http://calendar.google.com"/>, and I sent the Content-Security-Policy header Content-Security-Policy: image-src calendar.google.com. The test was a success; I was able to detect login on Google. The same extended to Facebook; apps.facebook.com would redirect to www.facebook.com only if the user was logged in.
Also, since in practice paths can be detected as well, one can "guess" whether the user is a specific person; the article's hypothetical example is US President Barack Obama:
By using CSP to whitelist facebook.com/me and facebook.com/barackobama and embedding http://facebook.com/me as an image, I can conditionally create a CSP report only if the current user on Facebook is not Barack Obama.
A very interesting security issue...
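To make the mechanism concrete, here is an added Python model (mine, not code from the article or from this post) of how a browser decides whether a CSP violation report fires along a redirect chain. It assumes the two scenarios above as constructed redirect chains, and models the CSP Level 2 rule that the path part of a source expression is ignored once a request has been redirected, which is the change that removes the report difference in the path-based (facebook.com/me) variant while the origin-based (calendar.google.com) variant still differs.

```python
from urllib.parse import urlsplit

# Host-source matching for an img-src directive, modelled on CSP Level 2:
# host (and scheme, if given) must match; the path part of a source
# expression is compared only for the original request, never after a
# redirect, so a whitelisted path cannot be used to probe redirect targets.
def source_matches(source, url, redirected):
    s = urlsplit(source if "://" in source else "//" + source)
    u = urlsplit(url)
    if s.hostname != u.hostname:
        return False
    if s.scheme and s.scheme != u.scheme:
        return False
    if not s.path or s.path == "/" or redirected:
        return True
    return u.path == s.path or u.path.startswith(s.path.rstrip("/") + "/")

# Walk a redirect chain (a constructed list of URLs, first request first).
# Returns True if any hop falls outside the policy, i.e. a report is sent.
# ignore_path_after_redirect=False models the pre-CSP2 behaviour the
# article relied on, where paths were still checked on the redirected URL.
def reports_violation(sources, chain, ignore_path_after_redirect=True):
    for i, url in enumerate(chain):
        redirected = i > 0 and ignore_path_after_redirect
        if not any(source_matches(src, url, redirected) for src in sources):
            return True
    return False

# The information leak exists exactly when the two user states produce
# different report outcomes for the same policy and embedded resource.
def leaks_state(sources, chain_a, chain_b, ignore_path_after_redirect=True):
    return (reports_violation(sources, chain_a, ignore_path_after_redirect)
            != reports_violation(sources, chain_b, ignore_path_after_redirect))

# Constructed scenarios following the article (hostnames from the text,
# redirect targets and paths are illustrative assumptions).
GOOGLE_POLICY = ["calendar.google.com"]
GOOGLE_LOGGED_IN = ["http://calendar.google.com/"]
GOOGLE_LOGGED_OUT = ["http://calendar.google.com/",
                     "https://accounts.google.com/ServiceLogin"]

FB_POLICY = ["facebook.com/me", "facebook.com/barackobama"]
FB_IS_OBAMA = ["http://facebook.com/me", "http://facebook.com/barackobama"]
FB_IS_OTHER = ["http://facebook.com/me", "http://facebook.com/someone.else"]

if __name__ == "__main__":
    print("google leaks:", leaks_state(GOOGLE_POLICY, GOOGLE_LOGGED_IN, GOOGLE_LOGGED_OUT))
    print("facebook/me leaks (pre-CSP2):", leaks_state(FB_POLICY, FB_IS_OBAMA, FB_IS_OTHER, False))
    print("facebook/me leaks (CSP2):", leaks_state(FB_POLICY, FB_IS_OBAMA, FB_IS_OTHER))
```

Run stand-alone it prints the three outcomes; the origin-level difference still yields a report in the logged-out case, while the path-level probe stops distinguishing users once paths are ignored after redirects.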