CSP data exfiltration

Step 2

Now you are on a tokenized page (so the victim is identifiable by the attacker).
This page carries the following Content-Security-Policy header:
header("Content-Security-Policy:" . "default-src 'self' https://github.com;" . "report-uri /mdn/csp/exfiltrate-data-poc/csp-receiver.php");
This means that the browser will allow the current page to load any resource from https://github.com or from the attacker's origin ('self'), but the browser will refuse to load anything else (like https://help.github.com).

So, the attacker embeds an image below with the URL https://github.com/login?return_to=%2Fhelp.
If the user is logged into GitHub, this page issues a redirection to another origin (https://help.github.com), which is not allowed by the attacker's CSP. The browser therefore refuses to follow the redirection and sends a report to the URL given in the report-uri directive. The body of the request to this URL contains the attacker's page URL (document-uri), including the victim's unique token, so when the attacker receives such a report, it means this user is logged into GitHub.
If the user is not logged into GitHub, the https://github.com page is loaded and the browser tries to render it in the image tag (and fails, but we don't care). Since no CSP violation occurred, the browser sends no report, so the attacker knows the user is not logged into GitHub.

The (GitHub) image

The GitHub image is loaded below. Check your browser console to see the CSP violation report requests.

github picture (broken on purpose: we don't care)

Attacker's received report

For this POC, the reports received by the attacker are accessible here.


Browser-dependent information

Another interesting thing is that browsers send different URIs in the report:
Firefox sends the original image's URI, "blocked-uri": "https:\/\/github.com\/login?return_to=%2Fhelp", meaning you cannot leak much data from GitHub's redirection itself.
Chrome, however, sends the redirected URI, "blocked-uri": "https:\/\/help.github.com", meaning that if the targeted website (here, GitHub) puts sensitive information in the redirection URL (say, the user's account name or email), then you could read that information too.
