Senior Security Engineer
a.k.a., I'm a hacker
Slack is used by millions of people every day – we need engineers who want to make that experience as secure and enjoyable as possible.
frowning.wtf URLs are fake.
I want to take over accounts on your website.
Let's find out.
Cross-site scripting
Cross-Site Request Forgery More at: owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
By default, cookies are included in requests sent cross domain (a SameSite attribute, where set and honoured by the browser, is what restricts this).
www.frowning.wtf - contains your frontend + any monolith code
www.frowning.wtf/admin - administrator site
That cookie is probably scoped to
For those of you who don't do frontend work:
XHR is an API called XMLHttpRequest.
It lets JavaScript running in a web browser transfer data to and from a server without reloading the page.
That token is also stored on the server, tied to the user's session.
When the form is submitted, the token is sent with the form data and validated on the server against the stored copy.
The API cookie can have the Secure and HttpOnly flags set.
Secure means the cookie will only be sent over HTTPS.
HttpOnly means JS can't touch it.
Yes, the names are confusing, so remember: for HttpOnly, the cookie is only sent with HTTP(S) requests the browser makes; document.cookie can't read it.
multipart/form-data, can go cross origin (a plain HTML form sends it, no preflight)
text/plain, can go cross origin
application/x-www-form-urlencoded, can go cross origin
application/json, can't go cross origin without CORS (the browser sends a preflight first)
application/xml, can't go cross origin without CORS
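The content-type rule above is one instance of the CORS "simple request" test. The following added example (not from the talk) implements that test in JavaScript for methods, headers and content types together, following the Fetch standard's safelists in simplified form (it ignores the value-length and byte-range limits on safelisted header values); the sample requests are constructed for the demo.

```javascript
// Added example: classify a browser request as a CORS "simple request"
// (sent immediately, with cookies, no preflight) or preflight-requiring.
// Simplified from the Fetch standard's CORS-safelisted definitions.

const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFELISTED_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFELISTED_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// Media type is the part before the first ';' (parameters such as charset or
// boundary do not affect safelisting), compared case-insensitively.
function mediaType(contentType) {
  return contentType.split(";")[0].trim().toLowerCase();
}

// Returns { simple: true } or { simple: false, reason }.
function classifyCorsRequest({ method, headers = {} }) {
  const m = method.toUpperCase();
  if (!SAFELISTED_METHODS.has(m)) {
    return { simple: false, reason: `method ${m} needs preflight` };
  }
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lower)) {
      return { simple: false, reason: `header ${name} needs preflight` };
    }
    if (lower === "content-type" && !SAFELISTED_CONTENT_TYPES.has(mediaType(value))) {
      return { simple: false, reason: `content-type ${mediaType(value)} needs preflight` };
    }
  }
  return { simple: true };
}

// Constructed sample requests, as an attacker's page might issue them.
const samples = [
  { name: "html form post", method: "POST", headers: { "Content-Type": "application/x-www-form-urlencoded" } },
  { name: "file upload form", method: "POST", headers: { "Content-Type": "multipart/form-data; boundary=abc" } },
  { name: "fetch json", method: "POST", headers: { "Content-Type": "application/json" } },
  { name: "custom header", method: "GET", headers: { "X-Requested-With": "XMLHttpRequest" } },
  { name: "delete", method: "DELETE", headers: {} },
];

for (const s of samples) console.log(s.name, classifyCorsRequest(s));
```

The practical point: a simple request still reaches the server with the victim's cookies attached; CORS only decides whether the attacker's page may read the response. A JSON API that is lenient about Content-Type and will parse a `text/plain` body is therefore CSRF-reachable even though `application/json` alone would have been preflighted.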
We care about CORS because of the protection offered by the Same Origin Policy (SOP).
Script on URL1 can't read responses from URL2 (and non-simple requests aren't sent at all without a CORS preflight) if the two differ in scheme, host, or port.
The API origin isn't running JS.
www could still be vulnerable to XSS, and script injected there could send requests to the API through XHR.
window.postMessage() enables cross-origin communication through DOM-based events.
Windows can send and receive messages from each other through events.
    window.addEventListener("message", (event) => {
      if (event.origin !== "https://www.frowning.wtf") return;
      // .. otherwise do some stuff
    });
Modern browsers don't let you set your own Origin header.
iframes and WebSockets both carry browser-set origins (event.origin for a frame's messages, the Origin header on the WebSocket handshake) that the server can trust.
By dropping all requests to the API that aren't
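The two ideas above, the SOP's (scheme, host, port) triple and dropping API requests whose browser-set Origin header isn't trusted, as one added example in JavaScript (not code from the talk or from Slack). The hostnames are the talk's fake frowning.wtf domain and the allowlist is an assumption.

```javascript
// Added example: origin comparison for the Same Origin Policy, and the
// server-side Origin-header check for an API host. Allowlist is hypothetical.

const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// An origin is the (scheme, host, port) triple; path, query and fragment play
// no part. Returns null for unparseable input or the opaque origin "null".
function parseOrigin(urlOrOrigin) {
  if (urlOrOrigin === "null") return null;
  let u;
  try {
    u = new URL(urlOrOrigin);
  } catch (e) {
    return null;
  }
  const port = u.port || DEFAULT_PORTS[u.protocol];
  if (!port) return null;
  return { scheme: u.protocol, host: u.hostname.toLowerCase(), port };
}

function isSameOrigin(a, b) {
  const x = parseOrigin(a);
  const y = parseOrigin(b);
  if (!x || !y) return false;
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Exact origins only: suffix or substring matching would let a lookalike such
// as evil-www.frowning.wtf through.
const ALLOWED_ORIGINS = ["https://www.frowning.wtf"];

// Decide whether to drop a state-changing API request based on the Origin
// header. Script can't forge that header, so a match against the allowlist
// is trustworthy. A missing header is rejected: browsers attach Origin to
// cross-site POSTs, and a client that sends none is not a browser carrying
// ambient cookies, so it gains nothing from being let through here.
function originAllowed(originHeader) {
  if (typeof originHeader !== "string") return false;
  return ALLOWED_ORIGINS.some((allowed) => isSameOrigin(originHeader, allowed));
}

// Usage over constructed header values.
for (const o of ["https://www.frowning.wtf", "https://evil-www.frowning.wtf", "null", undefined]) {
  console.log(String(o), originAllowed(o) ? "accept" : "drop");
}
```

The check is a second line of defence next to CSRF tokens, not a replacement: a browser-side XSS on an allowed origin produces requests whose Origin header is, correctly, the allowed one.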
You can't completely.
Not unless you're sure you can prevent XSS.
Tell me why XSS is worse in all these cases.
Leigh Honeywell @tallpoppy
The latacora team
The Product Security teams @Slack