Defeating Cross-Site Scripting with Content Security Policy

Transcript

1. Defeating cross-site scripting with Content Security Policy Francois Marier <[email protected]>

2. what is a cross-site scripting (aka “XSS”) attack?

3. None
4. None
5. None
6. None

7. preventing XSS attacks

8. print <<<EOF <html> <h1>$title</h1> </html> EOF;

9. $title = escape($title); print <<<EOF <html> <h1>$title</h1> </html> EOF;

10. templating system

11. page.tpl: <html> <h1>{title}</h1> </html> page.php: render(“page.tpl”, $title);

12. auto-escaping turned ON

13. page.tpl: <html> <h1>{title|raw}</h1> </html> page.php: render(“page.tpl”, $title);

14. auto-escaping turned ON != escaping always ON

15. browser default = allow all the real problem:

16. None

17. a way to get the browser to enforce the restrictions

    you want on your site

18. $ curl --head https://www.libravatar.org/ X-Content-Security-Policy: default-src 'self' ; img-src 'self'

    data

19. $ curl --head https://www.libravatar.org/account/login/ X-Content-Security-Policy: default-src 'self' ; img-src 'self'

    data ; frame-src 'self' https://browserid.org ; script-src 'self' https://browserid.org

20. $ curl --head http://fmarier.org/ X-Content-Security-Policy: default-src 'none' ; img-src 'self'

    ; style-src 'self' ; font-src 'self'

21. <object> <script> <style> <img> <audio> & <video> <frame> & <iframe>

    <font> WebSocket & XMLHttpRequest

22. >= 4 >= 13 >= 10 >= 5

23. what does a CSP-enabled website look like?

24. None
25. None

26. unless explicitly allowed by your policy inline scripts are not

    executed
27. None
28. None

29. unless explicitly allowed by your policy external resources are not

    loaded

30. preparing your website for CSP (aka things you can do

    today)

31. eliminate inline scripts and styles

32. <script> do_stuff(); </script>

33. <script src=”do_stuff.js”> </script>

34. eliminate javascript: URIs

35. <a href=”javascript:go()”> Go! </a>

36. <a id=”go-button” href=”#”> Go! </a> var button = document.getElementById('go-button'); button.onclick

    = go;

37. add headers in web server config

38. <Location /some/page> Header set X-Content-Security-Policy "default-src 'self' ; script-src 'self'

    http://example.org" </Location>

39. not a replacement for proper XSS hygiene

40. great tool to increase the depth of your defenses

41. Spec: http://www.w3.org/TR/CSP/ HOWTO: https://developer.mozilla.org/en/Security/CSP Copyright © 2012 François Marier Released

    under the terms of the Creative Commons Attribution Share Alike 3.0 Unported Licence fmarier fmarier

42. Credits: Biohazard wallpaper: http://www.flickr.com/photos/rockyx/4273385120/ Under Construction: https://secure.flickr.com/photos/aguichard/6864586905/