Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Defeating Cross-Site Scripting with Content Sec...

Francois Marier
March 07, 2012
Programming
1
130

Defeating Cross-Site Scripting with Content Security Policy

How a new proposed HTTP response header can help increase the depth of your web application defenses.

Francois Marier

March 07, 2012
Tweet

More Decks by Francois Marier

See All by Francois Marier
Security and Privacy settings for Firefox Power Users
fmarier
0
290
Getting Browsers to Improve the Security of Your Webapp
fmarier
0
260
Hardening Firefox for Privacy and Security
fmarier
0
990
Security and Privacy on the Web in 2016
fmarier
0
200
Privacy and Tracking Protection in Firefox
fmarier
0
270
Security and Privacy on the Web in 2015
fmarier
0
240
Security and Privacy on the Web in 2015
fmarier
0
180
Integrity protection for third-party JavaScript
fmarier
1
760
URL to HTML
fmarier
1
280

Other Decks in Programming

See All in Programming
Realtime API 入門
riofujimon
0
150
C++でシェーダを書く
fadis
6
4.1k
cmp.Or に感動した
otakakot
2
140
とにかくAWS GameDay!AWSは世界の共通言語! / Anyway, AWS GameDay! AWS is the world's lingua franca!
seike460
PRO
1
860
ふかぼれ!CSSセレクターモジュール / Fukabore! CSS Selectors Module
petamoriken
0
150
Click-free releases & the making of a CLI app
oheyadam
2
110
WebフロントエンドにおけるGraphQL(あるいはバックエンドのAPI)との向き合い方 / #241106_plk_frontend
izumin5210
4
1.4k
見せてあげますよ、「本物のLaravel批判」ってやつを。
77web
7
7.7k
A Journey of Contribution and Collaboration in Open Source
ivargrimstad
0
900
Jakarta Concurrencyによる並行処理プログラミングの始め方 (JJUG CCC 2024 Fall)
tnagao7
1
290
EventSourcingの理想と現実
wenas
6
2.3k
初めてDefinitelyTypedにPRを出した話
syumai
0
400

Featured

See All Featured
What's in a price? How to price your products and services
michaelherold
243
12k
Bash Introduction
62gerente
608
210k
Writing Fast Ruby
sferik
627
61k
Imperfection Machines: The Place of Print at Facebook
scottboms
265
13k
Into the Great Unknown - MozCon
thekraken
32
1.5k
KATA
mclloyd
29
14k
Happy Clients
brianwarren
98
6.7k
Optimizing for Happiness
mojombo
376
70k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
246
1.3M
Code Reviewing Like a Champion
maltzj
520
39k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
28
2k
Building an army of robots
kneath
302
43k

Transcript

  1. Defeating cross-site scripting with Content Security Policy Francois Marier <[email protected]>

  2. what is a cross-site scripting (aka “XSS”) attack?

  3. None
  4. None
  5. None
  6. None

  7. preventing XSS attacks

  8. print <<<EOF <html> <h1>$title</h1> </html> EOF;

  9. $title = escape($title); print <<<EOF <html> <h1>$title</h1> </html> EOF;

  10. templating system

  11. page.tpl: <html> <h1>{title}</h1> </html> page.php: render(“page.tpl”, $title);

  12. auto-escaping turned ON

  13. page.tpl: <html> <h1>{title|raw}</h1> </html> page.php: render(“page.tpl”, $title);

  14. auto-escaping turned ON != escaping always ON

  15. browser default = allow all the real problem:

  16. None

  17. a way to get the browser to enforce the restrictions

    you want on your site

  18. $ curl --head https://www.libravatar.org/ X-Content-Security-Policy: default-src 'self' ; img-src 'self'

    data

  19. $ curl --head https://www.libravatar.org/account/login/ X-Content-Security-Policy: default-src 'self' ; img-src 'self'

    data ; frame-src 'self' https://browserid.org ; script-src 'self' https://browserid.org

  20. $ curl --head http://fmarier.org/ X-Content-Security-Policy: default-src 'none' ; img-src 'self'

    ; style-src 'self' ; font-src 'self'

  21. <object> <script> <style> <img> <audio> & <video> <frame> & <iframe>

    <font> WebSocket & XMLHttpRequest

  22. >= 4 >= 13 >= 10 >= 5

  23. what does a CSP-enabled website look like?

  24. None
  25. None

  26. unless explicitly allowed by your policy inline scripts are not

    executed
  27. None
  28. None

  29. unless explicitly allowed by your policy external resources are not

    loaded

  30. preparing your website for CSP (aka things you can do

    today)

  31. eliminate inline scripts and styles

  32. <script> do_stuff(); </script>

  33. <script src=”do_stuff.js”> </script>

  34. eliminate javascript: URIs

  35. <a href=”javascript:go()”> Go! </a>

  36. <a id=”go-button” href=”#”> Go! </a> var button = document.getElementById('go-button'); button.onclick

    = go;

  37. add headers in web server config

  38. <Location /some/page> Header set X-Content-Security-Policy "default-src 'self' ; script-src 'self'

    http://example.org" </Location>

  39. not a replacement for proper XSS hygiene

  40. great tool to increase the depth of your defenses

  41. Spec: http://www.w3.org/TR/CSP/ HOWTO: https://developer.mozilla.org/en/Security/CSP Copyright © 2012 François Marier Released

    under the terms of the Creative Commons Attribution Share Alike 3.0 Unported Licence fmarier fmarier

  42. Credits: Biohazard wallpaper: http://www.flickr.com/photos/rockyx/4273385120/ Under Construction: https://secure.flickr.com/photos/aguichard/6864586905/