Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Defeating Cross-Site Scripting with Content Sec...

Francois Marier
January 29, 2013
Programming
0
620

Defeating Cross-Site Scripting with Content Security Policy (updated)

How a new HTTP response header can help increase the depth of your web application defenses.

Also includes a few slides on HTTP Strict Transport Security, a header which helps protects HTTPS sites from sslstrip attacks.

Francois Marier

January 29, 2013
Tweet

More Decks by Francois Marier

See All by Francois Marier
Security and Privacy settings for Firefox Power Users
fmarier
0
290
Getting Browsers to Improve the Security of Your Webapp
fmarier
0
260
Hardening Firefox for Privacy and Security
fmarier
0
990
Security and Privacy on the Web in 2016
fmarier
0
200
Privacy and Tracking Protection in Firefox
fmarier
0
270
Security and Privacy on the Web in 2015
fmarier
0
240
Security and Privacy on the Web in 2015
fmarier
0
180
Integrity protection for third-party JavaScript
fmarier
1
760
URL to HTML
fmarier
1
280

Other Decks in Programming

See All in Programming
3rd party scriptでもReactを使いたい! Preact + Reactのハイブリッド開発
righttouch
PRO
1
600
ふかぼれ!CSSセレクターモジュール / Fukabore! CSS Selectors Module
petamoriken
0
150
とにかくAWS GameDay!AWSは世界の共通言語! / Anyway, AWS GameDay! AWS is the world's lingua franca!
seike460
PRO
1
860
Jakarta EE meets AI
ivargrimstad
0
130
CSC509 Lecture 09
javiergs
PRO
0
140
タクシーアプリ『GO』のリアルタイムデータ分析基盤における機械学習サービスの活用
mot_techtalk
4
1.4k
PHP でアセンブリ言語のように書く技術
memory1994
PRO
1
170
C++でシェーダを書く
fadis
6
4.1k
聞き手から登壇者へ: RubyKaigi2024 LTでの初挑戦が 教えてくれた、可能性の星
mikik0
1
130
Hotwire or React? ~アフタートーク・本編に含めなかった話~ / Hotwire or React? after talk
harunatsujita
1
120
レガシーシステムにどう立ち向かうか 複雑さと理想と現実/vs-legacy
suzukihoge
14
2.2k
카카오페이는 어떻게 수천만 결제를 처리할까? 우아한 결제 분산락 노하우
kakao
PRO
0
110

Featured

See All Featured
Faster Mobile Websites
deanohume
305
30k
Keith and Marios Guide to Fast Websites
keithpitt
409
22k
How GitHub (no longer) Works
holman
310
140k
What’s in a name? Adding method to the madness
productmarketing
PRO
22
3.1k
Statistics for Hackers
jakevdp
796
220k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
28
2k
A Tale of Four Properties
chriscoyier
156
23k
Unsuck your backbone
ammeep
668
57k
Being A Developer After 40
akosma
86
590k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
16
2.1k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
28
9.1k
Designing for humans not robots
tammielis
250
25k

Transcript

  1. Defeating cross-site scripting with Content Security Policy François Marier –

    @fmarier

  2. what is a cross-site scripting (aka “XSS”) attack?

  3. None
  4. None
  5. None
  6. None

  7. preventing XSS attacks

  8. print <<<EOF <html> <h1>$title</h1> </html> EOF;

  9. $title = escape($title); print <<<EOF <html> <h1>$title</h1> </html> EOF;

  10. templating system

  11. page.tpl: <html> <h1>{title}</h1> </html> page.php: render(“page.tpl”, $title);

  12. auto-escaping turned ON

  13. page.tpl: <html> <h1>{title|raw}</h1> </html> page.php: render(“page.tpl”, $title);

  14. auto-escaping turned ON escaping always ON

  15. browser default = allow all the real problem:

  16. None

  17. a way to get the browser to enforce the restrictions

    you want on your site

  18. $ curl --head http://example.com/ Content-Security-Policy: default-src 'self' ; img-src 'self'

    data ;

  19. $ curl --head https://example.com/login Content-Security-Policy: default-src 'self' ; img-src 'self'

    data ; frame-src 'self' https://login.persona.org ; script-src 'self' https://login.persona.org

  20. $ curl --head http://fmarier.org/ Content-Security-Policy: default-src 'none' ; img-src 'self'

    ; style-src 'self' ; font-src 'self'

  21. <object>, <applet> & <embed> <script> <style> & <link> <img> <audio>,

    <video>, <source> & <track> <frame> & <iframe> @font-face WebSocket, EventSource, & XMLHttpRequest

  22. >= 10 >= 6

  23. what does a CSP-enabled website look like?

  24. None
  25. None

  26. unless explicitly allowed by your policy inline scripts are not

    executed
  27. None
  28. None

  29. unless explicitly allowed by your policy external resources are not

    loaded

  30. preparing your website for CSP (aka things you can do

    today)

  31. eliminate inline scripts and styles

  32. <script> do_stuff(); </script>

  33. <script src=”do_stuff.js”> </script>

  34. eliminate javascript: URIs

  35. <a href=”javascript:go()”> Go! </a>

  36. <a id=”go-button” href=”#”> Go! </a> var button = document.getElementById('go-button'); button.onclick

    = go;

  37. rolling out CSP

  38. start with a loose policy

  39. default-src 'self' *.example.com data;

  40. default-src 'self' *.example.com data; options unsafe-inline

  41. work towards a stricter policy

  42. default-src 'self'; img-src 'self' static.example.com data; style-src static.example.com; script-src static.example.com

  43. use the reporting mode

  44. Content-Security-Policy-Report-Only: default-src 'none' ; report-uri http://example.com/report.cgi

  45. { "csp-report": { "document-uri": "http://example.com/page.html", "referrer": "http://evil.example.com/haxor.html", "blocked-uri": "http://evil.example.com/foo.png", "violated-directive":

    "default-src 'none'", "original-policy": "default-src 'none' ... " } }

  46. add headers in web server config

  47. <Location /some/page> Header set Content-Security-Policy "default-src 'self' ; script-src 'self'

    http://example.org" </Location>

  48. not a replacement for proper XSS hygiene

  49. great tool to increase the depth of your defenses

  50. @fmarier http://fmarier.org Spec: http://www.w3.org/TR/CSP/ HOWTO: https://developer.mozilla.org/en/Security/CSP Online tool: http://cspisawesome.com/ Firefox

    add-on: https://addons.mozilla.org/en-US/firefox/addon/newusercspdesign/

  51. bonus HTTP header 100 % FREE!

  52. None
  53. None
  54. None

  55. wouldn't it be nice if the browser...

  56. ...blocked all HTTP requests there?

  57. HTTP Strict Transport Security

  58. $ curl --head https://login.persona.org HTTP/1.1 200 OK Vary: Accept-Encoding,Accept-Language Cache-Control:

    public, max-age=0 Content-Type: text/html; charset=utf8 Strict-Transport-Security: max-age=2592000 Date: Thu, 16 Aug 2012 03:29:19 GMT ETag: "2943768d6a45793897e83bf8804cd711" Connection: keep-alive X-Frame-Options: DENY Content-Length: 5374
  59. None

  60. HTTPS only site turn HSTS on

  61. Specs: http://www.w3.org/TR/CSP/ https://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec HOWTOs: https://developer.mozilla.org/en/Security/CSP https://developer.mozilla.org/en/Security/HTTP_Strict_Transport_Security Online tool: http://cspisawesome.com/ Firefox

    add-on: https://addons.mozilla.org/en-US/firefox/addon/newusercspdesign/ @fmarier http://fmarier.org

  62. Photo credits: Biohazard wallpaper: http://www.flickr.com/photos/rockyx/4273385120/ Under Construction: https://secure.flickr.com/photos/aguichard/6864586905/ Castle walls:

    https://secure.flickr.com/photos/rdale/585105348/ Wash hands: https://secure.flickr.com/photos/hygienematters/4504612019/ Copyright © 2013 François Marier Released under the terms of the Creative Commons Attribution Share Alike 3.0 Unported Licence