Defeating Cross-Site Scripting with Content Security Policy (updated)

How a new HTTP response header can help increase the depth of your web application defenses.

Also includes a few slides on HTTP Strict Transport Security, a header which helps protect HTTPS sites from sslstrip attacks.


François Marier

January 29, 2013


  1. Defeating cross-site scripting with Content Security Policy François Marier –

  2. what is a cross-site scripting (aka “XSS”) attack?

  7. preventing XSS attacks

  8. print <<<EOF
      <html>
      <h1>$title</h1>
      </html>
      EOF;

  9. $title = escape($title);
      print <<<EOF
      <html>
      <h1>$title</h1>
      </html>
      EOF;

  10. templating system

  11. page.tpl:
      <html>
      <h1>{title}</h1>
      </html>
      page.php:
      render("page.tpl", $title);

  12. auto-escaping turned ON

  13. page.tpl:
      <html>
      <h1>{title|raw}</h1>
      </html>
      page.php:
      render("page.tpl", $title);

  14. auto-escaping turned ON escaping always ON

  15. the real problem: browser default = allow all

  17. a way to get the browser to enforce the restrictions you want on your site
  18. $ curl --head http://example.com/
      Content-Security-Policy: default-src 'self' ; img-src 'self' data: ;
  19. $ curl --head https://example.com/login
      Content-Security-Policy: default-src 'self' ; img-src 'self' data: ; frame-src 'self' https://login.persona.org ; script-src 'self' https://login.persona.org
  20. $ curl --head http://fmarier.org/
      Content-Security-Policy: default-src 'none' ; img-src 'self' ; style-src 'self' ; font-src 'self'
  21. <object>, <applet> & <embed>
      <script>
      <style> & <link>
      <img>
      <audio>, <video>, <source> & <track>
      <frame> & <iframe>
      @font-face
      WebSocket, EventSource, & XMLHttpRequest
  22. >= 10 >= 6

  23. what does a CSP-enabled website look like?

  26. unless explicitly allowed by your policy inline scripts are not

  29. unless explicitly allowed by your policy external resources are not

  30. preparing your website for CSP (aka things you can do

  31. eliminate inline scripts and styles

  32. <script> do_stuff(); </script>

  33. <script src="do_stuff.js"> </script>

  34. eliminate javascript: URIs

  35. <a href="javascript:go()"> Go! </a>

  36. <a id="go-button" href="#"> Go! </a>
      var button = document.getElementById('go-button');
      button.onclick = go;
  37. rolling out CSP

  38. start with a loose policy

  39. default-src 'self' *.example.com data:;

  40. default-src 'self' *.example.com data:; options unsafe-inline

  41. work towards a stricter policy

  42. default-src 'self'; img-src 'self' static.example.com data:; style-src static.example.com; script-src static.example.com

  43. use the reporting mode

  44. Content-Security-Policy-Report-Only: default-src 'none' ; report-uri http://example.com/report.cgi

  45. {
        "csp-report": {
          "document-uri": "http://example.com/page.html",
          "referrer": "http://evil.example.com/haxor.html",
          "blocked-uri": "http://evil.example.com/foo.png",
          "violated-directive": "default-src 'none'",
          "original-policy": "default-src 'none' ... "
        }
      }
  46. add headers in web server config

  47. <Location /some/page>
        Header set Content-Security-Policy "default-src 'self' ; script-src 'self' http://example.org"
      </Location>
  48. not a replacement for proper XSS hygiene

  49. great tool to increase the depth of your defenses

  50. @fmarier http://fmarier.org
      Spec: http://www.w3.org/TR/CSP/
      HOWTO: https://developer.mozilla.org/en/Security/CSP
      Online tool: http://cspisawesome.com/
      Firefox add-on: https://addons.mozilla.org/en-US/firefox/addon/newusercspdesign/
  51. bonus HTTP header 100 % FREE!

  55. wouldn't it be nice if the browser...

  56. ...blocked all HTTP requests there?

  57. HTTP Strict Transport Security

  58. $ curl --head https://login.persona.org
      HTTP/1.1 200 OK
      Vary: Accept-Encoding,Accept-Language
      Cache-Control: public, max-age=0
      Content-Type: text/html; charset=utf8
      Strict-Transport-Security: max-age=2592000
      Date: Thu, 16 Aug 2012 03:29:19 GMT
      ETag: "2943768d6a45793897e83bf8804cd711"
      Connection: keep-alive
      X-Frame-Options: DENY
      Content-Length: 5374
  60. HTTPS only site turn HSTS on

  61. Specs: http://www.w3.org/TR/CSP/ https://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec
      HOWTOs: https://developer.mozilla.org/en/Security/CSP https://developer.mozilla.org/en/Security/HTTP_Strict_Transport_Security
      Online tool: http://cspisawesome.com/
      Firefox add-on: https://addons.mozilla.org/en-US/firefox/addon/newusercspdesign/
      @fmarier http://fmarier.org
  62. Photo credits:
      Biohazard wallpaper: http://www.flickr.com/photos/rockyx/4273385120/
      Under Construction: https://secure.flickr.com/photos/aguichard/6864586905/
      Castle walls: https://secure.flickr.com/photos/rdale/585105348/
      Wash hands: https://secure.flickr.com/photos/hygienematters/4504612019/
      Copyright © 2013 François Marier
      Released under the terms of the Creative Commons Attribution Share Alike 3.0 Unported Licence
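
An added example (not from the slides) of how the policies on slides 18 to 20 decide what may load: a simplified matcher that parses a policy and applies the default-src fallback. It ignores ports, paths and the spec's scheme-upgrade rules, and the function names are made up for this example.

```javascript
// Added example: simplified CSP source matching. Ports, paths and the spec's
// scheme-upgrade rules are ignored; function names are made up for this example.

// "default-src 'self' ; img-src 'self' data:" -> Map of directive -> [sources]
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !policy.has(key)) policy.set(key, sources); // first occurrence wins
  }
  return policy;
}

function sourceMatches(source, url, pageOrigin) {
  if (source === "'self'") return url.origin === pageOrigin;
  if (source.startsWith("'")) return false; // 'none' and other keywords match no URL
  if (source === '*') return /^https?:$/.test(url.protocol); // not data: and friends
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  // host-source: optional scheme, optional leading "*." wildcard
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  const wantScheme = scheme ? scheme.toLowerCase() + ':' : null;
  if (wantScheme ? url.protocol !== wantScheme : !/^https?:$/.test(url.protocol)) return false;
  const name = host.toLowerCase();
  return wildcard ? url.hostname.endsWith('.' + name) : url.hostname === name;
}

// directive is the one for the resource type, e.g. 'script-src' for <script src>.
function isAllowed(header, directive, resourceUrl, pageUrl) {
  const policy = parsePolicy(header);
  const sources = policy.get(directive) ?? policy.get('default-src');
  if (sources === undefined) return true; // nothing applies: browser default is allow
  const url = new URL(resourceUrl, pageUrl); // resolves relative URLs against the page
  const pageOrigin = new URL(pageUrl).origin;
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

// Policies from slides 18 and 20 of this deck.
const SLIDE_18 = "default-src 'self' ; img-src 'self' data:";
const SLIDE_20 = "default-src 'none' ; img-src 'self' ; style-src 'self' ; font-src 'self'";
console.log(isAllowed(SLIDE_18, 'script-src', 'http://evil.example.com/x.js', 'http://example.com/'));
console.log(isAllowed(SLIDE_20, 'img-src', '/photo.png', 'http://fmarier.org/'));
```

A source written as `data` without the colon is read as a host name, so it does not permit data: URIs.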
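
An added example (not from the slides) for the reporting mode on slides 43 to 45: a triage function that groups the JSON bodies POSTed to report-uri by violated directive and blocked origin, so a loose policy can be tightened from observed violations. The sample bodies are constructed, modelled on the report on slide 45, and the function names are made up for this example.

```javascript
// Added example: triage of CSP reports gathered in report-only mode. The report-uri
// endpoint is unauthenticated, so every field is untrusted: reject malformed
// bodies, and HTML-escape these values wherever they are shown.
function blockedOrigin(blockedUri) {
  if (!blockedUri) return '(inline or empty)';
  try {
    const u = new URL(blockedUri);
    return u.origin === 'null' ? u.protocol : u.origin; // data: etc. have no origin
  } catch {
    return blockedUri; // not a URL (a keyword), kept as reported
  }
}

function summarizeReports(bodies) {
  const groups = new Map();
  let rejected = 0;
  for (const body of bodies) {
    let report;
    try {
      report = JSON.parse(body)['csp-report'];
    } catch {
      report = undefined; // not JSON, or JSON null
    }
    if (!report || typeof report['violated-directive'] !== 'string') {
      rejected += 1;
      continue;
    }
    const directive = report['violated-directive'].trim().split(/\s+/)[0];
    const origin = blockedOrigin(String(report['blocked-uri'] ?? ''));
    const key = directive + ' ' + origin;
    const g = groups.get(key) ?? { directive, origin, count: 0, pages: new Set() };
    g.count += 1;
    g.pages.add(String(report['document-uri'] ?? ''));
    groups.set(key, g);
  }
  const rows = [...groups.values()].sort((a, b) => b.count - a.count);
  return { rows: rows.map((g) => ({ ...g, pages: [...g.pages].sort() })), rejected };
}

// Constructed sample bodies; the first mirrors the report on slide 45.
const mk = (doc, blocked, directive) => JSON.stringify({
  'csp-report': { 'document-uri': doc, 'blocked-uri': blocked, 'violated-directive': directive },
});
const SAMPLE_BODIES = [
  mk('http://example.com/page.html', 'http://evil.example.com/foo.png', "default-src 'none'"),
  mk('http://example.com/other.html', 'http://evil.example.com/bar.png', "default-src 'none'"),
  mk('http://example.com/page.html', 'http://static.example.com/app.js', "script-src 'self'"),
  mk('http://example.com/page.html', '', "script-src 'self'"),
  '{"csp-report": "not an object"}', 'not json', // both are rejected
];
console.log(summarizeReports(SAMPLE_BODIES));
```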