CSP a Powerful Security Steroid

Jxck
February 09, 2017

Chrome Tech Night #9 @2016/2/9

Transcript

  1. CSP
    powerful security steroid
    Chrome Tech Talk Night #9
    #chromejp 2017/02/09

  2. Jack

  3. mozaic.fm

  4. Content
    Steroid
    Protein

  5. Content
    Steroid / Security
    Protein / Policy

  7. Policy of Security for Content
    ● This content is allowed to
    ○ execute inline script?
    ○ load assets from origin xxx?
    ○ embed an iframe?
    ○ include mixed content?
    ○ etc.

  8. How to apply CSP
    ● via Header
    Content-Security-Policy: $policy
    ● via Meta Tag
    <meta http-equiv="Content-Security-Policy" content="$policy">

  9. CSP directives
    ● fetch directives
    ● document directives
    ● navigation directives
    ● reporting directives

  10. fetch directives
    ● default-src
    ● child-src
    ● connect-src
    ● font-src
    ● frame-src
    ● img-src
    ● manifest-src
    ● media-src
    ● object-src
    ● script-src
    ● style-src
    ● worker-src
    each one is a whitelist of allowed origins
    a directive that is not set falls back to default-src
    ex)
    img-src http://jxck.io;
    default-src 'self'

  11. document directives
    ● base-uri
    ○ allowed URL for <base>
    ● plugin-types
    ○ allowed media types for <object> / <embed>
    ● sandbox
    ○ behave like a sandboxed iframe
    ● disown-opener
    ○ behave like noopener

  12. navigation directives
    ● form-action
    ○ allowed action for <form>
    ● frame-ancestors
    ○ allowed origins that may embed this document
    ● navigation-to
    ○ allowed origins to navigate to (a, form, window.location, etc.)

  13. reporting directives
    ● report-uri
    ○ deprecated
    ○ kept only as a fallback for report-to
    ● report-to
    ○ URL to send violation reports to

  14. CSP keywords
    ● 'self'
    ○ only from Same Origin
    ● 'none'
    ○ from everywhere
    ● 'unsafe-inline'
    ○ allow inline <script> / <style>
    ● 'unsafe-eval'
    ○ allow `eval()` in JS
    ● 'strict-dynamic'
    ○ specify nonce of script
    ● 'unsafe-hashed-attributes'
    ○ specify a hash of inline script

  15. Most Powerful Policy
    ● can I have...
    ○ jQuery from a CDN? : No
    ○ Google Analytics? : No
    ○ YouTube? : No
    ○ iframe... : NO!
    ○ inline... : Never!!
    Content-Security-Policy: default-src 'self'
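
The rules from slides 10, 14 and 15 (per-directive origin whitelist, fallback to default-src, 'self', 'none', host wildcards) as a small evaluator. This is an added example written for this transcript, not code from the talk; ports and paths are ignored for brevity, and 'none' is implemented as it is specified, matching no source at all.

```python
# Added example, not code from the talk: a small evaluator for the fetch-directive
# rules on these slides: one origin whitelist per directive, fallback to default-src
# when a directive is absent, the 'self' and 'none' keywords, and host wildcards
# such as https://*.jxck.io. Ports and paths are ignored for brevity.
from urllib.parse import urlsplit

def parse_policy(header: str) -> dict:
    """'dir v1 v2; dir v' -> {'dir': ['v1', 'v2'], ...} (directive names are case-insensitive)."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def _source_matches(source: str, url: str, page_origin: str) -> bool:
    u = urlsplit(url)
    if source == "'self'":
        return f"{u.scheme}://{u.netloc}" == page_origin
    if source.startswith("'"):
        return False                      # 'none' and other keywords never name an origin
    # a host-only source such as jxck.io inherits the page's scheme
    s = urlsplit(source if "://" in source else "//" + source, scheme=urlsplit(page_origin).scheme)
    # CSP lets an http: source also match the https: form of the same host
    if s.scheme != u.scheme and not (s.scheme == "http" and u.scheme == "https"):
        return False
    pattern, host = s.hostname or "", u.hostname or ""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # *.jxck.io matches blog.jxck.io, not jxck.io
    return host == pattern

def is_allowed(policy: dict, directive: str, url: str, page_origin: str) -> bool:
    """Check one fetch against the named directive, falling back to default-src."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True                       # neither directive nor default-src: unrestricted
    return any(_source_matches(src, url, page_origin) for src in sources)
```

Note that `img-src http://jxck.io` does not fall back to default-src once it is set, so an image from the page's own origin is refused unless that origin is listed there too.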

  16. Example: XSS

  17. No more Escape Input?
    ● CSP only checks a Policy, not an Attack
    ○ if the policy has a hole, an incident can still happen
    ○ old browsers have no CSP implementation
    ● do the Security work, and add CSP as cover
    ○ if a security hole exists, CSP blocks the attack

  18. case study: github.com

  19. Does it really work??

  20. report-uri
    ● Send Report as JSON to URI
    Content-Security-Policy:
      default-src 'self';
      report-uri https://report-server/...
    {
      "csp-report": {
        "document-uri": "...",
        "referrer": "...",
        "blocked-uri": "...",
        "violated-directive": "...",
        "original-policy": "..."
      }
    }

  21. The Report doesn't tell me about the attack
    ● you can know WHAT happened
    ○ document URI
    ○ violated policy
    ● you can't know WHY it happened
    ○ attack? or not?
    ● you can't know WHAT the result was for the USER
    ○ ad image not displayed?
    ○ can't read the article?

  22. Is it really... OK...?

  23. Too strict to deploy immediately
    ● Hard to make sure your policy is right
    ○ crawling with a browser on staging
    ● Real World Problems
    ○ every user uses a different browser with various settings
    ● Deploy in production immediately?
    ○ bad experience for users?
    ○ is it worse than blocking an attack?

  24. CSP-Report-Only
    ● only sends reports
    ○ find out WHAT happened only
    ● rolling out to remove report-only
    ○ after finishing testing the policy
    ○ but I think it's optional
    ○ finding what happened is enough for integration

  25. 1 Year Experience

  26. blog.jxck.io
    ● basically static content only
    ○ no
    ○ no Dynamically Generated content
    ○ no CDN
    ● potentially no XSS
    ○ violations come from Non-XSS Attacks
    ○ or from attacks not expected

  27. Current Settings
    content-security-policy-report-only:
      default-src 'self' https://jxck.io https://*.jxck.io https://www.google-analytics.com;
      child-src https://blog.jxck.io https://www.youtube.com;
      connect-src wss://ws.jxck.io;
      report-uri https://jxck.report-uri.io/...

  28. CSP report (2016/3 ~ now)
    (chart annotations: deploy, fix up CSP setting, non-critical reports)

  29. CSP Report case#1
    ● append script via bookmarklet (maybe)
    {
      "csp-report": {
        "document-uri": "https://blog.jxck.io/entries/...",
        "referrer": "https://blog.jxck.io/",
        "violated-directive": "script-src",
        "effective-directive": "script-src",
        "original-policy": "default-src 'self' https://jxck.io...",
        "disposition": "report",
        "blocked-uri": "https://code.jquery.com/jquery-3.0.0.min.js",
        "line-number": 1,
        "column-number": 108,
        "status-code": 0
      }
    }

  30. CSP Report case#2
    ● browser extension
    {
      "csp-report": {
        "document-uri": "https://blog.jxck.io/entries/...",
        "violated-directive": "default-src 'self' https://jxck.io ...",
        "effective-directive": "img-src",
        "original-policy": "default-src 'self' https://jxck.io ...",
        "blocked-uri": "ms-browser-extension",
        "status-code": 0
      }
    }

  31. CSP Report case#3
    ● inline style in Chrome for .txt, .md, .xml
    {
      "csp-report": {
        "document-uri": "https://jxck.io/humans.txt",
        "referrer": "",
        "violated-directive": "style-src",
        "effective-directive": "style-src",
        "original-policy": "default-src 'self' https://*.jxck.io...",
        "disposition": "report",
        "blocked-uri": "inline",
        "line-number": 1,
        "status-code": 0
      }
    }

  33. CSP Report case#4
    ● inline style in Firefox view-source://
    {
      "csp-report": {
        "blocked-uri": "self",
        "document-uri": "view-source",
        "original-policy": "...",
        "script-sample": "-moz-tab-size: 4",
        "source-file": "view-source:https://blog.jxck.io/entries/...",
        "violated-directive": "default-src view-source:// ..."
      }
    }

  35. CSP Report case#5
    ● about://blank
    {
      "csp-report": {
        "document-uri": "about://blank",
        "violated-directive": "default-src 'self' https://jxck.io...",
        "effective-directive": "img-src",
        "original-policy": "default-src 'self' https://jxck.io...",
        "blocked-uri": "data",
        "status-code": 0
      }
    }
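
The five report patterns above (case#1 to case#5) turned into triage logic for a report-uri endpoint, which is what slide 21 says the raw report cannot give you on its own. This is an added example written for this transcript, not the author's tooling; the labels, the `triage` and `summarize` helpers and the sample bodies are all constructed here.

```python
# Added example, not code from the talk: triage logic for the violation reports a
# report-uri endpoint receives, encoded from the five noise patterns above (case#1..#5).
# Labels and the sample bodies are constructed here; they are not the author's tooling.
import json
from collections import Counter
from urllib.parse import urlsplit

EXTENSION_SCHEMES = {"ms-browser-extension", "chrome-extension", "moz-extension"}

def triage(r: dict) -> str:
    """Label one csp-report object; anything unrecognised is left for manual review."""
    doc = r.get("document-uri", "")
    blocked = r.get("blocked-uri", "")
    directive = r.get("effective-directive") or r.get("violated-directive", "")
    if blocked in EXTENSION_SCHEMES or urlsplit(blocked).scheme in EXTENSION_SCHEMES:
        return "extension"            # case#2: a browser extension injected the resource
    if doc.startswith(("view-source", "about:")):
        return "browser-internal"     # case#4 and case#5: not one of our pages at all
    if blocked == "inline" and directive.startswith("style-src") and doc.endswith((".txt", ".md", ".xml")):
        return "viewer-style"         # case#3: Chrome's own inline style for plain-text views
    if directive.startswith("script-src") and blocked.startswith(("http://", "https://")):
        return "foreign-script"       # case#1: bookmarklet, proxy... or an XSS: worth a look
    return "review"

def summarize(bodies: list) -> Counter:
    """Parse POSTed JSON report bodies and count them by label."""
    return Counter(triage(json.loads(b)["csp-report"]) for b in bodies)

# constructed bodies mirroring case#1..#5 (fields trimmed to what triage() reads)
SAMPLE_BODIES = [
    '{"csp-report": {"document-uri": "https://blog.jxck.io/entries/x", "effective-directive": "script-src", "blocked-uri": "https://code.jquery.com/jquery-3.0.0.min.js"}}',
    '{"csp-report": {"document-uri": "https://blog.jxck.io/entries/x", "effective-directive": "img-src", "blocked-uri": "ms-browser-extension"}}',
    '{"csp-report": {"document-uri": "https://jxck.io/humans.txt", "effective-directive": "style-src", "blocked-uri": "inline"}}',
    '{"csp-report": {"document-uri": "view-source", "violated-directive": "default-src view-source:// ...", "blocked-uri": "self"}}',
    '{"csp-report": {"document-uri": "about://blank", "effective-directive": "img-src", "blocked-uri": "data"}}',
]
```

Everything that lands in "review" or "foreign-script" is the small slice worth reading by hand; the rest is the noise the next slides talk about.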

  36. More and More...

  37. Content
    Steroid
    Protein

  38. Steroid (powerful but...)
    ● Blog for Engineers
    ○ bookmarklets, extensions, local proxies, etc.
    ○ users normally arrange content by themselves
    ● Almost all of them seem Not an Attack
    ○ do we really need to block them?
    ○ safe? or inconvenient?
    ● Protected / Crippled
    ○ depends on the content
    ○ GitHub / Twitter etc.

  39. Mixed Contents

  40. Finding Mixed Contents
    ● Mixed Contents
    ○ HTTP subresource in an HTTPS page
    ○ can't rule out tampering by a MITM
    ○ no green URL bar
    ● Active
    ○ can modify the outer DOM (script, iframe, etc.)
    ○ Blocked
    ● Passive
    ○ cannot modify the outer DOM (img, video, audio, etc.)
    ○ Error, but not blocked

  41. HTTPS Everywhere vs Mixed Contents
    ● causes of Mixed Contents
    ○ Consumer Generated Media
    ○ Ads
    ○ Legacy Hard-Coded URLs
    ● if Mixed
    ○ insecure URL bar
    ○ broken content
    ○ invisible Ads

  42. Upgrade-Insecure-Requests
    ● fetch http:// URLs as https://
    ○ 404 if not supported
    ○ never mixed content
    ● avoid mixed content with only one header
    ○ no modification of content
    ○ find mixed content by 404s in the server access.log
    Content-Security-Policy: upgrade-insecure-requests

  43. Block-All-Mixed-Content
    ● block even Passive mixed content
    ○ broken content if mixed
    ○ never mixed content
    ● with CSP Report
    ○ Report-Only doesn't break content
    ○ find mixed content by CSP report
    Content-Security-Policy: block-all-mixed-content
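
The active/passive split from slide 40 and the two directives from slides 42 and 43, applied to a page: an added example written for this transcript, not code from the talk. It scans HTML for http:// subresources, says which class each belongs to, which ones a browser blocks with and without block-all-mixed-content, and what URL upgrade-insecure-requests would fetch instead; the sample page is constructed.

```python
# Added example, not code from the talk: scan an HTML document for http:// subresources,
# classify each as active or passive mixed content (slide 40), and show the URL that
# upgrade-insecure-requests would fetch instead. The sample page is constructed.
from html.parser import HTMLParser

# which attribute carries the subresource URL, and whether the element can touch the outer DOM
ACTIVE = {"script": "src", "iframe": "src", "link": "href", "object": "data", "embed": "src"}
PASSIVE = {"img": "src", "video": "src", "audio": "src", "source": "src"}

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        kind = "active" if tag in ACTIVE else "passive" if tag in PASSIVE else None
        if kind is None:
            return                                   # e.g. <a href>: navigation, not a subresource
        url = dict(attrs).get({**ACTIVE, **PASSIVE}[tag])
        if url and url.lower().startswith("http://"):
            self.findings.append({"tag": tag, "url": url, "kind": kind,
                                  "upgraded": "https://" + url[len("http://"):]})

def find_mixed_content(html: str) -> list:
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.findings

def would_be_blocked(finding: dict, block_all_mixed: bool = False) -> bool:
    """Browsers block active mixed content by default; passive only under block-all-mixed-content."""
    return finding["kind"] == "active" or block_all_mixed

SAMPLE_HTML = """<html><body>
<img src="http://img.example/logo.png">
<script src="http://cdn.example/lib.js"></script>
<a href="http://other.example/">link</a>
<img src="https://img.example/secure.png">
</body></html>"""
```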

  44. Reporting Server

  45. report-uri.io
    ● not recommended (in production)
    ○ bad UI
    ○ bad response when sending a Report
    ○ can't see data from more than half a year ago
    ○ can't see HTTP headers
    ○ can't export your data
    ● do it yourself
    ○ simple POST endpoint for JSON
    ○ Kibana, Grafana, BigQuery, etc.
    ○ Google Analytics support is welcome :)

  46. One More Thing

  47. HTTP Public Key Pinning
    ● pin a hash of the public key
    ○ avoid CA incidents
    ● hard to deploy
    ○ backup pin
    Public-Key-Pins: pin-sha256="#{hash-of-public-key}"

  48. on my blog

  49. from the same service

  50. HPKP Report
    thumbnails.yammer.com:443
    (Pins set by thumbnails.yammer.com
    includeSubdomains=false)

  51. this is the Real World Web

  52. May the Safe be with Web

  53. Jack