CSP a Powerful Security Steroid

Transcript

1. CSP powerful security steroid Chrome Tech Talk Night #9 #chromejp

   2017/02/09

2. Jack

3. mozaic.fm

4. P rotein S teroid 4 C ontent

5. 5 C ontent S teroid P rotein S ecurity P

   olicy

6. 6

7. 7 Policy of Security for Content • This content is

   allowed to ◦ exec inline script ? ◦ load assets from origin xxx ? ◦ embend iframe ? ◦ mixed content ? ◦ etc

8. 8 How to apply CSP • via Header • via

   Meta Tag Content-Security-Policy: $policy <meta http-equiv=”Content-Security-Policy” content=”$policy” >

9. 9 CSP directives • fetch directive • document directive •

   navigation directive • reporting directive

10. 10 fetch directives • default-src • child-src • connect-src •

    font-src • frame-src • img-src • manifest-src • media-src • object-src • script-src • style-src • worker-src whitelist of allowed orign fallback to default-src ex) img-src; http://jxck.io default-src; ‘self’

11. 11 document directives • base-uri ◦ allowed url for <base>

    • plugin-types ◦ allowed media type for <embed> / <object> • sandbox ◦ behave like sandbox iframe • disown-opener ◦ behave like noopener

12. 12 navigation directives • form-action ◦ allowed action for <form>

    • frame-ancestors ◦ allowed origin for embed this docment • navigation-to ◦ allowed origin to move (a, form, window.location etc)

13. 13 reporting directives • report-uri ◦ deprecated ◦ only for

    fallback of report-to • report-to ◦ url to send violation report

14. 14 CSP keywords • ‘self’ ◦ only from Same Origin

    • ‘none’ ◦ from everywhere • ‘unsafe-inline’ ◦ allow <script> / <style> • ‘unsafe-eval’ ◦ allow `eval()` in JS • ‘strict-dynamic’ ◦ specify nonce of script • ‘unsafe-hashed-attributes’ ◦ specify a hash of inline script

15. 15 Most Powerful Policy • can I have… ◦ jquery

    from cdn ? :No ◦ google anlytics ? :No ◦ youtube? :No ◦ iframe… :NO! ◦ inline.. :Never !! Content-Security-Policy: default-src ‘self’

16. 16 Example: XSS <meta http-equiv="Content-Security-Policy" content="default-src 'self'">

17. No more Escape Input ? • only checking a Policy

    , not Attack ◦ in policy has a hole, It may have incident ◦ no implement of CSP on old browser • do Security thing, and adding CSP for cover ◦ if security hall exists, block the attack 17

18. 18 case study: github.com

19. It’s really works ?? 19

20. report-uri 20 • Send Report as JSON to URI Content-Security-Policy:

    default-src ‘self’; report-uri https://report-server/... { "csp-report": { "document-uri": “...”, "referrer": “...”, "blocked-uri": “...”, "violated-directive": “...”, "original-policy": “...”, } }

21. Report doesn’t tells me about attack • you can know

    WHAT happened ◦ document uri ◦ violated policy • you can’t know WHY happened ◦ attack ? or not ? • you can’t know WHAT result to USER ◦ ad image not displayed ? ◦ can’t read the article ? 21

22. It’s really… OK ...? 22

23. Too strict to deploy immediate • Hard to make sure

    your policy right ◦ crowring with browser on staging • Real World Problems ◦ every user use each browser with variaus setting • Deploy in production immediately ? ◦ bad experience for user ? ◦ it’s wose than blocking attack ? 23

24. CSP-Report-Only • only sending report ◦ find out WHAT happened

    only • rolling out to remove report-only ◦ after finish testing policy ◦ but I think it’s optional ◦ finding what happened is enought for integration 24

25. 1 Year Experience 25

26. blog.jxck.io 26 • basically static contents only ◦ no <input>

    ◦ no Dynamic Generated ◦ no CDN • potentially no XSS ◦ violation by Non XSS Attack ◦ or attack not expected

27. Current Settings 27 content-security-policy-report-only: default-src 'self' https://jxck.io https://*.jxck.io https://www.google-analytics.co m

    ; child-src https://blog.jxck.io https://www.youtube.com ; connect-src wss://ws.jxck.io ; report-uri https://jxck.report-uri.io/...

28. 28 CSP report (2016/3 ~ now) deploy fixup csp setting

    non critical reports

29. 29 CSP Report case#1 • append script via bookmarklet (maybe)

    { "csp-report": { "document-uri": "https://blog.jxck.io/entries/...", "referrer": "https://blog.jxck.io/", "violated-directive": "script-src", "effective-directive": "script-src", "original-policy": "default-src 'self' https://jxck.io...", "disposition": "report", "blocked-uri": "https://code.jquery.com/jquery-3.0.0.min.js", "line-number": 1, "column-number": 108, "status-code": 0 } }

30. 30 CSP Report case#2 • browser-extension { "csp-report": { "document-uri":

    "https://blog.jxck.io/entries/...", "violated-directive": "default-src 'self' https://jxck.io ...", "effective-directive": "img-src", "original-policy": "default-src 'self' https://jxck.io ...", "blocked-uri": "ms-browser-extension", "status-code": 0 } }

31. 31 CSP Report case#3 • inline style in Chrome .txt,

    .md, .xml { "csp-report": { "document-uri": "https://jxck.io/humans.txt", "referrer": "", "violated-directive": "style-src", "effective-directive": "style-src", "original-policy":"default-src 'self' https://*.jxck.io...", "disposition":"report", "blocked-uri":"inline", "line-number":1, "status-code":0 } } Image

32. 32 CSP Report case#3 • inline style in Chrome .txt,

    .md, .xml

33. 33 CSP Report case#4 • inline style in FF view-source://

    { "csp-report": { "blocked-uri": "self", "document-uri": "view-source", "original-policy": "...", "script-sample": "-moz-tab-size: 4", "source-file": "view-source:https://blog.jxck.io/entries/...", "violated-directive": "default-src view-source:// ..." } } Image

34. 34 CSP Report case#4 • inline style in FF view-source://

35. 35 CSP Report case#5 • about://blank { "csp-report": { "document-uri":

    "about://blank", "violated-directive": "default-src 'self' https://jxck.io...", "effective-directive": "img-src", "original-policy": "default-src 'self' https://jxck.io…", "blocked-uri": "data", "status-code": 0 } }

36. More and More... 36

37. P rotein S teroid 37 C ontent

38. 38 Steroid (powerful but…) • Blog for Engineer ◦ bookmarklets,

    extentions, localproxy etc ◦ user nomary arrange contents by themself • Almost all seems Not Attack ◦ really need to block them ? ◦ safe ? incombenience ? • Protected / Clippled ◦ depends for contents ◦ Github / Twitter etc

39. Mixed Contents 39

40. Finding Mixed Contents 40 • Mixed Contents ◦ HTTP subresource

    in HTTPS ◦ can’t ensure falsify by MITM ◦ no green URL bar • Active ◦ Possible to modify outer DOM (script, iframe etc) ◦ Blocked • Passive ◦ Impossible to modify outer DOM (img, video, audio etc) ◦ Error but not blocked

41. HTTPS Everywhere vs Mixed Contents 41 • case of Mixed

    Contents ◦ Consumer Generated Media ◦ Ad ◦ Legacy Hard Coded URL • if Mixed ◦ insecure url bar ◦ broken contents ◦ invisible Ad

42. Upgrade-Insecure-Request 42 • fetch http:// url as https:// ◦ 404

    if not supported ◦ never mixed contents • avoid mixed only one header ◦ no modify contents ◦ find mixed by 404 in server access.log Content-Security-Policy: Upgrade-Insecure-Requests

43. Block-All-Mixed-Contents 43 • block if Passive mixed contents ◦ broken

    contents if mixed ◦ never mixed contents • with CSP Report ◦ Report-Only doesn’t broke contents ◦ finding mixed by csp reoprt Content-Security-Policy: Block-All-Mixed-Contents

44. Reporting Server 44

45. 45 report-uri.io • not recommended (in production) ◦ bad UI

    ◦ bad response at sending Report ◦ can’t see data before half year ◦ can’t see HTTP header ◦ can’t export your data • do yourself ◦ simple POST endpoint for JSON ◦ kibana, grafana, big query etc ◦ Google Analytics support are welcome :)

46. One More Thing 46

47. HTTP Public Key Pinning 47 • pin a hash of

    public key ◦ avoide CA incident • hard to deploy ◦ backup pin Public-Key-Pins: pin-sha256=”#{hash-of-public-key}”

48. on my blog 48

49. from same service 49

50. HPKP Report 50 thumbnails.yammer.com:443 (Pins set by thumbnails.yammer.com includeSubdomains=false)

51. this is Real World Web 51

52. May the Safe be with Web 52

53. Jack