CSP Is Dead, Long Live Strict CSP! - DeepSec 2016

CSP Is Dead, Long Live Strict CSP! - DeepSec 2016

Content Security Policy (CSP) is a defense-in-depth mechanism to restrict resources that can be loaded, embedded and executed in a web application, significantly reducing the risk and impact of injections. It is supported by most modern browsers, and it already is at its third iteration - yet, adoption in the web is struggling.

In this presentation I'll highlight the major roadblocks that make CSP deployment difficult, common mistakes, talk about how we automatically bypassed the CSP of more than 95% of ~1.6 Million domains, e.g., by showing how easy it is to defeat the whitelist-based model with some juicy bypasses, thanks to JSONP endpoints for example, by abusing a CDN and loading outdated versions of AngularJS.

Finally, I present a radically new way of doing CSP in a simpler, easier to maintain and more secure way based on nonces and making use of a new feature we contributed to CSP3.

We hope that after attending this talk you will understand how tricky it can be to deploy an effective CSP policy and what are the common mistakes to avoid, and as an attacker you will get resources and pointers on how well CSP is keeping up with modern web technologies, and how to break it.


Lukas Weichselbaum

November 11, 2016