
Towards a Post-XSS World - JSConf EU 2013

Mike West
September 14, 2013

Cross-site scripting attacks are pervasive and dangerously exploitable threats to modern web applications, undermining the critical assumption that your app’s code is actually under your control. But you know that already; you’re likely playing whack-a-mole right now with one of the dozens of potential attack vectors your app exposes.

Happily, we’re this close to eradicating XSS with some new tools like Content Security Policy. Come spend a half-hour of your life learning how you can stop worrying about maliciously injected script. You’ll be glad you did!


Transcript

  1. Towards a Post-XSS World
    Mike West
    https://mikewest.org
    G+: mkw.st/+
    Twitter: @mikewest
    Slides: https://mkw.st/r/jsconfeu13

  2. http://www.html5rocks.com/en/tutorials/security/content-security-policy/
    https://mkw.st/r/csp

  3. (image only, no text)

  4. Content injection is scary.

  5. scheme://host:port

  6. <script>beAwesome();</script>
    <script>beEvil();</script>

  7. <script>beAwesome();</script>

    Hello, <script>beEvil();</script>!

  8. <style>p { color: {{USER_COLOR}}; }</style>

    Hello {{USER_NAME}}, view your
    Account.

    <script>var id = {{USER_ID}};</script>

  9. https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
    goo.gl/XE0aW

  10. (An obfuscated JavaScript payload written using only the characters `[]()!+`, omitted here.)

  11. (The same `[]()!+`-only payload as slide 10, omitted here; it evaluates to:)
    alert(1);

  12. "I discount the probability of perfection."
    -Alex Russell

  13. "We are all idiots with deadlines."
    -Mike West

  14. http://traumwerk.stanford.edu/philolog/2009/10/homers_odyssey_in_art_sirens_f.html

  15. http://w3.org/TR/CSP11

  16. (image only, no text)

  17. Content-Security-Policy:
      default-src 'none';
      style-src https://mikewestdotorg.hasacdn.net;
      frame-src https://www.youtube.com
                https://www.speakerdeck.com;
      script-src https://mikewestdotorg.hasacdn.net
                 https://ssl.google-analytics.com;
      img-src 'self'
              https://mikewestdotorg.hasacdn.net
              https://ssl.google-analytics.com;
      font-src https://mikewestdotorg.hasacdn.net

  18. Content-Security-Policy:
      default-src ...;
      script-src ...;
      object-src ...;
      style-src ...;
      img-src ...;
      media-src ...;
      frame-src ...;
      font-src ...;
      connect-src ...;
      sandbox ...;
      report-uri https://example.com/reporter.cgi
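
Added example (not part of the slides): a small Node.js script that parses a policy like the one on slide 17 into its directives, resolves the default-src fallback for the fetch directives listed on slide 18, and flags weak source lists. The function names and the lint rules are my own, not something from the talk.

```javascript
// Added example, not from the talk: parse a Content-Security-Policy header
// value, resolve the default-src fallback, and flag weak source lists. Node.js.
const FETCH_DIRECTIVES = ['script-src', 'object-src', 'style-src', 'img-src',
  'media-src', 'frame-src', 'font-src', 'connect-src']; // fall back to default-src

// The header value from slide 17, used here as sample input.
const SLIDE17_POLICY = "default-src 'none'; " +
  "style-src https://mikewestdotorg.hasacdn.net; " +
  "frame-src https://www.youtube.com https://www.speakerdeck.com; " +
  "script-src https://mikewestdotorg.hasacdn.net https://ssl.google-analytics.com; " +
  "img-src 'self' https://mikewestdotorg.hasacdn.net https://ssl.google-analytics.com; " +
  "font-src https://mikewestdotorg.hasacdn.net";

// "name src src; name src" -> Map(name -> [src, ...]). Directive names are
// case-insensitive and, as in browsers, the first occurrence of a name wins.
function parsePolicy(header) {
  const policy = new Map();
  for (const token of header.split(';')) {
    const parts = token.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const name = parts[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, parts.slice(1));
  }
  return policy;
}

// The list that actually governs a fetch directive: its own, else default-src,
// else nothing at all is restricted (CSP has no implicit deny).
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (policy.has('default-src')) return policy.get('default-src');
  return ['*'];
}

// Findings a reviewer would raise before shipping: no default-src, wildcard or
// scheme-only sources (https: allows any https host), 'unsafe-inline'/'unsafe-eval'.
function lintPolicy(policy) {
  const findings = [];
  if (!policy.has('default-src')) findings.push('no default-src: unlisted fetch directives are unrestricted');
  for (const d of FETCH_DIRECTIVES) {
    for (const src of effectiveSources(policy, d)) {
      const s = src.toLowerCase();
      const broad = s === '*' || /^[a-z][a-z0-9+.-]*:$/.test(s);
      const inline = (d === 'script-src' || d === 'style-src') &&
        (s === "'unsafe-inline'" || s === "'unsafe-eval'");
      if (broad || inline) findings.push(`${d} allows ${src}`);
    }
  }
  return findings;
}
```

Run it against the slide 17 policy and `lintPolicy` returns nothing; drop default-src or add `'unsafe-inline'` to script-src and every directive that silently became unrestricted shows up.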

  19. Content-Security-Policy-Report-Only:
      default-src https:;
      report-uri https://example.com/csp-violations

    {
      "csp-report": {
        "document-uri": "http://example.org/page.html",
        "referrer": "http://evil.example.com/haxor.html",
        "blocked-uri": "http://evil.example.com/img.png",
        "violated-directive": "default-src 'self'",
        "original-policy": "...",
        "source-file": "http://example.com/script.js",
        "line-number": 10,
        "column-number": 11
      }
    }

  20. https://twitter.com/rwaldron/status/371801007829041153

  21. <script>function handleClick() { ... }</script>
    Click me!
    Click me!

  22. Click me!
    Click me!

    function handleClick() {
      // ...
    }
    function init() {
      // for...in over a NodeList yields index names, not elements; walk it by index.
      var els = document.querySelectorAll('.clckr');
      for (var i = 0; i < els.length; i++)
        els[i].addEventListener('click', handleClick);
    }

  23. Content-Security-Policy:
      script-src 'nonce-afbvjn+afpo-j1qer';
    Click me!
    Click me!
    <script nonce="afbvjn+afpo-j1qer">
    function handleClick() { /* ... */ }
    function init() {
      var els = document.querySelectorAll('.clckr');
      for (var i = 0; i < els.length; i++)
        els[i].addEventListener('click', handleClick);
    }
    </script>

  24. `eval()` is evil?

  25. http://www.html5rocks.com/en/tutorials/security/sandboxed-iframes/
    goo.gl/WJjv10

  26. http://www.html5rocks.com/en/tutorials/security/content-security-policy/
    https://mkw.st/r/csp

  27. http://lcamtuf.coredump.cx/postxss/

  28. https://mkw.st/r/jsconfeu13
    https://mkw.st/r/csp
    Danke!
    Mike West
    https://mikewest.org
    G+: mkw.st/+
    Twitter: @mikewest