Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Towards a Post-XSS World - JSConf EU 2013

Mike West
PRO
September 14, 2013
Programming
5
820

Towards a Post-XSS World - JSConf EU 2013

Cross-site scripting attacks are pervasive and dangerously exploitable threats to modern web applications, undermining the critical assumption that your app’s code is actually under your control. But you know that already; you’re likely playing whack-a-mole right now with one of the dozens of potential attack vectors your app exposes.

Happily, we’re this close to eradicating XSS with some new tools like Content Security Policy. Come spend a half-hour of your life learning how you can stop worrying about maliciously injected script. You’ll be glad you did!

Mike West
PRO

September 14, 2013
Tweet

More Decks by Mike West

See All by Mike West
W3C Permissions Workshop - 2022-12-05
mikewest
PRO
0
90
Isolation by Default
mikewest
PRO
0
1.6k
The Web We Can Ship
mikewest
PRO
0
380
Web Platform Security @ CMS Security Summit 2020
mikewest
PRO
0
2.4k
Web Platform Security @ TechDays 2019
mikewest
PRO
1
150
Cookies are bad @ HTTP Workshop 2019
mikewest
PRO
0
390
Web Platform Security @ CMS Security Summit
mikewest
PRO
0
96
Web Platform Security PhD Summit @ Google Munich
mikewest
PRO
2
810
BSides Munich
mikewest
PRO
0
310

Other Decks in Programming

See All in Programming
Fragment Composition of GraphQL
quramy
13
1.6k
Documentation for users with AsciiDoc and Antora
ahus1
0
370
Native Federation: The Future of Micro Frontends in Angular
manfredsteyer
PRO
0
140
禅の心を手に入れよ
eltociear
1
430
冗長なエラーログを削減し、スタックトレースを手に入れる / Reducing Verbose Error Logs and Obtaining Stack Traces
upamune
0
1.1k
The Cutting Edge Of Versioning (LambdaConf 2024)
chriskrycho
0
230
Node.js v22 で変わること
yosuke_furukawa
PRO
12
4.1k
ペパボOpenTelemetry革命
pyama86
2
180
Ruby Function Composition
bkuhlmann
1
340
使ってみよう Azure AI Document Intelligence
kosmosebi
2
370
Hanami and htmx
bkuhlmann
0
230
dbtのドメイン分割による データ基盤の改善とDigdagとの連携
sakama
0
480

Featured

See All Featured
Designing with Data
zakiwarfel
96
4.8k
KATA
mclloyd
16
12k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
358
22k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
242
1.2M
Writing Fast Ruby
sferik
622
60k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
9
1.3k
VelocityConf: Rendering Performance Case Studies
addyosmani
321
23k
How To Stay Up To Date on Web Technology
chriscoyier
782
250k
Building an army of robots
kneath
300
41k
Fashionably flexible responsive web design (full day workshop)
malarkey
398
65k
Making the Leap to Tech Lead
cromwellryan
125
8.5k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
66
14k

Transcript

  1. Towards a Post- XSS World Mike West https://mikewest.org G+: mkw.st/+

    Twitter: @mikewest Slides: https://mkw.st/r/jsconfeu13

  2. http://www.html5rocks.com/en/tutorials/security/content-security-policy/ https://mkw.st/r/csp

  3. None

  4. Content injection is scary.

  5. scheme://host:port

  6. <script> beAwesome(); </script> <script> beEvil(); </script>

  7. <script> beAwesome(); </script> <!-- <p>Hello, {$name}!</p> --> <p>Hello, <script> beEvil();

    </script>!</p>

  8. <style> p { color: {{USER_COLOR}}; } </style> <p> Hello {{USER_NAME}},

    view your <a href="{{USER_URL}}">Account</a>. </p> <script> var id = {{USER_ID}}; </script> <!-- DEBUG: {{INFO}} -->

  9. https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet goo.gl/XE0aW

  10. [][(![]+[])[+[[+[]]]]+([][[]]+[])[+[[!+[]+!+[]+!+[]+!+[]+!+[]]]]+(![]+[])[+[[!+[]+!+[]]]]+(!![]+[]) [+[[+[]]]]+(!![]+[])[+[[!+[]+!+[]+!+[]]]]+(!![]+[])[+[[+!+[]]]]][([][(![]+[])[+[[+[]]]]+([][[]]+[]) [+[[!+[]+!+[]+!+[]+!+[]+!+[]]]]+(![]+[])[+[[!+[]+!+[]]]]+(!![]+[])[+[[+[]]]]+(!![]+[])[+[[!+[]+!+[] +!+[]]]]+(!![]+[])[+[[+!+[]]]]]+[])[+[[!+[]+!+[]+!+[]]]]+([][(![]+[])[+[[+[]]]]+([][[]]+[])[+[[!+[] +!+[]+!+[]+!+[]+!+[]]]]+(![]+[])[+[[!+[]+!+[]]]]+(!![]+[])[+[[+[]]]]+(!![]+[])[+[[!+[]+!+[]+!+[]]]] +(!![]+[])[+[[+!+[]]]]]+[])[+[[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]]]+([][[]]+[])[+[[+!+[]]]]+(![]+[])[+ [[!+[]+!+[]+!+[]]]]+(!![]+[])[+[[+[]]]]+(!![]+[])[+[[+!+[]]]]+([][[]]+[])[+[[+[]]]]+([][(![]+[])[+ [[+[]]]]+([][[]]+[])[+[[!+[]+!+[]+!+[]+!+[]+!+[]]]]+(![]+[])[+[[!+[]+!+[]]]]+(!![]+[])[+[[+[]]]]+ (!![]+[])[+[[!+[]+!+[]+!+[]]]]+(!![]+[])[+[[+!+[]]]]]+[])[+[[!+[]+!+[]+!+[]]]]+(!![]+[])[+[[+[]]]]+ ([][(![]+[])[+[[+[]]]]+([][[]]+[])[+[[!+[]+!+[]+!+[]+!+[]+!+[]]]]+(![]+[])[+[[!+[]+!+[]]]]+(!![]+

    [])[+[[+[]]]]+(!![]+[])[+[[!+[]+!+[]+!+[]]]]+(!![]+[])[+[[+!+[]]]]]+[])[+[[!+[]+!+[]+!+[]+!+[]+!+[] +!+[]]]]+(!![]+[])[+[[+!+[]]]]]((![]+[])[+[[+!+[]]]]+(![]+[])[+[[!+[]+!+[]]]]+(!![]+[])[+[[!+[]+!+ []+!+[]]]]+(!![]+[])[+[[+!+[]]]]+(!![]+[])[+[[+[]]]]+([][(![]+[])[+[[+[]]]]+([][[]]+[])[+[[!+[]+!+ []+!+[]+!+[]+!+[]]]]+(![]+[])[+[[!+[]+!+[]]]]+(!![]+[])[+[[+[]]]]+(!![]+[])[+[[!+[]+!+[]+!+[]]]]+ (!![]+[])[+[[+!+[]]]]]+[])[+[[+!+[]]]+[[!+[]+!+[]+!+[]+!+[]+!+[]]]]+[+!+[]]+([][(![]+[])[+[[+[]]]]+ ([][[]]+[])[+[[!+[]+!+[]+!+[]+!+[]+!+[]]]]+(![]+[])[+[[!+[]+!+[]]]]+(!![]+[])[+[[+[]]]]+(!![]+[])[+ [[!+[]+!+[]+!+[]]]]+(!![]+[])[+[[+!+[]]]]]+[])[+[[+!+[]]]+[[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]]])()

  11. [][(![]+[])[+[[+[]]]]+([][[]]+[])[+[[!+[]+!+[]+!+[]+!+[]+!+[]]]]+(![]+[])[+[[!+[]+!+[]]]]+(!![]+[]) [+[[+[]]]]+(!![]+[])[+[[!+[]+!+[]+!+[]]]]+(!![]+[])[+[[+!+[]]]]][([][(![]+[])[+[[+[]]]]+([][[]]+[]) [+[[!+[]+!+[]+!+[]+!+[]+!+[]]]]+(![]+[])[+[[!+[]+!+[]]]]+(!![]+[])[+[[+[]]]]+(!![]+[])[+[[!+[]+!+[] +!+[]]]]+(!![]+[])[+[[+!+[]]]]]+[])[+[[!+[]+!+[]+!+[]]]]+([][(![]+[])[+[[+[]]]]+([][[]]+[])[+[[!+[] +!+[]+!+[]+!+[]+!+[]]]]+(![]+[])[+[[!+[]+!+[]]]]+(!![]+[])[+[[+[]]]]+(!![]+[])[+[[!+[]+!+[]+!+[]]]] +(!![]+[])[+[[+!+[]]]]]+[])[+[[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]]]+([][[]]+[])[+[[+!+[]]]]+(![]+[])[+ [[!+[]+!+[]+!+[]]]]+(!![]+[])[+[[+[]]]]+(!![]+[])[+[[+!+[]]]]+([][[]]+[])[+[[+[]]]]+([][(![]+[])[+ [[+[]]]]+([][[]]+[])[+[[!+[]+!+[]+!+[]+!+[]+!+[]]]]+(![]+[])[+[[!+[]+!+[]]]]+(!![]+[])[+[[+[]]]]+ (!![]+[])[+[[!+[]+!+[]+!+[]]]]+(!![]+[])[+[[+!+[]]]]]+[])[+[[!+[]+!+[]+!+[]]]]+(!![]+[])[+[[+[]]]]+ ([][(![]+[])[+[[+[]]]]+([][[]]+[])[+[[!+[]+!+[]+!+[]+!+[]+!+[]]]]+(![]+[])[+[[!+[]+!+[]]]]+(!![]+

    [])[+[[+[]]]]+(!![]+[])[+[[!+[]+!+[]+!+[]]]]+(!![]+[])[+[[+!+[]]]]]+[])[+[[!+[]+!+[]+!+[]+!+[]+!+[] +!+[]]]]+(!![]+[])[+[[+!+[]]]]]((![]+[])[+[[+!+[]]]]+(![]+[])[+[[!+[]+!+[]]]]+(!![]+[])[+[[!+[]+!+ []+!+[]]]]+(!![]+[])[+[[+!+[]]]]+(!![]+[])[+[[+[]]]]+([][(![]+[])[+[[+[]]]]+([][[]]+[])[+[[!+[]+!+ []+!+[]+!+[]+!+[]]]]+(![]+[])[+[[!+[]+!+[]]]]+(!![]+[])[+[[+[]]]]+(!![]+[])[+[[!+[]+!+[]+!+[]]]]+ (!![]+[])[+[[+!+[]]]]]+[])[+[[+!+[]]]+[[!+[]+!+[]+!+[]+!+[]+!+[]]]]+[+!+[]]+([][(![]+[])[+[[+[]]]]+ ([][[]]+[])[+[[!+[]+!+[]+!+[]+!+[]+!+[]]]]+(![]+[])[+[[!+[]+!+[]]]]+(!![]+[])[+[[+[]]]]+(!![]+[])[+ [[!+[]+!+[]+!+[]]]]+(!![]+[])[+[[+!+[]]]]]+[])[+[[+!+[]]]+[[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]]])() alert(1);

  12. "I discount the probability of perfection." -Alex Russell

  13. "We are all idiots with deadlines." -Mike West

  14. http://traumwerk.stanford.edu/philolog/2009/10/homers_odyssey_in_art_sirens_f.html

  15. http://w3.org/TR/CSP11

  16. None

  17. Content-Security-Policy: default-src 'none'; style-src https://mikewestdotorg.hasacdn.net; frame-src https://www.youtube.com https://www.speakerdeck.com; script-src https://mikewestdotorg.hasacdn.net

    https://ssl.google-analytics.com; img-src 'self' https://mikewestdotorg.hasacdn.net https://ssl.google-analytics.com; font-src https://mikewestdotorg.hasacdn.net

  18. Content-Security-Policy: default-src ...; script-src ...; object-src ...; style-src ...; img-src

    ...; media-src ...; frame-src ...; font-src ...; connect-src ...; sandbox ...; report-uri https://example.com/reporter.cgi

  19. Content-Security-Policy-Report-Only: default-src https:; report-uri https://example.com/csp-violations { "csp-report": { "document-uri": "http://example.org/page.html",

    "referrer": "http://evil.example.com/haxor.html", "blocked-uri": "http://evil.example.com/img.png", "violated-directive": "default-src 'self'", "original-policy": "...", "source-file": "http://example.com/script.js", "line-number": 10, "column-number": 11, } }

  20. https://twitter.com/rwaldron/status/371801007829041153

  21. <script> function handleClick() { ... } </script> <button onclick="handleClick()">Click me!</button>

    <a href="javascript:handleClick()">Click me!</a>

  22. <!-- index.html --> <script src="clickHandler.js"></script> <button class="clckr">Click me!</button> <a href="#"

    class="clckr">Click me!</a> <!-- clickHandler.js --> function handleClick() { ... } function init() { for (var e in document.querySelectorAll('.clckr')) e.addEventListener('click', handleClick); }

  23. Content-Security-Policy: script-src 'nonce-afbvjn+afpo-j1qer'; <button class="clckr">Click me!</button> <a href="#" class="clckr">Click me!</a>

    <script nonce="oafbvjn+afpo-j1qer"> function handleClick() { ... } function init() { var e; for (e in document.querySelectorAll('.clckr')) e.addEventListener('click', handleClick); } </script>

  24. `eval()` is evil?

  25. http://www.html5rocks.com/en/tutorials/security/sandboxed-iframes/ goo.gl/WJjv10

  26. http://www.html5rocks.com/en/tutorials/security/content-security-policy/ https://mkw.st/r/csp

  27. http://lcamtuf.coredump.cx/postxss/

  28. https://mkw.st/r/jsconfeu13 https://mkw.st/r/csp Danke! Mike West https://mikewest.org G+: mkw.st/+ Twitter: @mikewest