Upgrade to Pro — share decks privately, control downloads, hide ads and more …

ACM CCS 2016 - CSP Is Dead, Long Live CSP!

Michele Spagnuolo
October 27, 2016
Technology
2
320

ACM CCS 2016 - CSP Is Dead, Long Live CSP!

Paper: https://research.google.com/pubs/pub45542.html

Content Security Policy is a web platform mechanism designed to mitigate cross-site scripting (XSS), the top security vulnerability in modern web applications. In this paper, we take a closer look at the practical benefits of adopting CSP and identify significant flaws in real-world deployments that result in bypasses in 94.72% of all distinct policies. We base our Internet-wide analysis on a search engine corpus of approximately 100 billion pages from over 1 billion hostnames; the result covers CSP deployments on 1,680,867 hosts with 26,011 unique CSP policies – the most comprehensive study to date. We introduce the security-relevant aspects of the CSP specification and provide an in-depth analysis of its threat model, focusing on XSS protections. We identify three common classes of CSP bypasses and explain how they subvert the security of a policy. We then turn to a quantitative analysis of policies deployed on the Internet in order to understand their security benefits. We observe that 14 out of the 15 domains most commonly whitelisted for loading scripts contain unsafe endpoints; as a consequence, 75.81% of distinct policies use script whitelists that allow attackers to bypass CSP. In total, we find that 94.68% of policies that attempt to limit script execution are ineffective, and that 99.34% of hosts with CSP use policies that offer no benefit against XSS. Finally, we propose the ’strict-dynamic’ keyword, an addition to the specification that facilitates the creation of policies based on cryptographic nonces, without relying on domain whitelists. We discuss our experience deploying such a nonce-based policy in a complex application and provide guidance to web authors for improving their policies.

Michele Spagnuolo

October 27, 2016
Tweet

More Decks by Michele Spagnuolo

See All by Michele Spagnuolo
Securing web apps with modern features
mikispag
0
32
The web is broken: let's fix it!
mikispag
3
2.1k
Content Security Policy: A successful mess between hardening and mitigation
mikispag
8
3.9k
Defense-in-Depth Techniques for Modern Web Applications and Google’s Journey with CSP - Michele Spagnuolo and Lukas Weichselbaum
mikispag
3
1.7k
So we broke all CSPs... You won't guess what happened next! - Michele Spagnuolo and Lukas Weichselbaum
mikispag
7
3.7k
Making CSP great again! - Michele Spagnuolo and Lukas Weichselbaum
mikispag
11
6.9k
Abusing JSONP with Rosetta Flash
mikispag
1
610

Other Decks in Technology

See All in Technology
サービスレベル管理とは?〜計測すべき指標と活用について/What is Service Level Management
newrelic2023
0
280
アクセシビリティに関わる職種とは?〜freee編〜
magi1125
0
8k
GPTによる薬歴の自動生成のPoC
pharma_x_tech
1
630
守りから「攻め」の開発へ!New Relicを活用してサービスと共に成長するチームになる
yoshikikomoriya
0
320
ジェネレーティブAI実践入門/20230524
yoshidashingo
4
2.1k
Amazon VPC Lattice を使い始める前におさえておきたいポイント n 選 / Introduction to VPC Lattice
hayaok3
1
600
初学者が1ヶ月ほどAWS CDKを勉強してみた - AWS CDK Conference Japan 2023
sakaguchi
0
560
Road to RubyKaigi Speaker (case sue445) #rubykaigi2023_after
sue445
PRO
0
350
サーバーレスサービスの特徴と アプリケーションの考え方 / Characteristics of serverless services and Concept of application
_kensh
0
120
[Journal club] Hyena Hierarchy: Towards Larger Convolutional Language Models
keio_smilab
PRO
1
110
全世界のユーザー体験の改善にNew Relic Mobileをどのように活用したか/How New Relic Mobile was used to improve the global user experience
isaoshimizu
1
350
Semantic Kernel LT
takashi1029
0
190

Featured

See All Featured
Facilitating Awesome Meetings
lara
35
4.8k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
16
5.8k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
217
21k
Streamline your AJAX requests with AmplifyJS and jQuery
dougneiner
130
8.9k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
3
540
The Power of CSS Pseudo Elements
geoffreycrofte
54
4.5k
Build The Right Thing And Hit Your Dates
maggiecrowley
23
1.5k
A Tale of Four Properties
chriscoyier
149
21k
Embracing the Ebb and Flow
colly
76
3.7k
It's Worth the Effort
3n
178
26k
GraphQLとの向き合い方2022年版
quramy
23
11k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
9
770

Transcript

  1. CSP is Dead,
    Long Live CSP
    On the Insecurity of Whitelists and the
    Future of Content Security Policy
    Lukas Weichselbaum
    Michele Spagnuolo
    Sebastian Lekies
    Artur Janc
    ACM CCS, 2016, Vienna

    View Slide

  2. About Us
    We work in a special focus area of the Google security team
    aimed at improving product security by targeted proactive
    projects to mitigate whole classes of bugs.
    Michele Spagnuolo
    Senior Information Security
    Engineer
    Lukas Weichselbaum
    Senior Information Security
    Engineer

    View Slide

  3. Research Questions
    TL;DR: is CSP protecting against XSS?
    1

    View Slide

  4. Research Questions
    ◉ How is CSP used on the web?
    ◉ Do deployed CSPs protect against XSS?
    ◉ Do CSP whitelists work in practice?
    ◉ Is there a better way to effectively mitigate XSS?

    View Slide

  5. Recap: What is CSP?
    ◉ An HTTP header developers can use to lock down
    their web applications in various ways.
    ◉ A defense-in-depth mechanism - it reduces the
    harm that a malicious injection can cause, but it is
    not a replacement for careful input validation and
    output encoding.

    View Slide

  6. Recap: How does CSP work?
    Script injections (XSS) get blocked
    Content-Security-Policy
    default-src 'self';
    script-src 'self' yep.com;
    report-uri /csp_violation_logger;
    money.example.com money.example.com
    yep.com
    attacker.com

    ">'>alert(42)<br/>
    money.example.com/csp_violations_logger
    CSP
    blocks
    inline script
    not allowed
    src="//yep.com/x.js">
    ">'>src="//attacker.com">
    CSP
    blocks
    source not
    whitelisted
    CSP
    allows
    CSP
    allows

    View Slide

  7. Data Set
    Internet-wide analysis on the full Google index (approximately 100 billion pages)
    2

    View Slide

  8. Collecting CSPs & Bypasses
    WWW Google Index
    100 Billion pages
    CSP
    Filter
    1.6 Million
    Hosts with
    CSP
    CSP
    Dedupe
    26,011
    unique CSPs
    In addition to the CSPs, we also
    collected JSONP endpoints and
    Angular libraries (whitelist bypasses)
    JSONP
    Filter
    8.8 Million
    JSONP
    endpoints
    Angular
    Filter
    2.6 Million
    Angular
    libraries

    View Slide

  9. Normalize & de-duplicate CSPs
    ◉ Problem 1: CSP can have variable parts (e.g. nonces)
    ◉ Problem 2: Same CSP on thousands of hostnames
    ○ Caused by off-the-shelf web applications
    ■ e.g., message boards and e-commerce platforms
    ○ De-duplication by hostname/CSP would have been strongly
    biased
    ◉ De-duplication based on the normalized CSP string

    View Slide

  10. Normalize & de-duplicate CSPs
    CSP
    Dedupe
    ◉ Normalization:
    ○ Parse CSP,
    ○ Replaced nonces and report URIs, with fixed placeholders,
    ○ Order directives and directive values
    script-src 'self' 'nonce-xyz789' example.com;
    report-uri /csp/a2d0ad39-5d0e-40d4-81ce-e43cb07697b8;
    script-src 'nonce-abc123' 'self' example.com;
    report-uri /csp/97830f0f-d1df-4847-b98f-67a28d866731;
    script-src 'self' 'nonce-PLACEHOLDER' example.com;
    report-uri PLACEHOLDER;
    Normalize
    &
    de-dupe

    View Slide

  11. CSP Use Cases
    All Unique Policies
    This data set contains
    all unique CSP
    policies, both in
    report-only and
    enforcing mode.
    XSS Policies
    ● enforced
    ● at least one of:
    ○ script-src
    ○ object-src
    ○ default-src
    Strict XSS Policies
    Like XSS Policies, not
    including unsafe
    directive values as:
    ● 'unsafe-inline'
    ● a URI scheme
    ● the * wildcard
    26,011
    unique CSPs
    86% 11%

    View Slide

  12. CSP Evaluation
    Assess whether a CSP policy can be bypassed to execute attacker-controlled scripts
    3

    View Slide

  13. Evaluation of CSPs
    ◉ We only considered automatic & FP-free checks
    ◉ We assess if CSP can be bypassed (XSS)
    ◉ Checks:
    ○ Usage of ’unsafe-inline’ in script-src
    ○ Missing object-src
    ○ Use of wildcards in whitelists
    ■ E.g. script-src * http: https: data:
    ○ Unsafe origin in whitelists
    ■ JSONP-like endpoints
    ■ Endpoints hosting Angular

    View Slide

  14. Some CSP Bypass Examples
    'unsafe-inline' in script-src
    script-src 'self' 'unsafe-inline';
    object-src 'none';
    CSP-Bypass:
    ">'>alert(1337)
    URL scheme/wildcard in script-src
    script-src 'self' https: data: *;
    object-src 'none';
    CSP-Bypass: ">'>src=data:text/javascript,alert(13
    37)>
    Missing or lax object-src
    script-src 'none';
    CSP-Bypass: ">'>type="application/x-shockwave-flash"
    data='https://ajax.googleapis.com/aj
    ax/libs/yui/2.8.0r4/build/charts/ass
    ets/charts.swf?allowedDomain=\"})))}
    catch(e){alert(1337)}//'>
    value="always">
    JSONP-like endpoint in whitelist
    script-src 'self' whitelisted.com;
    object-src 'none';
    CSP-Bypass: ">'>src="https://whitelisted.com/jsonp?
    callback=alert">
    AngularJS library in whitelist
    script-src 'self' whitelisted.com;
    object-src 'none';
    CSP-Bypass: ">src="https://whitelisted.com/angularjs/1.1.3/angular.min.js">

    These bypasses can be verified in an automated and FP-free manner

    View Slide

  15. Results
    The state of CSP on the web
    4

    View Slide

  16. How secure are real-world CSP policies ?
    Unique CSPs Report Only
    Bypassable
    unsafe_inline
    Missing
    object_src
    Wildcard in
    script-src
    whitelist
    Unsafe
    domain
    in script-src
    whitelist
    Trivially
    Bypassable
    Total
    Unique CSPs
    26011
    2591
    9.96%
    21947
    84.38%
    3131
    12.04%
    5753
    22.12%
    19719
    75.81%
    24637
    94.72%
    XSS Policies
    22425
    0
    0%
    19652
    87.63%
    2109
    9.4%
    4816
    21.48%
    17754
    79.17%
    21232
    94.68%
    Strict XSS Policies
    2437
    0
    0%
    0
    0%
    348
    14.28%
    0
    0%
    1015
    41.65%
    1244
    51.05%

    View Slide

  17. Do CSP whitelists work in practice ?
    The median policy has 12 distinct whitelisted hosts (in script-src).
    At the median of 12 entries, we managed to bypass 94.8 % of all policies!

    View Slide

  18. Do CSP whitelists work in practice ?
    Top 10 hosts for whitelist
    bypasses are sufficient to
    bypass 68% of all unique CSPs!

    View Slide

  19. CSP-Evaluator
    https://csp-evaluator.withgoogle.com
    ● Core library is open source
    ● Also as a Chrome Extension

    View Slide

  20. Do CSP whitelists work in practice ?
    ◉ Problems due to 'unsafe-inline', missing object-src,
    and wildcards could potentially be fixed
    ◉ Stop whitelisting domains that allow to bypass CSP
    is a much harder problem:
    ○ Can't use CDNs
    ○ Can't use widgets (e.g. Google Maps)
    ○ ...

    View Slide

  21. 'strict-dynamic'
    Drop whitelists and use nonces with dynamic trust propagation instead
    5

    View Slide

  22. Effects of 'strict-dynamic'
    ◉ Nonce-only not feasible in practice (libraries,
    widgets)
    ◉ Grant trust transitively via a one-use token (nonce)
    instead of listing whitelisted origins
    ◉ If present in a script-src or default-src directive,
    together with a nonce and/or hash
    ○ discard whitelists (for backward-compatibility)
    ○ Allow JS execution triggered by non-parser-inserted active
    content (dynamically generated).

    View Slide

  23. 'strict-dynamic' propagates trust to non-parser-inserted JS
    <br/>var s = document.createElement("script");<br/>s.src = "//example.com/bar.js";<br/>document.body.appendChild(s);<br/>
    <br/>var s = "<script ";<br/>s += "src=//example.com/bar.js>";
    document.write(s);

    <br/>var s = "<script ";<br/>s += "src=//example.com/bar.js>";
    document.body.innerHTML = s;

    View Slide

  24. How to adopt strict CSP ?
    1. Add nonces to elements<br/>2. Refactor inline event handlers and javascript: URIs<br/>3. Serve the following Content-Security-Policy header:<br/>script-src 'nonce-{random}' 'unsafe-inline''strict-dynamic' https: http:;<br/>object-src 'none';<br/>Detailed instructions on https://csp.withgoogle.com<br/>

    View Slide

  25. Advantages of a strict CSP ?
    ◉ tags injected via XSS will be blocked, because of<br/>missing nonce<br/>◉ No host/path whitelists necessary!<br/>○ Less breakages<br/>○ No need to go through the painful process of crafting and maintaining a<br/>whitelist → every product uses the same CSP!<br/>◉ No bypasses because of JSONP-like endpoints on external<br/>domains<br/>

    View Slide

  26. Does it work in practice ?
    ◉ Yes! 'strict-dynamic' is already served to millions of users
    ◉ Complex web applications with 'strict-dynamic':
    ○ Google Photos, Google Cloud Console, Google Wallet, Google History
    Chrome Web Store, Google Careers Search...

    View Slide

  27. Browser support for CSP
    :)
    :(
    Nonce support
    'strict-dynamic' support
    CSP support

    View Slide

  28. Research Questions
    ◉ How is CSP used on the web?
    ◉ Do deployed CSPs protect against XSS?
    ◉ Do CSP whitelists work in practice?
    ◉ Is there a better way to effectively mitigate XSS?
    No! >94% automatically bypassable
    No! Top 10 domains sufficient to bypass 68% CSPs
    Mostly to mitigate risk of XSS
    Nonces/hashes + 'strict-dynamic'

    View Slide

  29. Any questions ?
    You can find us at:
    {lwe,mikispag,slekies,aaj}@google.com
    @we1x, @mikispag, @slekies, @arturjanc
    Thanks!

    View Slide

  30. Appendix
    A

    View Slide

  31. Recap: What is XSS?
    String error = Request.getParameter("error");
    response.write(“” + error + “”);
    ◉ Attacker controlled scripts executing in the context of a user
    GET /errorPage?error=alert(1)
    alert(1)

    View Slide

  32. Most commonly whitelisted domains
    Count Origin XSS bypass JSONP bypass Angular bypass 'object-src' bypass
    8825 www.google-analytics.com yes, if 'unsafe-eval' yes, if 'unsafe-eval' no no
    7201 *.googleapis.com yes yes yes yes
    6307 *.google-analytics.com yes, if 'unsafe-eval' yes, if 'unsafe-eval' no no
    5817 *.google.com yes yes no no
    5475 *.yandex.ru yes yes no no
    5146 *.gstatic.com yes no yes no
    5076 vk.com yes yes no yes
    4728 mc.yandex.ru yes yes no no
    4423 yandex.st yes no yes no
    4189 ajax.googleapis.com yes yes yes yes
    3829 *.googlesyndication.com yes yes no no
    3621 *.doubleclick.net yes yes no no
    3617 yastatic.net yes no yes no
    2959 connect.facebook.net no no no no
    2809 www.google.com yes yes no no

    View Slide