
BSidesLA Managing Content Security Policy

Neil Matatall
September 11, 2014


Talks about how to succeed at CSP. Tips on applying policies, managing reports, and managing a project. It also talks about CSP level 2 features such as nonce and hash (and how it will save the world)



  1. Managing Content Security Policy @ndm

  2. @ndm BSidesLA 2014 Before we get into CSP, here’s a

  3. What is CSP • the greatest thing since sliced bread • our savior in a world full of xss
  4. Should you apply CSP: It is negligent to write a new web application without applying CSP from day 1. CSP should be on 100% of html endpoints, but it is not trivial to apply CSP to an existing app.
  5. This is an unrealistic policy: default-src 'self'; object-src 'none'. XSS eliminated* √, Flash disabled √, Mixed content disallowed √, Third party content not allowed √
  6. This is a realistic policy: default-src 'self'; img-src; object-src 'none'; script-src; style-src. XSS eliminated* √, Flash disabled √, Mixed content disallowed √, Third party content not allowed √
  7. This is a common policy: default-src 'self'; img-src; script-src 'unsafe-inline'; style-src 'unsafe-inline'. XSS eliminated* X, Flash disabled X, Mixed content disallowed √, Third party content not allowed √
  8. This is a useless policy: default-src *; script-src * 'unsafe-inline' 'unsafe-eval'; style-src * 'unsafe-inline'. XSS eliminated* X, Flash disabled X, Mixed content disallowed X, Third party content not allowed X
  9. This is a crazy policy: content-security-policy-report-only: script-src 'self' 'unsafe-inline' 'unsafe-eval' https:// https:// https:// https://; frame-src 'self' https:// static/ https://* resources/ https://* https:// https://www- https://; object-src https://mail-; report-uri /mail/cspreport
  10. Seriously, what is CSP • http response header • set of directives that determine what a browser is allowed to do
  11. How • Limit where resources can load from • Enable/disable use of eval • Enable/disable inline javascript • Enable/disable inline css
  12. What is inline javascript? • Inline event handlers (onClick="") • javascript: URIs <a href="javascript:"> • Content in <script> tags
  13. How does the browser know? <script>goodStuff()</script>
  14. How might the browser know? <script
  15. CSP Features • CSP has built-in reporting • CSP has "report-only" mode for testing • You can set a report-only and enforced header for the same page
  16. Agenda • What is CSP? • How to apply CSP • How to manage CSP reports • How to win at CSP
  17. Steps for success • Apply CSP in all environments (dev/staging/prod) • Use your employees as beta testers • Have a safety valve
  18. Make a plan • Ensure no inline script is introduced • Ensure no new hosts are introduced • Set realistic expectations on goals
  19. Apply CSP client-side • caspr-enforcer • userCSP
  20. How to apply CSP: Header set Content-Security-Policy ... (Apache); add_header Content-Security-Policy ... (nginx)
  21. How to apply CSP IRL: WRITE CODE
  22. Better yet: PROVIDE A LIBRARY

  23. POLICY = "default-src 'self'; connect-src 'self'; font-src 'self'; frame-src https://s- https://* https:// * https://* https://* 'self'; img-src https://fbcdn-sphotos- https://* https://* https://* https:// * 'self' data:; media-src 'self'; object-src 'self'; script-src https://* https://* https:// * https://* 'self' about:; style-src 'unsafe-inline' https://fbcdn-sphotos- https://* https://* https://* https:// * 'self'; report-uri https://;"
      if FeatureToggle.isAvailable?(:enforce_csp)
        response.headers['Content-Security-Policy'] = POLICY
      else
        response.headers['Content-Security-Policy-Report-Only'] = POLICY
      end
  24. ssl_src = ["", "", "*", "*", "*", "", ""].map { |s| "https://" + s }.join(" ")
      csp = {
        enforce: lambda { ... },
        default_src: 'self',
        frame_src: "#{ssl_src} self",
        script_src: "#{ssl_src} self about:",
        style_src: "inline #{ssl_src} self",
        img_src: "#{ssl_src} self",
        report_uri: '//'
      }
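An added example (not the deck's code and not secure_headers itself) of what the library on slides 23 and 24 does for you: serialize a hash-style config into a header value, pick the enforced or report-only header name from a toggle, and tag report-uri with the mode and app name as slide 40 recommends. The hosts in SSL_SRC and the /csp_reports endpoint are assumptions.

```ruby
require 'cgi'

# Hypothetical hosts standing in for the ones the slide elides.
SSL_SRC = ['cdn.example', '*.static.example'].map { |h| "https://#{h}" }.join(' ')

# Hash-style config as on slide 24: bare keywords, hosts as written.
CSP_CONFIG = {
  default_src: 'self',
  frame_src:   "#{SSL_SRC} self",
  script_src:  "#{SSL_SRC} self about:",
  style_src:   "inline #{SSL_SRC} self",
  img_src:     "#{SSL_SRC} self",
  report_uri:  '/csp_reports'
}

# Bare keywords the config accepts and the CSP source expressions they become.
KEYWORDS = { 'self' => "'self'", 'none' => "'none'",
             'inline' => "'unsafe-inline'", 'eval' => "'unsafe-eval'" }

def source_list(value)
  value.split.map { |tok| KEYWORDS.fetch(tok, tok) }.join(' ')
end

# Serialize the config into a header value. report-uri is tagged with the
# mode and the app name so the collector can tell reports apart (slide 40).
def build_policy(config, app_name:, enforce:)
  config.map do |key, value|
    directive = key.to_s.tr('_', '-')
    if directive == 'report-uri'
      "#{directive} #{value}?read_only=#{!enforce}&app_name=#{CGI.escape(app_name)}"
    else
      "#{directive} #{source_list(value)}"
    end
  end.join('; ')
end

# Same policy, two header names: enforce when the toggle is on, otherwise
# report-only so the policy is observed without breaking anything.
def csp_header(config, app_name:, enforce:)
  name = enforce ? 'Content-Security-Policy' : 'Content-Security-Policy-Report-Only'
  { name => build_policy(config, app_name: app_name, enforce: enforce) }
end

puts csp_header(CSP_CONFIG, app_name: 'twitter', enforce: false) if __FILE__ == $0
```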
  25. Libraries: helmet (express/node), secureheaders (rails/sinatra/padrino/ruby), highlines (j2ee/java), secureheader (go), laravel-secureheaders (php), NWebSec (ASP.NET), django-csp + commonware (Django/Python), SecureHeaders (ASP.NET), Dancer-Plugin-SecureHeaders (Perl), ring-secure-headers (Clojure), mod_secure_headers (apache)
  26. Do I really need a library? Yes.
  27. Should I need a library? No. Frameworks should provide this, amirite? Want XSS? √ Want Mixed content? √ Want Flash Exploits √ Want 3rd party content √
  28. CSP Level 2 Is your best friend. Case study: 2 years: tried to remove inline script - FAIL. 2 weeks: implemented script nonce feature - SUCCESS*
  29. Nonces: ...script-src 'nonce-abc123'...
      <script nonce="abc123">
        alert("Hey I can run!")
      </script>
      <script>
        alert("this will never happen!")
      </script>
  30. Hashes: script-src 'sha256-asdfasdf'
      <script>
        alert("Hey I can run!")
      </script>
      <script>
        alert("this will never happen!")
      </script>
  31. Build CSP Level 2 into the framework. In order to enable nonce in secure_headers: • add 'nonce' to the script-src config: script_src: "#{ssl_src} self about: nonce"
  32. What about hashes? • In use on :) • Library support is more tricky, but coming • Want to calculate your hashes?
      $.each($('script'), function(index, x) {
        var sha = CryptoJS.SHA1(x.innerHTML);
        console.log("'sha1-" + sha.toString(CryptoJS.enc.Base64) + "'");
      });
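An added example (not from the deck or from secure_headers) of the nonce and hash mechanics on slides 29, 30 and 32: compute the CSP Level 2 hash source for an inline script and decide whether a policy's script-src would let a given <script> run, by nonce or by hash. It uses sha256 as slide 30 does rather than the sha1 of the slide 32 snippet, because the finished Level 2 spec lists only sha256, sha384 and sha512; the script bodies are the slides' own.

```ruby
require 'digest'
require 'base64'
require 'securerandom'

# Browsers hash the exact text between the <script> tags (whitespace included)
# and compare the base64 digest with the policy's 'sha256-...' source.
def script_hash(inline_js, algo = 'sha256')
  digest = case algo
           when 'sha256' then Digest::SHA256.digest(inline_js)
           when 'sha384' then Digest::SHA384.digest(inline_js)
           when 'sha512' then Digest::SHA512.digest(inline_js)
           else raise ArgumentError, "CSP Level 2 hash sources are sha256/384/512, not #{algo}"
           end
  "'#{algo}-#{Base64.strict_encode64(digest)}'"
end

# A fresh, unguessable nonce per response; a fixed or reused nonce defeats it.
def generate_nonce
  Base64.strict_encode64(SecureRandom.random_bytes(16))
end

# Would an inline <script> run under this script-src source list?
# script is { nonce: "abc123", body: "alert(...)" }; nonce may be absent.
def inline_script_allowed?(script_src, script)
  sources = script_src.split
  # CSP2: once a nonce or hash source is present, 'unsafe-inline' is ignored
  has_nonce_or_hash = sources.any? { |s| s.start_with?("'nonce-", "'sha256-", "'sha384-", "'sha512-") }
  return true if sources.include?("'unsafe-inline'") && !has_nonce_or_hash
  nonce_ok = script[:nonce] && sources.include?("'nonce-#{script[:nonce]}'")
  hash_ok  = sources.any? do |s|
    s =~ /\A'(sha(?:256|384|512))-/ && s == script_hash(script[:body].to_s, $1)
  end
  !!(nonce_ok || hash_ok)
end
```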
  33. Monolithic app? Sorry :( The REPL cycle is very long here. It's a long process.
  34. Service oriented? Easy! Apply secure defaults and the apps will converge on secure settings • Disallow eval/inline script by default • Have your code tell you about overrides
  35. Agenda • What is CSP? • How to apply CSP • How to manage CSP reports • How to win at CSP
  36. Reporting: You cannot be successful with CSP on a large scale if you don't analyze your reports.
  37. What's in a report?
      {
        "csp-report": {
          "document-uri": "",
          "referrer": "",
          "blocked-uri": "",
          "violated-directive": "img-src 'self'"
        }
      }
  38. What's _not_ in a report? • classification (mixed content, inline script, etc.) • report-only? enforced? • underlying application identifier (easier to tie back to code) • user agent
  39. Classifying reports
      if blockedUri is empty (or self) {
        if violation type is script {
        } elsif violation type is style {
        } else {
        }
      } else {
        if the scheme of the blocked uri is http and (the violated directive contains http + blocked host or https is whitelisted and http is not) {
        } elseif violated directive does not contain the blocked host {
        } else {
        }
      }
  40. Since you have a library... • You can add data to your report-uri o was this policy enforced? o what application generated the alert? o e.g. report-uri /csp_reports?read_only=true&app_name=twitter
  41. Report normalization for better stats • blocked-uri -> blocked_host • document-uri -> document-host, path o -> , ndm • violated-directive -> violation type o script-src 'self' ... -> script-src • user-agent -> browser o Mozilla/5.0...AppleWebKit...Chrome/... -> Chrome
  42. FILTER FILTER FILTER: document_uri must match the subdomain the report was sent to. blocked_uri and source_file must start with http (unless blank).
  43. FILTER (cont'd)
      val reasonFiltered: Option[String] = {
        val sourceFileString = sourceFile.getOrElse("").toLowerCase
        if ("localhost" == reportHost || "localhost" == blockedHost
            || "" == reportHost || "" == blockedHost) {
        } else if (sourceFileString.startsWith("resource://")
            || blockedUri.contains("")) {
        } else if (sourceFileString.startsWith("chromenull://") || blockedUri.startsWith("chromenull://")) {
          Some("chromenull")
        }
      ... and the list goes on
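An added example (not the deck's code) of the filter, normalize and classify steps from slides 39 to 43 as one Ruby pipeline, run over a constructed report in the slide 37 format. The filter-reason and category names are this example's own, the mixed-content test is the simplified "host whitelisted over https, loaded over http" case, and the user-agent mapping is a crude regex.

```ruby
require 'uri'

def host_of(uri)
  URI(uri.to_s).host rescue nil
end

# Drop the junk the deck calls out: localhost, browser-internal schemes, and
# reports whose document is not under the host this endpoint serves (slide 42).
def filter_reason(r, expected_host)
  doc_host = host_of(r['document-uri'])
  blocked  = r['blocked-uri'].to_s
  src      = r['source-file'].to_s.downcase
  return 'wrong_host' unless doc_host && doc_host.end_with?(expected_host)
  return 'localhost'  if [doc_host, host_of(blocked)].include?('localhost')
  return 'chromenull' if [src, blocked].any? { |u| u.start_with?('chromenull://') }
  return 'extension'  if src.start_with?('resource://')
  ok = ->(u) { u.empty? || u == 'self' || u.start_with?('http') }
  return 'bad_scheme' unless ok[blocked] && ok[src]
  nil
end

# Flatten the report into the fields you actually group by (slide 41).
def normalize(r, user_agent)
  doc = URI(r['document-uri'])
  { blocked_host: host_of(r['blocked-uri']), document_host: doc.host, path: doc.path,
    violation_type: r['violated-directive'].to_s.split.first,
    browser: user_agent[/Firefox|Chrome|Safari|Trident/] || 'other' }
end

# The decision tree on slide 39; the category names are this example's own.
def classify(r)
  blocked   = r['blocked-uri'].to_s
  directive = r['violated-directive'].to_s
  if blocked.empty? || blocked == 'self'
    return { 'script-src' => 'inline_script', 'style-src' => 'inline_style' }.fetch(directive.split.first, 'inline_other')
  end
  host = host_of(blocked)
  if blocked.start_with?('http://') && host && directive.include?(host) && !directive.include?("http://#{host}")
    'mixed_content'      # host is whitelisted over https but was loaded over http
  elsif host && !directive.include?(host)
    'unauthorized_host'  # host is not in the source list at all
  else
    'other'
  end
end

# Constructed sample report in the slide 37 format (not real data).
SAMPLE = { 'document-uri' => 'https://twitter.com/ndm', 'referrer' => '',
           'blocked-uri' => 'http://cdn.example/a.png', 'violated-directive' => "img-src 'self' https://cdn.example" }
```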
  44. Watch graphs
  45. Alert on Spikes of activity
  46. Dive into your reports
  47. Answer questions • Give me the inline script reports for twitter o app_name: twitter classification: inline_script • "What kind of violations happen the most?" o use the classification field (or violation_type) • "What pages generate the most violations?" o use report_host + path
  48. Investigation strategy: Click a bunch of shit
  49. That's a lot to build to the rescue!
  50. @ndm BSidesLA 2014

  51. Agenda • What is CSP? • How to apply CSP • How to manage CSP reports • How to win at CSP
  52. Checklist: Ensure only compliant code is introduced. Provide the tools to configure a policy. Monitor the reports, build a case. Test on your employees/beta testers. Gradually turn the dial from 0 to 11. Profit.
  53. Open issues: "Inline" reports are crazy hard to decipher. Trigger all types of inline violations, see how they look in the reports.
  54. What is it looking for? Inline script, javascript: uris, inline event handlers, use of eval, inline style
  55. Distinct blocked URI values: "" "self" WAT
  56. Script samples FTW (kinda): eval("shouldn't happen"); link-decoration: bold; console.log("shouldn't happen"); onerror attribute on IMG element. Firefox only :'(
  57. Early results We're not in a happy
  58. Future research: Plugin signatures

  59. @ndm BSidesLA 2014

  60. Resources