BSidesLA Managing Content Security Policy

Neil Matatall
September 11, 2014

Talks about how to succeed at CSP. Tips on applying policies, managing reports, and managing a project. It also talks about CSP level 2 features such as nonce and hash (and how it will save the world)


  1. Managing Content Security Policy @ndm

  2. @ndm BSidesLA 2014 Before we get into CSP, here's a

  3. What is CSP
     • the greatest thing since sliced bread
     • our savior in a world full of xss

  4. Should you apply CSP?
     It is negligent to write a new web application without applying CSP from day 1.
     CSP should be on 100% of html endpoints, but it is not trivial to apply CSP to an existing app.

  5. This is an unrealistic policy
     default-src 'self'; object-src 'none'
     XSS eliminated* √  Flash disabled √  Mixed content disallowed √  Third party content not allowed √

  6. This is a realistic policy
     default-src 'self'; img-src https://mycdn.com; object-src 'none'; script-src https://mycdn.com; style-src https://mycdn.com
     XSS eliminated* √  Flash disabled √  Mixed content disallowed √  Third party content not allowed √

  7. This is a common policy
     default-src 'self'; img-src https://mycdn.com; script-src 'unsafe-inline' https://mycdn.com; style-src 'unsafe-inline' https://mycdn.com
     XSS eliminated* X  Flash disabled X  Mixed content disallowed √  Third party content not allowed √

  8. This is a useless policy
     default-src *; script-src * 'unsafe-inline' 'unsafe-eval'; style-src * 'unsafe-inline';
     XSS eliminated* X  Flash disabled X  Mixed content disallowed X  Third party content not allowed X

  9. This is a crazy policy
     content-security-policy-report-only:
       script-src 'self' 'unsafe-inline' 'unsafe-eval' https://talkgadget.google.com/ https://www.googleapis.com/appsmarket/v2/installedApps/ https://www-gm-opensocial.googleusercontent.com/gadgets/js/ https://docs.google.com/static/doclist/client/js/ https://www.google.com/tools/feedback/ https://s.ytimg.com/yts/jsbin/ https://www.youtube.com/iframe_api https://ssl.google-analytics.com/ https://apis.google.com/_/scs/abc-static/ https://apis.google.com/js/ https://clients1.google.com/complete/ https://apis.google.com/_/scs/apps-static/_/js/ https://ssl.gstatic.com/inputtools/js/ https://ssl.gstatic.com/cloudsearch/static/o/js/ https://www.gstatic.com/feedback/js/ https://www.gstatic.com/common_sharing/static/client/js/ https://www.gstatic.com/og/_/js/;
       frame-src 'self' https://accounts.google.com/ https://apis.google.com/u/ https://clients6.google.com/static/ https://content.googleapis.com/static/ https://mail-attachment.googleusercontent.com/ https://www.google.com/calendar/ https://docs.google.com/ https://drive.google.com https://*.googleusercontent.com/docs/securesc/ https://feedback.googleusercontent.com/resources/ https://www.google.com/tools/feedback/ https://*.googleusercontent.com/gadgets/ifr https://talkgadget.google.com/u/ https://talkgadget.google.com/talkgadget/ https://isolated.mail.google.com/mail/ https://www-gm-opensocial.googleusercontent.com/gadgets/ https://plus.google.com/ https://wallet.google.com/gmail/ https://www.youtube.com/embed/ https://clients5.google.com/pagead/drt/dn/ https://clients5.google.com/ads/measurement/jn/ https://www.gstatic.com/mail/ww/ https://clients5.google.com/webstore/wall/;
       object-src https://mail-attachment.googleusercontent.com/swfs/ https://mail-attachment.googleusercontent.com/attachment/;
       report-uri /mail/cspreport
  10. Seriously, what is CSP
      • http response header
      • set of directives that determine what a browser is allowed to do

  11. How
      • Limit where resources can load from
      • Enable/disable use of eval
      • Enable/disable inline javascript
      • Enable/disable inline css

  12. What is inline javascript?
      • Inline event handlers (onClick="")
      • javascript: URIs (<a href="javascript:">)
      • Content in <script> tags

  13. How does the browser know?
      <script>goodStuff()</script>

  14. How might the browser know?
      <script

  15. CSP Features
      • CSP has built-in reporting
      • CSP has "report-only" mode for testing
      • You can set a report-only and enforced header for the same page

  16. Agenda
      • What is CSP?
      • How to apply CSP
      • How to manage CSP reports
      • How to win at CSP

  17. Steps for success
      • Apply CSP in all environments (dev/staging/prod)
      • Use your employees as beta testers
      • Have a safety valve

  18. Make a plan
      • Ensure no inline script is introduced
      • Ensure no new hosts are introduced
      • Set realistic expectations on goals

  19. Apply CSP client-side
      • caspr-enforcer: https://chrome.google.com/webstore/detail/caspr-enforcer/
      • userCSP: https://github.com/patilkr/userCSP

  20. How to apply CSP
      Header set Content-Security-Policy ... (Apache)
      add_header Content-Security-Policy ... (nginx)

  21. How to apply CSP IRL: WRITE CODE

  22. Better yet: PROVIDE A LIBRARY
  23. The hand-rolled way (Rails controller code):
      POLICY = "default-src 'self'; connect-src 'self'; font-src 'self'; frame-src https://s-static.ak.fbcdn.net https://fbcdn-sphotos-a.akamaihd.net https://*.googleapis.com https://*.twitter.com https://*.twimg.com https://*.google-analytics.com https://s3.amazonaws.com https://twitter.com 'self'; img-src https://s-static.ak.fbcdn.net https://fbcdn-sphotos-a.akamaihd.net https://*.googleapis.com https://*.twitter.com https://*.twimg.com https://*.google-analytics.com https://s3.amazonaws.com https://twitter.com https://twimg0-a.akamaihd.net 'self' data:; media-src 'self'; object-src 'self'; script-src https://s-static.ak.fbcdn.net https://fbcdn-sphotos-a.akamaihd.net https://*.googleapis.com https://*.twitter.com https://*.twimg.com https://*.google-analytics.com https://s3.amazonaws.com https://twitter.com 'self' about:; style-src 'unsafe-inline' https://s-static.ak.fbcdn.net https://fbcdn-sphotos-a.akamaihd.net https://*.googleapis.com https://*.twitter.com https://*.twimg.com https://*.google-analytics.com https://s3.amazonaws.com https://twitter.com 'self'; report-uri https://twitter.com/i/csp_report?enforce=true&app_name=ORZGC3TTNRQXI2LPNYWXGZLSOZUWGZI%3D;"

      # The same policy goes out enforced or report-only depending on a feature toggle.
      if FeatureToggle.isAvailable?(:enforce_csp)
        response.headers['Content-Security-Policy'] = POLICY
      else
        response.headers['Content-Security-Policy-Report-Only'] = POLICY
      end

  24. The same policy as a secure_headers config (the library expands "self" to 'self' and "inline" to 'unsafe-inline'):
      ssl_src = ["s-static.ak.fbcdn.net", "fbcdn-sphotos-a.akamaihd.net", "*.twitter.com", "*.twimg.com", "*.google-analytics.com", "s3.amazonaws.com", "twitter.com"].map { |s| "https://" + s }.join(" ")
      csp = {
        # the lambda body is not on the slide; the feature toggle from slide 23 is assumed here
        enforce: lambda { FeatureToggle.isAvailable?(:enforce_csp) },
        default_src: 'self',
        frame_src: "#{ssl_src} self",
        script_src: "#{ssl_src} self about:",
        style_src: "inline #{ssl_src} self",
        img_src: "#{ssl_src} https://twimg0-a.akamaihd.net self",
        report_uri: '//twitter.com/i/csp_report'
      }
  25. Libraries
      • helmet (express/node)
      • secureheaders (rails/sinatra/padrino/ruby)
      • highlines (j2ee/java)
      • secureheader (go)
      • laravel-secureheaders (php)
      • NWebSec (ASP.NET)
      • django-csp + commonware (Django/Python)
      • SecureHeaders (ASP.NET)
      • Dancer-Plugin-SecureHeaders (Perl)
      • ring-secure-headers (Clojure)
      • mod_secure_headers (apache)

  26. Do I really need a library? Yes.

  27. Should I need a library? No. Frameworks should provide this, amirite?
      Want XSS? √  Want Mixed content? √  Want Flash Exploits? √  Want 3rd party content? √

  28. CSP Level 2 is your best friend
      Case study:
      2 years: tried to remove inline script - FAIL
      2 weeks: implemented script nonce feature - SUCCESS*
  29. Nonces
      ...script-src 'nonce-abc123'...
      <script nonce="abc123">
        alert("Hey I can run!")
      </script>
      <script>
        alert("this will never happen!")
      </script>

  30. Hashes
      script-src 'sha256-asdfasdf'
      <script>
        alert("Hey I can run!")
      </script>
      <script>
        alert("this will never happen!")
      </script>

  31. Build CSP Level 2 into the framework
      In order to enable nonce in secure_headers:
      • add 'nonce' to the script-src config
        script_src: "#{ssl_src} self about: nonce"

  32. What about hashes?
      • In use on blog.matatall.com :)
      • Library support is more tricky, but coming
      • Want to calculate your hashes? Run this in the browser console on the page:
        $.each($('script'), function(index, x) {
          var sha = CryptoJS.SHA1(x.innerHTML);
          console.log("'sha1-" + sha.toString(CryptoJS.enc.Base64) + "'");
        });
  33. Monolithic app? Sorry :(
      The REPL cycle is very long here. It's a long process.

  34. Service oriented? Easy!
      Apply secure defaults and the apps will converge on secure settings
      • Disallow eval/inline script by default
      • Have your code tell you about overrides

  35. Agenda
      • What is CSP?
      • How to apply CSP
      • How to manage CSP reports
      • How to win at CSP

  36. Reporting
      You cannot be successful with CSP on a large scale if you don't analyze your reports.
  37. What's in a report?
      {
        "csp-report": {
          "document-uri": "http://example.org/page.html",
          "referrer": "http://evil.example.com/haxor.html",
          "blocked-uri": "http://evil.example.com/image.png",
          "violated-directive": "img-src 'self'"
        }
      }

  38. What's _not_ in a report?
      • classification (mixed content, inline script, etc.)
      • report-only? enforced?
      • underlying application identifier (easier to tie back to code)
      • user agent

  39. Classifying reports
      if blockedUri is empty (or self) {
        if violation type is script {
        } elsif violation type is style {
        } else {
        }
      } else {
        if the scheme of the blocked uri is http and (the violated directive contains http + blocked host or https is whitelisted and http is not) {
        } elseif violated directive does not contain the blocked host {
        } else {
        }
      }

  40. Since you have a library...
      • You can add data to your report-uri
        o was this policy enforced?
        o what application generated the alert?
        o e.g. report-uri /csp_reports?read_only=true&app_name=twitter

  41. Report normalization for better stats
      • blocked-uri -> blocked_host
      • document-uri -> document_host, path
        o https://twitter.com/ndm -> twitter.com, ndm
      • violated-directive -> violation type
        o script-src 'self' ... -> script-src
      • user-agent -> browser
        o Mozilla/5.0...AppleWebKit...Chrome/... -> Chrome
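The report parsing, normalization and classification steps from slides 37 to 41 carried through in Ruby, as an added example (not Twitter's collector or the deck's own code): the report is a constructed sample, and the class labels (inline_script, inline_style, mixed_content, unauthorized_host, other) are assumed names for the branches the deck leaves unlabeled.

```ruby
require 'json'
require 'uri'
# Constructed sample report in the shape the deck shows (not a real capture).
SAMPLE_REPORT = '{"csp-report": {"document-uri": "https://twitter.com/ndm", ' \
                '"blocked-uri": "http://evil.example.com/image.png", ' \
                '"violated-directive": "img-src \'self\' https://*.twimg.com"}}'

# Does one source expression (https://*.twimg.com, twitter.com, ...) cover host?
def host_match?(source, host)
  h = source.sub(%r{\Ahttps?://}, '')
  h.start_with?('*.') ? host.to_s.end_with?(h[1..-1]) : host == h
end
# Normalization as on the deck: hosts, path, violation type, browser family.
def normalize(json, user_agent)
  r = JSON.parse(json)['csp-report']
  doc = URI.parse(r['document-uri'])
  blocked = r['blocked-uri'].to_s
  directive = r['violated-directive'].to_s.split(' ')
  { document_host: doc.host, path: doc.path.sub(%r{\A/}, ''),
    blocked_uri: blocked, blocked_host: (URI.parse(blocked).host rescue nil),
    violation_type: directive.first, sources: directive.drop(1),
    browser: user_agent[/Chrome|Firefox|Safari/] || 'other' }
end

# The deck's classification tree; the label names are assumed, not the deck's.
def classify(n)
  if n[:blocked_uri].empty? || n[:blocked_uri] == 'self'
    case n[:violation_type]
    when 'script-src' then 'inline_script'
    when 'style-src'  then 'inline_style'
    else 'inline_other'
    end
  else
    host = n[:blocked_host]
    http_ok  = n[:sources].any? { |s| s.start_with?('http://')  && host_match?(s, host) }
    https_ok = n[:sources].any? { |s| s.start_with?('https://') && host_match?(s, host) }
    if n[:blocked_uri].start_with?('http:') && (http_ok || (https_ok && !http_ok))
      'mixed_content' # whitelisted host, but loaded over plain http
    elsif n[:sources].none? { |s| host_match?(s, host) }
      'unauthorized_host'
    else
      'other'
    end
  end
end
def classify_report(json, user_agent)
  n = normalize(json, user_agent)
  n.merge(classification: classify(n))
end
```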
  42. FILTER FILTER FILTER
      document_uri must match the subdomain the report was sent to
      blocked_uri and source_file must start with http (unless blank)
      http://engineeringblog.yelp.com/2014/09/csp_reports_at_scale.html

  43. FILTER (cont'd)
      val reasonFiltered: Option[String] =
        val sourceFileString = sourceFile.getOrElse("").toLowerCase
        if ("localhost" == reportHost || "localhost" == blockedHost
            || "" == reportHost || "" == blockedHost) {
        } else if (sourceFileString.startsWith("resource://")
            || blockedUri.contains("addons.mozilla.org%22%3B%0Avar%20c%3D%22FastestFox")) {
        } else if (sourceFileString.startsWith("chromenull://") || blockedUri.startsWith("chromenull://")) {
          Some("chromenull")
        } ... and the list goes on
      https://blog.matatall.com/2014/07/twitters-csp-report-collector-design/
  44. Watch graphs

  45. Alert on spikes of activity

  46. Dive into your reports

  47. Answer questions
      • Give me the inline script reports for twitter
        o app_name: twitter, classification: inline_script
      • "What kind of violations happen the most?"
        o use the classification field (or violation_type)
      • "What pages generate the most violations?"
        o use report_host + path

  48. Investigation strategy: Click a bunch of shit

  49. That's a lot to build. caspr.io to the rescue!

  50. @ndm BSidesLA 2014

  51. Agenda
      • What is CSP?
      • How to apply CSP
      • How to manage CSP reports
      • How to win at CSP

  52. Checklist
      • Ensure only compliant code is introduced
      • Provide the tools to configure a policy
      • Monitor the reports, build a case
      • Test on your employees/beta testers
      • Gradually turn the dial from 0 to 11
      • Profit

  53. Open issues
      "Inline" reports are crazy hard to decipher.
      https://csp-inline-fingerprint.herokuapp.com
      Trigger all types of inline violations, see how they look in the reports

  54. What is it looking for?
      inline script, javascript: uris, inline event handlers, use of eval, inline style

  55. Distinct blocked URI values: "" "self"
      WAT

  56. Script samples FTW (kinda)
      eval("shouldn't happen")
      link-decoration: bold
      console.log("shouldn't happen")
      onerror attribute on IMG element
      Firefox only :'(

  57. Early results: We're not in a happy

  58. Future research: Plugin signatures

  59. @ndm BSidesLA 2014

  60. Resources
      twitter.com/seeesspee
      CspPlayground.com
      CspIsAwesome.com
      securityheaders.com
      caniuse.com/contentsecuritypolicy