
BSidesLA Managing Content Security Policy

Neil Matatall
September 11, 2014


Talks about how to succeed at CSP: tips on applying policies, managing reports, and managing a project. It also covers CSP Level 2 features such as nonce and hash (and how they will save the world).


Transcript

  1. @ndm BSidesLA 2014: What is CSP
     • the greatest thing since sliced bread
     • our savior in a world full of XSS

  2. Should you apply CSP?
     It is negligent to write a new web application without applying CSP from day 1.
     CSP should be on 100% of HTML endpoints, but it is not trivial to apply CSP to an existing app.

  3. This is an unrealistic policy
     default-src 'self'; object-src 'none'
     XSS eliminated* √  Flash disabled √  Mixed content disallowed √  Third party content not allowed √
  4. This is a realistic policy
     default-src 'self'; img-src https://mycdn.com; object-src 'none'; script-src https://mycdn.com; style-src https://mycdn.com
     XSS eliminated* √  Flash disabled √  Mixed content disallowed √  Third party content not allowed √

  5. This is a common policy
     default-src 'self'; img-src https://mycdn.com; script-src 'unsafe-inline' https://mycdn.com; style-src 'unsafe-inline' https://mycdn.com
     XSS eliminated* X  Flash disabled X  Mixed content disallowed √  Third party content not allowed √

  6. This is a useless policy
     default-src *; script-src * 'unsafe-inline' 'unsafe-eval'; style-src * 'unsafe-inline';
     XSS eliminated* X  Flash disabled X  Mixed content disallowed X  Third party content not allowed X
  7. This is a crazy policy
     content-security-policy-report-only:
     script-src 'self' 'unsafe-inline' 'unsafe-eval' https://talkgadget.google.com/ https://www.googleapis.com/appsmarket/v2/installedApps/ https://www-gm-opensocial.googleusercontent.com/gadgets/js/ https://docs.google.com/static/doclist/client/js/ https://www.google.com/tools/feedback/ https://s.ytimg.com/yts/jsbin/ https://www.youtube.com/iframe_api https://ssl.google-analytics.com/ https://apis.google.com/_/scs/abc-static/ https://apis.google.com/js/ https://clients1.google.com/complete/ https://apis.google.com/_/scs/apps-static/_/js/ https://ssl.gstatic.com/inputtools/js/ https://ssl.gstatic.com/cloudsearch/static/o/js/ https://www.gstatic.com/feedback/js/ https://www.gstatic.com/common_sharing/static/client/js/ https://www.gstatic.com/og/_/js/;
     frame-src 'self' https://accounts.google.com/ https://apis.google.com/u/ https://clients6.google.com/static/ https://content.googleapis.com/static/ https://mail-attachment.googleusercontent.com/ https://www.google.com/calendar/ https://docs.google.com/ https://drive.google.com https://*.googleusercontent.com/docs/securesc/ https://feedback.googleusercontent.com/resources/ https://www.google.com/tools/feedback/ https://*.googleusercontent.com/gadgets/ifr https://talkgadget.google.com/u/ https://talkgadget.google.com/talkgadget/ https://isolated.mail.google.com/mail/ https://www-gm-opensocial.googleusercontent.com/gadgets/ https://plus.google.com/ https://wallet.google.com/gmail/ https://www.youtube.com/embed/ https://clients5.google.com/pagead/drt/dn/ https://clients5.google.com/ads/measurement/jn/ https://www.gstatic.com/mail/ww/ https://clients5.google.com/webstore/wall/;
     object-src https://mail-attachment.googleusercontent.com/swfs/ https://mail-attachment.googleusercontent.com/attachment/;
     report-uri /mail/cspreport
  8. Seriously, what is CSP?
     • an HTTP response header
     • a set of directives that determine what a browser is allowed to do

  9. How
     • Limit where resources can load from
     • Enable/disable use of eval
     • Enable/disable inline JavaScript
     • Enable/disable inline CSS

  10. What is inline JavaScript?
     • Inline event handlers (onclick="")
     • javascript: URIs <a href="javascript:">
     • Content in <script> tags

  11. How might the browser know?
     <script src="/goodstuff.js"></script>
     <script>badStuff()</script>
  12. CSP Features
     • CSP has built-in reporting
     • CSP has "report-only" mode for testing
     • You can set a report-only and an enforced header for the same page

  13. Agenda
     • What is CSP?
     • How to apply CSP
     • How to manage CSP reports
     • How to win at CSP

  14. Steps for success
     • Apply CSP in all environments (dev/staging/prod)
     • Use your employees as beta testers
     • Have a safety valve

  15. Make a plan
     • Ensure no inline script is introduced
     • Ensure no new hosts are introduced
     • Set realistic expectations on goals
  16. The hard way: one hand-built policy string
     POLICY = "default-src 'self'; connect-src 'self'; font-src 'self'; frame-src https://s-static.ak.fbcdn.net https://fbcdn-sphotos-a.akamaihd.net https://*.googleapis.com https://*.twitter.com https://*.twimg.com https://*.google-analytics.com https://s3.amazonaws.com https://twitter.com 'self'; img-src https://s-static.ak.fbcdn.net https://fbcdn-sphotos-a.akamaihd.net https://*.googleapis.com https://*.twitter.com https://*.twimg.com https://*.google-analytics.com https://s3.amazonaws.com https://twitter.com https://twimg0-a.akamaihd.net 'self' data:; media-src 'self'; object-src 'self'; script-src https://s-static.ak.fbcdn.net https://fbcdn-sphotos-a.akamaihd.net https://*.googleapis.com https://*.twitter.com https://*.twimg.com https://*.google-analytics.com https://s3.amazonaws.com https://twitter.com 'self' about:; style-src 'unsafe-inline' https://s-static.ak.fbcdn.net https://fbcdn-sphotos-a.akamaihd.net https://*.googleapis.com https://*.twitter.com https://*.twimg.com https://*.google-analytics.com https://s3.amazonaws.com https://twitter.com 'self'; report-uri https://twitter.com/i/csp_report?enforce=true&app_name=ORZGC3TTNRQXI2LPNYWXGZLSOZUWGZI%3D;"

     if FeatureToggle.isAvailable?(:enforce_csp)
       response.headers['Content-Security-Policy'] = POLICY
     else
       response.headers['Content-Security-Policy-Report-Only'] = POLICY
     end
  17. The same policy as a secure_headers config
     ssl_src = ["s-static.ak.fbcdn.net", "fbcdn-sphotos-a.akamaihd.net", "*.twitter.com", "*.twimg.com",
                "*.google-analytics.com", "s3.amazonaws.com", "twitter.com"].map { |s| "https://" + s }.join(" ")

     csp = {
       enforce: lambda {
         FeatureToggle.isAvailable?(:enforce_csp)
       },
       default_src: 'self',
       frame_src: "#{ssl_src} self",
       script_src: "#{ssl_src} self about:",
       style_src: "inline #{ssl_src} self",
       img_src: "#{ssl_src} https://twimg0-a.akamaihd.net self",
       report_uri: '//twitter.com/i/csp_report'
     }
  18. Libraries
     helmet (express/node), secureheaders (rails/sinatra/padrino/ruby), highlines (j2ee/java), secureheader (go), laravel-secureheaders (php), NWebSec (ASP.NET), django-csp + commonware (Django/Python), SecureHeaders (ASP.NET), Dancer-Plugin-SecureHeaders (Perl), ring-secure-headers (Clojure), mod_secure_headers (apache)

  19. Should I need a library? No. Frameworks should provide this, amirite?
     Want XSS? √  Want mixed content? √  Want Flash exploits? √  Want 3rd party content? √

  20. CSP Level 2 is your best friend
     Case study:
     2 years: tried to remove inline script - FAIL
     2 weeks: implemented script nonce feature - SUCCESS*
  21. Nonces
     ...script-src 'nonce-abc123'...

     <script nonce="abc123">
       alert("Hey I can run!")
     </script>
     <script>
       alert("this will never happen!")
     </script>

  22. Hashes
     script-src 'sha256-asdfasdf'

     <script>
       alert("Hey I can run!")
     </script>
     <script>
       alert("this will never happen!")
     </script>
  23. Build CSP Level 2 into the framework
     In order to enable nonce in secure_headers:
     • add 'nonce' to the script-src config
       script_src: "#{ssl_src} self about: nonce"

  24. What about hashes?
     • In use on blog.matatall.com :)
     • Library support is more tricky, but coming
     • Want to calculate your hashes? Run this in the browser console on a page with jQuery and CryptoJS loaded:

     $.each($('script'), function(index, x) {
       // hash the exact inline body of each <script> and print it as a CSP hash source
       var sha = CryptoJS.SHA1(x.innerHTML);
       console.log("'sha1-" + sha.toString(CryptoJS.enc.Base64) + "'");
     });
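Slides 21 to 24 describe nonce and hash sources without showing how the values are produced or how a browser decides which inline script may run. The following is an added example (not code from the deck or from secure_headers) that generates a per-response nonce, computes a Level 2 hash source with sha256 (the slide's snippet uses sha1, which the final Level 2 spec does not list), and applies the matching rules to the two inline scripts from the slides; `demo` and its script bodies are constructed for illustration.

```ruby
require 'digest'
require 'base64'
require 'securerandom'

# Hash source for one inline <script> body, as CSP Level 2 defines it:
# base64 of the digest over the exact script text (whitespace included).
# The slide's snippet uses sha1; Level 2 standardised on sha256/384/512.
def csp_hash_source(script_body, algo: 'sha256')
  digest = case algo
           when 'sha256' then Digest::SHA256.digest(script_body)
           when 'sha384' then Digest::SHA384.digest(script_body)
           when 'sha512' then Digest::SHA512.digest(script_body)
           else raise ArgumentError, "unsupported CSP hash algorithm: #{algo}"
           end
  "'#{algo}-#{Base64.strict_encode64(digest)}'"
end

# Per-response nonce: 128 random bits, fresh for every page render.
def csp_nonce
  Base64.strict_encode64(SecureRandom.random_bytes(16))
end

# Would this inline script run under the given script-src source list?
# sources: tokens such as ["'self'", "'nonce-abc123'", "'sha256-...'"]
# nonce_attr: the nonce="" attribute on the <script> tag, or nil if absent.
def inline_script_allowed?(sources, script_body, nonce_attr: nil)
  has_nonce_or_hash = sources.any? { |s| s.start_with?("'nonce-", "'sha") }
  # Level 2 browsers ignore 'unsafe-inline' once a nonce or hash is present.
  return true if sources.include?("'unsafe-inline'") && !has_nonce_or_hash
  return true if nonce_attr && sources.include?("'nonce-#{nonce_attr}'")
  %w[sha256 sha384 sha512].any? { |a| sources.include?(csp_hash_source(script_body, algo: a)) }
end

# Constructed walk-through of slides 21 and 22 (the script bodies are the slides' own).
def demo
  good = 'alert("Hey I can run!")'
  bad  = 'alert("this will never happen!")'
  nonce = csp_nonce
  sources = ["'self'", "'nonce-#{nonce}'", csp_hash_source(good)]
  {
    header: "script-src #{sources.join(' ')}",
    nonced_tag:   inline_script_allowed?(sources, bad, nonce_attr: nonce), # true: tag carries the nonce
    hashed_body:  inline_script_allowed?(sources, good),                   # true: body matches the hash
    plain_script: inline_script_allowed?(sources, bad)                     # false: no nonce, no hash
  }
end
```

Note that the hash covers the script text byte for byte, so any template whitespace change inside the tag invalidates it, which is why the deck favours nonces for templated pages and hashes for static ones.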
  25. Monolithic app? Sorry :(
     The REPL cycle is very long here. It's a long process.

  26. Service oriented? Easy!
     Apply secure defaults and the apps will converge on secure settings
     • Disallow eval/inline script by default
     • Have your code tell you about overrides

  27. Agenda
     • What is CSP?
     • How to apply CSP
     • How to manage CSP reports
     • How to win at CSP

  28. Reporting
     You cannot be successful with CSP on a large scale if you don't analyze your reports.
  29. What's in a report?
     {
       "csp-report": {
         "document-uri": "http://example.org/page.html",
         "referrer": "http://evil.example.com/haxor.html",
         "blocked-uri": "http://evil.example.com/image.png",
         "violated-directive": "img-src 'self'"
       }
     }

  30. What's _not_ in a report?
     • classification (mixed content, inline script, etc.)
     • report-only? enforced?
     • underlying application identifier (easier to tie back to code)
     • user agent
  31. Classifying reports (pseudocode)
     if blockedUri is empty (or self) {
       if violation type is script {
         "inline_script"
       } else if violation type is style {
         "inline_style"
       } else {
         "inline_something"
       }
     } else {
       if the scheme of the blocked uri is http and (the violated directive contains http + blocked host, or https is whitelisted and http is not) {
         "mixed_content"
       } else if the violated directive does not contain the blocked host {
         "unauthorized_host"
       } else {
         "???"
       }
     }
  32. Since you have a library...
     • You can add data to your report-uri
       o was this policy enforced?
       o what application generated the alert?
       o e.g. report-uri /csp_reports?read_only=true&app_name=twitter

  33. Report normalization for better stats
     • blocked-uri -> blocked_host
     • document-uri -> document_host, path
       o https://twitter.com/ndm -> twitter.com, ndm
     • violated-directive -> violation type
       o script-src 'self' ... -> script-src
     • user-agent -> browser
       o Mozilla/5.0...AppleWebKit...Chrome/... -> Chrome
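The classification tree of slide 31 and the normalization of slide 33 are easier to judge when run over real report bodies. This is an added example (not the deck's or Twitter's collector code) that normalizes a report of the shape shown on slide 29, matches the blocked host against the directive's sources including `*.` wildcards, and classifies it; the sample reports in `classify_samples` and the user-agent string are constructed.

```ruby
require 'json'
require 'uri'

# Reduce a raw report (the JSON a browser POSTs to report-uri) to the
# normalised fields slide 33 lists: hosts, path, violation type, browser.
def normalize_report(json_body, user_agent)
  r = JSON.parse(json_body).fetch('csp-report')
  doc = URI.parse(r['document-uri'])
  blocked = r['blocked-uri'].to_s
  directive = r['violated-directive'].to_s
  {
    document_host: doc.host, path: doc.path, blocked_uri: blocked,
    blocked_host: blocked.start_with?('http') ? URI.parse(blocked).host : blocked,
    violated_directive: directive,
    violation_type: directive.split(' ').first,   # "img-src 'self'" -> "img-src"
    browser: %w[Chrome Firefox Safari].find { |b| user_agent.include?("#{b}/") } || 'other'
  }
end

# Source token in the directive that names this host (honouring *.example.com), or nil.
def matching_source(directive, host)
  directive.split(' ').drop(1).find do |src|
    h = src.sub(%r{\A[a-z]+://}, '').sub(%r{[:/].*\z}, '')
    h == host || (h.start_with?('*.') && host.end_with?(h[1..-1]))
  end
end

# Classification following slide 31's decision tree.
def classify(n)
  if n[:blocked_uri].empty? || n[:blocked_uri] == 'self'   # no URI: an inline violation
    return { 'script-src' => 'inline_script', 'style-src' => 'inline_style' }.fetch(n[:violation_type], 'inline_something')
  end
  src = matching_source(n[:violated_directive], n[:blocked_host])
  return 'unauthorized_host' if src.nil?
  # host is whitelisted but the load went over plain http: mixed content
  return 'mixed_content' if n[:blocked_uri].start_with?('http://') && !src.start_with?('http://')
  'unknown'
end

def classify_samples
  dir = "script-src https://*.twimg.com 'self'"
  ua = 'Mozilla/5.0 ... AppleWebKit/537.36 ... Chrome/37.0 Safari/537.36'
  report = lambda do |blocked, directive|   # constructed, shaped like slide 29's JSON
    JSON.generate('csp-report' => { 'document-uri' => 'https://twitter.com/ndm',
                                    'blocked-uri' => blocked, 'violated-directive' => directive })
  end
  [report.call('', dir), report.call('self', "style-src 'self'"),
   report.call('http://abs.twimg.com/a.js', dir), report.call('https://evil.example.com/x.js', dir)]
    .map { |body| classify(normalize_report(body, ua)) }
end
```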
  34. FILTER FILTER FILTER
     • document_uri must match the subdomain the report was sent to
     • blocked_uri and source_file must start with http (unless blank)
     http://engineeringblog.yelp.com/2014/09/csp_reports_at_scale.html
  35. FILTER (cont'd)
     val reasonFiltered: Option[String] = {
       val sourceFileString = sourceFile.getOrElse("").toLowerCase

       if ("localhost" == reportHost || "localhost" == blockedHost
           || "127.0.0.1" == reportHost || "127.0.0.1" == blockedHost) {
         Some("localhost")
       } else if (sourceFileString.startsWith("resource://")
           || blockedUri.contains("addons.mozilla.org%22%3B%0Avar%20c%3D%22FastestFox")) {
         Some("firefox_extension")
       } else if (sourceFileString.startsWith("chromenull://") || blockedUri.startsWith("chromenull://")) {
         Some("chromenull")
     ... and the list goes on

     https://blog.matatall.com/2014/07/twitters-csp-report-collector-design/
  36. Answer questions
     • "Give me the inline script reports for twitter"
       o app_name: twitter, classification: inline_script
     • "What kind of violations happen the most?"
       o use the classification field (or violation_type)
     • "What pages generate the most violations?"
       o use report_host + path

  37. Agenda
     • What is CSP?
     • How to apply CSP
     • How to manage CSP reports
     • How to win at CSP

  38. Checklist
     • Ensure only compliant code is introduced
     • Provide the tools to configure a policy
     • Monitor the reports, build a case
     • Test on your employees/beta testers
     • Gradually turn the dial from 0 to 11
     • Profit
  39. Open issues
     "Inline" reports are crazy hard to decipher.
     https://csp-inline-fingerprint.herokuapp.com
     Trigger all types of inline violations, see how they look in the reports

  40. What is it looking for?
     • inline script
     • javascript: URIs
     • inline event handlers
     • use of eval
     • inline style

  41. Script samples FTW (kinda)
     • eval("shouldn't happen")
     • link-decoration: bold
     • console.log("shouldn't happen")
     • onerror attribute on IMG element
     Firefox only :'(