Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
How CSP Will (maybe) Solve the XSS Problem
Search
Neil Matatall
September 12, 2014
Programming
0
160
How CSP Will (maybe) Solve the XSS Problem
More ramblings about how awesome csp and how it solves all of your problems.
Neil Matatall
September 12, 2014
Tweet
Share
More Decks by Neil Matatall
See All by Neil Matatall
Twubhubbook - It's like appsec, but for startups (with notes)
oreoshake
0
130
Twubhubbook - it's like appsec, but for startups (without notes)
oreoshake
0
120
Automatic Application Security v2
oreoshake
0
140
JRubyFX For Web Developers
oreoshake
0
250
Automatic Application Security
oreoshake
0
160
Putting your robots to work: Security Automation @Twitter
oreoshake
2
180
BSidesLA Managing Content Security Policy
oreoshake
3
1.1k
Other Decks in Programming
See All in Programming
MCPでVibe Working。そして、結局はContext Eng(略)/ Working with Vibe on MCP And Context Eng
rkaga
5
2.2k
The Past, Present, and Future of Enterprise Java
ivargrimstad
0
340
1から理解するWeb Push
dora1998
7
1.8k
さようなら Date。 ようこそTemporal! 3年間先行利用して得られた知見の共有
8beeeaaat
3
1.4k
@Environment(\.keyPath)那么好我不允许你们不知道! / atEnvironment keyPath is so good and you should know it!
lovee
0
110
奥深くて厄介な「改行」と仲良くなる20分
oguemon
1
520
Testing Trophyは叫ばない
toms74209200
0
850
為你自己學 Python - 冷知識篇
eddie
1
350
そのAPI、誰のため? Androidライブラリ設計における利用者目線の実践テクニック
mkeeda
2
270
テストコードはもう書かない:JetBrains AI Assistantに委ねる非同期処理のテスト自動設計・生成
makun
0
250
プロパティベーステストによるUIテスト: LLMによるプロパティ定義生成でエッジケースを捉える
tetta_pdnt
0
310
CJK and Unicode From a PHP Committer
youkidearitai
PRO
0
110
Featured
See All Featured
How to Think Like a Performance Engineer
csswizardry
26
1.9k
Mobile First: as difficult as doing things right
swwweet
224
9.9k
Side Projects
sachag
455
43k
The Cost Of JavaScript in 2023
addyosmani
53
8.9k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
33
2.4k
How GitHub (no longer) Works
holman
315
140k
How To Stay Up To Date on Web Technology
chriscoyier
790
250k
Keith and Marios Guide to Fast Websites
keithpitt
411
22k
Into the Great Unknown - MozCon
thekraken
40
2k
Optimising Largest Contentful Paint
csswizardry
37
3.4k
Music & Morning Musume
bryan
46
6.8k
For a Future-Friendly Web
brad_frost
180
9.9k
Transcript
How CSP Will (maybe) Solve the XSS Problem Neil Matatall
OWASP SD 4/17/2014
Me • Twitter appsec engineer • I’m actually just a
developer • In the business of going out of business • Sick and tired of fixing XSS
XSS is so 1998
So is XSS prevention
What is XSS <input name=“id” value=“<%=id%>”>
What is XSS ”><script>badStuff()</script>
What is XSS <input name=“id” value=“”> <script>badStuff()</script> ”>
What is XSS <script> var id=<%=id%>; </script>
What is XSS 0;badStuff();
What is XSS <script> var id=0; badStuff() </script>
What is XSS <script> setInterval(1000, ‘<%=todo%>’) </script>
What is XSS badStuff();
What is XSS <script> setInterval(1000, ‘badStuff()’) </script>
What is XSS <input name=“id” onBlur=“doStuff(<%=id %>)”>
What is XSS ); badStuff(
What is XSS <input name=“id” onBlur=“doStuff(); badStuff()”>
What is XSS <a href=“<%=link%>”>Hi Mom!</a>
What is XSS javascript:badThings()
What is XSS <a href=“javascript:badThings()”> Hi Mom!</a>
What is XSS <a href=“#” onClick=“doThing(‘<%=link%>’)”> Hi Mom! </a>
What is XSS ');badStuff('
What is XSS <a href=“#” onClick= “doThing(‘');badStuff('’)” > Hi Mom!
</a>
What is XSS <a href=“#” onClick= “doThing(‘’);badStuff(‘’)”> Hi Mom! </a>
What is DOM XSS <script> document.body.innerHTML = document.getElementById(‘name’).value; </script>
What is DOM XSS
What is DOM XSS <body> <img src=x onError=badThings()> </body>
What is DOM XSS <script> var name = $(‘#name’).val $(‘body’).html(name)
</script>
What is DOM XSS
What is DOM XSS <body> <img src=x onError=badThings()> </body>
jQuery is XSS $(data)
What is XSS <style> a { color: <%=usersFavoriteColor%>; } </style>
What is XSS I dunno, something with SVG, CSS Expressions,
etc. The list grows.
Because Dr. Mario
Because Dr. Mario
Why do those crazy things?
CODE != DATA “select * from table where id =
“ + id “<a href=“ + link + “>text</a>”
But we don’t do stupid things
I will religiously escape content
I will religiously escape content part 2
JSFuck - Write any JavaScript with 6 Characters: []()!+ I
will religiously escape content part 3
None
I’ll sanitize / validate input
I’ll use a scanner
I’ll perform periodic assessments
Security is about layers
None
Thermos? Koozie?
<script>goodStuff()</script> <script>badStuff()</script> How does the browser know?
What is dangerous? • inline javascript • <script>…</script> • <input
onBlur=“…”> • <a href=“javascript:…”> • on-the-fly code generation • setTimeout, eval, new Function(“…”)
What’s a CSP??? default-src ‘self’; connect-src ‘self’; font-src ‘self’ data:;
frame-src ‘self’ about: javascript:; frame-ancestors https://twitter.com; img-src https://mycdn.xom data:; media-src ‘https://mycdn.xom; object-src ‘none’; script-src https://mycdn.xom; style-src 'unsafe-inline' https://mycdn.xom; report-uri https://twitter.com/scribes/csp_report
CSP is more than XSS protection
Nothing is free
Report-Only mode
Techniques for removing inline javascript
Removing the dangerous stuff
CSP 1.1 • Whitelisting inline <script> in a safe way
Inline code <script> stuff() </script>
Nonces <script nonce=“34298734…”> stuff() </script>
Hashes <script> stuff() </script>
Hashes are more secure, and more limited than nonces
What you still can’t do • Inline event handlers •
<input onBlur=“doGoodThing()”> • <a href=“javascript:…”> • Dynamic javascript • <script> var id=<%=id%> </script> • Hash values won’t match • Nonce provides absolutely no security
Automatic CSP Protection (Silverish bullet)
Whitelisting javascript • Find all javascript • Compute all hash
values • Whitelist scripts with corresponding hashes
Assume: Sane web framework • Do a regular expression search
over all templates, capture all inline javascript • Store a map of the hash(es) in each individual file • Each time the file is rendered, add the corresponding hashes to the header
Developer productivity • Serve dynamic hash values in (!production), serve
hardcoded hash values in production
None