Upgrade to Pro — share decks privately, control downloads, hide ads and more …

How CSP Will (maybe) Solve the XSS Problem

Avatar for Neil Matatall Neil Matatall
September 12, 2014
Programming
170
0

How CSP Will (maybe) Solve the XSS Problem

More ramblings about how awesome csp and how it solves all of your problems.

Avatar for Neil Matatall

Neil Matatall

September 12, 2014

More Decks by Neil Matatall

See All by Neil Matatall
Twubhubbook - It's like appsec, but for startups (with notes)
Avatar for Neil Matatall oreoshake
0
150
Twubhubbook - it's like appsec, but for startups (without notes)
Avatar for Neil Matatall oreoshake
0
130
Automatic Application Security v2
Avatar for Neil Matatall oreoshake
0
160
JRubyFX For Web Developers
Avatar for Neil Matatall oreoshake
0
260
Automatic Application Security
Avatar for Neil Matatall oreoshake
0
160
Putting your robots to work: Security Automation @Twitter
Avatar for Neil Matatall oreoshake
2
190
BSidesLA Managing Content Security Policy
Avatar for Neil Matatall oreoshake
3
1.1k

Other Decks in Programming

See All in Programming
Make SRE Operations Easier with Azure SRE Agent
Avatar for KAMEGAWA Kazushi kkamegawa
0
3.6k
net-httpのHTTP/2対応について
Avatar for NARUSE, Yui naruse
0
440
PHPで使える日時の表現と、その知り方 #frontend_phpcon_do
Avatar for hideki kinjyo o0h
PRO
0
180
jQueryをバージョンアップする前に使いたいjQuery Migrate
Avatar for Atsushi Matsuo matsuo_atsushi
0
180
「AIで開発し、AIを届ける」をEvalでつなぐ 〜AIネイティブに始めるプロダクト開発の実践〜 / Connecting "Develop with AI, deliver AI" with Eval
Avatar for r-kagaya rkaga
4
2.2k
These Five Tricks Can Make Your Apps Greener, Cheaper, & Nicer
Avatar for Holly Cummins hollycummins
0
270
脅威をエンジニアリングの糧にして――現場編 / Turning Threats into Engineering Fuel — Field Edition
Avatar for nrs nrslib
0
250
Swiftのレキシカルスコープ管理
Avatar for kntk kntkymt
0
210
Migrations : C'est une question d'hygiène !
Avatar for Vincent Amstoutz vinceamstoutz
0
3.2k
AI駆動開発で崩れていくコードベースを立て直す
Avatar for Kyoko NR kyoko_nr_nr
1
430
LLM本来の能力を解き放つサンドボックス技術とAI民主化への適用
Avatar for Yuku Kotani yukukotani
3
2.7k
Oxcを導入して開発体験が向上した話
Avatar for Yuji Yamaguchi yug1224
4
280

Featured

See All Featured
The Anti-SEO Checklist Checklist. Pubcon Cyber Week
Avatar for Ryan Jones ryanjones
0
150
Chrome DevTools: State of the Union 2024 - Debugging React & Beyond
Avatar for Addy Osmani addyosmani
10
1.2k
The Invisible Side of Design
Avatar for Vitaly Friedman smashingmag
302
52k
Impact Scores and Hybrid Strategies: The future of link building
Avatar for Tamara Novitovic tamaranovitovic
0
300
The Spectacular Lies of Maps
Avatar for Per Axbom axbom
PRO
1
790
Max Prin - Stacking Signals: How International SEO Comes Together (And Falls Apart)
Avatar for Tech SEO Connect techseoconnect
PRO
0
170
Stewardship and Sustainability of Urban and Community Forests
Avatar for Eric Wiseman pwiseman
0
220
Java REST API Framework Comparison - PWX 2021
Avatar for Matt Raible mraible
34
9.3k
Testing 201, or: Great Expectations
Avatar for Joseph Mastey jmmastey
46
8.2k
Designing for humans not robots
Avatar for Tammie Lister tammielis
254
26k
The Straight Up "How To Draw Better" Workshop
Avatar for Dennis Kardys denniskardys
239
140k
How to Think Like a Performance Engineer
Avatar for Harry Roberts csswizardry
28
2.6k

Transcript

  1. How CSP Will (maybe) Solve the XSS Problem Neil Matatall

    OWASP SD 4/17/2014

  2. Me • Twitter appsec engineer • I’m actually just a

    developer • In the business of going out of business • Sick and tired of fixing XSS

  3. XSS is so 1998

  4. So is XSS prevention

  5. What is XSS <input name=“id” value=“<%=id%>”>

  6. What is XSS ”><script>badStuff()</script>

  7. What is XSS <input name=“id” value=“”> <script>badStuff()</script> ”>

  8. What is XSS <script> var id=<%=id%>; </script>

  9. What is XSS 0;badStuff();

  10. What is XSS <script> var id=0; badStuff() </script>

  11. What is XSS <script> setInterval(1000, ‘<%=todo%>’) </script>

  12. What is XSS badStuff();

  13. What is XSS <script> setInterval(1000, ‘badStuff()’) </script>

  14. What is XSS <input name=“id” onBlur=“doStuff(<%=id %>)”>

  15. What is XSS ); badStuff(

  16. What is XSS <input name=“id” onBlur=“doStuff(); badStuff()”>

  17. What is XSS <a href=“<%=link%>”>Hi Mom!</a>

  18. What is XSS javascript:badThings()

  19. What is XSS <a href=“javascript:badThings()”> Hi Mom!</a>

  20. What is XSS <a href=“#” onClick=“doThing(‘<%=link%>’)”> Hi Mom! </a>

  21. What is XSS &#39;);badStuff(&#39;

  22. What is XSS <a href=“#” onClick= “doThing(‘&#39;);badStuff(&#39;’)” > Hi Mom!

    </a>

  23. What is XSS <a href=“#” onClick= “doThing(‘’);badStuff(‘’)”> Hi Mom! </a>

  24. What is DOM XSS <script> document.body.innerHTML = document.getElementById(‘name’).value; </script>

  25. What is DOM XSS

  26. What is DOM XSS <body> <img src=x onError=badThings()> </body>

  27. What is DOM XSS <script> var name = $(‘#name’).val $(‘body’).html(name)

    </script>

  28. What is DOM XSS

  29. What is DOM XSS <body> <img src=x onError=badThings()> </body>

  30. jQuery is XSS $(data)

  31. What is XSS <style> a { color: <%=usersFavoriteColor%>; } </style>

  32. What is XSS I dunno, something with SVG, CSS Expressions,

    etc. The list grows.

  33. Because Dr. Mario

  34. Because Dr. Mario

  35. Why do those crazy things?

  36. CODE != DATA “select * from table where id =

    “ + id “<a href=“ + link + “>text</a>”

  37. But we don’t do stupid things

  38. I will religiously escape content

  39. I will religiously escape content part 2

  40. JSFuck - Write any JavaScript with 6 Characters: []()!+ I

    will religiously escape content part 3
  41. None

  42. I’ll sanitize / validate input

  43. I’ll use a scanner

  44. I’ll perform periodic assessments

  45. Security is about layers

  46. None

  47. Thermos? Koozie?

  48. <script>goodStuff()</script> <script>badStuff()</script> How does the browser know?

  49. What is dangerous? • inline javascript • <script>…</script> • <input

    onBlur=“…”> • <a href=“javascript:…”> • on-the-fly code generation • setTimeout, eval, new Function(“…”)

  50. What’s a CSP??? default-src ‘self’; connect-src ‘self’; font-src ‘self’ data:;

    frame-src ‘self’ about: javascript:; frame-ancestors https://twitter.com; img-src https://mycdn.xom data:; media-src ‘https://mycdn.xom; object-src ‘none’; script-src https://mycdn.xom; style-src 'unsafe-inline' https://mycdn.xom; report-uri https://twitter.com/scribes/csp_report

  51. CSP is more than XSS protection

  52. Nothing is free

  53. Report-Only mode

  54. Techniques for removing inline javascript

  55. Removing the dangerous stuff

  56. CSP 1.1 • Whitelisting inline <script> in a safe way

  57. Inline code <script> stuff() </script>

  58. Nonces <script nonce=“34298734…”> stuff() </script>

  59. Hashes <script> stuff() </script>

  60. Hashes are more secure, and more limited than nonces

  61. What you still can’t do • Inline event handlers •

    <input onBlur=“doGoodThing()”> • <a href=“javascript:…”> • Dynamic javascript • <script> var id=<%=id%> </script> • Hash values won’t match • Nonce provides absolutely no security

  62. Automatic CSP Protection (Silverish bullet)

  63. Whitelisting javascript • Find all javascript • Compute all hash

    values • Whitelist scripts with corresponding hashes

  64. Assume: Sane web framework • Do a regular expression search

    over all templates, capture all inline javascript • Store a map of the hash(es) in each individual file • Each time the file is rendered, add the corresponding hashes to the header

  65. Developer productivity • Serve dynamic hash values in (!production), serve

    hardcoded hash values in production
  66. None