How CSP Will (maybe) Solve the XSS Problem

Transcript

1. How CSP Will (maybe) Solve the XSS Problem Neil Matatall

   OWASP SD 4/17/2014

2. Me • Twitter appsec engineer • I’m actually just a

   developer • In the business of going out of business • Sick and tired of fixing XSS

3. XSS is so 1998

4. So is XSS prevention

5. What is XSS <input name=“id” value=“<%=id%>”>

6. What is XSS ”><script>badStuff()</script>

7. What is XSS <input name=“id” value=“”> <script>badStuff()</script> ”>

8. What is XSS <script> var id=<%=id%>; </script>

9. What is XSS 0;badStuff();

10. What is XSS <script> var id=0; badStuff() </script>

11. What is XSS <script> setInterval(1000, ‘<%=todo%>’) </script>

12. What is XSS badStuff();

13. What is XSS <script> setInterval(1000, ‘badStuff()’) </script>

14. What is XSS <input name=“id” onBlur=“doStuff(<%=id %>)”>

15. What is XSS ); badStuff(

16. What is XSS <input name=“id” onBlur=“doStuff(); badStuff()”>

17. What is XSS <a href=“<%=link%>”>Hi Mom!</a>

18. What is XSS javascript:badThings()

19. What is XSS <a href=“javascript:badThings()”> Hi Mom!</a>

20. What is XSS <a href=“#” onClick=“doThing(‘<%=link%>’)”> Hi Mom! </a>

21. What is XSS &#39;);badStuff(&#39;

22. What is XSS <a href=“#” onClick= “doThing(‘&#39;);badStuff(&#39;’)” > Hi Mom!

    </a>

23. What is XSS <a href=“#” onClick= “doThing(‘’);badStuff(‘’)”> Hi Mom! </a>

24. What is DOM XSS <script> document.body.innerHTML = document.getElementById(‘name’).value; </script>

25. What is DOM XSS

26. What is DOM XSS <body> <img src=x onError=badThings()> </body>

27. What is DOM XSS <script> var name = $(‘#name’).val $(‘body’).html(name)

    </script>

28. What is DOM XSS

29. What is DOM XSS <body> <img src=x onError=badThings()> </body>

30. jQuery is XSS $(data)

31. What is XSS <style> a { color: <%=usersFavoriteColor%>; } </style>

32. What is XSS I dunno, something with SVG, CSS Expressions,

    etc. The list grows.

33. Because Dr. Mario

34. Because Dr. Mario

35. Why do those crazy things?

36. CODE != DATA “select * from table where id =

    “ + id “<a href=“ + link + “>text</a>”

37. But we don’t do stupid things

38. I will religiously escape content

39. I will religiously escape content part 2

40. JSFuck - Write any JavaScript with 6 Characters: []()!+ I

    will religiously escape content part 3
41. None

42. I’ll sanitize / validate input

43. I’ll use a scanner

44. I’ll perform periodic assessments

45. Security is about layers

46. None

47. Thermos? Koozie?

48. <script>goodStuff()</script> <script>badStuff()</script> How does the browser know?

49. What is dangerous? • inline javascript • <script>…</script> • <input

    onBlur=“…”> • <a href=“javascript:…”> • on-the-fly code generation • setTimeout, eval, new Function(“…”)

50. What’s a CSP??? default-src ‘self’; connect-src ‘self’; font-src ‘self’ data:;

    frame-src ‘self’ about: javascript:; frame-ancestors https://twitter.com; img-src https://mycdn.xom data:; media-src ‘https://mycdn.xom; object-src ‘none’; script-src https://mycdn.xom; style-src 'unsafe-inline' https://mycdn.xom; report-uri https://twitter.com/scribes/csp_report

51. CSP is more than XSS protection

52. Nothing is free

53. Report-Only mode

54. Techniques for removing inline javascript

55. Removing the dangerous stuff

56. CSP 1.1 • Whitelisting inline <script> in a safe way

57. Inline code <script> stuff() </script>

58. Nonces <script nonce=“34298734…”> stuff() </script>

59. Hashes <script> stuff() </script>

60. Hashes are more secure, and more limited than nonces

61. What you still can’t do • Inline event handlers •

    <input onBlur=“doGoodThing()”> • <a href=“javascript:…”> • Dynamic javascript • <script> var id=<%=id%> </script> • Hash values won’t match • Nonce provides absolutely no security

62. Automatic CSP Protection (Silverish bullet)

63. Whitelisting javascript • Find all javascript • Compute all hash

    values • Whitelist scripts with corresponding hashes

64. Assume: Sane web framework • Do a regular expression search

    over all templates, capture all inline javascript • Store a map of the hash(es) in each individual file • Each time the file is rendered, add the corresponding hashes to the header

65. Developer productivity • Serve dynamic hash values in (!production), serve

    hardcoded hash values in production
66. None