Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
How CSP Will (maybe) Solve the XSS Problem
Search
Sponsored
·
SiteGround - Reliable hosting with speed, security, and support you can count on.
→
Neil Matatall
September 12, 2014
Programming
170
0
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
How CSP Will (maybe) Solve the XSS Problem
More ramblings about how awesome csp and how it solves all of your problems.
Neil Matatall
September 12, 2014
More Decks by Neil Matatall
See All by Neil Matatall
Twubhubbook - It's like appsec, but for startups (with notes)
oreoshake
0
150
Twubhubbook - it's like appsec, but for startups (without notes)
oreoshake
0
130
Automatic Application Security v2
oreoshake
0
160
JRubyFX For Web Developers
oreoshake
0
260
Automatic Application Security
oreoshake
0
170
Putting your robots to work: Security Automation @Twitter
oreoshake
2
190
BSidesLA Managing Content Security Policy
oreoshake
3
1.1k
Other Decks in Programming
See All in Programming
Spec Driven Development | AI Summit Lisbon
danielsogl
PRO
0
210
Dataformのリポジトリを立ち上げるときにまずやること / dataform-day0-2026
snhryt
0
190
ローカルLLMを使ってB2Bサービスを作っていての学び
yaotti
0
220
OSもどきOS
arkw
0
590
Mujeres en SEO Summit 2026 - Greatest Disaster Hits en Web Performance
guaca
0
200
なぜ型を書くのか? TSKaigi2026で改めて考える #tskaigi_smarthr
kajitack
0
160
Creating Composable Callables in Contemporary C++
rollbear
0
170
軽量Java基盤の設計 DIコンテナに頼らない、長期保守と1秒起動の実現 JJUG CCC 2026 Spring
macha64
0
590
さぁV100、メモリをお食べ・・・
nilpe
0
160
AI駆動開発を妨げる技術的負債の解消アプローチ / ai-refactoring-approach
minodriven
14
7.2k
AI時代のUIはどこへ行く?その2!
yusukebe
22
7.5k
Hatena Engineer Seminar #37「言語モデルの活用に関する研究」
slashnephy
0
180
Featured
See All Featured
Breaking role norms: Why Content Design is so much more than writing copy - Taylor Woolridge
uxyall
0
330
How to make the Groovebox
asonas
2
2.2k
How To Stay Up To Date on Web Technology
chriscoyier
790
250k
Building Adaptive Systems
keathley
44
3.1k
Art, The Web, and Tiny UX
lynnandtonic
304
22k
Documentation Writing (for coders)
carmenintech
77
5.4k
The Language of Interfaces
destraynor
162
27k
GraphQLとの向き合い方2022年版
quramy
50
15k
Test your architecture with Archunit
thirion
1
2.3k
Why You Should Never Use an ORM
jnunemaker
PRO
61
9.9k
Exploring anti-patterns in Rails
aemeredith
3
430
Optimizing for Happiness
mojombo
378
71k
Transcript
How CSP Will (maybe) Solve the XSS Problem Neil Matatall
OWASP SD 4/17/2014
Me • Twitter appsec engineer • I’m actually just a
developer • In the business of going out of business • Sick and tired of fixing XSS
XSS is so 1998
So is XSS prevention
What is XSS <input name=“id” value=“<%=id%>”>
What is XSS ”><script>badStuff()</script>
What is XSS <input name=“id” value=“”> <script>badStuff()</script> ”>
What is XSS <script> var id=<%=id%>; </script>
What is XSS 0;badStuff();
What is XSS <script> var id=0; badStuff() </script>
What is XSS <script> setInterval(1000, ‘<%=todo%>’) </script>
What is XSS badStuff();
What is XSS <script> setInterval(1000, ‘badStuff()’) </script>
What is XSS <input name=“id” onBlur=“doStuff(<%=id %>)”>
What is XSS ); badStuff(
What is XSS <input name=“id” onBlur=“doStuff(); badStuff()”>
What is XSS <a href=“<%=link%>”>Hi Mom!</a>
What is XSS javascript:badThings()
What is XSS <a href=“javascript:badThings()”> Hi Mom!</a>
What is XSS <a href=“#” onClick=“doThing(‘<%=link%>’)”> Hi Mom! </a>
What is XSS ');badStuff('
What is XSS <a href=“#” onClick= “doThing(‘');badStuff('’)” > Hi Mom!
</a>
What is XSS <a href=“#” onClick= “doThing(‘’);badStuff(‘’)”> Hi Mom! </a>
What is DOM XSS <script> document.body.innerHTML = document.getElementById(‘name’).value; </script>
What is DOM XSS
What is DOM XSS <body> <img src=x onError=badThings()> </body>
What is DOM XSS <script> var name = $(‘#name’).val $(‘body’).html(name)
</script>
What is DOM XSS
What is DOM XSS <body> <img src=x onError=badThings()> </body>
jQuery is XSS $(data)
What is XSS <style> a { color: <%=usersFavoriteColor%>; } </style>
What is XSS I dunno, something with SVG, CSS Expressions,
etc. The list grows.
Because Dr. Mario
Because Dr. Mario
Why do those crazy things?
CODE != DATA “select * from table where id =
“ + id “<a href=“ + link + “>text</a>”
But we don’t do stupid things
I will religiously escape content
I will religiously escape content part 2
JSFuck - Write any JavaScript with 6 Characters: []()!+ I
will religiously escape content part 3
None
I’ll sanitize / validate input
I’ll use a scanner
I’ll perform periodic assessments
Security is about layers
None
Thermos? Koozie?
<script>goodStuff()</script> <script>badStuff()</script> How does the browser know?
What is dangerous? • inline javascript • <script>…</script> • <input
onBlur=“…”> • <a href=“javascript:…”> • on-the-fly code generation • setTimeout, eval, new Function(“…”)
What’s a CSP??? default-src ‘self’; connect-src ‘self’; font-src ‘self’ data:;
frame-src ‘self’ about: javascript:; frame-ancestors https://twitter.com; img-src https://mycdn.xom data:; media-src ‘https://mycdn.xom; object-src ‘none’; script-src https://mycdn.xom; style-src 'unsafe-inline' https://mycdn.xom; report-uri https://twitter.com/scribes/csp_report
CSP is more than XSS protection
Nothing is free
Report-Only mode
Techniques for removing inline javascript
Removing the dangerous stuff
CSP 1.1 • Whitelisting inline <script> in a safe way
Inline code <script> stuff() </script>
Nonces <script nonce=“34298734…”> stuff() </script>
Hashes <script> stuff() </script>
Hashes are more secure, and more limited than nonces
What you still can’t do • Inline event handlers •
<input onBlur=“doGoodThing()”> • <a href=“javascript:…”> • Dynamic javascript • <script> var id=<%=id%> </script> • Hash values won’t match • Nonce provides absolutely no security
Automatic CSP Protection (Silverish bullet)
Whitelisting javascript • Find all javascript • Compute all hash
values • Whitelist scripts with corresponding hashes
Assume: Sane web framework • Do a regular expression search
over all templates, capture all inline javascript • Store a map of the hash(es) in each individual file • Each time the file is rendered, add the corresponding hashes to the header
Developer productivity • Serve dynamic hash values in (!production), serve
hardcoded hash values in production
None