Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
How CSP Will (maybe) Solve the XSS Problem
Search
Neil Matatall
September 12, 2014
Programming
0
160
How CSP Will (maybe) Solve the XSS Problem
More ramblings about how awesome csp and how it solves all of your problems.
Neil Matatall
September 12, 2014
Tweet
Share
More Decks by Neil Matatall
See All by Neil Matatall
Twubhubbook - It's like appsec, but for startups (with notes)
oreoshake
0
130
Twubhubbook - it's like appsec, but for startups (without notes)
oreoshake
0
120
Automatic Application Security v2
oreoshake
0
140
JRubyFX For Web Developers
oreoshake
0
250
Automatic Application Security
oreoshake
0
160
Putting your robots to work: Security Automation @Twitter
oreoshake
2
180
BSidesLA Managing Content Security Policy
oreoshake
3
1.1k
Other Decks in Programming
See All in Programming
レトロゲームから学ぶ通信技術の歴史
kimkim0106
0
130
[DevinMeetupTokyo2025] コード書かせないDevinの使い方
takumiyoshikawa
2
140
おやつのお供はお決まりですか?@WWDC25 Recap -Japan-\(region).swift
shingangan
0
150
可変変数との向き合い方 $$変数名が踊り出す$$ / php conference Variable variables
gunji
0
230
テストから始めるAgentic Coding 〜Claude Codeと共に行うTDD〜 / Agentic Coding starts with testing
rkaga
16
6k
Claude Code + Container Use と Cursor で作る ローカル並列開発環境のススメ / ccc local dev
kaelaela
12
7.4k
抽象化という思考のツール - 理解と活用 - / Abstraction-as-a-Tool-for-Thinking
shin1x1
1
580
テスターからテストエンジニアへ ~新米テストエンジニアが歩んだ9ヶ月振り返り~
non0113
2
240
[SRE NEXT] 複雑なシステムにおけるUser Journey SLOの導入
yakenji
0
740
iOS開発スターターキットの作り方
akidon0000
0
180
「App Intent」よくわからんけどすごい!
rinngo0302
1
120
The Evolution of Enterprise Java with Jakarta EE 11 and Beyond
ivargrimstad
0
470
Featured
See All Featured
StorybookのUI Testing Handbookを読んだ
zakiyama
30
5.9k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
234
17k
Being A Developer After 40
akosma
90
590k
Building a Scalable Design System with Sketch
lauravandoore
462
33k
Documentation Writing (for coders)
carmenintech
72
4.9k
Testing 201, or: Great Expectations
jmmastey
43
7.6k
Why Our Code Smells
bkeepers
PRO
337
57k
Improving Core Web Vitals using Speculation Rules API
sergeychernyshev
18
1k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
50
5.5k
Mobile First: as difficult as doing things right
swwweet
223
9.7k
Measuring & Analyzing Core Web Vitals
bluesmoon
7
530
Keith and Marios Guide to Fast Websites
keithpitt
411
22k
Transcript
How CSP Will (maybe) Solve the XSS Problem Neil Matatall
OWASP SD 4/17/2014
Me • Twitter appsec engineer • I’m actually just a
developer • In the business of going out of business • Sick and tired of fixing XSS
XSS is so 1998
So is XSS prevention
What is XSS <input name=“id” value=“<%=id%>”>
What is XSS ”><script>badStuff()</script>
What is XSS <input name=“id” value=“”> <script>badStuff()</script> ”>
What is XSS <script> var id=<%=id%>; </script>
What is XSS 0;badStuff();
What is XSS <script> var id=0; badStuff() </script>
What is XSS <script> setInterval(1000, ‘<%=todo%>’) </script>
What is XSS badStuff();
What is XSS <script> setInterval(1000, ‘badStuff()’) </script>
What is XSS <input name=“id” onBlur=“doStuff(<%=id %>)”>
What is XSS ); badStuff(
What is XSS <input name=“id” onBlur=“doStuff(); badStuff()”>
What is XSS <a href=“<%=link%>”>Hi Mom!</a>
What is XSS javascript:badThings()
What is XSS <a href=“javascript:badThings()”> Hi Mom!</a>
What is XSS <a href=“#” onClick=“doThing(‘<%=link%>’)”> Hi Mom! </a>
What is XSS ');badStuff('
What is XSS <a href=“#” onClick= “doThing(‘');badStuff('’)” > Hi Mom!
</a>
What is XSS <a href=“#” onClick= “doThing(‘’);badStuff(‘’)”> Hi Mom! </a>
What is DOM XSS <script> document.body.innerHTML = document.getElementById(‘name’).value; </script>
What is DOM XSS
What is DOM XSS <body> <img src=x onError=badThings()> </body>
What is DOM XSS <script> var name = $(‘#name’).val $(‘body’).html(name)
</script>
What is DOM XSS
What is DOM XSS <body> <img src=x onError=badThings()> </body>
jQuery is XSS $(data)
What is XSS <style> a { color: <%=usersFavoriteColor%>; } </style>
What is XSS I dunno, something with SVG, CSS Expressions,
etc. The list grows.
Because Dr. Mario
Because Dr. Mario
Why do those crazy things?
CODE != DATA “select * from table where id =
“ + id “<a href=“ + link + “>text</a>”
But we don’t do stupid things
I will religiously escape content
I will religiously escape content part 2
JSFuck - Write any JavaScript with 6 Characters: []()!+ I
will religiously escape content part 3
None
I’ll sanitize / validate input
I’ll use a scanner
I’ll perform periodic assessments
Security is about layers
None
Thermos? Koozie?
<script>goodStuff()</script> <script>badStuff()</script> How does the browser know?
What is dangerous? • inline javascript • <script>…</script> • <input
onBlur=“…”> • <a href=“javascript:…”> • on-the-fly code generation • setTimeout, eval, new Function(“…”)
What’s a CSP??? default-src ‘self’; connect-src ‘self’; font-src ‘self’ data:;
frame-src ‘self’ about: javascript:; frame-ancestors https://twitter.com; img-src https://mycdn.xom data:; media-src ‘https://mycdn.xom; object-src ‘none’; script-src https://mycdn.xom; style-src 'unsafe-inline' https://mycdn.xom; report-uri https://twitter.com/scribes/csp_report
CSP is more than XSS protection
Nothing is free
Report-Only mode
Techniques for removing inline javascript
Removing the dangerous stuff
CSP 1.1 • Whitelisting inline <script> in a safe way
Inline code <script> stuff() </script>
Nonces <script nonce=“34298734…”> stuff() </script>
Hashes <script> stuff() </script>
Hashes are more secure, and more limited than nonces
What you still can’t do • Inline event handlers •
<input onBlur=“doGoodThing()”> • <a href=“javascript:…”> • Dynamic javascript • <script> var id=<%=id%> </script> • Hash values won’t match • Nonce provides absolutely no security
Automatic CSP Protection (Silverish bullet)
Whitelisting javascript • Find all javascript • Compute all hash
values • Whitelist scripts with corresponding hashes
Assume: Sane web framework • Do a regular expression search
over all templates, capture all inline javascript • Store a map of the hash(es) in each individual file • Each time the file is rendered, add the corresponding hashes to the header
Developer productivity • Serve dynamic hash values in (!production), serve
hardcoded hash values in production
None