Upgrade to Pro — share decks privately, control downloads, hide ads and more …

How CSP Will (maybe) Solve the XSS Problem

Avatar for Neil Matatall Neil Matatall
September 12, 2014
Programming
0
160

How CSP Will (maybe) Solve the XSS Problem

More ramblings about how awesome csp and how it solves all of your problems.

Avatar for Neil Matatall

Neil Matatall

September 12, 2014
Tweet

More Decks by Neil Matatall

See All by Neil Matatall
Twubhubbook - It's like appsec, but for startups (with notes)
Avatar for Neil Matatall oreoshake
0
130
Twubhubbook - it's like appsec, but for startups (without notes)
Avatar for Neil Matatall oreoshake
0
120
Automatic Application Security v2
Avatar for Neil Matatall oreoshake
0
140
JRubyFX For Web Developers
Avatar for Neil Matatall oreoshake
0
250
Automatic Application Security
Avatar for Neil Matatall oreoshake
0
160
Putting your robots to work: Security Automation @Twitter
Avatar for Neil Matatall oreoshake
2
180
BSidesLA Managing Content Security Policy
Avatar for Neil Matatall oreoshake
3
1.1k

Other Decks in Programming

See All in Programming
レトロゲームから学ぶ通信技術の歴史
Avatar for kimkim0106 kimkim0106
0
130
[DevinMeetupTokyo2025] コード書かせないDevinの使い方
Avatar for yoshi takumiyoshikawa
2
140
おやつのお供はお決まりですか?@WWDC25 Recap -Japan-\(region).swift
Avatar for gangan shingangan
0
150
可変変数との向き合い方 $$変数名が踊り出す$$ / php conference Variable variables
Avatar for Gunji gunji
0
230
テストから始めるAgentic Coding 〜Claude Codeと共に行うTDD〜 / Agentic Coding starts with testing
Avatar for r-kagaya rkaga
16
6k
Claude Code + Container Use と Cursor で作る ローカル並列開発環境のススメ / ccc local dev
Avatar for Yuichi Maekawa kaelaela
12
7.4k
抽象化という思考のツール - 理解と活用 - / Abstraction-as-a-Tool-for-Thinking
Avatar for shin1x1 shin1x1
1
580
テスターからテストエンジニアへ ~新米テストエンジニアが歩んだ9ヶ月振り返り~
Avatar for のんちゃん non0113
2
240
[SRE NEXT] 複雑なシステムにおけるUser Journey SLOの導入
Avatar for yakenji yakenji
0
740
iOS開発スターターキットの作り方
Avatar for akidon0000 akidon0000
0
180
「App Intent」よくわからんけどすごい!
Avatar for rinngo rinngo0302
1
120
The Evolution of Enterprise Java with Jakarta EE 11 and Beyond
Avatar for ivargrimstad ivargrimstad
0
470

Featured

See All Featured
StorybookのUI Testing Handbookを読んだ
Avatar for Shingo Yamazaki zakiyama
30
5.9k
Fight the Zombie Pattern Library - RWD Summit 2016
Avatar for Marcelo Somers marcelosomers
234
17k
Being A Developer After 40
Avatar for Adrian Kosmaczewski akosma
90
590k
Building a Scalable Design System with Sketch
Avatar for Laura Van Doore lauravandoore
462
33k
Documentation Writing (for coders)
Avatar for Carmen Chung carmenintech
72
4.9k
Testing 201, or: Great Expectations
Avatar for Joseph Mastey jmmastey
43
7.6k
Why Our Code Smells
Avatar for Brandon Keepers bkeepers
PRO
337
57k
Improving Core Web Vitals using Speculation Rules API
Avatar for Sergey Chernyshev sergeychernyshev
18
1k
JavaScript: Past, Present, and Future - NDC Porto 2020
Avatar for David Neal reverentgeek
50
5.5k
Mobile First: as difficult as doing things right
Avatar for Swwweet swwweet
223
9.7k
Measuring & Analyzing Core Web Vitals
Avatar for Philip Tellis bluesmoon
7
530
Keith and Marios Guide to Fast Websites
Avatar for Keith Pitt keithpitt
411
22k

Transcript

  1. How CSP Will (maybe) Solve the XSS Problem Neil Matatall

    OWASP SD 4/17/2014

  2. Me • Twitter appsec engineer • I’m actually just a

    developer • In the business of going out of business • Sick and tired of fixing XSS

  3. XSS is so 1998

  4. So is XSS prevention

  5. What is XSS <input name=“id” value=“<%=id%>”>

  6. What is XSS ”><script>badStuff()</script>

  7. What is XSS <input name=“id” value=“”> <script>badStuff()</script> ”>

  8. What is XSS <script> var id=<%=id%>; </script>

  9. What is XSS 0;badStuff();

  10. What is XSS <script> var id=0; badStuff() </script>

  11. What is XSS <script> setInterval(1000, ‘<%=todo%>’) </script>

  12. What is XSS badStuff();

  13. What is XSS <script> setInterval(1000, ‘badStuff()’) </script>

  14. What is XSS <input name=“id” onBlur=“doStuff(<%=id %>)”>

  15. What is XSS ); badStuff(

  16. What is XSS <input name=“id” onBlur=“doStuff(); badStuff()”>

  17. What is XSS <a href=“<%=link%>”>Hi Mom!</a>

  18. What is XSS javascript:badThings()

  19. What is XSS <a href=“javascript:badThings()”> Hi Mom!</a>

  20. What is XSS <a href=“#” onClick=“doThing(‘<%=link%>’)”> Hi Mom! </a>

  21. What is XSS &#39;);badStuff(&#39;

  22. What is XSS <a href=“#” onClick= “doThing(‘&#39;);badStuff(&#39;’)” > Hi Mom!

    </a>

  23. What is XSS <a href=“#” onClick= “doThing(‘’);badStuff(‘’)”> Hi Mom! </a>

  24. What is DOM XSS <script> document.body.innerHTML = document.getElementById(‘name’).value; </script>

  25. What is DOM XSS

  26. What is DOM XSS <body> <img src=x onError=badThings()> </body>

  27. What is DOM XSS <script> var name = $(‘#name’).val $(‘body’).html(name)

    </script>

  28. What is DOM XSS

  29. What is DOM XSS <body> <img src=x onError=badThings()> </body>

  30. jQuery is XSS $(data)

  31. What is XSS <style> a { color: <%=usersFavoriteColor%>; } </style>

  32. What is XSS I dunno, something with SVG, CSS Expressions,

    etc. The list grows.

  33. Because Dr. Mario

  34. Because Dr. Mario

  35. Why do those crazy things?

  36. CODE != DATA “select * from table where id =

    “ + id “<a href=“ + link + “>text</a>”

  37. But we don’t do stupid things

  38. I will religiously escape content

  39. I will religiously escape content part 2

  40. JSFuck - Write any JavaScript with 6 Characters: []()!+ I

    will religiously escape content part 3
  41. None

  42. I’ll sanitize / validate input

  43. I’ll use a scanner

  44. I’ll perform periodic assessments

  45. Security is about layers

  46. None

  47. Thermos? Koozie?

  48. <script>goodStuff()</script> <script>badStuff()</script> How does the browser know?

  49. What is dangerous? • inline javascript • <script>…</script> • <input

    onBlur=“…”> • <a href=“javascript:…”> • on-the-fly code generation • setTimeout, eval, new Function(“…”)

  50. What’s a CSP??? default-src ‘self’; connect-src ‘self’; font-src ‘self’ data:;

    frame-src ‘self’ about: javascript:; frame-ancestors https://twitter.com; img-src https://mycdn.xom data:; media-src ‘https://mycdn.xom; object-src ‘none’; script-src https://mycdn.xom; style-src 'unsafe-inline' https://mycdn.xom; report-uri https://twitter.com/scribes/csp_report

  51. CSP is more than XSS protection

  52. Nothing is free

  53. Report-Only mode

  54. Techniques for removing inline javascript

  55. Removing the dangerous stuff

  56. CSP 1.1 • Whitelisting inline <script> in a safe way

  57. Inline code <script> stuff() </script>

  58. Nonces <script nonce=“34298734…”> stuff() </script>

  59. Hashes <script> stuff() </script>

  60. Hashes are more secure, and more limited than nonces

  61. What you still can’t do • Inline event handlers •

    <input onBlur=“doGoodThing()”> • <a href=“javascript:…”> • Dynamic javascript • <script> var id=<%=id%> </script> • Hash values won’t match • Nonce provides absolutely no security

  62. Automatic CSP Protection (Silverish bullet)

  63. Whitelisting javascript • Find all javascript • Compute all hash

    values • Whitelist scripts with corresponding hashes

  64. Assume: Sane web framework • Do a regular expression search

    over all templates, capture all inline javascript • Store a map of the hash(es) in each individual file • Each time the file is rendered, add the corresponding hashes to the header

  65. Developer productivity • Serve dynamic hash values in (!production), serve

    hardcoded hash values in production
  66. None