Upgrade to Pro — share decks privately, control downloads, hide ads and more …

How CSP Will (maybe) Solve the XSS Problem

Sponsored · SiteGround - Reliable hosting with speed, security, and support you can count on.
Avatar for Neil Matatall Neil Matatall
September 12, 2014
Programming
0
160

How CSP Will (maybe) Solve the XSS Problem

More ramblings about how awesome csp and how it solves all of your problems.

Avatar for Neil Matatall

Neil Matatall

September 12, 2014
Tweet

More Decks by Neil Matatall

See All by Neil Matatall
Twubhubbook - It's like appsec, but for startups (with notes)
Avatar for Neil Matatall oreoshake
0
140
Twubhubbook - it's like appsec, but for startups (without notes)
Avatar for Neil Matatall oreoshake
0
130
Automatic Application Security v2
Avatar for Neil Matatall oreoshake
0
160
JRubyFX For Web Developers
Avatar for Neil Matatall oreoshake
0
260
Automatic Application Security
Avatar for Neil Matatall oreoshake
0
160
Putting your robots to work: Security Automation @Twitter
Avatar for Neil Matatall oreoshake
2
190
BSidesLA Managing Content Security Policy
Avatar for Neil Matatall oreoshake
3
1.1k

Other Decks in Programming

See All in Programming
[PHPerKaigi 2026]PHPerKaigi2025の企画CodeGolfが最高すぎて社内で内製して半年運営して得た内製と運営の知見
Avatar for Z.O.E. ikezoemakoto
0
130
What Spring Developers Should Know About Jakarta EE
Avatar for ivargrimstad ivargrimstad
0
600
AWS×クラウドネイティブソフトウェア設計 / AWS x Cloud-Native Software Design
Avatar for nrs nrslib
16
3.3k
Angular-Apps smarter machen mit Gen AI: Lokal und offlinefähig - Hands-on Workshop!
Avatar for Christian Liebel christianliebel
PRO
0
120
Claude Code Skill入門
Avatar for maya mayahoney
0
400
Vuetify 3 → 4 何が変わった?差分と移行ポイント10分まとめ
Avatar for kouki.miura koukimiura
0
150
AI 開発合宿を通して得た学び
Avatar for ニフティ株式会社 niftycorp
PRO
0
150
20260228_JAWS_Beginner_Kansai
Avatar for Takuya Yonezawa takuyay0ne
5
580
仕様漏れ実装漏れをなくすトレーサビリティAI基盤のご紹介
Avatar for Kuniwak orgachem
PRO
6
2k
ふつうの Rubyist、ちいさなデバイス、大きな一年
Avatar for bash0C7 bash0c7
0
1k
安いハードウェアでVulkan
Avatar for Fadis fadis
0
460
new(1.26) ← これすき / kamakura.go #8
Avatar for utagawa kiki utgwkk
0
2.5k

Featured

See All Featured
How GitHub (no longer) Works
Avatar for Zach Holman holman
316
150k
We Analyzed 250 Million AI Search Results: Here's What I Found
Avatar for Josh Blyskal joshbly
1
980
How to build a perfect <img>
Avatar for Jono Alderson jonoalderson
1
5.3k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
Avatar for Eileen M. Uchitelle eileencodes
141
35k
State of Search Keynote: SEO is Dead Long Live SEO
Avatar for Ryan Jones ryanjones
0
150
Designing Experiences People Love
Avatar for Jonathan Moore moore
143
24k
SERP Conf. Vienna - Web Accessibility: Optimizing for Inclusivity and SEO
Avatar for Sara Fernández Carmona sarafernandez
1
1.3k
Performance Is Good for Brains [We Love Speed 2024]
Avatar for Tammy Everts tammyeverts
12
1.5k
Build The Right Thing And Hit Your Dates
Avatar for Maggie C. maggiecrowley
39
3.1k
WCS-LA-2024
Avatar for Leonardo Collado-Torres lcolladotor
0
480
Joys of Absence: A Defence of Solitary Play
Avatar for Sebastian Deterding codingconduct
1
310
Fantastic passwords and where to find them - at NoRuKo
Avatar for Phil Nash philnash
52
3.6k

Transcript

  1. How CSP Will (maybe) Solve the XSS Problem Neil Matatall

    OWASP SD 4/17/2014

  2. Me • Twitter appsec engineer • I’m actually just a

    developer • In the business of going out of business • Sick and tired of fixing XSS

  3. XSS is so 1998

  4. So is XSS prevention

  5. What is XSS <input name=“id” value=“<%=id%>”>

  6. What is XSS ”><script>badStuff()</script>

  7. What is XSS <input name=“id” value=“”> <script>badStuff()</script> ”>

  8. What is XSS <script> var id=<%=id%>; </script>

  9. What is XSS 0;badStuff();

  10. What is XSS <script> var id=0; badStuff() </script>

  11. What is XSS <script> setInterval(1000, ‘<%=todo%>’) </script>

  12. What is XSS badStuff();

  13. What is XSS <script> setInterval(1000, ‘badStuff()’) </script>

  14. What is XSS <input name=“id” onBlur=“doStuff(<%=id %>)”>

  15. What is XSS ); badStuff(

  16. What is XSS <input name=“id” onBlur=“doStuff(); badStuff()”>

  17. What is XSS <a href=“<%=link%>”>Hi Mom!</a>

  18. What is XSS javascript:badThings()

  19. What is XSS <a href=“javascript:badThings()”> Hi Mom!</a>

  20. What is XSS <a href=“#” onClick=“doThing(‘<%=link%>’)”> Hi Mom! </a>

  21. What is XSS &#39;);badStuff(&#39;

  22. What is XSS <a href=“#” onClick= “doThing(‘&#39;);badStuff(&#39;’)” > Hi Mom!

    </a>

  23. What is XSS <a href=“#” onClick= “doThing(‘’);badStuff(‘’)”> Hi Mom! </a>

  24. What is DOM XSS <script> document.body.innerHTML = document.getElementById(‘name’).value; </script>

  25. What is DOM XSS

  26. What is DOM XSS <body> <img src=x onError=badThings()> </body>

  27. What is DOM XSS <script> var name = $(‘#name’).val $(‘body’).html(name)

    </script>

  28. What is DOM XSS

  29. What is DOM XSS <body> <img src=x onError=badThings()> </body>

  30. jQuery is XSS $(data)

  31. What is XSS <style> a { color: <%=usersFavoriteColor%>; } </style>

  32. What is XSS I dunno, something with SVG, CSS Expressions,

    etc. The list grows.

  33. Because Dr. Mario

  34. Because Dr. Mario

  35. Why do those crazy things?

  36. CODE != DATA “select * from table where id =

    “ + id “<a href=“ + link + “>text</a>”

  37. But we don’t do stupid things

  38. I will religiously escape content

  39. I will religiously escape content part 2

  40. JSFuck - Write any JavaScript with 6 Characters: []()!+ I

    will religiously escape content part 3
  41. None

  42. I’ll sanitize / validate input

  43. I’ll use a scanner

  44. I’ll perform periodic assessments

  45. Security is about layers

  46. None

  47. Thermos? Koozie?

  48. <script>goodStuff()</script> <script>badStuff()</script> How does the browser know?

  49. What is dangerous? • inline javascript • <script>…</script> • <input

    onBlur=“…”> • <a href=“javascript:…”> • on-the-fly code generation • setTimeout, eval, new Function(“…”)

  50. What’s a CSP??? default-src ‘self’; connect-src ‘self’; font-src ‘self’ data:;

    frame-src ‘self’ about: javascript:; frame-ancestors https://twitter.com; img-src https://mycdn.xom data:; media-src ‘https://mycdn.xom; object-src ‘none’; script-src https://mycdn.xom; style-src 'unsafe-inline' https://mycdn.xom; report-uri https://twitter.com/scribes/csp_report

  51. CSP is more than XSS protection

  52. Nothing is free

  53. Report-Only mode

  54. Techniques for removing inline javascript

  55. Removing the dangerous stuff

  56. CSP 1.1 • Whitelisting inline <script> in a safe way

  57. Inline code <script> stuff() </script>

  58. Nonces <script nonce=“34298734…”> stuff() </script>

  59. Hashes <script> stuff() </script>

  60. Hashes are more secure, and more limited than nonces

  61. What you still can’t do • Inline event handlers •

    <input onBlur=“doGoodThing()”> • <a href=“javascript:…”> • Dynamic javascript • <script> var id=<%=id%> </script> • Hash values won’t match • Nonce provides absolutely no security

  62. Automatic CSP Protection (Silverish bullet)

  63. Whitelisting javascript • Find all javascript • Compute all hash

    values • Whitelist scripts with corresponding hashes

  64. Assume: Sane web framework • Do a regular expression search

    over all templates, capture all inline javascript • Store a map of the hash(es) in each individual file • Each time the file is rendered, add the corresponding hashes to the header

  65. Developer productivity • Serve dynamic hash values in (!production), serve

    hardcoded hash values in production
  66. None