$30 off During Our Annual Pro Sale. View Details »

How CSP Will (maybe) Solve the XSS Problem

Avatar for Neil Matatall Neil Matatall
September 12, 2014
Programming
0
160

How CSP Will (maybe) Solve the XSS Problem

More ramblings about how awesome csp and how it solves all of your problems.

Avatar for Neil Matatall

Neil Matatall

September 12, 2014
Tweet

More Decks by Neil Matatall

See All by Neil Matatall
Twubhubbook - It's like appsec, but for startups (with notes)
Avatar for Neil Matatall oreoshake
0
130
Twubhubbook - it's like appsec, but for startups (without notes)
Avatar for Neil Matatall oreoshake
0
120
Automatic Application Security v2
Avatar for Neil Matatall oreoshake
0
150
JRubyFX For Web Developers
Avatar for Neil Matatall oreoshake
0
250
Automatic Application Security
Avatar for Neil Matatall oreoshake
0
160
Putting your robots to work: Security Automation @Twitter
Avatar for Neil Matatall oreoshake
2
180
BSidesLA Managing Content Security Policy
Avatar for Neil Matatall oreoshake
3
1.1k

Other Decks in Programming

See All in Programming
全員アーキテクトで挑む、 巨大で高密度なドメインの紐解き方
Avatar for Agata Naomichi agatan
8
11k
目的で駆動する、AI時代のアーキテクチャ設計 / purpose-driven-architecture
Avatar for MinoDriven minodriven
11
3.7k
Herb to ReActionView: A New Foundation for the View Layer @ San Francisco Ruby Conference 2025
Avatar for Marco Roth marcoroth
0
210
JJUG CCC 2025 Fall: Virtual Thread Deep Dive
Avatar for ternbusty ternbusty
3
500
20 years of Symfony, what's next?

Avatar for Fabien Potencier fabpot
1
150
Full-Cycle Reactivity in Angular: SignalStore mit Signal Forms und Resources
Avatar for Manfred Steyer manfredsteyer
PRO
0
150
関数の挙動書き換える
Avatar for takato fukui takatofukui
4
760
CSC305 Lecture 14
Avatar for Javier Gonzalez-Sanchez javiergs
PRO
0
330
Web エンジニアが JavaScript で AI Agent を作る / JSConf JP 2025 sponsor session
Avatar for izumin5210 izumin5210
4
2.1k
スタートアップを支える技術戦略と組織づくり
Avatar for pospome pospome
8
13k
レイトレZ世代に捧ぐ、今からレイトレを始めるための小径
Avatar for ichi-raven ichi_raven
0
480
TUIライブラリつくってみた / i-just-make-TUI-library
Avatar for kazto kazto
1
190

Featured

See All Featured
Scaling GitHub
Avatar for Zach Holman holman
464
140k
Build The Right Thing And Hit Your Dates
Avatar for Maggie C. maggiecrowley
38
2.9k
Measuring & Analyzing Core Web Vitals
Avatar for Philip Tellis bluesmoon
9
680
How to Think Like a Performance Engineer
Avatar for Harry Roberts csswizardry
28
2.3k
The Web Performance Landscape in 2024 [PerfNow 2024]
Avatar for Tammy Everts tammyeverts
11
950
The World Runs on Bad Software
Avatar for Brandon Keepers bkeepers
PRO
72
12k
Designing Dashboards & Data Visualisations in Web Apps
Avatar for Des Traynor destraynor
231
54k
StorybookのUI Testing Handbookを読んだ
Avatar for Shingo Yamazaki zakiyama
31
6.4k
How STYLIGHT went responsive
Avatar for nonsquared nonsquared
100
5.9k
A Modern Web Designer's Workflow
Avatar for Chris Coyier chriscoyier
697
190k
Building Better People: How to give real-time feedback that sticks.
Avatar for Will Jessup wjessup
370
20k
Git: the NoSQL Database
Avatar for Brandon Keepers bkeepers
PRO
432
66k

Transcript

  1. How CSP Will (maybe) Solve the XSS Problem Neil Matatall

    OWASP SD 4/17/2014

  2. Me • Twitter appsec engineer • I’m actually just a

    developer • In the business of going out of business • Sick and tired of fixing XSS

  3. XSS is so 1998

  4. So is XSS prevention

  5. What is XSS <input name=“id” value=“<%=id%>”>

  6. What is XSS ”><script>badStuff()</script>

  7. What is XSS <input name=“id” value=“”> <script>badStuff()</script> ”>

  8. What is XSS <script> var id=<%=id%>; </script>

  9. What is XSS 0;badStuff();

  10. What is XSS <script> var id=0; badStuff() </script>

  11. What is XSS <script> setInterval(1000, ‘<%=todo%>’) </script>

  12. What is XSS badStuff();

  13. What is XSS <script> setInterval(1000, ‘badStuff()’) </script>

  14. What is XSS <input name=“id” onBlur=“doStuff(<%=id %>)”>

  15. What is XSS ); badStuff(

  16. What is XSS <input name=“id” onBlur=“doStuff(); badStuff()”>

  17. What is XSS <a href=“<%=link%>”>Hi Mom!</a>

  18. What is XSS javascript:badThings()

  19. What is XSS <a href=“javascript:badThings()”> Hi Mom!</a>

  20. What is XSS <a href=“#” onClick=“doThing(‘<%=link%>’)”> Hi Mom! </a>

  21. What is XSS &#39;);badStuff(&#39;

  22. What is XSS <a href=“#” onClick= “doThing(‘&#39;);badStuff(&#39;’)” > Hi Mom!

    </a>

  23. What is XSS <a href=“#” onClick= “doThing(‘’);badStuff(‘’)”> Hi Mom! </a>

  24. What is DOM XSS <script> document.body.innerHTML = document.getElementById(‘name’).value; </script>

  25. What is DOM XSS

  26. What is DOM XSS <body> <img src=x onError=badThings()> </body>

  27. What is DOM XSS <script> var name = $(‘#name’).val $(‘body’).html(name)

    </script>

  28. What is DOM XSS

  29. What is DOM XSS <body> <img src=x onError=badThings()> </body>

  30. jQuery is XSS $(data)

  31. What is XSS <style> a { color: <%=usersFavoriteColor%>; } </style>

  32. What is XSS I dunno, something with SVG, CSS Expressions,

    etc. The list grows.

  33. Because Dr. Mario

  34. Because Dr. Mario

  35. Why do those crazy things?

  36. CODE != DATA “select * from table where id =

    “ + id “<a href=“ + link + “>text</a>”

  37. But we don’t do stupid things

  38. I will religiously escape content

  39. I will religiously escape content part 2

  40. JSFuck - Write any JavaScript with 6 Characters: []()!+ I

    will religiously escape content part 3
  41. None

  42. I’ll sanitize / validate input

  43. I’ll use a scanner

  44. I’ll perform periodic assessments

  45. Security is about layers

  46. None

  47. Thermos? Koozie?

  48. <script>goodStuff()</script> <script>badStuff()</script> How does the browser know?

  49. What is dangerous? • inline javascript • <script>…</script> • <input

    onBlur=“…”> • <a href=“javascript:…”> • on-the-fly code generation • setTimeout, eval, new Function(“…”)

  50. What’s a CSP??? default-src ‘self’; connect-src ‘self’; font-src ‘self’ data:;

    frame-src ‘self’ about: javascript:; frame-ancestors https://twitter.com; img-src https://mycdn.xom data:; media-src ‘https://mycdn.xom; object-src ‘none’; script-src https://mycdn.xom; style-src 'unsafe-inline' https://mycdn.xom; report-uri https://twitter.com/scribes/csp_report

  51. CSP is more than XSS protection

  52. Nothing is free

  53. Report-Only mode

  54. Techniques for removing inline javascript

  55. Removing the dangerous stuff

  56. CSP 1.1 • Whitelisting inline <script> in a safe way

  57. Inline code <script> stuff() </script>

  58. Nonces <script nonce=“34298734…”> stuff() </script>

  59. Hashes <script> stuff() </script>

  60. Hashes are more secure, and more limited than nonces

  61. What you still can’t do • Inline event handlers •

    <input onBlur=“doGoodThing()”> • <a href=“javascript:…”> • Dynamic javascript • <script> var id=<%=id%> </script> • Hash values won’t match • Nonce provides absolutely no security

  62. Automatic CSP Protection (Silverish bullet)

  63. Whitelisting javascript • Find all javascript • Compute all hash

    values • Whitelist scripts with corresponding hashes

  64. Assume: Sane web framework • Do a regular expression search

    over all templates, capture all inline javascript • Store a map of the hash(es) in each individual file • Each time the file is rendered, add the corresponding hashes to the header

  65. Developer productivity • Serve dynamic hash values in (!production), serve

    hardcoded hash values in production
  66. None