How CSP Will (maybe) Solve the XSS Problem

Neil Matatall
September 12, 2014

More ramblings about how awesome CSP is and how it solves all of your problems.


Transcript

  1. How CSP Will (maybe) Solve the XSS Problem Neil Matatall OWASP SD 4/17/2014
  2. Me • Twitter appsec engineer • I'm actually just a developer • In the business of going out of business • Sick and tired of fixing XSS
  3. XSS is so 1998
  4. So is XSS prevention
  5. What is XSS <input name="id" value="<%=id%>">
  6. What is XSS "><script>badStuff()</script>
  7. What is XSS <input name="id" value=""> <script>badStuff()</script> ">
  8. What is XSS <script> var id=<%=id%>; </script>
  9. What is XSS 0;badStuff();
  10. What is XSS <script> var id=0; badStuff() </script>
  11. What is XSS <script> setInterval('<%=todo%>', 1000) </script>
  12. What is XSS badStuff();
  13. What is XSS <script> setInterval('badStuff()', 1000) </script>
  14. What is XSS <input name="id" onBlur="doStuff(<%=id %>)">
  15. What is XSS ); badStuff(
  16. What is XSS <input name="id" onBlur="doStuff(); badStuff()">
  17. What is XSS <a href="<%=link%>">Hi Mom!</a>
  18. What is XSS javascript:badThings()
  19. What is XSS <a href="javascript:badThings()"> Hi Mom!</a>
  20. What is XSS <a href="#" onClick="doThing('<%=link%>')"> Hi Mom! </a>
  21. What is XSS &#39;);badStuff(&#39;
  22. What is XSS <a href="#" onClick="doThing('&#39;);badStuff(&#39;')"> Hi Mom! </a>
  23. What is XSS <a href="#" onClick="doThing('');badStuff('')"> Hi Mom! </a>
  24. What is DOM XSS <script> document.body.innerHTML = document.getElementById('name').value; </script>
  25. What is DOM XSS
  26. What is DOM XSS <body> <img src=x onError=badThings()> </body>
  27. What is DOM XSS <script> var name = $('#name').val(); $('body').html(name); </script>
  28. What is DOM XSS
  29. What is DOM XSS <body> <img src=x onError=badThings()> </body>
  30. jQuery is XSS $(data)
  31. What is XSS <style> a { color: <%=usersFavoriteColor%>; } </style>
  32. What is XSS I dunno, something with SVG, CSS Expressions, etc. The list grows.
  33. Because Dr. Mario
  34. Because Dr. Mario
  35. Why do those crazy things?
  36. CODE != DATA "select * from table where id = " + id "<a href=" + link + ">text</a>"
  37. But we don't do stupid things
  38. I will religiously escape content
  39. I will religiously escape content part 2
  40. JSFuck - Write any JavaScript with 6 Characters: []()!+ I will religiously escape content part 3
  41. None
  42. I'll sanitize / validate input
  43. I'll use a scanner
  44. I'll perform periodic assessments
  45. Security is about layers
  46. None
  47. Thermos? Koozie?
  48. <script>goodStuff()</script> <script>badStuff()</script> How does the browser know?
  49. What is dangerous? • inline javascript • <script>…</script> • <input onBlur="…"> • <a href="javascript:…"> • on-the-fly code generation • setTimeout, eval, new Function("…")
  50. What's a CSP??? default-src 'self'; connect-src 'self'; font-src 'self' data:; frame-src 'self' about: javascript:; frame-ancestors https://twitter.com; img-src https://mycdn.xom data:; media-src https://mycdn.xom; object-src 'none'; script-src https://mycdn.xom; style-src 'unsafe-inline' https://mycdn.xom; report-uri https://twitter.com/scribes/csp_report
  51. CSP is more than XSS protection
  52. Nothing is free
  53. Report-Only mode
  54. Techniques for removing inline javascript
  55. Removing the dangerous stuff
  56. CSP 1.1 • Whitelisting inline <script> in a safe way
  57. Inline code <script> stuff() </script>
  58. Nonces <script nonce="34298734…"> stuff() </script>
  59. Hashes <script> stuff() </script>
  60. Hashes are more secure, and more limited than nonces
  61. What you still can't do • Inline event handlers • <input onBlur="doGoodThing()"> • <a href="javascript:…"> • Dynamic javascript • <script> var id=<%=id%> </script> • Hash values won't match • Nonce provides absolutely no security
  62. Automatic CSP Protection (Silverish bullet)
  63. Whitelisting javascript • Find all javascript • Compute all hash values • Whitelist scripts with corresponding hashes
  64. Assume: Sane web framework • Do a regular expression search over all templates, capture all inline javascript • Store a map of the hash(es) in each individual file • Each time the file is rendered, add the corresponding hashes to the header
  65. Developer productivity • Serve dynamic hash values in (!production), serve hardcoded hash values in production
  66. None
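The automatic hash-whitelisting procedure from slides 63 to 65, as an added Python example (not code from the deck or from Twitter): it regex-scans a constructed ERB-style template for inline scripts, computes the CSP 1.1 `'sha256-…'` source expressions, emits the `script-src` header, and then shows the limitation on slide 61, that a script interpolating `<%=id%>` hashes differently once rendered and is blocked. The template, the `/csp_report` path and the `mycdn.xom` host are constructed or assumed.

```python
import base64
import hashlib
import re

# Inline <script> blocks only; tags with src= are external files and are allowed
# by host in script-src, not by hash. Like the deck, this assumes templates simple
# enough for a regex (it will not cope with "</script>" inside a string literal).
SCRIPT_RE = re.compile(r"<script(?P<attrs>[^>]*)>(?P<body>.*?)</script>",
                       re.IGNORECASE | re.DOTALL)

def csp_hash(script_body: str) -> str:
    """CSP 1.1 hash source: base64(SHA-256) of the exact text between the tags."""
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"

def inline_script_bodies(html: str) -> list:
    return [m.group("body") for m in SCRIPT_RE.finditer(html)
            if "src=" not in m.group("attrs").lower()]

def hashes_for_template(template: str) -> set:
    """Build-time step: scan the template once and record its script hashes."""
    return {csp_hash(body) for body in inline_script_bodies(template)}

def policy_header(hashes, script_host="https://mycdn.xom") -> str:
    """Header value served with the page: whitelisted host plus the hashes."""
    script_src = " ".join([script_host] + sorted(hashes))
    return ("default-src 'self'; object-src 'none'; "
            "script-src " + script_src + "; report-uri /csp_report")

def blocked_scripts(rendered_html: str, hashes) -> list:
    """Browser view: inline scripts whose hash is missing from the policy do not run."""
    return [b for b in inline_script_bodies(rendered_html) if csp_hash(b) not in hashes]

def render(template: str, **values) -> str:
    """Toy ERB-style <%=name%> substitution standing in for the real template engine."""
    for name, value in values.items():
        template = template.replace("<%=" + name + "%>", str(value))
    return template

# Constructed template: one static inline script, one that interpolates data
# (slide 61), one external script.
TEMPLATE = ('<script>stuff()</script>\n'
            '<script>var id=<%=id%>;</script>\n'
            '<script src="https://mycdn.xom/app.js"></script>')

if __name__ == "__main__":
    hashes = hashes_for_template(TEMPLATE)
    print("Content-Security-Policy:", policy_header(hashes))
    # Even a legitimate id changes the bytes, so the template-time hash no longer matches.
    print("blocked:", blocked_scripts(render(TEMPLATE, id=42), hashes))
```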