Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
How CSP Will (maybe) Solve the XSS Problem
Search
Neil Matatall
September 12, 2014
Programming
0
150
How CSP Will (maybe) Solve the XSS Problem
More ramblings about how awesome csp and how it solves all of your problems.
Neil Matatall
September 12, 2014
Tweet
Share
More Decks by Neil Matatall
See All by Neil Matatall
Twubhubbook - It's like appsec, but for startups (with notes)
oreoshake
0
110
Twubhubbook - it's like appsec, but for startups (without notes)
oreoshake
0
110
Automatic Application Security v2
oreoshake
0
130
JRubyFX For Web Developers
oreoshake
0
210
Automatic Application Security
oreoshake
0
140
Putting your robots to work: Security Automation @Twitter
oreoshake
2
170
BSidesLA Managing Content Security Policy
oreoshake
3
1k
Other Decks in Programming
See All in Programming
元気予報
suu_mire0726
0
860
Ruby GitHub Packages
bkuhlmann
0
620
Hanami and htmx
bkuhlmann
0
190
Elm 0.19.0 Changes
bkuhlmann
0
480
try!Swift Tokyo 2024 参加報告 LT
akidon0000
1
190
Git Lint
bkuhlmann
4
740
#phpcon_odawara オープン・クローズドなテストフィクスチャを求めて / open closed test fixtures
77web
3
220
Netty Chicago Java User Group 2024-04-17
sullis
0
120
Build with AI 2024 Seoul - 제로부터 시작하는 Flutter with Gemini 생활 - 박제창
itsmedreamwalker
0
200
脱・初心者!脱・マネコン!AWS CDKを使ってみませんか!?
har1101
0
300
Folding Cheat Sheet #3
philipschwarz
PRO
0
110
デザインシステムで Tailwind CSSとCSS in JSに分散投資をしたら良かった話
fsubal
18
4.8k
Featured
See All Featured
Agile that works and the tools we love
rasmusluckow
324
20k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
1
1.3k
RailsConf 2023
tenderlove
2
530
Facilitating Awesome Meetings
lara
41
5.6k
YesSQL, Process and Tooling at Scale
rocio
163
13k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
18
6.9k
What’s in a name? Adding method to the madness
productmarketing
PRO
15
2.6k
Become a Pro
speakerdeck
PRO
10
4.5k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
76
41k
Happy Clients
brianwarren
91
6.4k
5 minutes of I Can Smell Your CMS
philhawksworth
199
19k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
186
16k
Transcript
How CSP Will (maybe) Solve the XSS Problem Neil Matatall
OWASP SD 4/17/2014
Me • Twitter appsec engineer • I’m actually just a
developer • In the business of going out of business • Sick and tired of fixing XSS
XSS is so 1998
So is XSS prevention
What is XSS <input name=“id” value=“<%=id%>”>
What is XSS ”><script>badStuff()</script>
What is XSS <input name=“id” value=“”> <script>badStuff()</script> ”>
What is XSS <script> var id=<%=id%>; </script>
What is XSS 0;badStuff();
What is XSS <script> var id=0; badStuff() </script>
What is XSS <script> setInterval(1000, ‘<%=todo%>’) </script>
What is XSS badStuff();
What is XSS <script> setInterval(1000, ‘badStuff()’) </script>
What is XSS <input name=“id” onBlur=“doStuff(<%=id %>)”>
What is XSS ); badStuff(
What is XSS <input name=“id” onBlur=“doStuff(); badStuff()”>
What is XSS <a href=“<%=link%>”>Hi Mom!</a>
What is XSS javascript:badThings()
What is XSS <a href=“javascript:badThings()”> Hi Mom!</a>
What is XSS <a href=“#” onClick=“doThing(‘<%=link%>’)”> Hi Mom! </a>
What is XSS ');badStuff('
What is XSS <a href=“#” onClick= “doThing(‘');badStuff('’)” > Hi Mom!
</a>
What is XSS <a href=“#” onClick= “doThing(‘’);badStuff(‘’)”> Hi Mom! </a>
What is DOM XSS <script> document.body.innerHTML = document.getElementById(‘name’).value; </script>
What is DOM XSS
What is DOM XSS <body> <img src=x onError=badThings()> </body>
What is DOM XSS <script> var name = $(‘#name’).val $(‘body’).html(name)
</script>
What is DOM XSS
What is DOM XSS <body> <img src=x onError=badThings()> </body>
jQuery is XSS $(data)
What is XSS <style> a { color: <%=usersFavoriteColor%>; } </style>
What is XSS I dunno, something with SVG, CSS Expressions,
etc. The list grows.
Because Dr. Mario
Because Dr. Mario
Why do those crazy things?
CODE != DATA “select * from table where id =
“ + id “<a href=“ + link + “>text</a>”
But we don’t do stupid things
I will religiously escape content
I will religiously escape content part 2
JSFuck - Write any JavaScript with 6 Characters: []()!+ I
will religiously escape content part 3
None
I’ll sanitize / validate input
I’ll use a scanner
I’ll perform periodic assessments
Security is about layers
None
Thermos? Koozie?
<script>goodStuff()</script> <script>badStuff()</script> How does the browser know?
What is dangerous? • inline javascript • <script>…</script> • <input
onBlur=“…”> • <a href=“javascript:…”> • on-the-fly code generation • setTimeout, eval, new Function(“…”)
What’s a CSP??? default-src ‘self’; connect-src ‘self’; font-src ‘self’ data:;
frame-src ‘self’ about: javascript:; frame-ancestors https://twitter.com; img-src https://mycdn.xom data:; media-src ‘https://mycdn.xom; object-src ‘none’; script-src https://mycdn.xom; style-src 'unsafe-inline' https://mycdn.xom; report-uri https://twitter.com/scribes/csp_report
CSP is more than XSS protection
Nothing is free
Report-Only mode
Techniques for removing inline javascript
Removing the dangerous stuff
CSP 1.1 • Whitelisting inline <script> in a safe way
Inline code <script> stuff() </script>
Nonces <script nonce=“34298734…”> stuff() </script>
Hashes <script> stuff() </script>
Hashes are more secure, and more limited than nonces
What you still can’t do • Inline event handlers •
<input onBlur=“doGoodThing()”> • <a href=“javascript:…”> • Dynamic javascript • <script> var id=<%=id%> </script> • Hash values won’t match • Nonce provides absolutely no security
Automatic CSP Protection (Silverish bullet)
Whitelisting javascript • Find all javascript • Compute all hash
values • Whitelist scripts with corresponding hashes
Assume: Sane web framework • Do a regular expression search
over all templates, capture all inline javascript • Store a map of the hash(es) in each individual file • Each time the file is rendered, add the corresponding hashes to the header
Developer productivity • Serve dynamic hash values in (!production), serve
hardcoded hash values in production
None