Content Security Policy - the panacea for XSS or placebo?

5b723186bd1e23af569bd623f193a2b9?s=47 oxdef
August 22, 2013
Programming
0
16

Content Security Policy - the panacea for XSS or placebo?

OWASP AppSec Research EU 2013

5b723186bd1e23af569bd623f193a2b9?s=128

oxdef

August 22, 2013
Tweet

Want more?

5b723186bd1e23af569bd623f193a2b9?s=48 oxdef
0
61
5b723186bd1e23af569bd623f193a2b9?s=48 oxdef
0
30
5b723186bd1e23af569bd623f193a2b9?s=48 oxdef
0
8
7cbd3f5f922d798cc312eaf596de7ae6?s=48 iamctodd
2
510
3ab1249be442027903e1180025340b3f?s=48 reverentgeek
14
870
A9a491b0fcbe0fbce3d64063a37add99?s=48 rmw
6
470
766b9746b59e6f09e280cd33cf4ed419?s=48 skipperchong
0
300
61857dafbd287b3027c4dcea9008ad3c?s=48 carmenhchung
8
620
06f8b41980eb4c577fa40c41d5030c19?s=48 keathley
9
330
C0390e8b11079f8761c0cd3274ed61cb?s=48 productmarketing
3
360
C35e01544a0dd94a2cf1619ee8a42ebb?s=48 clairelew
5
900
6bb82b13cda86d3b821fa44100335ddf?s=48 thoeni
1
230

Transcript

  1. 1.

    Taras Ivashchenko Information Security Officer CSP - the panacea for

    XSS or placebo?
  2. 2.

    2 $ whoami Information security officer at Yandex's product security

    team Web application security researcher Yet another security blogger www.oxdef.info
  3. 3.

    XSS

  4. 4.

    4 XSS Why again about XSS?! Still one of the

    the most common web application security issues Ok, but please don't show me those alerts
  5. 5.

    5 Prevention Input validation Output escaping depending on context httponly

    session cookie Browser based solutions: IE filter, NoScript ?
  6. 6.

    CSP

  7. 7.

    7 Content Security Policy Browser side mechanism to mitigate XSS

    attacks Source whitelists for client side resources of web application Content-Security-Policy HTTP header W3C Candidate Recommendation
  8. 8.

    8 HTML Template <h1>Test XSS page</h1> <h3>Hello, <i> {{ foo

    | safe }}!</i></h3> How it Works Demo URL http://127.0.0.1:5000/xss?foo= <img src="http://www.oxdef.info/exploit.png">
  9. 9.

    9 Without CSP

  10. 10.

    10 Content-Security-Policy: img-src 'self' CSP in Action

  11. 11.

    11 Policy Content-Security-Policy: default-src 'self'; script-src 'self' static.example.com Control JavaScript

    HTML <!doctype html><html><head> <meta charset="utf-8"> <script src="/js/jquery-1.10.2.js"></script> <script src="//evil.net/evil.js"></script>... console.log Refused to load the script 'http://evil.net/evil.js' because it violates...
  12. 12.

    12 Unsafe-inline and unsafe-eval • unsafe-inline allows: –Inline scripts and

    styles –onclick=”...” –javascrtipt: –You should not include it in the policy! • unsafe-eval allows: –eval() –new Function –setTimeout, setInterval with string as a first argument –You should not include it in the policy!
  13. 13.

    13 Other Directives media-src – audio and video object-src -

    plugin objects (e.g. Flash) frame-src – iframe sources font-src – font files connect-src – XMLHttpRequest, WebSockets, EventSource
  14. 14.

    14 { "csp-report": { "violated-directive": "img-src data: ... *.example.com", "referrer":

    "", "blocked-uri": "https://static.doubleclick.net", "document-uri": "https://example.com/foo", "original-policy": "default-src ...; report-uri csp.php" } } Reporting Content-Security-Policy-Report-Only: ...; report-uri csp.php Policy Log contents
  15. 15.

    15 Browser Support Content-Security-Policy 25+ 23+ 1.7+ X-Content-Security-Policy 4 -

    22 10 (sandbox) X-WebKit-CSP 14 - 25 5.1+ Mobile browsers: 7.0+ 28+ 23+
  16. 16.

    16 Bypass Manipulating HTTP response headers Implementation bugs: MFSA 2012-36:

    Content Security Policy inline-script bypass JSONP XSS without JS
  17. 17.

    17 <!doctype html> <html> <head> <meta charset="utf-8"> <script src="/js/jquery.min.js"></script> </head>

    <body> <script nonce="Nc3n83cnSAd"> // Some inline code here </script> See in the Next Version: nonce-source Content-Security-Policy: script-src 'self' nonce-Nc3n83cnSAd Policy HTML Code
  18. 18.

    Case-study

  19. 19.

    19 About the Service One of the most popular mail

    services in Russia Over 12 million email messages daily Lots of client side code and hosts to communicate with
  20. 20.

    20 CSP Tester Extension for Chromium based browsers Simple and

    Advanced modes Content-Security-Policy and X-WebKit- CSP headers Help links for directives https://github.com/oxdef/csp-tester
  21. 21.

    21 CSP Tester in action

  22. 22.

    22 The Plan 1.Test it on the corporate mail 2.It's

    ok - let's try it on production in Report- Only mode 3.Analyze tons of logs ;-( 4.Fix bugs and improve the policy 5.Switch to block mode 6.Profit! :-)
  23. 23.

    23 Changes in service Try to remove all inline code

  24. 24.

    24 Log Analysis awk, grep, sort,head for gigabytes of logs?

    Yes, but we can do it in more complex way with help of Python Charts for directives and blocked URIs
  25. 25.

    25 Problems Browser implementations differ 3rd party JS libraries Inline

    styles in HTML letters Browser extensions What is that *** external code doing in our DOM?
  26. 26.

    26 From Report-Only to Block mode Fix bugs from CSP

    logs Use only standard CSP HTTP header Allow browser extensions unsafe-inline for style-src unsafe-eval for script-src
  27. 27.

    27 Tips Teach your front-end developers Add CSP as security

    requirement for new products Don't forget about mobile versions! Research your core front-end components to support CSP Assign developer responsible for CSP
  28. 28.

    28 CSP Based IDS Magic XSS XSS XSS Test &

    Fix
  29. 29.

    29 Conclusion CSP is not a panacea but it's a

    good «yet another level» to protect your users against XSS attacks
  30. 30.

    30 To be continued ;-)

  31. 31.

    Taras Ivashchenko Information Security Officer oxdef@yandex-team.ru http://company.yandex.com/security Thanks