Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Content Security Policy - the panacea for XSS or placebo?

oxdef
August 22, 2013
Programming
0
200

Content Security Policy - the panacea for XSS or placebo?

OWASP AppSec Research EU 2013

oxdef

August 22, 2013
Tweet

More Decks by oxdef

See All by oxdef
How to improve software security with OWASP open source initiatives
oxdef
0
82
Keynote at ZeroNights X (2021)
oxdef
0
47
Security Culture: Here be Hackers
oxdef
0
300
OWASP Top 10 - 2017 What’s inside?
oxdef
0
270
И разработчик станет хакером!
oxdef
0
30
Implementing Content Security Policy at a Large Scale
oxdef
0
320
Security in developer’s life: knowledge is power
oxdef
0
190
HTTPS by default - no more clear
oxdef
0
14
Web Application Security: future standards and technologies
oxdef
0
200

Other Decks in Programming

See All in Programming
Migrating From Spring Boot 2 To Spring Boot 3 - What's Jakarta EE Got To Do with It?
ivargrimstad
0
670
what's new in Material Design で気になったトピック
punchdrunker
1
290
Github CopilotとChatGPTを使って感じた使い分けの糸口 / JavaDo #22
gishi_yama
0
180
PO,SMに送るテスト自動化の8原則に5箇条を添えて / scrumniigata2023
pineapplecandy
2
830
フロントエンド刷新をプロジェクトとして進める際に気をつけていること
koba04
1
1.2k
LlamaIndex で Text-to-SQL 100 本ノック!
os1ma
2
800
デザイナーと協業しているNuxtプロジェクトを、ChromaticによるVRTでさらに改善した話
mozu1206
0
270
KubeCon + CNCon Europe 2023 Recap Flux Beyond Git: Harnessing the Power of OCI
ksudate
0
310
FSE時代におけるWEBサイト制作の研究 #wpshinshu / 2023-05-20 Shinshu WordPress Meetup vol.23
torounit
0
230
Let's write RBS!
pocke
0
1.9k
SpringIO_19-05-2023.pdf
ancaghenade
0
120
これだけは知っておきたいクラス設計の基礎知識
masuda220
PRO
20
14k

Featured

See All Featured
The MySQL Ecosystem @ GitHub 2015
samlambert
240
11k
The Illustrated Children's Guide to Kubernetes
chrisshort
26
44k
The Cult of Friendly URLs
andyhume
70
5.2k
Being A Developer After 40
akosma
50
580k
Unsuck your backbone
ammeep
660
56k
Build The Right Thing And Hit Your Dates
maggiecrowley
23
1.6k
Debugging Ruby Performance
tmm1
68
11k
Fashionably flexible responsive web design (full day workshop)
malarkey
395
64k
Mobile First: as difficult as doing things right
swwweet
213
8k
Rebuilding a faster, lazier Slack
samanthasiow
70
7.7k
Learning to Love Humans: Emotional Interface Design
aarron
264
38k
VelocityConf: Rendering Performance Case Studies
addyosmani
317
22k

Transcript

  1. Taras Ivashchenko
    Information Security Officer
    CSP - the
    panacea for XSS
    or placebo?

    View Slide

  2. 2
    $ whoami
    Information security officer at Yandex's product
    security team
    Web application security researcher
    Yet another security blogger www.oxdef.info

    View Slide

  3. XSS

    View Slide

  4. 4
    XSS
    Why again about XSS?!
    Still one of the the most common web application
    security issues
    Ok, but please don't show me those alerts

    View Slide

  5. 5
    Prevention
    Input validation
    Output escaping depending on context
    httponly session cookie
    Browser based solutions: IE filter, NoScript
    ?

    View Slide

  6. CSP

    View Slide

  7. 7
    Content Security Policy
    Browser side mechanism to mitigate XSS attacks
    Source whitelists for client side resources of web
    application
    Content-Security-Policy HTTP header
    W3C Candidate Recommendation

    View Slide

  8. 8
    HTML Template
    Test XSS page
    Hello, {{ foo | safe }}!
    How it Works
    Demo URL
    http://127.0.0.1:5000/xss?foo=

    View Slide

  9. 9
    Without CSP

    View Slide

  10. 10
    Content-Security-Policy: img-src 'self'
    CSP in Action

    View Slide

  11. 11
    Policy
    Content-Security-Policy: default-src 'self'; script-src
    'self' static.example.com
    Control JavaScript
    HTML



    ...
    console.log
    Refused to load the script 'http://evil.net/evil.js'
    because it violates...

    View Slide

  12. 12
    Unsafe-inline and unsafe-eval
    • unsafe-inline allows:
    –Inline scripts and styles
    –onclick=”...”
    –javascrtipt:
    –You should not include it in the policy!
    • unsafe-eval allows:
    –eval()
    –new Function
    –setTimeout, setInterval with string as a first argument
    –You should not include it in the policy!

    View Slide

  13. 13
    Other Directives
    media-src – audio and video
    object-src - plugin objects (e.g. Flash)
    frame-src – iframe sources
    font-src – font files
    connect-src – XMLHttpRequest, WebSockets,
    EventSource

    View Slide

  14. 14
    {
    "csp-report": {
    "violated-directive": "img-src data: ...
    *.example.com",
    "referrer": "",
    "blocked-uri": "https://static.doubleclick.net",
    "document-uri": "https://example.com/foo",
    "original-policy": "default-src ...; report-uri
    csp.php"
    }
    }
    Reporting
    Content-Security-Policy-Report-Only: ...; report-uri csp.php
    Policy
    Log contents

    View Slide

  15. 15
    Browser Support
    Content-Security-Policy 25+ 23+
    1.7+
    X-Content-Security-Policy 4 - 22
    10 (sandbox)
    X-WebKit-CSP 14 - 25 5.1+
    Mobile browsers: 7.0+ 28+ 23+

    View Slide

  16. 16
    Bypass
    Manipulating HTTP response headers
    Implementation bugs: MFSA 2012-36: Content
    Security Policy inline-script bypass
    JSONP
    XSS without JS

    View Slide

  17. 17







    <br/>// Some inline code here<br/>
    See in the Next Version: nonce-source
    Content-Security-Policy: script-src 'self' nonce-Nc3n83cnSAd
    Policy
    HTML Code

    View Slide

  18. Case-study

    View Slide

  19. 19
    About the Service
    One of the most popular mail services in Russia
    Over 12 million email messages daily
    Lots of client side code and hosts to communicate
    with

    View Slide

  20. 20
    CSP Tester
    Extension for Chromium based browsers
    Simple and Advanced modes
    Content-Security-Policy and X-WebKit-
    CSP headers
    Help links for directives
    https://github.com/oxdef/csp-tester

    View Slide

  21. 21
    CSP Tester in action

    View Slide

  22. 22
    The Plan
    1.Test it on the corporate mail
    2.It's ok - let's try it on production in Report-
    Only mode
    3.Analyze tons of logs ;-(
    4.Fix bugs and improve the policy
    5.Switch to block mode
    6.Profit! :-)

    View Slide

  23. 23
    Changes in service
    Try to remove all inline code

    View Slide

  24. 24
    Log Analysis
    awk, grep, sort,head for gigabytes of logs?
    Yes, but we can do it in more complex way with
    help of Python
    Charts for directives and blocked URIs

    View Slide

  25. 25
    Problems
    Browser implementations differ
    3rd party JS libraries
    Inline styles in HTML letters
    Browser extensions
    What is that *** external code doing in our DOM?

    View Slide

  26. 26
    From Report-Only to Block mode
    Fix bugs from CSP logs
    Use only standard CSP HTTP header
    Allow browser extensions
    unsafe-inline for style-src
    unsafe-eval for script-src

    View Slide

  27. 27
    Tips
    Teach your front-end developers
    Add CSP as security requirement for new products
    Don't forget about mobile versions!
    Research your core front-end components to
    support CSP
    Assign developer responsible for CSP

    View Slide

  28. 28
    CSP Based IDS
    Magic
    XSS
    XSS
    XSS
    Test & Fix

    View Slide

  29. 29
    Conclusion
    CSP is not a panacea
    but it's a good «yet another level» to
    protect your users against XSS attacks

    View Slide

  30. 30
    To be continued ;-)

    View Slide

  31. Taras Ivashchenko
    Information Security Officer
    [email protected]
    http://company.yandex.com/security
    Thanks

    View Slide