$30 off During Our Annual Pro Sale. View Details »

Content Security Policy - the panacea for XSS or placebo?

oxdef
August 22, 2013
Programming
0
240

Content Security Policy - the panacea for XSS or placebo?

OWASP AppSec Research EU 2013

oxdef

August 22, 2013
Tweet

More Decks by oxdef

See All by oxdef
How to improve software security with OWASP open source initiatives
oxdef
0
110
Keynote at ZeroNights X (2021)
oxdef
0
77
Security Culture: Here be Hackers
oxdef
0
350
OWASP Top 10 - 2017 What’s inside?
oxdef
0
310
И разработчик станет хакером!
oxdef
0
32
Implementing Content Security Policy at a Large Scale
oxdef
0
360
Security in developer’s life: knowledge is power
oxdef
0
230
HTTPS by default - no more clear
oxdef
0
23
Web Application Security: future standards and technologies
oxdef
0
230

Other Decks in Programming

See All in Programming
JakartaEE_for_Spring_OttawaJUG-2023.pdf
ivargrimstad
0
110
​고군분투 LLM 프로덕트 적용기: Blind Prompting 부터 Agent까지
huffon
2
1.2k
[Helvetic Ruby 2023] Profiling Ruby tests with Swiss precision
palkan
0
350
日時処理の新スタンダード: Synchro によるタイムゾーン安全、楽々開発
codehex
0
660
Developing a Vim plugin with Ruby
okuramasafumi
0
230
未定義動作でFizz Buzz / Undefined Fizz Buzz
kaityo256
PRO
1
390
緊急SOS!KubernetesのCompletedな10万Jobぜんぶ消す
tk3fftk
2
210
個人から始める開発生産性向上
takamin55
1
220
Kyo - Functional Scala 2023
fwbrasil
0
2k
PHP and Symfony Apps As Standalone Binaries
dunglas
1
850
集団意思決定の落とし穴と誰も望まない技術的負債
h0r15h0
0
2.7k
Cloudflare Workers は楽しい!
codehex
8
2.3k

Featured

See All Featured
Facilitating Awesome Meetings
lara
37
5.2k
Into the Great Unknown - MozCon
thekraken
7
660
BBQ
matthewcrist
76
8.5k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
13
5.9k
Git: the NoSQL Database
bkeepers
PRO
420
62k
Done Done
chrislema
178
15k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
152
14k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
39
4k
Teambox: Starting and Learning
jrom
125
8.2k
Designing for Performance
lara
601
66k
What the flash - Photography Introduction
edds
64
11k
Visualization
eitanlees
131
13k

Transcript

  1. Taras Ivashchenko
    Information Security Officer
    CSP - the
    panacea for XSS
    or placebo?

    View Slide

  2. 2
    $ whoami
    Information security officer at Yandex's product
    security team
    Web application security researcher
    Yet another security blogger www.oxdef.info

    View Slide

  3. XSS

    View Slide

  4. 4
    XSS
    Why again about XSS?!
    Still one of the the most common web application
    security issues
    Ok, but please don't show me those alerts

    View Slide

  5. 5
    Prevention
    Input validation
    Output escaping depending on context
    httponly session cookie
    Browser based solutions: IE filter, NoScript
    ?

    View Slide

  6. CSP

    View Slide

  7. 7
    Content Security Policy
    Browser side mechanism to mitigate XSS attacks
    Source whitelists for client side resources of web
    application
    Content-Security-Policy HTTP header
    W3C Candidate Recommendation

    View Slide

  8. 8
    HTML Template
    Test XSS page
    Hello, {{ foo | safe }}!
    How it Works
    Demo URL
    http://127.0.0.1:5000/xss?foo=

    View Slide

  9. 9
    Without CSP

    View Slide

  10. 10
    Content-Security-Policy: img-src 'self'
    CSP in Action

    View Slide

  11. 11
    Policy
    Content-Security-Policy: default-src 'self'; script-src
    'self' static.example.com
    Control JavaScript
    HTML



    ...
    console.log
    Refused to load the script 'http://evil.net/evil.js'
    because it violates...

    View Slide

  12. 12
    Unsafe-inline and unsafe-eval
    • unsafe-inline allows:
    –Inline scripts and styles
    –onclick=”...”
    –javascrtipt:
    –You should not include it in the policy!
    • unsafe-eval allows:
    –eval()
    –new Function
    –setTimeout, setInterval with string as a first argument
    –You should not include it in the policy!

    View Slide

  13. 13
    Other Directives
    media-src – audio and video
    object-src - plugin objects (e.g. Flash)
    frame-src – iframe sources
    font-src – font files
    connect-src – XMLHttpRequest, WebSockets,
    EventSource

    View Slide

  14. 14
    {
    "csp-report": {
    "violated-directive": "img-src data: ...
    *.example.com",
    "referrer": "",
    "blocked-uri": "https://static.doubleclick.net",
    "document-uri": "https://example.com/foo",
    "original-policy": "default-src ...; report-uri
    csp.php"
    }
    }
    Reporting
    Content-Security-Policy-Report-Only: ...; report-uri csp.php
    Policy
    Log contents

    View Slide

  15. 15
    Browser Support
    Content-Security-Policy 25+ 23+
    1.7+
    X-Content-Security-Policy 4 - 22
    10 (sandbox)
    X-WebKit-CSP 14 - 25 5.1+
    Mobile browsers: 7.0+ 28+ 23+

    View Slide

  16. 16
    Bypass
    Manipulating HTTP response headers
    Implementation bugs: MFSA 2012-36: Content
    Security Policy inline-script bypass
    JSONP
    XSS without JS

    View Slide

  17. 17







    <br/>// Some inline code here<br/>
    See in the Next Version: nonce-source
    Content-Security-Policy: script-src 'self' nonce-Nc3n83cnSAd
    Policy
    HTML Code

    View Slide

  18. Case-study

    View Slide

  19. 19
    About the Service
    One of the most popular mail services in Russia
    Over 12 million email messages daily
    Lots of client side code and hosts to communicate
    with

    View Slide

  20. 20
    CSP Tester
    Extension for Chromium based browsers
    Simple and Advanced modes
    Content-Security-Policy and X-WebKit-
    CSP headers
    Help links for directives
    https://github.com/oxdef/csp-tester

    View Slide

  21. 21
    CSP Tester in action

    View Slide

  22. 22
    The Plan
    1.Test it on the corporate mail
    2.It's ok - let's try it on production in Report-
    Only mode
    3.Analyze tons of logs ;-(
    4.Fix bugs and improve the policy
    5.Switch to block mode
    6.Profit! :-)

    View Slide

  23. 23
    Changes in service
    Try to remove all inline code

    View Slide

  24. 24
    Log Analysis
    awk, grep, sort,head for gigabytes of logs?
    Yes, but we can do it in more complex way with
    help of Python
    Charts for directives and blocked URIs

    View Slide

  25. 25
    Problems
    Browser implementations differ
    3rd party JS libraries
    Inline styles in HTML letters
    Browser extensions
    What is that *** external code doing in our DOM?

    View Slide

  26. 26
    From Report-Only to Block mode
    Fix bugs from CSP logs
    Use only standard CSP HTTP header
    Allow browser extensions
    unsafe-inline for style-src
    unsafe-eval for script-src

    View Slide

  27. 27
    Tips
    Teach your front-end developers
    Add CSP as security requirement for new products
    Don't forget about mobile versions!
    Research your core front-end components to
    support CSP
    Assign developer responsible for CSP

    View Slide

  28. 28
    CSP Based IDS
    Magic
    XSS
    XSS
    XSS
    Test & Fix

    View Slide

  29. 29
    Conclusion
    CSP is not a panacea
    but it's a good «yet another level» to
    protect your users against XSS attacks

    View Slide

  30. 30
    To be continued ;-)

    View Slide

  31. Taras Ivashchenko
    Information Security Officer
    [email protected]
    http://company.yandex.com/security
    Thanks

    View Slide