Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Implementing Content Security Policy at a Large Scale

oxdef
November 17, 2017
Programming
0
320

Implementing Content Security Policy at a Large Scale

The reality is that XSSs are there, despite of the development of built-in security mechanisms of modern browsers and frameworks with escaping enabled by default. The Content Security Policy seems to be a quite powerful countervailing measure, while it is an open standard. Yandex have gained extensive expertise in implementing CSP at a large scale. In this talk we will discuss tips and tricks for implementing the technology in many services.

ZeroNights 2017

oxdef

November 17, 2017
Tweet

More Decks by oxdef

See All by oxdef
How to improve software security with OWASP open source initiatives
oxdef
0
82
Keynote at ZeroNights X (2021)
oxdef
0
46
Security Culture: Here be Hackers
oxdef
0
300
OWASP Top 10 - 2017 What’s inside?
oxdef
0
260
И разработчик станет хакером!
oxdef
0
30
Security in developer’s life: knowledge is power
oxdef
0
190
HTTPS by default - no more clear
oxdef
0
14
Web Application Security: future standards and technologies
oxdef
0
200
Content Security Policy - the panacea for XSS or placebo?
oxdef
0
200

Other Decks in Programming

See All in Programming
デザイナーと協業しているNuxtプロジェクトを、ChromaticによるVRTでさらに改善した話
mozu1206
0
250
Studio Botを遠くから眺める
shinmiy
0
140
KubeCon + CNCon Europe 2023 Recap Flux Beyond Git: Harnessing the Power of OCI
ksudate
0
240
Swagger Codegenで楽にSwiftのModelを生成する / Easily generate Swift Models with Swagger Codegen
naokimrmt
0
130
失敗から学ぶBtoB SaaSでカオスを招かない個社カスタマイズ開発の考え方 #開発話
77web
1
350
Devoxx UK - Java Life is Short
kdubois
0
180
若者とGPTのすべて
pyama86
0
200
Ruby JIT Hacking Guide / RubyKaigi 2023
k0kubun
0
3.5k
ランニングコストやっべぇぞ!ECS/FargateでECRへのアクセスについて
honma12345
0
830
新人PHPer向け 圧倒的に差をつける仕事の進め方 #phpstudy
77web
2
550
enjoy_conferences
maimux2x
0
4.9k
2023年5月ミートアップRubyKaigi2023スペシャル
umizaru
0
5.1k

Featured

See All Featured
How GitHub Uses GitHub to Build GitHub
holman
466
280k
Fantastic passwords and where to find them - at NoRuKo
philnash
33
2k
Pencils Down: Stop Designing & Start Developing
hursman
115
10k
Building an army of robots
kneath
300
41k
WebSockets: Embracing the real-time Web
robhawkes
58
6.2k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
658
120k
Happy Clients
brianwarren
90
5.9k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
33
21k
In The Pink: A Labor of Love
frogandcode
133
21k
Ruby is Unlike a Banana
tanoku
93
9.7k
[RailsConf 2023] Rails as a piece of cake
palkan
6
1.5k
A better future with KSS
kneath
230
16k

Transcript

  1. View Slide

  2. Content Security Policy.
    How to implement on an
    industrial scale
    Security

    View Slide

  3. $ whois
    Product security team lead in Yandex
    OWASP Russia chapter leader
    Yet another security blogger oxdef.info

    View Slide

  4. Does anybody use CSP?

    View Slide

  5. < 1% of all sites :-( But …

    View Slide

  6. Empty slide about XSS
    Because no more slides about XSS

    View Slide

  7. Content security policy

    View Slide

  8. Content security policy
    Browser side mechanism to mitigate XSS attacks
    Open live standard www.w3.org/TR/CSP
    Source whitelists and signatures for client side code and
    resources of web application
    Content-Security-Policy and Content-Security-Policy-
    Report-Only HTTP headers
    HTML meta element

    View Slide

  9. View Slide

  10. In a nutshell
    Policy
    default-src 'none'; script-src 'nonce-Nc3n83cnSAd' static.example.com
    HTML





    View Slide

  11. unsafe-inline and unsafe-eval
    unsafe-inline
    Inline scripts and styles
    onclick="..."
    javascrtipt:
    unsafe-eval
    eval()
    new Function
    setTimeout , setInterval with string as a first argument

    View Slide

  12. Other directives
    style-src - CSS styles
    media-src – audio and video
    object-src - plugin objects (e.g. Flash)
    frame-src – iframe sources
    font-src – font files
    connect-src - XMLHttpRequest, WebSocket

    View Slide

  13. When CSP protects against XSS
    In order to protect against XSS, web application authors SHOULD include:
    both the script-src and object-src directives, or
    include a default-src directive, which covers both scripts and plugins.
    In either case, authors SHOULD NOT include either 'unsafe-inline' or data: as
    valid sources in their policies. Both enable XSS attacks by allowing code to be
    included directly in the document itself; they are best avoided completely.
    www.w3.org/TR/CSP2/

    View Slide

  14. When CSP stronger protects against XSS
    Default value should be 'none'
    Strictly specify base-uri
    Avoid wildcard sources in source lists of directives
    Minimize source lists
    Exam script-src sources against JSONP endpoints
    Use strict style-src value

    View Slide

  15. Reporting
    Policy
    Content-Security-Policy-Report-Only: ...; report-uri /csp-log
    Log contents
    "csp-report": {
    "violated-directive": "img-src data: ...*.example.com",
    "blocked-uri": "https://static.doubleclick.net",
    "document-uri": "https://example.com/foo",
    "original-policy": "default-src ...; report-uri /csp-log"
    }

    View Slide

  16. What is current version?
    CSPv2 W3C Candidate Recommendation
    CSPv3 W3C Working Draft
    CSPv2 vs. CSPv3
    The specification has been rewritten from the ground up in terms of the
    FETCH specification
    The strict-dynamic source expression will now allow script which executes on
    a page to load more script via non-“parser-inserted” script elements.
    report-uri → report-to
    More directives: manifest-src , disown-opener

    View Slide

  17. Browser support
    Google Chrome 25+
    Mozilla Firefox 23+
    Yandex Browser 1.7+
    Safari 10.2+
    MS Edge 14+

    View Slide

  18. Bypass?!

    View Slide

  19. Bypass ways
    Manipulating HTTP response headers
    Implementation bugs
    JSONP
    Script gadgets
    XSS without JS

    View Slide

  20. Pain Experience

    View Slide

  21. Yandex scale
    At least 50+ public complex services yandex.ru/all
    Thousands of developers
    Lots of client side code and hosts to communicate with
    Error in policy can cause problems for millions of users
    Many 3rd party JavaScript libraries
    Legacy code

    View Slide

  22. Main goal is to
    implement CSP into all
    services.

    View Slide

  23. View Slide

  24. Education
    Detailed guide at internal security portal
    What is CSP
    How to prepare service to implement CSP
    Policy best practices
    Tools
    FAQ
    Contact form
    Internal activities and talks
    Hype ^_-

    View Slide

  25. View Slide

  26. CSP Tester as extension
    Extension for Chromium based browsers and Mozilla Firefox
    Simple and Advanced modes
    Help links for directives
    github.com/yandex/csp-tester

    View Slide

  27. CSP Tester in action

    View Slide

  28. CSP Tester as service
    Self-checking service
    Education
    Part of global automated security control Molly
    Approximately 50 tests
    API

    View Slide

  29. CSP Tester service in action

    View Slide

  30. Other stuff
    Collector for CSP logs from all services
    Support and modules for core front-end components, e.g. middleware for
    Express/NodeJS
    CSP log parser CSP Reporter

    View Slide

  31. View Slide

  32. Manage and control
    High level tickets to implement CSP for all services
    Mandatory requirement for all new services
    Final security review and robots
    CSP checks are integrated into automation security scanning process by
    Molly

    View Slide

  33. Public JavaScript API changes
    Let’s make our public JavaScript API more friendly to CSP
    Yandex Metrica counter
    Yandex Maps API

    View Slide

  34. Problems and solutions
    3rd party JavaScript components
    3rd party services without built-in CSP support
    Wildcard sources
    Big size of policy
    JSONP
    Legacy code

    View Slide

  35. Summary
    Teach your front-end developers
    Implement CSP into existing services
    Add CSP as security requirement for new ones
    Don’t forget about mobile versions
    Research your core front-end components to support CSP
    Keep your CSP policy clean, minimal and strict

    View Slide

  36. It could be difficult but
    you should try it…

    View Slide

  37. to make your users safer!

    View Slide

  38. Q&A

    View Slide

  39. Taras Ivashchenko
    Product security team
    [email protected]
    oxdef
    @oxdef
    Contacts

    View Slide