Link
Embed
Share
Beginning
This slide
Copy link URL
Copy link URL
Copy iframe embed code
Copy iframe embed code
Copy javascript embed code
Copy javascript embed code
Share
Tweet
Share
Tweet
Slide 1
Slide 1 text
Defeating cross-site scripting with Content Security Policy François Marier – @fmarier
Slide 2
Slide 2 text
what is a cross-site scripting (aka “XSS”) attack?
Slide 3
Slide 3 text
No content
Slide 4
Slide 4 text
No content
Slide 5
Slide 5 text
No content
Slide 6
Slide 6 text
No content
Slide 7
Slide 7 text
preventing XSS attacks
Slide 8
Slide 8 text
print <<
$title
EOF;
Slide 9
Slide 9 text
$title = escape($title); print <<
$title
EOF;
Slide 10
Slide 10 text
templating system
Slide 11
Slide 11 text
page.tpl:
{title}
page.php: render(“page.tpl”, $title);
Slide 12
Slide 12 text
auto-escaping turned ON
Slide 13
Slide 13 text
page.tpl:
{title|raw}
page.php: render(“page.tpl”, $title);
Slide 14
Slide 14 text
auto-escaping turned ON escaping always ON
Slide 15
Slide 15 text
browser default = allow all the real problem:
Slide 16
Slide 16 text
No content
Slide 17
Slide 17 text
a way to get the browser to enforce the restrictions you want on your site
Slide 18
Slide 18 text
$ curl --head http://example.com/ Content-Security-Policy: default-src 'self' ; img-src 'self' data ;
Slide 19
Slide 19 text
$ curl --head https://example.com/login Content-Security-Policy: default-src 'self' ; img-src 'self' data ; frame-src 'self' https://login.persona.org ; script-src 'self' https://login.persona.org
Slide 20
Slide 20 text
$ curl --head http://fmarier.org/ Content-Security-Policy: default-src 'none' ; img-src 'self' ; style-src 'self' ; font-src 'self'
Slide 21
Slide 21 text
, & <style> & <link> <img> <audio>, <video>, <source> & <track> <frame> & <iframe> @font-face WebSocket, EventSource, & XMLHttpRequest
Slide 22
Slide 22 text
>= 10 >= 6
Slide 23
Slide 23 text
what does a CSP-enabled website look like?
Slide 24
Slide 24 text
No content
Slide 25
Slide 25 text
No content
Slide 26
Slide 26 text
unless explicitly allowed by your policy inline scripts are not executed
Slide 27
Slide 27 text
No content
Slide 28
Slide 28 text
No content
Slide 29
Slide 29 text
unless explicitly allowed by your policy external resources are not loaded
Slide 30
Slide 30 text
preparing your website for CSP (aka things you can do today)
Slide 31
Slide 31 text
eliminate inline scripts and styles
Slide 32
Slide 32 text
do_stuff();
Slide 33
Slide 33 text
Slide 34
Slide 34 text
eliminate javascript: URIs
Slide 35
Slide 35 text
Go!
Slide 36
Slide 36 text
Go!
var button = document.getElementById('go-button'); button.onclick = go;
Slide 37
Slide 37 text
rolling out CSP
Slide 38
Slide 38 text
start with a loose policy
Slide 39
Slide 39 text
default-src 'self' *.example.com data;
Slide 40
Slide 40 text
default-src 'self' *.example.com data; options unsafe-inline
Slide 41
Slide 41 text
work towards a stricter policy
Slide 42
Slide 42 text
default-src 'self'; img-src 'self' static.example.com data; style-src static.example.com; script-src static.example.com
Slide 43
Slide 43 text
use the reporting mode
Slide 44
Slide 44 text
Content-Security-Policy-Report-Only: default-src 'none' ; report-uri http://example.com/report.cgi
Slide 45
Slide 45 text
{ "csp-report": { "document-uri": "http://example.com/page.html", "referrer": "http://evil.example.com/haxor.html", "blocked-uri": "http://evil.example.com/foo.png", "violated-directive": "default-src 'none'", "original-policy": "default-src 'none' ... " } }
Slide 46
Slide 46 text
add headers in web server config
Slide 47
Slide 47 text
Header set Content-Security-Policy "default-src 'self' ; script-src 'self' http://example.org"
Slide 48
Slide 48 text
not a replacement for proper XSS hygiene
Slide 49
Slide 49 text
great tool to increase the depth of your defenses
Slide 50
Slide 50 text
@fmarier http://fmarier.org Spec: http://www.w3.org/TR/CSP/ HOWTO: https://developer.mozilla.org/en/Security/CSP Online tool: http://cspisawesome.com/ Firefox add-on: https://addons.mozilla.org/en-US/firefox/addon/newusercspdesign/
Slide 51
Slide 51 text
bonus HTTP header 100 % FREE!
Slide 52
Slide 52 text
No content
Slide 53
Slide 53 text
No content
Slide 54
Slide 54 text
No content
Slide 55
Slide 55 text
wouldn't it be nice if the browser...
Slide 56
Slide 56 text
...blocked all HTTP requests there?
Slide 57
Slide 57 text
HTTP Strict Transport Security
Slide 58
Slide 58 text
$ curl --head https://login.persona.org HTTP/1.1 200 OK Vary: Accept-Encoding,Accept-Language Cache-Control: public, max-age=0 Content-Type: text/html; charset=utf8 Strict-Transport-Security: max-age=2592000 Date: Thu, 16 Aug 2012 03:29:19 GMT ETag: "2943768d6a45793897e83bf8804cd711" Connection: keep-alive X-Frame-Options: DENY Content-Length: 5374
Slide 59
Slide 59 text
No content
Slide 60
Slide 60 text
HTTPS only site turn HSTS on
Slide 61
Slide 61 text
Specs: http://www.w3.org/TR/CSP/ https://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec HOWTOs: https://developer.mozilla.org/en/Security/CSP https://developer.mozilla.org/en/Security/HTTP_Strict_Transport_Security Online tool: http://cspisawesome.com/ Firefox add-on: https://addons.mozilla.org/en-US/firefox/addon/newusercspdesign/ @fmarier http://fmarier.org
Slide 62
Slide 62 text
Photo credits: Biohazard wallpaper: http://www.flickr.com/photos/rockyx/4273385120/ Under Construction: https://secure.flickr.com/photos/aguichard/6864586905/ Castle walls: https://secure.flickr.com/photos/rdale/585105348/ Wash hands: https://secure.flickr.com/photos/hygienematters/4504612019/ Copyright © 2013 François Marier Released under the terms of the Creative Commons Attribution Share Alike 3.0 Unported Licence