Slide 1

CSP: powerful security steroid
Chrome Tech Talk Night #9 #chromejp 2017/02/09

Slide 2

Jack

Slide 3

mozaic.fm

Slide 4

Content Steroid Protein (C-S-P)

Slide 5

Content Steroid Protein -> Content Security Policy

Slide 6


Slide 7

Policy of Security for Content
● This content is allowed to:
  ○ execute inline script?
  ○ load assets from origin xxx?
  ○ embed an iframe?
  ○ load mixed content?
  ○ etc.

Slide 8

How to apply CSP
● via HTTP response header
● via <meta> tag (http-equiv); note that frame-ancestors, report-uri and sandbox are ignored when delivered this way
Content-Security-Policy: $policy

Slide 9

CSP directives
● fetch directives
● document directives
● navigation directives
● reporting directives

Slide 10

fetch directives
● default-src
● child-src
● connect-src
● font-src
● frame-src
● img-src
● manifest-src
● media-src
● object-src
● script-src
● style-src
● worker-src
Each directive takes a whitelist of allowed origins; a fetch directive that is not set falls back to default-src.
ex) img-src http://jxck.io; default-src 'self'
(child-src is deprecated in CSP3: frame-src and worker-src take precedence when present.)

Slide 11

document directives
● base-uri
  ○ allowed URLs for <base>
● plugin-types
  ○ allowed MIME types for <object> / <embed>
● sandbox
  ○ the document behaves like a sandboxed iframe
● disown-opener
  ○ behaves like rel=noopener
(plugin-types and disown-opener were 2017 draft directives that were later dropped from CSP3; disown-opener's job is now done by Cross-Origin-Opener-Policy.)

Slide 12

navigation directives
● form-action
  ○ allowed action URLs for <form>
● frame-ancestors
  ○ allowed origins that may embed this document (the CSP replacement for X-Frame-Options)
● navigate-to
  ○ allowed origins to navigate to (a, form, window.location, etc.)
(navigate-to never shipped in a release browser and was later removed from the CSP3 draft.)

Slide 13

reporting directives
● report-uri
  ○ deprecated in CSP3
  ○ kept only as a fallback for browsers without report-to
● report-to
  ○ names a reporting group (defined in the Report-To / Reporting-Endpoints header) that violation reports are sent to
  ○ in practice send both: a browser that understands report-to ignores report-uri

Slide 14

CSP keywords
● 'self'
  ○ only the document's own origin
● 'none'
  ○ nothing is allowed (empty whitelist)
● 'unsafe-inline'
  ○ allow inline <script> / <style> (and inline event handlers)
● 'unsafe-eval'
  ○ allow eval() and friends (new Function, string arguments to setTimeout) in JS
● 'nonce-<base64>' / 'sha256-<hash>'
  ○ allow an inline script or style that carries that nonce attribute, or whose content has that hash
● 'strict-dynamic'
  ○ trust propagates from nonce/hash-allowed scripts to the scripts they load dynamically; host whitelists and 'unsafe-inline' are then ignored
● 'unsafe-hashed-attributes'
  ○ lets hash sources also match inline event handler and style attributes (renamed 'unsafe-hashes' in CSP3)

Slide 15

Most Powerful Policy
● can I have...
  ○ jQuery from a CDN? : No
  ○ Google Analytics? : No
  ○ YouTube? : No
  ○ an iframe... : NO!
  ○ inline... : Never!!
Content-Security-Policy: default-src 'self'
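
The directive fallback, the keywords and the "most powerful policy" above can be checked mechanically. The following is an added example written for this page, not code from the talk or from any browser: a small evaluator for CSP fetch directives that models fallback to default-src, the 'self' / 'none' / 'unsafe-inline' keywords, nonce-sources, scheme-sources and host-sources with a leading "*." wildcard. Paths, ports, hash-sources, 'strict-dynamic' and the child-src fallback chain are deliberately left out. The document origin https://blog.jxck.io is taken from the talk; the second policy and the nonce value r4nd0m are made up for the example.

```javascript
"use strict";
// Added example (not from the talk): a minimal evaluator for CSP fetch directives.

// "default-src 'self'; img-src https://jxck.io" -> Map(name -> [source, ...]).
// The first occurrence of a directive wins; later duplicates are ignored, as in the spec.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// A fetch directive that is absent falls back to default-src (simplified: the real chain
// for frame-src/worker-src goes via child-src first). If neither is present the request
// is unrestricted. Returns [governingDirective, sources].
function governingSources(directives, directive) {
  if (directives.has(directive)) return [directive, directives.get(directive)];
  if (directives.has("default-src")) return ["default-src", directives.get("default-src")];
  return [null, null];
}

// req is { directive, url } for a fetched resource, or
// { directive, inline: true, nonce? } for an inline <script>/<style>.
function sourceMatches(src, req, documentOrigin) {
  if (src === "'none'") return false;
  if (req.inline) {
    if (src === "'unsafe-inline'") return true;
    // nonce-sources are case-sensitive; the inline element must carry the same nonce attribute
    return req.nonce !== undefined && src === `'nonce-${req.nonce}'`;
  }
  const target = new URL(req.url);
  const s = src.toLowerCase();
  if (s === "'self'") return target.origin === documentOrigin;
  if (s === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return target.protocol === s; // scheme-source, e.g. "wss:"
  if (s.startsWith("'")) return false; // remaining keywords never match a URL
  // host-source: [scheme://]host[/path]; only scheme and host are compared here
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/]+)/);
  if (!m) return false;
  const [, scheme, host] = m;
  if (scheme && target.protocol !== `${scheme}:`) return false;
  if (host.startsWith("*.")) return target.hostname.endsWith(host.slice(1)); // "*.jxck.io" excludes "jxck.io"
  return target.hostname === host;
}

// Decide whether a request is allowed under `header` for a document at `documentOrigin`.
// The two directive names returned are the ones a violation report carries.
function evaluate(header, req, documentOrigin) {
  const [governing, rawSources] = governingSources(parsePolicy(header), req.directive);
  if (governing === null) return { allowed: true, violatedDirective: null, effectiveDirective: req.directive };
  // CSP3: if a nonce- or hash-source is present, 'unsafe-inline' is ignored, so browsers
  // that understand nonces enforce them while older ones still fall back to it.
  const hasNonceOrHash = rawSources.some((s) => /^'(nonce|sha256|sha384|sha512)-/.test(s));
  const sources = hasNonceOrHash ? rawSources.filter((s) => s !== "'unsafe-inline'") : rawSources;
  const allowed = sources.some((s) => sourceMatches(s, req, documentOrigin));
  return { allowed, violatedDirective: governing, effectiveDirective: req.directive };
}

// The slide's "most powerful policy", checked against the slide's own questions.
// The document origin is assumed to be the blog from the talk.
const STRICT_POLICY = "default-src 'self'";
const DOC_ORIGIN = "https://blog.jxck.io";

function strictPolicyDemo() {
  const check = (req) => evaluate(STRICT_POLICY, req, DOC_ORIGIN).allowed;
  return {
    ownImage: check({ directive: "img-src", url: "https://blog.jxck.io/logo.png" }), // true
    jqueryFromCdn: check({ directive: "script-src", url: "https://code.jquery.com/jquery-3.0.0.min.js" }), // false
    youtubeIframe: check({ directive: "frame-src", url: "https://www.youtube.com/embed/abc" }), // false
    inlineScript: check({ directive: "script-src", inline: true }), // false
  };
}

// A looser policy showing fallback, the "*." wildcard and a nonce
// (policy and nonce value are made up for this example).
const LOOSER_POLICY =
  "default-src 'self'; img-src https://*.jxck.io; script-src 'nonce-r4nd0m' 'unsafe-inline'";

function looserPolicyDemo() {
  const check = (req) => evaluate(LOOSER_POLICY, req, DOC_ORIGIN);
  return {
    imgSubdomain: check({ directive: "img-src", url: "https://cdn.jxck.io/a.png" }).allowed, // true
    imgApex: check({ directive: "img-src", url: "https://jxck.io/a.png" }).allowed, // false: wildcard needs a subdomain
    fontFallback: check({ directive: "font-src", url: "https://fonts.example/a.woff2" }), // blocked via default-src
    inlineNoNonce: check({ directive: "script-src", inline: true }).allowed, // false: 'unsafe-inline' ignored
    inlineWithNonce: check({ directive: "script-src", inline: true, nonce: "r4nd0m" }).allowed, // true
  };
}
```

Call strictPolicyDemo() and looserPolicyDemo() to see the answers from the slide reproduced; fontFallback also carries violatedDirective "default-src" and effectiveDirective "font-src", which is exactly the pair a browser puts into a violation report when a missing directive falls back.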

Slide 16

Example: XSS

Slide 17

No more escaping input?
● CSP only enforces a policy, it does not detect attacks
  ○ if the policy has a hole, an incident is still possible
  ○ old browsers do not implement CSP at all
● do the security work (escaping, etc.) and add CSP on top as cover
  ○ if a security hole exists, CSP blocks the attack

Slide 18

case study: github.com

Slide 19

Does it really work??

Slide 20

report-uri
● the browser POSTs each violation as a JSON report (Content-Type: application/csp-report) to the URI
Content-Security-Policy: default-src 'self'; report-uri https://report-server/...
{
  "csp-report": {
    "document-uri": "...",
    "referrer": "...",
    "blocked-uri": "...",
    "violated-directive": "...",
    "original-policy": "..."
  }
}

Slide 21

A report doesn't tell me about the attack
● you can know WHAT happened
  ○ document URI
  ○ violated directive
● you can't know WHY it happened
  ○ an attack? or not?
● you can't know WHAT the result was for the USER
  ○ an ad image not displayed?
  ○ couldn't read the article?

Slide 22

Is it really... OK...?

Slide 23

Too strict to deploy immediately
● hard to make sure your policy is right
  ○ crawling your staging site with a browser
● real world problems
  ○ every user runs a different browser with different settings
● deploy to production immediately?
  ○ bad experience for users?
  ○ is that worse than the attack it would block?

Slide 24

Content-Security-Policy-Report-Only
● only sends reports, blocks nothing
  ○ you only find out WHAT happened
● roll out by removing Report-Only
  ○ after you finish testing the policy
  ○ but I think it's optional
  ○ finding out what happened is enough for integration

Slide 25

1 Year Experience

Slide 26

blog.jxck.io
● basically static content only
  ○ no
  ○ no dynamically generated content
  ○ no CDN
● potentially no XSS
  ○ violations come from non-XSS causes
  ○ or from attacks I did not expect

Slide 27

Current Settings
content-security-policy-report-only:
  default-src 'self' https://jxck.io https://*.jxck.io https://www.google-analytics.com;
  child-src https://blog.jxck.io https://www.youtube.com;
  connect-src wss://ws.jxck.io;
  report-uri https://jxck.report-uri.io/...

Slide 28

CSP reports (2016/3 ~ now): chart of report volume over time, annotated "deploy", "fixup csp setting", "non critical reports"

Slide 29

CSP Report case#1
● a script appended via a bookmarklet (maybe)
{
  "csp-report": {
    "document-uri": "https://blog.jxck.io/entries/...",
    "referrer": "https://blog.jxck.io/",
    "violated-directive": "script-src",
    "effective-directive": "script-src",
    "original-policy": "default-src 'self' https://jxck.io...",
    "disposition": "report",
    "blocked-uri": "https://code.jquery.com/jquery-3.0.0.min.js",
    "line-number": 1,
    "column-number": 108,
    "status-code": 0
  }
}

Slide 30

CSP Report case#2
● browser extension
{
  "csp-report": {
    "document-uri": "https://blog.jxck.io/entries/...",
    "violated-directive": "default-src 'self' https://jxck.io ...",
    "effective-directive": "img-src",
    "original-policy": "default-src 'self' https://jxck.io ...",
    "blocked-uri": "ms-browser-extension",
    "status-code": 0
  }
}

Slide 31

CSP Report case#3
● inline style from Chrome's plain-text viewer (.txt, .md, .xml)
{
  "csp-report": {
    "document-uri": "https://jxck.io/humans.txt",
    "referrer": "",
    "violated-directive": "style-src",
    "effective-directive": "style-src",
    "original-policy": "default-src 'self' https://*.jxck.io...",
    "disposition": "report",
    "blocked-uri": "inline",
    "line-number": 1,
    "status-code": 0
  }
}

Slide 32

CSP Report case#3
● inline style from Chrome's plain-text viewer (.txt, .md, .xml)

Slide 33

CSP Report case#4
● inline style from Firefox view-source:
{
  "csp-report": {
    "blocked-uri": "self",
    "document-uri": "view-source",
    "original-policy": "...",
    "script-sample": "-moz-tab-size: 4",
    "source-file": "view-source:https://blog.jxck.io/entries/...",
    "violated-directive": "default-src view-source:// ..."
  }
}

Slide 34

CSP Report case#4
● inline style from Firefox view-source:

Slide 35

CSP Report case#5
● about://blank
{
  "csp-report": {
    "document-uri": "about://blank",
    "violated-directive": "default-src 'self' https://jxck.io...",
    "effective-directive": "img-src",
    "original-policy": "default-src 'self' https://jxck.io...",
    "blocked-uri": "data",
    "status-code": 0
  }
}

Slide 36

More and more...

Slide 37

Content Steroid Protein

Slide 38

Steroid (powerful but...)
● a blog for engineers
  ○ bookmarklets, extensions, local proxies, etc.
  ○ users normally rearrange content for themselves
● almost all of it seems not to be an attack
  ○ do I really need to block it?
  ○ safer? or just an inconvenience?
● protected / crippled
  ○ depends on the content
  ○ GitHub / Twitter, etc.

Slide 39

Mixed Content

Slide 40

Finding Mixed Content
● mixed content
  ○ an HTTP subresource in an HTTPS page
  ○ tampering by a MITM cannot be ruled out
  ○ no green URL bar
● active
  ○ can modify the embedding DOM (script, iframe, etc.)
  ○ blocked by the browser
● passive
  ○ cannot modify the embedding DOM (img, video, audio, etc.)
  ○ console warning, but not blocked

Slide 41

HTTPS Everywhere vs Mixed Content
● where mixed content comes from
  ○ consumer generated media
  ○ ads
  ○ legacy hard-coded URLs
● if mixed
  ○ insecure URL bar
  ○ broken content
  ○ invisible ads

Slide 42

upgrade-insecure-requests
● the browser fetches every http:// subresource URL as https:// instead
  ○ the request fails (404, or a connection error if the host has no HTTPS) where the upgraded URL is not served
  ○ never mixed content
● avoid mixed content with a single header
  ○ no need to modify the content
  ○ find mixed content by looking for the failing upgraded requests in your server's access.log (only works for your own hosts)
Content-Security-Policy: upgrade-insecure-requests

Slide 43

block-all-mixed-content
● blocks passive mixed content too (active is blocked by default anyway)
  ○ content breaks if it is mixed
  ○ but never mixed content
● combine with CSP reporting
  ○ Report-Only does not break content
  ○ find mixed content from the CSP reports
Content-Security-Policy: block-all-mixed-content
(Current browsers auto-upgrade or block passive mixed content on their own, so this directive is now obsolete; upgrade-insecure-requests is the one that still matters.)
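
To make the active/passive split and the upgrade concrete, here is an added example written for this page, not code from the talk or from any browser: a dependency-free scan of an HTML document that lists every http:// subresource on an https:// page, classifies it the way browsers do, and shows the URL that upgrade-insecure-requests would fetch instead. The attribute scan is regex-based and not a full HTML parser, so it is a first-pass audit aid rather than a guarantee; the sample page and all hosts in it are made up for the example.

```javascript
"use strict";
// Added example (not from the talk): a first-pass mixed-content scanner.

// Subresource-loading element:attribute pairs. Active content can script or restyle the
// embedding page, so browsers block it outright; passive (media) content only draws a
// warning. <link> is treated as active because its common use is a stylesheet.
const ACTIVE = new Set(["script:src", "iframe:src", "link:href", "object:data", "embed:src"]);
const PASSIVE = new Set(["img:src", "audio:src", "video:src", "source:src", "track:src"]);

function findMixedContent(html, pageUrl) {
  const page = new URL(pageUrl);
  if (page.protocol !== "https:") return []; // mixed content only exists on HTTPS pages
  const findings = [];
  const tagRe = /<(\w+)\b([^>]*)>/g;
  const attrRe = /(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const name = tag[1].toLowerCase();
    let attr;
    while ((attr = attrRe.exec(tag[2])) !== null) {
      const key = `${name}:${attr[1].toLowerCase()}`;
      if (!ACTIVE.has(key) && !PASSIVE.has(key)) continue;
      const value = attr[2] !== undefined ? attr[2] : attr[3];
      let target;
      try { target = new URL(value, page); } catch { continue; } // relative URLs resolve against the page
      if (target.protocol !== "http:") continue; // https:, data:, blob: are not mixed
      const upgraded = new URL(target.href);
      upgraded.protocol = "https:"; // what upgrade-insecure-requests does (an explicit :80 becomes :443)
      findings.push({
        element: key,
        url: value,
        kind: ACTIVE.has(key) ? "active" : "passive",
        defaultBehaviour: ACTIVE.has(key) ? "blocked" : "loaded-with-warning",
        upgradedUrl: upgraded.href,
      });
    }
  }
  return findings;
}

// Counts per kind: the numbers you want before choosing between upgrade-insecure-requests
// (fixes both kinds silently) and block-all-mixed-content (turns passive warnings into
// hard blocks that show up in CSP reports).
function summarize(findings) {
  return findings.reduce((acc, f) => ({ ...acc, [f.kind]: acc[f.kind] + 1 }), { active: 0, passive: 0 });
}

// Constructed sample page; every host below is made up for this example.
const SAMPLE_PAGE_URL = "https://blog.example/entry";
const SAMPLE_HTML = `
<html><head>
<link rel="stylesheet" href="http://cdn.example/style.css">
<script src="https://blog.example/app.js"></script>
</head><body>
<img src="http://img.example/photo.jpg">
<img src="/local.png">
<img src='data:image/png;base64,AAAA'>
<iframe src="http://ads.example/frame"></iframe>
<video src="https://media.example/clip.mp4"></video>
<a href="http://other.example/">a navigation, not a subresource</a>
</body></html>`;

function sampleFindings() {
  return findMixedContent(SAMPLE_HTML, SAMPLE_PAGE_URL);
}
```

On the sample page the scan reports three problems: the stylesheet and the iframe are active (the browser would block them), the photo is passive (loaded with a warning); the same-origin image, the data: URL, the HTTPS video and the plain link are not mixed content at all.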

Slide 44

Reporting Server

Slide 45

report-uri.io
● not recommended (in production)
  ○ bad UI
  ○ slow response when receiving reports
  ○ can't see data older than half a year
  ○ can't see the HTTP headers
  ○ can't export your data
● do it yourself
  ○ a simple POST endpoint for JSON
  ○ Kibana, Grafana, BigQuery, etc.
  ○ Google Analytics support would be welcome :)

Slide 46

One More Thing

Slide 47

HTTP Public Key Pinning
● pin a hash of the public key (the SPKI), not of the certificate
  ○ protects against mis-issuance after a CA incident
● hard to deploy
  ○ a backup pin is mandatory, and a wrong pin locks users out until max-age expires
Public-Key-Pins: pin-sha256="#{hash-of-public-key}"
(HPKP has since been deprecated and removed from Chrome and Firefox; Certificate Transparency took over the CA-incident problem.)

Slide 48

on my blog

Slide 49

from the same service

Slide 50

HPKP Report (screenshot): thumbnails.yammer.com:443 (Pins set by thumbnails.yammer.com includeSubdomains=false)

Slide 51

This is the real-world Web

Slide 52

May the Safe be with Web

Slide 53

Jack