Slide 1
Slide 1 text
CSP
Content Security Policy
Slide 2
Slide 2 text
DISCLAIMER
Slide 3
Slide 3 text
() { :; };
Slide 4
Slide 4 text
THE ISSUE
AT HAND
Slide 5
Slide 5 text
XSS
— and other browser–based attacks
Slide 6
Slide 6 text
Same origin policy
Slide 7
Slide 7 text
Same origin policy
http://foo.com
http://bar.com
Slide 8
Slide 8 text
XSS
Slide 9
Slide 9 text
Persisted XSS
Slide 10
Slide 10 text
Persisted XSS
User A
Server
Slide 11
Slide 11 text
Slide 12
Slide 12 text
Persisted XSS
User A
Server
User B
Slide 13
Slide 13 text
No content
Slide 14
Slide 14 text
User B
User B
User B
Persisted XSS
User A
Server
User B
Slide 15
Slide 15 text
Persisted XSS
User A
Server
User B
Slide 16
Slide 16 text
Reflected XSS
Slide 17
Slide 17 text
<%= params[:user].html_safe %>
Slide 18
Slide 18 text
SESSION HIJACKING
CONTENT SPOOFING
…
Slide 19
Slide 19 text
Slide 20
Slide 20 text
No content
Slide 21
Slide 21 text
No content
Slide 22
Slide 22 text
THE ROOT
OF THE
PROBLEM?
Slide 23
Slide 23 text
The user
Slide 24
Slide 24 text
The browser
Slide 25
Slide 25 text
THE SOLUTION
Slide 26
Slide 26 text
MOAR REGEX!!1!
Slide 27
Slide 27 text
li {list-style-image: ↵
url(“javascript:alert(‘XSS')");} ↵
- XSS
!
!
!
↵
Slide 28
Slide 28 text
— OWASP XSS
Prevention Rules
Slide 29
Slide 29 text
Never Insert Untrusted Data
Except in Allowed Locations
1
Slide 30
Slide 30 text
HTML Escape Before Inserting
Untrusted Data into HTML
Element Content
2
Slide 31
Slide 31 text
Attribute Escape Before Inserting
Untrusted Data into HTML
Common Attributes
3
Slide 32
Slide 32 text
JavaScript Escape Before
Inserting Untrusted Data into
JavaScript Data Values
4
Slide 33
Slide 33 text
HTML escape JSON values in an
HTML context and read the data
with JSON.parse
4.1
Slide 34
Slide 34 text
JSON entity encoding
4.1.1
Slide 35
Slide 35 text
HTML entity encoding
4.1.2
Slide 36
Slide 36 text
CSS Escape And Strictly Validate
Before Inserting Untrusted Data
into HTML Style Property Values
5
Slide 37
Slide 37 text
URL Escape Before Inserting
Untrusted Data into HTML URL
Parameter Values
6
Slide 38
Slide 38 text
Sanitize HTML Markup with a
Library Designed for the Job
7
Slide 39
Slide 39 text
Prevent DOM-based XSS
8
Slide 40
Slide 40 text
No content
Slide 41
Slide 41 text
MOAR REGEX!!1!
Slide 42
Slide 42 text
Bonus Rules!
Slide 43
Slide 43 text
Use HTTPOnly cookie flag
A
Slide 44
Slide 44 text
Implement
Content Security Policy
B
Slide 45
Slide 45 text
Content
Security
Policy
Slide 46
Slide 46 text
No content
Slide 47
Slide 47 text
No content
Slide 48
Slide 48 text
No content
Slide 49
Slide 49 text
No content
Slide 50
Slide 50 text
No content
Slide 51
Slide 51 text
WHAT DOES IT DO?
Slide 52
Slide 52 text
Same origin policy
Slide 53
Slide 53 text
What can be loaded
and embedded,
and from where?
Slide 54
Slide 54 text
Which origins can be
connected to?
Slide 55
Slide 55 text
Which scripts can be executed
and in which context?
Slide 56
Slide 56 text
HOW DOES
IT WORK?
Slide 57
Slide 57 text
Response header
Slide 58
Slide 58 text
Content-Security-Policy: script-src 'self'
Header name
X-WebKit-CSP
X-Content-Security-Policy
IE > 9 < ?
Webkit < 6.1
Slide 59
Slide 59 text
Content-Security-Policy: script-src 'self'
Directive
Slide 60
Slide 60 text
Content-Security-Policy: script-src 'self'
Attribute (source)
Slide 61
Slide 61 text
Content-Security-Policy: [DIRECTIVE A]; [DIRECTIVE B]
Slide 62
Slide 62 text
Content-Security-Policy: script-src 'self' ↵
https://apis.google.com
Multiple sources
Slide 63
Slide 63 text
class CSP
def initialize(app, options={})
@app = app
end
def call(env)
status, headers, body = @app.call(env)
response = Rack::Response.new body, status, headers
response['Content-Security-Policy'] = "script-src 'self'"
response.finish
end
end
Slide 64
Slide 64 text
Directives
Slide 65
Slide 65 text
default-src
!
Default source for all directives
Slide 66
Slide 66 text
default-src
!
Default source for all directives
Slide 67
Slide 67 text
connect-src
!
Connections via XHR, WebSockets and EventSource
Slide 68
Slide 68 text
font-src
!
Origins of web fonts
Slide 69
Slide 69 text
frame-src
!
Origins embeddable via frames
Slide 70
Slide 70 text
img-src
!
Origins of images
Slide 71
Slide 71 text
media-src
!
Origins for audio and video
Slide 72
Slide 72 text
object-src
!
Origins of Flash and other plugins
Slide 73
Slide 73 text
style-src
!
Origins of stylesheets
Slide 74
Slide 74 text
Sandboxing
Slide 75
Slide 75 text
sandbox
!
Load page as loaded into iframe with “sandbox” attribute
Slide 76
Slide 76 text
Sources
Slide 77
Slide 77 text
'none'
!
Match nothing
Slide 78
Slide 78 text
No content
Slide 79
Slide 79 text
'self'
!
Only current origin
Slide 80
Slide 80 text
http://example.com:80
!
Servers
Slide 81
Slide 81 text
http:
*://example.com:*
!
Wildcards
Slide 82
Slide 82 text
Script execution
(Source)
Slide 83
Slide 83 text
'unsafe-inline'
!
Execute inline javascript
Slide 84
Slide 84 text
'unsafe-eval'
!
Eval is evil
Slide 85
Slide 85 text
setTimeout("alert('XSS')", 10);
Slide 86
Slide 86 text
var xss = new Function("alert('XSS');");
xss();
Slide 87
Slide 87 text
Reporting
Slide 88
Slide 88 text
report-uri
!
Endpoint for POST requests with JSON payload
Slide 89
Slide 89 text
Content-Security-Policy: report-uri /csp_report
Slide 90
Slide 90 text
{
"csp-report": {
"document-uri": "...",
"referrer": "...",
"blocked-uri": "...",
"violated-directive": "...",
"original-policy": "...",
}
}
Slide 91
Slide 91 text
class CSPReporter
def call(env)
report_data = JSON.parse(env['rack.input'].read)
report_data = report_data['csp-report']
if report_data
Logger.new(‘logs/csp_report.log’).warn(
format_report(report_data)
)
end
end
private
def format_report(data)
# ...
end
end
Slide 92
Slide 92 text
map '/csp_report' do
run CSPReporter.new
end
Slide 93
Slide 93 text
Reporting ONLY
Slide 94
Slide 94 text
Content-Security-Policy-Report-Only: […]
Slide 95
Slide 95 text
CAN I USE IT?
Slide 96
Slide 96 text
http://caniuse.com
Can I use it?
Slide 97
Slide 97 text
RUBY GEMS
Slide 98
Slide 98 text
twitter/secureheaders
!
p0deje/content-security-policy
Slide 99
Slide 99 text
default: &default
scope: "*"
directives:
- scripts: self https://google.com
!
report:
<<: *default
directives:
- report_uri: /csp_report
Slide 100
Slide 100 text
No content
Slide 101
Slide 101 text
THANKS!
@polarblau