A primer on Content Security Policy

Content Security Policy (CSP) is a security concept aiming to prevent XSS and other forms of browser-based attacks right where they happen — in the browser. CSP has been around for a little while, but it is only now that browser vendors are closing in on implementing most of the W3C specification.

This talk will take a look at what CSP is, why it matters and how to use it with Ruby-based web applications.

References: https://gist.github.com/polarblau/9efa552df23b3cd8f967

Florian Plank

October 02, 2014

Transcript

  1. CSP
    Content Security Policy

  2. THE ISSUE
    AT HAND

  3. XSS
    — and other browser-based attacks

  4. Same origin policy

  5. Same origin policy
    http://foo.com
    http://bar.com

  6. Persisted XSS

  7. Persisted XSS
    User A
    Server

  8. Persisted XSS
    User A
    Server
    User B

  9. Persisted XSS
    User A
    Server
    User B (×4)

  10. Persisted XSS
    User A
    Server
    User B

  11. Reflected XSS

  12. <%= params[:user].html_safe %>

  13. SESSION HIJACKING
    CONTENT SPOOFING

  14. THE ROOT
    OF THE
    PROBLEM?

  15. THE SOLUTION

  16. MOAR REGEX!!1!

  17. Obfuscated XSS payloads (slide text partially garbled in the transcript):
    li {list-style-image: url("javascript:alert('XSS')");} XSS
    ipt:aler t('XSS')>
    onerror="alert(String.fromCharCode(88,83,83))"

  18. — OWASP XSS
    Prevention Rules

  19. Never Insert Untrusted Data
    Except in Allowed Locations
    1

  20. HTML Escape Before Inserting
    Untrusted Data into HTML
    Element Content
    2

  21. Attribute Escape Before Inserting
    Untrusted Data into HTML
    Common Attributes
    3

  22. JavaScript Escape Before
    Inserting Untrusted Data into
    JavaScript Data Values
    4

  23. HTML escape JSON values in an
    HTML context and read the data
    with JSON.parse
    4.1

  24. JSON entity encoding
    4.1.1

  25. HTML entity encoding
    4.1.2

  26. CSS Escape And Strictly Validate
    Before Inserting Untrusted Data
    into HTML Style Property Values
    5

  27. URL Escape Before Inserting
    Untrusted Data into HTML URL
    Parameter Values
    6

  28. Sanitize HTML Markup with a
    Library Designed for the Job
    7

  29. Prevent DOM-based XSS
    8

  30. MOAR REGEX!!1!

  31. Bonus Rules!

  32. Use HTTPOnly cookie flag
    A

  33. Implement
    Content Security Policy
    B

  34. Content
    Security
    Policy

  35. WHAT DOES IT DO?

  36. Same origin policy

  37. What can be loaded
    and embedded,
    and from where?

  38. Which origins can be
    connected to?

  39. Which scripts can be executed
    and in which context?

  40. HOW DOES
    IT WORK?

  41. Response header

  42. Content-Security-Policy: script-src 'self'
    Header name
    X-WebKit-CSP
    X-Content-Security-Policy
    IE > 9 < ?
    Webkit < 6.1

  43. Content-Security-Policy: script-src 'self'
    Directive

  44. Content-Security-Policy: script-src 'self'
    Attribute (source)

  45. Content-Security-Policy: [DIRECTIVE A]; [DIRECTIVE B]

  46. Content-Security-Policy: script-src 'self' https://apis.google.com
    Multiple sources

  47. # Rack middleware that adds the CSP header to every response
    class CSP
      def initialize(app, options={})
        @app = app
      end

      def call(env)
        status, headers, body = @app.call(env)
        response = Rack::Response.new body, status, headers
        response['Content-Security-Policy'] = "script-src 'self'"
        response.finish
      end
    end

  48. default-src
    Default source for all directives

  50. connect-src
    Connections via XHR, WebSockets and EventSource

  51. font-src
    Origins of web fonts

  52. frame-src
    Origins embeddable via frames

  53. img-src
    Origins of images

  54. media-src
    Origins for audio and video

  55. object-src
    Origins of Flash and other plugins

  56. style-src
    Origins of stylesheets

  57. sandbox
    Treat the page as if it were loaded in an iframe with the "sandbox" attribute

  58. 'none'
    Match nothing

  59. 'self'
    Only current origin

  60. http://example.com:80
    Servers

  61. http:
    *://example.com:*
    Wildcards
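
An added example, not from the talk, implementing the source-expression matching that slides 58 to 61 describe: 'none', 'self', scheme-only sources, host sources with an explicit or wildcard port and the `*://host:*` form from slide 61. It goes one step beyond the slides by also handling the `*.host` subdomain wildcard; the assumption that a scheme-less host source inherits the page's scheme is marked in the code.

```ruby
require 'uri'

# Added example. Default ports used when a URL or a source expression omits the port.
DEFAULT_PORTS = { 'http' => 80, 'https' => 443, 'ws' => 80, 'wss' => 443 }.freeze

def effective_port(uri)
  uri.port || DEFAULT_PORTS[uri.scheme.to_s.downcase]
end

# 'self': same scheme, host and port as the page that carries the policy.
def same_origin?(a, b)
  a.scheme == b.scheme && a.host.to_s.downcase == b.host.to_s.downcase &&
    effective_port(a) == effective_port(b)
end

# Exact host, or "*.example.com" for any subdomain (not example.com itself).
def host_matches?(pattern, host)
  pattern = pattern.downcase
  host = host.to_s.downcase
  return host == pattern unless pattern.start_with?('*.')
  host.end_with?(pattern[1..-1])
end

# Does one source expression allow `url` on a document loaded from `page`?
def source_matches?(expr, url, page)
  target = URI.parse(url)
  origin = URI.parse(page)
  return false if expr == "'none'"
  return same_origin?(target, origin) if expr == "'self'"
  # Scheme-only source such as "https:" (slide 61).
  return target.scheme.to_s.downcase == expr.chomp(':').downcase if expr =~ /\A[a-z][a-z0-9+.-]*:\z/i
  # Host source [scheme://]host[:port]; "*" as scheme or port matches anything.
  m = expr.match(%r{\A(?:([a-z*][a-z0-9+.-]*)://)?([^:/\s]+)(?::(\*|\d+))?\z}i)
  return false unless m
  scheme, host, port = m.captures
  # Assumption: a scheme-less host source inherits the page's scheme.
  scheme_ok = scheme == '*' || (scheme || origin.scheme).to_s.downcase == target.scheme.to_s.downcase
  want_port = port ? port.to_i : DEFAULT_PORTS[target.scheme.to_s.downcase]
  port_ok = port == '*' || want_port == effective_port(target)
  scheme_ok && host_matches?(host, target.host) && port_ok
end

# A directive's source list allows the URL if any of its expressions matches.
def allowed?(sources, url, page)
  sources.any? { |expr| source_matches?(expr, url, page) }
end
```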

  62. Script execution
    (Source)

  63. 'unsafe-inline'
    Allow inline JavaScript to execute

  64. 'unsafe-eval'
    Eval is evil

  65. setTimeout("alert('XSS')", 10);

  66. var xss = new Function("alert('XSS');");
    xss();

  67. report-uri
    Endpoint for POST requests with JSON payload

  68. Content-Security-Policy: report-uri /csp_report

  69. {
      "csp-report": {
        "document-uri": "...",
        "referrer": "...",
        "blocked-uri": "...",
        "violated-directive": "...",
        "original-policy": "..."
      }
    }

  70. require 'json'
    require 'logger'

    class CSPReporter
      def call(env)
        report_data = JSON.parse(env['rack.input'].read)
        report_data = report_data['csp-report']
        if report_data
          Logger.new('logs/csp_report.log').warn(
            format_report(report_data)
          )
        end
        # A Rack app must return [status, headers, body]; 204 since the browser ignores the response
        [204, {}, []]
      end

      private

      def format_report(data)
        # ...
      end
    end

  71. map '/csp_report' do
      run CSPReporter.new
    end
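
An added example (not the talk's code) completing the report endpoint from slides 69 to 71: it extracts the csp-report object, rejects bodies that are too large or not a report, logs one line per violation with attacker-influenced values escaped, and returns a proper Rack triple. The logger destination and the sample report in the test are constructed for the demo.

```ruby
require 'json'
require 'logger'
require 'stringio'

# Added example: Rack endpoint for CSP violation reports (slide 69 JSON shape).
class CSPReportEndpoint
  MAX_BODY = 64 * 1024 # reports are small; cap the body so nobody can flood the log
  FIELDS = %w[document-uri referrer blocked-uri violated-directive original-policy].freeze

  def initialize(logger = Logger.new($stderr))
    @logger = logger
  end

  # Returns the Rack triple; the browser never shows the response, so no body.
  def call(env)
    raw = env['rack.input'].read(MAX_BODY + 1).to_s
    return [413, {}, []] if raw.bytesize > MAX_BODY
    report = self.class.parse_report(raw)
    return [400, {}, []] unless report
    @logger.warn(self.class.format_report(report))
    [204, {}, []]
  end

  # The "csp-report" object, or nil when the body is not a valid report.
  def self.parse_report(raw)
    data = JSON.parse(raw)
    report = data.is_a?(Hash) ? data['csp-report'] : nil
    report.is_a?(Hash) ? report : nil
  rescue JSON::ParserError
    nil
  end

  # One log line per violation. Values such as blocked-uri are chosen by whoever
  # injected the content, so String#inspect escapes newlines and control
  # characters to keep a report from forging extra log lines.
  def self.format_report(report)
    FIELDS.map { |f| "#{f}=#{report[f].to_s.inspect}" }.join(' ')
  end
end
```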

  72. Reporting ONLY

  73. Content-Security-Policy-Report-Only: […]
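
An added example (not the talk's code): a Rack middleware that serialises a directives hash into either the enforcing header from slides 45 to 47 or the Content-Security-Policy-Report-Only header from slide 73. It follows the Rack [status, headers, body] contract directly, so it does not need the rack gem; the demo policy values are constructed here.

```ruby
# Added example: build the CSP header from a directives hash.
class CSPMiddleware
  HEADER = 'Content-Security-Policy'.freeze
  REPORT_ONLY_HEADER = 'Content-Security-Policy-Report-Only'.freeze

  # directives: { 'script-src' => ["'self'", 'https://apis.google.com'], ... }
  # report_only: true emits the -Report-Only header, so violations are reported
  # to report-uri but nothing is blocked; useful while rolling a policy out.
  def initialize(app, directives, report_only: false)
    @app = app
    @header_name = report_only ? REPORT_ONLY_HEADER : HEADER
    @policy = self.class.serialize(directives)
  end

  # Each directive is "name source source ..."; directives are joined with "; ".
  def self.serialize(directives)
    directives.map { |name, sources| "#{name} #{Array(sources).join(' ')}" }.join('; ')
  end

  def call(env)
    status, headers, body = @app.call(env)
    [status, headers.merge(@header_name => @policy), body]
  end
end

# Constructed demo policy: scripts only from self and Google APIs, no plugins,
# violations reported to /csp_report.
DEMO_DIRECTIVES = {
  'default-src' => "'self'",
  'script-src'  => ["'self'", 'https://apis.google.com'],
  'object-src'  => "'none'",
  'report-uri'  => '/csp_report'
}.freeze

# Runs a trivial inner app through the middleware and returns the Rack triple.
def demo_response(report_only: false)
  app = ->(_env) { [200, { 'Content-Type' => 'text/html' }, ['<h1>hi</h1>']] }
  CSPMiddleware.new(app, DEMO_DIRECTIVES, report_only: report_only).call({})
end
```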

  74. CAN I USE IT?

  75. http://caniuse.com
    Can I use it?

  76. twitter/secureheaders
    p0deje/content-security-policy

  77. default: &default
      scope: "*"
      directives:
        - scripts: self https://google.com

    report:
      <<: *default
      directives:
        - report_uri: /csp_report

  78. THANKS!
    @polarblau