A primer on Content Security Policy

Content Security Policy (CSP) is a security concept aiming to prevent XSS and other forms of browser-based attacks right where they happen: in the browser. CSP has been around for a little while, but it is only now that browser vendors are closing in on implementing most of the W3C specification.

This talk will take a look at what CSP is, why it matters and how to use it with Ruby-based web applications.

References: https://gist.github.com/polarblau/9efa552df23b3cd8f967

Florian Plank

October 02, 2014

Transcript

  1. CSP
    Content Security Policy

  2. DISCLAIMER

  3. () { :; };

  4. THE ISSUE
    AT HAND

  5. XSS
    — and other browser-based attacks

  6. Same origin policy

  7. Same origin policy
    http://foo.com
    http://bar.com

  8. XSS

  9. Persisted XSS

  10. Persisted XSS
    User A
    Server

  12. Persisted XSS
    User A
    Server
    User B

  14. Persisted XSS
    User A
    Server
    User B (and every further visitor of the page)

  15. Persisted XSS
    User A
    Server
    User B

  16. Reflected XSS

  18. SESSION HIJACKING
    CONTENT SPOOFING

  22. THE ROOT
    OF THE
    PROBLEM?

  23. The user

  24. The browser

  25. THE SOLUTION

  26. MOAR REGEX!!1!

  27. li {list-style-image: url("javascript:alert('XSS')");} XSS
    …ipt:aler…t('XSS')>
    onerror="alert(String.fromCharCode(88,83,83))">

  28. — OWASP XSS
    Prevention Rules

  29. Rule 1: Never Insert Untrusted Data Except in Allowed Locations

  30. Rule 2: HTML Escape Before Inserting Untrusted Data into HTML Element Content

  31. Rule 3: Attribute Escape Before Inserting Untrusted Data into HTML Common Attributes

  32. Rule 4: JavaScript Escape Before Inserting Untrusted Data into JavaScript Data Values

  33. Rule 4.1: HTML escape JSON values in an HTML context and read the data with JSON.parse

  34. Rule 4.1.1: JSON entity encoding

  35. Rule 4.1.2: HTML entity encoding

  36. Rule 5: CSS Escape And Strictly Validate Before Inserting Untrusted Data into HTML Style Property Values

  37. Rule 6: URL Escape Before Inserting Untrusted Data into HTML URL Parameter Values

  38. Rule 7: Sanitize HTML Markup with a Library Designed for the Job

  39. Rule 8: Prevent DOM-based XSS
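
Rules 2, 3 and 4.1 in Ruby, as an added example that is not part of the talk: CGI.escapeHTML covers element content and quoted attribute values, and the JSON-in-an-escaped-attribute pattern of rule 4.1 is shown next to the inline-script anti-pattern it replaces. The payload, the element id "bootstrap" and the helper names are constructed for this example.

```ruby
require 'cgi'
require 'json'

# Rules 2 and 3: entity-encode untrusted text before it lands in element
# content or in a quoted attribute value. CGI.escapeHTML encodes & < > " ',
# which covers both contexts as long as the attribute is always quoted.
def html_escape(untrusted)
  CGI.escapeHTML(untrusted.to_s)
end

# Rule 4.1: hand JSON to the page inside an HTML-escaped attribute and let
# the client recover it with JSON.parse(el.dataset.json). Nothing in the
# data can terminate the attribute or open a tag. (The id "bootstrap" is an
# arbitrary choice for this example.)
def json_data_attribute(data)
  %(<div id="bootstrap" data-json="#{html_escape(JSON.generate(data))}"></div>)
end

# The anti-pattern rule 4.1 replaces: JSON interpolated into an inline script.
# JSON.generate leaves "/" alone, so a value containing "</script>" closes the
# block early and everything after it is parsed as markup.
def inline_json_script_unsafe(data)
  "<script>var data = #{JSON.generate(data)};</script>"
end

# What the browser does with the attribute: entity-decode, then JSON.parse.
def round_trip(data)
  JSON.parse(CGI.unescapeHTML(html_escape(JSON.generate(data))))
end

# More than one closing script tag means the payload escaped the script block.
def breaks_out?(html)
  html.scan('</script>').size > 1
end

# Constructed payload: a display name that tries to break out of the script.
PAYLOAD = { 'name' => '</script><script>alert(1)</script>' }.freeze

if __FILE__ == $PROGRAM_NAME
  puts inline_json_script_unsafe(PAYLOAD)
  puts json_data_attribute(PAYLOAD)
end
```

The safe variant also survives the round trip unchanged, which is the property the rule relies on: escaping for the HTML context and decoding by the browser are exact inverses, so JSON.parse sees the original bytes.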

  41. MOAR REGEX!!1!

  42. Bonus Rules!

  43. Bonus rule A: Use the HttpOnly cookie flag

  44. Bonus rule B: Implement Content Security Policy

  45. Content
    Security
    Policy

  51. WHAT DOES IT DO?

  52. Same origin policy

  53. What can be loaded
    and embedded,
    and from where?

  54. Which origins can be
    connected to?

  55. Which scripts can be executed
    and in which context?

  56. HOW DOES
    IT WORK?

  57. Response header

  58. Content-Security-Policy: script-src 'self'
    Header name: Content-Security-Policy
    Legacy prefixed names still seen in the wild: X-WebKit-CSP (Safari before 6.1, early Chrome) and X-Content-Security-Policy (early Firefox; IE 10 and later honour only the sandbox directive through it)

  59. Content-Security-Policy: script-src 'self'
    Directive: script-src

  60. Content-Security-Policy: script-src 'self'
    Attribute (source): 'self'

  61. Content-Security-Policy: [DIRECTIVE A]; [DIRECTIVE B]
    Several directives, separated by semicolons

  62. Content-Security-Policy: script-src 'self' https://apis.google.com
    Multiple sources for one directive, separated by spaces

  63. require 'rack'

    # Rack middleware: let the app build its response, then add the CSP
    # header to it on the way out.
    class CSP
      def initialize(app, options = {})
        @app = app
        @policy = options.fetch(:policy, "script-src 'self'")
      end

      def call(env)
        status, headers, body = @app.call(env)
        response = Rack::Response.new(body, status, headers)
        response['Content-Security-Policy'] = @policy
        response.finish
      end
    end

  64. Directives

  65. default-src
    Fallback for every fetch directive (script-src, style-src, img-src, …) that the policy does not set explicitly

  67. connect-src
    Connections via XHR, WebSockets and EventSource

  68. font-src
    Origins of web fonts

  69. frame-src
    Origins embeddable via frames

  70. img-src
    Origins of images

  71. media-src
    Origins for audio and video

  72. object-src
    Origins of Flash and other plugins

  73. style-src
    Origins of stylesheets

  74. Sandboxing

  75. sandbox
    Apply the restrictions of an iframe's "sandbox" attribute to the page itself

  76. Sources

  77. 'none'
    Match nothing (must be the only source in its directive)

  79. 'self'
    Only the current origin: same scheme, host and port

  80. http://example.com:80
    Servers

  81. http:
    *.example.com
    example.com:*
    Wildcards: a bare scheme matches any host over that scheme; * may stand for the leftmost host label or for the port

  82. Script execution
    (Source)

  83. 'unsafe-inline'
    Execute inline JavaScript: <script> blocks, event-handler attributes and javascript: URLs (for style-src: inline styles)

  84. 'unsafe-eval'
    Eval is evil: allows eval(), new Function() and string arguments to setTimeout/setInterval

  85. setTimeout("alert('XSS')", 10);

  86. var xss = new Function("alert('XSS');");
    xss();

  87. Reporting

  88. report-uri
    Endpoint the browser POSTs a JSON report to whenever the policy is violated

  89. Content-Security-Policy: report-uri /csp_report

  90. {
      "csp-report": {
        "document-uri": "...",
        "referrer": "...",
        "blocked-uri": "...",
        "violated-directive": "...",
        "original-policy": "..."
      }
    }

  91. require 'json'
    require 'logger'

    # Rack endpoint that receives the browser's POSTed violation report.
    class CSPReporter
      def call(env)
        report_data = JSON.parse(env['rack.input'].read)['csp-report']
        if report_data
          Logger.new('logs/csp_report.log').warn(format_report(report_data))
        end
        # A Rack app must return [status, headers, body]; the browser ignores
        # the body, so answer 204 No Content.
        [204, {}, []]
      rescue JSON::ParserError
        [400, {}, []]
      end

      private

      def format_report(data)
        data.map { |key, value| "#{key}=#{value}" }.join(' ')
      end
    end

  92. map '/csp_report' do
      run CSPReporter.new
    end
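
The reporter above only logs. In practice the first job on a report stream is to drop the reports browser extensions generate and count the rest by directive. The following is an added example, not code from the talk: it parses constructed report bodies in the shape of slide 90, discards extension-injected sources, tells inline and eval violations apart from real third-party loads, and tallies by directive. The sample reports, hostnames and the list of noise schemes are constructed for this example.

```ruby
require 'json'

# Schemes that mean "an extension or the browser itself injected this", not a
# flaw in the page; in production they are most of the report volume.
NOISE_SCHEMES = %w[chrome-extension moz-extension safari-extension about].freeze

# Parse one POST body; returns the inner csp-report hash, or nil for garbage.
def parse_report(raw)
  report = JSON.parse(raw)['csp-report']
  report.is_a?(Hash) ? report : nil
rescue JSON::ParserError, TypeError, NoMethodError
  nil
end

def noise?(report)
  uri = report['blocked-uri'].to_s
  NOISE_SCHEMES.any? { |scheme| uri.start_with?("#{scheme}:") }
end

# Chrome reports inline code as blocked-uri "inline" and string-to-code APIs
# as "eval"; older Firefox reported inline violations as "self". Anything
# with a real URL is an external source the policy refused to load.
def classify(report)
  case report['blocked-uri'].to_s
  when 'inline', 'self', '' then :inline
  when 'eval' then :eval
  else :external_source
  end
end

# Count reports by [directive, kind] after discarding garbage and noise.
def triage(raw_reports)
  raw_reports.each_with_object(Hash.new(0)) do |raw, counts|
    report = parse_report(raw)
    next if report.nil? || noise?(report)
    directive = report['violated-directive'].to_s.split.first
    counts[[directive, classify(report)]] += 1
  end
end

# Constructed sample reports, serialised the way a browser would POST them.
POLICY = "default-src 'self'; script-src 'self'; report-uri /csp_report".freeze
SAMPLE_REPORTS = [
  { 'document-uri' => 'https://app.example/', 'referrer' => '',
    'blocked-uri' => 'https://evil.example/x.js',
    'violated-directive' => "script-src 'self'", 'original-policy' => POLICY },
  { 'document-uri' => 'https://app.example/', 'referrer' => '',
    'blocked-uri' => 'chrome-extension://abcd/inject.js',
    'violated-directive' => "script-src 'self'", 'original-policy' => POLICY },
  { 'document-uri' => 'https://app.example/profile', 'referrer' => '',
    'blocked-uri' => 'inline',
    'violated-directive' => "script-src 'self'", 'original-policy' => POLICY }
].map { |r| JSON.generate('csp-report' => r) } + ['not json at all']

if __FILE__ == $PROGRAM_NAME
  triage(SAMPLE_REPORTS).each { |(directive, kind), n| puts "#{directive} #{kind}: #{n}" }
end
```

Of the four bodies, one is unparseable and one is extension noise; what remains is one blocked third-party script and one inline script, which is exactly the pair of findings worth a ticket: an unexpected external load, and an inline block that must be moved to a file before the policy can be enforced.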

  93. Reporting ONLY

  94. Content-Security-Policy-Report-Only: […]
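
Putting the header anatomy of slides 58 to 62, the source syntax of slides 77 to 84 and the Report-Only header above together, as an added example that is not code from the talk or from either gem mentioned later: a small Ruby policy builder that turns a hash of directives into either header, serialises it with the semicolon and space separators, rejects malformed source expressions (a wildcard scheme, or 'none' next to another source) and flags the settings that quietly undo the policy. The class name, the CSP 1.0-only source grammar (no paths, nonces or hashes) and the warning texts are this example's own choices.

```ruby
# Turn a hash of directives into a Content-Security-Policy header (or its
# Report-Only twin), checking the source expressions on the way.
class CspPolicy
  KEYWORDS = %w['self' 'none' 'unsafe-inline' 'unsafe-eval'].freeze
  # Only the directives covered in the talk; sandbox and report-uri carry no
  # source list, so they are skipped by the source checks.
  DIRECTIVES = %w[default-src script-src style-src img-src font-src connect-src
                  media-src object-src frame-src sandbox report-uri].freeze
  NON_SOURCE = %w[sandbox report-uri].freeze
  # "https:" or "data:" - a bare scheme matches any host over that scheme.
  SCHEME_SOURCE = /\A[a-z][a-z0-9+.-]*:\z/i
  # [scheme://][*.]host[:port|:*] - the CSP 1.0 host grammar. Paths, nonces
  # and hashes (later CSP levels) are deliberately not modelled here.
  HOST_SOURCE = %r{\A(?:[a-z][a-z0-9+.-]*://)?(?:\*\.)?[^\s/:*]+(?::(?:\d+|\*))?\z}i

  def initialize(directives, report_only: false)
    @directives = directives
    @report_only = report_only
    validate!
  end

  # Same value, different header name: in Report-Only mode the browser sends
  # violation reports but enforces nothing.
  def header_name
    @report_only ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy'
  end

  # Sources are space separated within a directive, directives are separated
  # by semicolons; a directive without sources (sandbox) is just its name.
  def header_value
    @directives.map { |name, sources| [name, *Array(sources)].join(' ') }.join('; ')
  end

  # Ready to merge into a Rack response's headers.
  def to_h
    { header_name => header_value }
  end

  # Settings that are syntactically fine but defeat the point of the policy.
  def warnings
    scripts = Array(@directives['script-src'] || @directives['default-src'])
    found = []
    found << "'unsafe-inline' applies to scripts: injected inline script still runs" if scripts.include?("'unsafe-inline'")
    found << "'unsafe-eval' applies to scripts: eval and friends stay available" if scripts.include?("'unsafe-eval'")
    found << 'no default-src: any fetch directive left unset allows everything' unless @directives.key?('default-src')
    found
  end

  private

  def validate!
    @directives.each do |name, sources|
      raise ArgumentError, "unknown directive #{name.inspect}" unless DIRECTIVES.include?(name)
      next if NON_SOURCE.include?(name)
      list = Array(sources)
      # 'none' only makes sense alone; anything next to it is a mistake.
      raise ArgumentError, "#{name}: 'none' must be the only source" if list.include?("'none'") && list.size > 1
      list.each do |src|
        next if src == '*' || KEYWORDS.include?(src) || src.match?(SCHEME_SOURCE) || src.match?(HOST_SOURCE)
        raise ArgumentError, "#{name}: #{src.inspect} is not a valid source expression"
      end
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  policy = CspPolicy.new(
    { 'default-src' => "'self'",
      'script-src' => ["'self'", 'https://apis.google.com'],
      'report-uri' => '/csp_report' },
    report_only: true
  )
  puts policy.to_h
  puts CspPolicy.new({ 'script-src' => ["'self'", "'unsafe-inline'"] }).warnings
end
```

The usual rollout is to construct the policy with report_only: true, feed the reports into something like the triage above until the remaining violations are the ones you intended, then drop the flag; the header value does not change between the two phases, only its name.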

  95. CAN I USE IT?

  96. http://caniuse.com
    Can I use it?

  97. RUBY GEMS

  98. twitter/secureheaders
    p0deje/content-security-policy

  99. default: &default
      scope: "*"
      directives:
        - scripts: self https://google.com

    report:
      <<: *default
      directives:
        - report_uri: /csp_report

  101. THANKS!
    @polarblau