Content Security Policy
Lessons learned at Yahoo
B-Sides DC
10/17/2015
Binu Ramakrishnan & Vibha Sethi
Yahoo Inc.
https://cwe.mitre.org/data/definitions/79.html
http://bit.ly/1ZK9COc
Cross-site Scripting
● Execution of malicious code injected by an attacker on the victim's web page
● Leads to credential and data theft, malware distribution, site defacement, etc.
● Primary reason: improper neutralization of user input when it is rendered on a web page
● Has remained a top threat on the OWASP Top Ten list since its first publication in 2004
Common Remedies
● Input validation and output encoding
● Whitelist trusted contents and tags
● Isolation - e.g. safe iframes
http://bit.ly/1VRI1Gb
source: https://www.cvedetails.com/vulnerabilities-by-types.php
CSP - An additional layer of protection
So what is CSP?
● Content Security Policy is a browser-based mechanism that allows you to
whitelist locations from which your web application can load resources.
You can specify a policy on a web page with a CSP HTTP header like the one
below, which will allow resources to be loaded only from example.com:
content-security-policy: default-src https://example.com
● Policy Delivery
○ content-security-policy
○ content-security-policy-report-only - for experimenting & monitoring
○ HTML meta tag
Example
https://example.com/test.html:
<!DOCTYPE html>
<html>
<head>
</head>
<body>
<img src="https://s.yimg.com/rz/uh/alphatars/B.png">
</body>
</html>
HTTP Header:
content-security-policy: default-src 'self'; report-uri https://csp.example.com
Violation report
● CSP facilitates generating and delivering violation reports to the endpoint named in
the report-uri directive.
● JSON format
Sample CSP Report
{
  "csp-report": {
    "document-uri": "https://www.example.com/test.html",
    "referrer": "",
    "blocked-uri": "https://s.yimg.com/rz/uh/alphatars/B.png",
    "violated-directive": "default-src 'self'",
    "effective-directive": "img-src",
    "original-policy": "default-src 'self'"
  }
}
(effective-directive is sent from CSP 2.0 onwards)
Content Security Policy Directives
Fetch directives - each directive corresponds to a specific type of resource:
<html>
<head>
<link rel="stylesheet" href="https://style-example.com/pure.css">  <!-- style-src -->
<style type="text/css">
@font-face { font-family: "MyFont"; src: url(http://font-example.org/f.ttf); }  /* font-src */
</style>
<script src="https://js-example.com/jsquery.js"></script>  <!-- script-src -->
</head>
<body>
<img src="https://image-example.com/30d.png">  <!-- img-src -->
<video controls> <source src="https://media-example.com//anpi.mp4" type="video/mp4"> </video>  <!-- media-src -->
<audio controls> <source src="https://media-example.com/horse.mp3" type="audio/mpeg"> </audio>  <!-- media-src -->
<object data="https://obj-example/bg.swf"></object>  <!-- object-src -->
<embed src="https://obj-example/bg.swf"></embed>  <!-- object-src -->
<iframe src="https://child-example.com"></iframe>  <!-- child-src (CSP 2.0) -->
<script>
(new XMLHttpRequest()).open('GET', 'https://connect-example.com/');  // connect-src
</script>
</body>
</html>
default-src - the fallback that applies to every fetch directive above that is not set explicitly
More directives
<html>
<head>
<base href="https://example.com/" target="_blank">  <!-- base-uri -->
</head>
<body>
<form action='https://form-sub-example.com' id='theform' method='post'>  <!-- form-action -->
<input type='text' name='fieldname' value='fieldvalue'>
<input type='submit' id='submit' value='submit'>
</form>
</body>
</html>
base-uri - governs the <base> element above
form-action - governs the <form> action above
frame-ancestors - controls who is allowed to frame your page (iframe, object, embed tags)
plugin-types - whitelist MIME types for object and embed tags, e.g. application/pdf
sandbox - similar to the iframe sandbox attribute; supports allow-forms, allow-same-origin, allow-top-navigation
report-uri - specifies a URL to which the user agent sends reports about policy violations
Directive keywords
● 'none' - content-security-policy: default-src 'none';
○ Disallows any URLs
○ Helpful when you are building a CSP policy
● 'self' - content-security-policy: default-src 'self';
○ Restricts access to the application's own origin
○ Protocol and port must match as well
● 'unsafe-inline' - content-security-policy: script-src 'unsafe-inline';
○ Allows inline scripts/styles
● 'unsafe-eval' - content-security-policy: script-src 'unsafe-eval';
○ Allows eval(untrusted_input), setTimeout(untrusted_string), setInterval(untrusted_string) and the Function constructor
● '*' - wildcard to allow all - content-security-policy: default-src *;
CSP versions & browser support
CSP 1.0 http://www.w3.org/TR/CSP1/
○ Available since 2012
○ Directives: connect-src, default-src, font-src, frame-src, img-src, media-src, object-src, report-uri, script-src, and style-src
CSP 2.0 http://www.w3.org/TR/CSP2/ (CSP 1.1)
○ Mid 2015
○ New directives: base-uri, child-src, form-action, frame-ancestors, plugin-types
○ Deprecates frame-src
Browser support status
○ CSP 1.0 is supported by all modern browsers
○ CSP 2.0 is supported by the latest Chrome (v40+), Firefox (v35+) and Opera (v27+)
Let’s look at some examples….
On https://csp.example.com
content-security-policy: default-src ‘self’;
● https://csp.example.com/campaign.js
● https://csp.example.com/reporting/report.js
● http://csp.example.com/campaign.js
● https://test.csp.com/campaign.js
● https://csp.example.com:8443/campaign.js
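Added example (not code from the talk): a small Python matcher for the source expressions the slides describe, run over the five URLs above under default-src 'self'. It goes beyond the single 'self' case to scheme sources such as https:, wildcard hosts, explicit ports and the CSP 2.0 path prefixes, following the CSP 2.0 matching rules; the hosts are the slide's placeholders.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_url(url):
    """Return (scheme, host, port, path) for a URL, filling in the default port."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    port = p.port if p.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, (p.hostname or "").lower(), port, (p.path or "/")


def host_matches(pattern, host):
    """Host part of a host-source: '*' matches anything; '*.example.com'
    matches any subdomain of example.com but not example.com itself."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


def source_matches(expr, page_url, resource_url):
    """Does a single source expression permit loading resource_url from page_url?"""
    expr = expr.strip()
    page_scheme, page_host, page_port, _ = parse_url(page_url)
    r_scheme, r_host, r_port, r_path = parse_url(resource_url)
    if expr == "'none'":
        return False
    if expr == "'self'":
        # scheme, host AND port must all equal the page's origin
        return (page_scheme, page_host, page_port) == (r_scheme, r_host, r_port)
    if expr == "*":
        return True
    if expr.endswith(":") and "/" not in expr:
        # scheme-source such as "https:": any host, as long as the scheme matches
        return r_scheme == expr[:-1].lower()
    # host-source: [scheme://]host[:port][/path]
    scheme, rest = None, expr
    if "://" in expr:
        scheme, rest = expr.split("://", 1)
        scheme = scheme.lower()
    hostport, _, path = rest.partition("/")
    host, _, port = hostport.partition(":")
    if scheme is None:
        # no scheme in the expression: it inherits the page's scheme, and an
        # http page may also load the https form of the host (CSP 2.0 rule)
        if r_scheme != page_scheme and not (page_scheme == "http" and r_scheme == "https"):
            return False
    elif r_scheme != scheme:
        return False
    if not host_matches(host.lower(), r_host):
        return False
    if port == "*":
        pass  # any port is fine
    elif port:
        if r_port != int(port):
            return False
    elif r_port != DEFAULT_PORTS.get(r_scheme):
        return False  # no port given: only the scheme's default port matches
    if path:
        # CSP 2.0 path matching: a trailing '/' means prefix match, otherwise exact
        path = "/" + path
        return r_path.startswith(path) if path.endswith("/") else r_path == path
    return True


def directive_allows(directive_value, page_url, resource_url):
    """A directive's source list allows a load if any one of its expressions matches."""
    return any(source_matches(e, page_url, resource_url) for e in directive_value.split())


# The five candidate URLs from the slide, loaded by a page on https://csp.example.com
PAGE = "https://csp.example.com/"
CANDIDATES = [
    "https://csp.example.com/campaign.js",
    "https://csp.example.com/reporting/report.js",
    "http://csp.example.com/campaign.js",        # scheme differs
    "https://test.csp.com/campaign.js",          # host differs
    "https://csp.example.com:8443/campaign.js",  # port differs
]


def evaluate(directive_value, page_url=PAGE, urls=CANDIDATES):
    """Map each URL to True (loaded) or False (blocked and reported)."""
    return {u: directive_allows(directive_value, page_url, u) for u in urls}


if __name__ == "__main__":
    for url, ok in evaluate("'self'").items():
        print("allowed" if ok else "blocked", url)
    # Tighter CSP 2.0 path-based whitelisting, as the best-practices slide recommends
    print(evaluate("https://cdn.example.com/asset/path/", urls=[
        "https://cdn.example.com/asset/path/app.js", "https://cdn.example.com/other.js"]))
```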
Why is inline Javascript bad?
Server-side code (welcome.php):
<?php
echo '<script>console.log("This is a legitimate javascript code as part of the page");</script>';
echo '<div class="header"> Welcome, ' . $_GET['username'] . '</div>';
?>
Request:
https://trusted.example.com/welcome.php?username=<script>alert("Attack!");</script>
Response:
Content-Type: text/html; charset=utf-8
<script>console.log("Legitimate javascript code as part of the page");</script>
<div> Welcome, <script>alert("Attack!");</script></div>
It is hard for the browser to distinguish trusted javascript from a malicious script
Mitigation for inline scripts
● Solution 1: Externalizing inline javascript and CSS
○ May involve significant effort for existing applications
○ In addition, there are cases that require inline Javascript, notably for performance
● Solution 2: use unsafe-inline
○ Reduces the effectiveness of CSP
● Solution 3: CSP 2.0 script whitelisting features - nonce-source and hash-source:
○ nonce whitelisting: nonce-$random - requires a new value in the CSP header for every request
○ hash whitelisting - hashAlgorithm-base64hash
○ Hash computation:
% echo -n "alert('Hello, world');" | openssl dgst -sha1 -binary | openssl enc -base64
Nonce example:
content-security-policy: script-src 'nonce-random01'
<script nonce="random01"> alert('Hello, world'); </script>
Hash example:
content-security-policy: script-src 'sha1-RgO/D2C8PM9lERhYHMbiSllxM4g='
<script> alert('Hello, world'); </script>
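Added example (not code from the talk): how the nonce and hash checks above are evaluated, in Python. It assumes the hash-source algorithms CSP 2.0 lists (sha256/sha384/sha512), and shows the caveat that the hash covers the exact bytes between the script tags, so the body with surrounding spaces hashes differently from the string piped into openssl.

```python
import base64
import hashlib
import secrets

# Hash algorithms CSP 2.0 accepts for hash-sources
HASH_ALGS = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}


def hash_source(script_body, alg="sha256"):
    """Build the 'sha256-<base64 digest>' source for the exact script body;
    this is what the slide's openssl pipeline produces when run with -sha256."""
    digest = HASH_ALGS[alg](script_body.encode("utf-8")).digest()
    return "'%s-%s'" % (alg, base64.b64encode(digest).decode("ascii"))


def new_nonce(nbytes=16):
    """A fresh, unguessable nonce: generate one per response and never reuse it."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def response_with_nonce(script_body):
    """Header and <script> tag for one response under nonce whitelisting."""
    nonce = new_nonce()
    header = "content-security-policy: script-src 'nonce-%s'" % nonce
    tag = '<script nonce="%s">%s</script>' % (nonce, script_body)
    return header, tag


def inline_script_allowed(script_src, script_body, nonce_attr=None):
    """Decide, the way the browser does, whether an inline script may run under
    the given script-src value. Returns (allowed, reason)."""
    sources = script_src.split()
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources)
    # CSP 2.0: 'unsafe-inline' is ignored once a nonce- or hash-source is present
    if "'unsafe-inline'" in sources and not has_nonce_or_hash:
        return True, "'unsafe-inline' (weakens the policy; avoid)"
    if nonce_attr is not None and "'nonce-%s'" % nonce_attr in sources:
        return True, "nonce matched"
    for alg in HASH_ALGS:
        if hash_source(script_body, alg) in sources:
            return True, alg + " hash matched"
    return False, "no matching nonce or hash: blocked, violation reported"


BODY = "alert('Hello, world');"

if __name__ == "__main__":
    policy = hash_source(BODY)
    print(policy)
    print(inline_script_allowed(policy, BODY))              # allowed
    print(inline_script_allowed(policy, " " + BODY + " "))  # blocked: whitespace changes the hash
    header, tag = response_with_nonce(BODY)
    print(header)
    print(tag)
```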
What are some of the most common attacks and how can CSP help mitigate them?
Cross-site Scripting
○ CSP prevents XSS from being exploited. However, it does NOT fix XSS
Unapproved third party beacons, tags and contents
○ Using CSP, restrict the resources to just the whitelisted domains
Packet Sniffing
○ Using CSP, servers can enforce that all content be loaded over HTTPS
○ e.g. Content-Security-Policy: default-src https:
Clickjacking - "Look before you click"
○ Use frame-ancestors to specify valid parents
○ Alternative to X-Frame-Options
Block unwanted plugins
○ Use plugin-types to allow only valid plugins
Browser behavior
Feature completeness
Implementation disparities
Mobile browsers
https://www.flickr.com/photos/stargardener/5178063063/
CSP deployment
● Identify domains you trust and start with a restrictive policy
● Initial policy sample:
content-security-policy-report-only: default-src 'none';
script-src 'self';
connect-src 'self';
img-src 'self';
style-src 'self';
font-src 'self';
report-uri https://csp.example.com
● Use HTTPS and enable reporting
● Test this policy using a browser-based CSP testing tool (e.g. caspr)
● Rinse and repeat!
Automation with csp-validator.js
% bin/phantomjs csp-validator.js
Usage: csp-validator.js [--quiet] <URL>
Returns:
0 => SUCCESS - No violations
1 => FAIL - System/parse/input error
2 => CSP-VIOLATION - Violation detected
Post deployment
● In theory, a fully compliant CSP implementation can leverage reports to detect injection attacks; however:
● Reports are noisy due to browser extension violations
● Detect malicious extensions in the user's browser
Browser extensions
Browser extension Javascript
content-security-policy: default-src 'self';
Browser extensions - To sum-up
● Extensions are considered part of the Trusted Computing Base
● They can
○ Interfere with our web pages
○ Alter and inject Javascript into our page
■ Ad injection
■ Malware, exfiltrate user information
■ Alter the CSP header itself!
● May contain security vulnerabilities
● Generate a large volume of CSP reports
● Make injection attack detection extremely hard
http://bit.ly/1kbsLbp
Not so good side of CSP
● Not a solution for all content injection problems
○ E.g. SQL, shell and other server-side injections
● Loose policies
○ Render CSP less effective
● Browser extensions can override CSP policies
○ Less effective against malicious extensions
● Whitelisted locations are fully trusted
○ CDN scenario
CSP best practices
● Maintain code hygiene
○ Keep HTML, CSS and Javascript separate
○ Use Javascript event handlers
● Automation
○ csp-validator.js protects against CSP misconfigurations and checks HTTPS enforcement
● Use stricter policies
○ Always use https:
○ Avoid the use of unsafe-inline and unsafe-eval
○ Use paths, e.g. https://cdn.example.com/asset/path/ (CSP 2.0 feature)
○ Avoid wildcards if possible - *.example.com
● Enable reporting even in enforce mode
○ Helps detect content injection in near real time
CSP - What else?
● Scan violation URLs for malware
● Detect injection attacks in near real time by analyzing CSP violation reports
● Threat intelligence - IP and URL reputation based on blocked links
https://www.flickr.com/photos/drp/34988312
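Added example (not code from the talk): a first triage pass over CSP violation reports in the JSON shape shown earlier, separating browser-extension noise from inline violations, our own hosts missing from the policy, and blocked URLs at unexpected origins that deserve the malware scan or reputation lookup mentioned above. The report bodies and the trusted host list are constructed here; the first report is the sample from the earlier slide.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# URL schemes browsers use for extension resources; reports carrying these are extension noise
EXTENSION_SCHEMES = {"chrome-extension", "moz-extension", "safari-extension", "ms-browser-extension"}
# blocked-uri values browsers send for inline script/style and eval violations
INLINE_MARKERS = {"self", "inline", "eval"}


def effective_directive(report):
    """CSP 2.0 browsers send effective-directive; older ones only violated-directive."""
    if report.get("effective-directive"):
        return report["effective-directive"]
    violated = report.get("violated-directive", "")
    return violated.split()[0] if violated else "unknown"


def classify(report, trusted_hosts):
    """Bucket one report by what the blocked URI points at."""
    blocked = report.get("blocked-uri", "")
    source = report.get("source-file", "")
    if urlsplit(blocked).scheme in EXTENSION_SCHEMES or urlsplit(source).scheme in EXTENSION_SCHEMES:
        return "extension-noise"
    if blocked in INLINE_MARKERS or blocked.startswith(("data:", "blob:")):
        return "inline-or-eval"
    host = urlsplit(blocked).hostname or ""
    if any(host == t or host.endswith("." + t) for t in trusted_hosts):
        return "misconfiguration"   # one of our own hosts is missing from the policy
    return "unexpected-origin"      # candidate injection: scan the URL, check reputation


def triage(raw_reports, trusted_hosts):
    """Parse JSON report bodies and count (category, directive, blocked host)."""
    counts = Counter()
    for raw in raw_reports:
        report = json.loads(raw)["csp-report"]
        blocked = report.get("blocked-uri", "")
        host = urlsplit(blocked).hostname or blocked
        counts[(classify(report, trusted_hosts), effective_directive(report), host)] += 1
    return counts


# Constructed sample report bodies, as a report-uri endpoint would receive them
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {   # the sample from the talk: own CDN image blocked
        "document-uri": "https://www.example.com/test.html", "referrer": "",
        "blocked-uri": "https://s.yimg.com/rz/uh/alphatars/B.png",
        "violated-directive": "default-src 'self'", "effective-directive": "img-src",
        "original-policy": "default-src 'self'"}}),
    json.dumps({"csp-report": {   # a script injected by a browser extension (placeholder id)
        "document-uri": "https://www.example.com/test.html",
        "blocked-uri": "chrome-extension://extension-id-placeholder/inject.js",
        "violated-directive": "script-src 'self'", "effective-directive": "script-src",
        "original-policy": "default-src 'self'"}}),
    json.dumps({"csp-report": {   # CSP 1.0 browser: no effective-directive field
        "document-uri": "https://www.example.com/test.html",
        "blocked-uri": "https://ads.invalid/track.js",
        "violated-directive": "script-src 'self'",
        "original-policy": "script-src 'self'"}}),
    json.dumps({"csp-report": {   # an inline script blocked by script-src 'self'
        "document-uri": "https://www.example.com/test.html",
        "blocked-uri": "self",
        "violated-directive": "script-src 'self'", "effective-directive": "script-src",
        "original-policy": "script-src 'self'"}}),
]
TRUSTED_HOSTS = {"example.com", "yimg.com"}

if __name__ == "__main__":
    for key, n in sorted(triage(SAMPLE_REPORTS, TRUSTED_HOSTS).items()):
        print(n, *key)
```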
CSP testing tools
● csptester.io - Open source tool
● csp-validator.js for CI/CD - PhantomJS headless script to audit the CSP policy for a given URL
● GitHub: https://github.com/yahoo/csptester
● Chrome browser plugin - caspr
Demo
● csptester.io
● csp-validator.js
Summary
Q & A
Thank you!

Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 

Kürzlich hochgeladen (20)

A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 

Content Security Policy - Lessons learned at Yahoo

  • 1. Content Security Policy: Lessons learned at Yahoo
    B-Sides DC, 10/17/2015
    Binu Ramakrishnan & Vibha Sethi, Yahoo Inc.
  • 2. Cross-site Scripting
    ● Execution of malicious code injected by an attacker on the victim’s web page
    ● Leads to credential and data theft, malware distribution, site defacement, etc.
    ● Primary reason: improper neutralization of user input when it is rendered on a web page
    ● Has remained a top threat on the OWASP Top Ten list since its first publication in 2004
    https://cwe.mitre.org/data/definitions/79.html
    http://bit.ly/1ZK9COc
  • 3. Common Remedies
    ● Input validation and output encoding
    ● Whitelist trusted content and tags
    ● Isolation, e.g. safe iframes
    http://bit.ly/1VRI1Gb
  • 5. CSP - An additional layer of protection
  • 6. So what is CSP?
    ● Content Security Policy is a browser-based mechanism that allows you to whitelist the locations from which your web application can load resources. You specify a policy for a web page with a CSP HTTP header like the one below, which allows resources to be loaded only from example.com:
          content-security-policy: default-src https://example.com
    ● Policy delivery
      ○ content-security-policy
      ○ content-security-policy-report-only - for experimenting & monitoring
      ○ HTML meta tag
  • 7. Example
    https://example.com/test.html:
          <!DOCTYPE html>
          <html>
          <head>
          </head>
          <body>
          <img src="https://s.yimg.com/rz/uh/alphatars/B.png">
          </body>
          </html>
    HTTP header (the quotes around self must be plain ASCII apostrophes):
          content-security-policy: default-src 'self'; report-uri https://csp.example.com
  • 8. Violation report
    ● CSP facilitates generating and delivering violation reports to the endpoint named in the report-uri directive.
    ● JSON format
    Sample CSP report (the effective-directive field is present from CSP 2.0 onwards):
          {
            "csp-report": {
              "document-uri": "https://www.example.com/test.html",
              "referrer": "",
              "blocked-uri": "https://s.yimg.com/rz/uh/alphatars/B.png",
              "violated-directive": "default-src 'self'",
              "effective-directive": "img-src",
              "original-policy": "default-src 'self'"
            }
          }
  • 10. Fetch directives
    Each directive corresponds to a specific type of resource; default-src is the fallback for all of them.
          <html>
          <head>
          <link rel="stylesheet" href="https://style-example.com/pure.css">
          <style type="text/css">
            @font-face { font-family: "MyFont"; src: url(http://font-example.org/f.ttf); }
          </style>
          <script src="https://js-example.com/jsquery.js"></script>
          </head>
          <body>
          <img src="https://image-example.com/30d.png">
          <video controls>
            <source src="https://media-example.com/anpi.mp4" type="video/mp4">
          </video>
          <audio controls>
            <source src="https://media-example.com/horse.mp3" type="audio/mpeg">
          </audio>
          <object data="https://obj-example.com/bg.swf"></object>
          <embed src="https://obj-example.com/bg.swf">
          <iframe src="https://child-example.com"></iframe>
          <script>
            (new XMLHttpRequest()).open('GET', 'https://connect-example.com/');
          </script>
          </body>
          </html>
    Directive and the element it governs in the page above:
    ● style-src - <link rel="stylesheet"> and <style>
    ● font-src - @font-face url()
    ● script-src - <script src>
    ● img-src - <img>
    ● media-src - <video> and <audio> sources
    ● object-src - <object> and <embed>
    ● child-src (CSP 2.0) - <iframe>
    ● connect-src - XMLHttpRequest
    ● default-src - fallback for every fetch directive not set explicitly
  • 11. More directives
          <html>
          <head>
          <base href="https://example.com/" target="_blank">
          </head>
          <body>
          <form action='https://form-sub-example.com' id='theform' method='post'>
            <input type='text' name='fieldname' value='fieldvalue'>
            <input type='submit' id='submit' value='submit'>
          </form>
          </body>
          </html>
    ● base-uri - restricts the URLs allowed in the <base> element
    ● form-action - restricts the URLs a <form> may submit to
    ● frame-ancestors - controls who is allowed to frame your page (iframe, object, embed tags)
    ● plugin-types - whitelists MIME types for object and embed tags, e.g. application/pdf
    ● sandbox - similar to the iframe sandbox attribute; supports allow-forms, allow-same-origin, allow-top-navigation
    ● report-uri - specifies a URL to which the user agent sends reports about policy violations
  • 12. Directive keywords
    ● 'none' - content-security-policy: default-src 'none';
      ○ Disallows any URLs
      ○ Helpful when you are building a CSP policy
    ● 'self' - content-security-policy: default-src 'self';
      ○ Restricts access to the application’s own origin
      ○ Protocol and port must match as well
    ● 'unsafe-inline' - content-security-policy: script-src 'unsafe-inline';
      ○ Allows inline scripts/styles
    ● 'unsafe-eval' - content-security-policy: script-src 'unsafe-eval';
      ○ Allows eval(untrusted_input), setTimeout(untrusted_string), setInterval(untrusted_string) and the Function constructor
    ● '*' - wildcard to allow all - content-security-policy: default-src *;
  • 13. CSP versions & browser support
    CSP 1.0 - http://www.w3.org/TR/CSP1/
      ○ Available since 2012
      ○ Directives: connect-src, default-src, font-src, frame-src, img-src, media-src, object-src, report-uri, script-src, and style-src
    CSP 2.0 (CSP 1.1) - http://www.w3.org/TR/CSP2/
      ○ Mid 2015
      ○ New directives: base-uri, child-src, form-action, frame-ancestors, plugin-types
      ○ Deprecates frame-src
    Browser support status
      ○ CSP 1.0 is supported by all modern browsers
      ○ CSP 2.0 is supported by the latest Chrome (v40+), Firefox (v35+) and Opera (v27+)
  • 14. Let’s look at some examples…
    On https://csp.example.com with content-security-policy: default-src 'self'; which of these loads does the browser allow?
    ● https://csp.example.com/campaign.js
    ● https://csp.example.com/reporting/report.js
    ● http://csp.example.com/campaign.js
    ● https://test.csp.com/campaign.js
    ● https://csp.example.com:8443/campaign.js
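To make the 'self' rule on slide 12 and the five URLs on slide 14 concrete, here is an added Python source-expression matcher, written for this page and not part of the talk or of Yahoo's tooling. It implements the CSP 2 matching rules for 'none', 'self', '*', a bare scheme such as https:, and host sources with optional scheme, wildcard subdomain, port and path, and resolves a fetch directive to default-src when the directive is absent. Redirect handling is deliberately left out; the function and policy names are the author's own.

```python
from urllib.parse import urlsplit

# Default ports per scheme; a URL with no explicit port is on one of these.
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def parse_policy(header_value):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for directive in header_value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _split_source(expr):
    """Break a host-source such as https://cdn.example.com:443/asset/path/
    into (scheme, host, port, path); parts that are absent become None."""
    scheme, rest = None, expr
    if "://" in expr:
        scheme, rest = expr.split("://", 1)
        scheme = scheme.lower()
    hostport, slash, path = rest.partition("/")
    host, _, port = hostport.partition(":")
    return scheme, host.lower(), port or None, ("/" + path) if slash else None


def _host_matches(pattern, host):
    if pattern == "*":
        return True
    if pattern.startswith("*."):          # *.example.com matches subdomains only
        suffix = pattern[1:]
        return host.endswith(suffix) and len(host) > len(suffix)
    return pattern == host


def url_matches_source(url, expr, document_origin):
    """Does url match one source expression for a document at document_origin?
    Simplified from CSP 2: redirects are not followed."""
    doc, u = urlsplit(document_origin), urlsplit(url)
    u_port = u.port or DEFAULT_PORTS.get(u.scheme)
    if expr == "'none'":
        return False
    if expr == "'self'":                  # scheme, host AND port must all match
        d_port = doc.port or DEFAULT_PORTS.get(doc.scheme)
        return (u.scheme, u.hostname, u_port) == (doc.scheme, doc.hostname, d_port)
    if expr == "*":                       # bare wildcard: any network URL
        return u.scheme in DEFAULT_PORTS
    if expr.endswith(":") and "/" not in expr:   # scheme-source such as https:
        return u.scheme == expr[:-1].lower()
    scheme, host, port, path = _split_source(expr)
    if scheme is not None:
        if u.scheme != scheme:
            return False
    elif not (u.scheme == doc.scheme or (doc.scheme == "http" and u.scheme == "https")):
        return False                      # no scheme given: inherit the document's (http may upgrade)
    if not _host_matches(host, u.hostname or ""):
        return False
    if port is None:
        if u_port != DEFAULT_PORTS.get(u.scheme):
            return False                  # no port given: only the scheme's default port matches
    elif port != "*" and u_port != int(port):
        return False
    if path is not None:                  # CSP 2 path matching: prefix if it ends in '/', else exact
        u_path = u.path or "/"
        if path.endswith("/"):
            if not u_path.startswith(path):
                return False
        elif u_path != path:
            return False
    return True


def policy_allows(policy, directive, url, document_origin):
    """Resolve the effective directive (falling back to default-src) and test url."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True                       # neither the directive nor default-src is set
    return any(url_matches_source(url, e, document_origin) for e in sources)


if __name__ == "__main__":
    policy = parse_policy("default-src 'self'")
    for url in ("https://csp.example.com/campaign.js",
                "https://csp.example.com/reporting/report.js",
                "http://csp.example.com/campaign.js",
                "https://test.csp.com/campaign.js",
                "https://csp.example.com:8443/campaign.js"):
        print(policy_allows(policy, "script-src", url, "https://csp.example.com"), url)
```

Run as a script it walks the five slide 14 URLs: only the first two pass, because 'self' pins scheme, host and port together, so the http: variant, the foreign host and port 8443 are all blocked.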
  • 15. Why is inline JavaScript bad?
    https://trusted.example.com/welcome.php?username=<script>alert("Attack!");</script>
          <?php
          echo '<script>console.log("This is a legitimate javascript code as part of the page");</script>';
          echo '<div class="header"> Welcome, ' . $_GET['username'] . '</div>';
          ?>
    The response the browser receives:
          Content-Type: text/html; charset=utf-8
          <script>console.log("Legitimate javascript code as part of the page");</script>
          <div> Welcome, <script>alert("Attack!");</script></div>
    It is hard for the browser to distinguish trusted JavaScript from a malicious script.
  • 16. Mitigation for inline scripts
    ● Solution 1: externalize inline JavaScript and CSS
      ○ May involve significant effort for existing applications
      ○ In addition, there are cases that require inline JavaScript, notably for performance
    ● Solution 2: use unsafe-inline
      ○ Reduces the effectiveness of CSP
    ● Solution 3: CSP 2.0 script whitelisting features - nonce-source and hash-source
      ○ Nonce whitelisting: nonce-$random - requires modifying the CSP header for every request
            content-security-policy: script-src 'nonce-random01'
            <script nonce="random01">alert('Hello, world');</script>
      ○ Hash whitelisting: hashAlgorithm-base64hash
            content-security-policy: script-src 'sha1-RgO/D2C8PM9lERhYHMbiSllxM4g='
            <script>alert('Hello, world');</script>
      ○ Hash computation:
            % echo -n "alert('Hello, world');" | openssl dgst -sha1 -binary | openssl enc -base64
  • 17. What are some of the most common attacks, and how can CSP help mitigate them?
    Cross-site Scripting
      ○ CSP prevents XSS from being exploited. However, it does NOT fix XSS
    Unapproved third-party beacons, tags and content
      ○ Using CSP, restrict the resources to just the whitelisted domains
    Packet sniffing
      ○ Using CSP, servers can enforce that all content is loaded over HTTPS
      ○ e.g. Content-Security-Policy: default-src https:
    Clickjacking - “Look before you click”
      ○ Use frame-ancestors to specify valid parents
      ○ Alternative to X-Frame-Options
    Block unwanted plugins
      ○ Use plugin-types to allow only valid plugins
  • 18. Browser behavior
    ● Feature completeness
    ● Implementation disparities
    ● Mobile browsers
    https://www.flickr.com/photos/stargardener/5178063063/
  • 19. CSP deployment
    ● Identify the domains you trust and start with a restrictive policy
    ● Initial policy sample:
          content-security-policy-report-only: default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; font-src 'self'; report-uri https://csp.example.com
    ● Use HTTPS and enable reporting
    ● Test this policy using a browser-based CSP testing tool (e.g. caspr)
    ● Rinse and repeat!
  • 21. Automation with csp-validator.js
          % bin/phantomjs csp-validator.js
          Usage: csp-validator.js [--quiet] <URL>
          Returns:
            0 => SUCCESS - No violations
            1 => FAIL - System/parse/input error
            2 => CSP-VIOLATION - Violation detected
  • 22. Post deployment
    ● In theory, a fully compliant CSP implementation can leverage reports to detect injection attacks; however:
    ● Reports are noisy due to browser extension violations
    ● Detect malicious extensions in the user’s browser
  • 27. Browser extensions - to sum up
    ● Extensions are considered part of the Trusted Computing Base
    ● They can
      ○ Interfere with our web pages
      ○ Alter and inject JavaScript into our page
        ■ Ad injection
        ■ Malware, exfiltrate user information
        ■ Alter the CSP header itself!
    ● May contain security vulnerabilities
    ● Generate a large volume of CSP reports
    ● Make injection attack detection extremely hard
    http://bit.ly/1kbsLbp
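Slides 8, 22 and 27 together describe the report-uri pipeline and why extension noise swamps it. The following Python triage is an added example, written for this page rather than taken from the talk or from Yahoo's reporting backend: it parses reports in the slide 8 JSON format, derives the effective directive for CSP 1.0 reports that lack the field, and buckets each report into extension noise, inline/eval, a trusted host missing from the policy, or an untrusted external origin. The sample reports are constructed; the browser-extension scheme list and the inline markers reflect what current browsers put in blocked-uri but are stated here as assumptions, as are all function names.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# blocked-uri values browsers use for extension-injected content (assumption:
# Chrome often reports only the scheme, e.g. "chrome-extension"; Firefox a full URL).
EXTENSION_SCHEMES = {"chrome-extension", "moz-extension", "safari-extension", "ms-browser-extension"}
# Markers used instead of a URL when an inline script/style or eval() is blocked.
INLINE_MARKERS = {"", "inline", "eval", "self"}

# Constructed sample reports in the slide 8 format; not real traffic.
SAMPLE_REPORTS = [json.dumps(r) for r in (
    {"csp-report": {"document-uri": "https://www.example.com/test.html", "referrer": "",
                    "blocked-uri": "https://s.yimg.com/rz/uh/alphatars/B.png",
                    "violated-directive": "default-src 'self'", "effective-directive": "img-src",
                    "original-policy": "default-src 'self'"}},
    # CSP 1.0-style report: no effective-directive field
    {"csp-report": {"document-uri": "https://www.example.com/test.html",
                    "blocked-uri": "chrome-extension",
                    "violated-directive": "script-src 'self'",
                    "original-policy": "default-src 'self'; script-src 'self'"}},
    {"csp-report": {"document-uri": "https://www.example.com/a.html",
                    "blocked-uri": "moz-extension://0123abcd/inject.js",
                    "violated-directive": "script-src 'self'", "effective-directive": "script-src",
                    "original-policy": "default-src 'self'; script-src 'self'"}},
    {"csp-report": {"document-uri": "https://www.example.com/welcome.php",
                    "blocked-uri": "inline",
                    "violated-directive": "script-src 'self'", "effective-directive": "script-src",
                    "original-policy": "default-src 'self'; script-src 'self'"}},
    {"csp-report": {"document-uri": "https://www.example.com/a.html",
                    "blocked-uri": "https://unknown-cdn.example.net/tracker.js",
                    "violated-directive": "script-src 'self'", "effective-directive": "script-src",
                    "original-policy": "default-src 'self'; script-src 'self'"}},
)]


def effective_directive(body):
    """CSP 1.0 reports lack effective-directive; derive it from violated-directive."""
    return body.get("effective-directive") or body["violated-directive"].split()[0]


def classify(body, trusted_hosts):
    """Bucket one report body by what its blocked-uri tells us."""
    blocked = body.get("blocked-uri", "")
    if blocked.split(":", 1)[0] in EXTENSION_SCHEMES:
        return "extension-noise"
    if blocked in INLINE_MARKERS:
        return "inline-or-eval"
    host = urlsplit(blocked).hostname or ""
    if host in trusted_hosts or any(host.endswith("." + t) for t in trusted_hosts):
        return "policy-gap"            # a host we trust that the policy forgot to whitelist
    return "untrusted-external"        # an origin nobody approved: candidate content injection


def triage(raw_reports, trusted_hosts):
    """Count reports by (effective directive, class); malformed input is counted, not fatal."""
    counts = Counter()
    for raw in raw_reports:
        try:
            body = json.loads(raw)["csp-report"]
        except (ValueError, KeyError, TypeError):
            counts[("unparseable", "unparseable")] += 1
            continue
        counts[(effective_directive(body), classify(body, trusted_hosts))] += 1
    return counts


def actionable(counts):
    """Drop the extension noise; what remains deserves a human's attention."""
    return {k: v for k, v in counts.items() if k[1] != "extension-noise"}


if __name__ == "__main__":
    totals = triage(SAMPLE_REPORTS, {"example.com", "yimg.com"})
    for (directive, bucket), n in sorted(totals.items()):
        print(f"{directive:<12} {bucket:<20} {n}")
```

The "policy-gap" bucket is the one to clear first during a report-only rollout (slide 19): each entry is a resource you meant to allow. "untrusted-external" is the bucket that, once the noise is gone, can feed the near-real-time injection detection the later slides describe.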
  • 29. Not so good side of CSP
    ● Not a solution for all content injection problems
      ○ e.g. SQL, shell and other server-side injections
    ● Loose policies
      ○ Render CSP less effective
    ● Browser extensions can override CSP policies
      ○ Less effective against malicious extensions
    ● Whitelisted locations are fully trusted
      ○ CDN scenario
  • 30. CSP best practices
    ● Maintain code hygiene
      ○ Keep HTML, CSS and JavaScript separate
      ○ Attach JavaScript event handlers from script rather than inline
    ● Automation
      ○ csp-validator.js catches CSP misconfigurations and checks HTTPS enforcement
    ● Use stricter policies
      ○ Always use https:
      ○ Avoid the use of unsafe-inline and unsafe-eval
      ○ Use paths, e.g. https://cdn.example.com/asset/path/ (CSP 2.0 feature)
      ○ Avoid wildcards if possible - *.example.com
    ● Enable reporting even in enforce mode
      ○ Helps in detecting content injection in near real time
  • 31. CSP - What else?
    ● Scan violation URLs for malware
    ● Detect injection attacks in near real time by analyzing CSP violation reports
    ● Threat intelligence - IP and URL reputation based on blocked links
    https://www.flickr.com/photos/drp/34988312
  • 32. CSP testing tools
    ● csptester.io - open source tool
    ● csp-validator.js for CI/CD - PhantomJS headless script to audit the CSP policy for a given URL
    ● GitHub: https://github.com/yahoo/csptester
    ● Chrome browser plugin - caspr
  • 35. Q & A Thank you!