W3C Content Security Policy
What is Content Security Policy (CSP)? How to deploy it, what it's good for, what it's not good for.
1. W3C Content Security Policy 1.0
   One measure against web attacks. No less and no more.
   @m2w2 Markus Wichmann, May 2013
2. What is CSP about at all?
   Just some terms: Web Applications, Web Application Security, Cross-Site Scripting (XSS), XSS Prevention, Policy Breach Reporting.
   Content Security Policy 1.0 is a W3C Candidate Recommendation as of May 2013. I expect it to become a Recommendation in the near future.
3. Agenda
   W3C Content Security Policy (CSP)
   The Web without CSP: plain old HTML
   XSS (Cross-Site Scripting)
   Enter: CSP
   CSP Deployment
   CSP Reporting
   CSP Limitations
   Future of CSP
   How browsers show CSP violation attempts
4. The Web... without CSP
   <html>
     <head>
       ...import style sheets...
       ...import JavaScript files...
     </head>
     <body>
       ...Forum Comments...
       <img src="...">
       ...Google +1 Button...
       ...Facebook Like plugin...
       ...Twitter message...
     </body>
   </html>
   Where the parts come from: Web Server (page, basic JS, style sheets); Database (forum comments); Facebook plugin; Google +1 button; Twitter.
5. XSS (Cross-Site Scripting), Phase 1: Injection Attack
   Server A stores forum entries in its database. Through the page's comment form (a plain <textarea>) the attacker submits a comment that carries a script tag, here URL-encoded:
   Hey folks, look at my evil site: http://bla.com/?q=%3Cscript%3Ealert(%91This%20is%20an%20XSS%20Vulnerability%92)%3C%2Fscript%3E
6. XSS Phase 2: The Victim
   Server A reads the comment back from its database and puts it into the page without escaping it, so every visitor's browser receives, and executes:
   <html>
     ...
     Hey folks, look at my evil site: <script>alert('This is an XSS Vulnerability')</script>
     ...
   </html>
7. XSS Phase 3: Send Victim to Hell (just one example)
   The injected script does not have to be self-contained. It can pull further code from the attacker's own server, http://www.evil.lab: evil scripts, cookie stealing, whatever.
   <html>
     <head>
       ...
       <script src="...evil.lab..."></script>
     </head>
     <body>
       <script ...></script>
     </body>
   </html>
8. XSS recap
   Hacker -> Web Page: inject script
   Victim -> Web Page: visit page
   Web Page -> Victim: infect with evil script
   Evil script: do something evil
9. Enter: CSP
   Declarative source whitelisting: "What am I allowed to fetch, and from where?"
10. Our example, revisited: What do we really need?
    The page from slide 4 again (style sheets and JavaScript from our web server, forum comments from the database, an <img>, the Google +1 button, the Facebook Like plugin and a Twitter message), this time asking which sources each of those parts actually needs.
11. What do we really need?
    1. Style sheets from our own web server
    2. JavaScript from our own web server
    3. JavaScript from apis.google.com
    4. iframe content from plusone.google.com
    5. iframe content from facebook.com
    6. JavaScript from platform.twitter.com
    7. iframe content from platform.twitter.com
    We DON'T need inline scripts (script tags within the body tag)!
12. CSP Deployment
    Solution: an HTTP response header.
    Name: Content-Security-Policy (see slide 18 for the prefixed header names some browsers still need as of May 2013)
    Value: resource directives, each with a source list.
13. CSP Deployment: Our recent example
    If you wrote each directive as its own header (don't do this: every Content-Security-Policy header is enforced as a policy of its own and a resource has to satisfy all of them, so the default-src 'self' line alone would already block the Google and Twitter scripts; shown for demonstration only):
      Content-Security-Policy: default-src 'self';
      Content-Security-Policy: style-src 'self';
      Content-Security-Policy: script-src 'self' https://apis.google.com https://platform.twitter.com;
      Content-Security-Policy: frame-src https://plusone.google.com https://facebook.com https://platform.twitter.com;
    Correct all-in-one notation:
      Content-Security-Policy: default-src 'self'; style-src 'self'; script-src 'self' https://apis.google.com https://platform.twitter.com; frame-src https://plusone.google.com https://facebook.com https://platform.twitter.com;
    This covers the seven needs from slide 11: style sheets and JavaScript from our own web server, JavaScript from apis.google.com and platform.twitter.com, iframe content from plusone.google.com, facebook.com and platform.twitter.com. We DON'T want inline scripts (script tags within the body tag), and the policy above grants none.
    Note the single quotes around self: they are part of the syntax. An unquoted self is a host named "self".
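To make the whitelist rules concrete, here is a small policy evaluator, added for this page and not taken from the slides or from any browser. It parses a policy string like the all-in-one header above and answers "would the browser fetch this?" for a given directive and URL, falling back to default-src the way CSP 1.0 does. It is deliberately simplified: a source without a scheme is assumed to inherit the page's scheme, a source with a port must match that port exactly while a source without one ignores the port, and a leading "*." wildcard matches any subdomain. The page URL https://forum.example is an assumed stand-in for "our own web server".

```javascript
// Added example: a simplified CSP 1.0 source-list evaluator (not the slides' code,
// not a browser's). Keywords must carry their single quotes, as in real CSP.

// "default-src 'self'; script-src 'self' https://apis.google.com" ->
// { 'default-src': ["'self'"], 'script-src': ["'self'", 'https://apis.google.com'] }
function parsePolicy(policyString) {
  const policy = {};
  for (const rawDirective of policyString.split(';')) {
    const tokens = rawDirective.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Extracts scheme, host and optional port; path and query do not matter for CSP 1.0 matching.
function parseUrl(url) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/:]+)(?::(\d+))?/i.exec(url);
  if (!m) return null;
  return { scheme: m[1].toLowerCase(), host: m[2].toLowerCase(), port: m[3] || '' };
}

// Does one host source (https://apis.google.com, *.twitter.com, ...) match the target URL?
// Assumption: a source without a scheme inherits the page's scheme.
function sourceMatches(source, target, page) {
  const withScheme = source.includes('://') ? source : page.scheme + '://' + source;
  const src = parseUrl(withScheme);
  if (!src) return false;
  if (src.scheme !== target.scheme) return false;
  if (src.port && src.port !== target.port) return false;
  if (src.host.startsWith('*.')) return target.host.endsWith(src.host.slice(1));
  return src.host === target.host;
}

// The source list that applies to a directive: its own, else default-src, else none (= no restriction).
function effectiveSources(policy, directiveName) {
  if (policy[directiveName]) return policy[directiveName];
  if (policy['default-src']) return policy['default-src'];
  return null;
}

// Would a fetch of `url` for `directiveName` (script-src, img-src, frame-src, ...) be allowed
// on a page located at `pageUrl`?
function isFetchAllowed(policy, directiveName, url, pageUrl) {
  const sources = effectiveSources(policy, directiveName);
  if (sources === null) return true;
  const page = parseUrl(pageUrl);
  const target = parseUrl(url);
  if (!page || !target) return false;
  for (const source of sources) {
    if (source === "'none'") return false;
    if (source === "'self'") {
      if (target.scheme === page.scheme && target.host === page.host && target.port === page.port) return true;
      continue;
    }
    if (source.startsWith("'")) continue; // 'unsafe-inline' / 'unsafe-eval' whitelist no URLs
    if (sourceMatches(source, target, page)) return true;
  }
  return false;
}

// Inline <script> is only allowed when the applicable source list contains 'unsafe-inline'.
function isInlineScriptAllowed(policy) {
  const sources = effectiveSources(policy, 'script-src');
  return sources === null || sources.includes("'unsafe-inline'");
}

// The all-in-one policy from the slide.
const EXAMPLE_POLICY =
  "default-src 'self'; style-src 'self'; " +
  "script-src 'self' https://apis.google.com https://platform.twitter.com; " +
  "frame-src https://plusone.google.com https://facebook.com https://platform.twitter.com";

// Assumed location of "our own web server".
const PAGE_URL = 'https://forum.example/thread/1';

// Runs the slide's policy against the XSS scenario: the injected evil.lab script is refused,
// the legitimate third parties and our own resources are not, and inline script stays off.
function demo() {
  const policy = parsePolicy(EXAMPLE_POLICY);
  return {
    googleScript: isFetchAllowed(policy, 'script-src', 'https://apis.google.com/js/plusone.js', PAGE_URL),
    evilScript: isFetchAllowed(policy, 'script-src', 'http://www.evil.lab/evil.js', PAGE_URL),
    ownImage: isFetchAllowed(policy, 'img-src', 'https://forum.example/logo.png', PAGE_URL),
    inlineScript: isInlineScriptAllowed(policy),
  };
}
```

The img-src case shows the fallback: the policy names no img-src, so default-src 'self' decides, and an image from forum.example.evil.lab is refused even though the string starts with our own host name. The http://apis.google.com variant of the Google script is refused as well, because the source was whitelisted with an https scheme.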
14. CSP Directives
    default-src  source list to fall back on if there is no more specific rule (e.g. one of the directives below)
    script-src   origins for JavaScript files
    style-src    origins for CSS style sheets
    img-src      origins for image files
    font-src     origins to load web fonts from
    frame-src    origins embeddable into iframes
    media-src    origins of HTML5 audio and video
    object-src   origins of Flash and similar plugins
    connect-src  origins to connect to using XHR, WebSockets and EventSource
15. CSP Source Lists
    'none'           restricts the directive to nothing at all
    'self'           the current origin (same scheme, host and port), but not its subdomains
    'unsafe-inline'  allows inline JavaScript and CSS
    'unsafe-eval'    allows JavaScript's eval() and the other string-to-code functions
    http://uri.lab   a URI to allow; several sources are separated by spaces
    The keyword sources are written with single quotes; an unquoted self would be read as a host named "self".
16. CSP Deployment's effect
    Attacker finds a hole? Bad enough.
    Attacker injects a script? Bad enough.
    But: if the script does not match the whitelist, it cannot be executed.
    Bad enough... for the attacker.
17. CSP Reporting
    Find the weak pieces of your code: let the browser report attempted policy breaches!
      Content-Security-Policy: default-src 'self'; report-uri /csp_report_parser;
    CSP violation attempts are POSTed to the specified URI as JSON, like this:
      {
        "csp-report": {
          "document-uri": "http://example.org/page.html",
          "referrer": "http://evil.example.com/",
          "blocked-uri": "http://evil.example.com/evil.js",
          "violated-directive": "script-src 'self' https://apis.google.com",
          "original-policy": "script-src 'self' https://apis.google.com; report-uri http://example.org/csp_report_parser"
        }
      }
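The report-uri endpoint is reachable by anyone, unauthenticated, so whatever receives these reports must treat the body as hostile input. The following consumer is an added example, not the slides' code and not a real /csp_report_parser: it size-caps and parses the JSON body, keeps only the string fields the slide lists, and aggregates reports by directive, document and blocked URI so that the spots in your own pages that still rely on inline script can be told apart from attack traffic. The size cap and the rule that an empty or "self" blocked-uri means an inline violation are assumptions of this example, not something the slide states.

```javascript
// Added example (not from the slides): a minimal consumer for the JSON a browser
// POSTs to report-uri. Node's Buffer is used only for the byte-length check.

const MAX_REPORT_BYTES = 4096; // assumed cap; genuine reports are a few hundred bytes

// Returns the fields the slide lists, or null if the body is not a usable report.
function parseCspReport(body) {
  if (typeof body !== 'string' || Buffer.byteLength(body, 'utf8') > MAX_REPORT_BYTES) return null;
  let parsed;
  try {
    parsed = JSON.parse(body);
  } catch (e) {
    return null;
  }
  const r = parsed && parsed['csp-report'];
  if (!r || typeof r !== 'object') return null;
  // Only strings survive, and only a bounded prefix of each, before anything is stored.
  const field = (key) => (typeof r[key] === 'string' ? r[key].slice(0, 1024) : '');
  const report = {
    documentUri: field('document-uri'),
    referrer: field('referrer'),
    blockedUri: field('blocked-uri'),
    violatedDirective: field('violated-directive'),
    originalPolicy: field('original-policy'),
  };
  // Without a document and a directive the report cannot be attributed to anything.
  if (!report.documentUri || !report.violatedDirective) return null;
  return report;
}

// Assumption: an inline <script>/<style> violation is reported with an empty or "self"
// blocked-uri; anything else is a blocked external fetch.
function blockedKind(report) {
  return report.blockedUri === '' || report.blockedUri === 'self' ? 'inline' : 'external';
}

// Reduces raw bodies to "<directive> on <document> blocked <target>" counts.
function summarizeReports(bodies) {
  const counts = {};
  let rejected = 0;
  for (const body of bodies) {
    const report = parseCspReport(body);
    if (report === null) {
      rejected += 1;
      continue;
    }
    const directive = report.violatedDirective.split(/\s+/)[0];
    const target = blockedKind(report) === 'inline' ? '(inline)' : report.blockedUri;
    const key = `${directive} on ${report.documentUri} blocked ${target}`;
    counts[key] = (counts[key] || 0) + 1;
  }
  return { counts, rejected };
}

// Constructed sample bodies: the report from the slide twice, one inline-script
// violation on the same page, and one junk body that must be rejected.
const SLIDE_REPORT = JSON.stringify({
  'csp-report': {
    'document-uri': 'http://example.org/page.html',
    'referrer': 'http://evil.example.com/',
    'blocked-uri': 'http://evil.example.com/evil.js',
    'violated-directive': "script-src 'self' https://apis.google.com",
    'original-policy': "script-src 'self' https://apis.google.com; report-uri http://example.org/csp_report_parser",
  },
});
const INLINE_REPORT = JSON.stringify({
  'csp-report': {
    'document-uri': 'http://example.org/page.html',
    'blocked-uri': '',
    'violated-directive': "script-src 'self' https://apis.google.com",
  },
});
const SAMPLE_BODIES = [SLIDE_REPORT, SLIDE_REPORT, INLINE_REPORT, '{"not": "a report"}'];

function demo() {
  return summarizeReports(SAMPLE_BODIES);
}
```

The two distinct keys in the summary tell different stories: the evil.js line is an attack being stopped, the (inline) line is a leftover inline script on your own page that the policy now blocks and that needs to be moved into an external file.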
18. CSP's limitations (as of May 2013) 1/2
    Browsers supporting CSP 1.0:
    Firefox 4–16            partial support, use the X-Content-Security-Policy header name
    Firefox 17+             seems like full support, use X-Content-Security-Policy
    Chrome 14+              seems to me like full support
    IE 10+                  very rudimentary support, see http://goo.gl/p5rke
    Safari 5.1              partial support, use X-WebKit-CSP as header name
    Safari 6.0+             seems to me like full support
    iOS 6.0 Safari          seems to me like full support
    Chrome for Android 25+  seems to me like full support
    Sources: http://caniuse.com/contentsecuritypolicy and Mike West's Twitter post (listed on slide 22)
19. CSP's limitations (as of May 2013) 2/2
    CSP protects users against most Cross-Site Scripting attacks.
    CSP does NOT protect against:
    Cross-Site Request Forgery (XSRF/CSRF, also called session riding)
    Cookie stealing (though this is a bit more difficult with CSP in place)
    SQL injection
    And please use HTTPS (HTTP over SSL/TLS) wherever possible.
20. Possible Future of CSP
    CSP 1.1 is currently in draft status (as of 05/2013). It will mainly add more directives:
    script-nonce  allow specific(!) inline scripts
    plugin-types  allow specific plugin MIME types
    form-action   specify the form action URIs to allow
    See https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#frame-options--experimental
21. How browsers show CSP violations in their debuggers (Firebug, Developer Tools, etc.)
    [Screenshot: Firefox]
    [Screenshot: Chrome]
22. Thanks to all authors of the following pages:
    http://www.w3.org/TR/CSP/
    https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#frame-options--experimental
    http://www.html5rocks.com/en/tutorials/security/content-security-policy/
    http://en.wikipedia.org/wiki/Cross-site_scripting
    http://de.wikipedia.org/wiki/Cross-Site-Request-Forgery
    http://en.wikipedia.org/wiki/Same_origin_policy
    http://en.wikipedia.org/wiki/JSONP
    https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Introduction
    http://en.wikipedia.org/wiki/Samy_worm
    http://maulwuff.de/pws/2012/web20sec/vortrag.html
    https://www.bsi.bund.de/cae/servlet/contentblob/476464/publicationFile/30632/WebSec_pdf
    http://www.linuxforu.com/2012/03/cyber-attacks-explained-web-exploitation/
    http://www.linuxforu.com/2010/09/securing-apache-part-2-xss-injections/
    https://wiki.mozilla.org/index.php?title=Security/CSP/Spec&oldid=133465
    https://twitter.com/mikewest/status/268721123145957377
    http://people.mozilla.com/~bsterne/content-security-policy/
    http://people.mozilla.com/~bsterne/content-security-policy/origin-header-proposal.html
    http://de.slideshare.net/shreeraj/xss-and-csrf-with-html5
    http://google-gruyere.appspot.com/part3#3__cross_site_script_inclusion
    http://intothesymmetry.blogspot.de/2012/06/facebook-logout-csrf-and-oauth-2.html
    http://www.kendoui.com/blogs/archive/11-10-03/using_cors_with_all_modern_browsers.aspx
23. Thank you.
    @m2w2. Constructive criticism always welcome!
    Disclaimer: The author of these slides does not give and cannot give any kind of warranties or guarantees or anything of the like on the correctness of any information provided in these slides.