W3C Content Security Policy
What is Content Security Policy (CSP)? How to deploy it, what it's good for, what it's not good for.
W3C Content Security Policy: Presentation Transcript

  • W3C Content Security Policy 1.0
    One measure against web attacks. No less and no more.
    @m2w2 Markus Wichmann, May 2013
  • What is CSP about at all? Just some terms:
    Web Applications
    Web Application Security
    Cross-Site Scripting (XSS)
    XSS Prevention
    Policy Breach Reporting
    Content Security Policy 1.0 is a W3C candidate recommendation as of May 2013. I expect it to become a recommendation in the near future.
  • Agenda
    W3C Content Security Policy (CSP)
    The Web without CSP
    Plain old HTML
    XSS (Cross-Site Scripting)
    Enter: CSP
    CSP Deployment
    CSP Reporting
    CSP Limitations
    Future of CSP
    How browsers show CSP violation attempts
  • The Web... without CSP
    <html>
      <head>
        ...import style sheets...
        ...import JavaScript files...
      </head>
      <body>
        ...Forum Comments...
        <img src="...">
        ...Google +1 Button...
        ...Facebook Like plugin...
        ...Twitter message...
      </body>
    </html>
    Diagram boxes: Web Server (Page, Basic JS, Style Sheets); Database (Forum Comments); FB plugin; G+ button; Twitter
  • XSS (Cross-Site Scripting), Phase 1: Injection Attack.
    Server A; Database: Forum entries
    <html>
      ...
      ...Forum Comments...
      <textarea></textarea>
    </html>
    Comment submitted through the textarea: "Hey folks, look at my evil site: http://bla.com/?q=%3Cscript%3Ealert(%91This%20is%20an%20XSS%20Vulnerability%92)%3C%2Fscript%3E"
  • XSS Phase 2: The Victim
    Server A; Database: Forum Comments
    <html>
      ...
      Hey folks, look at my evil site: <script>alert(‘This is an XSS Vulnerability’)</script>
      ...
    </html>
  • XSS Phase 3: Send Victim to Hell – Just one Example
    http://www.evil.lab: Evil Scripts, Cookie Stealing, Whatever!
    <html>
      <head>
        ...
        <script src="...evil.lab..."></script>
      </head>
      <body>
        <script ...></script>
      </body>
    </html>
    (diagram steps 1–4)
  • XSS recap
    Sequence diagram with actors Hacker, Victim and Web Page (WWW):
    Hacker infects the Web Page with an evil script (injects script);
    Victim visits the page;
    the script does something evil.
  • Enter: CSP
    Declarative Source Whitelisting: "What am I allowed to fetch, and from where?"
  • Our example, revisited: What do we really need?
    (same page skeleton and diagram as on "The Web... without CSP")
    <html>
      <head>
        ...import style sheets...
        ...import JavaScript files...
      </head>
      <body>
        ...Forum Comments...
        <img src="...">
        ...Google +1 Button...
        ...Facebook Like plugin...
        ...Twitter message...
      </body>
    </html>
    1. Style Sheets from our own Web Server
    2. JavaScript from our own Web Server
    3. JavaScript from apis.google.com
    4. iframe content from plusone.google.com
    5. iframe content from facebook.com
    6. JavaScript from platform.twitter.com
    7. iframe content from platform.twitter.com
    We DON'T need inline scripts (script tags within the body tag)!
  • CSP Deployment
    Solution: an HTTP header.
    Name: Content-Security-Policy*
    Values: Resource Directives, each with a Source List
    * see "CSP's limitations (as of May 2013) 1/2" for special cases/special browsers
  • CSP Deployment: Our recent example
    If you wrote it separately (don't do this, not correct, just for demonstration purposes):
        Content-Security-Policy: default-src 'self';
        Content-Security-Policy: style-src 'self';
        Content-Security-Policy: script-src 'self' https://apis.google.com https://platform.twitter.com;
        Content-Security-Policy: frame-src https://plusone.google.com https://facebook.com https://platform.twitter.com;
    Correct all-in-one notation:
        Content-Security-Policy: default-src 'self'; style-src 'self'; script-src 'self' https://apis.google.com https://platform.twitter.com; frame-src https://plusone.google.com https://facebook.com https://platform.twitter.com;
    (Note: keyword sources such as 'self' must be single-quoted; written bare, the browser treats self as a host name.)
    Covers needs 1–7 from the previous slide. We DON'T want inline scripts = script tags within the body tag!
  • CSP Directives
    default-src   origin to fall back on if there's no rule that is more specific (e.g. see directives below)
    style-src     origins for CSS stylesheets
    img-src       origins for image files
    font-src      origins to load web-fonts from
    frame-src     origins embeddable into iframes
    media-src     origins of HTML5 audio and video
    object-src    origins of Flash and similar plugins
    connect-src   origins to connect to using XHR, WebSockets, and EventSource
  • CSP Source Lists
    'none'            restrict directive to nothing at all
    'self'            current origin, but not its subdomains
    'unsafe-inline'   allows inline JavaScript and CSS
    'unsafe-eval'     allows JavaScript's eval method
    http://uri.lab    URI to allow, space-separated if multiple
    (The four keywords are always written with single quotes.)
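The deployment slides hand-write the header. As an added example that is not code from the slides, the Python helper below builds a CSP 1.0 header from the per-directive source lists of the slide's example, quotes the keyword sources correctly, lints an existing header for the bare-`self` mistake and duplicate directives, and, for the older browsers the "limitations 1/2" slide lists, emits the prefixed header names next to the standard one. The directive and keyword names are those on the slides; the function names, the host-source regex and the `SLIDE_POLICY` dictionary are this example's own assumptions.

```python
"""Build and lint a CSP 1.0 header (added example, not code from the slides)."""
import re
from typing import Dict, List, Tuple

# Keyword sources that CSP requires to be single-quoted.  Written bare, "self"
# is parsed as a host named self, so the directive silently allows nothing.
KEYWORDS = {"none", "self", "unsafe-inline", "unsafe-eval"}

# The CSP 1.0 directives listed on the slides, plus report-uri.
DIRECTIVES = {
    "default-src", "script-src", "style-src", "img-src", "font-src",
    "frame-src", "media-src", "object-src", "connect-src", "report-uri",
}

# Host-source expressions: "*", a bare scheme, or [scheme://][*.]host[:port][/path].
# This regex is an assumption of the example, not the spec's grammar.
HOST_SOURCE = re.compile(
    r"^(?:\*|https?:|wss?:|"
    r"(?:(?:https?|wss?)://)?(?:\*\.)?[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*"
    r"(?::\d+)?(?:/[^\s;,]*)?)$"
)


def normalize_source(src: str) -> str:
    """Quote keyword sources, pass host sources through, reject anything else."""
    bare = src.strip("'")
    if bare in KEYWORDS:
        return f"'{bare}'"
    if HOST_SOURCE.match(src):
        return src
    raise ValueError(f"not a valid CSP source expression: {src!r}")


def build_policy(directives: Dict[str, List[str]]) -> str:
    """Serialise {directive: [sources]} into one Content-Security-Policy value."""
    parts = []
    for name, sources in directives.items():
        if name not in DIRECTIVES:
            raise ValueError(f"unknown CSP 1.0 directive: {name}")
        # report-uri takes plain URIs (a path is fine), not source expressions
        values = sources if name == "report-uri" else [normalize_source(s) for s in sources]
        parts.append(f"{name} {' '.join(values)}")
    return "; ".join(parts)


def parse_policy(header: str) -> List[Tuple[str, List[str]]]:
    """Split a header value into (directive, [sources]) pairs, in order."""
    parsed = []
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens:
            parsed.append((tokens[0].lower(), tokens[1:]))
    return parsed


def lint_policy(header: str) -> List[str]:
    """Report the mistakes most often seen in hand-written CSP 1.0 headers."""
    problems: List[str] = []
    seen = set()
    for name, sources in parse_policy(header):
        if name not in DIRECTIVES:
            problems.append(f"{name}: unknown directive")
        if name in seen:
            problems.append(f"{name}: duplicate directive (browsers honour the first one only)")
        seen.add(name)
        if name == "report-uri":
            continue
        for src in sources:
            if src in KEYWORDS:
                problems.append(f"{name}: keyword {src} must be quoted as '{src}'")
            elif src.strip("'") not in KEYWORDS and not HOST_SOURCE.match(src):
                problems.append(f"{name}: unrecognised source expression {src!r}")
    return problems


def headers_for(policy: str, legacy: bool = False) -> List[Tuple[str, str]]:
    """Header name/value pairs to send; legacy=True adds the prefixed names."""
    names = ["Content-Security-Policy"]
    if legacy:
        names += ["X-Content-Security-Policy", "X-WebKit-CSP"]
    return [(name, policy) for name in names]


# The slide's example: needs 1-7 expressed as directives (this dict is constructed here).
SLIDE_POLICY = {
    "default-src": ["self"],
    "style-src": ["self"],
    "script-src": ["self", "https://apis.google.com", "https://platform.twitter.com"],
    "frame-src": ["https://plusone.google.com", "https://facebook.com", "https://platform.twitter.com"],
}

if __name__ == "__main__":
    header = build_policy(SLIDE_POLICY)
    for name, value in headers_for(header, legacy=True):
        print(f"{name}: {value}")
    # The slide's unquoted form: the linter flags every bare self.
    for problem in lint_policy("default-src self; script-src self https://apis.google.com"):
        print("lint:", problem)
```

Sending the same value under the prefixed names is the simplest reading of the limitations slide; early Firefox builds of the prefixed header did not accept exactly the 1.0 syntax, so treat `legacy=True` as a starting point and check the browser's own console rather than assuming the prefixed header was understood.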
  • CSP Deployment's effect
    Attacker finds a hole? Bad enough.
    Attacker injects a script? Bad enough.
    But: if the script does not match the whitelist, it cannot be executed.
    Bad enough... for the attacker.
  • CSP Reporting
    Find weak pieces of your code: let the browser report attempted policy breaches!
        Content-Security-Policy: default-src 'self'; report-uri /csp_report_parser;
    CSP violation attempts are reported to the specified URI in JSON format like this:
        {
          "csp-report": {
            "document-uri": "http://example.org/page.html",
            "referrer": "http://evil.example.com/",
            "blocked-uri": "http://evil.example.com/evil.js",
            "violated-directive": "script-src 'self' https://apis.google.com",
            "original-policy": "script-src 'self' https://apis.google.com; report-uri http://example.org/csp_report_parser"
          }
        }
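The report above is what a report-uri endpoint receives. As an added example that is not code from the slides, the Python routine below parses posted report bodies, rejects malformed ones instead of trusting them, and sorts each violation into "inline" (our own page ran inline code the policy forbids, the weak spot the slide asks you to find), "same-origin", "browser-extension" (client-side noise) or "third-party" (a source foreign to the page, the XSS signal), then tallies them. The sample bodies are constructed; the first copies the slide's report, and the field names are those of the CSP 1.0 report.

```python
"""Parse and triage CSP violation reports (added example, not code from the slides)."""
import json
from collections import Counter
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Fields every CSP 1.0 report carries; a body lacking one is treated as malformed.
REQUIRED = ("document-uri", "blocked-uri", "violated-directive", "original-policy")
EXTENSION_SCHEMES = ("chrome-extension", "moz-extension", "safari-extension")

# Constructed sample bodies.  The first mirrors the slide's report; the last is junk.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {
        "document-uri": "http://example.org/page.html",
        "referrer": "http://evil.example.com/",
        "blocked-uri": "http://evil.example.com/evil.js",
        "violated-directive": "script-src 'self' https://apis.google.com",
        "original-policy": "script-src 'self' https://apis.google.com; "
                           "report-uri http://example.org/csp_report_parser",
    }}),
    json.dumps({"csp-report": {
        "document-uri": "http://example.org/forum.html",
        "referrer": "",
        "blocked-uri": "self",  # how CSP 1.0 browsers report a blocked inline script
        "violated-directive": "script-src 'self'",
        "original-policy": "default-src 'self'; report-uri /csp_report_parser",
    }}),
    json.dumps({"csp-report": {
        "document-uri": "http://example.org/page.html",
        "referrer": "",
        "blocked-uri": "chrome-extension://abcdefghijklmnop/inject.js",  # constructed id
        "violated-directive": "script-src 'self'",
        "original-policy": "default-src 'self'; report-uri /csp_report_parser",
    }}),
    '{"not-a-report": true}',
]


def parse_report(body: str) -> Dict[str, str]:
    """Parse one posted body; raise ValueError rather than trusting odd input."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError(f"report is not valid JSON: {exc}") from None
    report = doc.get("csp-report") if isinstance(doc, dict) else None
    if not isinstance(report, dict):
        raise ValueError("missing 'csp-report' object")
    missing = [key for key in REQUIRED if key not in report]
    if missing:
        raise ValueError(f"report lacks required fields: {missing}")
    return {key: str(value) for key, value in report.items()}


def classify(report: Dict[str, str]) -> Tuple[str, str, str]:
    """Return (directive, category, host) for one parsed report.

    inline             the page itself ran inline code the policy forbids
    same-origin        a resource on our own host outside the whitelist
    browser-extension  client-side noise, not something our page served
    third-party        a source foreign to the page: the XSS signal
    """
    directive = (report["violated-directive"].split() or ["?"])[0]
    page_host = urlsplit(report["document-uri"]).hostname or ""
    blocked = report["blocked-uri"]
    if blocked in ("", "self", "inline"):
        return directive, "inline", page_host
    parts = urlsplit(blocked)
    if parts.scheme in EXTENSION_SCHEMES:
        return directive, "browser-extension", parts.scheme
    if parts.hostname == page_host:
        return directive, "same-origin", page_host
    return directive, "third-party", parts.hostname or blocked


def summarize(bodies: List[str]) -> Tuple[Counter, List[str]]:
    """Tally reports by (directive, category, host); keep parse errors apart."""
    tally: Counter = Counter()
    errors: List[str] = []
    for body in bodies:
        try:
            tally[classify(parse_report(body))] += 1
        except ValueError as exc:
            errors.append(str(exc))
    return tally, errors


if __name__ == "__main__":
    tally, errors = summarize(SAMPLE_REPORTS)
    for key, count in tally.most_common():
        print(count, *key)
    print("malformed:", errors)
```

A real endpoint would sit behind the path named in `report-uri`, cap the body size, and feed `summarize` from its request log; the "inline" bucket points at script tags in your own templates, while a "third-party" host you never whitelisted is the case worth alerting on.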
  • CSP's limitations (as of May 2013) 1/2
    Browsers supporting CSP 1.0:
    Firefox 4–16: partial support, use X-Content-Security-Policy
    Firefox 17+: seems like full support, use X-Content-Security-Policy
    Chrome 14+: seems to me like full support
    IE 10+: very rudimentary support, see http://goo.gl/p5rke
    Safari 5.1: partial support, use X-WebKit-CSP as header name
    Safari 6.0+: seems to me like full support
    iOS 6.0 Safari: seems to me like full support
    Chrome for Android 25+: seems to me like full support
    Sources: http://caniuse.com/contentsecuritypolicy and Mike West's Twitter post (linked on the "Thanks" slide)
  • CSP's limitations (as of May 2013) 2/2
    CSP protects users against most Cross-Site Scripting attacks.
    CSP does NOT protect against:
    Cross-Site Request Forgery (XSRF/CSRF)
    Session Riding
    Cookie Stealing (though this is a bit more difficult with CSP in place)
    SQL Injection
    And please use HTTPS (HTTP over SSL) wherever possible.
  • Possible Future of CSP
    CSP 1.1 currently in draft status (as of 05/2013). Will mainly support more directives:
    script-nonce   allow specific(!) inline scripts
    plugin-types   allow specific plugin MIME types
    form-action    specify form action URIs to allow
    See https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#frame-options--experimental
  • How browsers show CSP violations in their debuggers (Firebug, Developer Tools, etc.)
    Firefox: (screenshot)
    Chrome: (screenshot)
  • Thanks to all authors of the following pages:
    http://www.w3.org/TR/CSP/
    https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#frame-options--experimental
    http://www.html5rocks.com/en/tutorials/security/content-security-policy/
    http://en.wikipedia.org/wiki/Cross-site_scripting
    http://de.wikipedia.org/wiki/Cross-Site-Request-Forgery
    http://en.wikipedia.org/wiki/Same_origin_policy
    http://en.wikipedia.org/wiki/JSONP
    https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Introduction
    http://en.wikipedia.org/wiki/Samy_worm
    http://maulwuff.de/pws/2012/web20sec/vortrag.html
    https://www.bsi.bund.de/cae/servlet/contentblob/476464/publicationFile/30632/WebSec_pdf
    http://www.linuxforu.com/2012/03/cyber-attacks-explained-web-exploitation/
    http://www.linuxforu.com/2010/09/securing-apache-part-2-xss-injections/
    https://wiki.mozilla.org/index.php?title=Security/CSP/Spec&oldid=133465
    https://twitter.com/mikewest/status/268721123145957377
    http://people.mozilla.com/~bsterne/content-security-policy/
    http://people.mozilla.com/~bsterne/content-security-policy/origin-header-proposal.html
    http://de.slideshare.net/shreeraj/xss-and-csrf-with-html5
    http://google-gruyere.appspot.com/part3#3__cross_site_script_inclusion
    http://intothesymmetry.blogspot.de/2012/06/facebook-logout-csrf-and-oauth-2.html
    http://www.kendoui.com/blogs/archive/11-10-03/using_cors_with_all_modern_browsers.aspx
  • Thank you. @m2w2
    Constructive criticism always welcome!
    Disclaimer: The author of these slides does not give and cannot give any kind of warranties or guarantees or anything the like on the correctness of any information provided in these slides.