Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Content Security Policies: Let's Break Stuff

693 views

Published on

Content Security Policies are another tool we should have in our security toolbelt to help protect users of our sites. In this session I'll cover what they are, why they're needed, how they work and the limitations on what they can & cannot do to protect users. I'll demo attacks a CSP will block, break things, show what the different CSP directives & options will do and introduce some of the tools available to help with implementing a CSP on your sites!

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Content Security Policies: Let's Break Stuff

  1. 1. @BruntyCSP: Let’s Break Stuff CONTENT SECURITY POLICIES LET’S BREAK STUFF
  2. 2. @BruntyCSP: Let’s Break Stuff BECAUSE YOU ALL TOTALLY CARE ABOUT THIS, RIGHT?! ABOUT ME ▸ Senior Software Engineer at Viva IT
 (that group always in orange hoodies at conferences) ▸ @Brunty ▸ @PHPem ▸ mfyu.co.uk ▸ matt@mfyu.co.uk
  3. 3. @BruntyCSP: Let’s Break Stuff BECAUSE YOU ALL TOTALLY CARE ABOUT THIS, RIGHT?! THINGS I DO ▸ Fly fast & acrobatic first-person-view quadcopters ▸ Dungeon master for D&D campaigns with friends ▸ Mentor, lead & teach apprentices and junior developers ▸ Run & organise PHP East Midlands ▸ Speak at user groups and conferences ▸ Break production sites with incorrectly configured content security policies
  4. 4. @BruntyCSP: Let’s Break Stuff WHY DO WE NEED CSP?
  5. 5. @BruntyCSP: Let’s Break Stuff FIRST, SOME BACKGROUND WHAT IS CROSS-SITE-SCRIPTING (XSS)? ▸ XSS enables an attacker to inject client-side scripts into non-malicious web pages viewed by other users ▸ In 2016 there was a 61% likelihood of a browser-based vulnerability being found in a web application ▸ Of those browser based vulnerabilities, 86% were found to be XSS related ▸ That’s just over 52% of all web application vulnerabilities
 https://www.edgescan.com/assets/docs/reports/2016-edgescan-stats-report.pdf
  6. 6. @BruntyCSP: Let’s Break Stuff FIRST, SOME BACKGROUND WHAT CAN BE DONE WITH XSS? ▸ Anything a site owner can do in JS can be done in an XSS attack ▸ Make modifications to the DOM (you could replace an entire page and control data going in/out) ▸ Use XMLHttpRequest to send HTTP requests ▸ Access HTML5 APIs - webcam, microphone, geolocation ▸ Steal cookies (and therefore steal session cookies)
  7. 7. @BruntyCSP: Let’s Break Stuff FIRST, SOME BACKGROUND WELL KNOWN XSS ATTACKS ▸ Twitter self-retweeting tweet
 https://www.youtube.com/watch?v=zv0kZKC6GAM ▸ Samy worm
 https://en.wikipedia.org/wiki/Samy_(computer_worm) ▸ Facebook XSS attacks
 http://theharmonyguy.com/oldsite/2011/04/21/recent-facebook-xss-attacks-show-increasing- sophistication/ ▸ And so many more…
  8. 8. @BruntyCSP: Let’s Break Stuff TYPES OF XSS ATTACK STORED XSS (AKA PERSISTENT OR TYPE I) ▸ Occurs when input is stored - generally in a server-side database, but not always ▸ This could also be within a HTML5 database, thus never being sent to the server at all ▸ who.is was a site Rickrolled by a TXT record in the DNS of a website (yes, really)
  9. 9. @BruntyCSP: Let’s Break Stuff TYPES OF XSS ATTACK REFLECTED XSS (AKA NON-PERSISTENT OR TYPE II) ▸ Occurs when user input provided in the request is immediately returned - such as in an error message, search string etc ▸ Data is not stored, and in some instances, may not even reach the server (see the next type of XSS)
  10. 10. @BruntyCSP: Let’s Break Stuff TYPES OF XSS ATTACK DOM-BASED XSS (AKA TYPE-0) ▸ The entire flow of the attack takes place within the browser ▸ For example, if JavaScript in the site takes input, and uses something like document.write based on that input, it can be vulnerable to a DOM-based XSS attack
  11. 11. @BruntyCSP: Let’s Break Stuff TYPES OF XSS ATTACK SELF XSS ▸ Social-engineering form of XSS ▸ Requires the user to execute code in the browser ▸ Doing so via the console can’t be protected by a lot of methods ▸ Not considered a ‘true’ XSS attack due to requiring the user to execute the code
  12. 12. @BruntyCSP: Let’s Break Stuff
  13. 13. @BruntyCSP: Let’s Break Stuff console.log("%cStop!", "font: 5em sans-serif; font-weight: bold; color: red;");
  14. 14. @BruntyCSP: Let’s Break Stuff STOP THE HACKERS LET’S FIGHT BACK
  15. 15. @BruntyCSP: Let’s Break Stuff HTTP RESPONSE HEADER TO HELP REDUCE XSS RISKS WHAT IS A CSP?
  16. 16. @BruntyCSP: Let’s Break Stuff DECLARES WHAT RESOURCES ARE ALLOWED TO LOAD HOW DOES A CSP WORK?
  17. 17. @BruntyCSP: Let’s Break Stuff WHAT CAN WE PROTECT?
  18. 18. @BruntyCSP: Let’s Break Stuff DEFAULT-SRC
  19. 19. @BruntyCSP: Let’s Break Stuff SCRIPT-SRC
  20. 20. @BruntyCSP: Let’s Break Stuff STYLE-SRC
  21. 21. @BruntyCSP: Let’s Break Stuff UPGRADE- INSECURE-REQUESTS
  22. 22. @BruntyCSP: Let’s Break Stuff FORM-ACTION
  23. 23. @BruntyCSP: Let’s Break Stuff WORKER-SRC
 BASE-URI
 PLUGIN-TYPES
 SANDBOX
 FRAME-ANCESTORS
 CONNECT-SRC
 CHILD-SRC
 AND MANY MORE…
  24. 24. @BruntyCSP: Let’s Break Stuff FULL REFERENCE:https://content-security-policy.com
 https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
  25. 25. @BruntyCSP: Let’s Break Stuff A FEW EXAMPLES OF DIRECTIVES
  26. 26. @BruntyCSP: Let’s Break Stuff IMG-SRC * WILDCARD, ALLOWS ANY URL EXCEPT DATA: BLOB: FILESYSTEM: SCHEMES.
  27. 27. @BruntyCSP: Let’s Break Stuff OBJECT-SRC 'NONE' DON’T LOAD RESOURCES FROM ANY SOURCE
  28. 28. @BruntyCSP: Let’s Break Stuff STYLE-SRC ‘SELF' ALLOW LOADING FROM SAME ORIGIN (SAME SCHEME, HOST AND PORT)
  29. 29. @BruntyCSP: Let’s Break Stuff SCRIPT-SRC 'UNSAFE-INLINE' ALLOWS USE OF INLINE SOURCE ELEMENTS SUCH AS STYLE ATTRIBUTE, ONCLICK, OR SCRIPT TAG BODIES
  30. 30. @BruntyCSP: Let’s Break Stuff DON’T USE UNSAFE-INLINE
  31. 31. @BruntyCSP: Let’s Break Stuff <script nonce="$RANDOM">...</script> script-src 'self' 'nonce-$RANDOM'
  32. 32. @BruntyCSP: Let’s Break Stuff Content-Security-Policy: default-src: 'none'; script-src 'self' https://*.google.com 'nonce- pahsbdlensudsmslnaf7adn'; style-src ‘self'; img-src: 'self'; upgrade-insecure-requests; form-action ‘http:// mysite.com'; report-uri https://mfyu.report-uri.io/r/ default/csp/reportOnly;
  33. 33. @BruntyCSP: Let’s Break Stuff I BROKE PRODUCTION WITH A BAD CSP LEARN FROM MY MISTAKES
  34. 34. @BruntyCSP: Let’s Break Stuff DON’T DO WHAT I DID
  35. 35. @BruntyCSP: Let’s Break Stuff IMPLEMENTATION ADVICE
  36. 36. @BruntyCSP: Let’s Break Stuff REPORT-URI
  37. 37. @BruntyCSP: Let’s Break Stuff WHEN A POLICY FAILURE OCCURS, THE BROWSER SENDS A JSON PAYLOAD TO THAT URL
  38. 38. @BruntyCSP: Let’s Break Stuff { "csp-report": { "blocked-uri": "self", "document-uri": "https://mysite.com", "line-number": 1, "original-policy": "script-src 'self'", "script-sample": "try { for(var lastpass_iter=0; lastpass...", "source-file": "https://mysite.com", "violated-directive": "script-src 'self'" } }
  39. 39. @BruntyCSP: Let’s Break Stuff HTTP://REPORT-URI.IO
  40. 40. @BruntyCSP: Let’s Break Stuff REPORT-ONLY
  41. 41. @BruntyCSP: Let’s Break Stuff Content-Security-Policy-Report-Only: script-src 'self' https://*.google.com; style-src 'self'; report-uri https://mfyu.report-uri.io/r/default/csp/reportOnly;
  42. 42. @BruntyCSP: Let’s Break Stuff TRIAL STUFF BEFORE ENFORCING
  43. 43. @BruntyCSP: Let’s Break Stuff USE REPORT-ONLY
  44. 44. @BruntyCSP: Let’s Break Stuff LOVE REPORT-ONLY
  45. 45. @BruntyCSP: Let’s Break Stuff HATE REPORT-ONLY
  46. 46. @BruntyCSP: Let’s Break Stuff BUT THERE WILL BE NOISE, LOTS OF NOISE
  47. 47. @BruntyCSP: Let’s Break Stuff WAYS TO REMOVE BARRIERS IN DEVELOPMENT NONCES ▸ Don’t generate multiple nonces in the same request (but do generate a new nonce on each separate request) ▸ If using a templating engine (such as twig) - add the nonce as a global so it’s available in every template by default ▸ Write a helper to generate tags with a nonce if it’s available
  48. 48. @BruntyCSP: Let’s Break Stuff WAYS TO MAKE DEALING WITH A CSP EASIER TIPS ▸ Have an easy and quick way to disable the CSP in production if required ▸ Better yet, have a way to switch it from enforced to report only so you can get violations reported to help you debug ▸ Add the CSP at an application level if you need a nonce - be careful with doing it at a vhost config level (as changes require web server config reload)
  49. 49. @BruntyCSP: Let’s Break Stuff BROWSER SUPPORT
  50. 50. @BruntyCSP: Let’s Break Stuff
  51. 51. @BruntyCSP: Let’s Break Stuff DEMO
  52. 52. @BruntyCSP: Let’s Break Stuff @SCOTT_HELME (HE KNOWS HIS STUFF!) (THIS ISN’T ME)
  53. 53. @BruntyCSP: Let’s Break Stuff HOMEWORK TIME! LINKS & FURTHER READING ▸ https://www.owasp.org/index.php/Cross-site_Scripting_(XSS) ▸ https://content-security-policy.com ▸ https://report-uri.io ▸ https://scotthelme.co.uk/just-how-much-traffic-can-you-generate-using-csp/ ▸ https://www.edgescan.com/assets/docs/reports/2016-edgescan-stats-report.pdf ▸ http://theharmonyguy.com/oldsite/2011/04/21/recent-facebook-xss-attacks-show- increasing-sophistication/ ▸ https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy ▸ https://github.com/Brunty/csp-demo
  54. 54. @BruntyCSP: Let’s Break Stuff FEEDBACK: https://joind.in/talk/d914f
  55. 55. @BruntyCSP: Let’s Break Stuff THANK YOU
  56. 56. @BruntyCSP: Let’s Break Stuff QUESTIONS?

×