[Cluj] CSP (Content Security Policy)

OWASP EEE
CSP (Content Security Policy)
- tricks to save your reputation and improve resilience -
Teofil Cojocariu (the brain)
Bogdan Oniga (the experimenter)
Lucian Corlan (the guy convincing the other 2 to showcase this)
What is Content Security Policy?
•An HTTP header (+meta tag)
•Allows you to block what an application loads, connects to or executes (e.g. restrict the domains from which content is loaded and what that content is allowed to do)
•Blocks a wide range of content-injection attacks (XSS, mixed content)
•Untested… the "Upgrade Insecure Requests" CSP directive can be used to automatically upgrade insecure requests to a secure alternative before the browser fetches them
•Used successfully by businesses (e.g. Facebook, Twitter, PayPal, GitHub… and even some darker sites ☺)
•CSP Report Only! – the focus of this presentation
History of CSP & browser support
•Started at Mozilla and grew into its own W3C specification
•v1.0 – browser support is very good, with the exception of IE, of course :x
•v2.0 – changes some directives, adds SecurityPolicyViolationEvent
•v3.0 – draft published 2 days ago – "rewritten from the ground up in terms of the [FETCH] specification – e.g. child-src, script-src"
What is CSP Report Only?
CSP, but without blocking anything - the browser only reports violations to an endpoint.
# Content-Security-Policy-Report-Only: default-src 'self' data: https://ajax.googleapis.com; report-uri https://csplocal.betfair/?csp;
---
POST https://csplocal.betfair/?csp HTTP/1.1
Host: csplocal.betfair
Content-Type: application/json
POST_Data
{
  "csp-report": {
    "blocked-uri": "http://site.games.nxt.dev.betfair/?pi.localeId=en&pi.regionId=GBR&pi.brandId=betfair",
    "document-uri": "https://games.nxt.dev.betfair/exchange-card-derby-racing/turbo/",
    "original-policy": "default-src 'self' data: https://ajax.googleapis.com; report-uri https://csplocal.betfair/?csp;",
    "referrer": "https://games.nxt.dev.betfair/",
    "violated-directive": "frame-src https:"
  }
}
--
document-uri - the page on which the violation occurred
referrer - the page's referrer
blocked-uri - the actual problem: the resource that was blocked (or would have been)
violated-directive - which directive was violated
source-file - the file in which the violation occurred
script-sample - a sample of the injected script
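What a report collector has to do with a body like the one above: validate it, pull out the fields listed here and bucket it as mixed content, inline/eval or an external resource. This is an added example, not the slides' code or the SecHunter dashboard; it assumes only the "csp-report" JSON shape shown on the slide, and the category names are my own.

```python
"""Parse and triage Content-Security-Policy-Report-Only violation reports."""
import json
from collections import Counter
from urllib.parse import urlsplit

# The report body from the slide, embedded here as sample input.
SAMPLE_REPORT = """{
  "csp-report": {
    "blocked-uri": "http://site.games.nxt.dev.betfair/?pi.localeId=en&pi.regionId=GBR&pi.brandId=betfair",
    "document-uri": "https://games.nxt.dev.betfair/exchange-card-derby-racing/turbo/",
    "original-policy": "default-src 'self' data: https://ajax.googleapis.com; report-uri https://csplocal.betfair/?csp;",
    "referrer": "https://games.nxt.dev.betfair/",
    "violated-directive": "frame-src https:"
  }
}"""

# Report fields the slide lists; anything else in the body is kept but not relied on.
KNOWN_FIELDS = ("document-uri", "referrer", "blocked-uri", "violated-directive",
                "source-file", "script-sample", "original-policy")

# Non-URL values browsers put in blocked-uri for inline script/style and eval()
# ("self" is what some older browsers sent for inline violations).
NON_URL_BLOCKED = {"inline", "eval", "self", ""}


def parse_csp_report(body):
    """Validate one POSTed report body and return a flat dict of its fields.

    Raises ValueError for anything that is not a CSP report, so a collector
    can reject junk posted to the public report-uri instead of storing it.
    """
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError("report body is not JSON: %s" % exc)
    if not isinstance(doc, dict) or not isinstance(doc.get("csp-report"), dict):
        raise ValueError("missing csp-report object")
    rep = doc["csp-report"]
    for required in ("document-uri", "violated-directive"):
        if not isinstance(rep.get(required), str) or not rep[required].strip():
            raise ValueError("missing required field %s" % required)
    out = {k: rep.get(k, "") for k in KNOWN_FIELDS}
    # violated-directive carries the whole directive ("frame-src https:");
    # its first token is the directive name, which is what you aggregate on.
    out["directive"] = rep["violated-directive"].split()[0]
    return out


def origin_of(uri):
    """Return scheme://host[:port] of a URI, or the bare token if it is not a URL."""
    parts = urlsplit(uri)
    if not parts.scheme or not parts.netloc:
        return uri
    return "%s://%s" % (parts.scheme, parts.netloc)


def classify(rep):
    """Bucket one parsed report into the categories the talk is after."""
    blocked = rep["blocked-uri"]
    if blocked in NON_URL_BLOCKED:
        return "inline-or-eval"      # would need 'unsafe-inline' / 'unsafe-eval'
    doc = urlsplit(rep["document-uri"])
    blk = urlsplit(blocked)
    if doc.scheme == "https" and blk.scheme == "http":
        return "mixed-content"       # plaintext resource on an https page
    if blk.netloc == doc.netloc:
        return "same-host"           # own host, but a disallowed directive/type
    return "external"                # third-party or injected resource


def aggregate(bodies):
    """Count (category, directive, blocked origin) over many raw report bodies.

    Malformed bodies are counted under an "invalid" key rather than aborting
    the batch, which is what you want on a public collector endpoint.
    """
    counts = Counter()
    for body in bodies:
        try:
            rep = parse_csp_report(body)
        except ValueError:
            counts[("invalid", "", "")] += 1
            continue
        counts[(classify(rep), rep["directive"], origin_of(rep["blocked-uri"]))] += 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(aggregate([SAMPLE_REPORT]).items()):
        print(n, *key)
```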
How is the content restricted?
•By source: 'none', 'self', specific hostnames, *
•By category
• unsafe-inline (script-src & style-src only)
• unsafe-eval (script-src only)
•No string-to-code functions or inline scripts.
•Browser extensions?
•Bug: CSP does not block cross-domain applets with object-src 'self'. Details here: https://bugzilla.mozilla.org/show_bug.cgi?id=908933
Problems with restrictions?
•Remove from the code the patterns that are banned unless unsafe-eval is allowed
•Convert text-to-JavaScript functions like eval()
•Remove all inline JavaScript, e.g. a href="javascript:doSomething()", and inline event handlers such as onkeyup() as well
•Third-party scripts: can you host all the resources yourself?..
What are we trying to do?
•Report against mixed content
•New XSS protection at browser level
•Protection against XSS in the DOM (mutation XSS) (devil)
•Protection against injection of unknown scripts/resources
Content-Security-Policy-Report-Only: default-src https:; script-src 'unsafe-inline'; report-uri https://local.local/?csp;
Source: http://www.securitee.org/files/mixedinc_isc2013.pdf
Helpers
•There is no other way to get all mixed-content and security reports from the browser except by using CSP or JavaScript (the JavaScript route only works with some applications, and it's hard to inject JS without breaking stuff anyway)
•Don't push CSP to production directly, use CSP Report Only first!.. (although some xxx sites are mature enough and do! ☺)
•Don't rely on CSP to protect the application against XSS
•It doesn't matter what backend you run (Java, PHP, ASP and so on) ;)
Stats
veracode.com scanned the top 1 million sites from Alexa.com 2 years ago; the results are below.
A Python script scanned ~250k domains from Alexa.com 2 days ago.
# CSP Report Only
$ cat output.txt | grep -i "content-security-policy-report-only" | wc
> ~500
# CSP
$ cat output.txt | grep -i "content-security-policy'" | wc
> ~700
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' *.xvideos.com *.xnxx.com *.trafficfactory.biz ajax.googleapis.com www.google-analytics.com *.addthis.com www.loading-delivery2.com www.google.com
Guess the website.. (?)
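The policy above is a good specimen of what the scan keeps finding: everything hangs off default-src, with 'unsafe-inline' and 'unsafe-eval' switched on. The checker below parses a header value into directives, applies the default-src fallback and flags the relaxations discussed on the earlier slides. It is an added example, not code from the slides or from the scanner; the severity labels and the fallback list are my own choices.

```python
"""Parse a Content-Security-Policy header value and flag weak settings."""

# The "Guess the website" policy from the slide, used as sample input.
SAMPLE_POLICY = ("default-src 'self' 'unsafe-inline' 'unsafe-eval' *.xvideos.com *.xnxx.com "
                 "*.trafficfactory.biz ajax.googleapis.com www.google-analytics.com "
                 "*.addthis.com www.loading-delivery2.com www.google.com")

# Fetch directives that fall back to default-src when they are absent.
FALLBACK_TO_DEFAULT = ("script-src", "style-src", "img-src", "connect-src", "font-src",
                       "object-src", "media-src", "frame-src", "child-src")


def parse_policy(header_value):
    """Turn 'dir1 src src; dir2 src' into {directive: [sources]}.

    Directive names are case-insensitive; when a directive is repeated the
    browser keeps the first copy and ignores the rest, so we do the same.
    """
    policy = {}
    for token in header_value.split(";"):
        parts = token.split()
        if not parts:
            continue                       # empty token, e.g. a trailing ';'
        name = parts[0].lower()
        if name not in policy:
            policy[name] = parts[1:]
    return policy


def effective_sources(policy, directive):
    """Sources that actually govern `directive`, applying the default-src fallback."""
    if directive in policy:
        return policy[directive]
    if directive in FALLBACK_TO_DEFAULT:
        return policy.get("default-src", [])
    return []


def audit(header_value):
    """Return a list of (severity, directive, finding) tuples for the policy."""
    policy = parse_policy(header_value)
    findings = []
    script = effective_sources(policy, "script-src")
    if "'unsafe-inline'" in script:
        findings.append(("high", "script-src",
                         "'unsafe-inline' allows injected inline scripts: no XSS protection"))
    if "'unsafe-eval'" in script:
        findings.append(("high", "script-src",
                         "'unsafe-eval' allows string-to-code functions such as eval()"))
    if "*" in script or "https:" in script or "http:" in script:
        findings.append(("high", "script-src",
                         "* or scheme-only source: scripts may be loaded from any host"))
    for src in script:
        if src.startswith("*."):
            findings.append(("medium", "script-src",
                             "wildcard %s: any subdomain may serve scripts" % src))
        elif src.startswith("http://"):
            findings.append(("medium", "script-src",
                             "%s: script loaded over plaintext (mixed content)" % src))
    obj = effective_sources(policy, "object-src")
    if obj and "'none'" not in obj:
        findings.append(("medium", "object-src", "plugins allowed from: %s" % " ".join(obj)))
    if "report-uri" not in policy:
        findings.append(("low", "report-uri", "no report-uri: violations go unreported"))
    return findings


if __name__ == "__main__":
    for severity, directive, text in audit(SAMPLE_POLICY):
        print("%-6s %-11s %s" % (severity, directive, text))
```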
# Easter egg. Jobs in the headers… Haha!
$ cat output.txt | grep -iE "job|hire|work" | grep http | wc
> ~1100
Our scanning
Dashboard (future project SecHunter)
Idea…
•1 web server (nginx), 1 DB server
•Application:
• Backend: Python, Flask (framework) & Jade (template engine)
• Database: MongoDB
• Frontend: Bootstrap + gentelella theme
Demo!
•Demo CSP: Generate Header
•Demo CSP Report Only
•Push to production? Report Only!
Not me!
Others on the topic:
https://www.youtube.com/watch?v=9V64zQi2pX0&list=PLBcFXK_g1tl8ysm6zwZSlb6QliyKqTzVh&index=14
https://www.youtube.com/watch?v=93tIdSik9q8&index=6&list=PLBcFXK_g1tl8ysm6zwZSlb6QliyKqTzVh