Defeating Cross-Site Scripting with Content Security Policy

How a new proposed HTTP response header can help increase the depth of your web application defenses.


  1. Defeating cross-site scripting with Content Security Policy
     Francois Marier <francois@catalyst.net.nz>
  2. what is a cross-site scripting (aka "XSS") attack?
  3. preventing XSS attacks
  4. (vulnerable: $title is printed unescaped)
     print <<<EOF
     <html><h1>$title</h1></html>
     EOF;
  5. $title = escape($title);
     print <<<EOF
     <html><h1>$title</h1></html>
     EOF;
  6. templating system
  7. page.tpl:
     <html> <h1>{title}</h1> </html>
     page.php:
     render("page.tpl", $title);
  8. auto-escaping turned ON
  9. page.tpl:
     <html> <h1>{title|raw}</h1> </html>
     page.php:
     render("page.tpl", $title);
  10. auto-escaping turned ON != escaping always ON
  11. the real problem: browser default = allow all
  12. a way to get the browser to enforce the restrictions you want on your site
  13. $ curl --head https://www.libravatar.org/
      X-Content-Security-Policy: default-src self ; img-src self data
  14. $ curl --head https://www.libravatar.org/account/login/
      X-Content-Security-Policy: default-src self ; img-src self data ; frame-src self https://browserid.org ; script-src self https://browserid.org
  15. $ curl --head http://fmarier.org/
      X-Content-Security-Policy: default-src none ; img-src self ; style-src self ; font-src self
  16. <object>, <script>, <style>, <img>, <audio> & <video>, <frame> & <iframe>, <font>, WebSocket & XMLHttpRequest
  17. [browser logos with minimum supported versions, logos not preserved in the transcript: >= 4, >= 13, >= 5, >= 10]
  18. what does a CSP-enabled website look like?
  19. unless explicitly allowed by your policy, inline scripts are not executed
  20. unless explicitly allowed by your policy, external resources are not loaded
  21. preparing your website for CSP (aka things you can do today)
  22. eliminate inline scripts and styles
  23. <script>do_stuff();</script>
  24. <script src="do_stuff.js"></script>
  25. eliminate javascript: URIs
  26. <a href="javascript:go()">Go!</a>
  27. <a id="go-button" href="#">Go!</a>
      // attach the handler from an external script instead of the javascript: URI
      var button = document.getElementById("go-button");
      button.onclick = go;
  28. add headers in web server config
  29. <Location /some/page>
        Header set X-Content-Security-Policy "default-src self ; script-src self http://example.org"
      </Location>
  30. not a replacement for proper XSS hygiene
  31. great tool to increase the depth of your defenses
  32. Spec: http://www.w3.org/TR/CSP/
      HOWTO: https://developer.mozilla.org/en/Security/CSP
      fmarier
      Copyright © 2012 François Marier. Released under the terms of the Creative Commons Attribution Share Alike 3.0 Unported Licence
  33. Credits:
      Biohazard wallpaper: http://www.flickr.com/photos/rockyx/4273385120/
      Under Construction: https://secure.flickr.com/photos/aguichard/6864586905/
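Slides 22 to 27 say to remove inline scripts, inline styles and javascript: URIs before a policy is switched on. The following audit script is an added example, not part of the deck; it uses Python's standard html.parser to list exactly that markup, with line numbers, and runs over a constructed sample page that mixes the "before" and "after" forms from the slides.

```python
from html.parser import HTMLParser


class InlineCodeAuditor(HTMLParser):
    """Collect markup that a default-src/script-src/style-src policy will block:
    inline <script> and <style>, on* event-handler attributes, style attributes,
    and javascript: URIs in href/src/action."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (line number, kind, detail)

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        attrs = {name.lower(): (value or "") for name, value in attrs}
        if tag == "script" and "src" not in attrs:
            self.findings.append((line, "inline-script", "<script> without src"))
        if tag == "style":
            self.findings.append((line, "inline-style", "<style> block"))
        for name, value in attrs.items():
            if name.startswith("on") and len(name) > 2:
                self.findings.append((line, "inline-handler", f"<{tag} {name}=...>"))
            elif name == "style":
                self.findings.append((line, "inline-style", f"<{tag} style=...>"))
            elif name in ("href", "src", "action") and value.strip().lower().startswith("javascript:"):
                self.findings.append((line, "javascript-uri", f"<{tag} {name}={value}>"))


def audit_html(markup):
    """Return the list of (line, kind, detail) findings for one HTML document."""
    parser = InlineCodeAuditor()
    parser.feed(markup)
    parser.close()
    return parser.findings


# Constructed sample page: lines 2, 4, 5 and 7 should be flagged, lines 3 and 6 are the CSP-friendly forms.
SAMPLE = """<html>
<head><script>do_stuff();</script>
<script src="do_stuff.js"></script></head>
<body style="color:red">
<a href="javascript:go()">Go!</a>
<a id="go-button" href="#">Go!</a>
<button onclick="go()">Go</button>
</body></html>"""

if __name__ == "__main__":
    for line, kind, detail in audit_html(SAMPLE):
        print(f"line {line}: {kind}: {detail}")
```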
