Defeating Cross-Site Scripting with Content Security Policy (updated)

How a new HTTP response header can help increase the depth of your web application defenses.

Also includes a few slides on HTTP Strict Transport Security, a header which helps protect HTTPS sites from sslstrip attacks.


  1. Defeating cross-site scripting with Content Security Policy
     François Marier – @fmarier
  2. what is a cross-site scripting (aka "XSS") attack?
  3. preventing XSS attacks
  4. print <<<EOF
     <html><h1>$title</h1></html>
     EOF;
  5. $title = escape($title);
     print <<<EOF
     <html><h1>$title</h1></html>
     EOF;
  6. templating system
  7. page.tpl:
       <html> <h1>{title}</h1> </html>
     page.php:
       render("page.tpl", $title);
  8. auto-escaping turned ON
  9. page.tpl:
       <html> <h1>{title|raw}</h1> </html>
     page.php:
       render("page.tpl", $title);
  10. escaping always ON (not just auto-escaping turned ON: a |raw escape hatch is one forgotten filter away from XSS)
  11. the real problem: browser default = allow all
  12. a way to get the browser to enforce the restrictions you want on your site
  13. $ curl --head http://example.com/
      Content-Security-Policy: default-src 'self'; img-src 'self' data:
      (the keywords 'self' and 'none' must be single-quoted and a scheme source such as data: keeps its colon; the bare forms on the original slides are parsed by the browser as host names, so nothing would match)
  14. $ curl --head https://example.com/login
      Content-Security-Policy: default-src 'self'; img-src 'self' data:; frame-src 'self' https://login.persona.org; script-src 'self' https://login.persona.org
  15. $ curl --head http://fmarier.org/
      Content-Security-Policy: default-src 'none'; img-src 'self'; style-src 'self'; font-src 'self'
  16. what each directive governs:
      object-src:  <object>, <applet> & <embed>
      script-src:  <script>
      style-src:   <style> & <link>
      img-src:     <img>
      media-src:   <audio>, <video>, <source> & <track>
      frame-src:   <frame> & <iframe>
      font-src:    @font-face
      connect-src: WebSocket, EventSource & XMLHttpRequest
  17. >= 10
  18. what does a CSP-enabled website look like?
  19. unless explicitly allowed by your policy, inline scripts are not executed
  20. unless explicitly allowed by your policy, external resources are not loaded
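
The enforcement model the slides above describe (each resource type is checked against its directive, a missing directive falls back to default-src, and with no policy at all the browser allows everything), as an added example in Python. This is not code from the deck: it is a small model of the browser's decision, covering the source expressions the slides use ('self', 'none', data:, hosts with a "*." wildcard, hosts with an explicit scheme) plus a lint for the unquoted keywords that would otherwise be read as host names. The policies and URLs in the demo are assumptions for illustration.

```python
from urllib.parse import urlparse

# Added example, not code from the original deck: a small model of how a
# browser evaluates a Content-Security-Policy header against a resource load.

KEYWORDS = {"self", "none", "unsafe-inline", "unsafe-eval"}
SCHEMES_NEEDING_COLON = {"data", "blob", "http", "https"}


def parse_policy(header_value):
    """Turn "directive src src; directive src" into {directive: [sources]}."""
    policy = {}
    for clause in header_value.split(";"):
        parts = clause.split()
        if parts:
            policy.setdefault(parts[0].lower(), []).extend(parts[1:])
    return policy


def lint_policy(policy):
    """Flag bare keywords and schemes: the browser treats them as host names,
    so an unquoted self only matches a server literally named "self"."""
    problems = []
    for directive, sources in policy.items():
        for src in sources:
            low = src.lower()
            if low in KEYWORDS:
                problems.append(f"{directive}: write '{src}' in single quotes")
            elif low in SCHEMES_NEEDING_COLON:
                problems.append(f"{directive}: scheme source must be {src}:")
    return problems


def _host_matches(pattern, hostname):
    pattern, hostname = pattern.lower(), (hostname or "").lower()
    if pattern.startswith("*."):
        # *.example.com matches static.example.com but not example.com itself
        return hostname.endswith(pattern[1:])
    return pattern == hostname


def _source_matches(source, resource_url, page_url):
    """Does one source expression permit resource_url to load into page_url?"""
    page, res = urlparse(page_url), urlparse(resource_url)
    if source == "'none'":
        return False
    if source == "'self'":
        # same scheme, host and port as the protected document
        return (res.scheme, res.hostname, res.port) == (page.scheme, page.hostname, page.port)
    if source == "*":
        return True
    if source.endswith(":"):                     # scheme source, e.g. data:
        return res.scheme == source[:-1]
    if "://" in source:                          # host with an explicit scheme
        src = urlparse(source)
        return res.scheme == src.scheme and _host_matches(src.hostname or "", res.hostname)
    # bare host: the protected page's own scheme is assumed
    return res.scheme == page.scheme and _host_matches(source, res.hostname)


def is_allowed(policy, directive, resource_url, page_url):
    """Apply the directive for this resource type, falling back to default-src.
    With no applicable directive at all the browser default is to allow (slide 11)."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True
    return any(_source_matches(s, resource_url, page_url) for s in sources)


if __name__ == "__main__":
    # Constructed demo policy, modelled on the /login header from the slides.
    login = parse_policy("default-src 'self'; img-src 'self' data:; "
                         "frame-src 'self' https://login.persona.org; "
                         "script-src 'self' https://login.persona.org")
    page = "https://example.com/login"
    print(is_allowed(login, "script-src", "https://login.persona.org/include.js", page))
    print(is_allowed(login, "script-src", "https://evil.example.net/x.js", page))
    print(is_allowed(login, "style-src", "https://cdn.example.com/a.css", page))
    print(lint_policy(parse_policy("default-src self; img-src self data")))
```

Note the style-src case: the /login policy never mentions style-src, so the check falls through to default-src 'self' and a stylesheet from cdn.example.com is refused. That fall-through is why the deck's strict policy starts from default-src 'none' and then opens individual directives.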
  21. preparing your website for CSP (aka things you can do today)
  22. eliminate inline scripts and styles
  23. <script>do_stuff();</script>
  24. <script src="do_stuff.js"></script>
  25. eliminate javascript: URIs
  26. <a href="javascript:go()">Go!</a>
  27. <a id="go-button" href="#">Go!</a>
      var button = document.getElementById("go-button");
      button.onclick = go;
  28. rolling out CSP
  29. start with a loose policy
  30. default-src 'self' *.example.com data:
  31. default-src 'self' *.example.com data: 'unsafe-inline'
      (the original slide reads "options unsafe-inline"; the separate options directive of the early drafts is gone and 'unsafe-inline' is now a source expression placed in default-src, script-src or style-src)
  32. work towards a stricter policy
  33. default-src 'self'; img-src 'self' static.example.com data:; style-src static.example.com; script-src static.example.com
  34. use the reporting mode
  35. Content-Security-Policy-Report-Only: default-src 'none'; report-uri http://example.com/report.cgi
  36. { "csp-report": {
          "document-uri": "http://example.com/page.html",
          "referrer": "http://evil.example.com/haxor.html",
          "blocked-uri": "http://evil.example.com/foo.png",
          "violated-directive": "default-src 'none'",
          "original-policy": "default-src 'none' ... "
      } }
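
The receiving end of report-uri, as an added example in Python that is not part of the deck. It validates the JSON body a browser POSTs (the report endpoint is reachable by anyone, so the body is hostile input: size-capped, must be JSON, must carry the fields you key on) and then aggregates violations by directive and blocked host, which is the view you want while a Report-Only policy runs ahead of enforcement. The sample bodies are constructed for the demo, starting from the report shown on the slide; the size limit is an assumption.

```python
import json
from collections import Counter
from urllib.parse import urlparse

# Added example, not code from the original deck: validating and summarising
# the violation reports that Content-Security-Policy-Report-Only sends to
# the report-uri endpoint.

MAX_REPORT_BYTES = 4096          # assumption: real reports are small; cap untrusted input
REQUIRED_FIELDS = ("document-uri", "violated-directive", "original-policy")


def parse_report(body):
    """Return the csp-report object from one POST body, or raise ValueError.
    blocked-uri is not required: inline-script violations may omit it."""
    if len(body) > MAX_REPORT_BYTES:
        raise ValueError("report too large")
    try:
        outer = json.loads(body)
    except ValueError as exc:            # json.JSONDecodeError is a ValueError
        raise ValueError("body is not JSON") from exc
    report = outer.get("csp-report") if isinstance(outer, dict) else None
    if not isinstance(report, dict):
        raise ValueError("missing csp-report object")
    for field in REQUIRED_FIELDS:
        value = report.get(field)
        if not isinstance(value, str) or not value.strip():
            raise ValueError("missing field: " + field)
    return report


def blocked_host(report):
    """Group key for a violation: the host that was blocked, or (inline)."""
    blocked = report.get("blocked-uri", "")
    if blocked in ("", "self", "inline"):
        return "(inline)"
    return urlparse(blocked).hostname or blocked


def summarize(bodies):
    """Count violations per (directive, host); return (counts, rejected)."""
    counts, rejected = Counter(), 0
    for body in bodies:
        try:
            report = parse_report(body)
        except ValueError:
            rejected += 1
            continue
        # "default-src 'none'" -> default-src (older browsers echo the value too)
        directive = report["violated-directive"].split()[0]
        counts[(directive, blocked_host(report))] += 1
    return counts, rejected


# Constructed sample bodies: the report from the slide, a second blocked
# resource from the same host, an inline-script violation, a body missing
# original-policy, and one that is not JSON at all.
SAMPLE_BODIES = [
    json.dumps({"csp-report": {
        "document-uri": "http://example.com/page.html",
        "referrer": "http://evil.example.com/haxor.html",
        "blocked-uri": "http://evil.example.com/foo.png",
        "violated-directive": "default-src 'none'",
        "original-policy": "default-src 'none'; report-uri http://example.com/report.cgi"}}),
    json.dumps({"csp-report": {
        "document-uri": "http://example.com/page.html",
        "blocked-uri": "http://evil.example.com/bar.js",
        "violated-directive": "default-src 'none'",
        "original-policy": "default-src 'none'; report-uri http://example.com/report.cgi"}}),
    json.dumps({"csp-report": {
        "document-uri": "http://example.com/page.html",
        "blocked-uri": "self",
        "violated-directive": "script-src 'self'",
        "original-policy": "script-src 'self'; report-uri http://example.com/report.cgi"}}),
    json.dumps({"csp-report": {
        "document-uri": "http://example.com/",
        "violated-directive": "img-src 'self'"}}),
    "<html>not a report</html>",
]


if __name__ == "__main__":
    counts, rejected = summarize(SAMPLE_BODIES)
    for (directive, host), n in counts.most_common():
        print(f"{n:4d}  {directive:12s} {host}")
    print("rejected:", rejected)
```

Reports are also a signal of what a stricter policy would break: a high count for a host you own means that host belongs in the policy, a count for a host you do not recognise is either an injection or a browser extension, and inline-script counts tell you how much of slide 22's cleanup is still ahead.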
  37. add headers in web server config
  38. <Location /some/page>
        Header set Content-Security-Policy "default-src 'self'; script-src 'self' http://example.org"
      </Location>
      (Apache: the Header directive needs mod_headers loaded)
  39. not a replacement for proper XSS hygiene
  40. great tool to increase the depth of your defenses
  41. Spec: http://www.w3.org/TR/CSP/
      HOWTO: https://developer.mozilla.org/en/Security/CSP
      @fmarier http://fmarier.org
  42. 100% FREE! bonus HTTP header
  43. wouldn't it be nice if the browser...
  44. ...blocked all HTTP requests there?
  45. HTTP Strict Transport Security
  46. $ curl --head https://login.persona.org
      HTTP/1.1 200 OK
      Vary: Accept-Encoding,Accept-Language
      Cache-Control: public, max-age=0
      Content-Type: text/html; charset=utf8
      Strict-Transport-Security: max-age=2592000
      Date: Thu, 16 Aug 2012 03:29:19 GMT
      ETag: "2943768d6a45793897e83bf8804cd711"
      Connection: keep-alive
      X-Frame-Options: DENY
      Content-Length: 5374
  47. HTTPS-only site? turn HSTS on
      (only for a site where everything is already served over HTTPS: once a browser has seen the header it refuses plain HTTP to that host for max-age seconds, and the header is only honoured when it arrives over HTTPS)
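
The browser side of HTTP Strict Transport Security, as an added example in Python that is not part of the deck: a store of hosts learned from the header and the rewrite that turns http:// into https:// before any plaintext request leaves the browser, which is what defeats sslstrip. It follows the RFC 6797 rules that matter here: the header is ignored over plain HTTP, max-age=0 forgets the host, includeSubDomains extends the policy downward, and entries expire. The injectable clock and the hosts used in the demo are assumptions for illustration.

```python
import time
from urllib.parse import urlparse, urlunparse

# Added example, not code from the original deck: a minimal HSTS host store
# and the http:// -> https:// upgrade a browser applies before connecting.


def parse_hsts(header_value):
    """Parse Strict-Transport-Security into (max_age, include_subdomains),
    or None if there is no usable max-age. Tolerates "max-age= 2592000"."""
    max_age, include_sub = None, False
    for directive in header_value.split(";"):
        name, _, value = directive.partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


class HstsStore:
    def __init__(self, now=time.time):
        self.now = now              # clock is injectable so expiry can be tested
        self.hosts = {}             # host -> (expires_at, include_subdomains)

    def observe(self, host, scheme, header_value):
        """Learn a policy from a response. RFC 6797 section 8.1: only honour the
        header over HTTPS, otherwise a network attacker could set the policy for
        a site, or clear it with max-age=0, from a plaintext response."""
        if scheme != "https":
            return False
        parsed = parse_hsts(header_value)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        host = host.lower()
        if max_age == 0:
            self.hosts.pop(host, None)          # max-age=0 means forget this host
        else:
            self.hosts[host] = (self.now() + max_age, include_sub)
        return True

    def is_known(self, host):
        """Exact known host, or a subdomain of a known host with includeSubDomains."""
        host, now = host.lower(), self.now()
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

    def rewrite(self, url):
        """Upgrade http:// to https:// for known hosts; port 80 becomes 443,
        any other explicit port is left alone, as the RFC prescribes."""
        p = urlparse(url)
        if p.scheme != "http" or not self.is_known(p.hostname or ""):
            return url
        netloc = p.hostname if p.port in (None, 80) else p.netloc
        return urlunparse(("https", netloc, p.path, p.params, p.query, p.fragment))


if __name__ == "__main__":
    store = HstsStore()
    # the header from the slide, as received over HTTPS
    store.observe("login.persona.org", "https", "max-age= 2592000")
    print(store.rewrite("http://login.persona.org/"))        # upgraded
    # the same header over plain HTTP is ignored
    store.observe("example.com", "http", "max-age=31536000")
    print(store.rewrite("http://example.com/"))              # unchanged
```

The first visit is the gap: a browser that has never seen the header still sends its first request in the clear, and sslstrip can strip the redirect and the header with it. That is why the policy must come from an HTTPS response, and why a long max-age matters more than a short one.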
  48. Spec:
        http://www.w3.org/TR/CSP/
        https://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec
      HOWTO:
        https://developer.mozilla.org/en/Security/CSP
        https://developer.mozilla.org/en/Security/HTTP_Strict_Transport_Security
      @fmarier http://fmarier.org
  49. Photo credits:
        Biohazard wallpaper: http://www.flickr.com/photos/rockyx/4273385120/
        Under Construction: https://secure.flickr.com/photos/aguichard/6864586905/
        Castle walls: https://secure.flickr.com/photos/rdale/585105348/
        Wash hands: https://secure.flickr.com/photos/hygienematters/4504612019/
      Copyright © 2012 François Marier
      Released under the terms of the Creative Commons Attribution Share Alike 3.0 Unported Licence
