
Future of Web Security Opened up by CSP


Presentation materials of hasemunea (Yosuke HASEGAWA & nishimunea) for AVTOKYO2014.

  1. AVTOKYO2014, HASEMUNEA (Nishimunea & Yosuke HASEGAWA): Future of Web Security Opened up by CSP
  2. Nishimunea (Muneaki Nishimura): Firefox OS Community, Japan / Lecturer of Security Camp 2014
  3. Yosuke HASEGAWA: Shibuya.XSS / Lecturer of Security Camp 2014
  4. Content Security Policy (CSP)
     • Browser feature to mitigate common attacks, e.g., XSS
     • Set the Content-Security-Policy header in HTTP responses
     • W3C Candidate Recommendation as of 2012
     • The next generation, CSP Level 2, is under development
  5. Browser Support
     • Supported by all major browsers except IE
       – IE support is in development for a future release
     • Header names
       – Content-Security-Policy: the W3C spec's name
       – X-Content-Security-Policy: for Firefox 4-22, removed in 33
       – X-WebKit-CSP: for earlier versions of WebKit
     • Minimum supported versions (the browser icons were lost in extraction): 4+, 4+, 6+, 5+, 25+, 4.4+, N/A
  6. Syntax
     • Allow loading sub-resources from any origin:
         default-src *
     • Allow scripts only from jQuery's CDN (the CDN host was lost in extraction):
         default-src *; script-src
     • And additionally block all plugins:
         default-src *; script-src; object-src 'none'
  7. CSP Directives
     default-src   Default policy for resources that have no specific policy
     script-src    Policy for script execution
     object-src    Policy for plugins
     style-src     Policy for stylesheets
     img-src       Policy for image files
     media-src     Policy for media files, e.g., <audio> and <video>
     frame-src     Policy for frame contents
     font-src      Policy for web fonts
     connect-src   Policy for asynchronous connections, e.g., XMLHttpRequest
  8. CSP Level 2 Directives
     base-uri         Policy for base[href]
     form-action      Policy for form[action]
     plugin-types     Policy for executable plugin MIME types
     referrer         Nearly identical to meta[name=referrer]
     frame-ancestors  Nearly identical to X-Frame-Options
     xss-protection   Nearly identical to X-XSS-Protection
     child-src        Policy for child contents, e.g., frames and workers
     sandbox          Sandbox that is applied to the document
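The syntax and directive slides above describe how a policy string is split into directives and how fetch directives without an explicit entry inherit default-src. The following is an added example, not code from the slides or from any browser: a small policy parser plus an allow/deny check with that fallback. Source matching is deliberately simplified (scheme+host only; nonces, hashes and 'unsafe-inline' are treated as non-URL sources), and code.jquery.com is assumed as the "jQuery CDN" host, which the slide does not name.

```python
# Added example (not from the AVTOKYO2014 slides): parse a Content-Security-Policy
# header and decide whether a resource load is allowed, applying the default-src
# fallback for fetch directives that have no policy of their own.
from urllib.parse import urlsplit

# Fetch directives that fall back to default-src when absent
FETCH_DIRECTIVES = {
    "script-src", "object-src", "style-src", "img-src", "media-src",
    "frame-src", "font-src", "connect-src", "child-src",
}


def parse_csp(header):
    """Parse 'a b c; d e' into {'a': ['b', 'c'], 'd': ['e']}.

    Directive names are case-insensitive; a repeated directive is ignored after
    its first occurrence, which is how browsers treat duplicates.
    """
    policy = {}
    for token in header.split(";"):
        parts = token.split()
        if not parts:
            continue
        name = parts[0].lower()
        if name in policy:
            continue
        policy[name] = parts[1:]
    return policy


def _origin(url):
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}".lower()


def _source_matches(source, resource_url, document_url):
    """Simplified source-expression matching (scheme + host only)."""
    source = source.lower()
    if source == "'none'":
        return False
    if source == "*":
        return True
    if source == "'self'":
        return _origin(resource_url) == _origin(document_url)
    if source.startswith("'"):
        # 'unsafe-inline', 'nonce-...', 'sha256-...': not URL sources
        return False
    # Host source such as https://code.jquery.com or code.jquery.com
    # (a bare host inherits the document's scheme in this simplification)
    if "://" not in source:
        source = urlsplit(document_url).scheme + "://" + source
    return _origin(resource_url) == _origin(source)


def is_allowed(policy, directive, resource_url, document_url):
    """Return True if resource_url may load under `directive`.

    Absent fetch directive -> fall back to default-src; if that is absent too,
    CSP imposes no restriction. An empty source list (e.g. "script-src;")
    behaves like 'none'.
    """
    sources = policy.get(directive)
    if sources is None and directive in FETCH_DIRECTIVES:
        sources = policy.get("default-src")
    if sources is None:
        return True
    return any(_source_matches(s, resource_url, document_url) for s in sources)


if __name__ == "__main__":
    # Assumed CDN host for the slide's second and third examples
    header = "default-src *; script-src https://code.jquery.com; object-src 'none'"
    policy = parse_csp(header)
    page = "https://example.com/"
    print(is_allowed(policy, "script-src", "https://code.jquery.com/jquery.js", page))
    print(is_allowed(policy, "script-src", "https://other.example/x.js", page))
    print(is_allowed(policy, "object-src", "https://example.com/movie.swf", page))
```

Running the block prints True, False, False for the three checks: the CDN script is allowed by script-src, another host is rejected, and the plugin is blocked by object-src 'none' even though default-src is *.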
  9. Violation Report
     • If 'report-uri' is set in the CSP, the browser reports violations of the policy, including attack attempts, to the webmaster:
         script-src 'self'; report-uri report.php
     • A report includes some details of the violation, from which the webmaster can find its cause:
         {"csp-report":{
           "original-policy":"script-src 'self'; report-uri report.php",
           "script-sample":"alert(1);",
           "source-file":""
         }}
  10. Abusing the CSP Violation Report
     • Some fields of a report can contain HTML tags, which a console may display without proper escaping
     • Also, with a proxy tool, an attacker can send malformed reports to the webmaster's console:
         {"csp-report":{
           "document-uri":"",
           "referrer":"",
           "blocked-uri":"data:text/html,<script>alert(1)</script>",
           "script-sample":"javascript:alert('<script>alert(1);</script>')"
         }}
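Slides 9 and 10 together make the defensive point: every field of a violation report is attacker-controlled text (and a report need not even come from a browser), so a report-uri console must validate and escape before it displays anything. The following is an added example, not code from the slides or from any CSP reporting product: a report endpoint's parsing and rendering logic, fed a constructed report modelled on the slide's malicious sample (the document-uri value is a placeholder).

```python
# Added example (not from the AVTOKYO2014 slides): safe handling of a CSP
# violation report at a report-uri endpoint. Only whitelisted fields are kept,
# sizes are capped, and every value is HTML-escaped before it reaches a console.
import json
from html import escape

# Fields the console displays; anything else in the report is dropped, never echoed
ALLOWED_FIELDS = (
    "document-uri", "referrer", "blocked-uri", "violated-directive",
    "original-policy", "source-file", "line-number", "script-sample",
)
MAX_FIELD_LEN = 1024
MAX_BODY_LEN = 64 * 1024


class BadReport(ValueError):
    """Raised for reports that are malformed, oversized or of the wrong shape."""


def parse_report(body):
    """Return a dict of allowed, size-capped string fields from a JSON report
    of the form {"csp-report": {...}}. Raises BadReport on malformed input."""
    if len(body) > MAX_BODY_LEN:
        raise BadReport("report too large")
    try:
        data = json.loads(body)
    except ValueError as e:
        raise BadReport("not JSON") from e
    if not isinstance(data, dict) or not isinstance(data.get("csp-report"), dict):
        raise BadReport("missing csp-report object")
    report = data["csp-report"]
    cleaned = {}
    for key in ALLOWED_FIELDS:
        if key in report:
            value = report[key]
            if isinstance(value, (int, float)):  # line-number etc. arrive as numbers
                value = str(value)
            if not isinstance(value, str):
                raise BadReport(f"field {key} must be a string")
            cleaned[key] = value[:MAX_FIELD_LEN]
    return cleaned


def render_row(cleaned):
    """Render one report as an HTML table row. Every value is escaped, so a
    payload like <script>alert(1)</script> is shown as text, not executed."""
    cells = "".join(
        f"<td>{escape(cleaned.get(k, ''), quote=True)}</td>" for k in ALLOWED_FIELDS
    )
    return f"<tr>{cells}</tr>"


# Constructed sample modelled on the slide's malicious report (document-uri is a placeholder)
MALICIOUS_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://example.invalid/",
    "referrer": "",
    "blocked-uri": "data:text/html,<script>alert(1)</script>",
    "script-sample": "javascript:alert('<script>alert(1);</script>')",
}})


if __name__ == "__main__":
    row = render_row(parse_report(MALICIOUS_REPORT))
    print(row)
    print("raw <script> present:", "<script>" in row)
```

The two checks a practitioner wants are both visible here: the rendered row contains the payload only in its escaped form, and a report body that is not JSON, has no csp-report object, or carries a non-string field is rejected rather than stored.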
  11. DEMO