SlideShare a Scribd company logo

Content Security Policies: Let's Break Stuff @ PHP South Coast 2017

Matt Brunt
Matt Brunt

Content Security Policies are another tool we should have in our security toolbelt to help protect users of our sites. In this session I’ll cover what they are, why they’re needed, how they work and the limitations on what they can & cannot do to protect users. I’ll demo attacks a CSP will block, break things, show what the different CSP directives & options will do and introduce some of the tools available to help with implementing a CSP on your sites!

Technology
1 of 57
Download to read offline
@BruntyCSP: Let’s Break Stuff CONTENT SECURITY POLICIES LET’S BREAK STUFF
@BruntyCSP: Let’s Break Stuff BECAUSE YOU ALL TOTALLY CARE ABOUT THIS, RIGHT?! ABOUT ME ▸ Senior Software Engineer at Viva IT
 (that group in orange hoodies at some conferences & events) ▸ @Brunty ▸ @PHPem ▸ mfyu.co.uk ▸ matt@mfyu.co.uk
@BruntyCSP: Let’s Break Stuff BECAUSE YOU ALL TOTALLY CARE ABOUT THIS, RIGHT?! THINGS I DO ▸ Dungeon master for D&D campaigns with friends ▸ Mentor, lead & teach apprentices and junior developers ▸ Run & organise PHP East Midlands ▸ Speak at user groups and conferences ▸ Break production sites with incorrectly configured content security policies
@BruntyCSP: Let’s Break Stuff WHY DO WE NEED A CSP?
@BruntyCSP: Let’s Break Stuff FIRST, SOME BACKGROUND WHAT IS CROSS-SITE-SCRIPTING (XSS)? ▸ XSS enables an attacker to inject client-side scripts into non-malicious web pages viewed by other users ▸ In 2016 there was a 61% likelihood of a browser-based vulnerability being found in a web application ▸ Of those browser based vulnerabilities, 86% were found to be XSS related ▸ That’s just over 52% of all web application vulnerabilities
 https://www.edgescan.com/assets/docs/reports/2016-edgescan-stats-report.pdf
@BruntyCSP: Let’s Break Stuff FIRST, SOME BACKGROUND WHAT CAN BE DONE WITH XSS? ▸ Things a site owner can do in JS can be done in an XSS attack ▸ Make modifications to the DOM (you could replace an entire page and control data going in/out) ▸ Use XMLHttpRequest to send HTTP requests ▸ Access HTML5 APIs - webcam, microphone, geolocation ▸ Steal cookies (and therefore steal session cookies)
@BruntyCSP: Let’s Break Stuff
@BruntyCSP: Let’s Break Stuff FIRST, SOME BACKGROUND WELL KNOWN XSS ATTACKS ▸ Twitter self-retweeting tweet
 https://www.youtube.com/watch?v=zv0kZKC6GAM ▸ Samy worm
 https://en.wikipedia.org/wiki/Samy_(computer_worm) ▸ Facebook XSS attacks
 http://theharmonyguy.com/oldsite/2011/04/21/recent-facebook-xss-attacks-show-increasing- sophistication/ ▸ And so many more…
@BruntyCSP: Let’s Break Stuff TYPES OF XSS ATTACK STORED XSS (AKA PERSISTENT OR TYPE I) ▸ Occurs when input is stored - generally in a server-side database, but not always ▸ This could also be within a HTML5 database, thus never being sent to the server at all ▸ who.is was a site Rickrolled by a TXT record in the DNS of a website (yes, really)
@BruntyCSP: Let’s Break Stuff TYPES OF XSS ATTACK REFLECTED XSS (AKA NON-PERSISTENT OR TYPE II) ▸ Occurs when user input provided in the request is immediately returned - such as in an error message, search string etc ▸ Data is not stored, and in some instances, may not even reach the server (see the next type of XSS)
@BruntyCSP: Let’s Break Stuff TYPES OF XSS ATTACK DOM-BASED XSS (AKA TYPE-0) ▸ The entire flow of the attack takes place within the browser ▸ For example, if JavaScript in the site takes input, and uses something like document.write based on that input, it can be vulnerable to a DOM-based XSS attack
@BruntyCSP: Let’s Break Stuff TYPES OF XSS ATTACK SELF XSS ▸ Social-engineering form of XSS ▸ Requires the user to execute code in the browser ▸ Doing so via the console can’t be protected by a lot of methods ▸ Not considered a ‘true’ XSS attack due to requiring the user to execute the code
@BruntyCSP: Let’s Break Stuff
@BruntyCSP: Let’s Break Stuff console.log("%cStop!", "font: 5em sans-serif; font-weight: bold; color: red;");
@BruntyCSP: Let’s Break Stuff STOP THE HACKERS LET’S FIGHT BACK
@BruntyCSP: Let’s Break Stuff HTTP RESPONSE HEADER TO HELP REDUCE XSS RISKS WHAT IS A CSP?
@BruntyCSP: Let’s Break Stuff DECLARES WHAT RESOURCES ARE ALLOWED TO LOAD HOW DOES A CSP WORK?
@BruntyCSP: Let’s Break Stuff WHAT CAN WE PROTECT?
@BruntyCSP: Let’s Break Stuff DEFAULT-SRC
@BruntyCSP: Let’s Break Stuff SCRIPT-SRC
@BruntyCSP: Let’s Break Stuff STYLE-SRC
@BruntyCSP: Let’s Break Stuff UPGRADE- INSECURE-REQUESTS
@BruntyCSP: Let’s Break Stuff FORM-ACTION
@BruntyCSP: Let’s Break Stuff WORKER-SRC
 BASE-URI
 PLUGIN-TYPES
 SANDBOX
 FRAME-ANCESTORS
 CONNECT-SRC
 CHILD-SRC
 AND MANY MORE…
@BruntyCSP: Let’s Break Stuff FULL REFERENCE:https://content-security-policy.com
 https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
@BruntyCSP: Let’s Break Stuff A FEW EXAMPLES OF DIRECTIVES
@BruntyCSP: Let’s Break Stuff IMG-SRC * WILDCARD, ALLOWS ANY URL EXCEPT DATA: BLOB: FILESYSTEM: SCHEMES.
@BruntyCSP: Let’s Break Stuff OBJECT-SRC 'NONE' DON’T LOAD RESOURCES FROM ANY SOURCE
@BruntyCSP: Let’s Break Stuff STYLE-SRC ‘SELF' ALLOW LOADING FROM SAME ORIGIN (SAME SCHEME, HOST AND PORT)
@BruntyCSP: Let’s Break Stuff SCRIPT-SRC 'UNSAFE-INLINE' ALLOWS USE OF INLINE SOURCE ELEMENTS SUCH AS STYLE ATTRIBUTE, ONCLICK, OR SCRIPT TAG BODIES
@BruntyCSP: Let’s Break Stuff DON’T USE UNSAFE-INLINE
@BruntyCSP: Let’s Break Stuff <script nonce="$RANDOM">...</script> script-src 'self' 'nonce-$RANDOM'
@BruntyCSP: Let’s Break Stuff Content-Security-Policy: default-src: 'none'; script-src 'self' https://*.google.com 'nonce- pahsbdlensudsmslnaf7adn'; style-src ‘self'; img-src: 'self'; upgrade-insecure-requests; form-action ‘http:// mysite.com'; report-uri https://mfyu.report-uri.io/r/ default/csp/reportOnly;
@BruntyCSP: Let’s Break Stuff I BROKE PRODUCTION WITH A BAD CSP LEARN FROM MY MISTAKES
@BruntyCSP: Let’s Break Stuff DON’T DO WHAT I DID
@BruntyCSP: Let’s Break Stuff IMPLEMENTATION ADVICE
@BruntyCSP: Let’s Break Stuff REPORT-URI
@BruntyCSP: Let’s Break Stuff WHEN A POLICY FAILURE OCCURS, THE BROWSER SENDS A JSON PAYLOAD TO THAT URL
@BruntyCSP: Let’s Break Stuff { "csp-report": { "blocked-uri": "self", "document-uri": "https://mysite.com", "line-number": 1, "original-policy": "script-src 'self'", "script-sample": "try { for(var lastpass_iter=0; lastpass...", "source-file": "https://mysite.com", "violated-directive": "script-src 'self'" } }
@BruntyCSP: Let’s Break Stuff REPORT-URI.IO
@BruntyCSP: Let’s Break Stuff REPORT-ONLY
@BruntyCSP: Let’s Break Stuff Content-Security-Policy-Report-Only: script-src 'self' https://*.google.com; style-src 'self'; report-uri https://mfyu.report-uri.io/r/default/csp/reportOnly;
@BruntyCSP: Let’s Break Stuff USE REPORT-ONLY
@BruntyCSP: Let’s Break Stuff TRIAL STUFF BEFORE ENFORCING
@BruntyCSP: Let’s Break Stuff LOVE REPORT-ONLY
@BruntyCSP: Let’s Break Stuff BUT THERE WILL BE NOISE, LOTS OF NOISE
@BruntyCSP: Let’s Break Stuff HATE REPORT-ONLY
@BruntyCSP: Let’s Break Stuff WAYS TO REMOVE BARRIERS IN DEVELOPMENT NONCES ▸ Don’t generate multiple nonces in the same request (but do generate a new nonce on each separate request) ▸ If using a templating engine (such as twig) - add the nonce as a global so it’s available in every template by default ▸ Write a helper to generate tags with a nonce if it’s available
@BruntyCSP: Let’s Break Stuff WAYS TO MAKE DEALING WITH A CSP EASIER TIPS ▸ Have an easy and quick way to disable the CSP in production if required ▸ Better yet, have a way to switch it from enforced to report only so you can get violations reported to help you debug ▸ Add the CSP at an application level if you need a nonce - be careful with doing it at a vhost config level (as changes require web server config reload)
@BruntyCSP: Let’s Break Stuff BROWSER SUPPORT
@BruntyCSP: Let’s Break Stuff
@BruntyCSP: Let’s Break Stuff DEMO
@BruntyCSP: Let’s Break Stuff @SCOTT_HELME (HE KNOWS HIS STUFF!) (THIS ISN’T ME)
@BruntyCSP: Let’s Break Stuff HOMEWORK TIME! LINKS & FURTHER READING ▸ https://www.owasp.org/index.php/Cross-site_Scripting_(XSS) ▸ https://content-security-policy.com ▸ https://report-uri.io ▸ https://scotthelme.co.uk/just-how-much-traffic-can-you-generate-using-csp/ ▸ https://www.edgescan.com/assets/docs/reports/2016-edgescan-stats-report.pdf ▸ http://theharmonyguy.com/oldsite/2011/04/21/recent-facebook-xss-attacks-show- increasing-sophistication/ ▸ https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy ▸ https://github.com/Brunty/csp-demo
@BruntyCSP: Let’s Break Stuff THANK YOU
@BruntyCSP: Let’s Break Stuff HTTPS://JOIND.IN/TALK/E45C8
@BruntyCSP: Let’s Break Stuff QUESTIONS? @BRUNTY @PHPEM MFYU.CO.UK MATT@MFYU.CO.UK

Recommended

Content Security Policies: Let's Break Stuff
Content Security Policies: Let's Break StuffContent Security Policies: Let's Break Stuff
Content Security Policies: Let's Break Stuff
Matt Brunt
 
Content Security Policies: Let's Break Stuff @ Scotland PHP
Content Security Policies: Let's Break Stuff @ Scotland PHPContent Security Policies: Let's Break Stuff @ Scotland PHP
Content Security Policies: Let's Break Stuff @ Scotland PHP
Matt Brunt
 
Content Security Policies: Let's Break Stuff for PHPSW at Bath Digital
Content Security Policies: Let's Break Stuff for PHPSW at Bath DigitalContent Security Policies: Let's Break Stuff for PHPSW at Bath Digital
Content Security Policies: Let's Break Stuff for PHPSW at Bath Digital
Matt Brunt
 
Content Security Policies: Let's Break Stuff @ PHP London, Sept 2017
Content Security Policies: Let's Break Stuff @ PHP London, Sept 2017Content Security Policies: Let's Break Stuff @ PHP London, Sept 2017
Content Security Policies: Let's Break Stuff @ PHP London, Sept 2017
Matt Brunt
 
CSPs: Let's Break Stuff for PHP Benelux
CSPs: Let's Break Stuff for PHP BeneluxCSPs: Let's Break Stuff for PHP Benelux
CSPs: Let's Break Stuff for PHP Benelux
Matt Brunt
 
Content Security Policies: Let's Break Stuff for WordCamp London
Content Security Policies: Let's Break Stuff for WordCamp LondonContent Security Policies: Let's Break Stuff for WordCamp London
Content Security Policies: Let's Break Stuff for WordCamp London
Matt Brunt
 
XSS (Cross Site Scripting)
XSS (Cross Site Scripting)XSS (Cross Site Scripting)
XSS (Cross Site Scripting)
Shubham Gupta
 
Word camp pune 2013 security
Word camp pune 2013 securityWord camp pune 2013 security
Word camp pune 2013 security
Gaurav Singh
 

Recommended

Content Security Policies: Let's Break Stuff
Content Security Policies: Let's Break StuffContent Security Policies: Let's Break Stuff
Content Security Policies: Let's Break Stuff
Matt Brunt
 
Content Security Policies: Let's Break Stuff @ Scotland PHP
Content Security Policies: Let's Break Stuff @ Scotland PHPContent Security Policies: Let's Break Stuff @ Scotland PHP
Content Security Policies: Let's Break Stuff @ Scotland PHP
Matt Brunt
 
Content Security Policies: Let's Break Stuff for PHPSW at Bath Digital
Content Security Policies: Let's Break Stuff for PHPSW at Bath DigitalContent Security Policies: Let's Break Stuff for PHPSW at Bath Digital
Content Security Policies: Let's Break Stuff for PHPSW at Bath Digital
Matt Brunt
 
Content Security Policies: Let's Break Stuff @ PHP London, Sept 2017
Content Security Policies: Let's Break Stuff @ PHP London, Sept 2017Content Security Policies: Let's Break Stuff @ PHP London, Sept 2017
Content Security Policies: Let's Break Stuff @ PHP London, Sept 2017
Matt Brunt
 
CSPs: Let's Break Stuff for PHP Benelux
CSPs: Let's Break Stuff for PHP BeneluxCSPs: Let's Break Stuff for PHP Benelux
CSPs: Let's Break Stuff for PHP Benelux
Matt Brunt
 
Content Security Policies: Let's Break Stuff for WordCamp London
Content Security Policies: Let's Break Stuff for WordCamp LondonContent Security Policies: Let's Break Stuff for WordCamp London
Content Security Policies: Let's Break Stuff for WordCamp London
Matt Brunt
 
XSS (Cross Site Scripting)
XSS (Cross Site Scripting)XSS (Cross Site Scripting)
XSS (Cross Site Scripting)
Shubham Gupta
 
Word camp pune 2013 security
Word camp pune 2013 securityWord camp pune 2013 security
Word camp pune 2013 security
Gaurav Singh
 
DrupalCamp London 2017 - Web site insecurity
DrupalCamp London 2017 - Web site insecurity DrupalCamp London 2017 - Web site insecurity
DrupalCamp London 2017 - Web site insecurity
George Boobyer
 
Prototyping: Helping to take away the suck
Prototyping: Helping to take away the suckPrototyping: Helping to take away the suck
Prototyping: Helping to take away the suck
Harvard Web Working Group
 
Smart mobile storytelling christy robinson - denver news train - april 11-1...
Smart mobile storytelling christy robinson - denver news train - april 11-1...Smart mobile storytelling christy robinson - denver news train - april 11-1...
Smart mobile storytelling christy robinson - denver news train - april 11-1...
News Leaders Association's NewsTrain
 
Building Better Responsive Websites
Building Better Responsive WebsitesBuilding Better Responsive Websites
Building Better Responsive Websites
Holger Bartel
 
Chaos Driven Development (Bruce Wong)
Chaos Driven Development (Bruce Wong)Chaos Driven Development (Bruce Wong)
Chaos Driven Development (Bruce Wong)
Future Insights
 
Chaos Driven Development
Chaos Driven DevelopmentChaos Driven Development
Chaos Driven Development
Bruce Wong
 
Skynet vs planet of apes
Skynet vs planet of apesSkynet vs planet of apes
Skynet vs planet of apes
Adrien Blind
 
Protecting Web App users in today’s hostile environment
Protecting Web App users in today’s hostile environmentProtecting Web App users in today’s hostile environment
Protecting Web App users in today’s hostile environment
ajitdhumale
 
Christopher Guess presents Push
Christopher Guess presents PushChristopher Guess presents Push
Christopher Guess presents Push
Reynolds Journalism Institute (RJI)
 
Content wants to be free (from projects) - J.boye Aarhus 2015
Content wants to be free (from projects) - J.boye Aarhus 2015Content wants to be free (from projects) - J.boye Aarhus 2015
Content wants to be free (from projects) - J.boye Aarhus 2015
Rasmus Skjoldan
 
Enhance system transparency and truthfulness with request tracing
Enhance system transparency and truthfulness with request tracingEnhance system transparency and truthfulness with request tracing
Enhance system transparency and truthfulness with request tracing
Sam Keen
 
Happy Browser, Happy User! WordSesh 2019
Happy Browser, Happy User! WordSesh 2019Happy Browser, Happy User! WordSesh 2019
Happy Browser, Happy User! WordSesh 2019
Katie Sylor-Miller
 
Tsc summit #2 - HTTP Header Security
Tsc summit #2 - HTTP Header SecurityTsc summit #2 - HTTP Header Security
Tsc summit #2 - HTTP Header Security
Mikal Villa
 
DVC202_The Open Guide to AWS
DVC202_The Open Guide to AWSDVC202_The Open Guide to AWS
DVC202_The Open Guide to AWS
Amazon Web Services
 
Programming for non-programmers
Programming for non-programmersProgramming for non-programmers
Programming for non-programmersPancho Goldaracena
 
Beyond Mirai: The new age of MDDoS attacks
Beyond Mirai: The new age of MDDoS attacksBeyond Mirai: The new age of MDDoS attacks
Beyond Mirai: The new age of MDDoS attacks
APNIC
 
Browser Wars 2019 - Implementing a Content Security Policy
Browser Wars 2019 - Implementing a Content Security PolicyBrowser Wars 2019 - Implementing a Content Security Policy
Browser Wars 2019 - Implementing a Content Security Policy
George Boobyer
 
How Chunky Do You Need To Be?: Adaptive Content Strategies For The Real World
How Chunky Do You Need To Be?: Adaptive Content Strategies For The Real WorldHow Chunky Do You Need To Be?: Adaptive Content Strategies For The Real World
How Chunky Do You Need To Be?: Adaptive Content Strategies For The Real World
Christopher Grant Ward
 
Building a Modern Security Engineering Organization. Zane Lackey
Building a Modern Security Engineering Organization. Zane Lackey Building a Modern Security Engineering Organization. Zane Lackey
Building a Modern Security Engineering Organization. Zane Lackey
Yandex
 
20160816 amlight popbahia_rnp_ansp
20160816 amlight popbahia_rnp_ansp20160816 amlight popbahia_rnp_ansp
20160816 amlight popbahia_rnp_ansp
University of Twente
 
BDD & Behat for PHPUK
BDD & Behat for PHPUKBDD & Behat for PHPUK
BDD & Behat for PHPUK
Matt Brunt
 
BDD & Behat for PHPNE
BDD & Behat for PHPNEBDD & Behat for PHPNE
BDD & Behat for PHPNE
Matt Brunt
 

More Related Content

Similar to Content Security Policies: Let's Break Stuff @ PHP South Coast 2017

DrupalCamp London 2017 - Web site insecurity
DrupalCamp London 2017 - Web site insecurity DrupalCamp London 2017 - Web site insecurity
DrupalCamp London 2017 - Web site insecurity
George Boobyer
 
Prototyping: Helping to take away the suck
Prototyping: Helping to take away the suckPrototyping: Helping to take away the suck
Prototyping: Helping to take away the suck
Harvard Web Working Group
 
Smart mobile storytelling christy robinson - denver news train - april 11-1...
Smart mobile storytelling christy robinson - denver news train - april 11-1...Smart mobile storytelling christy robinson - denver news train - april 11-1...
Smart mobile storytelling christy robinson - denver news train - april 11-1...
News Leaders Association's NewsTrain
 
Building Better Responsive Websites
Building Better Responsive WebsitesBuilding Better Responsive Websites
Building Better Responsive Websites
Holger Bartel
 
Chaos Driven Development (Bruce Wong)
Chaos Driven Development (Bruce Wong)Chaos Driven Development (Bruce Wong)
Chaos Driven Development (Bruce Wong)
Future Insights
 
Chaos Driven Development
Chaos Driven DevelopmentChaos Driven Development
Chaos Driven Development
Bruce Wong
 
Skynet vs planet of apes
Skynet vs planet of apesSkynet vs planet of apes
Skynet vs planet of apes
Adrien Blind
 
Protecting Web App users in today’s hostile environment
Protecting Web App users in today’s hostile environmentProtecting Web App users in today’s hostile environment
Protecting Web App users in today’s hostile environment
ajitdhumale
 
Christopher Guess presents Push
Christopher Guess presents PushChristopher Guess presents Push
Christopher Guess presents Push
Reynolds Journalism Institute (RJI)
 
Content wants to be free (from projects) - J.boye Aarhus 2015
Content wants to be free (from projects) - J.boye Aarhus 2015Content wants to be free (from projects) - J.boye Aarhus 2015
Content wants to be free (from projects) - J.boye Aarhus 2015
Rasmus Skjoldan
 
Enhance system transparency and truthfulness with request tracing
Enhance system transparency and truthfulness with request tracingEnhance system transparency and truthfulness with request tracing
Enhance system transparency and truthfulness with request tracing
Sam Keen
 
Happy Browser, Happy User! WordSesh 2019
Happy Browser, Happy User! WordSesh 2019Happy Browser, Happy User! WordSesh 2019
Happy Browser, Happy User! WordSesh 2019
Katie Sylor-Miller
 
Tsc summit #2 - HTTP Header Security
Tsc summit #2 - HTTP Header SecurityTsc summit #2 - HTTP Header Security
Tsc summit #2 - HTTP Header Security
Mikal Villa
 
DVC202_The Open Guide to AWS
DVC202_The Open Guide to AWSDVC202_The Open Guide to AWS
DVC202_The Open Guide to AWS
Amazon Web Services
 
Programming for non-programmers
Programming for non-programmersProgramming for non-programmers
Programming for non-programmersPancho Goldaracena
 
Beyond Mirai: The new age of MDDoS attacks
Beyond Mirai: The new age of MDDoS attacksBeyond Mirai: The new age of MDDoS attacks
Beyond Mirai: The new age of MDDoS attacks
APNIC
 
Browser Wars 2019 - Implementing a Content Security Policy
Browser Wars 2019 - Implementing a Content Security PolicyBrowser Wars 2019 - Implementing a Content Security Policy
Browser Wars 2019 - Implementing a Content Security Policy
George Boobyer
 
How Chunky Do You Need To Be?: Adaptive Content Strategies For The Real World
How Chunky Do You Need To Be?: Adaptive Content Strategies For The Real WorldHow Chunky Do You Need To Be?: Adaptive Content Strategies For The Real World
How Chunky Do You Need To Be?: Adaptive Content Strategies For The Real World
Christopher Grant Ward
 
Building a Modern Security Engineering Organization. Zane Lackey
Building a Modern Security Engineering Organization. Zane Lackey Building a Modern Security Engineering Organization. Zane Lackey
Building a Modern Security Engineering Organization. Zane Lackey
Yandex
 
20160816 amlight popbahia_rnp_ansp
20160816 amlight popbahia_rnp_ansp20160816 amlight popbahia_rnp_ansp
20160816 amlight popbahia_rnp_ansp
University of Twente
 

Similar to Content Security Policies: Let's Break Stuff @ PHP South Coast 2017 (20)

DrupalCamp London 2017 - Web site insecurity
DrupalCamp London 2017 - Web site insecurity DrupalCamp London 2017 - Web site insecurity
DrupalCamp London 2017 - Web site insecurity
 
Prototyping: Helping to take away the suck
Prototyping: Helping to take away the suckPrototyping: Helping to take away the suck
Prototyping: Helping to take away the suck
 
Smart mobile storytelling christy robinson - denver news train - april 11-1...
Smart mobile storytelling christy robinson - denver news train - april 11-1...Smart mobile storytelling christy robinson - denver news train - april 11-1...
Smart mobile storytelling christy robinson - denver news train - april 11-1...
 
Building Better Responsive Websites
Building Better Responsive WebsitesBuilding Better Responsive Websites
Building Better Responsive Websites
 
Chaos Driven Development (Bruce Wong)
Chaos Driven Development (Bruce Wong)Chaos Driven Development (Bruce Wong)
Chaos Driven Development (Bruce Wong)
 
Chaos Driven Development
Chaos Driven DevelopmentChaos Driven Development
Chaos Driven Development
 
Skynet vs planet of apes
Skynet vs planet of apesSkynet vs planet of apes
Skynet vs planet of apes
 
Protecting Web App users in today’s hostile environment
Protecting Web App users in today’s hostile environmentProtecting Web App users in today’s hostile environment
Protecting Web App users in today’s hostile environment
 
Christopher Guess presents Push
Christopher Guess presents PushChristopher Guess presents Push
Christopher Guess presents Push
 
Content wants to be free (from projects) - J.boye Aarhus 2015
Content wants to be free (from projects) - J.boye Aarhus 2015Content wants to be free (from projects) - J.boye Aarhus 2015
Content wants to be free (from projects) - J.boye Aarhus 2015
 
Enhance system transparency and truthfulness with request tracing
Enhance system transparency and truthfulness with request tracingEnhance system transparency and truthfulness with request tracing
Enhance system transparency and truthfulness with request tracing
 
Happy Browser, Happy User! WordSesh 2019
Happy Browser, Happy User! WordSesh 2019Happy Browser, Happy User! WordSesh 2019
Happy Browser, Happy User! WordSesh 2019
 
Tsc summit #2 - HTTP Header Security
Tsc summit #2 - HTTP Header SecurityTsc summit #2 - HTTP Header Security
Tsc summit #2 - HTTP Header Security
 
DVC202_The Open Guide to AWS
DVC202_The Open Guide to AWSDVC202_The Open Guide to AWS
DVC202_The Open Guide to AWS
 
Programming for non-programmers
Programming for non-programmersProgramming for non-programmers
Programming for non-programmers
 
Beyond Mirai: The new age of MDDoS attacks
Beyond Mirai: The new age of MDDoS attacksBeyond Mirai: The new age of MDDoS attacks
Beyond Mirai: The new age of MDDoS attacks
 
Browser Wars 2019 - Implementing a Content Security Policy
Browser Wars 2019 - Implementing a Content Security PolicyBrowser Wars 2019 - Implementing a Content Security Policy
Browser Wars 2019 - Implementing a Content Security Policy
 
How Chunky Do You Need To Be?: Adaptive Content Strategies For The Real World
How Chunky Do You Need To Be?: Adaptive Content Strategies For The Real WorldHow Chunky Do You Need To Be?: Adaptive Content Strategies For The Real World
How Chunky Do You Need To Be?: Adaptive Content Strategies For The Real World
 
Building a Modern Security Engineering Organization. Zane Lackey
Building a Modern Security Engineering Organization. Zane Lackey Building a Modern Security Engineering Organization. Zane Lackey
Building a Modern Security Engineering Organization. Zane Lackey
 
20160816 amlight popbahia_rnp_ansp
20160816 amlight popbahia_rnp_ansp20160816 amlight popbahia_rnp_ansp
20160816 amlight popbahia_rnp_ansp
 

More from Matt Brunt

BDD & Behat for PHPUK
BDD & Behat for PHPUKBDD & Behat for PHPUK
BDD & Behat for PHPUK
Matt Brunt
 
BDD & Behat for PHPNE
BDD & Behat for PHPNEBDD & Behat for PHPNE
BDD & Behat for PHPNE
Matt Brunt
 
BDD & Behat for Glasgow PHP
BDD & Behat for Glasgow PHPBDD & Behat for Glasgow PHP
BDD & Behat for Glasgow PHP
Matt Brunt
 
BDD & Behat
BDD & BehatBDD & Behat
BDD & Behat
Matt Brunt
 
BDD & Behat for Srijan Technologies
BDD & Behat for Srijan TechnologiesBDD & Behat for Srijan Technologies
BDD & Behat for Srijan Technologies
Matt Brunt
 
CSP - What? Why? How? PHPNW16
CSP - What? Why? How? PHPNW16CSP - What? Why? How? PHPNW16
CSP - What? Why? How? PHPNW16
Matt Brunt
 
PHPNW16 Matt Brunt - BDD & Behat
PHPNW16 Matt Brunt - BDD & BehatPHPNW16 Matt Brunt - BDD & Behat
PHPNW16 Matt Brunt - BDD & Behat
Matt Brunt
 
BDD - telling stories through code for PHPem
BDD - telling stories through code for PHPemBDD - telling stories through code for PHPem
BDD - telling stories through code for PHPem
Matt Brunt
 
BDD: Telling stories through code [For TechNotts]
BDD: Telling stories through code [For TechNotts]BDD: Telling stories through code [For TechNotts]
BDD: Telling stories through code [For TechNotts]
Matt Brunt
 

More from Matt Brunt (10)

BDD & Behat for PHPUK
BDD & Behat for PHPUKBDD & Behat for PHPUK
BDD & Behat for PHPUK
 
BDD & Behat for PHPNE
BDD & Behat for PHPNEBDD & Behat for PHPNE
BDD & Behat for PHPNE
 
BDD & Behat for Glasgow PHP
BDD & Behat for Glasgow PHPBDD & Behat for Glasgow PHP
BDD & Behat for Glasgow PHP
 
BDD & Behat
BDD & BehatBDD & Behat
BDD & Behat
 
BDD & Behat for Srijan Technologies
BDD & Behat for Srijan TechnologiesBDD & Behat for Srijan Technologies
BDD & Behat for Srijan Technologies
 
CSP - What? Why? How? PHPNW16
CSP - What? Why? How? PHPNW16CSP - What? Why? How? PHPNW16
CSP - What? Why? How? PHPNW16
 
PHPNW16 Matt Brunt - BDD & Behat
PHPNW16 Matt Brunt - BDD & BehatPHPNW16 Matt Brunt - BDD & Behat
PHPNW16 Matt Brunt - BDD & Behat
 
BDD - telling stories through code for PHPem
BDD - telling stories through code for PHPemBDD - telling stories through code for PHPem
BDD - telling stories through code for PHPem
 
BDD: Telling stories through code [For TechNotts]
BDD: Telling stories through code [For TechNotts]BDD: Telling stories through code [For TechNotts]
BDD: Telling stories through code [For TechNotts]
 
Intro to Gulp
Intro to GulpIntro to Gulp
Intro to Gulp
 

Recently uploaded

Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
Paul Groth
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
Product School
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
RTTS
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Product School
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
Ralf Eggert
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
Bhaskar Mitra
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
OnBoard
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Product School
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
Abida Shariff
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Jeffrey Haguewood
 

Recently uploaded (20)

Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 

Content Security Policies: Let's Break Stuff @ PHP South Coast 2017

  • 1. @BruntyCSP: Let’s Break Stuff CONTENT SECURITY POLICIES LET’S BREAK STUFF
  • 2. @BruntyCSP: Let’s Break Stuff BECAUSE YOU ALL TOTALLY CARE ABOUT THIS, RIGHT?! ABOUT ME ▸ Senior Software Engineer at Viva IT
 (that group in orange hoodies at some conferences & events) ▸ @Brunty ▸ @PHPem ▸ mfyu.co.uk ▸ matt@mfyu.co.uk
  • 3. @BruntyCSP: Let’s Break Stuff BECAUSE YOU ALL TOTALLY CARE ABOUT THIS, RIGHT?! THINGS I DO ▸ Dungeon master for D&D campaigns with friends ▸ Mentor, lead & teach apprentices and junior developers ▸ Run & organise PHP East Midlands ▸ Speak at user groups and conferences ▸ Break production sites with incorrectly configured content security policies
  • 4. @BruntyCSP: Let’s Break Stuff WHY DO WE NEED A CSP?
  • 5. @BruntyCSP: Let’s Break Stuff FIRST, SOME BACKGROUND WHAT IS CROSS-SITE-SCRIPTING (XSS)? ▸ XSS enables an attacker to inject client-side scripts into non-malicious web pages viewed by other users ▸ In 2016 there was a 61% likelihood of a browser-based vulnerability being found in a web application ▸ Of those browser based vulnerabilities, 86% were found to be XSS related ▸ That’s just over 52% of all web application vulnerabilities
 https://www.edgescan.com/assets/docs/reports/2016-edgescan-stats-report.pdf
  • 6. @BruntyCSP: Let’s Break Stuff FIRST, SOME BACKGROUND WHAT CAN BE DONE WITH XSS? ▸ Things a site owner can do in JS can be done in an XSS attack ▸ Make modifications to the DOM (you could replace an entire page and control data going in/out) ▸ Use XMLHttpRequest to send HTTP requests ▸ Access HTML5 APIs - webcam, microphone, geolocation ▸ Steal cookies (and therefore steal session cookies)
  • 8. @BruntyCSP: Let’s Break Stuff FIRST, SOME BACKGROUND WELL KNOWN XSS ATTACKS ▸ Twitter self-retweeting tweet
 https://www.youtube.com/watch?v=zv0kZKC6GAM ▸ Samy worm
 https://en.wikipedia.org/wiki/Samy_(computer_worm) ▸ Facebook XSS attacks
 http://theharmonyguy.com/oldsite/2011/04/21/recent-facebook-xss-attacks-show-increasing- sophistication/ ▸ And so many more…
  • 9. @BruntyCSP: Let’s Break Stuff TYPES OF XSS ATTACK STORED XSS (AKA PERSISTENT OR TYPE I) ▸ Occurs when input is stored - generally in a server-side database, but not always ▸ This could also be within a HTML5 database, thus never being sent to the server at all ▸ who.is was a site Rickrolled by a TXT record in the DNS of a website (yes, really)
  • 10. @BruntyCSP: Let’s Break Stuff TYPES OF XSS ATTACK REFLECTED XSS (AKA NON-PERSISTENT OR TYPE II) ▸ Occurs when user input provided in the request is immediately returned - such as in an error message, search string etc ▸ Data is not stored, and in some instances, may not even reach the server (see the next type of XSS)
  • 11. @BruntyCSP: Let’s Break Stuff TYPES OF XSS ATTACK DOM-BASED XSS (AKA TYPE-0) ▸ The entire flow of the attack takes place within the browser ▸ For example, if JavaScript in the site takes input, and uses something like document.write based on that input, it can be vulnerable to a DOM-based XSS attack
  • 12. @BruntyCSP: Let’s Break Stuff TYPES OF XSS ATTACK SELF XSS ▸ Social-engineering form of XSS ▸ Requires the user to execute code in the browser ▸ Doing so via the console can’t be protected by a lot of methods ▸ Not considered a ‘true’ XSS attack due to requiring the user to execute the code
  • 14. @BruntyCSP: Let’s Break Stuff console.log("%cStop!", "font: 5em sans-serif; font-weight: bold; color: red;");
  • 15. @BruntyCSP: Let’s Break Stuff STOP THE HACKERS LET’S FIGHT BACK
  • 16. @BruntyCSP: Let’s Break Stuff HTTP RESPONSE HEADER TO HELP REDUCE XSS RISKS WHAT IS A CSP?
  • 17. @BruntyCSP: Let’s Break Stuff DECLARES WHAT RESOURCES ARE ALLOWED TO LOAD HOW DOES A CSP WORK?
  • 18. @BruntyCSP: Let’s Break Stuff WHAT CAN WE PROTECT?
  • 19. @BruntyCSP: Let’s Break Stuff DEFAULT-SRC
  • 20. @BruntyCSP: Let’s Break Stuff SCRIPT-SRC
  • 21. @BruntyCSP: Let’s Break Stuff STYLE-SRC
  • 22. @BruntyCSP: Let’s Break Stuff UPGRADE- INSECURE-REQUESTS
  • 23. @BruntyCSP: Let’s Break Stuff FORM-ACTION
  • 24. @BruntyCSP: Let’s Break Stuff WORKER-SRC
 BASE-URI
 PLUGIN-TYPES
 SANDBOX
 FRAME-ANCESTORS
 CONNECT-SRC
 CHILD-SRC
 AND MANY MORE…
  • 25. @BruntyCSP: Let’s Break Stuff FULL REFERENCE:https://content-security-policy.com
 https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
  • 26. @BruntyCSP: Let’s Break Stuff A FEW EXAMPLES OF DIRECTIVES
  • 27. @BruntyCSP: Let’s Break Stuff IMG-SRC * WILDCARD, ALLOWS ANY URL EXCEPT DATA: BLOB: FILESYSTEM: SCHEMES.
  • 28. @BruntyCSP: Let’s Break Stuff OBJECT-SRC 'NONE' DON’T LOAD RESOURCES FROM ANY SOURCE
  • 29. @BruntyCSP: Let’s Break Stuff STYLE-SRC ‘SELF' ALLOW LOADING FROM SAME ORIGIN (SAME SCHEME, HOST AND PORT)
  • 30. @BruntyCSP: Let’s Break Stuff SCRIPT-SRC 'UNSAFE-INLINE' ALLOWS USE OF INLINE SOURCE ELEMENTS SUCH AS STYLE ATTRIBUTE, ONCLICK, OR SCRIPT TAG BODIES
  • 31. @BruntyCSP: Let’s Break Stuff DON’T USE UNSAFE-INLINE
  • 32. @BruntyCSP: Let’s Break Stuff <script nonce="$RANDOM">...</script> script-src 'self' 'nonce-$RANDOM'
  • 33. @BruntyCSP: Let’s Break Stuff Content-Security-Policy: default-src: 'none'; script-src 'self' https://*.google.com 'nonce- pahsbdlensudsmslnaf7adn'; style-src ‘self'; img-src: 'self'; upgrade-insecure-requests; form-action ‘http:// mysite.com'; report-uri https://mfyu.report-uri.io/r/ default/csp/reportOnly;
  • 34. @BruntyCSP: Let’s Break Stuff I BROKE PRODUCTION WITH A BAD CSP LEARN FROM MY MISTAKES
  • 35. @BruntyCSP: Let’s Break Stuff DON’T DO WHAT I DID
  • 36. @BruntyCSP: Let’s Break Stuff IMPLEMENTATION ADVICE
  • 37. @BruntyCSP: Let’s Break Stuff REPORT-URI
  • 38. @BruntyCSP: Let’s Break Stuff WHEN A POLICY FAILURE OCCURS, THE BROWSER SENDS A JSON PAYLOAD TO THAT URL
  • 39. @BruntyCSP: Let’s Break Stuff { "csp-report": { "blocked-uri": "self", "document-uri": "https://mysite.com", "line-number": 1, "original-policy": "script-src 'self'", "script-sample": "try { for(var lastpass_iter=0; lastpass...", "source-file": "https://mysite.com", "violated-directive": "script-src 'self'" } }
  • 40. @BruntyCSP: Let’s Break Stuff REPORT-URI.IO
  • 41. @BruntyCSP: Let’s Break Stuff REPORT-ONLY
  • 42. @BruntyCSP: Let’s Break Stuff Content-Security-Policy-Report-Only: script-src 'self' https://*.google.com; style-src 'self'; report-uri https://mfyu.report-uri.io/r/default/csp/reportOnly;
  • 43. @BruntyCSP: Let’s Break Stuff USE REPORT-ONLY
  • 44. @BruntyCSP: Let’s Break Stuff TRIAL STUFF BEFORE ENFORCING
  • 45. @BruntyCSP: Let’s Break Stuff LOVE REPORT-ONLY
  • 46. @BruntyCSP: Let’s Break Stuff BUT THERE WILL BE NOISE, LOTS OF NOISE
  • 47. @BruntyCSP: Let’s Break Stuff HATE REPORT-ONLY
  • 48. @BruntyCSP: Let’s Break Stuff WAYS TO REMOVE BARRIERS IN DEVELOPMENT NONCES ▸ Don’t generate multiple nonces in the same request (but do generate a new nonce on each separate request) ▸ If using a templating engine (such as twig) - add the nonce as a global so it’s available in every template by default ▸ Write a helper to generate tags with a nonce if it’s available
  • 49. @BruntyCSP: Let’s Break Stuff WAYS TO MAKE DEALING WITH A CSP EASIER TIPS ▸ Have an easy and quick way to disable the CSP in production if required ▸ Better yet, have a way to switch it from enforced to report only so you can get violations reported to help you debug ▸ Add the CSP at an application level if you need a nonce - be careful with doing it at a vhost config level (as changes require web server config reload)
  • 50. @BruntyCSP: Let’s Break Stuff BROWSER SUPPORT
  • 53. @BruntyCSP: Let’s Break Stuff @SCOTT_HELME (HE KNOWS HIS STUFF!) (THIS ISN’T ME)
  • 54. @BruntyCSP: Let’s Break Stuff HOMEWORK TIME! LINKS & FURTHER READING ▸ https://www.owasp.org/index.php/Cross-site_Scripting_(XSS) ▸ https://content-security-policy.com ▸ https://report-uri.io ▸ https://scotthelme.co.uk/just-how-much-traffic-can-you-generate-using-csp/ ▸ https://www.edgescan.com/assets/docs/reports/2016-edgescan-stats-report.pdf ▸ http://theharmonyguy.com/oldsite/2011/04/21/recent-facebook-xss-attacks-show- increasing-sophistication/ ▸ https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy ▸ https://github.com/Brunty/csp-demo
  • 55. @BruntyCSP: Let’s Break Stuff THANK YOU
  • 56. @BruntyCSP: Let’s Break Stuff HTTPS://JOIND.IN/TALK/E45C8
  • 57. @BruntyCSP: Let’s Break Stuff QUESTIONS? @BRUNTY @PHPEM MFYU.CO.UK MATT@MFYU.CO.UK