Content Security Policy
Lessons learned at Yahoo
B-Sides DC
10/17/2015
Binu Ramakrishnan & Vibha Sethi
Yahoo Inc.
https://cwe.mitre.org/data/definitions/79.html
http://bit.ly/1ZK9COc
Cross-site Scripting
● Execution of malicious code injected by an attacker
on the victim's web page
● Leads to credential and data theft, malware
distribution, site defacement etc.
● Primary cause: improper neutralization of user input
when it is rendered on a web page (CWE-79)
● Has remained a top threat on the OWASP Top Ten list
since the 2004 edition
Common Remedies
● Input validation and output encoding
● Whitelist trusted content and tags
● Isolation - e.g. sandboxed iframes
http://bit.ly/1VRI1Gb
source: https://www.cvedetails.com/vulnerabilities-by-types.php
CSP - An additional layer of protection
So what is CSP?
● Content Security Policy is a browser-based mechanism that lets you
whitelist the locations from which your web application may load resources.
You specify the policy for a page in a CSP HTTP response header, for example:
content-security-policy: default-src https://example.com
which allows resources to be loaded only from https://example.com.
● Policy delivery
○ content-security-policy header - enforced; violating loads are blocked
○ content-security-policy-report-only header - violations are reported but not
blocked; for experimenting & monitoring
○ HTML <meta http-equiv="Content-Security-Policy"> tag - report-only mode is not
available this way, and frame-ancestors, sandbox and report-uri are ignored in a meta tag
Example
https://example.com/test.html:
<!DOCTYPE html>
<html>
<head>
</head>
<body>
<img src="https://s.yimg.com/rz/uh/alphatars/B.png">
</body>
</html>
HTTP header:
content-security-policy: default-src 'self'; report-uri https://csp.example.com
The image comes from s.yimg.com, which is not the page's origin, so the browser
blocks the load and posts a violation report to https://csp.example.com.
Violation report
● CSP facilitates generating and delivering violation reports to the endpoint named
in the report-uri directive.
● Delivered as an HTTP POST with a JSON body (Content-Type: application/csp-report)
Sample CSP Report
{
  "csp-report": {
    "document-uri": "https://example.com/test.html",
    "referrer": "",
    "blocked-uri": "https://s.yimg.com/rz/uh/alphatars/B.png",
    "violated-directive": "default-src 'self'",
    "effective-directive": "img-src",
    "original-policy": "default-src 'self'; report-uri https://csp.example.com"
  }
}
effective-directive is sent by CSP 2.0 browsers only; CSP 1.0 browsers send
violated-directive alone, so for a default-src fallback the resource type is not recoverable.
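The receiving side of the report format above, as an added example that is not part of the original deck: a Node.js function that validates and normalizes a posted report before it is stored, accepting both the CSP 1.0 shape (no effective-directive) and the CSP 2.0 shape. The size limit and the sample report body are assumptions constructed for the example.

```javascript
// Added example, not code from the talk: validating and normalizing a CSP
// violation report the way a report-uri endpoint should before storing it.
// Field names are the CSP 1.0/2.0 report fields; the size limit is an assumption.

const MAX_BODY_BYTES = 16 * 1024;   // assumption: reject oversized posts before parsing
const REQUIRED = ['document-uri', 'violated-directive', 'original-policy'];

// CSP 2.0 browsers send "effective-directive"; CSP 1.0 browsers send only
// "violated-directive", whose first token is the directive that was evaluated
// (for a fallback that is "default-src", so the resource type stays unknown).
function effectiveDirective(report) {
  if (typeof report['effective-directive'] === 'string') return report['effective-directive'];
  return String(report['violated-directive']).trim().split(/\s+/)[0];
}

// Returns a normalized record or throws a reason the endpoint can log and
// answer with HTTP 400. `contentType` and `body` come from the HTTP layer.
function parseCspReport(contentType, body) {
  if (!/^application\/(csp-report|json)\b/i.test(contentType || '')) {
    throw new Error('unexpected content-type: ' + contentType);
  }
  if (Buffer.byteLength(body, 'utf8') > MAX_BODY_BYTES) throw new Error('report too large');
  let parsed;
  try { parsed = JSON.parse(body); } catch (e) { throw new Error('invalid JSON'); }
  const r = parsed && parsed['csp-report'];
  if (!r || typeof r !== 'object') throw new Error('missing csp-report object');
  for (const f of REQUIRED) {
    if (typeof r[f] !== 'string' || r[f] === '') throw new Error('missing field ' + f);
  }
  // blocked-uri is a URL for fetches but a keyword ("inline", "eval", "self")
  // or an empty string for inline violations, depending on the browser.
  return {
    documentUri: r['document-uri'],
    referrer: typeof r['referrer'] === 'string' ? r['referrer'] : '',
    blockedUri: typeof r['blocked-uri'] === 'string' ? r['blocked-uri'] : '',
    violatedDirective: r['violated-directive'],
    effectiveDirective: effectiveDirective(r),
    originalPolicy: r['original-policy'],
    // CSP 2.0 adds these for script violations; null when absent
    sourceFile: typeof r['source-file'] === 'string' ? r['source-file'] : null,
    lineNumber: Number.isInteger(r['line-number']) ? r['line-number'] : null,
  };
}

// Constructed sample: the report a CSP 1.0 browser would send for the test.html
// example above (no "effective-directive" field).
const SAMPLE_BODY = JSON.stringify({
  'csp-report': {
    'document-uri': 'https://example.com/test.html',
    'referrer': '',
    'blocked-uri': 'https://s.yimg.com/rz/uh/alphatars/B.png',
    'violated-directive': "default-src 'self'",
    'original-policy': "default-src 'self'; report-uri https://csp.example.com",
  },
});

function demo() {
  return parseCspReport('application/csp-report', SAMPLE_BODY);
}
```

The content-type and size checks matter because the report endpoint is unauthenticated by design: anyone can post to it, so it must never trust a report's contents beyond what it validates here, and it should rate-limit per client before doing any expensive work.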
Content Security Policy Directives
Fetch directives - each directive governs one type of resource; default-src is the
fallback for any fetch directive that the policy does not set explicitly
<html>
<head>
<link rel="stylesheet" href="https://style-example.com/pure.css">                    <!-- style-src -->
<style type="text/css">
@font-face { font-family: "MyFont"; src: url(http://font-example.org/f.ttf); }       <!-- font-src -->
</style>
<script src="https://js-example.com/jsquery.js"></script>                            <!-- script-src -->
</head>
<body>
<img src="https://image-example.com/30d.png">                                        <!-- img-src -->
<video controls><source src="https://media-example.com/anpi.mp4" type="video/mp4"></video>     <!-- media-src -->
<audio controls><source src="https://media-example.com/horse.mp3" type="audio/mpeg"></audio>   <!-- media-src -->
<object data="https://obj-example.com/bg.swf"></object>                              <!-- object-src -->
<embed src="https://obj-example.com/bg.swf">                                         <!-- object-src -->
<iframe src="https://child-example.com"></iframe>                                    <!-- child-src (CSP 2.0; frame-src in CSP 1.0) -->
<script>
var xhr = new XMLHttpRequest();
xhr.open('GET', 'https://connect-example.com/');                                     // connect-src
xhr.send();
</script>
</body>
</html>
More directives
<html>
<head>
<base href="https://example.com/" target="_blank">                       <!-- base-uri -->
</head>
<body>
<form action='https://form-sub-example.com' id='theform' method='post'>   <!-- form-action -->
<input type='text' name='fieldname' value='fieldvalue'>
<input type='submit' id='submit' value='submit'>
</form>
</body>
</html>
base-uri - restricts the URLs allowed in the page's <base> element (CSP 2.0)
form-action - restricts the URLs a form may submit to (CSP 2.0)
frame-ancestors - controls who is allowed to frame your page (iframe,
object, embed tags) (CSP 2.0)
plugin-types - whitelists MIME types for object and embed tags, e.g.
application/pdf (CSP 2.0)
sandbox - similar to the iframe sandbox attribute; supports allow-forms,
allow-same-origin, allow-top-navigation, etc.
report-uri - specifies a URL to which the user agent sends reports
about policy violations
None of these fall back to default-src: if base-uri or form-action is not set,
the page is unrestricted for that behaviour even under default-src 'none'.
Directive keywords
● 'none' - content-security-policy: default-src 'none';
○ Matches no URL at all
○ Helpful as the starting point when you are building a policy
● 'self' - content-security-policy: default-src 'self';
○ Restricts loads to the application's own origin
○ Scheme and port must match as well, not just the host
● 'unsafe-inline' - content-security-policy: script-src 'unsafe-inline';
○ Allows inline <script> and <style> blocks, inline event handlers (onclick=...)
and javascript: URLs
● 'unsafe-eval' - content-security-policy: script-src 'unsafe-eval';
○ Allows eval(untrusted_input), setTimeout(untrusted_string),
setInterval(untrusted_string) and the Function constructor
● '*' - wildcard matching any URL except data:, blob: and filesystem: -
content-security-policy: default-src *;
Keywords must be wrapped in ASCII single quotes: a bare self or none is parsed
as a host name, and typographic quotes make the policy invalid.
CSP versions & browser support
CSP 1.0 http://www.w3.org/TR/CSP1/
○ Available since 2012
○ Directives: connect-src, default-src, font-src, frame-src, img-src, media-src,
object-src, report-uri, script-src, style-src (plus the optional sandbox)
CSP 2.0 http://www.w3.org/TR/CSP2/ (formerly CSP 1.1)
○ Candidate Recommendation mid 2015
○ New directives: base-uri, child-src, form-action, frame-ancestors, plugin-types
○ New source expressions: nonces, hashes and path matching
○ Deprecates frame-src in favour of child-src (CSP Level 3 later reversed this
and reinstated frame-src)
Browser support status (as of this talk, October 2015)
○ CSP 1.0 is supported by all modern browsers
○ CSP 2.0 is supported by Chrome 40+, Firefox 35+ and Opera 27+
Let's look at some examples….
On https://csp.example.com
content-security-policy: default-src 'self';
● https://csp.example.com/campaign.js - allowed
● https://csp.example.com/reporting/report.js - allowed ('self' does not restrict the path)
● http://csp.example.com/campaign.js - blocked, scheme differs
● https://test.csp.com/campaign.js - blocked, host differs
● https://csp.example.com:8443/campaign.js - blocked, port differs
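The matching rules behind the directive, keyword and 'self' examples above, as an added example that is not part of the original deck: a simplified CSP 2.0 source-expression matcher in Node.js. It implements 'none', 'self', '*', scheme sources and host sources with wildcard host, port and path, plus the default-src fallback and the directives that do not fall back. Nonce, hash and 'unsafe-*' sources govern inline content rather than URLs and are ignored here, and redirects are not modeled. The second policy and the URLs in the demo functions are assumptions.

```javascript
// Added example, not code from the talk: a simplified CSP 2.0 URL matcher.
// Covers keyword, scheme and host sources; inline-only sources are ignored.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };
// Directives that never fall back to default-src (CSP 2.0).
const NO_FALLBACK = new Set(['base-uri', 'form-action', 'frame-ancestors',
                             'plugin-types', 'sandbox', 'report-uri']);

function parsePolicy(policy) {
  const out = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in out)) out[name] = tokens.slice(1);   // duplicates: first occurrence wins
  }
  return out;
}

function portOf(url) { return url.port || DEFAULT_PORTS[url.protocol] || ''; }

function sameOrigin(a, b) {
  return a.protocol === b.protocol && a.hostname === b.hostname && portOf(a) === portOf(b);
}

// Match one source expression against a URL, given the page's own URL.
function matchesSource(expr, url, page) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return sameOrigin(url, page);
  if (e === '*') return !['data:', 'blob:', 'filesystem:'].includes(url.protocol);
  if (e.startsWith("'")) return false;          // 'nonce-', 'sha256-', 'unsafe-*': not URL sources
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return url.protocol === e;   // scheme-source, e.g. https:
  // host-source: [scheme://] host [:port] [path]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[^:/]+)(?::(\*|\d+))?(\/.*)?$/.exec(e);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  if (scheme) {
    if (url.protocol !== scheme + ':') return false;
  } else if (page.protocol === 'http:') {
    if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;  // http pages may load https
  } else if (url.protocol !== page.protocol) return false;
  if (host === '*') { /* any host */ }
  else if (host.startsWith('*.')) { if (!url.hostname.endsWith(host.slice(1))) return false; }
  else if (url.hostname !== host) return false;
  if (port === '*') { /* any port */ }
  else if (port) { if (portOf(url) !== port) return false; }
  else if (portOf(url) !== DEFAULT_PORTS[url.protocol]) return false;   // no port given: default only
  if (path) {
    if (path.endsWith('/')) { if (!url.pathname.startsWith(path)) return false; }  // directory prefix
    else if (url.pathname !== path) return false;                                  // exact file
  }
  return true;
}

// directive: the fetch directive the resource type maps to (img-src, script-src, ...).
function isAllowed(policy, directive, resourceUrl, pageUrl) {
  const directives = parsePolicy(policy);
  let sources = directives[directive];
  if (sources === undefined && !NO_FALLBACK.has(directive)) sources = directives['default-src'];
  if (sources === undefined) return true;        // nothing applies: unrestricted
  const url = new URL(resourceUrl), page = new URL(pageUrl);
  return sources.some((s) => matchesSource(s, url, page));
}

// The five URLs from the slide, evaluated under default-src 'self' on https://csp.example.com.
const QUIZ_URLS = [
  'https://csp.example.com/campaign.js',
  'https://csp.example.com/reporting/report.js',
  'http://csp.example.com/campaign.js',
  'https://test.csp.com/campaign.js',
  'https://csp.example.com:8443/campaign.js',
];
function quiz() {
  return QUIZ_URLS.map((u) => isAllowed("default-src 'self'", 'script-src', u, 'https://csp.example.com/'));
}

// Assumed stricter policy, used below to show path matching, wildcard hosts and fallback.
const STRICT = "default-src 'none'; script-src https://cdn.example.com/asset/path/ *.example.com; img-src https:; report-uri https://csp.example.com";
```

Two things the assertions on this matcher make visible: a wildcard host such as *.example.com in the same script-src list silently overrides the path restriction on https://cdn.example.com/asset/path/, which is why the best-practices slide says to avoid wildcards; and form-action is unrestricted under default-src 'none' because it does not fall back.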
Why is inline JavaScript bad?
https://trusted.example.com/welcome.php?username=<script>alert("Attack!");</script>
welcome.php (deliberately vulnerable: the username parameter is echoed without output encoding):
<?php
echo '<script>console.log("This is a legitimate javascript code as part of the page");</script>';
echo '<div class="header"> Welcome, ' . $_GET['username'] . '</div>';
?>
Response:
Content-Type: text/html; charset=utf-8
<script>console.log("This is a legitimate javascript code as part of the page");</script>
<div class="header"> Welcome, <script>alert("Attack!");</script></div>
The browser cannot distinguish the page's own inline script from the injected one:
both are just <script> blocks in the same response, so both run.
Mitigation for inline scripts
● Solution 1: externalize inline JavaScript and CSS
○ May involve significant effort for existing applications
○ In addition, there are cases that require inline JavaScript, notably for performance
● Solution 2: use 'unsafe-inline'
○ Reduces the effectiveness of CSP: an injected <script> is allowed just like your own
● Solution 3: CSP 2.0 inline script whitelisting features - nonce-source and hash-source
○ Nonce whitelisting: 'nonce-$random' - the server generates a fresh, unguessable value
for every response and puts it in both the header and the script tag, so the CSP header
changes on every request
○ Hash whitelisting: 'hashAlgorithm-base64hash' - a sha256, sha384 or sha512 digest of the
exact script contents (whitespace included); the header stays static as long as the script does
○ Hash computation:
% echo -n "alert('Hello, world');" | openssl dgst -sha256 -binary | openssl enc -base64
Nonce example:
content-security-policy: script-src 'nonce-random01'
<script nonce="random01">alert('Hello, world');</script>
Hash example (sha1 is not an accepted algorithm; CSP 2.0 accepts sha256, sha384 and sha512 only):
content-security-policy: script-src 'sha256-<base64 digest printed by the command above>'
<script>alert('Hello, world');</script>
What are some of the most common attacks and how can CSP help mitigate?
Cross-site Scripting
○ CSP prevents XSS from being exploited; however, it does NOT fix the XSS bug
itself, which still needs proper output encoding
Unapproved third-party beacons, tags and content
○ Using CSP, restrict resource loads to just the whitelisted domains
Packet sniffing (mixed content)
○ Using CSP, servers can enforce that all content be loaded over HTTPS
○ e.g. Content-Security-Policy: default-src https:
Clickjacking - "Look before you click"
○ Use frame-ancestors to specify valid parents
○ Alternative to X-Frame-Options (send both, for browsers that predate CSP 2.0)
Block unwanted plugins
○ Use plugin-types to allow only valid plugin MIME types
Browser behavior - things that vary between browsers
● Feature completeness
● Implementation disparities
● Mobile browsers
CSP deployment
● Identify the domains you trust and start with a restrictive policy
● Initial policy sample (report-only, so nothing breaks while you gather data):
content-security-policy-report-only: default-src 'none';
script-src 'self';
connect-src 'self';
img-src 'self';
style-src 'self';
font-src 'self';
report-uri https://csp.example.com
● Use HTTPS and enable reporting
● Test the policy with a browser-based CSP testing tool (e.g. caspr)
● Fix the violations or extend the whitelist, move to the enforcing header, rinse and repeat!
Automation with csp-validator.js
% bin/phantomjs csp-validator.js
Usage: csp-validator.js [--quiet] <URL>
Returns:
0 => SUCCESS - No violations
1 => FAIL - System/parse/input error
2 => CSP-VIOLATION - Violation detected
Post deployment
● In theory, a fully compliant CSP
implementation can leverage reports to
detect injection attacks; however..
● Reports are noisy due to browser
extension violations
● The same noise does let you detect malicious
extensions in users' browsers
Browser extensions
● JavaScript injected by a browser extension sits outside the page's policy:
content-security-policy: default-src 'self' does not stop an extension from
injecting scripts, and the injected content may still show up as violation reports
Browser extensions - to sum up
● Extensions are part of the browser's trusted
computing base
● They can
○ Interfere with our web pages
○ Alter our pages and inject JavaScript into them
■ Ad injection
■ Malware, exfiltration of user information
■ Altering the CSP header itself!
● May contain security vulnerabilities
● Generate large volumes of CSP reports
● Make injection attack detection extremely hard
http://bit.ly/1kbsLbp
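Triage of the report stream described above, as an added example that is not part of the original deck: a Node.js classifier that separates extension noise from inline and external-script violations worth a human look, run over a constructed batch of reports. The extension URL schemes, the set of first-party hosts and the sample reports are assumptions for the example, not Yahoo data.

```javascript
// Added example, not code from the talk: first-pass triage of CSP violation
// reports so that extension noise does not bury candidate injections.

// Schemes used by extension-injected resources (assumption: extend for your user base).
const EXTENSION_SCHEMES = ['chrome-extension:', 'moz-extension:', 'safari-extension:', 'ms-browser-extension:'];
// Hosts we own; anything else loading scripts or opening connections is worth a look (assumption).
const FIRST_PARTY = new Set(['www.example.com', 'static.example.com', 'cdn.example.com']);
const HIGH_VALUE = new Set(['script-src', 'connect-src', 'object-src']);

function classifyReport(r) {
  // CSP 1.0 browsers omit effective-directive; fall back to the violated directive's name.
  const directive = (r['effective-directive'] || r['violated-directive'] || '').split(/\s+/)[0];
  const blocked = typeof r['blocked-uri'] === 'string' ? r['blocked-uri'] : '';
  const sourceFile = typeof r['source-file'] === 'string' ? r['source-file'] : '';
  // 1. Anything attributed to an extension URL is noise for injection detection
  //    (but a count per extension id is itself a signal about malicious extensions).
  if (EXTENSION_SCHEMES.some((s) => blocked.startsWith(s) || sourceFile.startsWith(s))) {
    return { verdict: 'extension-noise', directive, blocked };
  }
  // 2. Inline script or style blocked: either an injected payload or leftover inline code.
  //    Browsers report this as "inline", "self" or an empty blocked-uri.
  if (['inline', 'self', ''].includes(blocked) && (directive === 'script-src' || directive === 'style-src')) {
    return { verdict: 'inline-violation', directive, blocked, sourceFile };
  }
  if (blocked === 'eval') return { verdict: 'eval-violation', directive, blocked };
  // 3. Scripts, connections and plugins from hosts we do not own: highest-value signal.
  let host = '';
  try { host = new URL(blocked).hostname; } catch (e) { /* keyword or opaque value */ }
  if (host && !FIRST_PARTY.has(host) && HIGH_VALUE.has(directive)) {
    return { verdict: 'suspicious-external', directive, blocked, host };
  }
  // Everything else is most likely a legitimate asset missing from the whitelist.
  return { verdict: 'policy-gap', directive, blocked, host };
}

// Counts verdicts over a batch; each entry is either a raw POST body object
// ({ "csp-report": {...} }) or the inner report.
function triage(reports) {
  const counts = {};
  for (const entry of reports) {
    const v = classifyReport(entry['csp-report'] || entry).verdict;
    counts[v] = (counts[v] || 0) + 1;
  }
  return counts;
}

const POLICY = "default-src 'none'; script-src 'self'; img-src 'self'";
// Constructed sample batch (not real reports).
const SAMPLE_REPORTS = [
  { 'csp-report': { 'document-uri': 'https://www.example.com/', 'effective-directive': 'script-src',
      'violated-directive': "script-src 'self'", 'original-policy': POLICY,
      'blocked-uri': 'chrome-extension://abcdefghijklmnopabcdefghijklmnop/inject.js' } },
  { 'csp-report': { 'document-uri': 'https://www.example.com/', 'effective-directive': 'script-src',
      'violated-directive': "script-src 'self'", 'original-policy': POLICY, 'blocked-uri': 'inline',
      'source-file': 'moz-extension://0a1b2c3d-0000-4000-8000-000000000000/content.js' } },
  { 'csp-report': { 'document-uri': 'https://www.example.com/welcome?username=x', 'effective-directive': 'script-src',
      'violated-directive': "script-src 'self'", 'original-policy': POLICY, 'blocked-uri': 'inline',
      'source-file': 'https://www.example.com/welcome', 'line-number': 12 } },
  { 'csp-report': { 'document-uri': 'https://www.example.com/', 'effective-directive': 'script-src',
      'violated-directive': "script-src 'self'", 'original-policy': POLICY,
      'blocked-uri': 'https://evil.example.net/x.js' } },
  { 'csp-report': { 'document-uri': 'https://www.example.com/', 'effective-directive': 'img-src',
      'violated-directive': "img-src 'self'", 'original-policy': POLICY,
      'blocked-uri': 'https://static.example.com/logo.png' } },
  { 'csp-report': { 'document-uri': 'https://www.example.com/',   // CSP 1.0 browser: no effective-directive
      'violated-directive': "default-src 'none'", 'original-policy': POLICY,
      'blocked-uri': 'https://fonts.example.org/f.woff' } },
];
```

The last sample shows why the CSP 2.0 effective-directive field matters for this kind of triage: a CSP 1.0 browser reports only that default-src was violated, so the classifier cannot tell a blocked font from a blocked script and files it as a policy gap.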
Not so good side of CSP
● Not a solution for all content injection problems
○ E.g. SQL, shell and other server-side injections
● Loose policies
○ Render CSP less effective
● Browser extensions can override CSP policies
○ Less effective against malicious extensions
● Whitelisted locations are fully trusted
○ CDN scenario: any script a whitelisted CDN hosts, including old library versions
or JSONP endpoints, can be loaded by an injection on your page
CSP best practices
● Maintain code hygiene
○ Keep HTML, CSS and JavaScript separate
○ Register handlers with addEventListener instead of inline onclick= attributes
● Automation
○ csp-validator.js catches CSP misconfigurations and checks HTTPS enforcement in CI/CD
● Use stricter policies
○ Always use https:
○ Avoid 'unsafe-inline' and 'unsafe-eval'
○ Use paths - https://cdn.example.com/asset/path/ (CSP 2.0 feature)
○ Avoid wildcards if possible - *.example.com
● Enable reporting even in enforce mode
○ Helps detect content injection in near real time
CSP - What else?
● Scan violation URLs for malware
● Detect injection attacks in near real time by
analyzing CSP violation reports
● Threat intelligence - IP and URL reputation
based on blocked links
CSP testing tools
● csptester.io - open source tool
● csp-validator.js for CI/CD - PhantomJS headless script to audit the CSP policy
of a given URL
● GitHub: https://github.com/yahoo/csptester
● Chrome browser extension - caspr
Demo
● csptester.io
● csp-validator.js
Summary
Q & A
Thank you!

Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
RTTS
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
Paul Groth
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
DianaGray10
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
 

Recently uploaded (20)

DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 

Content Security Policy - Lessons learned at Yahoo

  • 10. Fetch directives - each directive controls one type of resource; default-src is the fallback for any fetch directive the policy does not set.
<html>
<head>
  <link rel="stylesheet" href="https://style-example.com/pure.css">                       -> style-src
  <style type="text/css">
    @font-face { font-family: "MyFont"; src: url(http://font-example.org/f.ttf); }         -> font-src (the @font-face URL; the <style> block itself is style-src)
  </style>
  <script src="https://js-example.com/jsquery.js"></script>                               -> script-src
</head>
<body>
  <img src="https://image-example.com/30d.png">                                           -> img-src
  <video controls><source src="https://media-example.com/anpi.mp4" type="video/mp4"></video>    -> media-src
  <audio controls><source src="https://media-example.com/horse.mp3" type="audio/mpeg"></audio>  -> media-src
  <object data="https://obj-example/bg.swf"></object>                                      -> object-src
  <embed src="https://obj-example/bg.swf">                                                 -> object-src
  <iframe src="https://child-example.com"></iframe>                                       -> child-src (CSP 2.0; frame-src in CSP 1.0)
  <script>(new XMLHttpRequest()).open('GET', 'https://connect-example.com/');</script>    -> connect-src (the XHR destination; the inline script itself is governed by script-src)
</body>
</html>
  • 11. More directives
<html>
<head>
  <base href="https://example.com/" target="_blank">                          -> base-uri
</head>
<body>
  <form action="https://form-sub-example.com" id="theform" method="post">    -> form-action
    <input type="text" name="fieldname" value="fieldvalue">
    <input type="submit" id="submit" value="submit">
  </form>
</body>
</html>
base-uri - restricts the URLs allowed in the document's <base> element, which would otherwise let an injected <base> redirect every relative script URL
form-action - restricts the URLs that forms on the page may submit to
frame-ancestors - controls who is allowed to frame your page (iframe, object, embed tags)
plugin-types - whitelist MIME types for object and embed tags, e.g. application/pdf
sandbox - similar to the iframe sandbox attribute; supports allow-forms, allow-same-origin, allow-top-navigation and the other sandbox flags
report-uri - specifies a URL to which the user agent sends reports about policy violations
  • 12. Directive keywords
● 'none' - content-security-policy: default-src 'none';
  ○ Disallows all URLs
  ○ Helpful as the starting point when you are building a CSP policy
● 'self' - content-security-policy: default-src 'self';
  ○ Restricts loading to the application's own origin
  ○ Scheme (protocol) and port must match as well as the host
● 'unsafe-inline' - content-security-policy: script-src 'unsafe-inline';
  ○ Allows inline scripts (or, under style-src, inline styles), including on* event handler attributes and javascript: URLs
● 'unsafe-eval' - content-security-policy: script-src 'unsafe-eval';
  ○ Allows eval(untrusted_input), setTimeout(untrusted_string), setInterval(untrusted_string) and the Function constructor
● '*' - wildcard to allow all - content-security-policy: default-src *;
  ○ Matches any URL except data:, blob: and filesystem: schemes, which must be listed explicitly
  • 13. CSP versions & browser support
CSP 1.0 http://www.w3.org/TR/CSP1/
  ○ Available since 2012
  ○ Directives: connect-src, default-src, font-src, frame-src, img-src, media-src, object-src, report-uri, script-src and style-src
CSP 2.0 http://www.w3.org/TR/CSP2/ (formerly CSP 1.1)
  ○ Mid 2015
  ○ New directives: base-uri, child-src, form-action, frame-ancestors, plugin-types
  ○ Adds nonce-source and hash-source for whitelisting individual inline scripts and styles
  ○ Deprecates frame-src in favour of child-src
Browser support status (as of October 2015)
  ○ CSP 1.0 is supported by all modern browsers
  ○ CSP 2.0 is supported by the latest Chrome (v40+), Firefox (v35+) and Opera (v27+)
  • 14. Let's look at some examples.... On https://csp.example.com with content-security-policy: default-src 'self';
● https://csp.example.com/campaign.js - allowed (same scheme, host and port)
● https://csp.example.com/reporting/report.js - allowed (the path does not matter to 'self')
● http://csp.example.com/campaign.js - blocked (scheme differs)
● https://test.csp.com/campaign.js - blocked (host differs)
● https://csp.example.com:8443/campaign.js - blocked (port differs from the implicit 443)
  • 15. Why is inline JavaScript bad?
https://trusted.example.com/welcome.php?username=<script>alert("Attack!");</script>
welcome.php (deliberately vulnerable: the username is echoed without output encoding):
<?php
echo '<script>console.log("This is a legitimate javascript code as part of the page");</script>';
echo '<div class="header"> Welcome, ' . $_GET['username'] . '</div>';
?>
Response:
Content-Type: text/html; charset=utf-8
<script>console.log("Legitimate javascript code as part of the page");</script>
<div> Welcome, <script>alert("Attack!");</script></div>
It is hard for the browser to distinguish trusted javascript from a malicious script: both are inline, both sit in the same document, and 'unsafe-inline' lets both run. Without 'unsafe-inline' (and without a matching nonce or hash) the browser refuses to execute either inline block, which is what turns this reflected XSS into a blocked, reported violation.
  • 16. Mitigation for inline scripts
● Solution 1: Externalizing inline javascript and CSS
  ○ May involve significant effort for existing applications
  ○ In addition, there are cases that require inline JavaScript, notably for performance
● Solution 2: Use 'unsafe-inline'
  ○ Reduces the effectiveness of CSP: the reflected script on the previous slide runs too
● Solution 3: CSP 2.0 script whitelisting features - nonce-source and hash-source
  ○ Nonce whitelisting: 'nonce-$random' - requires a fresh, unpredictable value in the CSP header and in the script tag for every response; a reused or guessable nonce can be supplied by the attacker as well
    content-security-policy: script-src 'nonce-random01'
    <script nonce="random01"> alert('Hello, world'); </script>
  ○ Hash whitelisting: 'hashAlgorithm-base64hash' - the digest is taken over the exact script body, including any leading or trailing whitespace, so the markup must match byte for byte
    Hash computation: % echo -n "alert('Hello, world');" | openssl dgst -sha1 -binary | openssl enc -base64
    content-security-policy: script-src 'sha1-RgO/D2C8PM9lERhYHMbiSllxM4g='
    <script>alert('Hello, world');</script>
  ○ Note: the published CSP 2 specification only recognises sha256, sha384 and sha512 hash-sources; use openssl dgst -sha256 for policies that must work on current browsers
  • 17. What are some of the most common attacks and how can CSP help mitigate them?
Cross-site Scripting
  ○ CSP prevents injected script from executing. However, it does NOT fix the underlying XSS bug, which still needs output encoding
Unapproved third party beacons, tags and contents
  ○ Using CSP, restrict the resources to just the whitelisted domains
Packet sniffing (mixed content)
  ○ Using CSP, servers can enforce that all content be loaded over HTTPS
  ○ e.g. Content-Security-Policy: default-src https:
  ○ Note that https: alone still allows scripts from any HTTPS host; it protects the transport, not against injection
Clickjacking - "Look before you click"
  ○ Use frame-ancestors to specify valid parents
  ○ Alternative to X-Frame-Options
Block unwanted plugins
  ○ Use plugin-types to allow only valid plugins
  • 18. Browser behavior - what varies between browsers
  ○ Feature completeness
  ○ Implementation disparities
  ○ Mobile browsers
https://www.flickr.com/photos/stargardener/5178063063/
  • 19. CSP deployment
● Identify the domains you trust and start with a restrictive policy
● Initial policy sample (report-only, so nothing breaks while violations are collected):
  content-security-policy-report-only: default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; font-src 'self'; report-uri https://csp.example.com
● Use HTTPS and enable reporting
● Test this policy using a browser based CSP testing tool (e.g. caspr)
● Rinse and repeat: fix or whitelist the reported sources, tighten, then switch the header to content-security-policy to enforce
  • 21. Automation with csp-validator.js
% bin/phantomjs csp-validator.js
Usage: csp-validator.js [--quiet] <URL>
Returns:
  0 => SUCCESS - No violations
  1 => FAIL - System/parse/input error
  2 => CSP-VIOLATION - Violation detected
The distinct exit codes let a CI/CD job fail the build when loading a page produces a violation, and separately when the check itself could not run.
  • 22. Post deployment
● In theory, a fully compliant CSP implementation can leverage reports to detect injection attacks; however..
● Reports are noisy due to browser extension violations
● The same reports can be used to detect malicious extensions in the user's browser
  • 27. Browser extensions - to sum up
● Extensions are effectively part of the Trusted Computing Base: they run with the page's privileges
● They can
  ○ Interfere with our web pages
  ○ Alter and inject JavaScript into our page
    ■ Ad injection
    ■ Malware, exfiltrating user information
    ■ Alter the CSP header itself!
● May contain security vulnerabilities
● Generate a large volume of CSP reports
● Make injection attack detection extremely hard
http://bit.ly/1kbsLbp
  • 29. The not so good side of CSP
● Not a solution for all content injection problems
  ○ E.g. SQL, shell and other server side injections
● Loose policies (wildcards, 'unsafe-inline', broad host lists)
  ○ Render CSP less effective
● Browser extensions can override CSP policies
  ○ So it is less effective against malicious extensions
● Whitelisted locations are fully trusted
  ○ CDN scenario: everything the whitelisted host serves becomes loadable, not just your own files, so a shared CDN carrying other tenants' or third-party scripts widens the policy far beyond what was intended
  • 30. CSP best practices
● Maintain code hygiene
  ○ Keep HTML, CSS and JavaScript separate
  ○ Register handlers with addEventListener instead of inline on* attributes, which CSP treats as inline script
● Automation
  ○ csp-validator.js protects against CSP misconfigurations and checks HTTPS enforcement
● Use stricter policies
  ○ Always use https:
  ○ Avoid the use of 'unsafe-inline' and 'unsafe-eval'
  ○ Use paths, e.g. https://cdn.example.com/asset/path/ (CSP 2.0 feature)
  ○ Avoid wildcards such as *.example.com if possible
● Enable reporting even in enforce mode
  ○ Helps in detecting content injection in near real time
  • 31. CSP - What else?
● Scan violation URLs for malware
● Detect injection attacks in near real time by analyzing CSP violation reports
● Threat intelligence - IP and URL reputation based on blocked links
https://www.flickr.com/photos/drp/34988312
  • 32. CSP testing tools
● csptester.io - open source tool
● csp-validator.js for CI/CD - PhantomJS headless script to audit the CSP policy for a given URL
● GitHub: https://github.com/yahoo/csptester
● Chrome browser plugin - caspr
  • 35. Q & A Thank you!