W3C Content Security Policy 1.0
One measure against web attacks.
No less and no more.
@m2w2 Markus Wichmann, May 2013
What is CSP about at all?
Just some terms:
Web Applications
Web Application Security
Cross-Site Scripting (XSS)
XSS Prevention
Policy Breach Reporting
Content Security Policy 1.0 is a
W3C candidate recommendation as of May 2013.
I expect it to become a recommendation in the nearer future.
Agenda
W3C Content Security Policy (CSP)
The Web without CSP
Plain old HTML
XSS (Cross-Site Scripting)
Enter: CSP
CSP Deployment
CSP Reporting
CSP Limitations
Future of CSP
How browsers show CSP violation attempts
The Web... without CSP
<html>
<head>
...import style sheets...
...import JavaScript files...
</head>
<body>
...Forum Comments...
<img src="...">
...Google +1 Button...
...Facebook Like plugin...
...Twitter message...
</body>
</html>
[Diagram: Web Server (page, basic JS, style sheets); Database (forum comments); Facebook plugin; Google +1 button; Twitter]
XSS (Cross-Site Scripting)
Phase 1: Injection Attack.
[Diagram: Server A, Database (forum entries); the attacker posts a comment through the forum's textarea]
<html>
...
...Forum Comments...
<textarea>
</textarea>
</html>
The posted comment:
Hey folks, look at my evil site: http://bla.com/?q=%3Cscript%3Ealert(%91This%20is%20an%20XSS%20Vulnerability%92)%3C%2Fscript%3E
XSS Phase 2: The Victim
<html>
...
Hey folks, look at my evil site: <script>alert('This is an XSS Vulnerability')</script>
...
</html>
[Diagram: Server A, Database (forum comments)]
XSS Phase 3:
Send Victim to Hell – Just one Example
[Diagram, steps 1 to 4: the injected script loads further scripts from http://www.evil.lab ("Evil Scripts, Cookie Stealing, Whatever!")]
<html>
<head>
...
<script src="...evil.lab...">
</head>
<body>
<script ...>
</body>
</html>
XSS recap
[Sequence diagram with Hacker, Victim, Web Page and WWW. Steps: Infect with evil Script; Visit Page; Inject Script; Do something evil]
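The rendering bug behind phases 1 to 3 is the forum pasting stored comments straight into its markup. As an added example (not code from the slides), here is that pattern beside the output-encoding fix that CSP is meant to back up, with a parser-based check that counts the script elements a browser would actually see. The page template is constructed; the comment text is the one the slides show.

```python
"""Forum-comment rendering: the vulnerable pattern from the slides beside its
hardened form. Added example, not code from the slides; the template is constructed."""
import html
from html.parser import HTMLParser

# The comment as the slides show it once the forum has stored it (phase 2).
STORED_COMMENT = ("Hey folks, look at my evil site: "
                  "<script>alert('This is an XSS Vulnerability')</script>")

# Constructed page template standing in for the forum page.
PAGE = "<html><body><h1>Forum</h1>{comments}<textarea></textarea></body></html>"


def render_unsafe(comments):
    """Phase 2 on the slides: stored text is pasted straight into the markup."""
    return PAGE.format(comments="".join("<p>%s</p>" % c for c in comments))


def render_safe(comments):
    """Output encoding: '<', '>', '&' and quotes become entities, so the browser
    shows the comment as text instead of parsing it as markup."""
    return PAGE.format(comments="".join("<p>%s</p>" % html.escape(c, quote=True)
                                         for c in comments))


class ScriptCounter(HTMLParser):
    """Counts <script> start tags the way a browser's HTML parser would see them."""

    def __init__(self):
        super().__init__()
        self.scripts = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1


def count_script_elements(page):
    """Number of script elements a parser finds in the rendered page."""
    parser = ScriptCounter()
    parser.feed(page)
    return parser.scripts


if __name__ == "__main__":
    print("unsafe:", count_script_elements(render_unsafe([STORED_COMMENT])), "script element(s)")
    print("safe:  ", count_script_elements(render_safe([STORED_COMMENT])), "script element(s)")
```

Escaping on output is the primary fix; the policy shown later in the deck is the second line of defence for the places where a developer forgets it.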
Enter: CSP
Declarative Source Whitelisting
"What am I allowed to fetch, and from where?"
Our example, revisited:
What do we really need?
<html>
<head>
...import style sheets...
...import JavaScript files...
</head>
<body>
...Forum Comments...
<img src="...">
...Google +1 Button...
...Facebook Like plugin...
...Twitter message...
</body>
</html>
[Diagram: Database (forum comments); Facebook plugin; Google +1 button; Twitter; Web Server (page, basic JS, style sheets)]
1. Style Sheets from our own Web Server
2. JavaScript from our own Web Server
3. JavaScript from apis.google.com
4. iframe content from plusone.google.com
5. iframe content from facebook.com
6. JavaScript from platform.twitter.com
7. iframe content from platform.twitter.com
We DON'T need inline scripts (script tags within the body tag)!
CSP Deployment
Solution: HTTP header
Name: Content-Security-Policy*
Values:
Resource Directives
each with a Source List
* see CSP's limitations (as of May 2013) 1/2 for special cases/special browsers
CSP Deployment: Our recent example
If you wrote it separately (don't do this, not correct, just for demonstration purposes):

Content-Security-Policy: default-src 'self';
Content-Security-Policy: style-src 'self';
Content-Security-Policy: script-src 'self' https://apis.google.com https://platform.twitter.com;
Content-Security-Policy: frame-src https://plusone.google.com https://facebook.com https://platform.twitter.com;

Correct all-in-one notation:

Content-Security-Policy: default-src 'self'; style-src 'self'; script-src 'self' https://apis.google.com https://platform.twitter.com; frame-src https://plusone.google.com https://facebook.com https://platform.twitter.com;
CSP Directives
default-src  origin to fall back on if there is no more specific rule (e.g. the directives below)
style-src    origins for CSS stylesheets
img-src      origins for image files
font-src     origins to load web fonts from
frame-src    origins embeddable into iframes
media-src    origins of HTML5 audio and video
object-src   origins of Flash and similar plugins
connect-src  origins to connect to using XHR, WebSockets, and EventSource
CSP Source Lists
'none'           restricts the directive to nothing at all
'self'           the current origin, but not its subdomains
'unsafe-inline'  allows inline JavaScript and CSS
'unsafe-eval'    allows JavaScript's eval method
http://uri.lab   a URI to allow; space-separated if there are several
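How a browser applies these directives and source lists to the deployment example can be worked through in code. The following is an added example written for this page, not code from the slides or from any browser: it parses the all-in-one header value from the deployment slide and decides, for a page at the constructed origin https://forum.example, whether a given fetch or inline block would be allowed. It implements the default-src fallback, 'self' (same scheme, host and port, so no subdomains), 'none', 'unsafe-inline', scheme sources such as https: and host sources with an optional *. wildcard; ports are compared only when the source names one.

```python
"""CSP 1.0 source-list matching for the slides' example policy.

Added example, not code from the slides. The page origin https://forum.example
and the fetched URLs are constructed sample values.
"""
from urllib.parse import urlsplit

# The "correct all-in-one notation" policy from the deployment slide.
POLICY = ("default-src 'self'; style-src 'self'; "
          "script-src 'self' https://apis.google.com https://platform.twitter.com; "
          "frame-src https://plusone.google.com https://facebook.com https://platform.twitter.com")

PAGE_URL = "https://forum.example/index.html"   # constructed: the page that carries the policy


def parse_policy(header_value):
    """Turn 'name src src; name src' into {name: [src, ...]}.
    A repeated directive is ignored, so the first occurrence wins."""
    policy = {}
    for directive in header_value.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy, directive):
    """The source list that governs a directive: its own, else default-src,
    else None, meaning the policy says nothing about that resource type."""
    return policy.get(directive, policy.get("default-src"))


def origin_of(url):
    """(scheme, host, port) of a URL; None for URLs without a host."""
    parts = urlsplit(url)
    return (parts.scheme.lower(), parts.hostname, parts.port) if parts.hostname else None


def split_source(source):
    """'https://host:443' -> ('https', 'host', 443); 'host' -> (None, 'host', None)."""
    scheme, host_port = source.split("://", 1) if "://" in source else (None, source)
    host, _, port = host_port.partition(":")
    return (scheme.lower() if scheme else None, host.lower(), int(port) if port else None)


def source_matches(source, page_origin, url):
    """Does one source expression allow fetching `url` from a page at page_origin?"""
    if source == "'self'":
        return origin_of(url) == page_origin        # same scheme, host and port only
    if source.startswith("'"):
        return False   # 'none', 'unsafe-inline', 'unsafe-eval' never allow a URL
    if source.endswith(":") and "://" not in source:   # scheme source such as https:
        return urlsplit(url).scheme.lower() == source[:-1].lower()
    if source == "*":
        return True
    scheme, host, port = split_source(source)
    target = urlsplit(url)
    # A scheme-less host source inherits the scheme of the page.
    if target.scheme.lower() != (scheme or page_origin[0]):
        return False
    target_host = (target.hostname or "").lower()
    if host.startswith("*."):
        if not target_host.endswith(host[1:]):
            return False
    elif target_host != host:          # exact host match: facebook.com != www.facebook.com
        return False
    # The port is compared only when the source names one (default ports stay implicit).
    return port is None or port == target.port


def allowed(policy, directive, url, page_url=PAGE_URL):
    """Would a page at page_url be allowed to load `url` under `directive`?"""
    sources = effective_sources(policy, directive)
    if sources is None:
        return True
    page_origin = origin_of(page_url)
    return any(source_matches(s, page_origin, url) for s in sources)


def inline_allowed(policy, directive):
    """Inline <script>/<style> blocks need 'unsafe-inline' in the governing list."""
    sources = effective_sources(policy, directive)
    return sources is None or "'unsafe-inline'" in sources


if __name__ == "__main__":
    policy = parse_policy(POLICY)
    for directive, url in [("script-src", "https://forum.example/app.js"),
                           ("script-src", "https://apis.google.com/js/plusone.js"),
                           ("script-src", "http://www.evil.lab/evil.js"),
                           ("img-src", "https://cdn.forum.example/logo.png"),
                           ("frame-src", "https://www.facebook.com/plugins/like.php")]:
        print(directive, url, "->", "allowed" if allowed(policy, directive, url) else "BLOCKED")
    print("inline script ->", "allowed" if inline_allowed(policy, "script-src") else "BLOCKED")
```

Running it shows why the slide's frame-src list allows https://facebook.com but not https://www.facebook.com: a host source matches exactly unless it carries a wildcard, which is the same rule that keeps 'self' from covering subdomains. It also shows img-src and connect-src silently inheriting 'self' from default-src, which is the fallback the directives table describes.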
CSP Deployment's effect
Attacker finds hole? Bad enough.
Attacker injects script? Bad enough.
But:
If script does not match whitelist, it cannot
be executed.
Bad enough... for the attacker.
CSP Reporting
Find weak pieces of your code: Let browser report attempted policy breaches!
Content-Security-Policy: default-src 'self'; report-uri /csp_report_parser;

CSP violation attempts are reported to the specified URI in JSON format like this:

{
  "csp-report": {
    "document-uri": "http://example.org/page.html",
    "referrer": "http://evil.example.com/",
    "blocked-uri": "http://evil.example.com/evil.js",
    "violated-directive": "script-src 'self' https://apis.google.com",
    "original-policy": "script-src 'self' https://apis.google.com; report-uri http://example.org/csp_report_parser"
  }
}
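A report-uri endpoint has to treat these reports as untrusted input, because the browser of whoever visits the page is the sender. Below is an added example, not the slides' code: a small WSGI receiver for /csp_report_parser that accepts only POST, caps the body size, checks that the body is JSON carrying a csp-report object whose known fields are strings, writes one log line per violation and answers 204. The sample report is constructed to match the one on the slide; the address and port in the __main__ block are arbitrary.

```python
"""Receiver for CSP violation reports posted to report-uri.

Added example, not code from the slides. The WSGI app and the sample report
are constructed; the report fields are the ones shown on the reporting slide.
"""
import io
import json
import logging

KNOWN_FIELDS = ("document-uri", "referrer", "blocked-uri",
                "violated-directive", "original-policy")
MAX_BODY = 16 * 1024      # a report is a few hundred bytes; refuse anything bigger
MAX_FIELD = 2048          # the browser is the reporter, so its values are untrusted input


class BadReport(ValueError):
    """Raised for bodies that are not a well-formed CSP report."""


def parse_csp_report(body):
    """Validate a raw request body and return the known fields as a flat dict."""
    if len(body) > MAX_BODY:
        raise BadReport("report too large")
    try:
        data = json.loads(body)
    except ValueError as exc:                 # covers bad JSON and bad UTF-8
        raise BadReport("body is not JSON") from exc
    report = data.get("csp-report") if isinstance(data, dict) else None
    if not isinstance(report, dict):
        raise BadReport("missing csp-report object")
    clean = {}
    for field in KNOWN_FIELDS:
        value = report.get(field, "")
        if not isinstance(value, str):
            raise BadReport("field %s is not a string" % field)
        clean[field] = value[:MAX_FIELD]
    if not clean["violated-directive"]:
        raise BadReport("violated-directive is empty")
    return clean


def directive_name(violated_directive):
    """\"script-src 'self' https://apis.google.com\" -> \"script-src\"."""
    return violated_directive.split()[0]


def csp_report_app(environ, start_response):
    """WSGI endpoint to mount at /csp_report_parser: POST only, logs, answers 204."""
    if environ.get("REQUEST_METHOD") != "POST":
        start_response("405 Method Not Allowed", [("Allow", "POST")])
        return [b""]
    try:
        length = int(environ.get("CONTENT_LENGTH") or 0)
    except ValueError:
        length = 0
    body = environ["wsgi.input"].read(min(length, MAX_BODY + 1))
    try:
        report = parse_csp_report(body)
    except BadReport as exc:
        start_response("400 Bad Request", [("Content-Type", "text/plain")])
        return [str(exc).encode("utf-8")]
    # One log line per violation is what you search when hunting weak spots in your pages.
    logging.warning("CSP violation: %s blocked %s on %s (referrer: %s)",
                    directive_name(report["violated-directive"]), report["blocked-uri"],
                    report["document-uri"], report["referrer"] or "-")
    start_response("204 No Content", [])
    return [b""]


def run_request(body, method="POST"):
    """Drive the app in-process with a fake environ; returns the status line."""
    environ = {"REQUEST_METHOD": method, "CONTENT_LENGTH": str(len(body)),
               "wsgi.input": io.BytesIO(body)}
    status = []
    list(csp_report_app(environ, lambda s, headers: status.append(s)))
    return status[0]


# Constructed sample, shaped like the report on the slide.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "http://example.org/page.html",
    "referrer": "http://evil.example.com/",
    "blocked-uri": "http://evil.example.com/evil.js",
    "violated-directive": "script-src 'self' https://apis.google.com",
    "original-policy": "script-src 'self' https://apis.google.com; "
                       "report-uri http://example.org/csp_report_parser"}}).encode("utf-8")

if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    logging.basicConfig(level=logging.WARNING)
    print("self-test:", run_request(SAMPLE_REPORT), "/", run_request(b"{}"))
    make_server("127.0.0.1", 8080, csp_report_app).serve_forever()   # arbitrary address
```

Expect noise: browser extensions and injected proxies trigger reports that have nothing to do with your own code, so group the log by violated directive and blocked URI before deciding what to whitelist.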
CSP's limitations (as of May 2013) 1/2
Browsers supporting CSP 1.0:
Firefox 4–16 partial support, use X-Content-Security-Policy
Firefox 17+ seems like full support, use X-Content-Security-Policy
Chrome 14+ seems to me like full support
IE 10+ very rudimentary support, see http://goo.gl/p5rke
Safari 5.1 partial support, use X-WebKit-CSP as header name
Safari 6.0+ seems to me like full support
iOS 6.0 Safari seems to me like full support
Chrome for Android 25+ seems to me like full support
Sources: http://caniuse.com/contentsecuritypolicy and
Mike West's Twitter Post above
CSP's limitations (as of May 2013) 2/2
CSP protects users against
Most Cross-Site Scripting attacks
CSP does NOT protect against:
Cross-Site Request Forgery (XSRF/CSRF)
Session Riding
Cookie Stealing (though this is a bit more difficult with CSP in place)
SQL Injection
And please use HTTPS wherever possible.
HTTP over SSL
Possible Future of CSP
CSP 1.1 currently in draft status (as of 05/2013)
Will mainly support more directives
script-nonce  allow specific(!) inline scripts
plugin-types  allow specific plugin MIME types
form-action   specify form action URIs to allow
See https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#frame-options--experimental
How browsers show CSP violations
in their debuggers (Firebug, Developer Tools, etc.)
[Screenshots: the CSP violation message as shown by Firefox and by Chrome]
Thanks to all authors
of the following pages:
http://www.w3.org/TR/CSP/
https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#frame-options--experimental
http://www.html5rocks.com/en/tutorials/security/content-security-policy/
http://en.wikipedia.org/wiki/Cross-site_scripting
http://de.wikipedia.org/wiki/Cross-Site-Request-Forgery
http://en.wikipedia.org/wiki/Same_origin_policy
http://en.wikipedia.org/wiki/JSONP
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Introduction
http://en.wikipedia.org/wiki/Samy_worm
http://maulwuff.de/pws/2012/web20sec/vortrag.html
https://www.bsi.bund.de/cae/servlet/contentblob/476464/publicationFile/30632/WebSec_pdf
http://www.linuxforu.com/2012/03/cyber-attacks-explained-web-exploitation/
http://www.linuxforu.com/2010/09/securing-apache-part-2-xss-injections/
https://wiki.mozilla.org/index.php?title=Security/CSP/Spec&oldid=133465
https://twitter.com/mikewest/status/268721123145957377
http://people.mozilla.com/~bsterne/content-security-policy/
http://people.mozilla.com/~bsterne/content-security-policy/origin-header-proposal.html
http://de.slideshare.net/shreeraj/xss-and-csrf-with-html5
http://google-gruyere.appspot.com/part3#3__cross_site_script_inclusion
http://intothesymmetry.blogspot.de/2012/06/facebook-logout-csrf-and-oauth-2.html
http://www.kendoui.com/blogs/archive/11-10-03/using_cors_with_all_modern_browsers.aspx
Thank you.
@m2w2
Constructive criticism always welcome!
Disclaimer:
The author of these slides does not give and cannot give any kind of warranties or
guarantees or anything the like on the correctness of any information provided in these
slides.
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptx
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 

W3C Content Security Policy

  • 1. W3C Content Security Policy 1.0 One measure against web attacks. No less and no more. @m2w2 Markus Wichmann, May 2013
  • 2. What is CSP about at all? Just some terms: Web Applications, Web Application Security, Cross-Site Scripting (XSS), XSS Prevention, Policy Breach Reporting. Content Security Policy 1.0 is a W3C candidate recommendation as of May 2013. I expect it to become a recommendation in the near future.
  • 3. Agenda
    W3C Content Security Policy (CSP)
    The Web without CSP
    Plain old HTML
    XSS (Cross-Site Scripting)
    Enter: CSP
    CSP Deployment
    CSP Reporting
    CSP Limitations
    Future of CSP
    How browsers show CSP violation attempts
  • 4. The Web... without CSP
    <html>
    <head>
    ...import style sheets...
    ...import JavaScript files...
    </head>
    <body>
    ...Forum Comments...
    <img src="...">
    ...Google +1 Button...
    ...Facebook Like plugin...
    ...Twitter message...
    </body>
    </html>
    (Diagram: the page is assembled from the Web Server (page, basic JS, style sheets), the Database (forum comments), the FB plugin, the G+ button and Twitter.)
  • 5. XSS (Cross-Site Scripting), Phase 1: Injection Attack
    (Diagram: Server A, Database: Forum entries)
    <html>
    ...
    ...Forum Comments...
    <textarea>
    </textarea>
    </html>
    Comment entered into the textarea: "Hey folks, look at my evil site: http://bla.com/?q=%3Cscript%3Ealert(%91This%20is%20an%20XSS%20Vulnerability%92)%3C%2Fscript%3E"
  • 6. XSS Phase 2: The Victim
    <html>
    ...
    Hey folks, look at my evil site: <script>alert(‘This is an XSS Vulnerability’)</script>
    ...
    </html>
    (Diagram: Server A, Database: Forum Comments)
  • 7. XSS Phase 3: Send Victim to Hell – Just one Example
    (Diagram, steps 1–4: the injected script loads from http://www.evil.lab, labelled "Evil Scripts, Cookie Stealing, Whatever!")
    <html>
    <head>
    ...
    <script src="...evil.lab...">
    </head>
    <body>
    <script ...>
    </body>
    </html>
  • 8. XSS recap
    (Sequence diagram with participants Hacker, Victim, Web Page and WWW; labelled steps: Infect with evil Script, Visit Page, Inject Script, Do something evil)
  • 9. Enter: CSP. Declarative Source Whitelisting: "What am I allowed to fetch, and from where?"
  • 10. Our example, revisited: What do we really need?
    (Same HTML skeleton and diagram as slide 4: style sheets and JavaScript imported in the head; forum comments, an image, the Google +1 button, the Facebook Like plugin and a Twitter message in the body; sources: Web Server, Database, FB plugin, G+ button, Twitter.)
  • 11. What do we really need?
    (Same HTML skeleton and diagram as slide 4.)
    1. Style Sheets from our own Web Server
    2. JavaScript from our own Web Server
    3. JavaScript from apis.google.com
    4. iframe content from plusone.google.com
    5. iframe content from facebook.com
    6. JavaScript from platform.twitter.com
    7. iframe content from platform.twitter.com
    We DON'T need inline scripts (script tags within the body tag)!
  • 12. CSP Deployment
    Solution: HTTP header
    Name: Content-Security-Policy*
    Values: Resource Directives, each with a Source List
    * see CSP's limitations (as of May 2013) 1/2 for special cases/special browsers
  • 13. CSP Deployment: Our recent example
    If you wrote it separately (don't do this, not correct, just for demonstration purposes):
    Content-Security-Policy: default-src 'self';
    Content-Security-Policy: style-src 'self';
    Content-Security-Policy: script-src 'self' https://apis.google.com https://platform.twitter.com;
    Content-Security-Policy: frame-src https://plusone.google.com https://facebook.com https://platform.twitter.com;
    Correct all-in-one notation:
    Content-Security-Policy: default-src 'self'; style-src 'self'; script-src 'self' https://apis.google.com https://platform.twitter.com; frame-src https://plusone.google.com https://facebook.com https://platform.twitter.com;
    Requirements this covers:
    1. Style Sheets from our own Web Server
    2. JavaScript from our own Web Server
    3. JavaScript from apis.google.com
    4. iframe content from plusone.google.com
    5. iframe content from facebook.com
    6. JavaScript from platform.twitter.com
    7. iframe content from platform.twitter.com
    We DON'T want inline scripts = script tags within the body tag!
  • 14. CSP Directives
    default-src: origin to fall back on if there's no rule that is more specific (e.g. see the directives below)
    style-src: origins for CSS stylesheets
    img-src: origins for image files
    font-src: origins to load web fonts from
    frame-src: origins embeddable into iframes
    media-src: origins of HTML5 audio and video
    object-src: origins of Flash and similar plugins
    connect-src: origins to connect to using XHR, WebSockets, and EventSource
  • 15. CSP Source Lists
    'none': restrict the directive to nothing at all
    'self': the current origin, but not its subdomains
    'unsafe-inline': allows inline JavaScript and CSS
    'unsafe-eval': allows JavaScript's eval method
    http://uri.lab: URI to allow, space-separated if there are multiple
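Slides 13 to 15 describe how a browser decides whether a fetch is allowed: the most specific directive applies, default-src is the fallback, 'self' is the page's own origin without subdomains, and inline script needs 'unsafe-inline'. The following is an added example written for this page, not code from the slides or from any browser: a small Python evaluator that parses the all-in-one header from slide 13 and answers "would this load be allowed?" under those rules. Host matching is deliberately simplified (scheme plus exact host, optional explicit port; no wildcards or paths), and the page URL and resource URLs in the comments and tests are constructed sample values.

```python
"""Toy evaluator for CSP 1.0 source lists (added example, not from the slides).

It parses a Content-Security-Policy header value like the one on slide 13 and
answers "would this fetch be allowed?" the way the deck describes: the most
specific directive wins, otherwise default-src is the fallback, 'self' means the
page's own origin (no subdomains), and inline script is only allowed when
'unsafe-inline' is listed. Host-source matching is simplified: scheme plus exact
host, optional explicit port. Real browsers also handle wildcards and paths.
"""
from urllib.parse import urlsplit

# The all-in-one header value from slide 13, used here as sample input.
SAMPLE_POLICY = (
    "default-src 'self'; style-src 'self'; "
    "script-src 'self' https://apis.google.com https://platform.twitter.com; "
    "frame-src https://plusone.google.com https://facebook.com https://platform.twitter.com;"
)


def parse_policy(header_value):
    """Turn "dir src src; dir src" into {directive: [source, ...]}."""
    policy = {}
    for clause in header_value.split(";"):
        parts = clause.split()
        if not parts:
            continue
        name, sources = parts[0].lower(), parts[1:]
        policy.setdefault(name, sources)  # a repeated directive is ignored, the first one wins
    return policy


def _origin(url):
    """(scheme, host, explicit port or None) of a URL, the tuple 'self' is compared on."""
    u = urlsplit(url)
    return (u.scheme.lower(), (u.hostname or "").lower(), u.port)


def _source_matches(source, resource_url, page_origin):
    """One source expression against one resource URL (simplified CSP 1.0 rules)."""
    if source == "'none'":
        return False
    if source == "'self'":
        return _origin(resource_url) == page_origin
    if source.startswith("'"):  # 'unsafe-inline' / 'unsafe-eval' are not host sources
        return False
    src_scheme, _, src_host = source.partition("://")
    if not src_host:  # bare host such as example.com: the page's scheme applies
        src_scheme, src_host = page_origin[0], src_scheme
    res_scheme, res_host, res_port = _origin(resource_url)
    host, _, port = src_host.partition(":")
    if port and str(res_port or "") != port:
        return False
    return res_scheme == src_scheme.lower() and res_host == host.lower()


def effective_sources(policy, directive):
    """Slide 14: fall back to default-src when there is no more specific rule."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", [])


def allows(policy, directive, resource_url, page_url):
    """Would the browser load resource_url under this directive on page_url?"""
    if directive not in policy and "default-src" not in policy:
        return True  # no rule and no fallback: CSP 1.0 leaves this resource type unrestricted
    page_origin = _origin(page_url)
    return any(_source_matches(s, resource_url, page_origin)
               for s in effective_sources(policy, directive))


def allows_inline_script(policy):
    """Inline <script> blocks need 'unsafe-inline' on script-src (or on its fallback)."""
    return "'unsafe-inline'" in effective_sources(policy, "script-src")


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    page = "https://www.example.org/forum.html"  # constructed page URL
    for directive, url in [("script-src", "https://apis.google.com/js/plusone.js"),
                           ("script-src", "https://evil.lab/evil.js"),
                           ("img-src", "https://images.example.net/a.png")]:
        print(directive, url, "->", "allowed" if allows(policy, directive, url, page) else "blocked")
    print("inline script allowed:", allows_inline_script(policy))
```

Running it shows the two properties the deck stresses: a script from evil.lab is blocked because no source in script-src matches it, and the forum's inline script is blocked because 'unsafe-inline' is absent. It also shows a consequence worth checking in your own policy: a resource type with no directive of its own (images here) is governed by default-src 'self', so an image CDN on another host would be blocked until img-src lists it.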
  • 16. CSP Deployment's effect
    Attacker finds hole? Bad enough.
    Attacker injects script? Bad enough.
    But: if the script does not match the whitelist, it cannot be executed. Bad enough... for the attacker.
  • 17. CSP Reporting
    Find weak pieces of your code: let the browser report attempted policy breaches!
    Content-Security-Policy: default-src 'self'; report-uri /csp_report_parser;
    CSP violation attempts are reported to the specified URI in JSON format like this:
    {
      "csp-report": {
        "document-uri": "http://example.org/page.html",
        "referrer": "http://evil.example.com/",
        "blocked-uri": "http://evil.example.com/evil.js",
        "violated-directive": "script-src 'self' https://apis.google.com",
        "original-policy": "script-src 'self' https://apis.google.com; report-uri http://example.org/csp_report_parser"
      }
    }
  • 18. CSP's limitations (as of May 2013) 1/2
    Browsers supporting CSP 1.0:
    Firefox 4–16: partial support, use X-Content-Security-Policy
    Firefox 17+: seems like full support, use X-Content-Security-Policy
    Chrome 14+: seems to me like full support
    IE 10+: very rudimentary support, see http://goo.gl/p5rke
    Safari 5.1: partial support, use X-WebKit-CSP as header name
    Safari 6.0+: seems to me like full support
    iOS 6.0 Safari: seems to me like full support
    Chrome for Android 25+: seems to me like full support
    Sources: http://caniuse.com/contentsecuritypolicy and Mike West's Twitter post above
  • 19. CSP's limitations (as of May 2013) 2/2
    CSP protects users against: most Cross-Site Scripting attacks
    CSP does NOT protect against:
    Cross-Site Request Forgery (XSRF/CSRF)
    Session Riding
    Cookie Stealing (though this is a bit more difficult with CSP in place)
    SQL Injection
    And please use HTTPS (HTTP over SSL) wherever possible.
  • 20. Possible Future of CSP
    CSP 1.1 currently in draft status (as of 05/2013)
    Will mainly support more directives:
    script-nonce: allow specific(!) inline scripts
    plugin-types: allow specific plugin MIME types
    form-action: specify form action URIs to allow
    See https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#frame-options--experimental
  • 21. How browsers show CSP violations in their debuggers (Firebug, Developer Tools, etc.)
    Firefox: (screenshot)
    Chrome: (screenshot)
  • 22. Thanks to all authors of the following pages:
    http://www.w3.org/TR/CSP/
    https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#frame-options--experimental
    http://www.html5rocks.com/en/tutorials/security/content-security-policy/
    http://en.wikipedia.org/wiki/Cross-site_scripting
    http://de.wikipedia.org/wiki/Cross-Site-Request-Forgery
    http://en.wikipedia.org/wiki/Same_origin_policy
    http://en.wikipedia.org/wiki/JSONP
    https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Introduction
    http://en.wikipedia.org/wiki/Samy_worm
    http://maulwuff.de/pws/2012/web20sec/vortrag.html
    https://www.bsi.bund.de/cae/servlet/contentblob/476464/publicationFile/30632/WebSec_pdf
    http://www.linuxforu.com/2012/03/cyber-attacks-explained-web-exploitation/
    http://www.linuxforu.com/2010/09/securing-apache-part-2-xss-injections/
    https://wiki.mozilla.org/index.php?title=Security/CSP/Spec&oldid=133465
    https://twitter.com/mikewest/status/268721123145957377
    http://people.mozilla.com/~bsterne/content-security-policy/
    http://people.mozilla.com/~bsterne/content-security-policy/origin-header-proposal.html
    http://de.slideshare.net/shreeraj/xss-and-csrf-with-html5
    http://google-gruyere.appspot.com/part3#3__cross_site_script_inclusion
    http://intothesymmetry.blogspot.de/2012/06/facebook-logout-csrf-and-oauth-2.html
    http://www.kendoui.com/blogs/archive/11-10-03/using_cors_with_all_modern_browsers.aspx
  • 23. Thank you. @m2w2 Constructive criticism always welcome! Disclaimer: The author of these slides does not give and cannot give any kind of warranties or guarantees or anything the like on the correctness of any information provided in these slides.