2. What is CSP about at all?
Just some terms:
Web Applications
Web Application Security
Cross-Site Scripting (XSS)
XSS Prevention
Policy Breach Reporting
Content Security Policy 1.0 is a W3C candidate recommendation as of May 2013.
I expect it to become a recommendation in the near future.
@m2w2 Markus Wichmann, May 2013
3. Agenda
W3C Content Security Policy (CSP)
The Web without CSP
Plain old HTML
XSS (Cross-Site Scripting)
Enter: CSP
CSP Deployment
CSP Reporting
CSP Limitations
Future of CSP
How browsers show CSP violation attempts
4. The Web... without CSP
<html>
<head>
...import style sheets...
...import JavaScript files...
</head>
<body>
...Forum Comments...
<img src="...">
...Google +1 Button...
...Facebook Like plugin...
...Twitter message...
</body>
</html>
(Diagram labels: Web Server: Page, Basic JS, Style Sheets; Database: Forum Comments; FB plugin; G+ button; Twitter)
5. XSS (Cross-Site Scripting)
Phase 1: Injection Attack.
(Diagram labels: Server A; Database: Forum entries)
<html>
...
...Forum Comments...
<textarea>
</textarea>
</html>
Hey folks, look at my evil site: http://bla.com/?q=%3Cscript%3Ealert(%27This%20is%20an%20XSS%20Vulnerability%27)%3C%2Fscript%3E
6. XSS Phase 2: The Victim
<html>
...
Hey folks, look at my evil site: <script>alert('This is an XSS Vulnerability')</script>
...
</html>
(Diagram labels: Server A; Database: Forum Comments)
7. XSS Phase 3: Send Victim to Hell – Just one Example
(Diagram label: http://www.evil.lab serves Evil Scripts, Cookie Stealing, Whatever!)
<html>
<head>
...
<script src="...evil.lab...">
</head>
<body>
<script ...>
</body>
</html>
8. XSS recap
(Sequence diagram; participants: Hacker, Victim, Web Page, WWW)
1. The hacker infects the web page with an evil script
2. The victim visits the page
3. The page injects the script into the victim's browser
4. The script does something evil
9. Enter: CSP
Declarative Source Whitelisting
„What am I allowed to fetch, and from where?“
10. Our example, revisited: What do we really need?
<html>
<head>
...import style sheets...
...import JavaScript files...
</head>
<body>
...Forum Comments...
<img src="...">
...Google +1 Button...
...Facebook Like plugin...
...Twitter message...
</body>
</html>
(Diagram labels: Database: Forum Comments; FB plugin; G+ button; Twitter; Web Server: Page, Basic JS, Style Sheets)
11. What do we really need?
1. Style sheets from our own web server
2. JavaScript from our own web server
3. JavaScript from apis.google.com
4. iframe content from plusone.google.com
5. iframe content from facebook.com
6. JavaScript from platform.twitter.com
7. iframe content from platform.twitter.com
We DON'T need inline scripts (<script> blocks written directly into the page instead of being loaded from a file, which is exactly what an XSS injection produces)!
12. CSP Deployment
Solution: an HTTP response header
Name: Content-Security-Policy*
Value: resource directives, each followed by its source list, separated by semicolons
* see CSP's limitations (as of May 2013) 1/2 for special cases/special browsers that still need a prefixed header name
13. CSP Deployment: Our recent example
If you wrote it as separate headers (don't do this: a browser enforces every Content-Security-Policy header it receives as a complete policy of its own, so the first line alone would already block the Google and Twitter scripts and all the iframes; shown for demonstration only):
Content-Security-Policy: default-src 'self';
Content-Security-Policy: style-src 'self';
Content-Security-Policy: script-src 'self' https://apis.google.com https://platform.twitter.com;
Content-Security-Policy: frame-src https://plusone.google.com https://facebook.com https://platform.twitter.com;
Correct all-in-one notation (one header, directives separated by semicolons):
Content-Security-Policy: default-src 'self'; style-src 'self'; script-src 'self' https://apis.google.com https://platform.twitter.com; frame-src https://plusone.google.com https://facebook.com https://platform.twitter.com;
14. CSP Directives
default-src: origins to fall back on for any resource type that has no more specific directive (the ones below)
script-src: origins for JavaScript files
style-src: origins for CSS stylesheets
img-src: origins for image files
font-src: origins to load web fonts from
frame-src: origins whose content may be embedded in iframes
media-src: origins of HTML5 audio and video
object-src: origins of Flash and similar plugin content
connect-src: origins to connect to using XHR, WebSockets and EventSource
15. CSP Source Lists
'none': allow nothing at all for this directive
'self': the page's own origin (same scheme, host and port), but not its subdomains
'unsafe-inline': allows inline JavaScript and CSS (inline <script> and <style> blocks, on* event handlers, style attributes)
'unsafe-eval': allows JavaScript's eval and its relatives (Function(), string arguments to setTimeout/setInterval)
http://uri.lab: a host to allow; several sources are separated by spaces; a leading *. allows all subdomains (e.g. https://*.google.com), and a bare scheme such as https: allows any host over that scheme
16. CSP Deployment's effect
Attacker finds hole? Bad enough.
Attacker injects script? Bad enough.
But:
If script does not match whitelist, it cannot
be executed.
Bad enough... for the attacker.
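The whitelist decision that slides 13 to 16 describe, as an added example in Python (this is not code from the original slides): a small model of how a CSP 1.0 browser decides whether a fetch is allowed. It parses the slide 13 header, matches URLs against source lists ('self', 'none', host sources with *. wildcards, scheme-only sources), falls back to default-src when a directive is absent, and shows why the "separate headers" variant on slide 13 is not equivalent to the combined header. The forum page's origin, https://forum.example, is an assumption, as is everything under __main__.

```python
"""Added example, not from the original slides: a small model of how a CSP 1.0
browser decides whether a fetch is allowed, using the policy from slide 13.

Assumptions (not from the slides): the forum page is served from the
hypothetical origin https://forum.example, and only the source forms the slides
list are modelled: 'none', 'self', 'unsafe-inline', scheme-only sources such as
https:, and host sources with an optional scheme and a leading *. wildcard.
"""
from urllib.parse import urlsplit

PAGE_ORIGIN = "https://forum.example"  # assumed origin of the forum page

# slide 13, "correct all-in-one notation"
COMBINED = ("default-src 'self'; style-src 'self'; "
            "script-src 'self' https://apis.google.com https://platform.twitter.com; "
            "frame-src https://plusone.google.com https://facebook.com https://platform.twitter.com;")

# slide 13, the "written separately" variant: four headers, i.e. four policies
SEPARATE = ["default-src 'self';",
            "style-src 'self';",
            "script-src 'self' https://apis.google.com https://platform.twitter.com;",
            "frame-src https://plusone.google.com https://facebook.com https://platform.twitter.com;"]


def parse_policy(header_value):
    """'default-src 'self'; script-src a b' -> {'default-src': ["'self'"], 'script-src': ['a', 'b']}."""
    policy = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if tokens:
            # CSP ignores a second occurrence of the same directive name
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def _effective_port(scheme, port):
    return port if port is not None else {"http": 80, "https": 443}.get(scheme)


def _host_matches(pattern, host):
    if pattern.startswith("*."):
        # *.google.com matches apis.google.com but not google.com itself
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return host == pattern


def source_matches(expr, url, page_origin):
    """Does one source expression from a source list allow this URL?"""
    if expr == "'none'" or expr.startswith("'unsafe-"):
        return False  # 'none' allows nothing; the unsafe-* keywords whitelist no URL
    u, p = urlsplit(url), urlsplit(page_origin)
    if u.hostname is None:
        return False
    if expr == "'self'":
        # same scheme, host and port as the page; subdomains are not 'self'
        return (u.scheme, u.hostname, _effective_port(u.scheme, u.port)) == \
               (p.scheme, p.hostname, _effective_port(p.scheme, p.port))
    if expr.endswith(":") and "/" not in expr:
        return u.scheme == expr[:-1].lower()  # scheme-source, e.g. "https:"
    # host-source: [scheme://]host[:port][/path]; CSP 1.0 does no path matching
    scheme = p.scheme  # no scheme given -> the page's own scheme is required
    if "://" in expr:
        scheme, expr = expr.split("://", 1)
    host, _, port = expr.split("/", 1)[0].partition(":")
    return (u.scheme == scheme.lower()
            and _host_matches(host.lower(), u.hostname)
            and _effective_port(u.scheme, u.port)
                == _effective_port(scheme.lower(), int(port) if port else None))


def fetch_allowed(policy, directive, url, page_origin=PAGE_ORIGIN):
    """Consult the directive's source list, falling back to default-src (slide 14).
    If neither is present the policy says nothing about this fetch and it goes through."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True
    return any(source_matches(s, url, page_origin) for s in sources)


def inline_script_allowed(policy):
    """Inline <script> blocks and on* handlers run only with 'unsafe-inline' (slide 15)."""
    sources = policy.get("script-src", policy.get("default-src"))
    return sources is None or "'unsafe-inline'" in sources


def allowed_under_all(header_values, directive, url, page_origin=PAGE_ORIGIN):
    """A response carrying several Content-Security-Policy headers is subject to
    every one of them, so a fetch has to pass each policy on its own.  This is
    why the 'separate' variant on slide 13 is not the same as the combined header."""
    return all(fetch_allowed(parse_policy(h), directive, url, page_origin) for h in header_values)


if __name__ == "__main__":
    policy = parse_policy(COMBINED)
    print(fetch_allowed(policy, "script-src", "https://apis.google.com/js/plusone.js"))  # True
    print(fetch_allowed(policy, "script-src", "http://www.evil.lab/steal.js"))            # False: not on the whitelist
    print(inline_script_allowed(policy))                                                  # False: an injected <script> is dead
    print(allowed_under_all(SEPARATE, "script-src", "https://apis.google.com/js/plusone.js"))  # False: default-src 'self' alone blocks it
```

The model stops where the slides stop: CSP 1.0 source matching knows hosts, ports, schemes and the keywords above, nothing path-based and no nonces, so the only way to let a specific inline script run under this policy is to move it into a file served from a whitelisted origin.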
17. CSP Reporting
Find weak pieces of your code: let the browser report attempted policy breaches!
Content-Security-Policy: default-src 'self'; report-uri /csp_report_parser;
The browser POSTs each violation attempt to the specified URI as a JSON document like this:
{
  "csp-report": {
    "document-uri": "http://example.org/page.html",
    "referrer": "http://evil.example.com/",
    "blocked-uri": "http://evil.example.com/evil.js",
    "violated-directive": "script-src 'self' https://apis.google.com",
    "original-policy": "script-src 'self' https://apis.google.com; report-uri http://example.org/csp_report_parser"
  }
}
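The receiving end of report-uri, as an added example in Python (not code from the original slides): it parses the JSON body the browser POSTs, rejects malformed or oversized bodies, and reduces each report to a record that can be grouped and counted, so that a flood of reports collapses into "which directive, inline or external, which host". The function names are hypothetical and the sample bodies are constructed here; the first one is the report shown on slide 17, and the report body is treated as untrusted input because blocked-uri is whatever the injected tag pointed at.

```python
"""Added example, not from the original slides: the receiving side of the
report-uri directive from slide 17.  The browser POSTs one JSON document per
violation attempt; the code below parses such a body, rejects malformed ones
and reduces each report to a record that can be grouped and counted.

Assumptions (not from the slides): the function names are hypothetical, and
the sample bodies are constructed here, the first being the report shown on
slide 17.  The body is attacker-influenceable (blocked-uri is whatever the
injected tag pointed at), so it is handled as untrusted input."""
import json
from collections import Counter
from urllib.parse import urlsplit

MAX_REPORT_BYTES = 64 * 1024
REQUIRED_FIELDS = ("document-uri", "violated-directive", "original-policy")

# constructed sample bodies: slide 17's report, an inline-script report, and two bad ones
SLIDE_17_REPORT = json.dumps({"csp-report": {
    "document-uri": "http://example.org/page.html",
    "referrer": "http://evil.example.com/",
    "blocked-uri": "http://evil.example.com/evil.js",
    "violated-directive": "script-src 'self' https://apis.google.com",
    "original-policy": "script-src 'self' https://apis.google.com; "
                       "report-uri http://example.org/csp_report_parser"}})
# an inline <script> (the slide 5/6 payload) blocked by the same policy: CSP 1.0
# sends an empty blocked-uri for inline code, later browsers the keyword "inline"
INLINE_REPORT = json.dumps({"csp-report": {
    "document-uri": "http://example.org/forum.html",
    "blocked-uri": "",
    "violated-directive": "script-src 'self' https://apis.google.com",
    "original-policy": "script-src 'self' https://apis.google.com; report-uri /csp_report_parser"}})
NOT_JSON = "<html>not a report</html>"
NO_DIRECTIVE = json.dumps({"csp-report": {"document-uri": "http://example.org/x"}})


def parse_report(body):
    """Return the csp-report object from a POST body, or raise ValueError."""
    if len(body) > MAX_REPORT_BYTES:
        raise ValueError("report too large")
    try:
        data = json.loads(body)
    except ValueError as exc:
        raise ValueError("body is not JSON") from exc
    report = data.get("csp-report") if isinstance(data, dict) else None
    if not isinstance(report, dict):
        raise ValueError("missing csp-report object")
    for field in REQUIRED_FIELDS:
        if not isinstance(report.get(field), str) or not report[field]:
            raise ValueError("missing field: " + field)
    return report


def triage(report):
    """Reduce a report to the things worth grouping on.

    kind is 'inline' for script or style written into the page itself (the XSS
    pattern from slides 5-6) and 'external' for a load from a host that is not
    on the whitelist; blocked_host is that host, or None for inline code."""
    directive = report["violated-directive"].split()[0]  # drop the source list
    blocked = report.get("blocked-uri", "")
    if blocked in ("", "inline"):
        kind, host = "inline", None
    else:
        kind = "external"
        parts = urlsplit(blocked)
        host = parts.hostname or parts.scheme or blocked  # "data" for a data: URI
    return {"directive": directive, "kind": kind, "blocked_host": host,
            "page": urlsplit(report["document-uri"]).path}


def summarize(bodies):
    """Parse a batch of report bodies; count (directive, kind, host) triples and
    the bodies that had to be rejected."""
    counts, rejected = Counter(), 0
    for body in bodies:
        try:
            t = triage(parse_report(body))
        except ValueError:
            rejected += 1
            continue
        counts[(t["directive"], t["kind"], t["blocked_host"])] += 1
    return counts, rejected


if __name__ == "__main__":
    counts, rejected = summarize([SLIDE_17_REPORT, INLINE_REPORT, NOT_JSON, NO_DIRECTIVE])
    for key, n in counts.items():
        print(n, key)
    print("rejected:", rejected)
```

An "inline" record for a page that is not supposed to carry inline scripts is the signal slide 17 is after: either a developer left a <script> block in a template, or someone is injecting one. An "external" record names the host the injected tag tried to load from, which is the first thing to look up when it is not one of your own.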
18. CSP's limitations (as of May 2013) 1/2
Browsers supporting CSP 1.0:
Firefox 4–16: partial support, use X-Content-Security-Policy as header name
Firefox 17+: seems like full support, use X-Content-Security-Policy as header name
Chrome 14+: seems to me like full support
IE 10+: very rudimentary support, see http://goo.gl/p5rke
Safari 5.1: partial support, use X-WebKit-CSP as header name
Safari 6.0+: seems to me like full support
iOS 6.0 Safari: seems to me like full support
Chrome for Android 25+: seems to me like full support
Sources: http://caniuse.com/contentsecuritypolicy and Mike West's Twitter post (see the sources slide)
19. CSP's limitations (as of May 2013) 2/2
CSP protects users against
Most Cross-Site Scripting attacks
CSP does NOT protect against:
Cross-Site Request Forgery (XSRF/CSRF), also known as session riding
Cookie Stealing (though this is a bit more difficult with CSP in place)
SQL Injection
And please use HTTPS (HTTP over SSL/TLS) wherever possible.
20. Possible Future of CSP
CSP 1.1 is currently in draft status (as of 05/2013)
It will mainly add more directives:
script-nonce: allow specific(!) inline scripts, marked with a per-response nonce
plugin-types: allow specific plugin MIME types
form-action: specify the URIs forms may be submitted to
See https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#frame-options--experimental
21. How browsers show CSP violations in their debuggers (Firebug, Developer Tools, etc.)
(Screenshots: Firefox console; Chrome console)
22. Thanks to all authors
of the following pages:
http://www.w3.org/TR/CSP/
https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#frame-options--experimental
http://www.html5rocks.com/en/tutorials/security/content-security-policy/
http://en.wikipedia.org/wiki/Cross-site_scripting
http://de.wikipedia.org/wiki/Cross-Site-Request-Forgery
http://en.wikipedia.org/wiki/Same_origin_policy
http://en.wikipedia.org/wiki/JSONP
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Introduction
http://en.wikipedia.org/wiki/Samy_worm
http://maulwuff.de/pws/2012/web20sec/vortrag.html
https://www.bsi.bund.de/cae/servlet/contentblob/476464/publicationFile/30632/WebSec_pdf
http://www.linuxforu.com/2012/03/cyber-attacks-explained-web-exploitation/
http://www.linuxforu.com/2010/09/securing-apache-part-2-xss-injections/
https://wiki.mozilla.org/index.php?title=Security/CSP/Spec&oldid=133465
https://twitter.com/mikewest/status/268721123145957377
http://people.mozilla.com/~bsterne/content-security-policy/
http://people.mozilla.com/~bsterne/content-security-policy/origin-header-proposal.html
http://de.slideshare.net/shreeraj/xss-and-csrf-with-html5
http://google-gruyere.appspot.com/part3#3__cross_site_script_inclusion
http://intothesymmetry.blogspot.de/2012/06/facebook-logout-csrf-and-oauth-2.html
http://www.kendoui.com/blogs/archive/11-10-03/using_cors_with_all_modern_browsers.aspx
23. Thank you.
@m2w2
Constructive criticism always welcome!
Disclaimer:
The author of these slides does not give and cannot give any kind of warranties or
guarantees or anything the like on the correctness of any information provided in these
slides.