AVTOKYO2014
HASEMUNEA (Nishimunea & Yosuke HASEGAWA)
Future of Web Security
Opened up by CSP
Nishimunea (Muneaki Nishimura)
Firefox OS Community, Japan
Lecturer of Security Camp 2014
Yosuke HASEGAWA
Shibuya.XSS / utf-8.jp
Lecturer of Security Camp 2014
Content Security Policy (CSP)
• Browser feature to mitigate common attacks, e.g., XSS
• Set Content-Security-Policy header in HTTP responses
• W3C candidate recommendation, as of 2012
• Next generation, CSP Level 2, is under development
Browser Support
• Supported by all major browsers except IE
– IE support is in development for a future release
• Forms of expressions
– Content-Security-Policy : the W3C spec's header
– X-Content-Security-Policy : for Firefox 4-22, removed in Firefox 33
– X-WebKit-CSP : for earlier versions of WebKit
[Figure: browser support table; minimum supported versions shown as 4+, 4+, 6+, 5+, 25+, 4.4+ and N/A]
Syntax
• When you allow sub-resources to be loaded from any origin
default-src *
• If you allow scripts to be loaded only from jQuery's CDN
default-src *; script-src https://code.jquery.com
• And if you additionally block all plugins
default-src *; script-src https://code.jquery.com; object-src 'none'
CSP Directives
default-src : Default policy for resources that have no specific policy
script-src : Policy for script execution
object-src : Policy for plugins
style-src : Policy for stylesheets
img-src : Policy for image files
media-src : Policy for media files, e.g., <audio> and <video>
frame-src : Policy for frame contents
font-src : Policy for web fonts
connect-src : Policy for asynchronous connections, e.g., XMLHttpRequest
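As an added example (not from the slides), the following Python evaluates a load request against a policy written in the syntax above: it parses the header value, applies the default-src fallback described in the directive table, and matches the source-expression forms the deck uses ('none', *, 'self', host sources) plus scheme, wildcard-host, port and path forms, which go beyond what the slides show. The names parse_policy, source_matches and is_allowed are this example's own, not a browser or library API.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def parse_policy(header: str) -> dict:
    """Parse a Content-Security-Policy header value into
    {directive-name: [source expressions]}.  Directives are separated by ';',
    a directive's sources by whitespace; names are case-insensitive and only
    the first occurrence of a duplicated directive counts."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _effective_port(u):
    return u.port if u.port is not None else DEFAULT_PORTS.get(u.scheme)


def _same_origin(a: str, b: str) -> bool:
    ua, ub = urlsplit(a), urlsplit(b)
    return (ua.scheme, ua.hostname, _effective_port(ua)) == \
           (ub.scheme, ub.hostname, _effective_port(ub))


def source_matches(expr: str, url: str, page_origin: str) -> bool:
    """Does one source expression admit url?  Covers the forms used on the
    slides ('none', *, 'self', https://host) plus scheme sources (https:),
    wildcard hosts (*.example.com), explicit ports and path prefixes."""
    expr = expr.lower()
    u = urlsplit(url)
    if expr == "'none'":
        return False
    if expr == "*":
        # CSP 2 rule: the wildcard never admits data:, blob: or filesystem:
        # URLs; those need an explicit scheme source.
        return u.scheme not in ("data", "blob", "filesystem")
    if expr == "'self'":
        return _same_origin(url, page_origin)
    if expr.endswith(":") and "/" not in expr:
        return u.scheme == expr[:-1]  # scheme source, e.g. https:
    # host source: [scheme://]host[:port][/path]
    e = urlsplit(expr if "://" in expr else "//" + expr)
    scheme = e.scheme or urlsplit(page_origin).scheme  # scheme-less host inherits the page's scheme
    host = e.hostname or ""
    if u.scheme != scheme:
        return False
    if host.startswith("*."):
        if not (u.hostname or "").endswith(host[1:]):  # "*.example.com" -> ".example.com"
            return False
    elif u.hostname != host:
        return False
    if e.port is not None and _effective_port(u) != e.port:
        return False
    if e.path:  # a path ending in '/' is a prefix, anything else must match exactly
        return u.path.startswith(e.path) if e.path.endswith("/") else u.path == e.path
    return True


def is_allowed(policy: dict, directive: str, url: str, page_origin: str) -> bool:
    """Would a load governed by `directive` be permitted?  A fetch directive
    that is absent falls back to default-src; if neither is present the load
    is unrestricted."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True
    return any(source_matches(s, url, page_origin) for s in sources)


if __name__ == "__main__":
    # The third policy from the Syntax slide, evaluated for a page on http://example.com
    policy = parse_policy("default-src *; script-src https://code.jquery.com; object-src 'none'")
    for directive, url in [("script-src", "https://code.jquery.com/jquery.js"),
                           ("script-src", "https://other.example/x.js"),
                           ("img-src", "https://cdn.example.net/logo.png"),
                           ("object-src", "https://code.jquery.com/player.swf")]:
        verdict = "allow" if is_allowed(policy, directive, url, "http://example.com") else "block"
        print(f"{directive:11} {url} -> {verdict}")
```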
CSP Level 2 Directives
base-uri : Policy for base[href]
form-action : Policy for form[action]
plugin-types : Policy for executable plugin MIME types
referrer : Nearly identical to meta[name=referrer]
frame-ancestors : Nearly identical to X-Frame-Options
xss-protection : Nearly identical to X-XSS-Protection
child-src : Policy for child contents, e.g., frames and workers
sandbox : Sandbox that is applied to the document
Violation Report
• If 'report-uri' is set in the CSP, the browser lets the webmaster know about CSP violations, including attack attempts
script-src 'self'; report-uri report.php
• The report includes some details of the violation. With them, the webmaster can find the cause of the violation
{"csp-report":{
"original-policy":"script-src 'self'; report-uri report.php",
"script-sample":"alert(1);",
"source-file":"http://example.com/login.php" }}
Abusing CSP Violation Report
• In some parts of a report, HTML tags can be included without proper escaping
• Or, with a proxy tool, an attacker can send malformed reports to the webmaster's console
{"csp-report":{
"document-uri":"http://%3Cauth@example.com/%3Cpath/?q=%3Cquery",
"referrer":"http://example.com/redirector/%3Cpath/?q=%3Cquery",
"blocked-uri":"data:text/html,<script>alert(1)</script>",
"script-sample":"javascript:alert('<script>alert(1);</script>')" }}
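An added example, not the talk's report.php, of a report receiver that treats every field as attacker-controlled: it rejects oversized or non-JSON bodies, keeps only known fields with length limits, allows only http/https in the URI fields that must carry a page URL, and HTML-escapes everything when rendering the console row. The forged report from the slide is embedded as a constructed sample input; parse_report, render_row and InvalidReport are this example's own names.

```python
import html
import json
from urllib.parse import urlsplit

# Fields the receiver is willing to store; anything else in a report is dropped.
KNOWN_FIELDS = ("document-uri", "referrer", "blocked-uri", "violated-directive",
                "effective-directive", "original-policy", "source-file",
                "line-number", "column-number", "script-sample", "status-code")
MAX_LEN = 1024
# These fields must name a page; anything but http/https there is a forged report.
# blocked-uri is deliberately not included: data:, inline and other schemes are
# legitimate there, so it is kept verbatim and neutralised at render time.
URL_FIELDS = ("document-uri", "referrer", "source-file")
ALLOWED_SCHEMES = {"http", "https"}

# Constructed sample: the malformed report shown on the slide, as a POST body.
FORGED_REPORT = json.dumps({"csp-report": {
    "document-uri": "http://%3Cauth@example.com/%3Cpath/?q=%3Cquery",
    "referrer": "http://example.com/redirector/%3Cpath/?q=%3Cquery",
    "blocked-uri": "data:text/html,<script>alert(1)</script>",
    "script-sample": "javascript:alert('<script>alert(1);</script>')"}}).encode()


class InvalidReport(ValueError):
    """Raised for any body the receiver refuses to store."""


def parse_report(body: bytes, max_body: int = 16 * 1024) -> dict:
    """Parse one POSTed CSP report into a dict of known, length-limited fields.
    A report can be produced by any HTTP client, not only a browser, so nothing
    here trusts its contents."""
    if len(body) > max_body:
        raise InvalidReport("body too large")
    try:
        doc = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise InvalidReport(f"not JSON: {exc}") from None
    report = doc.get("csp-report") if isinstance(doc, dict) else None
    if not isinstance(report, dict):
        raise InvalidReport("missing csp-report object")
    clean = {}
    for key in KNOWN_FIELDS:
        if key not in report:
            continue
        value = report[key]
        if isinstance(value, bool) or not isinstance(value, (str, int)):
            raise InvalidReport(f"{key}: unexpected type")
        value = str(value)[:MAX_LEN]
        if key in URL_FIELDS and value:
            scheme = urlsplit(value).scheme.lower()
            if scheme not in ALLOWED_SCHEMES:
                raise InvalidReport(f"{key}: scheme {scheme!r} not allowed")
        # URI fields are stored exactly as received (no percent-decoding): the
        # slide's %3C only becomes '<' if the console decodes before escaping.
        clean[key] = value
    if "document-uri" not in clean:
        raise InvalidReport("document-uri required")
    return clean


def render_row(clean: dict) -> str:
    """Render one stored report as an HTML table row for the console.
    html.escape turns every '<', '>', '&' and quote into an entity, so the
    <script> text carried in blocked-uri and script-sample is shown, not run."""
    cells = "".join(f"<td>{html.escape(clean.get(k, ''))}</td>" for k in KNOWN_FIELDS)
    return f"<tr>{cells}</tr>"


if __name__ == "__main__":
    stored = parse_report(FORGED_REPORT)
    print(render_row(stored))
```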
DEMO