W3C Content Security Policy 1.0
One measure against web attacks. No less and no more.
@m2w2 Markus Wichmann, May 2013
What is CSP about at all?
Just some terms: Web Applications, Web Application Security, Cross-Site Scripting (XSS), XSS Prevention, Policy Breach Reporting.
Content Security Policy 1.0 is a W3C candidate recommendation as of May 2013. I expect it to become a recommendation in the near future.
Agenda
W3C Content Security Policy (CSP)
The Web without CSP
Plain old HTML
XSS (Cross-Site Scripting)
Enter: CSP
CSP Deployment
CSP Reporting
CSP Limitations
Future of CSP
How browsers show CSP violation attempts
The Web... without CSP
<html>
<head>
...import style sheets...
...import JavaScript files...
</head>
<body>
...Forum Comments...
<img src="...">
...Google +1 Button...
...Facebook Like plugin...
...Twitter message...
</body>
</html>
Diagram: the page, its basic JavaScript and its style sheets come from our own web server; the forum comments come from the database; the Facebook Like plugin, the Google +1 button and the Twitter widget are loaded from third-party origins.
XSS (Cross-Site Scripting)
Phase 1: Injection Attack.
Diagram: Server A, with a database holding the forum entries.
<html>
...
...Forum Comments...
<textarea>
</textarea>
</html>
The attacker posts this forum comment:
Hey folks, look at my evil site: http://bla.com/?q=%3Cscript%3Ealert(%27This%20is%20an%20XSS%20Vulnerability%27)%3C%2Fscript%3E
XSS Phase 2: The Victim
<html>
...
Hey folks, look at my evil site: <script>alert('This is an XSS Vulnerability')</script>
...
</html>
Diagram: Server A serves the stored comment, script included, from its database of forum comments to every visitor.
XSS Phase 3:
Send Victim to Hell – Just one Example
Diagram: the injected script pulls further code from http://www.evil.lab (evil scripts, cookie stealing, whatever the attacker wants).
<html>
<head>
...
<script src="...evil.lab...">
</head>
<body>
<script ...>
</body>
</html>
XSS recap
Sequence diagram (Hacker, Victim, Web Page):
1. The hacker injects the script into the web page.
2. The victim visits the page.
3. The page infects the victim's browser with the evil script.
4. The script does something evil.
Enter: CSP
Declarative Source Whitelisting
"What am I allowed to fetch, and from where?"
Our example, revisited:
What do we really need?
1. Style sheets from our own web server
2. JavaScript from our own web server
3. JavaScript from apis.google.com
4. iframe content from plusone.google.com
5. iframe content from facebook.com
6. JavaScript from platform.twitter.com
7. iframe content from platform.twitter.com
We DON'T need inline scripts, i.e. <script> elements without a src attribute, inline event handlers such as onclick="...", and javascript: URLs, wherever they appear in the document (not only inside <body>). The forum comments are rendered into the body, so an injected <script> there is exactly what the policy is meant to refuse.
CSP Deployment
Solution: an HTTP response header.
Name: Content-Security-Policy*
Value: resource directives separated by semicolons, each followed by a space-separated source list.
* see CSP's limitations (as of May 2013) 1/2 for the prefixed header names that some browsers need
CSP Deployment: Our recent example
If you wrote it as separate headers (don't do this; it does not mean what you want, shown for demonstration only):
Content-Security-Policy: default-src 'self';
Content-Security-Policy: style-src 'self';
Content-Security-Policy: script-src 'self' https://apis.google.com https://platform.twitter.com;
Content-Security-Policy: frame-src https://plusone.google.com https://facebook.com https://platform.twitter.com;
Why it is wrong: a browser that receives several Content-Security-Policy headers enforces each of them as a separate policy, and a load must be allowed by all of them. The first header has no script-src, so it falls back to default-src 'self' and blocks the scripts from apis.google.com and platform.twitter.com that the third header tries to allow.
Correct all-in-one notation:
Content-Security-Policy: default-src 'self'; style-src 'self'; script-src 'self' https://apis.google.com https://platform.twitter.com; frame-src https://plusone.google.com https://facebook.com https://platform.twitter.com
Two things to check before shipping this: style-src 'self' is redundant, because default-src 'self' already covers style sheets; and a host in a source list must match exactly, so https://facebook.com does not match a frame served from www.facebook.com. Whitelist the exact host the plugin actually loads from, or https://*.facebook.com for all of its subdomains.
CSP Directives
default-src: sources to fall back on for any of the directives below that is not set explicitly
style-src: origins for CSS style sheets
img-src: origins for image files
font-src: origins to load web fonts from
frame-src: origins that may be embedded in <frame> and <iframe>
media-src: origins of HTML5 <audio> and <video>
object-src: origins of Flash and similar plugins (<object>, <embed>, <applet>)
connect-src: origins to connect to using XHR, WebSockets and EventSource
CSP Source Lists
'none': match nothing at all (use it for directives you do not need, e.g. object-src 'none')
'self': the page's own origin (same scheme, host and port), but not its subdomains
'unsafe-inline': allow inline JavaScript and CSS (script and style elements without src/href, inline event handlers, javascript: URLs, style attributes)
'unsafe-eval': allow text-to-code in JavaScript: eval(), new Function(), and setTimeout/setInterval with a string argument
https://uri.lab: a host to allow; several hosts are space-separated. Hosts match exactly, so *.uri.lab is needed to cover subdomains; a bare scheme such as https: allows any host over that scheme, and * allows everything.
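The matching rules from the last three slides, as an added example in Python (not code from the slides or from any browser): a small CSP 1.0 evaluator that parses header values, applies the default-src fallback, treats every Content-Security-Policy header as a separately enforced policy, and matches 'self', scheme-only, exact-host and *.wildcard sources. It assumes a page at https://forum.example.org and reuses the slide's two header variants; the resource URLs it checks are hypothetical. Running it shows why the "separate headers" version blocks the Google script and why https://facebook.com does not cover www.facebook.com.

```python
"""CSP 1.0 source-list evaluator (added example; not code from the slides).

Models the browser's decision for one resource load:
  * every Content-Security-Policy header received is a separate policy, and
    the load must satisfy ALL of them;
  * a fetch directive that is absent falls back to default-src;
  * 'self' means the page's scheme, host and port;
  * a host-source matches the host exactly, unless it starts with "*.",
    which matches subdomains only (not the bare domain).
"""
from urllib.parse import urlsplit

_DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_policy(header_value):
    """'default-src 'self'; script-src a b' -> {'default-src': ["'self'"], 'script-src': ['a', 'b']}"""
    policy = {}
    for directive in header_value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _origin(url):
    """(scheme, host, port) with the default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, parts.hostname, parts.port or _DEFAULT_PORTS.get(scheme)


def _source_matches(source, url, page_url):
    """Does one source expression permit fetching url from a page at page_url?"""
    if source == "'self'":
        return _origin(url) == _origin(page_url)
    if source == "*":
        return True
    if source.startswith("'"):          # 'none', 'unsafe-inline', 'unsafe-eval': never match a URL
        return False
    if source.endswith(":"):            # scheme-source such as "https:"
        return urlsplit(url).scheme.lower() == source[:-1].lower()
    if "://" not in source:             # host without scheme inherits the page's scheme
        source = _origin(page_url)[0] + "://" + source
    src_scheme, src_host, src_port = _origin(source)
    url_scheme, url_host, url_port = _origin(url)
    if url_host is None or src_scheme != url_scheme or src_port != url_port:
        return False
    if src_host.startswith("*."):
        return url_host.endswith(src_host[1:])   # "*.facebook.com" matches www.facebook.com only
    return url_host == src_host


def _governing_sources(policy, directive):
    """Source list that applies to a fetch directive, honouring the default-src fallback."""
    return policy.get(directive, policy.get("default-src"))


def allows(header_values, directive, url, page_url):
    """True only if every policy (one per header) permits the load."""
    for header in header_values:
        sources = _governing_sources(parse_policy(header), directive)
        if sources is None:             # policy says nothing about this type: no restriction
            continue
        if not any(_source_matches(s, url, page_url) for s in sources):
            return False
    return True


def allows_inline(header_values, directive):
    """Inline script/style runs only if every governing source list says 'unsafe-inline'."""
    for header in header_values:
        sources = _governing_sources(parse_policy(header), directive)
        if sources is not None and "'unsafe-inline'" not in sources:
            return False
    return True


# Assumed page origin, and the two header variants from the slide.
PAGE = "https://forum.example.org/thread/42"
COMBINED = ("default-src 'self'; style-src 'self'; "
            "script-src 'self' https://apis.google.com https://platform.twitter.com; "
            "frame-src https://plusone.google.com https://facebook.com https://platform.twitter.com")
SEPARATE = [
    "default-src 'self'",
    "style-src 'self'",
    "script-src 'self' https://apis.google.com https://platform.twitter.com",
    "frame-src https://plusone.google.com https://facebook.com https://platform.twitter.com",
]

if __name__ == "__main__":
    checks = [("script-src", "https://apis.google.com/js/plusone.js"),        # hypothetical URLs
              ("script-src", "https://www.evil.lab/steal.js"),
              ("frame-src", "https://www.facebook.com/plugins/like.php")]
    for directive, url in checks:
        print(f"{directive:10} {url:45} one header: {allows([COMBINED], directive, url, PAGE)!s:5} "
              f"four headers: {allows(SEPARATE, directive, url, PAGE)}")
    print("inline <script> under the one-header policy:", allows_inline([COMBINED], "script-src"))
```

The evaluator is deliberately strict in the same places the browser is: a policy that does not mention a resource type and has no default-src leaves that type unrestricted, while 'none' and the other keywords never match a URL. Paths in source expressions are not modelled, since CSP 1.0 has none.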
CSP Deployment's effect
Attacker finds hole? Bad enough.
Attacker injects script? Bad enough.
But:
The injected <script>alert(...)</script> from our example is inline, and without 'unsafe-inline' the browser refuses to run it. A <script src="https://evil.lab/..."> is refused as well, because evil.lab is not in script-src. Either way the script does not execute.
Bad enough... for the attacker.
CSP Reporting
Find weak pieces of your code: let the browser report attempted policy breaches!
Content-Security-Policy: default-src 'self'; report-uri /csp_report_parser;
Each violation is POSTed by the browser to the report-uri (resolved relative to the page, here http://example.org/csp_report_parser) as a JSON document like this:
{
  "csp-report": {
    "document-uri": "http://example.org/page.html",
    "referrer": "http://evil.example.com/",
    "blocked-uri": "http://evil.example.com/evil.js",
    "violated-directive": "script-src 'self' https://apis.google.com",
    "original-policy": "script-src 'self' https://apis.google.com; report-uri http://example.org/csp_report_parser"
  }
}
To try a policy without breaking anything, send it as Content-Security-Policy-Report-Only instead: same syntax, violations are reported but nothing is blocked. Switch to the enforcing header once the reports have dried up.
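What the report-uri endpoint has to do with those POST bodies, as an added example in Python (not code from the slides): validate the JSON envelope, drop reports that are not about our own pages, and aggregate the rest by directive and blocked host so that a real gap in the policy stands out from browser-extension noise. The host example.org, the size limit and the sample bodies are assumptions; the samples are constructed from the slide's report.

```python
"""report-uri endpoint logic (added example; not code from the slides).

A report-uri handler receives one JSON body per violation, POSTed by the
browser. This module validates such bodies and aggregates them by directive
and blocked host, so that the few real gaps stand out from the noise.
The bodies are attacker-controllable input: size-limit them, never render
them into HTML unescaped, and expect garbage.
"""
import json
from collections import Counter
from urllib.parse import urlsplit

OUR_HOST = "example.org"            # assumption: host of the pages that send the policy
MAX_REPORT_BYTES = 8 * 1024         # assumption: anything larger is dropped unread
REQUIRED_FIELDS = ("document-uri", "violated-directive", "original-policy")
EXTENSION_SCHEMES = {"chrome-extension", "moz-extension", "safari-extension"}


def parse_report(body):
    """Return the inner "csp-report" object, or None if the body is not a usable report."""
    if len(body) > MAX_REPORT_BYTES:
        return None
    try:
        report = json.loads(body)["csp-report"]
    except (ValueError, KeyError, TypeError):
        return None
    if not isinstance(report, dict):
        return None
    if not all(isinstance(report.get(field), str) for field in REQUIRED_FIELDS):
        return None
    return report


def classify_blocked(blocked_uri):
    """Bucket a blocked-uri: a web host, a browser extension, or nothing fetched at all."""
    parts = urlsplit(blocked_uri)
    if parts.scheme in ("http", "https") and parts.hostname:
        return parts.hostname
    if parts.scheme in EXTENSION_SCHEMES:
        return "browser-extension"      # injected by the user's extension, not by your page
    return "inline"                     # no URL: an inline <script>/<style>, handler or eval


def summarize(bodies, our_host=OUR_HOST):
    """Count (directive, blocked-bucket) pairs over raw POST bodies; return (counts, dropped)."""
    counts = Counter()
    dropped = 0
    for body in bodies:
        report = parse_report(body)
        if report is None or urlsplit(report["document-uri"]).hostname != our_host:
            dropped += 1                # unparsable, or a report about somebody else's page
            continue
        directive = (report["violated-directive"].split() or ["?"])[0]
        counts[(directive, classify_blocked(report.get("blocked-uri", "")))] += 1
    return counts, dropped


# Constructed sample bodies, modelled on the report shown in the slide.
POLICY = "script-src 'self' https://apis.google.com; report-uri /csp_report_parser"
SAMPLE_BODIES = [
    json.dumps({"csp-report": {
        "document-uri": "http://example.org/page.html",
        "referrer": "http://evil.example.com/",
        "blocked-uri": "http://evil.example.com/evil.js",
        "violated-directive": "script-src 'self' https://apis.google.com",
        "original-policy": POLICY}}),
    json.dumps({"csp-report": {                       # inline script blocked: no URL to report
        "document-uri": "http://example.org/page.html",
        "blocked-uri": "",
        "violated-directive": "script-src 'self' https://apis.google.com",
        "original-policy": POLICY}}),
    json.dumps({"csp-report": {                       # a user's extension, not our bug
        "document-uri": "http://example.org/page.html",
        "blocked-uri": "chrome-extension://abcdefghijklmnop/content.js",
        "violated-directive": "script-src 'self' https://apis.google.com",
        "original-policy": POLICY}}),
    json.dumps({"csp-report": {                       # somebody else's page: drop
        "document-uri": "http://attacker.example.net/fake.html",
        "blocked-uri": "http://example.org/x.js",
        "violated-directive": "script-src 'none'",
        "original-policy": "script-src 'none'"}}),
    '{"csp-report": "garbage"}',
    "<html>not json at all</html>",
]

if __name__ == "__main__":
    counts, dropped = summarize(SAMPLE_BODIES)
    for (directive, bucket), n in counts.most_common():
        print(f"{n:3}  {directive:12} {bucket}")
    print(f"dropped {dropped} report(s)")
```

The first token of violated-directive is all you need for grouping; the rest is the source list you already know. Anyone on the internet can POST to the report endpoint, so counts from it are a debugging aid, not an alarm source, and the endpoint itself must not be covered by the session cookie's protections in a way that lets a forged report do anything but add to a counter.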
CSP's limitations (as of May 2013) 1/2
Browsers supporting CSP 1.0:
Firefox 4–16: partial support, use X-Content-Security-Policy
Firefox 17+: seems like full support, use X-Content-Security-Policy
Chrome 14+: seems to me like full support
IE 10+: very rudimentary support, see http://goo.gl/p5rke
Safari 5.1: partial support, use X-WebKit-CSP as header name
Safari 6.0+: seems to me like full support
iOS 6.0 Safari: seems to me like full support
Chrome for Android 25+: seems to me like full support
Sources: http://caniuse.com/contentsecuritypolicy and Mike West's Twitter post (linked in the references at the end)
CSP's limitations (as of May 2013) 2/2
CSP protects users against most Cross-Site Scripting attacks.
CSP does NOT protect against:
Cross-Site Request Forgery (XSRF/CSRF), also known as Session Riding
Cookie stealing (though this is a bit more difficult with CSP in place)
SQL injection
CSP also does not close the injection hole itself; it only stops the injected script from running in browsers that enforce the policy. Keep escaping your output.
And please use HTTPS wherever possible (HTTP over TLS/SSL).
Possible Future of CSP
CSP 1.1 is currently in draft status (as of 05/2013). It will mainly add more directives:
script-nonce: allow specific(!) inline scripts
plugin-types: allow specific plugin MIME types
form-action: specify the form action URIs to allow
See https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#frame-options--experimental
How browsers show CSP violations in their debuggers (Firebug, Developer Tools, etc.)
Firefox: (screenshot of the console message; not reproduced here)
Chrome: (screenshot of the console message; not reproduced here)
Thanks to all authors of the following pages:
http://www.w3.org/TR/CSP/
https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#frame-options--experimental
http://www.html5rocks.com/en/tutorials/security/content-security-policy/
http://en.wikipedia.org/wiki/Cross-site_scripting
http://de.wikipedia.org/wiki/Cross-Site-Request-Forgery
http://en.wikipedia.org/wiki/Same_origin_policy
http://en.wikipedia.org/wiki/JSONP
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Introduction
http://en.wikipedia.org/wiki/Samy_worm
http://maulwuff.de/pws/2012/web20sec/vortrag.html
https://www.bsi.bund.de/cae/servlet/contentblob/476464/publicationFile/30632/WebSec_pdf
http://www.linuxforu.com/2012/03/cyber-attacks-explained-web-exploitation/
http://www.linuxforu.com/2010/09/securing-apache-part-2-xss-injections/
https://wiki.mozilla.org/index.php?title=Security/CSP/Spec&oldid=133465
https://twitter.com/mikewest/status/268721123145957377
http://people.mozilla.com/~bsterne/content-security-policy/
http://people.mozilla.com/~bsterne/content-security-policy/origin-header-proposal.html
http://de.slideshare.net/shreeraj/xss-and-csrf-with-html5
http://google-gruyere.appspot.com/part3#3__cross_site_script_inclusion
http://intothesymmetry.blogspot.de/2012/06/facebook-logout-csrf-and-oauth-2.html
http://www.kendoui.com/blogs/archive/11-10-03/using_cors_with_all_modern_browsers.aspx
Thank you.
@m2w2
Constructive criticism always welcome!
Disclaimer: The author of these slides does not give and cannot give any kind of warranties or guarantees or anything the like on the correctness of any information provided in these slides.
