Future of Web Security Opened up by CSP

Presentation materials of hasemunea (Yosuke HASEGAWA & nishimunea) for AVTOKYO2014.

AVTOKYO2014
HASEMUNEA (Nishimunea & Yosuke HASEGAWA)
Future of Web Security Opened up by CSP
Nishimunea (Muneaki Nishimura)
Firefox OS Community, Japan
Lecturer of Security Camp 2014
Yosuke HASEGAWA
Shibuya.XSS / utf-8.jp
Lecturer of Security Camp 2014
Content Security Policy (CSP)
• Browser feature to mitigate common attacks, e.g., XSS
• Set the Content-Security-Policy header in HTTP responses
• W3C candidate recommendation, as of 2012
• Next generation, CSP Level 2, is under development
Browser Support
• Supported by all major browsers except IE
  – IE is in development for future release
• Forms of expression
  – Content-Security-Policy: the W3C spec
  – X-Content-Security-Policy: for Firefox 4-22, removed in 33
  – X-WebKit-CSP: for earlier versions of WebKit
[Figure: minimum supporting version per browser; browser labels lost in extraction: 4+ 4+ 6+ 5+ 25+ 4.4+ N/A]
Syntax
• When you allow sub resources to be loaded from any origin:
  default-src *
• If you allow scripts to be loaded only from jQuery's CDN:
  default-src *; script-src https://code.jquery.com
• And if you additionally disallow any plugins:
  default-src *; script-src https://code.jquery.com; object-src 'none'
CSP Directives
default-src   Default policy for resources that have no specific policy
script-src    Policy for script execution
object-src    Policy for plugins
style-src     Policy for stylesheets
img-src       Policy for image files
media-src     Policy for media files, e.g., <audio> and <video>
frame-src     Policy for frame contents
font-src      Policy for web fonts
connect-src   Policy for async. connections, e.g., XMLHttpRequest
CSP Level 2 Directives
base-uri         Policy for base[href]
form-action      Policy for form[action]
plugin-types     Policy for executable plugin MIME types
referrer         Nearly identical to meta[name=referrer]
frame-ancestors  Nearly identical to X-Frame-Options
xss-protection   Nearly identical to X-XSS-Protection
child-src        Policy for child contents, e.g., frames and workers
sandbox          Sandbox that is applied to the document
Violation Report
• If 'report-uri' is set in the CSP, the browser lets the webmaster know about violations of the CSP, including attack attempts
  script-src 'self'; report-uri report.php
• The report includes some details of the violation; with them, the webmaster can find the cause of the violation
  {"csp-report":{
    "original-policy":"script-src 'self'; report-uri report.php",
    "script-sample":"alert(1);",
    "source-file":"http://example.com/login.php"
  }}
Abusing CSP Violation Report
• In some parts of a report, HTML tags can be included without proper escaping
• Or, with a proxy tool, an attacker can send malformed reports to the webmaster's console
  {"csp-report":{
    "document-uri":"http://%3Cauth@example.com/%3Cpath/?q=%3Cquery",
    "referrer":"http://example.com/redirector/%3Cpath/?q=%3Cquery",
    "blocked-uri":"data:text/html,<script>alert(1)</script>",
    "script-sample":"javascript:alert('<script>alert(1);</script>')"
  }}
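As an added example (not part of the slide deck), a Python report-uri handler that treats a violation report the way a webmaster's console should: unknown fields are dropped, values are length-capped, and every cell is HTML-escaped before display, so the tags in a report like the one above are shown as text rather than rendered. The field names follow the CSP report format; the sample body is constructed here to mirror slide 10.

```python
import html
import json

# Fields the CSP 1.0 / Level 2 report format defines; anything else is dropped.
ALLOWED_FIELDS = (
    "document-uri", "referrer", "blocked-uri", "violated-directive",
    "effective-directive", "original-policy", "source-file",
    "line-number", "column-number", "status-code", "script-sample",
)
MAX_FIELD_LEN = 1024  # cap so a hostile report cannot bloat storage or the console


class ReportError(ValueError):
    """Raised when a POST body is not a usable CSP violation report."""


def parse_csp_report(body: bytes) -> dict:
    """Turn a raw report-uri POST body into a dict of known, length-capped string fields."""
    try:
        doc = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise ReportError("body is not valid JSON") from exc
    report = doc.get("csp-report") if isinstance(doc, dict) else None
    if not isinstance(report, dict):
        raise ReportError("missing csp-report object")
    clean = {}
    for key in ALLOWED_FIELDS:
        value = report.get(key)
        if value is None:
            continue
        if not isinstance(value, (str, int)):
            raise ReportError(f"field {key!r} has unexpected type")
        clean[key] = str(value)[:MAX_FIELD_LEN]
    return clean


def render_report_row(report: dict) -> str:
    """One HTML table row for the webmaster's console; every cell is escaped,
    so a <script> in blocked-uri or script-sample is displayed, never executed."""
    cells = "".join(
        f"<td>{html.escape(report.get(key, ''), quote=True)}</td>" for key in ALLOWED_FIELDS
    )
    return "<tr>" + cells + "</tr>"


# Constructed sample modelled on the hostile report in slide 10 (not a real capture).
HOSTILE_BODY = json.dumps({"csp-report": {
    "document-uri": "http://%3Cauth@example.com/%3Cpath/?q=%3Cquery",
    "blocked-uri": "data:text/html,<script>alert(1)</script>",
    "script-sample": "javascript:alert('<script>alert(1);</script>')",
    "not-a-csp-field": "<img src=x onerror=alert(1)>",
}}).encode()
```

Calling render_report_row(parse_csp_report(HOSTILE_BODY)) yields a row in which the script tags appear as &lt;script&gt; and the unknown field is absent.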
DEMO