Presentation materials of hasemunea (Yosuke HASEGAWA & nishimunea) for AVTOKYO2014.

1. AVTOKYO2014
HASEMUNEA (Nishimunea & Yosuke HASEGAWA)
Future of Web Security
Opened up by CSP

2. Nishimunea (Muneaki Nishimura)
Firefox OS Community, Japan
Lecturer of Security Camp 2014

3. Yosuke HASEGAWA
Shibuya.XSS / utf-8.jp
Lecturer of Security Camp 2014

4. Content Security Policy (CSP)
• Browser feature to mitigate common attacks, e.g., XSS
• Set Content-Security-Policy header in HTTP responses
• W3C candidate recommendation, as of 2012
• Next generation, CSP Level 2, is under development

5. Browser Support
• Supported by all major browsers except IE
– IE is in development for future release
• Forms of expressions
– Content-Security-Policy : the W3C specs.
– X-Content-Security-Policy : for Firefox 4-22, removed on 33
– X-WebKit-CSP : for earlier ver. of WebKit
4+ 4+ 6+5+ 25+ 4.4+N/A

6. Syntax
• When you allow to load sub resources from any origin
• If you allow loading of scripts only from jQuery's CDN
• And if you ignore any plugins
default-src *
default-src *; script-src https://code.jquery.com
default-src *; script-src https://code.jquery.com; object-src 'none'

7. CSP Directives
default-src Default policy for resources that have no specific policy
script-src Policy for script execution
object-src Policy for plugins
style-src Policy for stylesheets
img-src Policy for image files
media-src Policy for media files, e.g., <audio> and <video>
frame-src Policy for frame contents
font-src Policy for web fonts
connect-src Policy for async. connections, e.g., XMLHttpRequest

8. CSP Level2 Directives
base-uri Policy for base[href]
form-action Policy for form[action]
plugin-types Policy for executable plugin MIME types
referrer Nearly identical to meta[name=referrer]
frame-ancestors Nearly identical to X-Frame-Options
xss-protection Nearly identical to X-XSS-Protection
child-src Policy for child contents e.g., frames and workers
sandbox Sandbox that is applied to the document

9. Violation Report
• If 'report-uri' is set in CSP, browser lets the webmaster
know violation of CSP including attempts of attack
script-src 'self'; report-uri report.php
• In the report, some details of violations are included.
With them, webmaster can find causes of violation
{"csp-report":{
"original-policy":"script-src 'self'; report-uri report.php",
"script-sample":"alert(1);",
"source-file":"http://example.com/login.php" }}

10. Abusing CSP Violation Report
• In some parts of a report, HTML tags can be included
without proper escaping
• Or, with a proxy tool, attacker can send malformed reports to
webmaster's console
{"csp-report":{
"document-uri":"http://%3Cauth@example.com/%3Cpath/?q=%3Cquery,
"referrer":"http://example.com/redirector/%3Cpath/?q=%3Cquery",
"blocked-uri":"data:text/html,<script>alert(1)</script>",
"script-sample":"javascript:alert('<script>alert(1);</script>')" }}

11. DEMO