Content Security Policy
OR HOW TO MAKE DEVELOPERS EVEN MORE LAZIER
RIYAZ WALIKAR
whoami
• Security evangelist
• Do not work at a Big 4
• One of the 3 OWASP Bangalore chapter leaders
• Extremely talkative
Same Origin Policy
• So you own http://banana.com
• Code from http://potato.com should not be able to access data from http://banana.com
• The browser's sandbox and origin checks enforce this separation
• XSS bypasses SOP: script injected into a banana.com page runs with the banana.com origin, so the policy is satisfied and the attacker gets the data anyway
For the love of XSS
• Reflected, Stored, DOM based
Content Security Policy

"The core issue exploited by XSS attacks is the browser's inability to distinguish between script that's intended to be part of your application, and script that's been maliciously injected by a third-party."
http://www.html5rocks.com/en/tutorials/security/content-security-policy/
I had you at Header
• Content Security Policy (CSP) defines the Content-Security-Policy HTTP response header
• Whitelist the sources of trusted content, script sources first of all
• Even if the page is vulnerable to XSS, an injected script will not execute, because it matches no whitelisted source in the header
• CSP is a second line of defence, not a replacement for output encoding: the policy only protects users whose browsers enforce it, and only as far as the whitelist is tight
Building the policy
• So you trust scripts only from http://banana.com and your own domain (no inline scripts)
Content-Security-Policy: script-src 'self' http://banana.com
• So you want to load images only from http://potato.com and Flash content from your own domain. Also, absolutely no scripts.
Content-Security-Policy: script-src 'none'; img-src http://potato.com; object-src 'self'
• Neither policy sets default-src, so every resource type not named (styles, fonts, frames, XHR targets) stays unrestricted; in practice start from default-src 'self' and open up one directive at a time
CSP Directives
• default-src: the fallback source list for every fetch directive that is not set explicitly, covering JavaScript, images, CSS, fonts, AJAX requests, frames and HTML5 media
• script-src: valid sources of JavaScript
• style-src: valid sources of CSS (stylesheets)
• img-src: valid sources of images
• connect-src: origins that XMLHttpRequest (AJAX), WebSocket and EventSource may connect to
• font-src: valid sources of fonts
• object-src: valid sources of plugins (for example Flash, the <embed>, <object> and <applet> tags)
• media-src: valid sources of audio and video
• child-src: valid sources for workers and embedded frame contents; in CSP Level 2 frame-src is deprecated and child-src should be used (more about this later; CSP Level 3 later restored frame-src and added worker-src, with child-src remaining only as their fallback)
• sandbox: see below
• report-uri: instructs the browser to POST a JSON report of each policy violation to the specified URI

A directive without its own list and without default-src is unrestricted. The same policy can be sent as Content-Security-Policy-Report-Only to collect violation reports without blocking anything, which is how a policy is normally tuned before it is enforced.
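report-uri is only useful if something reads the reports. As an added example (not code from the talk), the following Node.js snippet parses the JSON body a browser POSTs to the report endpoint (Content-Type: application/csp-report) and sorts violations into triage categories: an inline-script violation on a page with user input is a candidate XSS attempt, a third-party load is usually a browser extension or a forgotten tracker, and a same-origin block means the policy itself is too tight. The three sample reports are constructed; the set of placeholder values treated as "inline" ('self', 'inline', empty string) is an assumption meant to cover the variants browsers have used across CSP levels.

```javascript
// Added example (not from the talk): parsing and triaging CSP violation
// reports POSTed to report-uri. Sample reports below are constructed.

// Normalise the "csp-report" object. document-uri, blocked-uri,
// violated-directive and original-policy exist since CSP 1.0; CSP 2 added
// effective-directive (the directive actually enforced after default-src
// fallback), source-file and line-number, which are kept when present.
function parseReport(bodyText) {
  const wrapper = JSON.parse(bodyText);
  const r = wrapper['csp-report'];
  if (!r || typeof r !== 'object') throw new Error('not a CSP report');
  return {
    documentUri: r['document-uri'] || '',
    blockedUri: r['blocked-uri'] || '',
    directive: (r['effective-directive'] || r['violated-directive'] || '').split(/\s+/)[0],
    originalPolicy: r['original-policy'] || '',
    sourceFile: r['source-file'] || '',
    lineNumber: r['line-number'] || 0,
  };
}

// Inline violations carry a placeholder instead of a URL; the exact
// placeholder has varied by browser and CSP level (assumption: 'self',
// 'inline' or empty), so all three are treated alike here.
const INLINE_PLACEHOLDERS = new Set(['', 'self', 'inline']);

function classify(report) {
  if (report.directive === 'script-src' && report.blockedUri === 'eval') return 'eval';
  if (INLINE_PLACEHOLDERS.has(report.blockedUri)) {
    return report.directive === 'script-src' ? 'inline-script' : 'inline-other';
  }
  let blocked, doc;
  try {
    blocked = new URL(report.blockedUri);
    doc = new URL(report.documentUri);
  } catch {
    return 'unparseable';
  }
  return blocked.origin === doc.origin ? 'same-origin-load' : 'third-party-load';
}

// Count (directive, category, blocked origin) triples so a flood of identical
// reports from one extension or one broken CDN collapses into a single line.
function summarize(bodyTexts) {
  const counts = new Map();
  for (const text of bodyTexts) {
    const rep = parseReport(text);
    let origin = rep.blockedUri;
    try { origin = new URL(rep.blockedUri).origin; } catch { /* keep placeholder */ }
    const key = `${rep.directive} | ${classify(rep)} | ${origin}`;
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return counts;
}

// Constructed sample reports: shape follows the spec, values are made up.
const SAMPLE_REPORTS = [
  JSON.stringify({ 'csp-report': {
    'document-uri': 'https://app.example/search?q=x',
    'referrer': '',
    'blocked-uri': 'inline',
    'violated-directive': "script-src 'self'",
    'effective-directive': 'script-src',
    'original-policy': "default-src 'self'; report-uri /csp-report",
  } }),
  JSON.stringify({ 'csp-report': {
    'document-uri': 'https://app.example/',
    'blocked-uri': 'http://potato.com/tracker.js',
    'violated-directive': "default-src 'self'",
    'original-policy': "default-src 'self'; report-uri /csp-report",
  } }),
  JSON.stringify({ 'csp-report': {
    'document-uri': 'https://app.example/',
    'blocked-uri': 'https://app.example/legacy/widget.css',
    'violated-directive': "style-src 'none'",
    'original-policy': "default-src 'self'; style-src 'none'; report-uri /csp-report",
  } }),
];

for (const [key, n] of summarize(SAMPLE_REPORTS)) console.log(`${n}x ${key}`);
```

In a real endpoint the body is read from the POST request and passed to parseReport; keep the report handler itself free of script-src restrictions on its own origin, and rate-limit it, since anyone can POST arbitrary JSON to it.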
CSP Source Declarations

  Source value          Meaning
  *                     Wildcard; allows any origin (CSP Level 2 excludes data:, blob: and filesystem: URLs from it)
  'self'                The page's own origin (same scheme, host and port)
  'none'                Nothing may load for this directive
  domain.example.com    One host, declared explicitly
  *.example.com         Any subdomain of example.com; does not match example.com itself
  https://example.com   Exact match including the scheme
  https:                Any host, but only over https
  data:                 data: URIs (e.g. a Base64-encoded image); in script-src this is as bad as 'unsafe-inline', since an attacker can inject <script src="data:text/javascript,..."> 
unsafe-inline
• Once script-src or style-src is declared, inline <script> blocks, inline event handlers (onclick="..."), javascript: URLs and inline <style> blocks or style="" attributes are blocked
• You can add 'unsafe-inline' to get them back, but inline script is precisely what CSP was designed to stop: with 'unsafe-inline' an injected <script>alert(1)</script> runs exactly as before
• Move scripts into external files served from a whitelisted origin, or use the nonces and hashes of CSP Level 2 (see the CSP 2.0 slide)
unsafe-eval
• With script-src set, CSP blocks eval(), new Function() and string arguments to setTimeout()/setInterval()
• To enable them explicitly, add 'unsafe-eval' to the script-src directive
• Not advised! Libraries that build code from strings (template engines are the usual culprit) are the reason this gets added; prefer precompiled templates over a policy exception
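To make the matching rules on these slides concrete, here is an added example (not code from the talk): a small evaluator in JavaScript that parses a Content-Security-Policy header value and answers whether a given URL load, inline block or eval() would be allowed, following the CSP Level 2 matching rules (default-src fallback, 'self', 'none', scheme-only sources, wildcard subdomains, ports; path matching is left out). The page origin https://app.example and the URLs tested are assumptions for the demo; the two policies are the ones from the "Building the policy" slide.

```javascript
// Added example (not from the talk): a minimal evaluator for CSP Level 1/2
// source lists, showing how a browser decides whether a load is allowed.
// The page origin and policies below are constructed for the demo.

// Fetch directives that fall back to default-src when not set themselves.
const FETCH_DIRECTIVES = new Set([
  'script-src', 'style-src', 'img-src', 'connect-src',
  'font-src', 'object-src', 'media-src', 'child-src',
]);

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };
// [scheme://][*.]host[:port|*][/path]; the path-part is captured but ignored.
const HOST_SOURCE = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^\s:\/*']+)(?::(\d+|\*))?(\/\S*)?$/i;

// "script-src 'self' http://banana.com; img-src http://potato.com"
//   -> Map { 'script-src' => ["'self'", 'http://banana.com'], 'img-src' => [...] }
// A repeated directive name is ignored after its first occurrence, as browsers do.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Source list governing a directive: its own, else default-src, else null.
// null means unrestricted, the gap a policy without default-src leaves open.
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (FETCH_DIRECTIVES.has(directive) && policy.has('default-src')) {
    return policy.get('default-src');
  }
  return null;
}

// One source expression against one URL, relative to the page's own origin.
function sourceMatches(expr, url, selfOrigin) {
  const self = new URL(selfOrigin);
  if (expr === "'none'") return false;
  if (expr === "'self'") return url.origin === self.origin;
  if (expr.startsWith("'")) return false;            // other keywords never match a URL
  if (expr === '*') return !['data:', 'blob:', 'filesystem:'].includes(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return url.protocol === expr.toLowerCase();
  const m = HOST_SOURCE.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme) {
    if (url.protocol !== `${scheme.toLowerCase()}:`) return false;
  } else if (self.protocol === 'http:') {            // http page: http or https loads
    if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  } else if (url.protocol !== self.protocol) {       // https page: https only
    return false;
  }
  const h = url.hostname.toLowerCase();
  const want = host.toLowerCase();
  if (wildcard ? !h.endsWith(`.${want}`) : h !== want) return false;
  const urlPort = url.port || DEFAULT_PORTS[url.protocol] || '';
  if (port) return port === '*' || urlPort === port;
  return url.port === '';                            // no port-part: default port only
}

function allowsUrl(policy, directive, urlString, selfOrigin) {
  const sources = effectiveSources(policy, directive);
  if (sources === null) return true;
  const url = new URL(urlString);
  return sources.some((expr) => sourceMatches(expr, url, selfOrigin));
}

// Inline <script>/<style>, on* handlers and javascript: URLs need 'unsafe-inline'.
function allowsInline(policy, directive) {
  const sources = effectiveSources(policy, directive);
  return sources === null || sources.includes("'unsafe-inline'");
}

// eval(), new Function() and string timers need 'unsafe-eval' in script-src.
function allowsEval(policy) {
  const sources = effectiveSources(policy, 'script-src');
  return sources === null || sources.includes("'unsafe-eval'");
}

// Constructed demo: the two policies from the "Building the policy" slide,
// evaluated for a page assumed to be served from https://app.example.
const SELF = 'https://app.example';
const policyA = parsePolicy("script-src 'self' http://banana.com");
const policyB = parsePolicy("script-src 'none'; img-src http://potato.com; object-src 'self'");

console.log(allowsUrl(policyA, 'script-src', 'http://banana.com/app.js', SELF));  // true
console.log(allowsUrl(policyA, 'script-src', 'http://potato.com/evil.js', SELF)); // false
console.log(allowsInline(policyA, 'script-src'));                                 // false
console.log(allowsUrl(policyA, 'img-src', 'http://potato.com/pixel.gif', SELF));  // true: no default-src
console.log(allowsUrl(policyB, 'script-src', `${SELF}/main.js`, SELF));           // false: 'none'
```

The fourth line of output is the point of the default-src caveat: policy A says nothing about images, so the browser lets any image through. The wildcard and scheme-only rules also show why `*.example.com` does not cover `example.com` itself and why a host listed without a scheme is only reachable over https from an https page.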
sandbox
• If present, the browser treats the page as if it were loaded inside an <iframe> with the sandbox attribute
• This severely restricts the page: JavaScript, form submission, plugins and objects, popups and top-level navigation are disabled, and the page is given a unique (opaque) origin
• An empty value keeps every restriction in place; relax selectively with allow-forms, allow-same-origin, allow-scripts and allow-top-navigation
DEMO TIME

Sources: caniuse.com/contentsecuritypolicy & Mozilla
CSP 2.0!
• Several enhancements, including inline scripts that carry a cryptographic nonce or whose content matches a hash listed in the policy
Content-Security-Policy: script-src 'nonce-AY778asa229b2DEADBEEF'
• The matching markup is <script nonce="AY778asa229b2DEADBEEF">; the nonce must be freshly random for every response, or an attacker who has seen one page can reuse it
• When a nonce or hash source is present, 'unsafe-inline' is ignored, so both can be listed to keep older browsers working while CSP 2 browsers get the strict behaviour
http://www.w3.org/TR/CSP2/
I read the following to make this presentation
• http://www.w3.org/TR/2012/CR-CSP-20121115/
• http://www.html5rocks.com/en/tutorials/security/content-security-policy/
• http://content-security-policy.com/
• http://caniuse.com/#feat=contentsecuritypolicy
• https://html.spec.whatwg.org/multipage/browsers.html#sandboxing-flag-set
• http://www.w3.org/TR/CSP2/
Riyaz Walikar
http://www.riyazwalikar.com
@riyazwalikar
@wincmdfu

Csp july2015
