CSP - the panacea for XSS - OWASP (slide transcript)
CSP - the panacea for XSS or placebo?
Taras Ivashchenko, Information Security Officer
$ whoami
• Information security officer at Yandex's product security team
• Web application security researcher
• Yet another security blogger: www.oxdef.info
XSS
XSS
Why again about XSS?!
• Still one of the most common web application security issues
• Ok, but please don't show me those alerts
Prevention
• Input validation
• Output escaping depending on context
• httponly session cookie
• Browser based solutions: IE filter, NoScript?
CSP
Content Security Policy
• Browser side mechanism to mitigate XSS attacks
• Source whitelists for client side resources of a web application
• Content-Security-Policy HTTP header
• W3C Candidate Recommendation
How it Works
HTML Template:
<h1>Test XSS page</h1><h3>Hello, <i> {{ foo | safe }}!</i></h3>
Demo URL:
http://127.0.0.1:5000/xss?foo= <img src="http://www.oxdef.info/exploit.png">
Without CSP
CSP in Action
Policy:
Content-Security-Policy: img-src 'self'
Control JavaScript
Policy:
Content-Security-Policy: default-src 'self'; script-src 'self' static.example.com
HTML:
<!doctype html><html><head> <meta charset="utf-8"> <script src="/js/jquery-1.10.2.js"></script> <script src="//evil.net/evil.js"></script>...
console.log:
Refused to load the script 'http://evil.net/evil.js' because it violates...
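As an added example (not code from the talk), a minimal Python matcher that reproduces how a browser resolves the two policies shown in these slides: directive lookup with default-src fallback, 'self', host sources with a leading wildcard, and scheme sources such as data:. It deliberately ignores ports, paths and the scheme check on host sources.

```python
from urllib.parse import urlsplit


def parse_policy(header):
    """Split "default-src 'self'; script-src a b" into {directive: [sources]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def _host_matches(pattern, host):
    # '*.example.com' covers any subdomain but not example.com itself
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return pattern == host


def is_allowed(header, directive, resource_url, page_url):
    """True if resource_url may load under `directive` on a page at page_url."""
    policy = parse_policy(header)
    # A missing directive falls back to default-src; with neither, CSP allows
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True
    page = urlsplit(page_url)
    res = urlsplit(resource_url)
    if not res.scheme:  # '/js/x.js' or '//evil.net/x.js': inherit page scheme/origin
        res = res._replace(scheme=page.scheme, netloc=res.netloc or page.netloc)
    for src in sources:
        src = src.lower()
        if src == "'none'":
            return False
        if src == "'self'":
            if (res.scheme, res.netloc) == (page.scheme, page.netloc):
                return True
        elif src == "*":
            return True
        elif src.endswith(":"):  # scheme source such as data:
            if res.scheme == src[:-1]:
                return True
        elif _host_matches(src, res.hostname or ""):
            return True
    return False
```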
Unsafe-inline and unsafe-eval
• unsafe-inline allows:
  – Inline scripts and styles
  – onclick="..."
  – javascript: URLs
  – You should not include it in the policy!
• unsafe-eval allows:
  – eval()
  – new Function
  – setTimeout, setInterval with a string as the first argument
  – You should not include it in the policy!
Other Directives
• media-src – audio and video
• object-src – plugin objects (e.g. Flash)
• frame-src – iframe sources
• font-src – font files
• connect-src – XMLHttpRequest, WebSockets, EventSource
Reporting
Policy:
Content-Security-Policy-Report-Only: ...; report-uri csp.php
Log contents:
{
  "csp-report": {
    "violated-directive": "img-src data: ... *.example.com",
    "referrer": "",
    "blocked-uri": "https://static.doubleclick.net",
    "document-uri": "https://example.com/foo",
    "original-policy": "default-src ...; report-uri csp.php"
  }
}
Browser Support
(Version numbers per browser; the browser icons from the slide did not survive extraction.)
• Content-Security-Policy: 25+, 23+, 1.7+
• X-Content-Security-Policy: 4 - 22, 10 (sandbox)
• X-WebKit-CSP: 14 - 25, 5.1+
• Mobile browsers: 7.0+, 28+, 23+
Bypass
• Manipulating HTTP response headers
• Implementation bugs: MFSA 2012-36: Content Security Policy inline-script bypass
• JSONP
• XSS without JS
See in the Next Version: nonce-source
Policy:
Content-Security-Policy: script-src 'self' nonce-Nc3n83cnSAd
HTML Code:
<!doctype html><html><head> <meta charset="utf-8"> <script src="/js/jquery.min.js"></script></head><body> <script nonce="Nc3n83cnSAd"> // Some inline code here </script>
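An added example (not from the slides) of the nonce-source idea in Python: a fresh nonce is minted for every response, the policy and the page's own inline script carry the same value, and a check walks the rendered HTML to see which script tags the policy would execute. The slide shows the draft spelling nonce-Nc3n83cnSAd; the final CSP Level 2 grammar quotes it as 'nonce-...', which is the form used here.

```python
import secrets
from html.parser import HTMLParser


def mint_nonce():
    # 128 bits of randomness, base64url-encoded; must differ on every response,
    # otherwise an attacker can read one page and reuse the value
    return secrets.token_urlsafe(16)


def render(inline_js, untrusted_html, nonce):
    """Build the CSP header and a page whose own inline script carries the nonce.
    untrusted_html stands for content reflected without escaping, like the
    {{ foo | safe }} template variable in the demo application."""
    header = "Content-Security-Policy: script-src 'self' 'nonce-%s'" % nonce
    html = ('<!doctype html><html><head><meta charset="utf-8">'
            '<script nonce="%s">%s</script></head>'
            '<body>Hello, <i>%s</i></body></html>' % (nonce, inline_js, untrusted_html))
    return header, html


class _ScriptNonces(HTMLParser):
    """Collect the nonce attribute (or None) of every <script> tag, in order."""
    def __init__(self):
        super().__init__()
        self.nonces = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.nonces.append(dict(attrs).get("nonce"))


def inline_scripts_allowed(header, html):
    """Per <script> tag: True if its nonce matches a nonce-source in the header."""
    sources = header.split(":", 1)[1].split()
    allowed = {s[len("'nonce-"):-1] for s in sources if s.startswith("'nonce-")}
    parser = _ScriptNonces()
    parser.feed(html)
    return [n is not None and n in allowed for n in parser.nonces]
```

The injected script in the body has no way to learn the per-response nonce, so it is the one the browser refuses.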
Case-study
About the Service
• One of the most popular mail services in Russia
• Over 12 million email messages daily
• Lots of client side code and hosts to communicate with
CSP Tester
• Extension for Chromium based browsers
• Simple and Advanced modes
• Content-Security-Policy and X-WebKit-CSP headers
• Help links for directives
• https://github.com/oxdef/csp-tester
CSP Tester in action
The Plan
1. Test it on the corporate mail
2. It's ok - let's try it on production in Report-Only mode
3. Analyze tons of logs ;-(
4. Fix bugs and improve the policy
5. Switch to block mode
6. Profit! :-)
Changes in service
Try to remove all inline code
Log Analysis
• awk, grep, sort, head for gigabytes of logs?
• Yes, but we can do it in a more elaborate way with the help of Python
• Charts for directives and blocked URIs
Problems
• Browser implementations differ
• 3rd party JS libraries
• Inline styles in HTML letters
• Browser extensions
• What is that *** external code doing in our DOM?
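For the Log Analysis and Problems slides above, an added Python example (not the speaker's tooling) that aggregates report-uri logs in the {"csp-report": {...}} shape from the Reporting slide: violations are counted per directive and blocked origin, inline blocks (empty blocked-uri, e.g. styles in HTML letters) get their own bucket, and reports caused by browser extensions are set aside as noise. The three log lines are constructed for the example.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Schemes that mean an add-on, not our page, injected the resource
EXTENSION_SCHEMES = {"chrome-extension", "moz-extension", "safari-extension"}

# Constructed sample log: one JSON report per line, as a report-uri endpoint might write it
SAMPLE_LOG = "\n".join(json.dumps({"csp-report": r}) for r in [
    {"violated-directive": "img-src data: *.example.com",
     "blocked-uri": "https://static.doubleclick.net",
     "document-uri": "https://example.com/foo"},
    {"violated-directive": "script-src 'self'",
     "blocked-uri": "chrome-extension://abcdefghijklmnop/content.js",
     "document-uri": "https://example.com/inbox"},
    {"violated-directive": "style-src 'self'",
     "blocked-uri": "",  # inline <style> in an HTML letter
     "document-uri": "https://example.com/message/42"},
])


def blocked_origin(blocked_uri):
    """Reduce a blocked-uri to something countable; an empty value means inline."""
    if not blocked_uri:
        return "inline"
    parts = urlsplit(blocked_uri)
    return parts.scheme + "://" + parts.netloc if parts.netloc else parts.scheme + ":"


def summarize(log_text):
    """Return ({directive: Counter({origin: n})}, number_of_extension_reports)."""
    by_directive = {}
    noise = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        report = json.loads(line).get("csp-report", {})
        uri = report.get("blocked-uri", "")
        if urlsplit(uri).scheme in EXTENSION_SCHEMES:
            noise += 1  # browser extension, nothing the service can fix
            continue
        # "violated-directive" carries the whole source list; keep the name only
        directive = report.get("violated-directive", "?").split()[0]
        by_directive.setdefault(directive, Counter())[blocked_origin(uri)] += 1
    return by_directive, noise
```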
From Report-Only to Block mode
• Fix bugs from CSP logs
• Use only the standard CSP HTTP header
• Allow browser extensions
• unsafe-inline for style-src
• unsafe-eval for script-src
Tips
• Teach your front-end developers
• Add CSP as a security requirement for new products
• Don't forget about mobile versions!
• Research your core front-end components to support CSP
• Assign a developer responsible for CSP
CSP Based IDS
(Slide diagram; surviving labels: XSS, XSS, XSS, Magic, Test & Fix)
Conclusion
CSP is not a panacea, but it's a good «yet another level» to protect your users against XSS attacks
To be continued ;-)
Taras Ivashchenko
Information Security Officer
http://company.yandex.com/security
Thanks