Defeating Cross-Site Scripting with Content Security Policy
what is a cross-site scripting(aka “XSS”) attack?
preventing XSS attacks
print <<<EOF
<html>
<h1>$title</h1>
</html>
EOF;
$title = escape($title);
print <<<EOF
<html>
<h1>$title</h1>
</html>
EOF;
templating system
page.tpl:
<html><h1>{title}</h1></html>
page.php:
render("page.tpl", $title);
auto-escaping turned ON
page.tpl:
<html><h1>{title|raw}</h1></html>
page.php:
render("page.tpl", $title);
auto-escaping turned ON != escaping always ON
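To make the difference concrete, here is an added example (my own toy code, not from the slides or from any real templating library): a renderer with auto-escaping ON whose `{title|raw}` filter reopens the hole for the same untrusted title. `escapeHtml` and `render` are assumed helper names.

```javascript
'use strict';
// Added example, not from the slides: a toy templating engine with
// auto-escaping ON, showing that one "{title|raw}" in a template reopens
// the hole that auto-escaping closed ("auto-escaping ON" != "escaping always ON").

// HTML-escape the five characters that matter in text and attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Expand "{name}" placeholders (escaped) and "{name|raw}" (left as-is),
// mirroring the page.tpl syntax on the slides.
function render(template, vars) {
  return template.replace(/\{(\w+)(\|raw)?\}/g, (match, name, raw) => {
    if (!(name in vars)) return '';          // unknown placeholder renders empty
    return raw ? String(vars[name]) : escapeHtml(vars[name]);
  });
}

// Constructed untrusted input: a page title that came from the request.
const UNTRUSTED_TITLE = '<script>alert("xss")</script>';
const SAFE_TPL = '<html><h1>{title}</h1></html>';     // page.tpl, auto-escaping applied
const RAW_TPL = '<html><h1>{title|raw}</h1></html>';  // page.tpl with the raw filter

function renderSafe() { return render(SAFE_TPL, { title: UNTRUSTED_TITLE }); }
function renderRaw() { return render(RAW_TPL, { title: UNTRUSTED_TITLE }); }

// Audit helper: does the rendered page still contain a live <script> tag?
function containsScriptTag(html) { return /<script[\s>]/i.test(html); }

console.log(renderSafe());  // the title is inert text inside the <h1>
console.log(renderRaw());   // the title is executed as script
```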
the real problem:
browser default = allow all
a way to get the browser to enforce the restrictions
you want on your site
$ curl --head https://www.libravatar.org/
X-Content-Security-Policy: default-src 'self' ; img-src 'self' data
$ curl --head https://www.libravatar.org/account/login/
X-Content-Security-Policy: default-src 'self' ; img-src 'self' data ; frame-src 'self' https://browserid.org ; script-src 'self' https://browserid.org
$ curl --head http://fmarier.org/
X-Content-Security-Policy: default-src 'none' ; img-src 'self' ; style-src 'self' ; font-src 'self'
<object>
<script>
<style>
<img>
<audio> & <video>
<frame> & <iframe>
<font>
WebSocket & XMLHttpRequest
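The three policies above and the list of resource types they govern can be checked mechanically. Here is an added example (my own code, not from the slides, not a browser's implementation): it parses a header in the pre-standard X-Content-Security-Policy form shown on the slides and answers whether a given load would be allowed. It assumes `;`-separated directives, `default-src` as the fallback for any directive that is not set, and that the bare `data` token on the slide is the `data:` scheme source.

```javascript
'use strict';
// Added example, not from the slides: parse an X-Content-Security-Policy
// header and decide whether a resource load is allowed. Assumes the
// pre-standard syntax on the slides: ';'-separated directives, space-separated
// source lists, default-src as the fallback for any directive not set, and the
// slide's bare "data" token written as the data: scheme source.

// Parse "default-src 'self' ; img-src 'self' data:" into { directive: [sources] }.
function parsePolicy(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// Does one source expression ('self', 'none', a scheme or a host) match the
// origin the resource would be fetched from?
function sourceMatches(source, resourceOrigin, pageOrigin) {
  const src = source.toLowerCase();
  if (src === "'none'") return false;
  if (src === "'self'") return resourceOrigin === pageOrigin;
  if (src === '*') return true;
  if (src.endsWith(':')) return resourceOrigin.startsWith(src); // scheme source, e.g. data:
  return resourceOrigin === src;                                // host source, e.g. https://browserid.org
}

// Would the browser load a resource of type `directive` (script-src, img-src, ...)
// from resourceOrigin? A missing directive falls back to default-src; no policy
// at all means the browser default applies: allow everything.
function isAllowed(header, directive, resourceOrigin, pageOrigin) {
  const policy = parsePolicy(header);
  const sources = policy[directive] || policy['default-src'];
  if (!sources) return true;
  const origin = resourceOrigin.toLowerCase();
  return sources.some((s) => sourceMatches(s, origin, pageOrigin.toLowerCase()));
}

// Policies copied from the slides above (data written as the data: scheme source).
const LOGIN_POLICY = "default-src 'self' ; img-src 'self' data: ; frame-src 'self' https://browserid.org ; script-src 'self' https://browserid.org";
const BLOG_POLICY = "default-src 'none' ; img-src 'self' ; style-src 'self' ; font-src 'self'";
const SITE = 'https://www.libravatar.org';

console.log(isAllowed(LOGIN_POLICY, 'script-src', 'https://browserid.org', SITE)); // true
console.log(isAllowed(LOGIN_POLICY, 'script-src', 'https://cdn.example', SITE));   // false
console.log(isAllowed(BLOG_POLICY, 'script-src', 'http://fmarier.org', 'http://fmarier.org')); // false: falls back to 'none'
```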
browser support (version numbers from the slide; the browser logos they belong to are not in the transcript): >= 4, >= 13, >= 10, >= 5
what does a CSP-enabled website look like?
inline scripts are not executed
unless explicitly allowed by your policy
external resources are not loaded
unless explicitly allowed by your policy
preparing your website for CSP
(aka things you can do today)
eliminate inline scripts and styles
<script>do_stuff();</script>
<script src="do_stuff.js"></script>
eliminate javascript: URIs
<a href="javascript:go()">Go!</a>
<a id="go-button" href="#">Go!</a>
var button = document.getElementById('go-button');
button.onclick = go;
add headers in web server config
<Location /some/page>
Header set X-Content-Security-Policy "default-src 'self' ; script-src 'self' http://example.org"
</Location>
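Before setting the header, it helps to find the markup the policy will break. This added example (my own code, not from the slides) is a first-pass audit that flags the constructs the steps above say to remove: inline `<script>` and `<style>`, `style=""` attributes, `on*` event handlers and `javascript:` URIs. It is regex-based and works on static HTML only; the sample page is constructed from the before/after snippets on the slides.

```javascript
'use strict';
// Added example, not from the slides: a first-pass audit of static HTML for
// the things the steps above say to remove before switching CSP on: inline
// <script> and <style>, style="" attributes, on* event handlers and
// javascript: URIs. Regex-based, so it is a triage tool, not an HTML parser.

const CHECKS = [
  { name: 'inline-script', re: /<script\b(?![^>]*\bsrc\s*=)[^>]*>/gi },
  { name: 'inline-style', re: /<style\b[^>]*>/gi },
  { name: 'style-attribute', re: /\sstyle\s*=\s*["']/gi },
  { name: 'event-handler', re: /\son\w+\s*=\s*["']/gi },
  { name: 'javascript-uri', re: /\b(?:href|src|action)\s*=\s*["']\s*javascript:/gi },
];

// 1-based line number of a character offset, for reporting.
function lineOf(html, index) {
  return html.slice(0, index).split('\n').length;
}

// Return one finding per match, sorted by line: { check, line, snippet }.
function auditHtml(html) {
  const findings = [];
  for (const { name, re } of CHECKS) {
    re.lastIndex = 0;
    let m;
    while ((m = re.exec(html)) !== null) {
      findings.push({ check: name, line: lineOf(html, m.index), snippet: m[0].trim() });
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Constructed sample page mixing the "before" and "after" markup from the slides.
const SAMPLE_HTML = [
  '<html><head>',
  '<script src="do_stuff.js"></script>',   // ok: external script
  '<script>do_stuff();</script>',           // flagged: inline script
  '<style>h1 { color: red }</style>',       // flagged: inline style
  '</head><body>',
  '<a href="javascript:go()">Go!</a>',      // flagged: javascript: URI
  '<a id="go-button" href="#">Go!</a>',     // ok: handler is attached from do_stuff.js
  '<button onclick="go()">Go!</button>',    // flagged: inline event handler
  '<p style="color: red">hi</p>',           // flagged: style attribute
  '</body></html>',
].join('\n');

function auditSample() { return auditHtml(SAMPLE_HTML); }

for (const f of auditSample()) console.log(`line ${f.line}: ${f.check}  ${f.snippet}`);
```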
not a replacement for proper XSS hygiene
great tool to increase the depth of your defenses
Spec: http://www.w3.org/TR/CSP/
HOWTO: https://developer.mozilla.org/en/Security/CSP
Copyright © 2012 François Marier. Released under the terms of the Creative Commons Attribution Share Alike 3.0 Unported Licence
fmarier fmarier
Credits:
Biohazard wallpaper: http://www.flickr.com/photos/rockyx/4273385120/
Under Construction: https://secure.flickr.com/photos/aguichard/6864586905/