Ge#ng The Most Out Of CSP: A Deep Dive. Sergey Shekyan

Similar documents
CSP ODDITIES. Michele Spagnuolo Lukas Weichselbaum

High -Tech Bridge s Web Server Security Service API Developer Documentation Version v1.3 February 13 th 2018

Content Security Policy

Django-CSP Documentation

Content Security Policy

Know Your Own Risks: Content Security Policy Report Aggregation and Analysis

HTTP Security Headers Explained

Browser code isolation

Extending the browser to secure applications

October 08: Introduction to Web Security

So we broke all CSPs. You won't guess what happened next!

BOOSTING THE SECURITY

Defense-in-depth techniques. for modern web applications

Match the attack to its description:

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

BOOSTING THE SECURITY OF YOUR ANGULAR 2 APPLICATION

Moving your website to HTTPS - HSTS, TLS, HPKP, CSP and friends

Web 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007

NoScript, CSP and ABE: When The Browser Is Not Your Enemy

Northeastern University Systems Security Lab

Using HTTPS - HSTS, TLS, HPKP, CSP and friends

Content Security Policy. Vlastimil Zíma 24. listopadu 2017

W3Conf, November 15 & 16, Brad Scott

CSP STS PKP SRI ETC OMG WTF BBQ

HTML5 Unbound: A Security & Privacy Drama. Mike Shema Qualys

RKN 2015 Application Layer Short Summary

last time: command injection

Neat tricks to bypass CSRF-protection. Mikhail

Web Security. CSU CS557 - Fall 2017 Instructor: Lorenzo De Carli

Session 8. Reading and Reference. en.wikipedia.org/wiki/list_of_http_headers. en.wikipedia.org/wiki/http_status_codes

CORS Attacks. Author: Milad Khoshdel Blog: P a g e. CORS Attacks

Modern client-side defenses. Deian Stefan

Writing Secure Chrome Apps and Extensions

Sichere Webanwendungen mit Java

Static Webpage Development

CNIT 129S: Securing Web Applications. Ch 12: Attacking Users: Cross-Site Scripting (XSS) Part 2

ISSA: EXPLOITATION AND SECURITY OF SAAS APPLICATIONS. Waqas Nazir - CEO - DigitSec, Inc.

Web basics: HTTP cookies

Some Facts Web 2.0/Ajax Security

Clojure Web Security. FrOSCon Joy Clark & Simon Kölsch

MODERN WEB APPLICATION DEFENSES

Index. alt, 38, 57 class, 86, 88, 101, 107 href, 24, 51, 57 id, 86 88, 98 overview, 37. src, 37, 57. backend, WordPress, 146, 148

Executive Summary. Performance Report for: The web should be fast. Top 5 Priority Issues. How does this affect me?

Origin Policy Enforcement in Modern Browsers

Uniform Resource Locators (URL)

Session 9. Deployment Descriptor Http. Reading and Reference. en.wikipedia.org/wiki/http. en.wikipedia.org/wiki/list_of_http_headers

Index LICENSED PRODUCT NOT FOR RESALE

Hacking with WebSockets. Mike Shema Sergey Shekyan Vaagn Toukharian

Performance Report for: Report generated: Tuesday, June 30, 2015, 3:21 AM -0700

Web basics: HTTP cookies

Device Recognition Best Practices Guide

Project 3 Web Security Part 1. Outline

4D Live Window Addendum 1.1

Final exam in. Web Security EITF05. Department of Electrical and Information Technology Lund University

How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach

Ajax- XMLHttpResponse. Returns a value such as ArrayBuffer, Blob, Document, JavaScript object, or a DOMString, based on the value of

How to Setup & Use the Direct Traffic Features in CPV Lab

JOE WIPING OUT CSRF

Application Boundaries Enforcer (ABE) NoScript Module Rules Syntax And Capabilities

Information Security. Gabriel Lawrence Director, IT Security UCSD

Among the many attacks on

WEB SECURITY: XSS & CSRF

CS 161 Computer Security

Tabular Presentation of the Application Software Extended Package for Web Browsers

Caching. Caching Overview

Web development using PHP & MySQL with HTML5, CSS, JavaScript

CNIT 129S: Securing Web Applications. Ch 3: Web Application Technologies

Interface Reference. McAfee Application Control Windows Interface Reference Guide. Add Installer page. (McAfee epolicy Orchestrator)

Web Security: Vulnerabilities & Attacks

WHY CSRF WORKS. Implicit authentication by Web browsers

JOE WIPING OUT CSRF

PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH

Lecture 17 Browser Security. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422

Information Security CS 526 Topic 11

Website review dada-jd.com

Website review excitesubmit.com

Develop Mobile Front Ends Using Mobile Application Framework A - 2

Salesforce IoT REST API Getting Started Guide

Web System and Technologies (Objective + Subjective)

For Bitcoins and Bounties James Kettle

Security and Frontend Performance

RTCWEB Signaling. Ma/hew Kaufman

Website review google.com

Create and Apply Clientless SSL VPN Policies for Accessing. Connection Profile Attributes for Clientless SSL VPN

BIG-IP DataSafe Configuration. Version 13.1

Computer Security 3e. Dieter Gollmann. Chapter 18: 1

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Integrating with ClearPass HTTP APIs

Web Security: XSS; Sessions

This course is designed for web developers that want to learn HTML5, CSS3, JavaScript and jquery.

Markup Language. Made up of elements Elements create a document tree

ICS 351: Today's plan. IPv6 routing protocols (summary) HTML HTTP web scripting languages certificates (review) cookies

Web API Lab folder 07_webApi : webapi.jsp your testapijs.html testapijq.html that works functionally the same as the page testapidomjs.

CS 161 Computer Security

EasyCrypt passes an independent security audit

The security of Mozilla Firefox s Extensions. Kristjan Krips

Lesson 14 SOA with REST (Part I)

HTML CS 4640 Programming Languages for Web Applications

Executive Summary. Performance Report for: The web should be fast. Top 5 Priority Issues. How does this affect me?

Website review facebook.com

Transcription:

Ge#ng The Most Out Of CSP: A Deep Dive Sergey Shekyan

Canadian Staging Professionals (CSP) CSP Home Staging CerFficaFon Course Is Simply The Best EducaFon and Support For Your New Career Mastering the Art of Difficult ConversaFons with Sellers Chemicals Hiding In Plain Sight Environmentally Responsible Home Design and Remodeling

Content Security Policy Sike!

Content Security Policy is a mechanism to declare content restricfons for web resources in a browser disables normally enabled capabilifes in web pages helps to detect and prevent XSS, UI Redressing, mixed-content and other axacks

History IniFal proposal by Brandon Sterne - 2009 CSP level 1 - Nov 2012 CSP level 2 - July 2014 CSP level 3 will introduces A LOT of changes

AdopFon: Browsers

AdopFon: Websites Less than 0.2% of Alexa top 100000 use CSP on landing page many nonsensical policies many invalid policies few web properfes use nonce-source/hash-source most use unsafe-inline and unsafe-eval some use deprecated policies

Content Security Policy source-list Delivered over HTTP header { Content-Security-Policy: script-src https: example.com 'self' directive-name{ { { { scheme-source host-source keyword-source Delivered over meta tag <meta http-equiv="content-security-policy" content="script-src https: example.com; 'self'">

Combining source expressions script-src self' https: *.example.com <= served by http://www.site.com A URL url is said to match a source list for protected resource if at least one source expression in the set of source expressions obtained by parsing the source list matches url for protected resource. <script src= http://www.site.com > <script src= http://api.site.com > <script src= https://google.com > <script src= http://example.com'> <script src= http://api.example.com'> <script src= http://api.example.com'>

Matching script-src https:; script-src a.com; <script src= https://a.com'> <script src= https://a.com:8080'> <script src= ws://a.com:80'> <script src= https://a.com'> <script src= http://a.com:8080'> <script src= http://a.com'> script-src a.com/b; <script src= http://a.com/b'> <script src= http://a.com/bbb'> <script src= http://a.com/b/'> script-src a.com/b/; <script src= https://a.com/b'> <script src= https://a.com/b/a'> <script src= https://a.com/b/'>

DirecFves source-list ancestor-source-list default-src child-src frame-ancestors script-src style-src img-src frame-src object-src connect-src media-type-list plugin-types font-src form-action media-src base-uri uri-reference report-uri

Dealing with keywords script-src none ; style-src none ; Good <script src= evil.com ></script> <body onclick= alert(1337) > <script>eval(evilcode);<script> HTML script-src * unsafe-inline ; style-src * unsafe-inline Bad <script src= evil.com ></script> <body onclick= alert(1337) > <script>eval(evilcode);<script> HTML script-src * unsafe-eval ; style-src * unsafe-eval Bad <script src= evil.com ></script> <body onclick= alert(1337) > <script>eval(evilcode);<script> HTML

Granular whitelisfng script-src sha256-nnn ; style-src sha256-mmm ; <script src= evil.com ></script> <body onclick= alert(1337) > <script>eval(evilcode);<script> <script>goodcode()<script> HTML Use hash (sha256, sha-384, sha-512) if have to have inline scripts or styles. Good for whitelisfng stafc content. script-src nonce-123 ; style-src nonce-123 ; <script src= evil.com ></script> HTML <body onclick= alert(1337) > <script>eval(evilcode);<script> <script nonce= 123 >goodcode()<script> Use nonce if have to have inline scripts or styles. Good for whitelisfng dynamic content.

CSP2 Cheatsheet script-src self nonce-123 sha256-xxx style-src self nonce-123 sha256-xxx referrer form-action self base-uri self img-src self plugin-types a/b default-src self nonce-123 sha256-xxx Inherit default-src Inherit child-src Inherit nonce and hash No inheritance Ignored in meta font-src self child-src self frame-src self object-src self connect-src self media-src self sandbox report-uri /csp-report frame-ancestors self upgrage-insecure-requests block-al-mixed-content

Combining source lists When mulfple policies are present, the resource must match all of them Content-Security-Policy: script-src *.example.com; Content-Security-Policy: script-src self ; Content-Security-Policy: script-src https: report-uri /report; == Combine mulfple headers into one by comma-separated Content-Security-Policy: script-src *.example.com, script-src self, script-src https: report-uri /report;

Combining source lists Content-Security-Policy: script-src *.example.com, script-src self, script-src https: report-uri /report;!= If you instead try to combine policies by combining source lists of given direcfves, the resulfng policy will behave differently Content-Security-Policy: script-src *.example.com self https:; report-uri /report; Content-Security-Policy: script-src *.example.com, script-src self, script-src https: report-uri /report; == Match all, remember? do not forget about reporfng context Content-Security-Policy: none ; report-uri /report;

Grammar & SemanFcs default-src a b c; script-src d; style-src d; img-src d; font-src d; child-src d; connect-src d; object-src d; == default-src d frame-src is missing. Are there policies identical? Yes, because: frame-src is always derived from child-src, if not explicitly specified frame-src => frame-src *

Grammar & SemanFcs script-src 'none' == script-src default-src 'none' == default-src

Defaults in scheme and port script-src http://example.com:80 == script-src http://example.com == script-src example.com Default scheme 4.2.2 Matching Source Expressions If the source expression does not have a scheme, return does not match if any of the following are true: the scheme of the protected resource s URL is a case insensifve match for HTTP, and url-scheme is not a case insensifve match for either HTTP or HTTPS the scheme of the protected resource s URL is not a case insensifve match for HTTP, and url-scheme is not a case insensifve match for the scheme of the protected resource s URL. In non-spec English, default scheme is http Default port lp 21 file gopher 70 hxp 80 hxps 443 ws 80 was 443

Most permissive policy == Content-Security-Policy: == Content-Security-Policy: default-src * unsafe-inline unsafe-eval data: filesystem: blob: Missing Content-Security doesn t touch any web page capabilifes

Most restricfve policy Content-Security-Policy: default-src; frame-ancestors none ; form-action none ; sandbox

CSP host-source connect-src self' https:; served by https://example.com XMLHttpRequest to http://example.com XMLHttpRequest to https://example.com:8080 XMLHttpRequest to https://example.com XMLHttpRequest to https://example.com:443 WebSocket to ws://example.com:80 WebSocket to wss://example.com

CSP Examples default-src 'self' ; script-src 'unsafe-inline' 'unsafe-eval' 'self' * ; style-src 'unsafe-inline' 'self' * ; frame-src 'self' * ; object-src 'self' * ; img-src 'self' data: * ; media-src 'self' * ; font-src 'self' * ; connect-src 'self' * Bad: default-src * unsafe-inline + unsafe-eval + allows data: for image

CSP Examples

CSP Examples

CSP Examples

CSP Examples

CSP Examples

CSP Examples Worst policy ever? allow 'self'; frame-ancestors 'self' "The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect." Didn't make into CSP level 1. "Unrecognized Content-Security- Policy directive 'frame-ancestors'." Introduced by CSP level 2, replaces frame-src

Browser Handling of Bad Policies script-src self foo.com/\u0001f4a9 The value for Content Security Policy directive 'script-src' contains an invalid character: 'http://google.com/ã '. Nonwhitespace characters outside ASCII 0x21-0x7E must be percent-encoded, as described in RFC 3986, section 2.1: http://tools.ietf.org/html/ rfc3986#section-2.1. Parsing error skips the whole direcfve Content Security Policy: Couldn't parse invalid source http://google.com/ð Content Security Policy: The page's settings blocked the loading of a resource at self ("script-src 'none'"). Parsing error skips only bad source source expression

Some of Security Bugs script-src *.x.y <script src= //x.y/file > Chromium bug 534542 - *.x.y must match host that ends with.x.y, but not x.y script-src * <script src= data:applicication/ javascript, alert(1337) > Chromium bug 534570 - wildcard (*) should not match data:, filesystem:, blob:

CSP ReporFng report-uri /csp-report /another-endpoint sends report to every report URL mulfple policies do not share reporfng context, meaning every policy violafon will be reported to it s report-uri If the origin of report URL is the same as the origin of the protected resource, cookies will be sent too (except Firefox) there are as many report formats as there are browsers, so normalize

CSP ReporFng Content-Type: application/csp-report {"csp-report":{ "document-uri":"http://example.com", "referrer":"", "violated-directive":"script-src 'self'", "effective-directive":"script-src", "original-policy":"default-src 'none';script-src 'self' ;img-src 'self'; connect-src 'self';style-src 'self';frame-ancestors 'none';form-action 'self';report-uri /csp-report", "blocked-uri":"http://www.evil.com", status-code":200 }} Content-Type: application/json {"csp-report":{ "blocked-uri":"http://www.evil.com/animate.js", document-uri : http://example.com, "original-policy":"default-src 'none'; script-src http://example.com; img-srchttp:// example.com; connect-srchttp://example.com; style-src http://example.com; frameancestors 'none'; form-action http://example.com; report-uri http://example.com/csp-report, "referrer":"", "violated-directive":"script-srchttp://example.com", "user-agent":"mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:41.0) Gecko/20100101 Firefox/ 41.0", "level":"info", "message":"", "timestamp":"2015-10-20t19:54:51.248z" }}

Reports Can Leak Data make report URI query string unique for segmentafon and to avoid dealing with poisoned logs. It is harder to spoof report-uri /csp-report? id=nonce hacked server with big audience might become DDoS orchestrator

Evaluate before deploying Content-Security-Policy-Report-Only: self ; report-uri /csp-report Content-Securty-Policy-Report-Only header monitors, reports but doesn t enforce Try new policy with Content-Securty-Policy-Report-Only along with your current policy delivered by Content-Security-Policy to catch problems before it s too late

SalvaFon general purpose FOSS Java library supports: warnings and syntax errors with posifon info policy opfmisafon merging using union or intersecfon strategyanswering quesfons like allowsconnectto, allowsscriptfromsource, allowsstylewithhash, allowschildfromsource, etc is used in producfon the only CSP implementafon outside of the browser get it from: hxps://github.com/shapesecurity/salvafon Maven Central

Merging CSP policies Union, which is useful when craling a policy, starfng with a restricfve policy and allowing each resource that is needed. default-src a b default-src b c == default-src a b c

Merging CSP policies Intersec-on combines policies in such a way that the result will behave similar to how browsers enforce each policy individually. default-src a b default-src; script-src *; style-src c == default-src; script-src a b

hxps://cspvalidator.org

hxps://cspvalidator.org

hxps://cspvalidator.org

hxps://cspvalidator.org Exposes a subset of SalvaFon features validates, inspects, merges try random policy buxons compare raw policy served by web site with opfmised one share policies hxps://cspvalidator.org/#url=hxps://www.twixer.com/ hxps://cspvalidator.org/#headervalue%5b%5d=script-src+example.com&headervalue%5b %5D=&strategy=union Web app takes advantage of browser security features like HPKP, HSTS, CSP, security headers

How does good CSP policy look like? default-src ; script-src 'self' https://www.google-analytics.com https://code.jquery.com https:// maxcdn.bootstrapcdn.com ; img-src 'self' https://www.google-analytics.com ; font-src 'self' https://fonts.gstatic.com https:// bootswatch.com ; connect-src 'self' ; style-src 'self' https://bootswatch.com https:// fonts.googleapis.com ; frame-ancestors 'none' ; form-action 'self' ; report-uri https://cspvalidator.org/csp-report

ContribuFng to CSP While developing SalvaFon >10 bugs reported against the CSP specificafon >10 bugs reported against Chromium CSP implementafon Use SalvaFon! ParFcipate! We haven t looked at other browsers

Useful stuff https://github.com/w3c/webappsec-csp/issues https://oreoshake.github.io/csp/twitter/2014/07/25/twitters-csp-report-collectordesign.html https://github.com/yahoo/csptester https://github.com/slightlyoff/crisp

Thanks! @sshekyan @jspedant

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback