Know Your Own Risks: Content Security Policy Report Aggregation and Analysis

Similar documents
Content Security Policy

CSP ODDITIES. Michele Spagnuolo Lukas Weichselbaum

HTTP Security Headers Explained

DistriNet. Client-side security policies for the web. Lieven Desmet iminds-distrinet, KU Leuven

Northeastern University Systems Security Lab

Content Security Policy

Content Security Policy. Vlastimil Zíma 24. listopadu 2017

Extending the browser to secure applications

Protec'ng Java EE Web Apps with Secure HTTP Headers

Django-CSP Documentation

Recent Web Security Technology

NoScript, CSP and ABE: When The Browser Is Not Your Enemy

Security and Frontend Performance

So we broke all CSPs. You won't guess what happened next!

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

Defense-in-depth techniques. for modern web applications

Client Side Injection on Web Applications

High -Tech Bridge s Web Server Security Service API Developer Documentation Version v1.3 February 13 th 2018

last time: command injection

Browser code isolation

Moving your website to HTTPS - HSTS, TLS, HPKP, CSP and friends

Recent Web Security Technology

BOOSTING THE SECURITY

Match the attack to its description:

RKN 2015 Application Layer Short Summary

Using HTTPS - HSTS, TLS, HPKP, CSP and friends

Ge#ng The Most Out Of CSP: A Deep Dive. Sergey Shekyan

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

Writing Secure Chrome Apps and Extensions

Origin Policy Enforcement in Modern Browsers

Web basics: HTTP cookies

WEB SECURITY: XSS & CSRF

Modern client-side defenses. Deian Stefan

W3Conf, November 15 & 16, Brad Scott

HTML5 MOCK TEST HTML5 MOCK TEST I

Client Side Security And Testing Tools

Web 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007

AN EVALUATION OF THE GOOGLE CHROME EXTENSION SECURITY ARCHITECTURE

Care & Feeding of Programmers: Addressing App Sec Gaps using HTTP Headers. Sunny Wear OWASP Tampa Chapter December

WHY CSRF WORKS. Implicit authentication by Web browsers

Clojure Web Security. FrOSCon Joy Clark & Simon Kölsch

Basics of Web. First published on 3 July 2012 This is the 7 h Revised edition

BOOSTING THE SECURITY OF YOUR ANGULAR 2 APPLICATION

CSC 482/582: Computer Security. Cross-Site Security

Web Security: Vulnerabilities & Attacks

Lecture 17 Browser Security. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422

Web Security: Vulnerabilities & Attacks

Web basics: HTTP cookies

Web Security. CSU CS557 - Fall 2017 Instructor: Lorenzo De Carli

How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach

Welcome to the OWASP TOP 10

Security. CSC309 TA: Sukwon Oh

Penetration Test Report

ThingLink User Guide. Andy Chen Eric Ouyang Giovanni Tenorio Ashton Yon

Design Document V2 ThingLink Startup

Client-Side XSS Filtering in Firefox

Among the many attacks on

Surrogate Dependencies (in

Standard 1 The student will author web pages using the HyperText Markup Language (HTML)

Attacks on Clients: JavaScript & XSS

MASTERS COURSE IN FULL STACK WEB APPLICATION DEVELOPMENT W W W. W E B S T A C K A C A D E M Y. C O M

UNIT 3 SECTION 1 Answer the following questions Q.1: What is an editor? editor editor Q.2: What do you understand by a web browser?

Sandboxing JavaScript. Lieven Desmet iminds-distrinet, KU Leuven OWASP BeNeLux Days 2012 (29/11/2012, Leuven) DistriNet

Browser Guide for PeopleSoft

Web Security IV: Cross-Site Attacks

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

The security of Mozilla Firefox s Extensions. Kristjan Krips

Exploiting and Defending: Common Web Application Vulnerabilities

The Evolution of Chrome Security Architecture. Huan Ren Director, Qihoo 360 Technology Ltd

Top 10 AJAX security holes & driving factors

Analysis of Hypertext Isolation Techniques for Cross-site Scripting Prevention. Mike Ter Louw Prithvi Bisht V.N. Venkatakrishnan

Lesson 4: Web Browsing

The course also includes an overview of some of the most popular frameworks that you will most likely encounter in your real work environments.

Web Application Security

(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection

Trusted Types - W3C TPAC

October 08: Introduction to Web Security

Creating an Online Catalogue Search for CD Collection with AJAX, XML, and PHP Using a Relational Database Server on WAMP/LAMP Server

Sichere Webanwendungen mit Java

Markup Language. Made up of elements Elements create a document tree

Annoyed Users: Ads and Ad-Block Usage in the Wild

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

MODERN WEB APPLICATION DEFENSES

Uniform Resource Locators (URL)

Screw You and the Script You Rode in On

CS Paul Krzyzanowski

Computer Security. 14. Web Security. Paul Krzyzanowski. Rutgers University. Spring 2018

Application Design and Development: October 30

MTAT Research Seminar in Cryptography The Security of Mozilla Firefox s Extensions

Don't Trust The Locals: Exploiting Persistent Client-Side Cross-Site Scripting in the Wild

Cross-Site Request Forgery: The Sleeping Giant. Jeremiah Grossman Founder and CTO, WhiteHat Security

Computer Security 3e. Dieter Gollmann. Chapter 18: 1

The Structure of the Web. Jim and Matthew

Web Security. New Browser Security Technologies

Enterprise Overview. Benefits and features of Cloudflare s Enterprise plan FLARE

Master Project Software Engineering: Team-based Development WS 2010/11

Why bother? Causes of data breaches OWASP. Top ten attacks. Now what? Do it yourself Questions?

Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Libraries on the Web

Matteo Fogli. Web Performance

MWR InfoSecurity Advisory. 26 th April Elastic Path Administrative. Quit. Session Hijacking through Embedded XSS

Transcription:

SESSION ID: CDS-F03 Know Your Own Risks: Content Security Policy Report Aggregation and Analysis Ksenia Dmitrieva Senior Consultant Cigital, Inc. @KseniaDmitrieva

Agenda What is Content Security Policy (CSP) and why do we need it? CSP reporting functionality Extracting important information from reports at scale CSP support and adoption Real world examples of policies 2

Pop Quiz Which web application vulnerability was #4 in OWASP* Top 10 in 2003 #1 in OWASP Top 10 in 2007 #2 in OWASP Top 10 in 2010 #3 in OWASP Top 10 in 2013? * OWASP Open Web Application Security Project (https://www.owasp.org/) 3

Traditional Methods of XSS Protection Reflected Stored DOM-based DB 4

Execution of DOM-based XSS Traditional XSS payload payload Server XSS Filter payload DOM-based XSS request response Server XSS Filter 5

What is Content Security Policy? Content Security Policy: Restricts ad-hoc XSS vectors: inline scripts and eval-constructs Imposes restrictions on resources based on their origin CSP defines a list of resource directives: script-src object-src frame-src img-src media-src etc. First Name Last Name Address Email <script> Inline JavaScript </script> Submit third-party <iframe src= "http://attacker.com/ hello.htm"> </iframe> <script src="https://malicioussites.com/spam.js"/> <script src="https://jquery.org/libraries/jquery.js" /> 6

Sample CSP Policies X Policy is sent by the server as an HTTP header: Content-Security-Policy: script-src 'self' https://apis.google.com Any malicious inline scripts or scripts hosted elsewhere will not be executed. Can a Can a page a page with with the following the following policy policy load load a an CSS image a style script from sheet from http://www.bbc.com/? http://wordpress.org? http://attacker.com? Content-Security-Policy: default-src script-src 'self'; frame-src 'none'; https://*.mydomain.com; object-src 'none' img-src *; fonts-src https://themes.googleusercontent.com 7

CSP Reporting Browsers supporting CSP send policy violation reports in JSON format to the server Violation report may contain data about the attack { Where the violation occurred "csp-report": { "document-uri": "http://example.com/page.html", Where the attack is coming from "referrer": "http://evil.example.com/", What the attacker is trying to do "blocked-uri": "http://evil.example.com/evil.js", "violated-directive": "script-src 'self' https://apis.google.com", "original-policy": "default-src 'self'; script-src 'self' https://apis.google.com; report-uri http://example.com/reporting/parser.php" } Directive controlling the resource } 8

CSP Reporting and Enforcing Content-Security-Policy header with report-uri enforces the policy Content-Security-Policy-Report-Only header reports policy violations, but does not enforce the policy Content-Security-Policy-Report-Only: default-src 'self'; script-src 'self' https://apis.google.com; report-uri http://example.com/reporting/parser.php Use both headers: one to enforce the old policy and another to test out the new policy Content-Security-Policy: default-src 'self' https://*.google.com; Content-Security-Policy-Report-Only: default-src 'self' *.google.com; script-src 'self' https://apis.google.com; frame-src 'self'; report-uri http://example.com/reporting/parser.php 9

Browser Dependent Report Formats Browsers use slightly different formats for the reports Google Chrome Mozilla Firefox Windows Edge document-uri referrer blocked-uri: violated-directive original-policy effective-directive status-code document-uri (with path) referrer blocked-uri (with path): self violated-directive original-policy? Coming soon July 29, 2015 Special tools are needed to process CSP reports at scale 10

Report Aggregation: Tools Aggregate Data Filter Normalize data coming from different browsers Add extra fields: application name, user agent According to Twitter, 80% is noise Filter out reports from browser plugins, proxy sites, ISP cache servers Graph Twitter created custom CSP report aggregation tool highly proprietary and will never be open sourced Yelp uses Elasticsearch/Logstash/Kibana trio Open source tool Caspr (http://www.caspr.io/) 11

Source: http://engineeringblog.yelp.com/2014/09/csp_reports_at_scale.html Yelp s Report Aggregation 12

Browser Support of CSP Source: http://caniuse.com/#feat=contentsecuritypolicy 13

CSP Adoption Number of sites using CSP out of Alexa Top 1 Million 2013 2014 Sources: https://www.veracode.com/blog/2013/11/security-headers-on-the-top-1000000-websites-november-2013-report/ https://www.veracode.com/blog/2014/03/guidelines-for-setting-security-headers 14

CSP Level 2 Problem with CSP 1 Using CSP requires re-writing a whole application Frameworks still use inline JavaScript and eval-constructs CSP Level 2 (W3C Candidate Recommendation, July 21, 2015) Protecting inline JavaScript without re-writing an application: Nonce-source directive Hash-source directive Replacing X-Frame-Options with frame-ancestors 15

Real World CSP Adoption Example: Facebook Facebook uses CSP on www.facebook.com Content-Security-Policy: default-src *; script-src https://*.facebook.com http://*.facebook.com https://*.fbcdn.net http://*.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:* 'unsafe-inline' 'unsafe-eval' https://*.akamaihd.net http://*.akamaihd.net *.atlassolutions.com; stylesrc * 'unsafe-inline'; connect-src https://*.facebook.com http://*.facebook.com https://*.fbcdn.net http://*.fbcdn.net *.facebook.net *.spotilocal.com:* https://*.akamaihd.net wss://*.facebook.com:* ws://*.facebook.com:* http://*.akamaihd.net https://fb.scanandcleanlocal.com:* *.atlassolutions.com http://attachment.fbsbx.com https://attachment.fbsbx.com; 16

Real World CSP Adoption Example: Yelp Yelp uses CSP on www.yelp.com Content-Security-Policy-Report-Only: report-uri https://www.yelp.com/csp_report; default-src https:; img-src https: ; script-src https://*.facebook.com https://*.facebook.net https://*.googleapis.com https://*.quantserve.com https://*.yelp.com https://*.yelpcdn.com https://*.yelpassets.com https://*.googleanalytics.com https://*.scorecardresearch.com 'unsafe-inline' 'unsafe-eval'; style-src https: 'unsafe-inline'; connect-src https:; font-src https: data:; media-src https:; object-src https:; frameancestors 'self'; frame-src yelp-webview://* https://*.facebook.com 17

Real World CSP Adoption Example: Twitter Twitter uses CSP on all their services Content-Security-Policy: default-src 'none'; connect-src 'self'; font-src https://abs.twimg.com data:; frame-src 'self' twitter:; frame-ancestors 'none'; img-src https://abs.twimg.com https://*.twimg.com https://pbs.twimg.com data:; media-src 'none'; object-src 'none'; script-src https://abs.twimg.com https://abs-0.twimg.com; style-src https://abs.twimg.com https://abs-0.twimg.com; report-uri https://twitter.com/i/csp_report?a= NVQWGYLXFVWG6Z3JNY%3D%3D%3D%3D%3D%3D&ro=false; 18

Apply What You Have Learned Today If you want to use reporting functionality of CSP, next week answer the two questions: Do any of your applications use CSP? If they do, do you collect and analyze violation reports? In the next three months do the following: Not Using CSP Yet Run a pilot: Select an application developed from scratch. Understand technologies used by the application. Are there any that don t support CSP? Use technologies that support CSP (Angular JS, Django). Do not use unsafe-eval and unsafe-inline. Use Report-Only option to test the policy. Already Using CSP Start collecting and analyzing reports: Add the report-uri directive to the policy. Filter out the noise. Add extra information to easily identify the application/module. Provide analysis results to development teams and to the security team. Use Report-Only option to test a new policy. 19

Summary CSP protects applications from all types of XSS, including DOMbased XSS. CSP 1 is hard to implement on existing applications, but can be added to the newly developed applications. CSP 2 is on its way! CSP violation reports provide essential data about the application running in the users browsers. Use it! Normalize and filter CSP reports before analyzing and plotting data. 20

Questions? @KseniaDmitrieva kdmitrieva@cigital.com https://www.cigital.com/blog/

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback