CSP
(Content Security Policy)
- tricks to save your reputation and improve resilience -
Teofil Cojocariu (the brain)
Bogdan Oniga (the experimenter)
Lucian Corlan (the guy convincing the other 2 to showcase this)
What is Content Security Policy?
•An HTTP header (+meta tag)
•Allows you to block what an application loads, connects to or executes (e.g. restrict the domains from which content is loaded and what it may do)
•Blocks a wide range of attacks – content injection attacks (XSS, mixed content)
•Untested… the "Upgrade Insecure Requests" CSP directive can be used to automatically upgrade insecure requests to a secure alternative before the browser fetches them
•Used successfully by businesses (e.g. Facebook, Twitter, PayPal, GitHub… and even some darker sites ☺)
•CSP Report Only! – the focus of this presentation..
History of CSP & Browser Support
•Started at Mozilla and grew into its own W3C specification
•v1.0 – browser support is very good, but the exception is IE, of course :x
•v2.0 – changes some directives, adds SecurityPolicyViolationEvent
•v3.0 – draft 2 days ago – “rewritten from the ground up in terms of the [FETCH] specification – e.g. child-src, script-src”
What is CSP Report Only?
CSP, but without blocking anything - this only reports information to an endpoint.
# Content-Security-Policy-Report-Only: default-src 'self' data: https://ajax.googleapis.com; report-uri https://csplocal.betfair/?csp;
---
POST https://csplocal.betfair/?csp HTTP/1.1
Host: csplocal.betfair
Content-Type: application/json
POST_Data
{
"csp-report": {
"blocked-uri": "http://site.games.nxt.dev.betfair/?pi.localeId=en&pi.regionId=GBR&pi.brandId=betfair",
"document-uri": "https://games.nxt.dev.betfair/exchange-card-derby-racing/turbo/",
"original-policy": "default-src 'self' data: https://ajax.googleapis.com; report-uri https://csplocal.betfair/?csp;",
"referrer": "https://games.nxt.dev.betfair/",
"violated-directive": "frame-src https:"
}
}
--
document-uri - the page on which the violation occurred
referrer - the referrer of that page
blocked-uri - the actual problem (the resource that was blocked)
violated-directive - what happened (the directive that was violated)
source-file - where the violation occurred (file)
script-sample - sample of the injected script
How is the content restricted?
•By Source: 'none', 'self', specific hostnames, *
•By Category
• unsafe-inline (script-src & style-src only)
• unsafe-eval (script-src only)
•No string-to-code functions or in-line scripts.
•Browser Extensions?
•Bug: CSP does not block cross-domain applets with object-src 'self'. Details here:
https://bugzilla.mozilla.org/show_bug.cgi?id=908933
Problems with restrictions?
•Remove the code patterns that are banned when 'unsafe-eval' is not allowed
•Convert text-to-JavaScript functions like eval()
•Remove all in-line JavaScript: a href="javascript:doSomething()", and onkeyup() as well
•Third-party scripts: can you host all resources?..
What are we trying to do?
•Report against mixed content
•New XSS protection at browser level
•Protection against XSS in the DOM (mutation XSS) (devil)
•Protection against injection of unknown scripts/resources
Content-Security-Policy-Report-Only: default-src https:;script-src 'unsafe-inline';report-uri https://local.local/?csp;
Source: http://www.securitee.org/files/mixedinc_isc2013.pdf
Helpers
•There is no other way to get all mixed-content and security reports from the browser except by using CSP and JavaScript (this works only with some applications, and it's hard to inject JS anyway without breaking stuff)
•Don't push CSP to production directly, use CSP Report Only first!.. (although some xxx sites are mature enough and do! ☺)
•Don't rely on CSP to protect the application against XSS
•It doesn't matter what backend you run (Java, PHP, ASP and so on) ;)
Stats
veracode.com scanned the first 1 million sites from Alexa.com 2 years ago; the results are below.
Python script.. 2 days ago it scanned ~250k domains from Alexa.com.
# CSP Report Only
$ cat output.txt | grep -i "content-security-policy-report-only" | wc -l
> ~500
# CSP
$ cat output.txt | grep -i "content-security-policy'" | wc -l
> ~700
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' *.xvideos.com *.xnxx.com *.trafficfactory.biz ajax.googleapis.com www.google-analytics.com *.addthis.com www.loading-delivery2.com www.google.com
Guess the website.. (?)
# Easter egg. Jobs in the headers… Haha!
$ cat output.txt | grep -iE "job|hire|work" | grep http | wc -l
> ~1100
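Counting header names with grep tells you who ships CSP; it does not tell you whether the policy is worth anything, and the "guess the website" policy above (default-src with 'unsafe-inline' and 'unsafe-eval') is a case in point. The following is an added example, not the talk's scanning script: it reads a header dump in a constructed "domain<TAB>Header: value" format, produces the same two counts as the grep commands, and flags the two weaknesses a reviewer would look for first: script sources that allow 'unsafe-inline', 'unsafe-eval' or *, and a Report-Only header with no report-uri, which reports to nobody. All domains in the sample are constructed.

```python
from collections import Counter

# Constructed header dump: one "<domain>\t<Header-Name>: <value>" line per site.
SAMPLE_DUMP = """\
a.example.test\tContent-Security-Policy: default-src 'self'; script-src 'self' https://ajax.googleapis.com; report-uri /csp
b.example.test\tContent-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' *.cdn.example.test
c.example.test\tContent-Security-Policy-Report-Only: default-src https:; script-src 'unsafe-inline'
d.example.test\tContent-Security-Policy-Report-Only: default-src https:; report-uri https://collector.example.test/csp
e.example.test\tX-Frame-Options: DENY
"""

HEADER_KINDS = {
    "content-security-policy": "csp",
    "content-security-policy-report-only": "csp-ro",
}
WEAK_SCRIPT_SOURCES = ("'unsafe-inline'", "'unsafe-eval'", "*")


def directives(value: str) -> dict:
    """Policy string -> {directive: [sources]} (first occurrence of a directive wins)."""
    out = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out.setdefault(tokens[0].lower(), tokens[1:])
    return out


def audit_line(line: str):
    """Return (domain, kind, findings) for one dump line; kind is csp, csp-ro or none."""
    domain, _, header = line.partition("\t")
    name, _, value = header.partition(":")
    kind = HEADER_KINDS.get(name.strip().lower(), "none")
    if kind == "none":
        return domain, kind, []
    d = directives(value.strip())
    findings = []
    # script-src falls back to default-src, so a weak default-src is a weak script policy
    script_sources = d.get("script-src", d.get("default-src", []))
    for weak in WEAK_SCRIPT_SOURCES:
        if weak in script_sources:
            findings.append(f"script sources allow {weak}")
    if kind == "csp-ro" and "report-uri" not in d:
        findings.append("Report-Only policy has no report-uri, so nothing is ever reported")
    return domain, kind, findings


def audit(dump: str):
    """Count header kinds across the dump and collect (domain, finding) pairs."""
    counts, findings = Counter(), []
    for line in dump.splitlines():
        if not line.strip():
            continue
        domain, kind, found = audit_line(line)
        counts[kind] += 1
        findings.extend((domain, f) for f in found)
    return counts, findings


if __name__ == "__main__":
    counts, findings = audit(SAMPLE_DUMP)
    print(dict(counts))
    for domain, finding in findings:
        print(f"{domain}: {finding}")
```

The report-uri check matters for this talk in particular: a Report-Only header with no endpoint neither blocks nor reports, so the site gets the false comfort of a CSP header in the scan statistics and nothing else.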
Our scanning
Dashboard (future project SecHunter)
Idea…
•1 Webserver (nginx), 1 DB Server
•Application:
• Backend: Python, Flask (framework) & Jade (Template Engine)
• Database: MongoDB
• Frontend: Bootstrap + gentelella theme
Demo!
•Demo CSP: Generate Header
•Demo CSP Report Only
•Push to production? Report Only!
Not me!
Others on the topic:
https://www.youtube.com/watch?v=9V64zQi2pX0&list=PLBcFXK_g1tl8ysm6zwZSlb6QliyKqTzVh&index=14
https://www.youtube.com/watch?v=93tIdSik9q8&index=6&list=PLBcFXK_g1tl8ysm6zwZSlb6QliyKqTzVh

[Cluj] CSP (Content Security Policy)