appsec california 2017 csp: the good, the bad and the ugly

Content Security Policy: The Good, the Bad and the Ugly Ilya Nesterov, Shape Security

Upload: ilya-nesterov

Post on 22-Jan-2018


TRANSCRIPT


Agenda

What does CSP stand for?

Content Security Policy (CSP) - a mechanism that web applications can use to mitigate a broad class of content injection vulnerabilities, such as XSS.

CSP Level 1

• Policy delivery via HTTP header only
• Multiple CSP headers allowed
• Sandbox directive is optional
• script-src governs workers

CSP Level 2

New in CSP Level 2

• Policy delivery via <meta>
• New directives: child-src, form-action, frame-ancestors, base-uri, plugin-types
• Source-expression supports hash and nonce
• host-source can use path for matching
• SecurityPolicyViolationEvent
• Extended violation report
• child-src governs workers

CSP Level 3 (draft 13 Sep 2016)

New in CSP Level 3

• New directives: manifest-src, worker-src, report-to, block-mixed-content, upgrade-insecure-requests, require-sri-for
• frame-src undeprecated
• New in source-expression: 'strict-dynamic'
• Changes in URL and source-expression matching algorithms
• Additional changes to violation reports

Browser compatibility: CSP Level 1

Browser compatibility: CSP Level 2

CSP directives compatibility matrix

I want CSP, what should I do?

Where not to use CSP:

– Static website with public information
– Large application with many XSS

Understand what triggers a CSP violation

CSP violations

• object-src and default-src is not defined
• usage of 'unsafe-inline'
• path restriction and redirect
• CSP violations due to SOP
• CSP only on some pages

Strict CSP

• Define default-src or script-src
• Prevent fetching and executing embedded plugin resources: object-src 'none'
• Use nonce/hash to whitelist inline scripts
• Do not use 'unsafe-eval' unless you use eval()
• Tighten your source expression

CSP adoption steps

• Refactor, refactor, refactor
  – nonce for inlined scripts
  – inline event handlers and javascript:
  – document.write -> document.createElement
  – 'strict-dynamic'
• Delivery mechanism (header vs <meta>)
• Start with report-only
• Test, test, test
• Analyze violation reports
• Make your policy backward compatible

CSP backward compatibility

object-src 'none'; script-src 'nonce-{random}' 'unsafe-inline' 'strict-dynamic' https:;

• CSP3 browser view: object-src 'none'; script-src 'nonce-{random}' 'strict-dynamic';
• CSP2 browser view: object-src 'none'; script-src 'nonce-{random}' https:;
• CSP1 browser view: object-src 'none'; script-src 'unsafe-inline' https:;
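The three "browser views" above follow from the fallback rules of each CSP level: a Level 1 browser ignores the nonce and 'strict-dynamic' as unknown expressions, a Level 2 browser ignores 'unsafe-inline' once a nonce or hash is present, and a Level 3 browser ignores host and scheme sources once 'strict-dynamic' is present. The model below is an added example, not code from the talk or from Shape Security; the function names and the "{random}" nonce placeholder are assumptions, and it is a simplified model that only applies those three rules.

```python
"""Model how browsers of different CSP levels interpret one script-src directive."""
import re

# Constructed input: the backward-compatible policy from the slide, nonce left as a placeholder.
POLICY = "object-src 'none'; script-src 'nonce-{random}' 'unsafe-inline' 'strict-dynamic' https:;"

STRICT_DYNAMIC = "'strict-dynamic'"
UNSAFE_INLINE = "'unsafe-inline'"


def parse_policy(policy: str) -> dict:
    """Split a serialized CSP into {directive-name: [source expressions]}."""
    directives = {}
    for token in policy.split(";"):
        parts = token.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives


def is_nonce_or_hash(src: str) -> bool:
    """True for 'nonce-...' and 'sha256/384/512-...' source expressions."""
    return re.fullmatch(r"'(nonce-[^']+|sha(256|384|512)-[^']+)'", src) is not None


def script_src_view(sources: list, level: int) -> list:
    """Return the source list a CSP Level <level> browser effectively enforces.

    Level 1: nonces, hashes and 'strict-dynamic' are unknown and ignored.
    Level 2: a nonce/hash disables 'unsafe-inline'; 'strict-dynamic' is unknown.
    Level 3: 'strict-dynamic' additionally disables host/scheme sources and 'self'.
    """
    if level == 1:
        return [s for s in sources if not is_nonce_or_hash(s) and s != STRICT_DYNAMIC]
    has_nonce_or_hash = any(is_nonce_or_hash(s) for s in sources)
    kept = [s for s in sources if not (has_nonce_or_hash and s == UNSAFE_INLINE)]
    if level == 2:
        return [s for s in kept if s != STRICT_DYNAMIC]
    if STRICT_DYNAMIC in kept:
        # Only nonces/hashes, 'strict-dynamic' and 'unsafe-eval' survive in a Level 3 browser.
        return [s for s in kept if is_nonce_or_hash(s) or s in (STRICT_DYNAMIC, "'unsafe-eval'")]
    return kept


def browser_views(policy: str) -> dict:
    """Map CSP level -> serialized script-src as that level of browser sees it."""
    sources = parse_policy(policy).get("script-src", [])
    return {level: " ".join(script_src_view(sources, level)) for level in (1, 2, 3)}
```

Run browser_views(POLICY) to reproduce the three views listed on the slide.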

Deployment into production

• Prepare CSP collector
• Start with report-only
• A/B testing
• Continuously analyse CSP reports

CSP reports are not easy

• How to:
  – identify different versions
  – report-only vs enforced
  – filter noise
  – filter what is important
  – find if someone is trying to break in
• There is no one simple solution

Alexa top 1,000,000 data

CSP policies closer look

CSP policies closer look (continued)

Alexa top 1,000,000 data: XSS protection vs strict XSS protection policies

Alexa top 1,000,000 data: common errors found by Shape Security's salvation library

Resources:

• https://cspvalidator.org
• https://csp-evaluator.withgoogle.com/
• https://csp.withgoogle.com
• https://github.com/shapesecurity/salvation
• https://report-uri.io
• https://www.w3.org/TR/CSP3/
• https://www.w3.org/2011/webappsec/
• [email protected]

Questions?

mailto: [email protected]
mailto: [email protected]
twitter: @ilya_online