W3C Content Security Policy
Description: What is Content Security Policy (CSP)? How to deploy it, what it's good for, what it's not good for.

W3C Content Security Policy 1.0
One measure against web attacks. No less and no more.
@m2w2 Markus Wichmann, May 2013
What is CSP about at all?
Just some terms:
Web Applications
Web Application Security
Cross-Site Scripting (XSS)
XSS Prevention
Policy Breach Reporting
Content Security Policy 1.0 is a W3C candidate recommendation as of May 2013. I expect it to become a recommendation in the near future.
Agenda: W3C Content Security Policy (CSP)
The Web without CSP: Plain old HTML
XSS (Cross-Site Scripting)
Enter: CSP
CSP Deployment
CSP Reporting
CSP Limitations
Future of CSP
How browsers show CSP violation attempts
The Web... without CSP
<html>
  <head>
    ...import style sheets...
    ...import JavaScript files...
  </head>
  <body>
    ...Forum Comments...
    <img src="...">
    ...Google +1 Button...
    ...Facebook Like plugin...
    ...Twitter message...
  </body>
</html>
[Diagram: the page, basic JS and style sheets come from our Web Server; the forum comments come from the Database; the FB plugin, G+ button and Twitter widget are loaded from third-party servers.]
XSS (Cross-Site Scripting) Phase 1: Injection Attack.
[Diagram: Server A with a Database of forum entries. The attacker submits a forum comment through the page's <textarea>.]
<html> ... ...Forum Comments... <textarea>
</textarea> </html>
Hey folks, look at my evil site:
http://bla.com/?q=%3Cscript%3Ealert(%91This%20is%20an%20XSS%20Vulnerability%92)%3C%2Fscript%3E
XSS Phase 2: The Victim
<html> ... Hey folks, look at my evil site: <script>alert(‘This is an XSS Vulnerability’)</script> ...</html>
[Diagram: Server A serves the page, including the injected comment from the Database of forum comments, to the victim.]
XSS Phase 3: Send Victim to Hell – Just one Example
http://www.evil.lab: Evil Scripts, Cookie Stealing, Whatever!
<html>
  <head> ... <script src="...evil.lab..."> </head>
  <body> <script ...> </body>
</html>
XSS recap
[Diagram: Hacker, Victim, Web Page]
1. Hacker infects the web page with an evil script
2. Victim visits the page
3. The page injects the script into the victim's browser
4. The script does something evil
Enter: CSP
Declarative Source Whitelisting: "What am I allowed to fetch, and from where?"
Our example, revisited: What do we really need?
<html> <head> ...import style sheets... ...import JavaScript files... </head>
<body> ...Forum Comments... <img src="..."> ...Google +1 Button... ...Facebook Like plugin... ...Twitter message... </body></html>
[Diagram as before: Web Server (page, basic JS, style sheets), Database (forum comments), FB plugin, G+ button, Twitter.]
What do we really need?
1. Style Sheets from our own Web Server
2. JavaScript from our own Web Server
3. JavaScript from apis.google.com
4. iframe content from plusone.google.com
5. iframe content from facebook.com
6. JavaScript from platform.twitter.com
7. iframe content from platform.twitter.com
We DON'T need inline scripts (script tags within the body tag)!
CSP Deployment
Solution: HTTP header
Name: Content-Security-Policy*
Values: Resource Directives, each with a Source List
* see CSP's limitations (as of May 2013) 1/2 for special cases/special browsers
CSP Deployment: Our recent example
If you wrote it separately (don't do this, it is not correct, just for demonstration purposes):
Content-Security-Policy: default-src 'self';
Content-Security-Policy: style-src 'self';
Content-Security-Policy: script-src 'self' https://apis.google.com https://platform.twitter.com;
Content-Security-Policy: frame-src https://plusone.google.com https://facebook.com https://platform.twitter.com;
Correct all-in-one notation:
Content-Security-Policy: default-src 'self'; style-src 'self'; script-src 'self' https://apis.google.com https://platform.twitter.com; frame-src https://plusone.google.com https://facebook.com https://platform.twitter.com;
CSP Directives
default-src: origin to fall back on if there's no rule that is more specific (e.g. see the directives below)
style-src: origins for CSS stylesheets
img-src: origins for image files
font-src: origins to load web-fonts from
frame-src: origins embeddable into iframes
media-src: origins of HTML5 audio and video
object-src: origins of Flash and similar plugins
connect-src: origins to connect to using XHR, WebSockets, and EventSource
CSP Source Lists
'none': restricts the directive to nothing at all
'self': the current origin, but not its subdomains
'unsafe-inline': allows inline JavaScript and CSS
'unsafe-eval': allows JavaScript's eval method
http://uri.lab: a URI to allow, space-separated if there are multiple
CSP Deployment's effect
Attacker finds a hole? Bad enough. Attacker injects a script? Bad enough.
But: if the script does not match the whitelist, it cannot be executed.
Bad enough... for the attacker.
CSP Reporting
Find weak pieces of your code: let the browser report attempted policy breaches!
Content-Security-Policy: default-src 'self'; report-uri /csp_report_parser;
CSP violation attempts are reported to the specified URI in JSON format like this:
{
  "csp-report": {
    "document-uri": "http://example.org/page.html",
    "referrer": "http://evil.example.com/",
    "blocked-uri": "http://evil.example.com/evil.js",
    "violated-directive": "script-src 'self' https://apis.google.com",
    "original-policy": "script-src 'self' https://apis.google.com; report-uri http://example.org/csp_report_parser"
  }
}
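The deployment slide's all-in-one header and the report format above, worked through as an added example (not code from the slides): a small JavaScript evaluator that parses a Content-Security-Policy value, checks one fetch against the governing source list (default-src fallback, 'self' excluding subdomains, no inline script without 'unsafe-inline') and builds the csp-report object for a blocked fetch. The page origin http://bla.com and the evil.lab script URL come from the deck's example; the function names and the simplified port handling are my own assumptions.

```javascript
// Added example (not from the slides): a minimal CSP 1.0 source-list evaluator
// plus the csp-report object a browser would POST to report-uri.
function parsePolicy(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}
// One source expression against one URL: 'none', 'self', scheme sources ("https:") and
// host sources ("https://host[:port]", "*.host"). Default ports show up as "" in the URL API.
function sourceMatches(source, url, pageOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return url.origin === pageOrigin;
  if (source.startsWith("'")) return false; // 'unsafe-*' never whitelist a URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  // A host source without a scheme inherits the page's own scheme.
  const scheme0 = scheme ? scheme.toLowerCase() + ":" : new URL(pageOrigin).protocol;
  if (url.protocol !== scheme0 || (port !== "*" && url.port !== (port || ""))) return false;
  const h = url.hostname.toLowerCase(), want = host.toLowerCase();
  return wildcard ? h.endsWith("." + want) : h === want;
}
// Which directive governs a fetch: the specific one, else default-src.
function effective(policy, directive) {
  if (policy[directive]) return [directive, policy[directive]];
  if (policy["default-src"]) return ["default-src", policy["default-src"]];
  return [directive, null]; // no list at all means no restriction
}
function isAllowed(policy, directive, url, pageOrigin) {
  const list = effective(policy, directive)[1];
  return list === null || list.some((s) => sourceMatches(s, url, pageOrigin));
}
// CSP 1.0 blocks inline <script>/<style> unless 'unsafe-inline' is listed.
function inlineAllowed(policy, directive) {
  const list = effective(policy, directive)[1];
  return list === null || list.includes("'unsafe-inline'");
}
// Report object for a blocked fetch (shape as on the slide), or null if allowed.
function cspReport(header, directive, url, pageOrigin, documentUri) {
  const policy = parsePolicy(header);
  if (isAllowed(policy, directive, url, pageOrigin)) return null;
  const [name, list] = effective(policy, directive);
  return { "csp-report": { "document-uri": documentUri, "blocked-uri": url.href,
    "violated-directive": [name, ...list].join(" "), "original-policy": header } };
}
```

Feeding the deck's header into cspReport with the evil.lab script URL yields a report whose violated-directive is the script-src list, while an image from our own origin is allowed only through the default-src fallback.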
CSP's limitations (as of May 2013) 1/2
Browsers supporting CSP 1.0:
Firefox 4–16: partial support, use X-Content-Security-Policy
Firefox 17+: seems like full support, use X-Content-Security-Policy
Chrome 14+: seems to me like full support
IE 10+: very rudimentary support, see http://goo.gl/p5rke
Safari 5.1: partial support, use X-WebKit-CSP as header name
Safari 6.0+: seems to me like full support
iOS 6.0 Safari: seems to me like full support
Chrome for Android 25+: seems to me like full support
Sources: http://caniuse.com/contentsecuritypolicy and Mike West's Twitter Post above
CSP's limitations (as of May 2013) 2/2
CSP protects users against: most Cross-Site Scripting attacks
CSP does NOT protect against:
Cross-Site Request Forgery (XSRF/CSRF)
Session Riding
Cookie Stealing (though this is a bit more difficult with CSP in place)
SQL Injection
And please use HTTPS (HTTP over SSL) wherever possible.
Possible Future of CSP
CSP 1.1 is currently in draft status (as of 05/2013). It will mainly support more directives:
script-nonce allow specific(!) inline scripts
plugin-types allow specific plugin MIME types
form-action specify form action URIs to allow
See https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#frame-options--experimental
How browsers show CSP violations in their debuggers (Firebug, Developer Tools, etc.)
[Screenshots: Firefox and Chrome developer consoles reporting a blocked resource]
Thanks to all authors of the following pages:
http://www.w3.org/TR/CSP/
https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#frame-options--experimental
http://www.html5rocks.com/en/tutorials/security/content-security-policy/
http://en.wikipedia.org/wiki/Cross-site_scripting
http://de.wikipedia.org/wiki/Cross-Site-Request-Forgery
http://en.wikipedia.org/wiki/Same_origin_policy
http://en.wikipedia.org/wiki/JSONP
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Introduction
http://en.wikipedia.org/wiki/Samy_worm
http://maulwuff.de/pws/2012/web20sec/vortrag.html
https://www.bsi.bund.de/cae/servlet/contentblob/476464/publicationFile/30632/WebSec_pdf
http://www.linuxforu.com/2012/03/cyber-attacks-explained-web-exploitation/
http://www.linuxforu.com/2010/09/securing-apache-part-2-xss-injections/
https://wiki.mozilla.org/index.php?title=Security/CSP/Spec&oldid=133465
https://twitter.com/mikewest/status/268721123145957377
http://people.mozilla.com/~bsterne/content-security-policy/
http://people.mozilla.com/~bsterne/content-security-policy/origin-header-proposal.html
http://de.slideshare.net/shreeraj/xss-and-csrf-with-html5
http://google-gruyere.appspot.com/part3#3__cross_site_script_inclusion
http://intothesymmetry.blogspot.de/2012/06/facebook-logout-csrf-and-oauth-2.html
http://www.kendoui.com/blogs/archive/11-10-03/using_cors_with_all_modern_browsers.aspx
Thank you.
@m2w2 Constructive criticism always welcome!
Disclaimer: The author of these slides does not give and cannot give any kind of warranties or guarantees or anything the like on the correctness of any information provided in these slides.