Future of Web Security Opened up by CSP
Presentation materials of hasemunea (Yosuke HASEGAWA & nishimunea) for AVTOKYO2014.

Transcript

  • 1. AVTOKYO2014 HASEMUNEA (Nishimunea & Yosuke HASEGAWA) Future of Web Security Opened up by CSP
  • 2. Nishimunea (Muneaki Nishimura) Firefox OS Community, Japan Lecturer of Security Camp 2014
  • 3. Yosuke HASEGAWA Shibuya.XSS / utf-8.jp Lecturer of Security Camp 2014
  • 4. Content Security Policy (CSP) • Browser feature to mitigate common attacks, e.g., XSS • Set Content-Security-Policy header in HTTP responses • W3C candidate recommendation, as of 2012 • Next generation, CSP Level 2, is under development
  • 5. Browser Support • Supported by all major browsers except IE – IE is in development for future release • Forms of expressions – Content-Security-Policy : the W3C specs. – X-Content-Security-Policy : for Firefox 4-22, removed on 33 – X-WebKit-CSP : for earlier ver. of WebKit 4+ 4+ 6+5+ 25+ 4.4+N/A
  • 6. Syntax • When you allow to load sub resources from any origin • If you allow loading of scripts only from jQuery's CDN • And if you ignore any plugins default-src * default-src *; script-src https://code.jquery.com default-src *; script-src https://code.jquery.com; object-src 'none'
  • 7. CSP Directives default-src Default policy for resources that have no specific policy script-src Policy for script execution object-src Policy for plugins style-src Policy for stylesheets img-src Policy for image files media-src Policy for media files, e.g., <audio> and <video> frame-src Policy for frame contents font-src Policy for web fonts connect-src Policy for async. connections, e.g., XMLHttpRequest
  • 8. CSP Level2 Directives base-uri Policy for base[href] form-action Policy for form[action] plugin-types Policy for executable plugin MIME types referrer Nearly identical to meta[name=referrer] frame-ancestors Nearly identical to X-Frame-Options xss-protection Nearly identical to X-XSS-Protection child-src Policy for child contents e.g., frames and workers sandbox Sandbox that is applied to the document
  • 9. Violation Report • If 'report-uri' is set in CSP, browser lets the webmaster know violation of CSP including attempts of attack script-src 'self'; report-uri report.php • In the report, some details of violations are included. With them, webmaster can find causes of violation {"csp-report":{ "original-policy":"script-src 'self'; report-uri report.php", "script-sample":"alert(1);", "source-file":"http://example.com/login.php" }}
  • 10. Abusing CSP Violation Report • In some parts of a report, HTML tags can be included without proper escaping • Or, with a proxy tool, attacker can send malformed reports to webmaster's console {"csp-report":{ "document-uri":"http://%3Cauth@example.com/%3Cpath/?q=%3Cquery, "referrer":"http://example.com/redirector/%3Cpath/?q=%3Cquery", "blocked-uri":"data:text/html,<script>alert(1)</script>", "script-sample":"javascript:alert('<script>alert(1);</script>')" }}
  • 11. DEMO
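The defensive counterpart to slide 10, added here as an example and not taken from the presentation: a Node.js report receiver that whitelists report keys, bounds field length and HTML-escapes every value before rendering it in a webmaster's console. ALLOWED_KEYS, MAX_FIELD_LENGTH and SAMPLE_REPORT are assumptions constructed for this example.

```javascript
// Added example, not the presenters' code: every field of a CSP violation
// report is attacker-influenced, so whitelist keys, bound length and escape.
// Keys of a csp-report object the console is willing to display.
const ALLOWED_KEYS = [
  "document-uri", "referrer", "blocked-uri", "violated-directive",
  "original-policy", "source-file", "line-number", "script-sample",
];
const MAX_FIELD_LENGTH = 256; // assumed display limit, not from the slides
// Escape HTML metacharacters so tags inside blocked-uri or script-sample
// are shown as text in the webmaster's console rather than parsed as markup.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}
// Parse a raw POST body. Returns an object restricted to ALLOWED_KEYS with
// values coerced to bounded strings, or null for a malformed report.
function parseCspReport(body) {
  let parsed;
  try { parsed = JSON.parse(body); } catch (e) { return null; }
  const report = parsed && parsed["csp-report"];
  if (!report || typeof report !== "object" || Array.isArray(report)) return null;
  const clean = {};
  for (const key of ALLOWED_KEYS) {
    if (!(key in report)) continue;
    const value = report[key];
    if (typeof value !== "string" && typeof value !== "number") return null;
    clean[key] = String(value).slice(0, MAX_FIELD_LENGTH);
  }
  return clean;
}
// Render one report as a table row; every cell goes through escapeHtml.
function renderReportRow(body) {
  const report = parseCspReport(body);
  if (report === null) return null;
  const cells = ALLOWED_KEYS
    .map((key) => `<td>${escapeHtml(key in report ? report[key] : "")}</td>`)
    .join("");
  return `<tr>${cells}</tr>`;
}
// Constructed sample modelled on the malicious report on slide 10.
const SAMPLE_REPORT = JSON.stringify({ "csp-report": {
  "blocked-uri": "data:text/html,<script>alert(1)</script>",
  "script-sample": "javascript:alert('<script>alert(1);</script>')",
} });
```

The same whitelist-and-escape step applies when reports are written to a log viewer or an e-mail alert, since those are also rendered as HTML in many consoles.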