SlideShare a Scribd company logo

Content Security Policies: Let's Break Stuff @ PHP South Coast 2017

Matt Brunt, profile picture
Matt Brunt

The document discusses the importance of Content Security Policies (CSP) in preventing Cross-Site Scripting (XSS) attacks, which are prevalent in web applications. It provides an overview of various types of XSS attacks and examples, along with practical advice for implementing CSP to mitigate risks. Additionally, it offers implementation tips, browser support information, and resources for further reading.

Technology
1 of 57
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
@BruntyCSP: Let’s Break Stuff CONTENT SECURITY POLICIES LET’S BREAK STUFF
@BruntyCSP: Let’s Break Stuff BECAUSE YOU ALL TOTALLY CARE ABOUT THIS, RIGHT?! ABOUT ME ▸ Senior Software Engineer at Viva IT
 (that group in orange hoodies at some conferences & events) ▸ @Brunty ▸ @PHPem ▸ mfyu.co.uk ▸ matt@mfyu.co.uk
@BruntyCSP: Let’s Break Stuff BECAUSE YOU ALL TOTALLY CARE ABOUT THIS, RIGHT?! THINGS I DO ▸ Dungeon master for D&D campaigns with friends ▸ Mentor, lead & teach apprentices and junior developers ▸ Run & organise PHP East Midlands ▸ Speak at user groups and conferences ▸ Break production sites with incorrectly configured content security policies
@BruntyCSP: Let’s Break Stuff WHY DO WE NEED A CSP?
@BruntyCSP: Let’s Break Stuff FIRST, SOME BACKGROUND WHAT IS CROSS-SITE-SCRIPTING (XSS)? ▸ XSS enables an attacker to inject client-side scripts into non-malicious web pages viewed by other users ▸ In 2016 there was a 61% likelihood of a browser-based vulnerability being found in a web application ▸ Of those browser based vulnerabilities, 86% were found to be XSS related ▸ That’s just over 52% of all web application vulnerabilities
 https://www.edgescan.com/assets/docs/reports/2016-edgescan-stats-report.pdf
@BruntyCSP: Let’s Break Stuff FIRST, SOME BACKGROUND WHAT CAN BE DONE WITH XSS? ▸ Things a site owner can do in JS can be done in an XSS attack ▸ Make modifications to the DOM (you could replace an entire page and control data going in/out) ▸ Use XMLHttpRequest to send HTTP requests ▸ Access HTML5 APIs - webcam, microphone, geolocation ▸ Steal cookies (and therefore steal session cookies)
@BruntyCSP: Let’s Break Stuff
@BruntyCSP: Let’s Break Stuff FIRST, SOME BACKGROUND WELL KNOWN XSS ATTACKS ▸ Twitter self-retweeting tweet
 https://www.youtube.com/watch?v=zv0kZKC6GAM ▸ Samy worm
 https://en.wikipedia.org/wiki/Samy_(computer_worm) ▸ Facebook XSS attacks
 http://theharmonyguy.com/oldsite/2011/04/21/recent-facebook-xss-attacks-show-increasing- sophistication/ ▸ And so many more…
@BruntyCSP: Let’s Break Stuff TYPES OF XSS ATTACK STORED XSS (AKA PERSISTENT OR TYPE I) ▸ Occurs when input is stored - generally in a server-side database, but not always ▸ This could also be within a HTML5 database, thus never being sent to the server at all ▸ who.is was a site Rickrolled by a TXT record in the DNS of a website (yes, really)
@BruntyCSP: Let’s Break Stuff TYPES OF XSS ATTACK REFLECTED XSS (AKA NON-PERSISTENT OR TYPE II) ▸ Occurs when user input provided in the request is immediately returned - such as in an error message, search string etc ▸ Data is not stored, and in some instances, may not even reach the server (see the next type of XSS)
@BruntyCSP: Let’s Break Stuff TYPES OF XSS ATTACK DOM-BASED XSS (AKA TYPE-0) ▸ The entire flow of the attack takes place within the browser ▸ For example, if JavaScript in the site takes input, and uses something like document.write based on that input, it can be vulnerable to a DOM-based XSS attack
@BruntyCSP: Let’s Break Stuff TYPES OF XSS ATTACK SELF XSS ▸ Social-engineering form of XSS ▸ Requires the user to execute code in the browser ▸ Doing so via the console can’t be protected by a lot of methods ▸ Not considered a ‘true’ XSS attack due to requiring the user to execute the code
@BruntyCSP: Let’s Break Stuff
@BruntyCSP: Let’s Break Stuff console.log("%cStop!", "font: 5em sans-serif; font-weight: bold; color: red;");
@BruntyCSP: Let’s Break Stuff STOP THE HACKERS LET’S FIGHT BACK
@BruntyCSP: Let’s Break Stuff HTTP RESPONSE HEADER TO HELP REDUCE XSS RISKS WHAT IS A CSP?
@BruntyCSP: Let’s Break Stuff DECLARES WHAT RESOURCES ARE ALLOWED TO LOAD HOW DOES A CSP WORK?
@BruntyCSP: Let’s Break Stuff WHAT CAN WE PROTECT?
@BruntyCSP: Let’s Break Stuff DEFAULT-SRC
@BruntyCSP: Let’s Break Stuff SCRIPT-SRC
@BruntyCSP: Let’s Break Stuff STYLE-SRC
@BruntyCSP: Let’s Break Stuff UPGRADE- INSECURE-REQUESTS
@BruntyCSP: Let’s Break Stuff FORM-ACTION
@BruntyCSP: Let’s Break Stuff WORKER-SRC
 BASE-URI
 PLUGIN-TYPES
 SANDBOX
 FRAME-ANCESTORS
 CONNECT-SRC
 CHILD-SRC
 AND MANY MORE…
@BruntyCSP: Let’s Break Stuff FULL REFERENCE:https://content-security-policy.com
 https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
@BruntyCSP: Let’s Break Stuff A FEW EXAMPLES OF DIRECTIVES
@BruntyCSP: Let’s Break Stuff IMG-SRC * WILDCARD, ALLOWS ANY URL EXCEPT DATA: BLOB: FILESYSTEM: SCHEMES.
@BruntyCSP: Let’s Break Stuff OBJECT-SRC 'NONE' DON’T LOAD RESOURCES FROM ANY SOURCE
@BruntyCSP: Let’s Break Stuff STYLE-SRC ‘SELF' ALLOW LOADING FROM SAME ORIGIN (SAME SCHEME, HOST AND PORT)
@BruntyCSP: Let’s Break Stuff SCRIPT-SRC 'UNSAFE-INLINE' ALLOWS USE OF INLINE SOURCE ELEMENTS SUCH AS STYLE ATTRIBUTE, ONCLICK, OR SCRIPT TAG BODIES
@BruntyCSP: Let’s Break Stuff DON’T USE UNSAFE-INLINE
@BruntyCSP: Let’s Break Stuff <script nonce="$RANDOM">...</script> script-src 'self' 'nonce-$RANDOM'
@BruntyCSP: Let’s Break Stuff Content-Security-Policy: default-src: 'none'; script-src 'self' https://*.google.com 'nonce- pahsbdlensudsmslnaf7adn'; style-src ‘self'; img-src: 'self'; upgrade-insecure-requests; form-action ‘http:// mysite.com'; report-uri https://mfyu.report-uri.io/r/ default/csp/reportOnly;
@BruntyCSP: Let’s Break Stuff I BROKE PRODUCTION WITH A BAD CSP LEARN FROM MY MISTAKES
@BruntyCSP: Let’s Break Stuff DON’T DO WHAT I DID
@BruntyCSP: Let’s Break Stuff IMPLEMENTATION ADVICE
@BruntyCSP: Let’s Break Stuff REPORT-URI
@BruntyCSP: Let’s Break Stuff WHEN A POLICY FAILURE OCCURS, THE BROWSER SENDS A JSON PAYLOAD TO THAT URL
@BruntyCSP: Let’s Break Stuff { "csp-report": { "blocked-uri": "self", "document-uri": "https://mysite.com", "line-number": 1, "original-policy": "script-src 'self'", "script-sample": "try { for(var lastpass_iter=0; lastpass...", "source-file": "https://mysite.com", "violated-directive": "script-src 'self'" } }
@BruntyCSP: Let’s Break Stuff REPORT-URI.IO
@BruntyCSP: Let’s Break Stuff REPORT-ONLY
@BruntyCSP: Let’s Break Stuff Content-Security-Policy-Report-Only: script-src 'self' https://*.google.com; style-src 'self'; report-uri https://mfyu.report-uri.io/r/default/csp/reportOnly;
@BruntyCSP: Let’s Break Stuff USE REPORT-ONLY
@BruntyCSP: Let’s Break Stuff TRIAL STUFF BEFORE ENFORCING
@BruntyCSP: Let’s Break Stuff LOVE REPORT-ONLY
@BruntyCSP: Let’s Break Stuff BUT THERE WILL BE NOISE, LOTS OF NOISE
@BruntyCSP: Let’s Break Stuff HATE REPORT-ONLY
@BruntyCSP: Let’s Break Stuff WAYS TO REMOVE BARRIERS IN DEVELOPMENT NONCES ▸ Don’t generate multiple nonces in the same request (but do generate a new nonce on each separate request) ▸ If using a templating engine (such as twig) - add the nonce as a global so it’s available in every template by default ▸ Write a helper to generate tags with a nonce if it’s available
@BruntyCSP: Let’s Break Stuff WAYS TO MAKE DEALING WITH A CSP EASIER TIPS ▸ Have an easy and quick way to disable the CSP in production if required ▸ Better yet, have a way to switch it from enforced to report only so you can get violations reported to help you debug ▸ Add the CSP at an application level if you need a nonce - be careful with doing it at a vhost config level (as changes require web server config reload)
@BruntyCSP: Let’s Break Stuff BROWSER SUPPORT
@BruntyCSP: Let’s Break Stuff
@BruntyCSP: Let’s Break Stuff DEMO
@BruntyCSP: Let’s Break Stuff @SCOTT_HELME (HE KNOWS HIS STUFF!) (THIS ISN’T ME)
@BruntyCSP: Let’s Break Stuff HOMEWORK TIME! LINKS & FURTHER READING ▸ https://www.owasp.org/index.php/Cross-site_Scripting_(XSS) ▸ https://content-security-policy.com ▸ https://report-uri.io ▸ https://scotthelme.co.uk/just-how-much-traffic-can-you-generate-using-csp/ ▸ https://www.edgescan.com/assets/docs/reports/2016-edgescan-stats-report.pdf ▸ http://theharmonyguy.com/oldsite/2011/04/21/recent-facebook-xss-attacks-show- increasing-sophistication/ ▸ https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy ▸ https://github.com/Brunty/csp-demo
@BruntyCSP: Let’s Break Stuff THANK YOU
@BruntyCSP: Let’s Break Stuff HTTPS://JOIND.IN/TALK/E45C8
@BruntyCSP: Let’s Break Stuff QUESTIONS? @BRUNTY @PHPEM MFYU.CO.UK MATT@MFYU.CO.UK

More Related Content

PDF
Content Security Policies: Let's Break Stuff
Matt Brunt
 
PDF
Content Security Policies: Let's Break Stuff @ Scotland PHP
Matt Brunt
 
PDF
Content Security Policies: Let's Break Stuff for PHPSW at Bath Digital
Matt Brunt
 
PDF
Content Security Policies: Let's Break Stuff @ PHP London, Sept 2017
Matt Brunt
 
PDF
CSPs: Let's Break Stuff for PHP Benelux
Matt Brunt
 
PDF
Content Security Policies: Let's Break Stuff for WordCamp London
Matt Brunt
 
PPTX
XSS (Cross Site Scripting)
Shubham Gupta
 
PPTX
Word camp pune 2013 security
Gaurav Singh
 
Content Security Policies: Let's Break Stuff
Matt Brunt
 
Content Security Policies: Let's Break Stuff @ Scotland PHP
Matt Brunt
 
Content Security Policies: Let's Break Stuff for PHPSW at Bath Digital
Matt Brunt
 
Content Security Policies: Let's Break Stuff @ PHP London, Sept 2017
Matt Brunt
 
CSPs: Let's Break Stuff for PHP Benelux
Matt Brunt
 
Content Security Policies: Let's Break Stuff for WordCamp London
Matt Brunt
 
XSS (Cross Site Scripting)
Shubham Gupta
 
Word camp pune 2013 security
Gaurav Singh
 

Similar to Content Security Policies: Let's Break Stuff @ PHP South Coast 2017 (20)

PDF
DrupalCamp London 2017 - Web site insecurity
George Boobyer
 
PDF
Prototyping: Helping to take away the suck
Harvard Web Working Group
 
PDF
Smart mobile storytelling christy robinson - denver news train - april 11-1...
News Leaders Association's NewsTrain
 
PDF
Building Better Responsive Websites
Holger Bartel
 
PDF
Chaos Driven Development (Bruce Wong)
Future Insights
 
PDF
Chaos Driven Development
Bruce Wong
 
PPTX
Skynet vs planet of apes
Adrien Blind
 
PPTX
Protecting Web App users in today’s hostile environment
ajitdhumale
 
PDF
Christopher Guess presents Push
Reynolds Journalism Institute (RJI)
 
PDF
Content wants to be free (from projects) - J.boye Aarhus 2015
Rasmus Skjoldan
 
PDF
Enhance system transparency and truthfulness with request tracing
Sam Keen
 
PDF
Happy Browser, Happy User! WordSesh 2019
Katie Sylor-Miller
 
PDF
Tsc summit #2 - HTTP Header Security
Mikal Villa
 
PDF
Programming for non-programmers
Pancho Goldaracena
 
PDF
Beyond Mirai: The new age of MDDoS attacks
APNIC
 
PDF
Browser Wars 2019 - Implementing a Content Security Policy
George Boobyer
 
PDF
How Chunky Do You Need To Be?: Adaptive Content Strategies For The Real World
Christopher Grant Ward
 
PDF
Building a Modern Security Engineering Organization. Zane Lackey
Yandex
 
PDF
20160816 amlight popbahia_rnp_ansp
University of Twente
 
PDF
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use I...
OWASP Kyiv
 
DrupalCamp London 2017 - Web site insecurity
George Boobyer
 
Prototyping: Helping to take away the suck
Harvard Web Working Group
 
Smart mobile storytelling christy robinson - denver news train - april 11-1...
News Leaders Association's NewsTrain
 
Building Better Responsive Websites
Holger Bartel
 
Chaos Driven Development (Bruce Wong)
Future Insights
 
Chaos Driven Development
Bruce Wong
 
Skynet vs planet of apes
Adrien Blind
 
Protecting Web App users in today’s hostile environment
ajitdhumale
 
Christopher Guess presents Push
Reynolds Journalism Institute (RJI)
 
Content wants to be free (from projects) - J.boye Aarhus 2015
Rasmus Skjoldan
 
Enhance system transparency and truthfulness with request tracing
Sam Keen
 
Happy Browser, Happy User! WordSesh 2019
Katie Sylor-Miller
 
Tsc summit #2 - HTTP Header Security
Mikal Villa
 
Programming for non-programmers
Pancho Goldaracena
 
Beyond Mirai: The new age of MDDoS attacks
APNIC
 
Browser Wars 2019 - Implementing a Content Security Policy
George Boobyer
 
How Chunky Do You Need To Be?: Adaptive Content Strategies For The Real World
Christopher Grant Ward
 
Building a Modern Security Engineering Organization. Zane Lackey
Yandex
 
20160816 amlight popbahia_rnp_ansp
University of Twente
 
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use I...
OWASP Kyiv
 
Ad

More from Matt Brunt (10)

PDF
BDD & Behat for PHPUK
Matt Brunt
 
PDF
BDD & Behat for PHPNE
Matt Brunt
 
PDF
BDD & Behat for Glasgow PHP
Matt Brunt
 
PDF
BDD & Behat
Matt Brunt
 
PDF
BDD & Behat for Srijan Technologies
Matt Brunt
 
PDF
CSP - What? Why? How? PHPNW16
Matt Brunt
 
PDF
PHPNW16 Matt Brunt - BDD & Behat
Matt Brunt
 
PDF
BDD - telling stories through code for PHPem
Matt Brunt
 
PDF
BDD: Telling stories through code [For TechNotts]
Matt Brunt
 
PDF
Intro to Gulp
Matt Brunt
 
BDD & Behat for PHPUK
Matt Brunt
 
BDD & Behat for PHPNE
Matt Brunt
 
BDD & Behat for Glasgow PHP
Matt Brunt
 
BDD & Behat
Matt Brunt
 
BDD & Behat for Srijan Technologies
Matt Brunt
 
CSP - What? Why? How? PHPNW16
Matt Brunt
 
PHPNW16 Matt Brunt - BDD & Behat
Matt Brunt
 
BDD - telling stories through code for PHPem
Matt Brunt
 
BDD: Telling stories through code [For TechNotts]
Matt Brunt
 
Intro to Gulp
Matt Brunt
 
Ad

Recently uploaded (20)

PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PPTX
TechTalks-8-2019-Service-Management-ITIL-Refresh-ITIL-4-Framework-Supports-Ou...
bonakiduza1024
 
PDF
Zenith AI: Advanced Artificial Intelligence
Biz Preneurs
 
PDF
DP Operators-handbook-extract for the Mautical Institute
LeonelMejiaLarios
 
PDF
Hybrid model detection and classification of lung cancer
IAESIJAI
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
PPTX
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
PPTX
SOPHOS-XG Firewall Administrator PPT.pptx
AgnesMunisi
 
PDF
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
KodekX
 
PPTX
OMC Textile Division Presentation 2021.pptx
JahangirAlam816069
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
1 - Historical Antecedents, Social Consideration.pdf
tuazon2030627
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PDF
Getting Started with Data Integration: FME Form 101
Safe Software
 
PDF
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
ssuser28425f
 
PDF
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
PDF
Mushroom cultivation and it's methods.pdf
mailmeonrishi
 
PDF
August Patch Tuesday
Ivanti
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
TechTalks-8-2019-Service-Management-ITIL-Refresh-ITIL-4-Framework-Supports-Ou...
bonakiduza1024
 
Zenith AI: Advanced Artificial Intelligence
Biz Preneurs
 
DP Operators-handbook-extract for the Mautical Institute
LeonelMejiaLarios
 
Hybrid model detection and classification of lung cancer
IAESIJAI
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
SOPHOS-XG Firewall Administrator PPT.pptx
AgnesMunisi
 
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
KodekX
 
OMC Textile Division Presentation 2021.pptx
JahangirAlam816069
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
1 - Historical Antecedents, Social Consideration.pdf
tuazon2030627
 
A Presentation on Artificial Intelligence
memembruh336
 
Getting Started with Data Integration: FME Form 101
Safe Software
 
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
ssuser28425f
 
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
Mushroom cultivation and it's methods.pdf
mailmeonrishi
 
August Patch Tuesday
Ivanti
 

Content Security Policies: Let's Break Stuff @ PHP South Coast 2017

  • 1. @BruntyCSP: Let’s Break Stuff CONTENT SECURITY POLICIES LET’S BREAK STUFF
  • 2. @BruntyCSP: Let’s Break Stuff BECAUSE YOU ALL TOTALLY CARE ABOUT THIS, RIGHT?! ABOUT ME ▸ Senior Software Engineer at Viva IT
 (that group in orange hoodies at some conferences & events) ▸ @Brunty ▸ @PHPem ▸ mfyu.co.uk ▸ matt@mfyu.co.uk
  • 3. @BruntyCSP: Let’s Break Stuff BECAUSE YOU ALL TOTALLY CARE ABOUT THIS, RIGHT?! THINGS I DO ▸ Dungeon master for D&D campaigns with friends ▸ Mentor, lead & teach apprentices and junior developers ▸ Run & organise PHP East Midlands ▸ Speak at user groups and conferences ▸ Break production sites with incorrectly configured content security policies
  • 4. @BruntyCSP: Let’s Break Stuff WHY DO WE NEED A CSP?
  • 5. @BruntyCSP: Let’s Break Stuff FIRST, SOME BACKGROUND WHAT IS CROSS-SITE-SCRIPTING (XSS)? ▸ XSS enables an attacker to inject client-side scripts into non-malicious web pages viewed by other users ▸ In 2016 there was a 61% likelihood of a browser-based vulnerability being found in a web application ▸ Of those browser based vulnerabilities, 86% were found to be XSS related ▸ That’s just over 52% of all web application vulnerabilities
 https://www.edgescan.com/assets/docs/reports/2016-edgescan-stats-report.pdf
  • 6. @BruntyCSP: Let’s Break Stuff FIRST, SOME BACKGROUND WHAT CAN BE DONE WITH XSS? ▸ Things a site owner can do in JS can be done in an XSS attack ▸ Make modifications to the DOM (you could replace an entire page and control data going in/out) ▸ Use XMLHttpRequest to send HTTP requests ▸ Access HTML5 APIs - webcam, microphone, geolocation ▸ Steal cookies (and therefore steal session cookies)
  • 8. @BruntyCSP: Let’s Break Stuff FIRST, SOME BACKGROUND WELL KNOWN XSS ATTACKS ▸ Twitter self-retweeting tweet
 https://www.youtube.com/watch?v=zv0kZKC6GAM ▸ Samy worm
 https://en.wikipedia.org/wiki/Samy_(computer_worm) ▸ Facebook XSS attacks
 http://theharmonyguy.com/oldsite/2011/04/21/recent-facebook-xss-attacks-show-increasing- sophistication/ ▸ And so many more…
  • 9. @BruntyCSP: Let’s Break Stuff TYPES OF XSS ATTACK STORED XSS (AKA PERSISTENT OR TYPE I) ▸ Occurs when input is stored - generally in a server-side database, but not always ▸ This could also be within a HTML5 database, thus never being sent to the server at all ▸ who.is was a site Rickrolled by a TXT record in the DNS of a website (yes, really)
  • 10. @BruntyCSP: Let’s Break Stuff TYPES OF XSS ATTACK REFLECTED XSS (AKA NON-PERSISTENT OR TYPE II) ▸ Occurs when user input provided in the request is immediately returned - such as in an error message, search string etc ▸ Data is not stored, and in some instances, may not even reach the server (see the next type of XSS)
  • 11. @BruntyCSP: Let’s Break Stuff TYPES OF XSS ATTACK DOM-BASED XSS (AKA TYPE-0) ▸ The entire flow of the attack takes place within the browser ▸ For example, if JavaScript in the site takes input, and uses something like document.write based on that input, it can be vulnerable to a DOM-based XSS attack
  • 12. @BruntyCSP: Let’s Break Stuff TYPES OF XSS ATTACK SELF XSS ▸ Social-engineering form of XSS ▸ Requires the user to execute code in the browser ▸ Doing so via the console can’t be protected by a lot of methods ▸ Not considered a ‘true’ XSS attack due to requiring the user to execute the code
  • 14. @BruntyCSP: Let’s Break Stuff console.log("%cStop!", "font: 5em sans-serif; font-weight: bold; color: red;");
  • 15. @BruntyCSP: Let’s Break Stuff STOP THE HACKERS LET’S FIGHT BACK
  • 16. @BruntyCSP: Let’s Break Stuff HTTP RESPONSE HEADER TO HELP REDUCE XSS RISKS WHAT IS A CSP?
  • 17. @BruntyCSP: Let’s Break Stuff DECLARES WHAT RESOURCES ARE ALLOWED TO LOAD HOW DOES A CSP WORK?
  • 18. @BruntyCSP: Let’s Break Stuff WHAT CAN WE PROTECT?
  • 19. @BruntyCSP: Let’s Break Stuff DEFAULT-SRC
  • 20. @BruntyCSP: Let’s Break Stuff SCRIPT-SRC
  • 21. @BruntyCSP: Let’s Break Stuff STYLE-SRC
  • 22. @BruntyCSP: Let’s Break Stuff UPGRADE- INSECURE-REQUESTS
  • 23. @BruntyCSP: Let’s Break Stuff FORM-ACTION
  • 24. @BruntyCSP: Let’s Break Stuff WORKER-SRC
 BASE-URI
 PLUGIN-TYPES
 SANDBOX
 FRAME-ANCESTORS
 CONNECT-SRC
 CHILD-SRC
 AND MANY MORE…
  • 25. @BruntyCSP: Let’s Break Stuff FULL REFERENCE:https://content-security-policy.com
 https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
  • 26. @BruntyCSP: Let’s Break Stuff A FEW EXAMPLES OF DIRECTIVES
  • 27. @BruntyCSP: Let’s Break Stuff IMG-SRC * WILDCARD, ALLOWS ANY URL EXCEPT DATA: BLOB: FILESYSTEM: SCHEMES.
  • 28. @BruntyCSP: Let’s Break Stuff OBJECT-SRC 'NONE' DON’T LOAD RESOURCES FROM ANY SOURCE
  • 29. @BruntyCSP: Let’s Break Stuff STYLE-SRC ‘SELF' ALLOW LOADING FROM SAME ORIGIN (SAME SCHEME, HOST AND PORT)
  • 30. @BruntyCSP: Let’s Break Stuff SCRIPT-SRC 'UNSAFE-INLINE' ALLOWS USE OF INLINE SOURCE ELEMENTS SUCH AS STYLE ATTRIBUTE, ONCLICK, OR SCRIPT TAG BODIES
  • 31. @BruntyCSP: Let’s Break Stuff DON’T USE UNSAFE-INLINE
  • 32. @BruntyCSP: Let’s Break Stuff <script nonce="$RANDOM">...</script> script-src 'self' 'nonce-$RANDOM'
  • 33. @BruntyCSP: Let’s Break Stuff Content-Security-Policy: default-src: 'none'; script-src 'self' https://*.google.com 'nonce- pahsbdlensudsmslnaf7adn'; style-src ‘self'; img-src: 'self'; upgrade-insecure-requests; form-action ‘http:// mysite.com'; report-uri https://mfyu.report-uri.io/r/ default/csp/reportOnly;
  • 34. @BruntyCSP: Let’s Break Stuff I BROKE PRODUCTION WITH A BAD CSP LEARN FROM MY MISTAKES
  • 35. @BruntyCSP: Let’s Break Stuff DON’T DO WHAT I DID
  • 36. @BruntyCSP: Let’s Break Stuff IMPLEMENTATION ADVICE
  • 37. @BruntyCSP: Let’s Break Stuff REPORT-URI
  • 38. @BruntyCSP: Let’s Break Stuff WHEN A POLICY FAILURE OCCURS, THE BROWSER SENDS A JSON PAYLOAD TO THAT URL
  • 39. @BruntyCSP: Let’s Break Stuff { "csp-report": { "blocked-uri": "self", "document-uri": "https://mysite.com", "line-number": 1, "original-policy": "script-src 'self'", "script-sample": "try { for(var lastpass_iter=0; lastpass...", "source-file": "https://mysite.com", "violated-directive": "script-src 'self'" } }
  • 40. @BruntyCSP: Let’s Break Stuff REPORT-URI.IO
  • 41. @BruntyCSP: Let’s Break Stuff REPORT-ONLY
  • 42. @BruntyCSP: Let’s Break Stuff Content-Security-Policy-Report-Only: script-src 'self' https://*.google.com; style-src 'self'; report-uri https://mfyu.report-uri.io/r/default/csp/reportOnly;
  • 43. @BruntyCSP: Let’s Break Stuff USE REPORT-ONLY
  • 44. @BruntyCSP: Let’s Break Stuff TRIAL STUFF BEFORE ENFORCING
  • 45. @BruntyCSP: Let’s Break Stuff LOVE REPORT-ONLY
  • 46. @BruntyCSP: Let’s Break Stuff BUT THERE WILL BE NOISE, LOTS OF NOISE
  • 47. @BruntyCSP: Let’s Break Stuff HATE REPORT-ONLY
  • 48. @BruntyCSP: Let’s Break Stuff WAYS TO REMOVE BARRIERS IN DEVELOPMENT NONCES ▸ Don’t generate multiple nonces in the same request (but do generate a new nonce on each separate request) ▸ If using a templating engine (such as twig) - add the nonce as a global so it’s available in every template by default ▸ Write a helper to generate tags with a nonce if it’s available
  • 49. @BruntyCSP: Let’s Break Stuff WAYS TO MAKE DEALING WITH A CSP EASIER TIPS ▸ Have an easy and quick way to disable the CSP in production if required ▸ Better yet, have a way to switch it from enforced to report only so you can get violations reported to help you debug ▸ Add the CSP at an application level if you need a nonce - be careful with doing it at a vhost config level (as changes require web server config reload)
  • 50. @BruntyCSP: Let’s Break Stuff BROWSER SUPPORT
  • 53. @BruntyCSP: Let’s Break Stuff @SCOTT_HELME (HE KNOWS HIS STUFF!) (THIS ISN’T ME)
  • 54. @BruntyCSP: Let’s Break Stuff HOMEWORK TIME! LINKS & FURTHER READING ▸ https://www.owasp.org/index.php/Cross-site_Scripting_(XSS) ▸ https://content-security-policy.com ▸ https://report-uri.io ▸ https://scotthelme.co.uk/just-how-much-traffic-can-you-generate-using-csp/ ▸ https://www.edgescan.com/assets/docs/reports/2016-edgescan-stats-report.pdf ▸ http://theharmonyguy.com/oldsite/2011/04/21/recent-facebook-xss-attacks-show- increasing-sophistication/ ▸ https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy ▸ https://github.com/Brunty/csp-demo
  • 55. @BruntyCSP: Let’s Break Stuff THANK YOU
  • 56. @BruntyCSP: Let’s Break Stuff HTTPS://JOIND.IN/TALK/E45C8
  • 57. @BruntyCSP: Let’s Break Stuff QUESTIONS? @BRUNTY @PHPEM MFYU.CO.UK MATT@MFYU.CO.UK