SlideShare a Scribd company logo

Defeating Cross-Site Scripting with Content Security Policy (updated)

F
Francois Marier

The document discusses Cross-Site Scripting (XSS) attacks and introduces Content Security Policy (CSP) as a preventive measure. It explains how to implement CSP by configuring web server headers and highlights steps to eliminate risky practices such as inline scripts. Additionally, it emphasizes that while CSP enhances security, it is not a substitute for basic XSS hygiene.

TechnologyNews & Politics
1 of 62
Downloaded 23 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
Defeating cross-site scripting with Content Security Policy François Marier – @fmarier
what is a cross-site scripting (aka “XSS”) attack?
Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)
preventing XSS attacks
print <<<EOF <html> <h1>$title</h1> </html> EOF;
$title = escape($title); print <<<EOF <html> <h1>$title</h1> </html> EOF;
templating system
page.tpl: <html> <h1>{title}</h1> </html> page.php: render(“page.tpl”, $title);
auto-escaping turned ON
page.tpl: <html> <h1>{title|raw}</h1> </html> page.php: render(“page.tpl”, $title);
auto-escaping turned ON escaping always ON
the real problem: browser default = allow all
Defeating Cross-Site Scripting with Content Security Policy (updated)
a way to get the browser to enforce the restrictions you want on your site
$ curl --head http://example.com/ Content-Security-Policy: default-src 'self' ; img-src 'self' data ;
$ curl --head https://example.com/login Content-Security-Policy: default-src 'self' ; img-src 'self' data ; frame-src 'self' https://login.persona.org ; script-src 'self' https://login.persona.org
$ curl --head http://fmarier.org/ Content-Security-Policy: default-src 'none' ; img-src 'self' ; style-src 'self' ; font-src 'self'
<object>, <applet> & <embed> <script> <style> & <link> <img> <audio>, <video>, <source> & <track> <frame> & <iframe> @font-face WebSocket, EventSource, & XMLHttpRequest
>= 10
what does a CSP-enabled website look like?
Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)
unless explicitly allowed by your policy inline scripts are not executed
Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)
unless explicitly allowed by your policy external resources are not loaded
preparing your website for CSP (aka things you can do today)
eliminate inline scripts and styles
<script> do_stuff(); </script>
<script src=”do_stuff.js”> </script>
eliminate javascript: URIs
<a href=”javascript:go()”> Go! </a>
<a id=”go-button” href=”#”> Go! </a> var button = document.getElementById('go-button'); button.onclick = go;
rolling out CSP
start with a loose policy
default-src 'self' *.example.com data;
default-src 'self' *.example.com data; options unsafe-inline
work towards a stricter policy
default-src 'self'; img-src 'self' static.example.com data; style-src static.example.com; script-src static.example.com
use the reporting mode
Content-Security-Policy-Report-Only: default-src 'none' ; report-uri http://example.com/report.cgi
{ "csp-report": { "document-uri": "http://example.com/page.html", "referrer": "http://evil.example.com/haxor.html", "blocked-uri": "http://evil.example.com/foo.png", "violated-directive": "default-src 'none'", "original-policy": "default-src 'none' ... " } }
add headers in web server config
<Location /some/page> Header set Content-Security-Policy "default-src 'self' ; script-src 'self' http://example.org" </Location>
not a replacement for proper XSS hygiene
great tool to increase the depth of your defenses
Spec: http://www.w3.org/TR/CSP/ HOWTO: https://developer.mozilla.org/en/Security/CSP @fmarier http://fmarier.org
100 % FREE! bonus HTTP header
Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)
wouldn't it be nice if the browser...
...blocked all HTTP requests there?
HTTP Strict Transport Security
$ curl --head https://login.persona.org HTTP/1.1 200 OK Vary: Accept-Encoding,Accept-Language Cache-Control: public, max-age=0 Content-Type: text/html; charset=utf8 Strict-Transport-Security: max-age= 2592000 Date: Thu, 16 Aug 2012 03:29:19 GMT ETag: "2943768d6a45793897e83bf8804cd711" Connection: keep-alive X-Frame-Options: DENY Content-Length: 5374
Defeating Cross-Site Scripting with Content Security Policy (updated)
HTTPS only site turn HSTS on
Spec: http://www.w3.org/TR/CSP/ https://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec HOWTO: https://developer.mozilla.org/en/Security/CSP https://developer.mozilla.org/en/Security/HTTP_Strict_Transport_Security @fmarier http://fmarier.org
Photo credits: Biohazard wallpaper: http://www.flickr.com/photos/rockyx/4273385120/ Under Construction: https://secure.flickr.com/photos/aguichard/6864586905/ Castle walls: https://secure.flickr.com/photos/rdale/585105348/ Wash hands: https://secure.flickr.com/photos/hygienematters/4504612019/ Copyright © 2012 François Marier Released under the terms of the Creative Commons Attribution Share Alike 3.0 Unported Licence

More Related Content

PDF
Content Security Policy
Ryan LaBouve
 
PDF
Integrity protection for third-party JavaScript
Francois Marier
 
PDF
Integrity protection for third-party JavaScript
Francois Marier
 
PDF
Security and Privacy on the Web in 2016
Francois Marier
 
PDF
Preventing XSS with Content Security Policy
Ksenia Peguero
 
PDF
Securing your AngularJS Application
Philippe De Ryck
 
PDF
Why Traditional Web Security Technologies no Longer Suffice to Keep You Safe
Philippe De Ryck
 
PPTX
Java script, security and you - Tri-Cities Javascript Developers Group
Adam Caudill
 
Content Security Policy
Ryan LaBouve
 
Integrity protection for third-party JavaScript
Francois Marier
 
Integrity protection for third-party JavaScript
Francois Marier
 
Security and Privacy on the Web in 2016
Francois Marier
 
Preventing XSS with Content Security Policy
Ksenia Peguero
 
Securing your AngularJS Application
Philippe De Ryck
 
Why Traditional Web Security Technologies no Longer Suffice to Keep You Safe
Philippe De Ryck
 
Java script, security and you - Tri-Cities Javascript Developers Group
Adam Caudill
 

What's hot (20)

PDF
Http security response headers
mohammadhosseinrouha
 
PDF
JavaScript Security
Jason Harwig
 
PPTX
Javascript Security
jgrahamc
 
PDF
URL to HTML
Francois Marier
 
PPTX
Phu appsec13
drewz lin
 
PDF
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
drewz lin
 
PDF
Modern Web Application Defense
Frank Kim
 
PDF
Protecting Java EE Web Apps with Secure HTTP Headers
Frank Kim
 
PDF
Web vulnerabilities
Oleksandr Kovalchuk
 
PDF
Java EE 6 Security in practice with GlassFish
Markus Eisele
 
PDF
HTTP Security Headers Every Java Developer Must Know
Ayoma Wijethunga
 
PPT
Web Apps Security
Victor Bucutea
 
PPTX
Client-side JavaScript Vulnerabilities
Ory Segal
 
PDF
HTTP Security Headers
Ismael Goncalves
 
PDF
CONFidence 2018: Defense-in-depth techniques for modern web applications and ...
PROIDEA
 
ODP
Csrf not-all-defenses-are-created-equal
drewz lin
 
PDF
Abusing & Securing XPC in macOS apps
SecuRing
 
PDF
Developer's Guide to JavaScript and Web Cryptography
Kevin Hakanson
 
PPTX
Web Application Security in front end
Erlend Oftedal
 
PPT
Same Origin Policy Weaknesses
kuza55
 
Http security response headers
mohammadhosseinrouha
 
JavaScript Security
Jason Harwig
 
Javascript Security
jgrahamc
 
URL to HTML
Francois Marier
 
Phu appsec13
drewz lin
 
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
drewz lin
 
Modern Web Application Defense
Frank Kim
 
Protecting Java EE Web Apps with Secure HTTP Headers
Frank Kim
 
Web vulnerabilities
Oleksandr Kovalchuk
 
Java EE 6 Security in practice with GlassFish
Markus Eisele
 
HTTP Security Headers Every Java Developer Must Know
Ayoma Wijethunga
 
Web Apps Security
Victor Bucutea
 
Client-side JavaScript Vulnerabilities
Ory Segal
 
HTTP Security Headers
Ismael Goncalves
 
CONFidence 2018: Defense-in-depth techniques for modern web applications and ...
PROIDEA
 
Csrf not-all-defenses-are-created-equal
drewz lin
 
Abusing & Securing XPC in macOS apps
SecuRing
 
Developer's Guide to JavaScript and Web Cryptography
Kevin Hakanson
 
Web Application Security in front end
Erlend Oftedal
 
Same Origin Policy Weaknesses
kuza55
 
Ad

Viewers also liked (20)

PPT
Reign Seven Nine; Web Designing India Company Profile
Raincheck Networks Pvt Ltd
 
PPTX
Megha india ppt
loveunona
 
PPTX
Global Software Solutions
Shray Jali
 
PPS
Hacking Client Side Insecurities
amiable_indian
 
PDF
Cisco IOS Attack & Defense - The State of the Art
amiable_indian
 
PPS
Workshop on Wireless Security
amiable_indian
 
PDF
Hack IBM Connections - Advance Use - Iframes & more...
Ulises Gascón González
 
PDF
Implications of Growing Differences in Life Expectancy Across Socioeconomic G...
Congressional Budget Office
 
PPTX
Building A Modern Security Policy For Social Media and Government
Michael Smith
 
PDF
Top Ten Web Hacking Techniques (2010)
Jeremiah Grossman
 
PDF
Implications of Differential Mortality for Analyses of Social Security Policy...
Congressional Budget Office
 
PPTX
Reflective and Stored XSS- Cross Site Scripting
InMobi Technology
 
PDF
Gartner Magic Quadrant for Secure Email Gateways 2014
Michael Bunn
 
PPT
Network security chapter 6 and 7 internet architecture
Muhammad ismail Shah
 
PPT
Network Security Primer
Venkatesh Iyer
 
PDF
Saudi arabia's food security policy and nutrition
ExternalEvents
 
PDF
Security Policy Checklist
backdoor
 
PPT
develop security policy
Info-Tech Research Group
 
PPTX
A business driven approach to security policy management a technical perspec...
AlgoSec
 
PDF
National Cyber Security Policy 2013 (NCSP)
Gopal Choudhary
 
Reign Seven Nine; Web Designing India Company Profile
Raincheck Networks Pvt Ltd
 
Megha india ppt
loveunona
 
Global Software Solutions
Shray Jali
 
Hacking Client Side Insecurities
amiable_indian
 
Cisco IOS Attack & Defense - The State of the Art
amiable_indian
 
Workshop on Wireless Security
amiable_indian
 
Hack IBM Connections - Advance Use - Iframes & more...
Ulises Gascón González
 
Implications of Growing Differences in Life Expectancy Across Socioeconomic G...
Congressional Budget Office
 
Building A Modern Security Policy For Social Media and Government
Michael Smith
 
Top Ten Web Hacking Techniques (2010)
Jeremiah Grossman
 
Implications of Differential Mortality for Analyses of Social Security Policy...
Congressional Budget Office
 
Reflective and Stored XSS- Cross Site Scripting
InMobi Technology
 
Gartner Magic Quadrant for Secure Email Gateways 2014
Michael Bunn
 
Network security chapter 6 and 7 internet architecture
Muhammad ismail Shah
 
Network Security Primer
Venkatesh Iyer
 
Saudi arabia's food security policy and nutrition
ExternalEvents
 
Security Policy Checklist
backdoor
 
develop security policy
Info-Tech Research Group
 
A business driven approach to security policy management a technical perspec...
AlgoSec
 
National Cyber Security Policy 2013 (NCSP)
Gopal Choudhary
 
Ad

Similar to Defeating Cross-Site Scripting with Content Security Policy (updated) (20)

PDF
Defeating Cross-Site Scripting with Content Security Policy
Francois Marier
 
PPTX
Analysis of HTTP Security Headers in Turkey
Dr. Emin İslam Tatlı
 
PDF
Csp and http headers
ColdFusionConference
 
PDF
Csp and http headers
devObjective
 
PDF
DefCamp 2013 - Http header analysis
DefCamp
 
PDF
HTTP_Header_Security.pdf
ksudhakarreddy5
 
PDF
Tsc summit #2 - HTTP Header Security
Mikal Villa
 
PDF
http security response headers for web security
Olatunji Adetunji
 
PDF
Rails security: above and beyond the defaults
Matias Korhonen
 
PDF
Content Security Policy - Lessons learned at Yahoo
Binu Ramakrishnan
 
PPTX
Lec4-WebClientSideExploitation.pptxdslkjhgfkjdshgfkjfhdkjg
arfaouisalim
 
PDF
Securing the client side web
SC5.io
 
PDF
Content Security Policy
Austin Gil
 
PDF
Web Security - CSP & Web Cryptography
Samsung Open Source Group
 
PDF
Content Security Policy (CSP)
Arun Kumar
 
PDF
Future of Web Security Opened up by CSP
Muneaki Nishimura
 
PDF
W3C Content Security Policy
Markus Wichmann
 
PDF
2015-04-25-content-security-policy
Sastry Tumuluri
 
PPTX
CollabSphere SC 103 : Domino on the Web : Yes, It's (Probably) Hackable
Darren Duke
 
PDF
Browser Wars 2019 - Implementing a Content Security Policy
George Boobyer
 
Defeating Cross-Site Scripting with Content Security Policy
Francois Marier
 
Analysis of HTTP Security Headers in Turkey
Dr. Emin İslam Tatlı
 
Csp and http headers
ColdFusionConference
 
Csp and http headers
devObjective
 
DefCamp 2013 - Http header analysis
DefCamp
 
HTTP_Header_Security.pdf
ksudhakarreddy5
 
Tsc summit #2 - HTTP Header Security
Mikal Villa
 
http security response headers for web security
Olatunji Adetunji
 
Rails security: above and beyond the defaults
Matias Korhonen
 
Content Security Policy - Lessons learned at Yahoo
Binu Ramakrishnan
 
Lec4-WebClientSideExploitation.pptxdslkjhgfkjdshgfkjfhdkjg
arfaouisalim
 
Securing the client side web
SC5.io
 
Content Security Policy
Austin Gil
 
Web Security - CSP & Web Cryptography
Samsung Open Source Group
 
Content Security Policy (CSP)
Arun Kumar
 
Future of Web Security Opened up by CSP
Muneaki Nishimura
 
W3C Content Security Policy
Markus Wichmann
 
2015-04-25-content-security-policy
Sastry Tumuluri
 
CollabSphere SC 103 : Domino on the Web : Yes, It's (Probably) Hackable
Darren Duke
 
Browser Wars 2019 - Implementing a Content Security Policy
George Boobyer
 

More from Francois Marier (20)

PDF
Security and Privacy settings for Firefox Power Users
Francois Marier
 
PDF
Getting Browsers to Improve the Security of Your Webapp
Francois Marier
 
PDF
Hardening Firefox for Security and Privacy
Francois Marier
 
PDF
Privacy and Tracking Protection in Firefox
Francois Marier
 
PDF
Security and Privacy on the Web in 2015
Francois Marier
 
PDF
URL to HTML
Francois Marier
 
PDF
Supporting Debian machines for friends and family
Francois Marier
 
PDF
Outsourcing your webapp maintenance to Debian
Francois Marier
 
PDF
Easy logins for Ruby web applications
Francois Marier
 
PDF
Easy logins for JavaScript web applications
Francois Marier
 
PDF
You're still using passwords on your site?
Francois Marier
 
PDF
Killing Passwords with JavaScript
Francois Marier
 
PDF
Securing the Web without site-specific passwords
Francois Marier
 
PDF
Easy logins for PHP web applications
Francois Marier
 
PDF
Persona: a federated and privacy-protecting login system for the whole Web
Francois Marier
 
PDF
Taking the pain out of signing users in
Francois Marier
 
PDF
Mozilla Persona for your domain
Francois Marier
 
PDF
Passwords and freedom: can we lose the former and retain the latter?
Francois Marier
 
PDF
Login de usuários: podemos fazer algo melhor que usar senhas ou serviços cent...
Francois Marier
 
PDF
The problem with passwords on the web and what to do about it
Francois Marier
 
Security and Privacy settings for Firefox Power Users
Francois Marier
 
Getting Browsers to Improve the Security of Your Webapp
Francois Marier
 
Hardening Firefox for Security and Privacy
Francois Marier
 
Privacy and Tracking Protection in Firefox
Francois Marier
 
Security and Privacy on the Web in 2015
Francois Marier
 
URL to HTML
Francois Marier
 
Supporting Debian machines for friends and family
Francois Marier
 
Outsourcing your webapp maintenance to Debian
Francois Marier
 
Easy logins for Ruby web applications
Francois Marier
 
Easy logins for JavaScript web applications
Francois Marier
 
You're still using passwords on your site?
Francois Marier
 
Killing Passwords with JavaScript
Francois Marier
 
Securing the Web without site-specific passwords
Francois Marier
 
Easy logins for PHP web applications
Francois Marier
 
Persona: a federated and privacy-protecting login system for the whole Web
Francois Marier
 
Taking the pain out of signing users in
Francois Marier
 
Mozilla Persona for your domain
Francois Marier
 
Passwords and freedom: can we lose the former and retain the latter?
Francois Marier
 
Login de usuários: podemos fazer algo melhor que usar senhas ou serviços cent...
Francois Marier
 
The problem with passwords on the web and what to do about it
Francois Marier
 

Recently uploaded (20)

PDF
DASA ADMISSION 2024_FirstRound_FirstRank_LastRank.pdf
rameswartudu05
 
PDF
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PDF
Architecture types and enterprise applications.pdf
ChristopherTHyatt
 
PDF
Transform Your ITIL® 4 & ITSM Strategy with AI in 2025.pdf
PDCA Consulting
 
PPTX
observCloud-Native Containerability and monitoring.pptx
anupsingh76937
 
PDF
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
ssuser28425f
 
PDF
Getting Started with Data Integration: FME Form 101
Safe Software
 
PDF
Hindi spoken digit analysis for native and non-native speakers
IAESIJAI
 
PPTX
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
PPTX
The various Industrial Revolutions .pptx
bandileshozi3
 
PDF
2021 HotChips TSMC Packaging Technologies for Chiplets and 3D_0819 publish_pu...
KeXue5
 
PPTX
Final SEM Unit 1 for mit wpu at pune .pptx
anishtilekar08
 
PDF
1 - Historical Antecedents, Social Consideration.pdf
tuazon2030627
 
PDF
Zenith AI: Advanced Artificial Intelligence
Biz Preneurs
 
PPTX
TLE Review Electricity (Electricity).pptx
JayPolicarpio2
 
PDF
How ambidextrous entrepreneurial leaders react to the artificial intelligence...
IAESIJAI
 
PDF
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
KodekX
 
PPTX
1. Introduction to Computer Programming.pptx
bonakiduza1024
 
PPTX
O2C Customer Invoices to Receipt V15A.pptx
ssuserbfa915
 
DASA ADMISSION 2024_FirstRound_FirstRank_LastRank.pdf
rameswartudu05
 
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
Architecture types and enterprise applications.pdf
ChristopherTHyatt
 
Transform Your ITIL® 4 & ITSM Strategy with AI in 2025.pdf
PDCA Consulting
 
observCloud-Native Containerability and monitoring.pptx
anupsingh76937
 
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
ssuser28425f
 
Getting Started with Data Integration: FME Form 101
Safe Software
 
Hindi spoken digit analysis for native and non-native speakers
IAESIJAI
 
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
The various Industrial Revolutions .pptx
bandileshozi3
 
2021 HotChips TSMC Packaging Technologies for Chiplets and 3D_0819 publish_pu...
KeXue5
 
Final SEM Unit 1 for mit wpu at pune .pptx
anishtilekar08
 
1 - Historical Antecedents, Social Consideration.pdf
tuazon2030627
 
Zenith AI: Advanced Artificial Intelligence
Biz Preneurs
 
TLE Review Electricity (Electricity).pptx
JayPolicarpio2
 
How ambidextrous entrepreneurial leaders react to the artificial intelligence...
IAESIJAI
 
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
KodekX
 
1. Introduction to Computer Programming.pptx
bonakiduza1024
 
O2C Customer Invoices to Receipt V15A.pptx
ssuserbfa915
 

Defeating Cross-Site Scripting with Content Security Policy (updated)