defeating cross-site scripting with content security policy
Description: How a new proposed HTTP response header can help increase the depth of your web application defenses.
Transcript:
Defeating cross-site scripting with Content Security Policy
Francois Marier <[email protected]>
what is a cross-site scripting (aka “XSS”) attack?
preventing XSS attacks
// vulnerable: $title is interpolated into the markup unescaped
print <<<EOF
<html>
<h1>$title</h1>
</html>
EOF;

// escaped before output (escape() stands in for an HTML-escaping function)
$title = escape($title);
print <<<EOF
<html>
<h1>$title</h1>
</html>
EOF;
templating system
page.tpl:
<html><h1>{title}</h1></html>
page.php:
render("page.tpl", $title);
auto-escaping turned ON
page.tpl:
<html><h1>{title|raw}</h1></html>
page.php:
render("page.tpl", $title);
auto-escaping turned ON
auto-escaping turned ON != escaping always ON
browser default = allow all
the real problem:
a way to get the browser to enforce the restrictions you want on your site
$ curl --head https://www.libravatar.org/
X-Content-Security-Policy: default-src 'self' ; img-src 'self' data
$ curl --head https://www.libravatar.org/account/login/
X-Content-Security-Policy: default-src 'self' ; img-src 'self' data ; frame-src 'self' https://browserid.org ; script-src 'self' https://browserid.org
$ curl --head http://fmarier.org/
X-Content-Security-Policy: default-src 'none' ; img-src 'self' ; style-src 'self' ; font-src 'self'
<object> <script> <style> <img>
<audio> & <video>
<frame> & <iframe>
<font>
WebSocket & XMLHttpRequest
>= 4 / >= 13 / >= 10 / >= 5
what does a CSP-enabled website look like?
inline scripts are not executed unless explicitly allowed by your policy
external resources are not loaded unless explicitly allowed by your policy
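As an added example (not from the talk), a small Python checker that applies the rules the slides describe to the slides' own policies: a resource is governed by its specific directive, otherwise by default-src, otherwise by the browser default of allowing everything, and inline script only runs when the policy explicitly allows it. The sample policy is constructed from the login-page header; the data scheme is written as data: and the 'unsafe-inline' keyword is taken from the W3C draft the talk links, both of which are assumptions here.

```python
from urllib.parse import urlsplit

# Which directive governs each resource kind the slides list.
DIRECTIVE_FOR = {
    "script": "script-src", "style": "style-src", "img": "img-src",
    "font": "font-src", "frame": "frame-src", "object": "object-src",
    "media": "media-src", "connect": "connect-src",
}
# Constructed sample: the login-page policy from the slides, data scheme
# written as "data:" (W3C draft syntax, assumed here).
LOGIN_POLICY = ("default-src 'self' ; img-src 'self' data: ; "
                "frame-src 'self' https://browserid.org ; "
                "script-src 'self' https://browserid.org")
SITE_ORIGIN = "https://www.libravatar.org"

def parse_policy(header):
    """Split a policy header into {directive: [source expressions]}."""
    policy = {}
    for clause in header.split(";"):
        tokens = clause.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def source_matches(source, url, page_origin):
    """Does one source expression permit fetching url from page_origin?"""
    parts = urlsplit(url)
    origin = f"{parts.scheme}://{parts.netloc}"
    if source == "'none'":
        return False
    if source == "'self'":
        return origin == page_origin
    if source == "*":
        return True
    if source.endswith(":"):   # scheme source, e.g. data: or https:
        return parts.scheme == source[:-1]
    return origin == source    # host source, e.g. https://browserid.org

def governing_sources(policy, resource_type, default):
    """Directive for resource_type, else default-src, else the given default."""
    return policy.get(DIRECTIVE_FOR[resource_type], policy.get("default-src", default))

def is_allowed(header, resource_type, url, page_origin):
    """No directive and no default-src means browser default: allow all."""
    sources = governing_sources(parse_policy(header), resource_type, ["*"])
    return any(source_matches(s, url, page_origin) for s in sources)

def inline_allowed(header, resource_type):
    """Inline <script>/<style> and javascript: URIs need an explicit
    'unsafe-inline' (W3C keyword, assumed); no policy at all allows them."""
    sources = governing_sources(parse_policy(header), resource_type, ["'unsafe-inline'"])
    return "'unsafe-inline'" in sources
```

Run it against your own headers from curl --head to see which loads a policy would block before you deploy it.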
preparing your website for CSP
(aka things you can do today)
eliminate inline scripts and styles
<script>do_stuff();</script>
<script src="do_stuff.js"></script>
eliminate javascript: URIs
<a href="javascript:go()">Go!</a>
<a id="go-button" href="#">Go!</a>
var button = document.getElementById('go-button');
button.onclick = go;
add headers in web server config
<Location /some/page>
Header set X-Content-Security-Policy "default-src 'self' ; script-src 'self' http://example.org"
</Location>
not a replacement for proper XSS hygiene
great tool to increase the depth of your defenses
Spec: http://www.w3.org/TR/CSP/
HOWTO: https://developer.mozilla.org/en/Security/CSP
Copyright © 2012 François Marier. Released under the terms of the Creative Commons Attribution Share Alike 3.0 Unported Licence.
fmarier fmarier
Credits:
Biohazard wallpaper: http://www.flickr.com/photos/rockyx/4273385120/
Under Construction: https://secure.flickr.com/photos/aguichard/6864586905/