17
Demystifying CSP Ilya Nesterov, Shape Security mailto: [email protected] @ilya_online

AppSec USA 2016: Demystifying CSP

Embed Size (px)

Citation preview

Page 1: AppSec USA 2016: Demystifying CSP

Demystifying CSP

Ilya Nesterov, Shape Securitymailto: [email protected]@ilya_online

mailto:[email protected]
Page 2: AppSec USA 2016: Demystifying CSP

What does CSP stand for?

Content Security Policy (CSP) - a mechanism web applications can use to mitigate a broad class of content injection vulnerabilities, such as XSS.

Page 3: AppSec USA 2016: Demystifying CSP

CSP Level 1

Page 4: AppSec USA 2016: Demystifying CSP

CSP Level 1

• Policy delivery via HTTP header only•Multiple CSP headers allowed• Sandbox directive is optional• script-src governs workers

Page 5: AppSec USA 2016: Demystifying CSP

CSP Level 2

Page 6: AppSec USA 2016: Demystifying CSP

New in CSP Level 2

• Policy delivery via <meta>• New directives: child-src, form-action, frame-

ancestors, base-uri, plugin-types• Source-expression supports hash and nonce• host-source can use path for matching• SecurityPolicyViolationEvent • Extended violation report• child-src governs workers

Page 7: AppSec USA 2016: Demystifying CSP

CSP Level 3

Page 8: AppSec USA 2016: Demystifying CSP

New in CSP Level 3

• New directives: manifest-src, worker-src, report-to, block-mixed-content, upgrade-insecure-requests, require-sri-for• frame-src undeprecated• New in source-expression: 'strict-dynamic'• Changes in url and source-expression matching

algorithms• Additional changes to violation reports

Page 9: AppSec USA 2016: Demystifying CSP

Browser compatibility CSP level 1

Page 10: AppSec USA 2016: Demystifying CSP

Browser compatibility CSP level 2

Page 11: AppSec USA 2016: Demystifying CSP

CSP directives compatibility matrix

Page 12: AppSec USA 2016: Demystifying CSP

Alexa top 1 000 000 data

• 1 000 000 sites landing pages• 4515 sites have CSP policies• 2339 individual policies• 116 sites have CSP-RO (25 policies) • 986 sites send violation reports • 1323 sites use only frame-ancestors • 102 upgrade-insecure-requests

Page 13: AppSec USA 2016: Demystifying CSP

CSP policies closer look

Page 14: AppSec USA 2016: Demystifying CSP

Alexa top 1 000 000 data

• 72.7% CSP (default-src OR script-src AND object-src)

• 7.52% CSP (no unsafe-inline)–1.84% whitelist via nonce/hash

• 3.04% CSP (nonce/hash + unsafe inline)

Page 15: AppSec USA 2016: Demystifying CSP

How to build good CSP

• Define default-src or script-src and object-src• Say NO to ‘unsafe-inline’•Whitelist via nonce/hash• Narrow down whitelist• strict-dynamic• Get continuous feedback via violation reports

Page 16: AppSec USA 2016: Demystifying CSP

CSP what is next?

• Decrease deployment friction:– ‘strict-dynamic’–middleware to build CSP automatically–support for legacy software (LB, RP)

• Faster adoption of new standards by Browsers• Education and documentation•More tools!

Page 17: AppSec USA 2016: Demystifying CSP

Resources:

• https://cspvalidator.org • https://csp-evaluator.withgoogle.com/• https://csp.withgoogle.com • https://github.com/shapesecurity/salvation • https://report-uri.io • https://www.w3.org/TR/CSP3/• https://www.w3.org/2011/webappsec/

https://cspvalidator.org/
https://csp-evaluator.withgoogle.com/
https://csp.withgoogle.com/
https://github.com/shapesecurity/salvation
https://report-uri.io/
https://www.w3.org/TR/CSP3/
https://www.w3.org/2011/webappsec/

AppSec 101 - Eivind Arvesen

AppSec 101 - Eivind Arvesen

Documents
Taking AppSec to 11 - Meetupfiles.meetup.com/18411966/Taking AppSec to 11... · Taking AppSec to 11: AppSec Pipelines, DevOps, and Making Things Better OWASP San Antonio, April 2016

Taking AppSec to 11 - Meetupfiles.meetup.com/18411966/Taking AppSec to 11... · Taking AppSec to 11: AppSec Pipelines, DevOps, and Making Things Better OWASP San Antonio, April 2016

Documents
Appsec usa2013 js_libinsecurity_stefanodipaola

Appsec usa2013 js_libinsecurity_stefanodipaola

Technology
AppSec Consulting Inc

AppSec Consulting Inc

Documents
Appsec usa roberthansen

Appsec usa roberthansen

Technology
WATERPROOFING AND PROTECTION SYSTEMSawazelkw.com/agen2/Company Profile.pdfConcrete Surface Profile Coating to be appplied CSP 1 CSP 2 CSP 3 CSP 4 CSP 5 CSP 6 CSP 7 CSP 8 CSP 9 Impregnations

WATERPROOFING AND PROTECTION SYSTEMSawazelkw.com/agen2/Company Profile.pdfConcrete Surface Profile Coating to be appplied CSP 1 CSP 2 CSP 3 CSP 4 CSP 5 CSP 6 CSP 7 CSP 8 CSP 9 Impregnations

Documents
CSP CSP CSP CSP CSP CSP CSP CSP CSP CSP CSP CSP … · Comissão Organizadora Rui Cardeira Bernardo Vilas Boas Alberto Oliveira Ângela Mota António Miguelote Dilermando Sobral Hugo

CSP CSP CSP CSP CSP CSP CSP CSP CSP CSP CSP CSP … · Comissão Organizadora Rui Cardeira Bernardo Vilas Boas Alberto Oliveira Ângela Mota António Miguelote Dilermando Sobral Hugo

Documents
The InvictiTM AppSec Indicator - Acunetix

The InvictiTM AppSec Indicator - Acunetix

Documents
Appsec obfuscator reloaded

Appsec obfuscator reloaded

Technology
5 5 APPSEC T AREN’T TRUE ODE GBOOK 2 3...But AppSec falls to software vendors. One single technology can secure all applications. 3 APPSEC FACTS THAT AREN’T TRUE 5 APPSEC FACTS

5 5 APPSEC T AREN’T TRUE ODE GBOOK 2 3...But AppSec falls to software vendors. One single technology can secure all applications. 3 APPSEC FACTS THAT AREN’T TRUE 5 APPSEC FACTS

Documents
Streamlining AppSec Policy Definition.pptx

Streamlining AppSec Policy Definition.pptx

Technology
Legacy-SecDevOps (AppSec Management Debrief)

Legacy-SecDevOps (AppSec Management Debrief)

Technology
 · CSP 1 CSP 1 CSP 2 CSP 2 CSP 3 CSP 3 INTERNATIONAL CONCRETE REPAIR Concrete Surface Profile CSP4 CSP5 CSP6 CSP7 Concrete Surface Profile CSP4 CSP5 CSP6 CSP7 CSP 8 CSP 8 CSP 9 CSP

 · CSP 1 CSP 1 CSP 2 CSP 2 CSP 3 CSP 3 INTERNATIONAL CONCRETE REPAIR Concrete Surface Profile CSP4 CSP5 CSP6 CSP7 Concrete Surface Profile CSP4 CSP5 CSP6 CSP7 CSP 8 CSP 8 CSP 9 CSP

Documents
Agile Appsec

Agile Appsec

Documents
AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data

AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data

Technology
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better

Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better

Software
Practice of AppSec .NET

Practice of AppSec .NET

Software
AppSec And Microservices

AppSec And Microservices

Technology
OWASP ESAPI WAF AppSec DC 2009

OWASP ESAPI WAF AppSec DC 2009

Technology
Remediate the Flag - Global AppSec

Remediate the Flag - Global AppSec

Documents
OWASP AppSec 2004 Presentation

OWASP AppSec 2004 Presentation

Documents
Appsec SQL injection case study

Appsec SQL injection case study

Technology
AppSec & Microservices - Velocity 2016

AppSec & Microservices - Velocity 2016

Software
Appsec rump reverse-i_os_machook

Appsec rump reverse-i_os_machook

Technology
SC conference - Building AppSec Teams

SC conference - Building AppSec Teams

Software
20141104 appsec surveillance

20141104 appsec surveillance

Technology
Mobile Pentest Environment - AppSec Labs

Mobile Pentest Environment - AppSec Labs

Documents
Growing Up AppSec and ASVS

Growing Up AppSec and ASVS

Documents
The OWASP Foundation AppSec Research 2013 Amsterdam OWASP BeNeLux Candidacy AppSec Europe 2013

The OWASP Foundation AppSec Research 2013 Amsterdam OWASP BeNeLux Candidacy AppSec Europe 2013

Documents
APPSEC VULNERABILITY MANAGEMENT PIPELINES

APPSEC VULNERABILITY MANAGEMENT PIPELINES

Documents