How to use CSP to Stop XSS

Presented at DEF CON 21 (2013), Aug. 2, 2013, 3 p.m. (20 minutes).

Crosssite scripting attacks have always been a mainstay of the OWASP Top 10 list. The problem with detecting XSS is that you can't go looking at web log traffic to determine if a request contains an actual crosssite scripting attack attempt, much less one that will actually succeed against your defenses. Our work has helped reveal some nuances with implementing content security policy to help detect and prevent XSS attacks across a major website. This talk will demonstrate a new python based tool that we are open sourcing for Defcon that combines client and serverbased whitelisting mechanisms to verify unauthorized scripts (I.e. XSS) running on a page, mixed content, and inline javascript across a site.


Presenters:

Links:

Similar Presentations: