Content Security Policy: A successful mess between hardening and mitigation

Presented at LocoMocoSec 2019, April 17, 2019, 11:05 a.m. (45 minutes).

In this talk, we distill our multi-year experience fighting XSS at Google with nonce-based Content Security Policy (CSP), one of the most misunderstood and, arguably, most powerful web mitigation techniques. We aim to provide a technical in-depth analysis of the effectiveness of different flavors of CSP against the many classes of XSS vulnerabilities, busting myths and common misunderstandings, and to explore the often fuzzy boundary between hardening and mitigation techniques. In a world where there are a dozen major root causes of XSS, each with its own distinct preventive measures, we define a threat model in which CSP can provide strong defense-in-depth guarantees and enforce best coding practices, leading to a real hardening effect. We present advanced CSP kung-fu: setting more than one policy, pinning CSP to an origin with Origin-Policy manifests, and highlighting special cases with Service Workers, WebAssembly and web modules. Finally, we share for the first time data on real-world sensitive applications where exploitation of XSS vulnerabilities has been prevented on modern browsers by CSP. After attending this talk you will finally understand CSP, knowing its strengths and limits while appreciating its complexity and multifaceted nature.

Presenters:

  • Michele Spagnuolo - Google
    Senior Information Security Engineer at Google Switzerland, Michele is a security researcher focused on web application security, and the Rosetta Flash guy. He is also the author of BitIodine, a tool for extracting intelligence from the Bitcoin network.
  • Lukas Weichselbaum - Google
    Lukas Weichselbaum is a Staff Information Security Engineer at Google with 10+ years of industry experience who frequently speaks at international infosec and developer conferences. He's passionate about securing Web applications from common Web vulnerabilities and leads the Google-wide CSP adoption effort. Lukas also co-authored the CSP3 W3C specification and is the creator of the CSP Evaluator (csp-evaluator.withgoogle.com), a tool for developers and security experts to check whether a Content Security Policy serves as a strong mitigation against XSS attacks. Before joining Google, Lukas worked as a Security Consultant and graduated from Vienna University of Technology in Austria, where he researched dynamic analysis of Android malware and founded Andrubis, one of the very first large-scale malware analysis platforms for Android applications.