Content Security Policy - Lessons learned at Yahoo

Presented at BSidesDC 2015, Oct. 18, 2015, 9 a.m. (60 minutes)

Yahoo serves daily essentials such as mail, search, finance, sports, news and magazines to a large audience. While most of this content is created at Yahoo, there is content sourced from third parties for marketing, measurement and advertising purposes as well. As a result, protecting Yahoo users from content injection and malware injection attacks is vital and a big challenge due to a very large diverse audience. Furthermore, advertising being Yahoo’s main source of revenue, ad injection poses a big security and business risk. Content Security Policy (CSP) is a browser security mechanism against content injection. Using the CSP header, browsers can restrict content from just the domains whitelisted in the policy. Hence, we deployed CSP in report mode on Yahoo mail to analyze the impact of CSP to alleviate content injection; also on Yahoo search in enforced mode to evaluate the impact of CSP to eliminate ad injection. Based on our analysis, we found that CSP’s capability is limited due to browser extensions and add-ons ability to override the policy and furthermore we found browser inconsistencies in evaluating CSP policy. This talk will highlight to what degree CSP is helpful today in solving content and ad injection on websites based on our analysis and will introduce CSP testing tools - http://cspstester.io and phantonJS automation scripts. In addition, we share our recommendations to improve CSP for making it more useful to alleviate content and ad injection and discuss some improvements in CSP reporting side to make data analysis easier and more meaningful. Browser implementation inconsistencies including mobile is also highlighted as part of this session.

Presenters:

• Binu Ramakrishnan - Senior Security Engineer at Yahoo
  Binu Ramakrishnan is a senior security engineer at yahoo with extensive experience in Internet-scale systems development, anti-abuse and application security. In this role, Binu manages security engagements with yahoo mail, works with product engineers and leaders to help define and implement security strategy and programs with in yahoo mail. Prior to this role, Binu worked as a lead developer with Security and Platforms engineering team, built hosted key management service and managed various shared components that are used across yahoo.
• Vibha Sethi - Senior Secuirty Engineer at Yahoo
  Vibha is currently working as a paranoid at Yahoo. She has about 5 years of experience in application security engineering and is the lead for securing ad platforms at Yahoo. She has a MSc in Computer Science from the University of Texas At Dallas and also holds the Information Security certification from the university.

Links:

• https://bsidesdc2015.busyconf.com/schedule#activity_55920872a284e66cfd000002

Similar Presentations:

• AppSec USA 2013 / Pushing CSP to PROD: Case Study of a Real-World Content-Security Policy Implementation
• DeepSec 2016 „Ten“ / CSP Is Dead, Long Live Strict CSP!
• AppSec USA 2016 / Lightning Talk - Demystifying CSP