Fixing XSS with Content Security Policy

Presented at BSidesDC 2015, Oct. 18, 2015, 2:30 p.m. (50 minutes)

Cross-site scripting (XSS) has been dominating OWASP Top 10 for many years. Although input validation and output encoding are good traditional defenses against XSS, it is often difficult to ensure that they are used in all required places in large applications. Content Security Policy (CSP) is a promising new HTML5 feature that can help prevent traditional and DOM-based XSS on your website. If you keep dynamic data and static code separate, you can have conforming browsers enforce your CSP to ensure that the data never gets interpreted as code. The intricacies of the technology are in how CSP policies are combined and what limitations they place on web development. The first version of CSP, which is supported by most modern browsers, requires complete separation of JavaScript (static code) from HTML (which contains dynamic data). This is not feasible for large existing web applications as it can require completely rewriting the user interface. CSP version 2 introduces new keywords that can be used to apply policies to existing code bases without requiring a re-write from scratch. The talk will help the audience understand: • What the differences between CSP 1.0 and CSP 2 are, and what these mean for web application developers? • How CSP protects web applications from cross-site scripting? • Whether input validation and output encoding are necessary if CSP is used properly. • What is the different browser support for this technology? • How you can get started with using CSP on your website?

Presenters:

• Ksenia Dmitrieva - Senior Security Consultant at Cigital
  Ksenia Dmitrieva is a Senior Security Consultant at Cigital with over six years of experience developing and securing web applications. Ksenia holds a M.S. in Computer Science from George Washington University. As a Senior Consultant, she performs penetration testing and code review focusing on web applications, web services, new web technologies and frameworks for clients in financial services, entertainment, telecommunications, and enterprise security industries. Ksenia’s current concentration is on researching HTML5 technologies, their security implications and how their vulnerabilities could be discovered and remediated. Ksenia often delivers training sessions and has previously presented at Nullcon, BSidesLondon, BSidesIndy, LASCON, AppSec California, and AtlSecCon.

Links:

• https://bsidesdc2015.busyconf.com/schedule#activity_55648d4604eee08d2300000c

Similar Presentations:

• AppSec USA 2013 / Pushing CSP to PROD: Case Study of a Real-World Content-Security Policy Implementation
• DeepSec 2016 „Ten“ / CSP Is Dead, Long Live Strict CSP!
• AppSec USA 2016 / Lightning Talk - Demystifying CSP