You use Content Security Policy, don't you?

Kacper Sokolowski

@kaapa_s

Security

Security is HARD

$171 MILLION

Samy Kamkar

...Within just 20 hours of its October 4, 2005 release, over one million users had run the payload making Samy the fastest spreading virus of all time...

XSS

Cross Site Scripting

=

An attacker is able to execute any JS code in the context of our page.

  1. Steal cookies

  2. Steal localStorage data

  3. Break the layout and style of the page

  4. Whatever you can do with JavaScript...

DEMO

How to be safe?!

Sanitizer?

CSP

Content Security Policy

=

google.com

facebook.com

scam.com

cdnjs.com

getbootstrap.com

<script src="..."></script>

<script>

alert('hello JSConfBP!');

...

</script>

HTTP HEADERS

Content-Security-Policy: script-src 'self' http://google.com ...

Header: Content-Security-Policy

Directive: script-src

URL List: 'self' http://google.com ...

DEMO

  1. connect-src

  2. img-src

  3. script-src

  4. style-src

  5. ....
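
The header anatomy above (header, directive, URL list) as an added example that is not from the talk: a simplified parser and `script-src` check showing which script URLs such a policy would let through. The sample policy, the page URL and the function names are constructed for illustration; only `'self'` and plain host sources are modelled.

```javascript
// Added example, not from the talk. Simplified model of script-src matching:
// handles 'self', 'none' and scheme://host or bare-host sources only;
// wildcards, paths, explicit ports, nonces and hashes are not modelled.

// Constructed sample policy and page URL (the slide's header elides its list).
const SAMPLE_POLICY =
  "script-src 'self' http://google.com http://cdnjs.com; img-src 'self'";
const PAGE_URL = 'http://example.com/index.html';

// Split a header value into { directiveName: [source, ...] }.
function parseCsp(headerValue) {
  const policy = Object.create(null);
  for (const part of headerValue.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A directive repeated within one policy is ignored; the first one wins.
    if (!(name in policy)) policy[name] = tokens.slice(1);
  }
  return policy;
}

// Would <script src=scriptUrl> on pageUrl pass the policy's script-src?
function scriptAllowed(policy, pageUrl, scriptUrl) {
  // script-src falls back to default-src; with neither, scripts are unrestricted.
  const sources = policy['script-src'] ?? policy['default-src'];
  if (sources === undefined) return true;
  const page = new URL(pageUrl);
  const script = new URL(scriptUrl, pageUrl);
  return sources.some((src) => {
    if (src === "'self'") return script.origin === page.origin;
    if (src.startsWith("'")) return false; // 'none' and unmodelled keywords
    const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:*]+)$/i.exec(src);
    if (!m) return false; // source form outside this simplified model
    const scheme = (m[1] ?? page.protocol.slice(0, -1)).toLowerCase();
    // An http source also matches the https upgrade of the same host.
    const schemeOk = script.protocol === scheme + ':' ||
      (scheme === 'http' && script.protocol === 'https:');
    // No port in the source: only the scheme's default port matches.
    return schemeOk && script.port === '' &&
      script.hostname === m[2].toLowerCase();
  });
}

const policy = parseCsp(SAMPLE_POLICY);
for (const url of ['/script.js', 'https://cdnjs.com/lib.js', 'http://scam.com/x.js']) {
  console.log(url, scriptAllowed(policy, PAGE_URL, url) ? 'allowed' : 'blocked');
}
```
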

CSP IS GREAT!

Many parts of your website will probably break when you use CSP for the first time

So, start using it as early as possible

/index.html

/style.css

/script.js

 

Content-Type

Expires

...

/index.html

/style.css

/script.js

 

CDN

Supported by few hosting providers and CDNs

Cross Site Scripting

Content Security Policy

SECURITY IS HARD

Icons by: Laura Reen, Webalys, Everaldo Coelho. THX

LINKS

Thanks!

@kaapa_s

Kacper Sokolowski
