You use Content Security Policy, don't you?
Kacper SokoLowski
@KAAPA_S
Security
Security is HARD
$171 MILLION
samy KamkaR
...Within just 20 hours of its October 4, 2005 release, over one million users had run the payload making Samy the fastest spreading virus of all time...
XSS
Cross Site Scripting
=
Attacker is able to execute any JS code in
the context of our page.
-
Steal cookies
-
Steal localStorage data
-
Break the layout and style of the page
-
Whatever you can do with JavaScript...
DEMO
HOW TO be SAFE?!
Sanitizer?
CSP
Content security Policy
=
google.com
facebook.com
scam.com
cdnjs.com
getbootstrap.com
google.com
facebook.com
scam.com
cdnjs.com
getbootstrap.com
google.com
facebook.com
scam.com
cdnjs.com
getbootstrap.com
<script src="..."></script>
<script src="..."></script>
<script>
alert('hello JSConfBP!');
...
</script>
<script>
alert('hello JSConfBP!');
...
</script>
HTTP HEADERS
Content-Security-Policy: script-src 'self' http://google.com ...
Content-Security-Policy: script-src 'self' http://google.com ...
Header
Content-Security-Policy: script-src 'self' http://google.com ...
Directive
Content-Security-Policy: script-src 'self' http://google.com ...
URL List
DEMO
-
connect-src
-
img-src
-
script-src
-
style-src
-
....
CSP IS GREAT!
Many Parts OF your website
will probably Break
when you CSP FOR the first time
So, start using it as early as possible
/index.html
/style.css
/script.js
Content-Type
Expires
...
/index.html
/style.css
/script.js
CDN
/index.html
/style.css
/script.js
CDN
sUpported by FEW hosting providers
and CDNs
CROSS Site Scripting
Content Security POLICY
SECURITY IS HARD
Icons by: Laura Reen, Webalys, Everaldo Coelho. THX
LINKS
Thanks!
@kaapa_s
Kacper Sokolowski
