DeepSec 2016 Talk: CSP Is Dead, Long Live Strict CSP! – Lukas Weichselbaum
The Content Security Policy (CSP) is an additional layer of security for web applications, intended to detect and mitigate certain classes of attacks, above all cross-site scripting. CSP is deployed by publishing a policy in the HTTP Content-Security-Policy
header. The policy tells the web client which resources the page may load, where they may come from, and how they may be used. Violations of the policy can be reported back to the application. In effect you give the web client precise expectations about the page, and the browser, which understands the structure of a web page far better than a network IDS module does, becomes a sensor for your intrusion detection process. Lukas Weichselbaum works at Google, and he will explain how CSP can be bypassed.
In this presentation I’ll highlight the major roadblocks that make CSP deployment difficult. I talk about common mistakes, about how we automatically bypassed the CSP of more than 95% of ~1.6 Million domains e.g. by showing how easy it is to defeat the whitelist-based model with some juicy bypasses, for example thanks to JSONP endpoints, by abusing a CDN and loading outdated versions of AngularJS. Finally, I present a radically new way of doing CSP in a simpler, easier to maintain and more secure way based on nonces and making use of a new feature we contributed to CSP3.
Lukas will also show you how to deploy CSP in a more secure fashion. Everyone developing or deploying web applications should take a look at his research. Given that CSP has been around since 2004 and has shipped in browsers since Firefox 4, its use should be much more widespread. Therefore we ask you to attend Lukas’ presentation. Make good use of what he has to say!
Lukas Weichselbaum is an Information Security Researcher at Google focusing on security enhancements and mitigations for web applications. He co-authored the specification for ‘strict-dynamic’ in CSP3 and launched CSP-Evaluator, a small tool for developers and security experts to check whether a Content Security Policy serves as a strong mitigation against cross-site scripting attacks. Lukas graduated from Vienna University of Technology in Austria, where he worked on dynamic analysis of Android malware. He also founded Andrubis – one of the very first large-scale malware analysis platforms for Android applications. Before joining Google in 2013, he worked as a security consultant leading numerous national and international projects in the area of information security.