2510, 2022

Reminder for your Training @DeepSec 2022: Bypassing Content Security Policy via ajax.googleapis.com – Dawid Czagan

Sanna/ October 25, 2022/ Training

Content Security Policy (CSP) is the number one defensive technology in modern web applications. Many developers add ajax.googleapis.com to CSP definitions, because they use libraries from this very popular CDN in their web applications. The problem is that it completely bypasses the CSP and obviously you don’t want that to happen. In a free video Dawid Czagan (DeepSec instructor) will show you step by step how your CSP can be bypassed by hackers. Watch this free video and feel the taste of Dawid Czagan’s training ”Black Belt Pentesting / Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation” (DeepSec 2022; 15-16 November; https://deepsec.net/speaker.html#WSLOT564)   Dawid Czagan (@dawidczagan) is an internationally recognized security researcher and trainer. He is listed among the top hackers at HackerOne. Dawid Czagan has found security vulnerabilities in Google, Yahoo, Mozilla, Microsoft, Twitter and other companies.

Read More

2107, 2022

DeepSec 2022 Training: Bypassing Content Security Policy via ajax.googleapis.com – Dawid Czagan

Sanna/ July 21, 2022/ Training

Content Security Policy (CSP) is the number one defensive technology in modern web applications. Many developers add ajax.googleapis.com to CSP definitions, because they use libraries from this very popular CDN in their web applications. The problem is that it completely bypasses the CSP and obviously you don’t want that to happen. In a free video, Dawid Czagan (DeepSec instructor) will show you step by step how your CSP can be bypassed by hackers. Watch this free video and feel the taste of Dawid Czagan’s training ”Black Belt Pentesting / Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation” (DeepSec 2022; 15-16 November; https://deepsec.net/speaker.html#WSLOT564)   Dawid Czagan (@dawidczagan) is an internationally recognized security researcher and trainer. He is listed among the top hackers at HackerOne. Dawid Czagan has found security vulnerabilities in Google, Yahoo, Mozilla, Microsoft, Twitter and other companies.

Read More

0707, 2020

Bypassing CSP via ajax.googleapis.com – Dawid Czagan

Sanna/ July 7, 2020/ Training

Content Security Policy (CSP) is the number one defensive technology in modern web applications. Many developers add ajax.googleapis.com to CSP definitions, because they use libraries from this very popular CDN in their web applications. The problem is that it completely bypasses the CSP and obviously you don’t want that to happen. Since CSP should be part of any modern application, you better get to work and brush up your knowledge. In a free video Dawid Czagan (DeepSec Instructor) will show you step-by-step how your CSP can be bypassed by hackers. Watch this free video and feel the taste of Dawid Czagan’s Live Online Training ”Black Belt Pentesting / Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation” (training at DeepSec 2020; 17/18 November)

0809, 2016

DeepSec 2016 Talk: CSP Is Dead, Long Live Strict CSP! – Lukas Weichselbaum

Sanna/ September 8, 2016/ Conference

The Content Security Policy (CSP) is an additional layer of security for web applications. It is intended to detect and mitigate certain types of attacks. CSP is deployed by using the HTTP Content-Security-Policy header for publishing a policy. The policy instructs the web client how various resources will be used, where they come from, and the like. Violations of the policy can be reported to an application. Basically you can give the web client important hints what to expect. The reporting helps your intrusion detection process since the web clients usually understand the Web better than IDS modules. Lukas Weichselbaum is working at Google, and he will explain how CSP can be bypassed. In this presentation I’ll highlight the major roadblocks that make CSP deployment difficult. I talk about common mistakes, about how we automatically bypassed

Read More