2. Intro CSP?
“Declarative policy to defend against client-side Web attacks.”
“Declare which resources are allowed to load and which actions the page may take.”
❏ CSP approach
❏ Server “sets” the policy (an HTTP response header, or a <meta> tag)
❏ Browser enforces the policy
❏ Policy states which scripts (“js”), styles, frames, images etc. are allowed to load or run
❏ Stopping XSS attacks
❏ Regulating framing behaviour (who may frame the page)
❏ Limiting information exfiltration (where the page may connect to or post forms to)
❏ UI consistency enforcement
3. CSP declaration
“It acts like a gatekeeper for your website.”
Content-Security-Policy: default-src 'self';
default-src is the fallback for every fetch directive that is not set explicitly; with 'self' only same-origin resources load.
➔ External libraries, CDNs, frames and lots of other third-party resources make the Web harder to protect: each one needs its own entry in the policy
Use: script-src, style-src, img-src, font-src, object-src, frame-src, ...
4. Major attack vectors
➔ Injection of inline scripts
◆ <script>alert('ping');</script>
➔ Injection of script tags pointing at attacker-controlled endpoints
◆ <script src="http://iamattacker.js"></script>
➔ Injection of dynamic scripts (eval(), new Function(), string arguments to setTimeout/setInterval)
◆ eval('i am attacker');
➔ Outdated versions of libraries such as Backbone, Underscore, Foundation or Modernizr rely on eval-based code and only work if the policy allows it
The two keywords that re-open these holes, and with them most of the protection:
'unsafe-inline'
'unsafe-eval'
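To make the slides 2 to 4 concrete, here is an added example (not from the deck) that models, in a simplified way, how a browser decides whether a script load passes the policy: it parses the header, applies the default-src fallback, and checks the three injection vectors above against a strict policy and against one that contains the two unsafe keywords. The page origin, the policies and the attacker URL are constructed for the example; real CSP matching also handles ports, paths, redirects and 'strict-dynamic', which are left out here.

```javascript
// Added example, not part of the slides: a simplified model of how a browser
// checks each script load against a Content-Security-Policy header.

// Parse "default-src 'self'; script-src 'self' https://cdn.example.com" into
// { "default-src": ["'self'"], "script-src": ["'self'", "https://cdn.example.com"] }.
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by the browser: the first one wins.
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// script-src, like the other fetch directives, falls back to default-src.
// null means neither is set, i.e. no restriction on scripts at all.
function scriptSources(directives) {
  if ("script-src" in directives) return directives["script-src"];
  if ("default-src" in directives) return directives["default-src"];
  return null;
}

// Match one source expression against the URL of a script the page loads.
// pageOrigin is the origin of the document, e.g. "https://app.example.com".
function sourceMatches(expr, scriptUrl, pageOrigin) {
  const url = new URL(scriptUrl);
  if (expr === "*") return true;
  if (expr === "'none'") return false;
  if (expr === "'self'") return url.origin === pageOrigin;
  if (expr.startsWith("'")) return false; // other keywords, nonces, hashes never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return url.protocol === expr.toLowerCase(); // scheme-source, e.g. https:
  // host-source: [scheme://]host, where a leading "*." matches subdomains only.
  // Ports and paths are ignored here for brevity; the real algorithm checks them too.
  let scheme = new URL(pageOrigin).protocol;
  let host = expr;
  const sep = expr.indexOf("://");
  if (sep !== -1) { scheme = expr.slice(0, sep + 1).toLowerCase(); host = expr.slice(sep + 3); }
  host = host.split("/")[0].split(":")[0].toLowerCase();
  if (url.protocol !== scheme) return false;
  if (host.startsWith("*.")) return url.hostname.endsWith(host.slice(1));
  return url.hostname === host;
}

// Decide whether one script load is allowed. `load` is one of:
//   { kind: "inline", nonce?: string }  an inline <script> block (with its nonce attribute, if any)
//   { kind: "external", url: string }   <script src=...>
//   { kind: "eval" }                    eval(), new Function(), setTimeout("string")
function scriptAllowed(policy, load, pageOrigin) {
  const sources = scriptSources(parsePolicy(policy));
  if (sources === null) return true; // the policy says nothing about scripts
  const hasNonceOrHash = sources.some((s) => /^'(nonce|sha256|sha384|sha512)-/.test(s));
  switch (load.kind) {
    case "inline":
      // A matching nonce always wins. 'unsafe-inline' is ignored as soon as any nonce
      // or hash is present, so adding nonces does not silently keep the inline hole open.
      if (load.nonce && sources.includes(`'nonce-${load.nonce}'`)) return true;
      return !hasNonceOrHash && sources.includes("'unsafe-inline'");
    case "external":
      return sources.some((s) => sourceMatches(s, load.url, pageOrigin));
    case "eval":
      return sources.includes("'unsafe-eval'");
    default:
      throw new Error(`unknown load kind: ${load.kind}`);
  }
}

// Constructed sample data: the page origin and the three vectors from the slide.
const PAGE = "https://app.example.com";
const STRICT = "default-src 'self'";
const LOOSE = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'";
const ATTACKS = [
  { kind: "inline" },                                  // <script>alert('ping');</script>
  { kind: "external", url: "http://iamattacker.js/" }, // <script src="http://iamattacker.js">
  { kind: "eval" },                                    // eval('i am attacker');
];

// Returns one boolean per attack: true means the injected script would run.
function evaluate(policy) {
  return ATTACKS.map((a) => scriptAllowed(policy, a, PAGE));
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("strict:", evaluate(STRICT)); // [false, false, false]
  console.log("loose: ", evaluate(LOOSE));  // [true, false, true]
}
```

The strict policy blocks all three vectors. The loose one re-opens inline scripts and eval, which is exactly what the two keywords do; the attacker's external host is still blocked because no host entry (or `*`, or a broad scheme such as `https:`) lists it, so an over-wide allow list is the third way to lose the protection.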
5. CSP Whitelist Techniques
❏ Nonce: ‘Number Used Once’: a fresh, unguessable random value generated per response (e.g. with Java's SecureRandom), sent in the header and put in the nonce attribute of every legitimate script tag
❏ 'nonce-tQPYyv07Gmdamiyb'
❏ Hashes: the base64 SHA-256/384/512 digest of the exact inline “script” body, whitespace included (npm modules exist to compute it); the script runs only if its hash is listed
7. Recommendation
❏ Use of ‘nonce’ (or hashes) instead of 'unsafe-inline'
❏ Use of CSP Report-Only mode at the start: violations are reported but nothing is blocked, so a wrong policy cannot break things before it is tuned
❏ Great resources
❏ https://owasp.org/www-chapter-belgium/assets/2019/2019-02-20/CSP_Martin_Johns_OWASP_BE.pdf
❏ https://content-security-policy.com
❏ Chrome plugin: https://chrome.google.com/webstore/detail/csp-evaluator/fjohamlofnakbnbfjkohkbdigoodcejf
❏ https://dev.to/mattferderer/what-is-csp-why--how-to-add-it-to-your-website-28df