SlideShare a Scribd company logo

Web content security policies

Download as PPTX, PDF
D
Dhanu Gupta

Web Content Security Policies - CSP - Let's break Web !!

Technology
1 of 7
Content Security Policies Let’s Break Web Dhanu Gupta 06/22/2020
Intro CSP? “Declarative policy to defend against client-side Web attacks.” “Declare what resources are allowed to load and manage actions.” ❏ CSP Approach ❏ Server “sets” the policy ❏ Browser enforces the policy ❏ Policy allowed to run “js” , styles, frame etc .. ❏ Stopping XSS attacks ❏ Regulation of framing behavior ❏ Stopping of information exfiltration ❏ UI consistency enforcement
CSP declaration “It acts like a gatekeeper for your website” Content-Security-Policy: default-src ‘self’; ➔ External libraries , CDN’s , frames lot other makes it harder to protect the Web Use: script-src, style-src, img-src, font-src, object-src, frame-src, ...
Major attack factors ➔ Injection of inline scripts ◆ <script>alert(‘ping’);</script> ➔ Injection of script-tags to attackers controller endpoints ◆ <script src=”http://iamattacker.js”></script> ➔ Injection of dynamic scripts ◆ eval(‘i am attacker’); ➔ Lib like backbone | underscore | foundation modnizer versions are outdated and use ‘eval’ based. “unsafe-inline” “unsafe-eval”
CSP Whitelist Techniques ❏ Nonce: ‘Number Used Once’ - Java Securerandom lib ❏ ‘nonce-tQPYyv07Gmdamiyb’ ❏ Hashes: hashed value of “script” - npm module to get hashed value
Testing ways ❏ Chrome plugin: https://chrome.google.com/webstore/detail/csp- evaluator/fjohamlofnakbnbfjkohkbdigoodcejf ❏ Google Evaluator - https://csp-evaluator.withgoogle.com/ ❏ https://report-uri.com/home/hash
Recommendation ❏ Use of ‘nonce’ ❏ Use of CSP Report Only Mode for the start otherwise we can break things ❏ Great resources ❏ https://owasp.org/www-chapter-belgium/assets/2019/2019-02- 20/CSP_Martin_Johns_OWASP_BE.pdf ❏ https://content-security-policy.com ❏ Chrome plugin: https://chrome.google.com/webstore/detail/csp- evaluator/fjohamlofnakbnbfjkohkbdigoodcejf ❏ https://dev.to/mattferderer/what-is-csp-why--how-to-add-it-to-your- website-28df

Recommended

Content Security Policy
Content Security PolicyContent Security Policy
Content Security PolicyRyan LaBouve
 
パフォーマンスを考慮したプリミティブなTrusted TypesによるClient-Side XSS防御手法
パフォーマンスを考慮したプリミティブなTrusted TypesによるClient-Side XSS防御手法パフォーマンスを考慮したプリミティブなTrusted TypesによるClient-Side XSS防御手法
パフォーマンスを考慮したプリミティブなTrusted TypesによるClient-Side XSS防御手法inet-lab
 
Content Security Policy
Content Security PolicyContent Security Policy
Content Security PolicyAustin Gil
 
VolgaCTF 2018 - Neatly bypassing CSP
VolgaCTF 2018 - Neatly bypassing CSPVolgaCTF 2018 - Neatly bypassing CSP
VolgaCTF 2018 - Neatly bypassing CSPДмитрий Бумов
 
Http security response headers
Http security response headers Http security response headers
Http security response headers mohammadhosseinrouha
 
Web vulnerabilities
Web vulnerabilitiesWeb vulnerabilities
Web vulnerabilitiesOleksandr Kovalchuk
 
웹 개발을 위해 꼭 알아야하는 보안 공격
웹 개발을 위해 꼭 알아야하는 보안 공격웹 개발을 위해 꼭 알아야하는 보안 공격
웹 개발을 위해 꼭 알아야하는 보안 공격선협 이
 
Securing your Movable Type installation
Securing your Movable Type installationSecuring your Movable Type installation
Securing your Movable Type installationSix Apart KK
 

Recommended

Content Security Policy
Content Security PolicyContent Security Policy
Content Security PolicyRyan LaBouve
 
パフォーマンスを考慮したプリミティブなTrusted TypesによるClient-Side XSS防御手法
パフォーマンスを考慮したプリミティブなTrusted TypesによるClient-Side XSS防御手法パフォーマンスを考慮したプリミティブなTrusted TypesによるClient-Side XSS防御手法
パフォーマンスを考慮したプリミティブなTrusted TypesによるClient-Side XSS防御手法inet-lab
 
Content Security Policy
Content Security PolicyContent Security Policy
Content Security PolicyAustin Gil
 
VolgaCTF 2018 - Neatly bypassing CSP
VolgaCTF 2018 - Neatly bypassing CSPVolgaCTF 2018 - Neatly bypassing CSP
VolgaCTF 2018 - Neatly bypassing CSPДмитрий Бумов
 
Http security response headers
Http security response headers Http security response headers
Http security response headers mohammadhosseinrouha
 
Web vulnerabilities
Web vulnerabilitiesWeb vulnerabilities
Web vulnerabilitiesOleksandr Kovalchuk
 
웹 개발을 위해 꼭 알아야하는 보안 공격
웹 개발을 위해 꼭 알아야하는 보안 공격웹 개발을 위해 꼭 알아야하는 보안 공격
웹 개발을 위해 꼭 알아야하는 보안 공격선협 이
 
Securing your Movable Type installation
Securing your Movable Type installationSecuring your Movable Type installation
Securing your Movable Type installationSix Apart KK
 
Browser Wars 2019 - Implementing a Content Security Policy
Browser Wars 2019 - Implementing a Content Security PolicyBrowser Wars 2019 - Implementing a Content Security Policy
Browser Wars 2019 - Implementing a Content Security PolicyGeorge Boobyer
 
An Overview of Common Vulnerabilities in Wordpress
An Overview of Common Vulnerabilities in WordpressAn Overview of Common Vulnerabilities in Wordpress
An Overview of Common Vulnerabilities in WordpressAnalytive
 
HTTP Security Headers
HTTP Security HeadersHTTP Security Headers
HTTP Security HeadersIsmael Goncalves
 
Xss what the heck-!
Xss what the heck-!Xss what the heck-!
Xss what the heck-!VodqaBLR
 
Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)Francois Marier
 
Protecting Java Microservices: Best Practices and Strategies
Protecting Java Microservices: Best Practices and StrategiesProtecting Java Microservices: Best Practices and Strategies
Protecting Java Microservices: Best Practices and StrategiesRodrigo Cândido da Silva
 
Péhápkaři v Pecce: Jak na bezpečnostní hlavičky – Marek Humpolík – 23. 1. 2019
Péhápkaři v Pecce: Jak na bezpečnostní hlavičky – Marek Humpolík – 23. 1. 2019Péhápkaři v Pecce: Jak na bezpečnostní hlavičky – Marek Humpolík – 23. 1. 2019
Péhápkaři v Pecce: Jak na bezpečnostní hlavičky – Marek Humpolík – 23. 1. 2019PeckaDesign.cz
 
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfDefeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfdrewz lin
 
OWASP AppSec USA 2017: Cookie Security – Myths and Misconceptions by David Jo...
OWASP AppSec USA 2017: Cookie Security – Myths and Misconceptions by David Jo...OWASP AppSec USA 2017: Cookie Security – Myths and Misconceptions by David Jo...
OWASP AppSec USA 2017: Cookie Security – Myths and Misconceptions by David Jo...David Johansson
 
Beef saurabh
Beef saurabhBeef saurabh
Beef saurabhSaurav Chaudhary
 
Secure coding guidelines for content security policy
Secure coding guidelines for content security policySecure coding guidelines for content security policy
Secure coding guidelines for content security policyvivekanandan r
 
Meteor Meets Mallory
Meteor Meets MalloryMeteor Meets Mallory
Meteor Meets MalloryEmily Stark
 
OWASP Top Ten 2017
OWASP Top Ten 2017OWASP Top Ten 2017
OWASP Top Ten 2017chw
 
[Cluj] CSP (Content Security Policy)
[Cluj] CSP (Content Security Policy)[Cluj] CSP (Content Security Policy)
[Cluj] CSP (Content Security Policy)OWASP EEE
 
Csp and http headers
Csp and http headersCsp and http headers
Csp and http headersColdFusionConference
 
Data Security - Storage Security
Data Security - Storage SecurityData Security - Storage Security
Data Security - Storage SecurityEng Teong Cheah
 
SSL and Wordpress
SSL and WordpressSSL and Wordpress
SSL and WordpressPeg Perry
 
Java EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFishJava EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFishMarkus Eisele
 
2015-04-25-content-security-policy
2015-04-25-content-security-policy2015-04-25-content-security-policy
2015-04-25-content-security-policySastry Tumuluri
 
WordPress Security 101: Essential Security Practices Simplified
WordPress Security 101: Essential Security Practices SimplifiedWordPress Security 101: Essential Security Practices Simplified
WordPress Security 101: Essential Security Practices SimplifiedBlogVault Inc
 
HTTP_Header_Security.pdf
HTTP_Header_Security.pdfHTTP_Header_Security.pdf
HTTP_Header_Security.pdfksudhakarreddy5
 
Web Security - CSP & Web Cryptography
Web Security - CSP & Web CryptographyWeb Security - CSP & Web Cryptography
Web Security - CSP & Web CryptographySamsung Open Source Group
 

More Related Content

What's hot

Browser Wars 2019 - Implementing a Content Security Policy
Browser Wars 2019 - Implementing a Content Security PolicyBrowser Wars 2019 - Implementing a Content Security Policy
Browser Wars 2019 - Implementing a Content Security PolicyGeorge Boobyer
 
An Overview of Common Vulnerabilities in Wordpress
An Overview of Common Vulnerabilities in WordpressAn Overview of Common Vulnerabilities in Wordpress
An Overview of Common Vulnerabilities in WordpressAnalytive
 
Xss what the heck-!
Xss what the heck-!Xss what the heck-!
Xss what the heck-!VodqaBLR
 
Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)Francois Marier
 
Protecting Java Microservices: Best Practices and Strategies
Protecting Java Microservices: Best Practices and StrategiesProtecting Java Microservices: Best Practices and Strategies
Protecting Java Microservices: Best Practices and StrategiesRodrigo Cândido da Silva
 
Péhápkaři v Pecce: Jak na bezpečnostní hlavičky – Marek Humpolík – 23. 1. 2019
Péhápkaři v Pecce: Jak na bezpečnostní hlavičky – Marek Humpolík – 23. 1. 2019Péhápkaři v Pecce: Jak na bezpečnostní hlavičky – Marek Humpolík – 23. 1. 2019
Péhápkaři v Pecce: Jak na bezpečnostní hlavičky – Marek Humpolík – 23. 1. 2019PeckaDesign.cz
 
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfDefeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfdrewz lin
 
OWASP AppSec USA 2017: Cookie Security – Myths and Misconceptions by David Jo...
OWASP AppSec USA 2017: Cookie Security – Myths and Misconceptions by David Jo...OWASP AppSec USA 2017: Cookie Security – Myths and Misconceptions by David Jo...
OWASP AppSec USA 2017: Cookie Security – Myths and Misconceptions by David Jo...David Johansson
 
Secure coding guidelines for content security policy
Secure coding guidelines for content security policySecure coding guidelines for content security policy
Secure coding guidelines for content security policyvivekanandan r
 
Meteor Meets Mallory
Meteor Meets MalloryMeteor Meets Mallory
Meteor Meets MalloryEmily Stark
 
OWASP Top Ten 2017
OWASP Top Ten 2017OWASP Top Ten 2017
OWASP Top Ten 2017chw
 
[Cluj] CSP (Content Security Policy)
[Cluj] CSP (Content Security Policy)[Cluj] CSP (Content Security Policy)
[Cluj] CSP (Content Security Policy)OWASP EEE
 
Data Security - Storage Security
Data Security - Storage SecurityData Security - Storage Security
Data Security - Storage SecurityEng Teong Cheah
 
SSL and Wordpress
SSL and WordpressSSL and Wordpress
SSL and WordpressPeg Perry
 
Java EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFishJava EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFishMarkus Eisele
 
2015-04-25-content-security-policy
2015-04-25-content-security-policy2015-04-25-content-security-policy
2015-04-25-content-security-policySastry Tumuluri
 
WordPress Security 101: Essential Security Practices Simplified
WordPress Security 101: Essential Security Practices SimplifiedWordPress Security 101: Essential Security Practices Simplified
WordPress Security 101: Essential Security Practices SimplifiedBlogVault Inc
 

What's hot (20)

Browser Wars 2019 - Implementing a Content Security Policy
Browser Wars 2019 - Implementing a Content Security PolicyBrowser Wars 2019 - Implementing a Content Security Policy
Browser Wars 2019 - Implementing a Content Security Policy
 
An Overview of Common Vulnerabilities in Wordpress
An Overview of Common Vulnerabilities in WordpressAn Overview of Common Vulnerabilities in Wordpress
An Overview of Common Vulnerabilities in Wordpress
 
HTTP Security Headers
HTTP Security HeadersHTTP Security Headers
HTTP Security Headers
 
Xss what the heck-!
Xss what the heck-!Xss what the heck-!
Xss what the heck-!
 
Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)
 
Protecting Java Microservices: Best Practices and Strategies
Protecting Java Microservices: Best Practices and StrategiesProtecting Java Microservices: Best Practices and Strategies
Protecting Java Microservices: Best Practices and Strategies
 
Péhápkaři v Pecce: Jak na bezpečnostní hlavičky – Marek Humpolík – 23. 1. 2019
Péhápkaři v Pecce: Jak na bezpečnostní hlavičky – Marek Humpolík – 23. 1. 2019Péhápkaři v Pecce: Jak na bezpečnostní hlavičky – Marek Humpolík – 23. 1. 2019
Péhápkaři v Pecce: Jak na bezpečnostní hlavičky – Marek Humpolík – 23. 1. 2019
 
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfDefeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
 
OWASP AppSec USA 2017: Cookie Security – Myths and Misconceptions by David Jo...
OWASP AppSec USA 2017: Cookie Security – Myths and Misconceptions by David Jo...OWASP AppSec USA 2017: Cookie Security – Myths and Misconceptions by David Jo...
OWASP AppSec USA 2017: Cookie Security – Myths and Misconceptions by David Jo...
 
Beef saurabh
Beef saurabhBeef saurabh
Beef saurabh
 
Secure coding guidelines for content security policy
Secure coding guidelines for content security policySecure coding guidelines for content security policy
Secure coding guidelines for content security policy
 
Meteor Meets Mallory
Meteor Meets MalloryMeteor Meets Mallory
Meteor Meets Mallory
 
OWASP Top Ten 2017
OWASP Top Ten 2017OWASP Top Ten 2017
OWASP Top Ten 2017
 
[Cluj] CSP (Content Security Policy)
[Cluj] CSP (Content Security Policy)[Cluj] CSP (Content Security Policy)
[Cluj] CSP (Content Security Policy)
 
Csp and http headers
Csp and http headersCsp and http headers
Csp and http headers
 
Data Security - Storage Security
Data Security - Storage SecurityData Security - Storage Security
Data Security - Storage Security
 
SSL and Wordpress
SSL and WordpressSSL and Wordpress
SSL and Wordpress
 
Java EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFishJava EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFish
 
2015-04-25-content-security-policy
2015-04-25-content-security-policy2015-04-25-content-security-policy
2015-04-25-content-security-policy
 
WordPress Security 101: Essential Security Practices Simplified
WordPress Security 101: Essential Security Practices SimplifiedWordPress Security 101: Essential Security Practices Simplified
WordPress Security 101: Essential Security Practices Simplified
 

Similar to Web content security policies

HTTP_Header_Security.pdf
HTTP_Header_Security.pdfHTTP_Header_Security.pdf
HTTP_Header_Security.pdfksudhakarreddy5
 
Content Security Policy - Lessons learned at Yahoo
Content Security Policy - Lessons learned at YahooContent Security Policy - Lessons learned at Yahoo
Content Security Policy - Lessons learned at YahooBinu Ramakrishnan
 
Content-Security-Policy 2018.0
Content-Security-Policy 2018.0Content-Security-Policy 2018.0
Content-Security-Policy 2018.0Philippe Gamache
 
Rails and Content Security Policies
Rails and Content Security PoliciesRails and Content Security Policies
Rails and Content Security PoliciesMatias Korhonen
 
Cross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning CenterCross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning CenterMichael Coates
 
Tsc summit #2 - HTTP Header Security
Tsc summit #2 - HTTP Header SecurityTsc summit #2 - HTTP Header Security
Tsc summit #2 - HTTP Header SecurityMikal Villa
 
D3LDN17 - Recruiting the Browser
D3LDN17 - Recruiting the BrowserD3LDN17 - Recruiting the Browser
D3LDN17 - Recruiting the BrowserImperva Incapsula
 
Web security for developers
Web security for developersWeb security for developers
Web security for developersSunny Neo
 
Content Security Policy - The application security Swiss Army Knife
Content Security Policy - The application security Swiss Army KnifeContent Security Policy - The application security Swiss Army Knife
Content Security Policy - The application security Swiss Army KnifeScott Helme
 
CONFidence 2018: Defense-in-depth techniques for modern web applications and ...
CONFidence 2018: Defense-in-depth techniques for modern web applications and ...CONFidence 2018: Defense-in-depth techniques for modern web applications and ...
CONFidence 2018: Defense-in-depth techniques for modern web applications and ...PROIDEA
 
A Practical Guide to Securing Modern Web Applications
A Practical Guide to Securing Modern Web ApplicationsA Practical Guide to Securing Modern Web Applications
A Practical Guide to Securing Modern Web ApplicationsManish Shekhawat
 
Problems with parameters b sides-msp
Problems with parameters b sides-mspProblems with parameters b sides-msp
Problems with parameters b sides-mspMike Saunders
 
The High Performance Web Application Lifecycle
The High Performance Web Application LifecycleThe High Performance Web Application Lifecycle
The High Performance Web Application LifecycleAlois Reitbauer
 
Csp and http headers
Csp and http headersCsp and http headers
Csp and http headersdevObjective
 
Web Vulnerabilities_NGAN Seok Chern
Web Vulnerabilities_NGAN Seok ChernWeb Vulnerabilities_NGAN Seok Chern
Web Vulnerabilities_NGAN Seok ChernQuek Lilian
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesBrad Hill
 
XSS: From alert(1) to crypto mining malware
XSS: From alert(1) to crypto mining malwareXSS: From alert(1) to crypto mining malware
XSS: From alert(1) to crypto mining malwareOmer Meshar
 

Similar to Web content security policies (20)

HTTP_Header_Security.pdf
HTTP_Header_Security.pdfHTTP_Header_Security.pdf
HTTP_Header_Security.pdf
 
Web Security - CSP & Web Cryptography
Web Security - CSP & Web CryptographyWeb Security - CSP & Web Cryptography
Web Security - CSP & Web Cryptography
 
Content Security Policy - Lessons learned at Yahoo
Content Security Policy - Lessons learned at YahooContent Security Policy - Lessons learned at Yahoo
Content Security Policy - Lessons learned at Yahoo
 
Content-Security-Policy 2018.0
Content-Security-Policy 2018.0Content-Security-Policy 2018.0
Content-Security-Policy 2018.0
 
Rails and Content Security Policies
Rails and Content Security PoliciesRails and Content Security Policies
Rails and Content Security Policies
 
Cross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning CenterCross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning Center
 
Tsc summit #2 - HTTP Header Security
Tsc summit #2 - HTTP Header SecurityTsc summit #2 - HTTP Header Security
Tsc summit #2 - HTTP Header Security
 
D3LDN17 - Recruiting the Browser
D3LDN17 - Recruiting the BrowserD3LDN17 - Recruiting the Browser
D3LDN17 - Recruiting the Browser
 
Web security for developers
Web security for developersWeb security for developers
Web security for developers
 
Content Security Policy - The application security Swiss Army Knife
Content Security Policy - The application security Swiss Army KnifeContent Security Policy - The application security Swiss Army Knife
Content Security Policy - The application security Swiss Army Knife
 
CONFidence 2018: Defense-in-depth techniques for modern web applications and ...
CONFidence 2018: Defense-in-depth techniques for modern web applications and ...CONFidence 2018: Defense-in-depth techniques for modern web applications and ...
CONFidence 2018: Defense-in-depth techniques for modern web applications and ...
 
A Practical Guide to Securing Modern Web Applications
A Practical Guide to Securing Modern Web ApplicationsA Practical Guide to Securing Modern Web Applications
A Practical Guide to Securing Modern Web Applications
 
Problems with parameters b sides-msp
Problems with parameters b sides-mspProblems with parameters b sides-msp
Problems with parameters b sides-msp
 
The High Performance Web Application Lifecycle
The High Performance Web Application LifecycleThe High Performance Web Application Lifecycle
The High Performance Web Application Lifecycle
 
Breaking Bad CSP
Breaking Bad CSPBreaking Bad CSP
Breaking Bad CSP
 
Csp and http headers
Csp and http headersCsp and http headers
Csp and http headers
 
Web Vulnerabilities_NGAN Seok Chern
Web Vulnerabilities_NGAN Seok ChernWeb Vulnerabilities_NGAN Seok Chern
Web Vulnerabilities_NGAN Seok Chern
 
Web Apps Security
Web Apps SecurityWeb Apps Security
Web Apps Security
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
 
XSS: From alert(1) to crypto mining malware
XSS: From alert(1) to crypto mining malwareXSS: From alert(1) to crypto mining malware
XSS: From alert(1) to crypto mining malware
 

Recently uploaded

Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsPrecisely
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 

Recently uploaded (20)

Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power Systems
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 

Web content security policies

  • 1. Content Security Policies Let’s Break Web Dhanu Gupta 06/22/2020
  • 2. Intro CSP? “Declarative policy to defend against client-side Web attacks.” “Declare what resources are allowed to load and manage actions.” ❏ CSP Approach ❏ Server “sets” the policy ❏ Browser enforces the policy ❏ Policy allowed to run “js” , styles, frame etc .. ❏ Stopping XSS attacks ❏ Regulation of framing behavior ❏ Stopping of information exfiltration ❏ UI consistency enforcement
  • 3. CSP declaration “It acts like a gatekeeper for your website” Content-Security-Policy: default-src ‘self’; ➔ External libraries , CDN’s , frames lot other makes it harder to protect the Web Use: script-src, style-src, img-src, font-src, object-src, frame-src, ...
  • 4. Major attack factors ➔ Injection of inline scripts ◆ <script>alert(‘ping’);</script> ➔ Injection of script-tags to attackers controller endpoints ◆ <script src=”http://iamattacker.js”></script> ➔ Injection of dynamic scripts ◆ eval(‘i am attacker’); ➔ Lib like backbone | underscore | foundation modnizer versions are outdated and use ‘eval’ based. “unsafe-inline” “unsafe-eval”
  • 5. CSP Whitelist Techniques ❏ Nonce: ‘Number Used Once’ - Java Securerandom lib ❏ ‘nonce-tQPYyv07Gmdamiyb’ ❏ Hashes: hashed value of “script” - npm module to get hashed value
  • 6. Testing ways ❏ Chrome plugin: https://chrome.google.com/webstore/detail/csp- evaluator/fjohamlofnakbnbfjkohkbdigoodcejf ❏ Google Evaluator - https://csp-evaluator.withgoogle.com/ ❏ https://report-uri.com/home/hash
  • 7. Recommendation ❏ Use of ‘nonce’ ❏ Use of CSP Report Only Mode for the start otherwise we can break things ❏ Great resources ❏ https://owasp.org/www-chapter-belgium/assets/2019/2019-02- 20/CSP_Martin_Johns_OWASP_BE.pdf ❏ https://content-security-policy.com ❏ Chrome plugin: https://chrome.google.com/webstore/detail/csp- evaluator/fjohamlofnakbnbfjkohkbdigoodcejf ❏ https://dev.to/mattferderer/what-is-csp-why--how-to-add-it-to-your- website-28df