Content Security Policies: Let's Break Stuff

A presentation at Dutch PHP Conference in June 2018 in Amsterdam, Netherlands by Matt Brunt

Slide 1

@Brunty CSP: Let's Break Stuff

CONTENT SECURITY POLICIES: LET'S BREAK STUFF

Slide 2

ABOUT ME
Because you all totally care about this, right?!
▸ Senior Software Engineer at Viva IT (those folks in orange hoodies at some conferences & events you may have been to)
▸ @Brunty
▸ @PHPem
▸ mfyu.co.uk
▸ matt@mfyu.co.uk

Slide 3

THINGS I DO
Blah blah … just get on with the talk
▸ Dungeon master for D&D campaigns
▸ Mentor, lead & teach apprentices & junior developers
▸ Run & organise PHP East Midlands
▸ Speak at user groups and conferences
▸ Break production sites with incorrectly configured content security policies

Slide 4

A TALK IN 3 PARTS
Oh good, finally we're getting started
▸ XSS
▸ CSP
▸ Break stuff


Slide 5

THE SCARY STUFF

Slide 6

WHAT IS CROSS-SITE SCRIPTING (XSS)?
First, some background
▸ XSS enables an attacker to inject client-side scripts into otherwise non-malicious web pages viewed by other users
▸ In 2016 there was a 61% likelihood of a browser-based vulnerability being found in a web application
▸ Of those browser-based vulnerabilities, 86% were found to be XSS related
▸ That's just over 52% of all web application vulnerabilities (0.61 × 0.86)
https://www.edgescan.com/assets/docs/reports/2016-edgescan-stats-report.pdf

Slide 7

WHAT CAN BE DONE WITH XSS?
I mean, it's just a joke vulnerability, right?!
▸ Put pictures of cats and dogs in web pages
▸ alert('!');
▸ Rickroll a user
▸ Twitter self-retweeting tweet: https://www.youtube.com/watch?v=zv0kZKC6GAM
▸ Samy worm: https://en.wikipedia.org/wiki/Samy_(computer_worm)

Slide 8

WHAT CAN BE DONE WITH XSS?
Well … maybe it's not a joke vulnerability
▸ Modify the DOM: replace a form's action so it points at your own script and captures the credentials the user submits
▸ Load additional scripts, resources, styles, images etc.
▸ Access HTML5 APIs (webcam, microphone, geolocation): injected script runs with the origin's identity, so any permission the user has granted the site applies to it too
▸ Steal cookies, and therefore session cookies (unless they are flagged HttpOnly, which keeps them out of reach of script but does not stop the script acting as the user from within the page)

Slide 9

Slide 10

WHAT CAN BE DONE WITH XSS?
It's really not a joke vulnerability
https://www.wired.com/2008/03/hackers-assault-epilepsy-patients-via-computer/

Slide 11

TYPES OF XSS ATTACK
STORED XSS (AKA PERSISTENT OR TYPE I)
▸ Occurs when the malicious input is stored, generally in a server-side database, but not always
▸ It could also be stored client-side (HTML5 Web Storage or IndexedDB), thus never being sent to the server at all
▸ who.is was a site Rickrolled by a TXT record in the DNS of a website (yes, really)

Slide 12

TYPES OF XSS ATTACK
REFLECTED XSS (AKA NON-PERSISTENT OR TYPE II)
▸ Occurs when user input provided in the request is immediately returned in the response, such as in an error message or a search string
▸ The data is not stored, and in some instances may not even reach the server (see the next type of XSS)

Slide 13

TYPES OF XSS ATTACK
DOM-BASED XSS (AKA TYPE 0)
▸ The entire flow of the attack takes place within the browser
▸ For example, if JavaScript in the site takes input (the URL fragment, say) and passes it to something like document.write or innerHTML, it can be vulnerable to a DOM-based XSS attack
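The pattern behind reflected and DOM-based XSS, beside its fix, as an added example in JavaScript; this is not code from the talk or from the csp-demo repository. A page builds HTML from a value the attacker controls: a query parameter the server reflects, or the URL fragment that client-side script reads and hands to document.write. The payload, the result wrapper and the helper names are constructed for the example.

```javascript
// Added example, not code from the talk or the csp-demo repo: the pattern behind
// reflected and DOM-based XSS, beside the fix. A page builds HTML from a value the
// attacker controls (a query parameter reflected by the server, or the URL fragment
// read by client-side JavaScript and fed to document.write / innerHTML).

// Constructed attacker input for the example (not a payload from the page).
const ATTACK = '<img src=x onerror="alert(document.cookie)">';

// Vulnerable on purpose: the raw value becomes markup, so the browser parses the
// injected <img> and runs its onerror handler.
function renderUnsafe(query) {
  return '<p>Results for: ' + query + '</p>';
}

// Escape for the HTML text context (and double-quoted attribute values). Other
// contexts (URLs, inline JavaScript, CSS) need their own encoders; this is not enough there.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Fixed: the value is shown as text; it can never open a tag or an attribute.
function renderSafe(query) {
  return '<p>Results for: ' + escapeHtml(query) + '</p>';
}

// DOM-based variant: the input never reaches the server. This stands in for a
// script that reads "#q=<term>" from location.hash and writes it into the page.
function resultsFromHash(hash, render = renderSafe) {
  const raw = hash.startsWith('#q=') ? hash.slice(3) : '';
  return render(decodeURIComponent(raw));
}

// Crude detector used for checking: does anything inside the <p> wrapper start a tag?
// Escaped output contains no '<' at all, so nothing inside it can be parsed as markup.
function hasInjectedMarkup(html) {
  const inner = html.slice('<p>Results for: '.length, -'</p>'.length);
  return inner.includes('<');
}
```

In a real browser the safe equivalent of `renderSafe` is to set `element.textContent` rather than `innerHTML` or `document.write`; escaping is what you need when the HTML is assembled as a string, which is exactly what a PHP template does on the server.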

Slide 14

TYPES OF XSS ATTACK
SELF XSS
▸ Social-engineering form of XSS
▸ Requires the user to execute code in their own browser
▸ Code pasted into the developer console can't be protected against by a lot of methods
▸ Not considered a 'true' XSS attack because it requires the user to execute the code themselves

Slide 15

Slide 16

LET'S FIGHT BACK

Slide 17

WHAT IS A CSP?
An HTTP response header to help reduce XSS risks

Slide 18

WHAT IS A CSP?
It is not a silver bullet

Slide 19

WHAT IS A CSP?
It is an extra layer of security

Slide 20

HOW DOES A CSP WORK?
Declares what resources are allowed to load

Slide 21

IT CAN EVEN HELP WITH
Blocking those pesky crypto-mining scripts that have been popping up

Slide 22

BROWSER SUPPORT

Slide 23

Meh, it's alright(ish). Sorry IE users.

Slide 24

WHAT CAN WE PROTECT?
CSP to the rescue!
▸ default-src
▸ script-src
▸ style-src
▸ img-src
▸ form-action
▸ upgrade-insecure-requests
▸ and so much more…

Slide 25

FULL REFERENCE:
https://content-security-policy.com
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy

Slide 26

img-src *
Allows any URL except the data:, blob: and filesystem: schemes.

Slide 27

object-src 'none'
Don't load resources from any source. 'none' matches nothing, so for object-src this means no <object>, <embed> or <applet> content at all.

Slide 28

style-src 'self'
Allow loading from the same scheme, host and port as the page. Inline style attributes and <style> bodies are still blocked.

Slide 29

script-src 'unsafe-inline'

Allows inline script: <script> tag bodies, onclick and other event-handler attributes, and javascript: URLs. (The equivalent for style-src allows style attributes and <style> tag bodies.)

Slide 30

DON'T USE UNSAFE-INLINE

Slide 31

<script nonce="$RANDOM">...</script>

script-src 'self' 'nonce-$RANDOM'

Slide 32

Content-Security-Policy: default-src 'none'; script-src 'self' https://*.google.com 'nonce-random123'; style-src 'self'; img-src 'self'; upgrade-insecure-requests; form-action 'self';
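The matching rules from the last few slides, applied to the slide 32 policy, as an added example in JavaScript; this is not code from the talk or from the csp-demo repository, and it is a teaching model of the rules rather than a complete CSP Level 3 implementation. It goes slightly beyond the slides in two places a practitioner gets bitten: a `*.` wildcard does not match the bare domain, and directives such as form-action do not fall back to default-src at all. The page origin and every URL evaluated are constructed for the example.

```javascript
// Added example, not code from the talk or the csp-demo repo: a small evaluator that
// applies the source-matching rules from the preceding slides to the policy on slide 32.
// Covers 'none', 'self', '*', scheme sources, host sources with a *. wildcard, nonces,
// and the fallback to default-src. A teaching model, not a full CSP3 implementation.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// Directives that never fall back to default-src. Leaving one of these out leaves it
// unrestricted, however strict default-src is.
const NO_FALLBACK = new Set(['form-action', 'frame-ancestors', 'base-uri', 'sandbox',
  'report-uri', 'report-to', 'upgrade-insecure-requests', 'block-all-mixed-content']);

// "name src src; name src" -> Map(name -> [src, ...])
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

function portOf(u) { return u.port || DEFAULT_PORTS[u.protocol] || ''; }

// Does one source expression match this URL, for a document at docOrigin?
function sourceMatches(expr, url, docOrigin) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") {                      // same scheme, host and port as the page
    return url.protocol === docOrigin.protocol && url.hostname === docOrigin.hostname
      && portOf(url) === portOf(docOrigin);
  }
  if (e === '*') {                           // any network scheme; data:, blob:, filesystem: do not match
    return url.protocol in DEFAULT_PORTS || url.protocol === docOrigin.protocol;
  }
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return url.protocol === e;   // scheme source, e.g. https:
  if (e.startsWith("'")) return false;       // nonces, hashes, 'unsafe-inline' never match a URL
  // host source: [scheme://][*.]host[:port][/path]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?(\/.*)?$/.exec(e);
  if (!m) return false;
  const [, scheme, wildcard, host, port, path] = m;
  if (scheme ? url.protocol !== scheme + ':'
             : url.protocol !== docOrigin.protocol && url.protocol !== 'https:') return false;
  if (wildcard ? !url.hostname.endsWith('.' + host) : url.hostname !== host) return false;
  if (port && port !== '*' && portOf(url) !== port) return false;
  if (path && (path.endsWith('/') ? !url.pathname.startsWith(path) : url.pathname !== path)) return false;
  return true;
}

// The source list that governs a directive, honouring the default-src fallback.
// null means "not restricted at all".
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (NO_FALLBACK.has(directive)) return null;
  return policy.has('default-src') ? policy.get('default-src') : null;
}

// Would a fetch governed by `directive` be allowed to load `urlString`?
function allows(policy, directive, urlString, docOriginString) {
  const sources = effectiveSources(policy, directive);
  if (sources === null) return true;
  const url = new URL(urlString), docOrigin = new URL(docOriginString);
  return sources.some((s) => sourceMatches(s, url, docOrigin));
}

// Would an inline <script> / <style> carrying this nonce attribute be allowed?
// 'unsafe-inline' is ignored as soon as the directive carries a nonce or hash source.
function allowsInline(policy, directive, nonce) {
  const sources = effectiveSources(policy, directive);
  if (sources === null) return true;
  if (nonce !== undefined && sources.includes(`'nonce-${nonce}'`)) return true;
  const hasNonceOrHash = sources.some((s) => /^'(nonce|sha256|sha384|sha512)-/i.test(s));
  return !hasNonceOrHash && sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
}

// The policy from slide 32, evaluated for a (constructed) page at https://mysite.com
const SLIDE_32 = "default-src 'none'; script-src 'self' https://*.google.com 'nonce-random123'; "
  + "style-src 'self'; img-src 'self'; upgrade-insecure-requests; form-action 'self';";
const DOC = 'https://mysite.com';
const policy = parsePolicy(SLIDE_32);
```

Two results worth trying: `allows(policy, 'script-src', 'https://google.com/x.js', DOC)` is false because `https://*.google.com` only matches subdomains, and a policy of just `default-src 'none'` still allows a form to post anywhere, because form-action has no fallback.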

Slide 33

LEARN FROM MY MISTAKES
I broke production with a bad CSP

Slide 34

DON'T DO WHAT I DID

Slide 35

REPORT-URI

Slide 36

When a policy failure occurs, the browser sends a JSON payload to that URL

Slide 37

{
  "csp-report": {
    "blocked-uri": "self",
    "document-uri": "https://mysite.com",
    "line-number": 1,
    "original-policy": "script-src 'self'",
    "script-sample": "try { for(var lastpass_iter=0; lastpass...",
    "source-file": "https://mysite.com",
    "violated-directive": "script-src 'self'"
  }
}

Slide 38

REPORT-URI.IO

Slide 39

Slide 40

REPORT-ONLY

Slide 41

Content-Security-Policy-Report-Only: [policy]; report-uri https://app.report-uri.io/r/default/csp/reportOnly;

Slide 42

TRIAL STUFF BEFORE ENFORCING

Slide 43

THERE WILL BE NOISE, LOTS OF NOISE
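The receiving side of report-uri, as an added example in JavaScript; this is not code from the talk and not how report-uri.io works internally. It parses the JSON the browser POSTs (the slide 37 payload, which is a password-manager extension injecting inline script, is one of the inputs) and separates that kind of noise from violations worth acting on, then aggregates what remains so one broken asset appears once with a count rather than once per visitor. The extension markers, the scheme list, the extension id and the other sample reports are constructed for the example. Note that some browsers only include script-sample when the directive contains 'report-sample', so do not rely on the sample being present.

```javascript
// Added example, not code from the talk: a report-uri endpoint's triage logic.
// Parses the JSON the browser POSTs, drops noise (browser extensions, reports that
// are not about our pages, malformed bodies) and aggregates the rest.
// The markers, scheme list and sample reports below are assumptions for the example.

const EXTENSION_SCHEMES = ['chrome-extension:', 'moz-extension:', 'safari-extension:', 'ms-browser-extension:'];
// Assumed markers for inline code that browser extensions inject into pages.
const EXTENSION_MARKERS = [/lastpass/i, /grammarly/i];

function originOf(s) {
  try { return new URL(s).origin; } catch (err) { return null; }
}

// One report body in, one verdict out. `ourOrigin` is the site the policy belongs to.
function classifyReport(body, ourOrigin) {
  let parsed;
  try { parsed = JSON.parse(body); } catch (err) { return { kind: 'malformed' }; }
  const r = parsed && parsed['csp-report'];
  if (!r || typeof r !== 'object') return { kind: 'malformed' };

  const blocked = String(r['blocked-uri'] || '');
  const sample = String(r['script-sample'] || '');
  const sourceFile = String(r['source-file'] || '');
  const documentUri = String(r['document-uri'] || '');
  // effective-directive is the precise one; older browsers only send violated-directive
  const directive = String(r['effective-directive'] || r['violated-directive'] || '').split(/\s+/)[0];

  // Reports are unauthenticated POSTs: anyone can send anything here. Keep only
  // reports whose document is one of ours (origin comparison, not a string prefix).
  if (originOf(documentUri) !== ourOrigin) return { kind: 'noise', reason: 'not our document', directive };
  if (EXTENSION_SCHEMES.some((s) => blocked.startsWith(s) || sourceFile.startsWith(s))) {
    return { kind: 'noise', reason: 'browser extension', directive };
  }
  // blocked-uri "self" / "inline" with an extension's fingerprint in the sample: the
  // slide 37 case, where a password manager injected a script into our page.
  if (['self', 'inline', ''].includes(blocked) && EXTENSION_MARKERS.some((re) => re.test(sample))) {
    return { kind: 'noise', reason: 'extension-injected inline script', directive };
  }
  return { kind: 'actionable', directive, blocked, documentUri };
}

// Aggregate a batch: counts per (directive, blocked URI) plus noise/malformed totals.
function summarize(bodies, ourOrigin) {
  const actionable = {};
  let noise = 0, malformed = 0;
  for (const body of bodies) {
    const v = classifyReport(body, ourOrigin);
    if (v.kind === 'noise') { noise++; continue; }
    if (v.kind === 'malformed') { malformed++; continue; }
    const key = `${v.directive} ${v.blocked}`;
    actionable[key] = (actionable[key] || 0) + 1;
  }
  return { noise, malformed, actionable };
}

// Constructed inputs: the slide 37 payload first, then invented reports.
const SAMPLE_REPORTS = [
  JSON.stringify({ 'csp-report': { 'blocked-uri': 'self', 'document-uri': 'https://mysite.com', 'line-number': 1,
    'original-policy': "script-src 'self'", 'script-sample': 'try { for(var lastpass_iter=0; lastpass...',
    'source-file': 'https://mysite.com', 'violated-directive': "script-src 'self'" } }),
  JSON.stringify({ 'csp-report': { 'blocked-uri': 'chrome-extension://abcdefghijklmnop/content.js',
    'document-uri': 'https://mysite.com/login', 'violated-directive': "script-src 'self'" } }),
  JSON.stringify({ 'csp-report': { 'blocked-uri': 'https://cdn.example/miner.js', 'document-uri': 'https://mysite.com/',
    'effective-directive': 'script-src', 'violated-directive': "script-src 'self'" } }),
  JSON.stringify({ 'csp-report': { 'blocked-uri': 'https://cdn.example/miner.js', 'document-uri': 'https://mysite.com/about',
    'effective-directive': 'script-src', 'violated-directive': "script-src 'self'" } }),
  JSON.stringify({ 'csp-report': { 'blocked-uri': 'https://mysite.com/x.js', 'document-uri': 'https://attacker.example/',
    'violated-directive': 'script-src' } }),
  'not json at all',
];
```

Run `summarize(SAMPLE_REPORTS, 'https://mysite.com')` and three of the six bodies are noise, one is malformed, and the two miner.js reports collapse into a single actionable line with a count of 2, which is the shape you want in front of you when deciding whether a policy is ready to move from report-only to enforced.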

Slide 44

TIPS
Ways to make dealing with a CSP easier
▸ Have an easy and quick way to disable the CSP in production if required
▸ Better yet, have a way to switch it from enforced to report-only, so violations get reported and help you debug without breaking the site
▸ Add the CSP at the application level (not the web server) if you need a nonce, because the nonce has to be generated per request and shared with the templates

Slide 45

MULTIPLE POLICIES
Ways to make dealing with a CSP easier
▸ They complicate things
▸ For a resource to be allowed, it must be allowed by every policy declared (problematic when one of them is enforced)
▸ I tend to avoid them where possible on enforced policies
▸ But in report-only mode they can be very useful to deploy and test multiple candidate policies at the same time (as nothing breaks for the user)

Slide 46

NONCES
Ways to remove barriers in development
▸ Don't generate multiple nonces in the same request (but do generate a new nonce on each separate request)
▸ If using a templating engine (such as Twig), add the nonce as a global so it's available in every template by default
▸ Write a helper in your template engine to generate script tags with a nonce if one is available

Slide 47

LET'S BREAK STUFF
Demo time!

Slide 48

@SCOTT_HELME
He knows his stuff!

Slide 49

@MR_GOODWIN
He first introduced me to what a CSP is

Slide 50

LINKS & FURTHER READING
Homework time!
▸ https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
▸ https://content-security-policy.com
▸ https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
▸ https://report-uri.io
▸ https://scotthelme.co.uk/just-how-much-traffic-can-you-generate-using-csp/
▸ https://www.edgescan.com/assets/docs/reports/2016-edgescan-stats-report.pdf
▸ http://theharmonyguy.com/oldsite/2011/04/21/recent-facebook-xss-attacks-show-increasing-sophistication/
▸ https://github.com/Brunty/csp-demo

Slide 51

THANK YOU

Slide 52

QUESTIONS?
@BRUNTY
JOIND.IN/TALK/9A570
NOTI.ST/BRUNTY
MFYU.CO.UK