Web Platform Security (dotSecurity, April 2016)

Transcript

1. Web Platform Security Mike West / @mikewest / [email protected]

2. Ulysses and the Sirens - John William Waterhouse

3. XSS <style> p { color: {{USER_COLOR}}; } </style> <p> {{USER_NAME}},

   hello! Visit this nice <a href="{{USER_URL}}">link</a>. </p> <script> var id = {{USER_ID}}; </script> <!-- DEBUG: {{INFO}} -->

4. CSRF/XSSI innocent-victim.com evil.com

5. Google's VRP

6. None
7. None

8. Privilege Reduction

9. Content Security Policy

10. Content-Security-Policy: script-src https://connect.facebook.net https://cm.g.doubleclick.net https: //ssl.google-analytics.com https://graph.facebook.com https://twitter.com 'unsafe-eval' https://*.twimg.

    com https://api.twitter.com https://analytics.twitter.com https://publish.twitter.com https://ton. twitter.com https://syndication.twitter.com 'nonce-uogXos0C/8QDBoxHOYtXzg==' https://www.google.com https://t.tellapart.com https://platform.twitter.com https://www.google-analytics.com 'self'; frame- ancestors 'self'; font-src https://twitter.com https://*.twimg.com data: https://ton.twitter.com https: //fonts.gstatic.com https://maxcdn.bootstrapcdn.com https://netdna.bootstrapcdn.com 'self'; media-src https://twitter.com https://*.twimg.com https://ton.twitter.com blob: 'self'; connect-src https://graph. facebook.com https://*.giphy.com https://pay.twitter.com https://analytics.twitter.com https://media. riffsy.com https://upload.twitter.com https://api.mapbox.com 'self'; style-src https://fonts.googleapis. com https://twitter.com https://*.twimg.com https://translate.googleapis.com https://ton.twitter.com 'unsafe-inline' https://platform.twitter.com https://maxcdn.bootstrapcdn.com https://netdna.bootstrapcdn. com 'self'; object-src https://twitter.com https://pbs.twimg.com; default-src 'self'; frame-src https: //staticxx.facebook.com https://twitter.com https://*.twimg.com https://player.vimeo.com https://pay. twitter.com https://www.facebook.com https://ton.twitter.com https://syndication.twitter.com https: //vine.co twitter: https://www.youtube.com https://platform.twitter.com https://upload.twitter.com https: //s-static.ak.facebook.com 'self' https://donate.twitter.com; img-src https://graph.facebook.com https: //*.giphy.com https://twitter.com https://*.twimg.com data: https://fbcdn-profile-a.akamaihd.net https: //www.facebook.com https://ton.twitter.com https://*.fbcdn.net https://syndication.twitter.com https: //media.riffsy.com https://www.google.com https://stats.g.doubleclick.net https://*.tiles.mapbox.com https://www.google-analytics.com blob: 'self'; report-uri https://twitter.com/i/csp_report? a=NVQWGYLXFVZXO2LGOQ%3D%3D%3D%3D%3D%3D&ro=false;

11. Content-Security-Policy: script-src https://connect.facebook.net https://cm.g.doubleclick.net https: //ssl.google-analytics.com https://graph.facebook.com https://twitter.com 'unsafe-eval' https://*.twimg.

    com https://api.twitter.com https://analytics.twitter.com https://publish.twitter.com https://ton. twitter.com https://syndication.twitter.com 'nonce-uogXos0C/8QDBoxHOYtXzg==' https://www.google.com https://t.tellapart.com https://platform.twitter.com https://www.google-analytics.com 'self'; frame- ancestors 'self'; font-src https://twitter.com https://*.twimg.com data: https://ton.twitter.com https: //fonts.gstatic.com https://maxcdn.bootstrapcdn.com https://netdna.bootstrapcdn.com 'self'; media-src https://twitter.com https://*.twimg.com https://ton.twitter.com blob: 'self'; connect-src https://graph. facebook.com https://*.giphy.com https://pay.twitter.com https://analytics.twitter.com https://media. riffsy.com https://upload.twitter.com https://api.mapbox.com 'self'; style-src https://fonts.googleapis. com https://twitter.com https://*.twimg.com https://translate.googleapis.com https://ton.twitter.com 'unsafe-inline' https://platform.twitter.com https://maxcdn.bootstrapcdn.com https://netdna.bootstrapcdn. com 'self'; object-src https://twitter.com https://pbs.twimg.com; default-src 'self'; frame-src https: //staticxx.facebook.com https://twitter.com https://*.twimg.com https://player.vimeo.com https://pay. twitter.com https://www.facebook.com https://ton.twitter.com https://syndication.twitter.com https: //vine.co twitter: https://www.youtube.com https://platform.twitter.com https://upload.twitter.com https: //s-static.ak.facebook.com 'self' https://donate.twitter.com; img-src https://graph.facebook.com https: //*.giphy.com https://twitter.com https://*.twimg.com data: https://fbcdn-profile-a.akamaihd.net https: //www.facebook.com https://ton.twitter.com https://*.fbcdn.net https://syndication.twitter.com https: //media.riffsy.com https://www.google.com https://stats.g.doubleclick.net https://*.tiles.mapbox.com https://www.google-analytics.com blob: 'self'; report-uri https://twitter.com/i/csp_report? a=NVQWGYLXFVZXO2LGOQ%3D%3D%3D%3D%3D%3D&ro=false; twitter.com twitter.com evil.com
12. None

13. Content-Security-Policy: default-src https: ; script-src 'unsafe-inline' 'unsafe-dynamic' https://www.gstatic.com/recaptcha/api2/ 'nonce- dDMnKbh2kR5narOMRoBpGLQDdQl0KFCw';

    child-src https://www.google. com/recaptcha/; frame-src https://www.google.com/recaptcha/; img-src https: data: blob: ; style-src https: 'unsafe-inline'; object-src 'none'; report-uri /csp.do crbug.com nonce-dDMnK... crbug.com not-crbug.com
14. None

15. scheme://host:port

16. scheme://host:port scheme://sub1_host:port scheme://sub2_host:port

17. scheme://host:port scheme://sub2_host:port ? ? scheme://sub1_host:port

18. None

19. <script src="https://example.com/example-framework.js" integrity="sha384-Li9vy3DqF8tnTXui...bOxEbzJr7" crossorigin="anonymous"></script>

20. None

21. innocent-victim.com evil.com

22. None
23. None

24. Thanks for listening; go tie your origin to a mast!

    Mike West @mikewest / [email protected]