Protecting your Web Application with Content Security Policy (CSP) presented at AppSecUSA 2015

by Martin Johns,

Summary : The basic problem of XSS has been known at least since the year 2000.
Nonetheless, XSS is as widespread as ever, even though an astonishing amount of thought, attention and education has been devoted to the topic. Apparently, the convoluted mess of server-side scripting, transport level rewriting and heterogeneous client-side processing (which is commonly know under the term "the Web") is too complex to allow a robust SDL-based solution to succeed.
Content Security Policy (CSP) is a highly promising, new way to address this old problem. The currently established approach to counter XSS is trying to identify untrusted data and attempting to prevent that this data influences the semantics of the application's JavaScript. CSP breaks away from this practice: Instead of spotting bad scripts, CSP allows the server to precisely tell the Web browser, which scripts are actually allowed to run, thus, enabling the browser to robustly stop all injection attempts. This way, by the means of a simple policy, the fast majority of XSS vulnerabilities can be efficiently
In this lightning training, the fundamental mechanisms of CSP are covered:
* Protection capabilities and surface of CSP
* How to design strong CSP policies
* How to build CSP compliant web applications
* Using CSP's reporting functionality
To do so, the students work with a insecure legacy Web application (which is provided in the form of a virtual box image). After the practical identification of several XSS problems, the students will first deploy a strong CSP policy to prevent exploitation. Then, subsequently the students will use CSP's reporting mode to iteratively adopt the policy (and parts of the application code) to match the application's functionality requirements. Finally, after deploying the policy, the students can test themselves, that the previously found vulnerabilities are indeed mitigated.