Neatly Bypassing Content Security Policy (opens in new tab)

(lab.wallarm.com)

104 pointswlrm7y ago36 comments

36 comments

29 comments · 9 top-level

Someone12347y ago· 8 in thread

Great article.

Why is CSP so under-utilized? Less than 0.2% of the top 1m sites[0]. Although only 9% use basic features like secure cookies, and 6% HSTS.

[0] https://blog.mozilla.org/security/2018/02/28/analysis-alexa-...

throwawayjava7y ago

> Why is CSP so under-utilized?

I think a few reasons:

1. It's not a sufficient replacement for sanitizing input. You need to sanitize; CSP is just an extra layer of protection.

2. relative new.

3. many popular frameworks don't support it out of the box.

iancarroll7y ago

The deployment difficulty is also high, especially for what it offers. Deploying CSP on anything non-trivial involves a lot of coordination with basically anyone who runs code on your site.

1 more reply

sametmax7y ago

It may also prevent tooling to work on your site. E.G: bookmarklet won't work anymore. On browsers without extensions, they are the only way to get extra features.

It's especially annoying on github.

Promarged7y ago

Actually CSP can also block content modifications by extensions. I frequently get CSP reports from browsers using plugins that want to insert something on my site. Some time ago I also got CSP reports that indicated the AdBlocker couldn't touch the site too...

dwheeler7y ago

I think that's easy: CSP is under-utilized in big sites because it can be hard to transition existing big sites to it. The URL you reference only focuses on "big" sites, which are pretty much always existing sites. Using CSP properly means removing all inline JavaScript and CSS, which is a lot of work and takes a lot of time. Note that this report doesn't give credit if a site uses CSP but allows unsafe-inline (see its footnotes for details).

That said, that report also notes that there is growth. A site I manage, https://bestpractices.coreinfrastructure.org , does use CSP in practically every page. There's one page where we had to weaken the CSP requirements, but that page doesn't include any data directly created by a user (so the risk is not low). The most recent version of CSP has some features that may make transition easier (once sites believe they can depend on it). There's reason to hope that CSP will become more common, but it's going to take time.

yeukhon7y ago

Way too complex. Followed the development up until 2.0, and I was already lost. Take this as someone who was breathing on the spec almost every day for a year. Now reading the latest spec is like trying to understand kernel.

lozenge7y ago

Because most ad networks and analytics providers don't tell you what CSP header to add to work reliably. Partly because ad networks can rotate in ads/resellers/scripts from hundreds of companies. Also, the resulting header can be quite long delaying the first byte of content (for each resource on the page).

lvh7y ago

TL;DR: a terrifying amount of sites legitimately end up using these unsafe features without realizing it.

The spec revisions are a little arduous, but in my experience the biggest problem is that any site big enough to start caring about CSP is also big enough to have a myriad of trackers and JS snippets that insist on using these unsafe features. Google Tag Manager might as well have been based on weaponized XSS payloads.

And now the technical problem is actually a human problem because some poor security schmuck has to convince a totally different team with a totally different reporting structure (those trackers likely go up into sales or marketing, possibly some random SEO contractor you've barely heard of!) to prioritize a pretty fundamental change.

Maybe the security person tries to walk up their reporting chain until the two converge, possibly at the CEO. But it sure sounds like you're trying to kill a feature for intangible goals (it may or may not prevent an XSS vuln, you say?). And the team that owns the feature will tell you they can directly attribute growth to the visibility they get from that feature.

Even when it isn't SEO's fault, a lot of sites legitimately use inline scripts in order to shovel some server-side JSON into the rendered HTML quickly where eventually some JS can access it for example. You can use DOM elements with data attributes, but that's probably not how it works today because that's not the obvious way to do it.

dvirsky7y ago· 5 in thread

Oh, not CSP as in concurrency. Makes more sense now.

stephengillie7y ago

If your Cloud Service Provider doesn't support Communicating Sequential Processes, would their Customer Service Personnel handle a Constraint Satisfaction Problem?

sullyj37y ago

I assumed Constraint Satisfaction Problem

xenonite7y ago

I had the same thought. It would be good to adjust the headline accordingly.

dboreham7y ago

I came to read about how Node.js uses a single thread to bypass CSP...

djtriptych7y ago

* Stands in this line

dnag7y ago· 2 in thread

Just adding the sandbox attribute is enough to severely lock down an iframe.

mattbierner7y ago

Just to add some context: 'sandbox' will make the iframe load in a unique origin and also disable scripts (along with disabling bunch of other things). This will prevent these attacks.

There's also ' frame-src' for content security policies, which lets you control what is allowed in the iframe's src. Even with these guards in place, you generally should not let user content drive an iframe's src

ChrisSD7y ago

You'll also want the CSP `sandbox` policy on the `src` page to guard against direct linking.

[0] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Co...

nailer7y ago· 2 in thread

What if they use unsafe-inline but still lock down frames via frame-src?

alxlu7y ago

In this example it would still work since frame-src will fallback to default-src if not specified.

nailer7y ago

I don't think you're reading my question properly - I'm asking about when frame-src IS specified - but just in case it's me that's missing something. I'll reword my question.

What happens if a site:

- allows 'unsafe-inline' as a script-src

- does not allow untrusted domains in frame-src

1 more reply

minitech7y ago· 1 in thread

I’m confused. If you already have script injection on a website with script-src 'unsafe-inline' (!!!), what do you need to bypass? I guess for some very unusual types of websites it could be hard to get information out, but you’re otherwise free to perform any action within the site as the user.

alxlu7y ago

You would need to bypass connect-src in order to exfiltrate data. Even if you are able to call fetch() on your endpoint through XSS, CSP would block the network request. So the iframe and webrtc methods in the article are geared towards bypassing that since connect-src would fallback to default-src in this case.

Jach7y ago· 1 in thread

TLDR: don't use 'unsafe-inline'. Good article though.

zinckiwi7y ago

The clue is in the name, I'd have thought.

jey7y ago· 1 in thread

Mods, can you please update title to clarify that "CSP" means "Content Security Policy" here?

sctb7y ago

Sure thing!

nebulous17y ago

It's almost like there's a clue in the name 'unsafe-inline'

zupa-hu7y ago

TLDR: CSP can by bypassed if you don't use it on all responses, like error pages.

This is of course not bypassing CSP.

j / k navigate · click thread line to collapse

36 comments

29 comments · 9 top-level

Someone12347y ago· 8 in thread

Great article.

Why is CSP so under-utilized? Less than 0.2% of the top 1m sites[0]. Although only 9% use basic features like secure cookies, and 6% HSTS.

[0] https://blog.mozilla.org/security/2018/02/28/analysis-alexa-...

throwawayjava7y ago

> Why is CSP so under-utilized?

I think a few reasons:

1. It's not a sufficient replacement for sanitizing input. You need to sanitize; CSP is just an extra layer of protection.

2. relative new.

3. many popular frameworks don't support it out of the box.

iancarroll7y ago

The deployment difficulty is also high, especially for what it offers. Deploying CSP on anything non-trivial involves a lot of coordination with basically anyone who runs code on your site.

1 more reply

sametmax7y ago

It may also prevent tooling to work on your site. E.G: bookmarklet won't work anymore. On browsers without extensions, they are the only way to get extra features.

It's especially annoying on github.

Promarged7y ago

dwheeler7y ago

yeukhon7y ago

lozenge7y ago

lvh7y ago

TL;DR: a terrifying amount of sites legitimately end up using these unsafe features without realizing it.

dvirsky7y ago· 5 in thread

Oh, not CSP as in concurrency. Makes more sense now.

stephengillie7y ago

If your Cloud Service Provider doesn't support Communicating Sequential Processes, would their Customer Service Personnel handle a Constraint Satisfaction Problem?

sullyj37y ago

I assumed Constraint Satisfaction Problem

xenonite7y ago

I had the same thought. It would be good to adjust the headline accordingly.

dboreham7y ago

I came to read about how Node.js uses a single thread to bypass CSP...

djtriptych7y ago

* Stands in this line

dnag7y ago· 2 in thread

Just adding the sandbox attribute is enough to severely lock down an iframe.

mattbierner7y ago

Just to add some context: 'sandbox' will make the iframe load in a unique origin and also disable scripts (along with disabling bunch of other things). This will prevent these attacks.

ChrisSD7y ago

You'll also want the CSP `sandbox` policy on the `src` page to guard against direct linking.

[0] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Co...

nailer7y ago· 2 in thread

What if they use unsafe-inline but still lock down frames via frame-src?

alxlu7y ago

In this example it would still work since frame-src will fallback to default-src if not specified.

nailer7y ago

I don't think you're reading my question properly - I'm asking about when frame-src IS specified - but just in case it's me that's missing something. I'll reword my question.

What happens if a site:

- allows 'unsafe-inline' as a script-src

- does not allow untrusted domains in frame-src

1 more reply

minitech7y ago· 1 in thread

alxlu7y ago

Jach7y ago· 1 in thread

TLDR: don't use 'unsafe-inline'. Good article though.

zinckiwi7y ago

The clue is in the name, I'd have thought.

jey7y ago· 1 in thread

Mods, can you please update title to clarify that "CSP" means "Content Security Policy" here?