Content-Security-Policy
Mar 27 2012, Yosuke HASEGAWA
Introduction of CSP in 5 minutes
What's CSP?

That's all.

Done in 5 seconds!

OK, a bit more seriously.
NetAgent (http://www.netagent.co.jp/), OWASP Japan 1st meeting

Content-Security-Policy

CSP (Content-Security-Policy): the trump card for eradicating XSS
- Supported by Firefox 4+, Google Chrome 18+, ...
- Resources other than the ones the policy specifies cannot be loaded: <script>, <iframe>, <img>, ...
- Inline scripts are forbidden: <script>alert(1)</script> ... NG
- eval and event-handler attributes are forbidden: <body onload=alert(1)> ... NG
The permitted resources are specified in a response header
- 'self' permits only the same domain and the same port
- Can also be specified via <meta> (but a <meta> policy cannot override the header)
- The header name differs between Firefox and WebKit
- Note: for brevity, only X-WebKit-CSP is shown in the examples that follow

Content-Security-Policy: default-src 'self'
X-WebKit-CSP: default-src 'self'
Can be specified per resource type

X-WebKit-CSP: default-src 'self'; img-src *.example.jp

<img src="http://img.example.jp/img.png"> OK
<img src="http://example.com/img.png"> NG
<iframe src="/child.html"></iframe> OK
<iframe src="http://www.example.jp/"></iframe> NG
Can be specified per resource type
- Not supported by Firefox

X-WebKit-CSP: default-src 'self'; script-src 'unsafe-inline'

<script>function foo(){ ... }</script> OK
<body onload="foo()"> OK
<a href="javascript:foo()"> OK
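To make the source-matching rules on the last three slides concrete, here is an added evaluator (example code, not from the deck or from any browser) that applies the CSP 1.0 semantics the slides describe: 'self' means same scheme, host and port; a host source like *.example.jp matches subdomains only; a directive that is absent falls back to default-src; and inline script needs 'unsafe-inline'. It assumes the document is served from http://example.jp/ (a constructed URL) and runs the deck's own header examples through the checks.

```python
# Added example (not from the slides): an evaluator for the CSP 1.0 source-list
# rules the deck illustrates, run against the deck's own header examples.
# Assumptions: the document is served from http://example.jp/ (constructed),
# and a directive that is absent falls back to default-src.
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_policy(header):
    """'default-src 'self'; img-src *.example.jp' -> {directive: [source, ...]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def _effective_port(url):
    u = urlsplit(url)
    return u.port if u.port is not None else DEFAULT_PORTS.get(u.scheme)


def source_matches(source, resource_url, document_url):
    """Does one source expression permit this (absolute) resource URL?"""
    if source == "*":
        return True
    if source == "'self'":
        # Same scheme, same host and same port, exactly as the deck says.
        r, d = urlsplit(resource_url), urlsplit(document_url)
        return (r.scheme, r.hostname, _effective_port(resource_url)) == \
               (d.scheme, d.hostname, _effective_port(document_url))
    if source.startswith("'"):
        return False  # 'none', 'unsafe-inline', 'unsafe-eval' are not URL matchers
    # Host source: [scheme://]host-or-wildcard[:port]
    scheme, _, host = source.rpartition("://")
    scheme = scheme or urlsplit(document_url).scheme
    host, _, port = host.partition(":")
    r = urlsplit(resource_url)
    if r.scheme != scheme:
        return False
    if port != "*":
        want = int(port) if port else DEFAULT_PORTS.get(scheme)
        if want != _effective_port(resource_url):
            return False
    rhost = (r.hostname or "").lower()
    if host.startswith("*."):
        # *.example.jp matches img.example.jp but not example.jp itself
        return rhost.endswith(host[1:].lower())
    return rhost == host.lower()


def is_allowed(policy, directive, resource_url, document_url):
    """Resolve the URL against the document and test it against the directive,
    falling back to default-src when the directive is absent. A policy with
    neither restricts nothing."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True
    url = urljoin(document_url, resource_url)
    return any(source_matches(s, url, document_url) for s in sources)


def inline_script_allowed(policy):
    """Inline <script>, event handlers and javascript: URLs need 'unsafe-inline'
    in script-src (or in default-src when script-src is absent)."""
    sources = policy.get("script-src", policy.get("default-src"))
    return sources is None or "'unsafe-inline'" in sources


DOCUMENT = "http://example.jp/index.html"  # constructed document URL


def slide_10_results():
    """The four resource loads from the img-src slide, in order."""
    policy = parse_policy("default-src 'self'; img-src *.example.jp")
    return [
        is_allowed(policy, "img-src", "http://img.example.jp/img.png", DOCUMENT),
        is_allowed(policy, "img-src", "http://example.com/img.png", DOCUMENT),
        is_allowed(policy, "frame-src", "/child.html", DOCUMENT),
        is_allowed(policy, "frame-src", "http://www.example.jp/", DOCUMENT),
    ]


if __name__ == "__main__":
    print(slide_10_results())  # [True, False, True, False]
    print(inline_script_allowed(parse_policy("default-src 'self'; script-src 'unsafe-inline'")))  # True
```

Two details worth noticing: an `img-src` directive replaces `default-src` for images rather than extending it, so `*.example.jp` alone does not admit images from example.jp itself; and 'self' compares the port too, so a script from example.jp:8080 is refused by `default-src 'self'` on a page served on port 80.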
A report is sent on each policy violation

X-WebKit-CSP: default-src 'self'; report-uri http://example.jp/cspreport.cgi

X-Content-Security-Policy-Report-Only: default-src 'self'; report-uri http://example.jp/cspreport.cgi
X-WebKit-CSP-Report-Only: default-src 'self'; report-uri http://example.jp/cspreport.cgi
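The report-uri endpoint on the slide (cspreport.cgi) is left to the reader; below is an added, stand-alone receiver (example code, not the deck's or NetAgent's) together with a summary that groups violations by directive and blocked host, which is what you read before switching from the Report-Only header to the enforcing one. The report body shape (a JSON object under "csp-report" with blocked-uri, violated-directive and document-uri) follows the W3C draft the deck references; since Firefox and WebKit builds of this era differed in details, treat the key names as an assumption to check against real reports. The sample reports are constructed.

```python
# Added example (not from the slides): a receiver for the violation reports
# that report-uri sends, plus a summary to read before switching from the
# Report-Only header to the enforcing one. Key names follow the W3C draft
# (assumption); the sample reports below are constructed.
import json
from collections import Counter
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit


def parse_report(body):
    """Normalise one report body to (directive name, blocked source, document URI).
    Raises ValueError/KeyError on bodies that are not a CSP report."""
    report = json.loads(body)["csp-report"]
    directive = report["violated-directive"].split()[0].lower()
    blocked = report.get("blocked-uri", "")
    host = urlsplit(blocked).hostname
    # Inline script violations carry an empty blocked-uri in the draft format.
    blocked_label = host or blocked or "(inline)"
    return directive, blocked_label, report["document-uri"]


def summarize(bodies):
    """Count violations by (directive, blocked source) so that the few noisy
    sources (ads, analytics, libraries) stand out before enforcing."""
    return Counter(parse_report(b)[:2] for b in bodies)


class ReportHandler(BaseHTTPRequestHandler):
    """Minimal stand-in for the deck's cspreport.cgi endpoint."""
    received = []  # shared across requests; fine for a single-process demo

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length)
        try:
            self.received.append(parse_report(body))
            status = 204
        except (ValueError, KeyError):
            status = 400  # malformed or non-report JSON: reject, never crash
        self.send_response(status)
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet


# Constructed sample reports, in the draft's JSON shape.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {
        "document-uri": "http://example.jp/index.html",
        "blocked-uri": "http://example.com/img.png",
        "violated-directive": "img-src *.example.jp",
        "original-policy": "default-src 'self'; img-src *.example.jp; report-uri http://example.jp/cspreport.cgi",
    }}),
    json.dumps({"csp-report": {
        "document-uri": "http://example.jp/index.html",
        "blocked-uri": "http://example.com/img.png",
        "violated-directive": "img-src *.example.jp",
        "original-policy": "default-src 'self'; img-src *.example.jp; report-uri http://example.jp/cspreport.cgi",
    }}),
    json.dumps({"csp-report": {
        "document-uri": "http://example.jp/login.html",
        "blocked-uri": "",
        "violated-directive": "default-src 'self'",
        "original-policy": "default-src 'self'; report-uri http://example.jp/cspreport.cgi",
    }}),
]


if __name__ == "__main__":
    print(summarize(SAMPLE_REPORTS))
    HTTPServer(("127.0.0.1", 8080), ReportHandler).serve_forever()
```

Run it, point report-uri at http://127.0.0.1:8080/ from a test page, and the summary tells you which third-party hosts the enforcing policy would break; the Report-Only header blocks nothing, so this is the low-risk way to discover the ads and analytics scripts the next slide warns about.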
Specified properly, CSP reliably blocks resource loads by third parties
- Ads, analytics JS, JS libraries and the like may stop working
- Operating it is quite a hassle
- The W3C Working Draft, the Editor's Draft and each browser implementation all differ from one another
References
- Introducing Content Security Policy - MDN: https://developer.mozilla.org/en/Introducing_Content_Security_Policy
- Content Security Policy, W3C Working Draft 29 November 2011: http://www.w3.org/TR/CSP/
- Content Security Policy, W3C Editor's Draft 21 March 2012: https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html
- O'Reilly Japan - Firefox Hacks Rebooted: http://www.oreilly.co.jp/books/9784873114972/
Done in 5 minutes! → The talk slot is actually 10 minutes!! So it continues just a little longer.
Content-Security-Policy
Mar 27 2012, Yosuke HASEGAWA
Breaking CSP in 5 minutes
Breaking CSP

The strictest restriction:
- Resources from other domains cannot be loaded
- Inline JS cannot be used
- Even with an XSS, you can do practically nothing

Content-Security-Policy: default-src 'self'
X-WebKit-CSP: default-src 'self'
It's frustrating to have an XSS and not be able to do anything with it!!

Content-Security-Policy: default-src 'self'
X-WebKit-CSP: default-src 'self'
Content-Type: text/html; charset=utf-8

<html><body><div>XSS here<script>...</script></div></body></html>
E4X necromancy (Firefox only)
E4X - ECMAScript for XML
- E4X is supported only by Firefox
- It adds an "XML type" inside JavaScript

var xml = <user>
            <name>Yosuke</name>
            <mail>[email protected]</mail>
          </user>;
alert( xml.name );
The page itself (HTML) can be loaded!

Content-Security-Policy: default-src 'self'
X-WebKit-CSP: default-src 'self'
Content-Type: text/html; charset=utf-8

<html><body><div><script src="self.html"></script></div></body></html>
What if the HTML could be interpreted as JavaScript?
The following is valid as JavaScript containing two XML literals:

<html><body><div></div></body></html>;alert(1);<html><body><div></div></body></html>
The page itself (HTML) can be loaded!

Content-Security-Policy: default-src 'self'
X-WebKit-CSP: default-src 'self'
Content-Type: text/html; charset=utf-8

<html><body><div><script src="self.html?q=%3C/div%3E...%3C/html%3E;alert(1);..."></script></div></body></html>
- With E4X, HTML can be interpreted as JS
- It does not work if there is an XML declaration or a doctype declaration
- So put a proper doctype declaration on every page
- And eliminate XSS in the first place

Master CSP and the risk from XSS drops dramatically!
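The deck closes on two hardening points: the page must carry an enforcing policy that does not re-admit inline script, and its HTML must begin with a doctype declaration, which is what stops the Firefox-only E4X trick from reading the page as script. The following added check (example code, not from the deck) lints a captured response for both, given its headers as a dict and its body as bytes. It recognises the three header names the deck uses plus their -Report-Only variants; the two sample responses are constructed.

```python
# Added example (not from the slides): a lint for the hardening points the deck
# closes on. Header names are the ones the deck uses; the sample responses
# below are constructed.

ENFORCING = ("content-security-policy", "x-content-security-policy", "x-webkit-csp")


def parse_policy(header):
    """'default-src 'self'; script-src 'unsafe-inline'' -> {directive: [sources]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def lint_response(headers, body):
    """Return a list of findings (empty means the response passes).
    headers: dict of header name -> value; body: response bytes."""
    findings = []
    lower = {k.lower(): v for k, v in headers.items()}
    policies = [(name, lower[name]) for name in ENFORCING if name in lower]
    if not policies:
        if any(name + "-report-only" in lower for name in ENFORCING):
            findings.append("only a Report-Only header is set: violations are reported, not blocked")
        else:
            findings.append("no CSP header at all")
    for name, value in policies:
        policy = parse_policy(value)
        # script-src replaces default-src for scripts; fall back only when absent
        script_sources = policy.get("script-src", policy.get("default-src", []))
        if "'unsafe-inline'" in script_sources:
            findings.append(f"{name} permits inline script ('unsafe-inline'), so a reflected <script> still runs")
        if "default-src" not in policy:
            findings.append(f"{name} has no default-src: any resource type not named is unrestricted")
    if lower.get("content-type", "").lower().startswith("text/html"):
        # A leading BOM or whitespace is fine; anything else before the doctype is not.
        text = body.decode("utf-8", "replace").lstrip("\ufeff \t\r\n")
        if not text.lower().startswith("<!doctype"):
            findings.append("HTML does not begin with a doctype declaration")
    return findings


# Constructed responses: the deck's weakened example and a hardened one.
WEAK = (
    {"Content-Type": "text/html; charset=utf-8",
     "X-WebKit-CSP": "default-src 'self'; script-src 'unsafe-inline'"},
    b"<html><body><div>XSS here</div></body></html>",
)
HARDENED = (
    {"Content-Type": "text/html; charset=utf-8",
     "X-WebKit-CSP": "default-src 'self'; report-uri http://example.jp/cspreport.cgi",
     "X-Content-Security-Policy": "default-src 'self'; report-uri http://example.jp/cspreport.cgi"},
    b"<!DOCTYPE html>\n<html><body><div>XSS here</div></body></html>",
)

if __name__ == "__main__":
    for label, (h, b) in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, lint_response(h, b))
```

The doctype check is the cheap mitigation the slide recommends; the policy checks are there because a doctype alone does nothing against an XSS once 'unsafe-inline' is back in the script sources.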
Questions?
[email protected]@netagent.co.jp
@hasegawayosuke
http://utf-8.jp/