Description: Content Security Policy (CSP) is a defense-in-depth mechanism for whitelisting content sources in a web application, significantly reducing the risk and impact of injection in that application. It is supported by most modern browsers and is already at its third version, yet meaningful adoption on the web is struggling. In this presentation I'll highlight the major roadblocks that make CSP deployment difficult and the common mistakes, talk about what works and what doesn't in different browsers, and show how easy it is to defeat most whitelist-based CSPs. I'll also discuss prototyping an effective strict policy based on nonces only, new features we contributed to CSP3 that will make CSP easier to maintain and much more usable for big web applications, and some success stories of CSP at Google. Finally, we will show some juicy bypasses, for example via JSONP endpoints, by abusing a CDN to load outdated versions of AngularJS, or by loading different frameworks in a particular sequence. We hope that after attending this talk you will understand how tricky it can be to deploy an effective CSP policy and what the common mistakes to avoid are, and that as an attacker you will get resources and pointers on how well CSP is keeping up with modern web technologies, and how to break it. Fun is guaranteed!
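As an added illustration of the whitelist-versus-nonce distinction the abstract draws (example code written for this page, not code from the talk or from Google), here is a simplified Python model of a browser's script-src decision; the policies, origins and script paths are constructed placeholders, and the evaluator ignores hashes and path matching.

```python
from __future__ import annotations
import base64
import secrets
from urllib.parse import urlsplit

# Constructed sample policy (not the talk's own): a classic host whitelist.
WHITELIST_CSP = "script-src 'self' https://cdn.example.com; object-src 'none'"


def make_nonce() -> str:
    """Unguessable nonce, generated fresh for every response and never reused."""
    return base64.b64encode(secrets.token_bytes(16)).decode()


def strict_csp(nonce: str) -> str:
    """Nonce-only policy: a script executes only if it carries this nonce.
    'strict-dynamic' lets nonced scripts load further scripts and makes CSP3
    browsers ignore host sources; 'https:' and 'unsafe-inline' are fallbacks
    that only older, whitelist-era browsers act on."""
    return (f"script-src 'nonce-{nonce}' 'strict-dynamic' https: 'unsafe-inline'; "
            "object-src 'none'; base-uri 'none'")


def script_src_tokens(policy: str) -> list[str]:
    """Source expressions of the script-src directive (empty if absent)."""
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0] == "script-src":
            return parts[1:]
    return []


def script_allowed(policy: str, page_origin: str, src: str | None = None,
                   nonce: str | None = None) -> bool:
    """Simplified CSP3 decision for one <script> element (no hashes, no paths)."""
    tokens = script_src_tokens(policy)
    nonces = {t[len("'nonce-"):-1] for t in tokens if t.startswith("'nonce-")}
    if nonces and "'strict-dynamic'" in tokens:
        # Nonce mode: host sources and 'unsafe-inline' are disregarded, so the
        # origin of the script no longer decides anything.
        return nonce is not None and nonce in nonces
    if src is None:
        return "'unsafe-inline'" in tokens  # inline scripts need this keyword
    origin = "{0.scheme}://{0.netloc}".format(urlsplit(src))
    allowed = {page_origin if t == "'self'" else t
               for t in tokens if t == "'self'" or not t.startswith("'")}
    # Whitelist mode: any script on an allowed host passes, whatever its path
    # or version, which is why a host whitelist cannot pin a library version.
    return origin in allowed
```

The whitelist check accepts every script hosted on the listed CDN origin, while the nonce policy accepts only scripts the server itself tagged for this response.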
Biography: Lukas Weichselbaum (@we1x)
Information Security Engineer at Google. He is currently working, among other things, on researching security enhancements and mitigations for web applications. Lukas graduated from Vienna University of Technology in Austria, where he worked on dynamic analysis of Android malware. He also founded Andrubis, one of the very first large-scale malware analysis platforms for Android applications.
Biography: Michele Spagnuolo (@mikispag)
Information Security Engineer at Google Switzerland, Michele is a security researcher focused on web application security, and the Rosetta Flash guy. He is also the author of BitIodine, a tool for extracting intelligence from the Bitcoin network.
For more information please visit: http://area41.io/