Friday, February 22 • 11:00 - 12:30
CSP in the age of Script Gadgets


Content Security Policy (CSP) is one of the most promising defenses against XSS vulnerabilities. Here, we revisit the history of CSP, discuss weaknesses and bypasses, and show how to build strong policies.


Abstract
Content Security Policy (CSP) was first introduced in 2012. It was intended to be a silver-bullet defense against various injection attacks, including the rampant Cross-Site Scripting vulnerabilities. Unfortunately, modern development practices and legacy code bases proved to be substantial obstacles. New versions of CSP were released to address usability and compatibility for developers, yet researchers kept discovering bypasses and vulnerabilities in real-world CSP policies. The latest problem is known as script gadgets: legitimate application functionality that turns attacker-controlled data into executed code.

In this session, we will take a look at the problems you might encounter when deploying CSP. We start at CSP level 1 and work towards the latest level 3 version. We discuss CSP's features, potential bypasses, and pitfalls to avoid. By the end, you will have gained the knowledge to deploy a secure and effective CSP policy.


This session is intended for anyone building, designing or securing web-based applications.

Speakers
Martin Johns

Full professor, TU Braunschweig


Friday February 22, 2019 11:00 - 12:30