SecAppDev 2019
Friday, February 22, 2019 • 11:00 - 12:30 CET
CSP in the age of Script Gadgets

Content Security Policy (CSP) is one of the most promising defenses against XSS vulnerabilities. Here, we revisit the history of CSP, discuss weaknesses and bypasses, and show how to build strong policies. 

Content Security Policy (CSP) was first introduced in 2012. It was meant to be a silver-bullet defense against various injection attacks, including the rampant Cross-Site Scripting vulnerabilities. Unfortunately, modern development practices and legacy code bases proved to be substantial obstacles. Later levels of CSP added features aimed at usability and compatibility for developers. Unfortunately, researchers discovered many bypasses and vulnerabilities in real-world CSP policies. The most recent class of bypass is known as script gadgets: code in legitimate, policy-permitted libraries that turns attacker-controlled data (for example, HTML attributes) into executing script, so an injection succeeds without the attacker supplying any script of their own.

In this session, we will take a look at the problems you might encounter when deploying CSP. We start at CSP Level 1 and work towards the current Level 3. We discuss CSP's features, potential bypasses, and pitfalls to avoid. In the end, you will have gained the knowledge to deploy a secure and effective policy.

This session is intended for anyone building, designing or securing web-based applications.


Martin Johns

Full professor, TU Braunschweig

West wing (room Lemaître)