Thursday, September 24 • 1:00pm - 1:55pm
Protecting your Web Application with Content Security Policy (CSP)


Lab material available for download here: 
Please download before arriving at the conference!

The basic problem of XSS has been known at least since the year 2000.
Nonetheless, XSS is as widespread as ever, even though an astonishing amount of thought, attention and education has been devoted to the topic. Apparently, the convoluted mess of server-side scripting, transport-level rewriting and heterogeneous client-side processing (commonly known as "the Web") is too complex to allow a robust SDL-based solution to succeed.

Content Security Policy (CSP) is a highly promising, new way to address this old problem. The currently established approach to countering XSS tries to identify untrusted data and to prevent that data from influencing the semantics of the application's JavaScript. CSP breaks away from this practice: instead of spotting bad scripts, CSP allows the server to tell the Web browser precisely which scripts are actually allowed to run, thus enabling the browser to robustly stop all injection attempts. This way, by means of a simple policy, the vast majority of XSS vulnerabilities can be efficiently

In this lightning training, the fundamental mechanisms of CSP are covered:

* Protection capabilities and surface of CSP
* How to design strong CSP policies
* How to build CSP compliant web applications
* Using CSP's reporting functionality

To do so, the students work with an insecure legacy Web application (provided as a VirtualBox image). After practically identifying several XSS problems, the students first deploy a strong CSP policy to prevent exploitation. Subsequently, the students use CSP's reporting mode to iteratively adapt the policy (and parts of the application code) to match the application's functionality requirements. Finally, after deploying the policy, the students verify for themselves that the previously found vulnerabilities are indeed mitigated.
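The rollout the abstract describes (strict policy, then Report-Only mode to tune it against real traffic, then enforcement) can be sketched in a few functions. The following is an added example, not part of the training's lab material: it builds a nonce-based policy, emits either the enforcing or the report-only header, and summarises the JSON violation reports a browser posts to the `report-uri` endpoint so the most common breakages can be triaged. The hostnames, the `/csp-report` path and the sample reports are constructed for the example.

```python
"""Added example (not the training's own code): a strict nonce-based CSP
header, its Report-Only variant for iterative rollout, and a summariser
for the JSON violation reports browsers send to the report-uri endpoint."""
import base64
import json
import secrets
from collections import Counter


def make_nonce() -> str:
    """Fresh, unguessable per-response nonce (128 bits, base64).
    A nonce must never be reused across responses, or an attacker who
    sees one page can forge a script that passes on the next."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def build_policy(nonce: str, report_uri: str = "/csp-report") -> str:
    """Strict policy: only scripts carrying this response's nonce may run.
    'strict-dynamic' lets a nonced script load scripts it creates itself
    (common with loaders); object-src and base-uri are locked down because
    plugins and <base> rewriting are well-known ways around script-src."""
    directives = [
        "default-src 'self'",
        f"script-src 'nonce-{nonce}' 'strict-dynamic'",
        "object-src 'none'",
        "base-uri 'none'",
        f"report-uri {report_uri}",  # assumed endpoint path for this example
    ]
    return "; ".join(directives)


def csp_header(policy: str, enforce: bool) -> dict:
    """Report-Only first: the browser reports violations but blocks nothing,
    so the policy can be tuned against real traffic before it is enforced."""
    name = "Content-Security-Policy" if enforce else "Content-Security-Policy-Report-Only"
    return {name: policy}


def summarize_reports(report_lines) -> Counter:
    """Count violations by (directive, blocked source) so that the most
    frequent breakages surface first. Each line is one JSON report body."""
    counts = Counter()
    for line in report_lines:
        body = json.loads(line).get("csp-report", {})
        # effective-directive is the normalised name; fall back to the older field
        directive = body.get("effective-directive") or body.get("violated-directive", "?")
        counts[(directive.split()[0], body.get("blocked-uri", "?"))] += 1
    return counts


def triage(counts: Counter) -> dict:
    """Map each violation class to the change it usually needs when
    adapting a legacy application to a strict policy."""
    advice = {}
    for (directive, blocked), _n in counts.items():
        if blocked == "inline":
            hint = "move inline script/handler to a file or attach the nonce"
        elif blocked == "eval":
            hint = "replace eval/new Function with non-eval code"
        else:
            hint = "known dependency? give it the nonce; unknown origin? treat as possible injection"
        advice[(directive, blocked)] = hint
    return advice


# Constructed sample reports, in the shape browsers post to report-uri.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {"document-uri": "https://legacy.example/orders",
                               "violated-directive": "script-src 'self'",
                               "effective-directive": "script-src",
                               "blocked-uri": "inline"}}),
    json.dumps({"csp-report": {"document-uri": "https://legacy.example/orders",
                               "violated-directive": "script-src 'self'",
                               "effective-directive": "script-src",
                               "blocked-uri": "inline"}}),
    json.dumps({"csp-report": {"document-uri": "https://legacy.example/search",
                               "violated-directive": "script-src",
                               "effective-directive": "script-src",
                               "blocked-uri": "https://cdn.example/jquery.js"}}),
]

if __name__ == "__main__":
    nonce = make_nonce()
    policy = build_policy(nonce)
    print(csp_header(policy, enforce=False))  # start in report-only mode
    for key, hint in triage(summarize_reports(SAMPLE_REPORTS)).items():
        print(key, "->", hint)
```

The same nonce value has to be written into every legitimate `<script nonce="...">` tag of that response; the policy string alone does nothing for scripts that do not carry it, which is exactly what stops an injected `<script>` from running.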


Martin Johns

Research Expert, SAP SE
Dr. Martin Johns is a Research Expert in the Product Security Research unit within SAP SE, where he leads the Web application security team. Furthermore, he serves on the board of the German OWASP chapter. Before joining SAP, Martin studied Mathematics and Computer Science at the...

Thursday September 24, 2015 1:00pm - 1:55pm PDT
Room E