AppSecUSA 2015 - Buy ticket at http://2015.appsecusa.org/buy/
Thursday, September 24 • 1:00pm - 1:55pm
Protecting your Web Application with Content Security Policy (CSP)


Lab material available for download here: 
https://drive.google.com/folderview?id=0BxSfMVkfLvslZUw1RDhXX0UwVVU&usp=sharing
Please download before arriving at the conference!

The basic problem of XSS has been known at least since the year 2000.
Nonetheless, XSS is as widespread as ever, even though an astonishing amount of thought, attention and education has been devoted to the topic. Apparently, the convoluted mess of server-side scripting, transport-level rewriting and heterogeneous client-side processing (commonly known as "the Web") is too complex to allow a robust SDL-based solution to succeed.

Content Security Policy (CSP) is a highly promising, new way to address this old problem. The currently established approach to countering XSS tries to identify untrusted data and to prevent that data from influencing the semantics of the application's JavaScript. CSP breaks away from this practice: instead of spotting bad scripts, CSP allows the server to tell the Web browser precisely which scripts are actually allowed to run, thus enabling the browser to robustly stop all injection attempts. This way, by means of a simple policy, the vast majority of XSS vulnerabilities can be efficiently

In this lightning training, the fundamental mechanisms of CSP are covered:

* Protection capabilities and surface of CSP
* How to design strong CSP policies
* How to build CSP compliant web applications
* Using CSP's reporting functionality

To do so, the students work with an insecure legacy Web application (provided as a VirtualBox image). After practically identifying several XSS problems, the students first deploy a strong CSP policy to prevent exploitation. Subsequently, the students use CSP's reporting mode to iteratively adapt the policy (and parts of the application code) to match the application's functionality requirements. Finally, after deploying the policy, the students verify for themselves that the previously found vulnerabilities are indeed mitigated.
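As an added illustration of the deploy-then-iterate loop described above (example code, not part of the training's lab material): a helper that emits a strict nonce-based policy in either enforcing or report-only mode, plus a small aggregator for the JSON violation reports the browser posts back, so that a developer can see which inline scripts or hosts the policy still blocks. The sample reports, the `legacy.example` host and the `/csp-report` path are constructed for this example.

```python
import json
import secrets
from collections import Counter

# Constructed sample of the JSON bodies a browser POSTs to the report-uri
# after a violation (shape as in the CSP Level 2 report format).
SAMPLE_REPORTS = [
    '{"csp-report": {"document-uri": "http://legacy.example/index.php",'
    ' "violated-directive": "script-src \'nonce-abc\'",'
    ' "effective-directive": "script-src", "blocked-uri": "inline"}}',
    '{"csp-report": {"document-uri": "http://legacy.example/search.php",'
    ' "violated-directive": "script-src \'nonce-abc\'",'
    ' "effective-directive": "script-src", "blocked-uri": "inline"}}',
    '{"csp-report": {"document-uri": "http://legacy.example/index.php",'
    ' "violated-directive": "script-src \'nonce-abc\'",'
    ' "effective-directive": "script-src",'
    ' "blocked-uri": "https://cdn.example.net/jquery.js"}}',
]


def new_nonce():
    """Fresh, unguessable per-response nonce (never reuse across responses)."""
    return secrets.token_urlsafe(16)


def build_csp(nonce, report_only=False, report_uri="/csp-report"):
    """Return (header name, header value) for a strict nonce-based policy.

    Only <script> tags carrying this nonce run; injected markup cannot know it.
    report_only=True switches to the non-enforcing header used while tuning.
    """
    policy = (
        "default-src 'self'; "
        f"script-src 'nonce-{nonce}'; "
        "object-src 'none'; base-uri 'none'; "
        f"report-uri {report_uri}"
    )
    name = "Content-Security-Policy-Report-Only" if report_only \
        else "Content-Security-Policy"
    return name, policy


def summarize_reports(raw_reports):
    """Count violations by (effective directive, blocked URI).

    'inline' entries point at application code that must be moved into
    nonce-bearing scripts; external URIs are hosts the policy may need to allow.
    """
    counts = Counter()
    for raw in raw_reports:
        r = json.loads(raw)["csp-report"]
        directive = r.get("effective-directive") \
            or r["violated-directive"].split()[0]
        counts[(directive, r["blocked-uri"])] += 1
    return counts
```

Run the app under the report-only header first, feed the collected bodies to `summarize_reports`, fix the application code for every `inline` hit, and only then switch `report_only` off.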

Speakers
Martin Johns

Research Expert, SAP SE
Dr. Martin Johns is a Research Expert in the Product Security Research unit within SAP SE, where he leads the Web application security team. Furthermore, he serves on the board of the German OWASP chapter. Before joining SAP, Martin studied Mathematics and Computer Science at the Universities of Hamburg, Santa Cruz (CA), and Passau. During the 1990s and the early years of the new millennium he earned his living as a software engineer in...

Thursday September 24, 2015 1:00pm - 1:55pm
Room E