CSP : script-nonce. Bo Feng, Kun Yu, Yuchun Cui. Content Security Policy.
Content Security Policy • W3C specification that lets a server instruct the client browser from which locations and/or of which types resources are allowed to be loaded. Loading behaviour is expressed with "directives": each directive defines the loading rule for one target resource type. https://www.owasp.org/index.php/Content_Security_Policy
Set rules in the HTTP response header • Content-Security-Policy : defined by the W3C as the standard header • X-Content-Security-Policy : Firefox & IE (legacy vendor-prefixed header) • X-WebKit-CSP : Chrome (legacy vendor-prefixed header)
script-nonce • The script-nonce directive is intended to allow developers to specify exactly which script elements on a page were intentionally included for execution: the server sends a fresh, unguessable nonce in the header, and only <script> elements carrying that same nonce are executed. • HTTP response header: • Content-Security-Policy: script-nonce random-value ; • Script tag's nonce attribute in the HTTP response body: • <script nonce="random-value"> alert("I execute!"); </script> • <script> alert("I don't execute. Boo!"); </script> • Note: script-nonce was a directive of the CSP 1.1 draft; in CSP Level 2 and later the same mechanism is written as a script-src source, e.g. Content-Security-Policy: script-src 'nonce-random-value'. Either way the nonce must be regenerated for every response: a fixed or predictable value gives an attacker who can inject markup the same power as having no policy at all.
Task • Add proper Content-Security-Policy header in HTTP response header • Add nonce attribute in each valid <script> HTML tag
Apache Module • Output filters • Header filter • Body content filter • Filters modify content, then send the modified content to the next filter in the filter chain (chain: filter → our filter → other filters)
Header filter • Add CSP header keys for different browsers: • Content-Security-Policy : script-nonce rand-val • X-Content-Security-Policy : script-nonce rand-val • X-WebKit-CSP : script-nonce rand-val
Body content filter • Find each <script> tag carrying the agreed placeholder nonce value and replace that value with the random string generated for this response (the same one the header filter put in the header) • E.g. • Before replacing: • <script nonce='asdf'> … • <script> … • After replacing it with the random value: • <script nonce='random-value'> … • <script> … // this script will not execute because it lacks a valid nonce value • Caveat: the filter rewrites any <script> tag that contains the placeholder, so the placeholder must never be reachable from untrusted content (user input must be output-encoded so it cannot produce a literal <script nonce='asdf'>), and a new nonce must be generated for every response.
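The header filter and body filter described above, as an added worked example written for this page rather than code from the authors' module. It models the two filters as plain C functions over an in-memory buffer (no Apache APR types), so it can be compiled and run on its own; the placeholder attribute nonce='asdf', the constructed sample HTML and the fixed nonce value are assumptions made here for a reproducible run, whereas a real module generates the nonce per response.

```c
#include <stdio.h>
#include <string.h>

/* Placeholder attribute the body filter looks for; the slide uses the value 'asdf'.
   Any value works as long as it can never appear in untrusted page content. */
#define PLACEHOLDER "nonce='asdf'"

/* Constructed sample response body (not from the original page): one script the
   developer marked with the placeholder, one that was not marked. */
static const char SAMPLE_HTML[] =
    "<html><body>\n"
    "<script nonce='asdf'>alert('I execute!');</script>\n"
    "<script>alert(\"I don't execute. Boo!\");</script>\n"
    "</body></html>\n";

/* Header filter: emit the three header lines from the "Header filter" slide.
   Returns the number of bytes written, or -1 if buf is too small. */
int build_csp_headers(const char *nonce, char *buf, size_t buflen)
{
    int n = snprintf(buf, buflen,
                     "Content-Security-Policy: script-nonce %s\r\n"
                     "X-Content-Security-Policy: script-nonce %s\r\n"
                     "X-WebKit-CSP: script-nonce %s\r\n",
                     nonce, nonce, nonce);
    if (n < 0 || (size_t)n >= buflen)
        return -1;
    return n;
}

/* Body filter: copy in to out, rewriting PLACEHOLDER to nonce="<nonce>" but only
   while inside a <script ...> start tag. Tags without the placeholder are copied
   unchanged and therefore stay blocked by the policy. Returns the number of
   rewritten tags, or -1 if out is too small (never writes past outlen). */
int rewrite_script_nonces(const char *in, const char *nonce, char *out, size_t outlen)
{
    const size_t plen = strlen(PLACEHOLDER);
    const char *p = in;
    size_t o = 0;
    int in_script_tag = 0, replaced = 0;

    while (*p) {
        if (!in_script_tag && strncmp(p, "<script", 7) == 0)
            in_script_tag = 1;
        if (in_script_tag && strncmp(p, PLACEHOLDER, plen) == 0) {
            int n = snprintf(out + o, outlen - o, "nonce=\"%s\"", nonce);
            if (n < 0 || (size_t)n >= outlen - o)
                return -1;
            o += (size_t)n;
            p += plen;
            replaced++;
            continue;
        }
        if (in_script_tag && *p == '>')
            in_script_tag = 0;
        if (o + 1 >= outlen)
            return -1;
        out[o++] = *p++;
    }
    out[o] = '\0';
    return replaced;
}

int main(void)
{
    /* A real module generates this per response; fixed here so the run is reproducible. */
    const char *nonce = "c38f222be2f2f705b386ed6118a59354";
    char headers[256], body[512];

    if (build_csp_headers(nonce, headers, sizeof headers) < 0 ||
        rewrite_script_nonces(SAMPLE_HTML, nonce, body, sizeof body) < 0)
        return 1;
    fputs(headers, stdout);
    fputs("\r\n", stdout);
    fputs(body, stdout);
    return 0;
}
```

Running it prints the three CSP headers followed by the rewritten body, in which only the first <script> tag now carries nonce="c38f…9354"; the second tag is unchanged and will be refused by a browser enforcing the header. The scan is deliberately limited to the inside of a <script …> start tag so that a placeholder-looking string elsewhere in the page is not touched.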
Random string generator • PRG function: read 16 random bytes from the kernel's random device
  #include <fcntl.h>
  #include <unistd.h>

  /* Fill ptr with 16 random bytes; returns 0 on success, -1 on error. The slide opens
     /dev/random, which can block when the entropy pool is low; /dev/urandom is the
     non-blocking choice for a server process and is equally suitable for nonces. */
  static int get_random_bytes(unsigned char ptr[16])
  {
      int fd = open("/dev/urandom", O_RDONLY);
      if (fd < 0)
          return -1;
      size_t got = 0;
      while (got < 16) {                     /* read() may return fewer bytes than asked for */
          ssize_t n = read(fd, ptr + got, 16 - got);
          if (n <= 0) { close(fd); return -1; }
          got += (size_t)n;
      }
      close(fd);
      return 0;
  }
Random string generator – contd. • PRG function: convert the 16 bytes to a 32-character hex string
  #include <stdio.h>

  /* randstr needs 33 bytes: 32 hex digits plus the terminating NUL that sprintf writes
     (the slide's char randstr[32] overflows by one byte on the last iteration). */
  static void to_hex(const unsigned char ptr[16], char randstr[33])
  {
      for (int i = 0; i < 16; i++)
          sprintf(randstr + i * 2, "%02x", ptr[i]);
  }
Random string generator – contd. • E.g. c38f222be2f2f705b386ed6118a59354 • Random value space: 16^32 = 2^128 (32 hex digits encode the 128 random bits), so guessing a nonce is infeasible as long as the bytes come from an unpredictable source and a new nonce is issued per response