
CSP : script-nonce

CSP : script-nonce. Bo Feng, Kun Yu, Yuchun Cui. Content Security Policy.


Presentation Transcript


  1. CSP : script-nonce Bo Feng, Kun Yu, Yuchun Cui

  2. Content Security Policy • W3C specification offering the possibility to instruct the client browser from which location and/or which type of resources are allowed to be loaded. To define a loading behavior, the CSP specification uses "directives", where a directive defines a loading behavior for a target resource type. https://www.owasp.org/index.php/Content_Security_Policy

  3. Set rules in HTTP Response Header • Content-Security-Policy : Defined by W3C as standard header • X-Content-Security-Policy : Firefox & IE • X-WebKit-CSP : Chrome

  4. script-nonce • The script-nonce directive is intended to allow developers to strictly specify exactly which script elements on a page were intentionally included for execution. • HTTP Response Header: • Content-Security-Policy: script-nonce random-value ; • Script tag's nonce attribute in HTTP Response Content • <script nonce="random-value"> alert("I execute!"); </script> • <script> alert("I don't execute. Boo!"); </script>

  5. Task • Add proper Content-Security-Policy header in HTTP response header • Add nonce attribute in each valid <script> HTML tag

  6. Apache Module • Output filters • Header filter • Body content filter • Filters modify content, then send modified content to the next filter in the filter chain [Diagram: filter chain: filter → Our filter → Other filters]

  7. Header filter • Add CSP header keys for different browsers: • Content-Security-Policy : script-nonce rand-val • X-Content-Security-Policy : script-nonce rand-val • X-WebKit-CSP : script-nonce rand-val

  8. Body content filter • Find <script> tags with some specified nonce value, replace it with the new rand-val string • E.g. • Before replacing it: • <script nonce='asdf'> … • <script> … • After replacing it with the random value (the same one used in the header filter): • <script nonce='random-value'> … • <script> … // this script will not execute because it lacks a valid nonce value

  9. Random string generator • PRG function : get random 16 bytes • … • unsigned char ptr[16]; • int fd = open("/dev/random", O_RDONLY); • read(fd, ptr, 16); // the return values of open() and read() should be checked: read() may return fewer than 16 bytes • close(fd); • …

  10. Random string generator – contd. • PRG function : convert 16 bytes to 32 Hex string : • … • char randstr[33]; // 32 hex characters plus the terminating NUL that sprintf writes • for (i = 0; i < 16; i++) { • sprintf(randstr + i*2, "%02x", *(ptr+i)); • } • …

  11. Random string generator – contd. • E.g. c38f222be2f2f705b386ed6118a59354 • Random value space: 16^32 = 2^128
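As an added example (not the authors' Apache module), the two pieces the body filter and random string generator slides describe, written as stand-alone C: a nonce generator that reads 16 bytes from a device path passed by the caller (the slides use /dev/random) and loops on short reads, and a rewrite function that swaps the value of every nonce attribute inside a `<script>` start tag for the fresh nonce while leaving tags without a nonce untouched. The function names and the buffer-size convention are assumptions of this example.

```c
/* Added example, not the authors' module: nonce generation plus <script nonce=...> rewriting. */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>

/* Read 16 bytes from dev and write them as a 32-char hex string into out (33 bytes).
 * Loops on short reads, which a single read() call does not. Returns 0 on success, -1 on failure. */
int gen_nonce(const char *dev, char out[33]) {
    unsigned char raw[16];
    size_t got = 0;
    int fd = open(dev, O_RDONLY);
    if (fd < 0) return -1;
    while (got < sizeof raw) {
        ssize_t r = read(fd, raw + got, sizeof raw - got);
        if (r <= 0) { close(fd); return -1; }
        got += (size_t)r;
    }
    close(fd);
    for (size_t i = 0; i < sizeof raw; i++)
        sprintf(out + i * 2, "%02x", raw[i]);   /* 16 bytes -> 32 hex chars, NUL at out[32] */
    return 0;
}

/* Body filter step: copy html into out, replacing the value of a nonce="..." or nonce='...'
 * attribute inside every <script ...> start tag with nonce. Tags without a nonce attribute are
 * copied unchanged, so the browser still refuses to run them. Returns bytes written, -1 if out is too small. */
int rewrite_script_nonce(const char *html, const char *nonce, char *out, size_t outsz) {
    size_t o = 0, nl = strlen(nonce);
    int in_tag = 0;                        /* inside a <script ...> start tag */
    for (const char *p = html; *p; ) {
        if (!in_tag && strncasecmp(p, "<script", 7) == 0) in_tag = 1;
        if (in_tag && strncasecmp(p, "nonce=", 6) == 0 && (p[6] == '"' || p[6] == '\'')) {
            char q = p[6];
            if (o + 7 + nl + 1 >= outsz) return -1;
            memcpy(out + o, p, 7); o += 7;          /* copy  nonce=<quote> */
            memcpy(out + o, nonce, nl); o += nl;    /* write the new value */
            out[o++] = q;
            for (p += 7; *p && *p != q; p++) ;      /* drop the old value */
            if (*p == q) p++;
            continue;
        }
        if (*p == '>') in_tag = 0;
        if (o + 1 >= outsz) return -1;
        out[o++] = *p++;
    }
    out[o] = '\0';
    return (int)o;
}
```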

  12. Header filter output sample

  13. Body content filter output sample

  14. Experiments (script-src)

  15. Experiments (script-nonce)

  16. Experiments (script-src, script-nonce)
