Sla.ckers.org
CSP
Posted by: Gareth Heyes
Date: June 23, 2009 01:46PM

What do you guys think?

https://wiki.mozilla.org/Security/CSP/Spec
http://blog.mozilla.com/security/2009/06/19/shutting-down-xss-with-content-security-policy/

Here are mine:-
http://www.thespanner.co.uk/2009/06/23/csp-mozilla-content-security-policy/

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: CSP
Posted by: thrill
Date: June 23, 2009 03:47PM

In my limited knowledge of what you guys do, I think it's a step in the right direction given that the majority of people understand this little part of it:

Quote

CSP is not intended to be a main line of defense, but rather one of the many layers of security that can be employed to help secure a web site.

But having been around computer security long enough, I'm sure it's going to take a few versions of CSP before the kinks are worked out (read: before guys like you figure out ways of subverting its purpose). :)

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Re: CSP
Posted by: Anonymous User
Date: June 23, 2009 05:40PM

I think CSP will bring up a lot of nice (new) circumvention patterns. I think we will - besides weird wildcard settings - see a rise of chameleon files, tricks with named anchors and E4X stunts.

The trick with the anchor is awesome - not even a new request to the server, the payload is already there :)

I sometimes wonder how many more of those top-level patching approaches we need, layer on layer, until we realize we need to fix things on lower levels, rework the DTDs, make user agents actually use custom ones once in a while and so on. Merging the server-sent headers with the ones in the markup to get the most friendly and developer-intended intersections sounds like its own branch of webapp sec science to come up...

Re: CSP
Posted by: Anonymous User
Date: June 23, 2009 06:10PM

Slight variation of your vector, Gareth - I think this one shows quite directly how feature one breaks feature two.

<html><!-- whatever --><script src="#"></script></html>,alert(1)<!-- whatever --></html>



Edited 1 time(s). Last edit at 06/23/2009 06:21PM by .mario.

Re: CSP
Posted by: PaPPy
Date: June 29, 2009 01:06PM

I think XSS could be fixed if people stopped half-ass coding shit and trying to re-invent the wheel.

Also, this would do away with on-events, if you had to run everything through script tags?

http://www.xssed.com/archive/author=PaPPy/

Re: CSP
Posted by: Gareth Heyes
Date: June 29, 2009 01:41PM

@PaPPy

I think events are still possible, but you have to use event listeners, which makes sense. With the added bonus of promoting unobtrusive scripting.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

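The point Gareth makes above (inline on-event attributes go away under a script-src policy without inline scripting; handlers move into external files via addEventListener) is illustrated by the following added example. It is not code from this thread or from Mozilla's CSP work. It uses the directive names of the later standardised CSP (script-src, default-src, 'unsafe-inline'), not the syntax of the 2009 draft, models neither nonces nor hashes, and scans markup with simple regular expressions rather than a real HTML parser. All markup and the policy strings are constructed for the example.

```javascript
// Added example: a small "CSP readiness" check for a page.
// Given an HTML fragment, findInlineScriptUses() lists the constructs a
// script-src policy without 'unsafe-inline' will refuse to run: inline
// event-handler attributes (onclick=...), <script> blocks without src, and
// javascript: URLs. allowsInlineScript() reads a policy header to decide
// whether that refusal applies. BEFORE/AFTER show the markup rewrite that
// moves behaviour into an external script attached with addEventListener.
// Heuristic regexes only; a real audit would walk a parsed DOM.

// ' onclick="..."', " onmouseover='...'", ' onload=foo()'
const INLINE_HANDLER = /\son[a-z]+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi;
// <script ...> with no src attribute, capturing its body
const INLINE_SCRIPT = /<script\b(?![^>]*\bsrc\s*=)[^>]*>([\s\S]*?)<\/script>/gi;
// href="javascript:..." / src='javascript:...'
const JS_URL = /\b(?:href|src)\s*=\s*["']?\s*javascript:/gi;

function findInlineScriptUses(html) {
  const findings = [];
  for (const m of html.matchAll(INLINE_HANDLER)) {
    findings.push({ kind: 'inline-handler', snippet: m[0].trim() });
  }
  for (const m of html.matchAll(INLINE_SCRIPT)) {
    findings.push({ kind: 'inline-script', snippet: m[1].trim() });
  }
  for (const m of html.matchAll(JS_URL)) {
    findings.push({ kind: 'javascript-url', snippet: m[0].trim() });
  }
  return findings;
}

// Parse a Content-Security-Policy header value into { directive: [sources] }.
function parsePolicy(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources.map((s) => s.toLowerCase());
  }
  return policy;
}

// script-src governs inline script; if it is absent, default-src applies;
// if neither is present the policy places no restriction on script at all.
// (Nonce and hash sources are deliberately not modelled here.)
function allowsInlineScript(header) {
  const policy = parsePolicy(header);
  const sources = policy['script-src'] || policy['default-src'];
  if (!sources) return true;
  return sources.includes("'unsafe-inline'");
}

// Constructed "before" markup: the on-event style PaPPy asks about.
const BEFORE = `
<a href="javascript:void(0)" onclick="showHelp()">help</a>
<button onmouseover='track(this)'>hover</button>
<script>var started = Date.now();</script>
<script src="/static/app.js"></script>`;

// Constructed "after" markup: no inline script left in the document.
const AFTER = `
<a href="/help" id="help-link">help</a>
<button id="hover-btn">hover</button>
<script src="/static/app.js"></script>`;

// What the external /static/app.js would contain (constructed): the same
// handlers, attached with addEventListener, so the page needs no inline JS.
const APP_JS = `
document.getElementById('help-link').addEventListener('click', function (e) {
  e.preventDefault();
  showHelp();
});
document.getElementById('hover-btn').addEventListener('mouseover', function () {
  track(this);
});`;

// Summarise what a given policy would break on a given page.
function report(html, header) {
  const blocked = !allowsInlineScript(header);
  const findings = findInlineScriptUses(html);
  return { blocked, findings, willBreak: blocked ? findings.length : 0 };
}

const STRICT_POLICY = "default-src 'self'; script-src 'self'";
console.log('before:', JSON.stringify(report(BEFORE, STRICT_POLICY), null, 2));
console.log('after: ', JSON.stringify(report(AFTER, STRICT_POLICY), null, 2));
console.log('app.js:', APP_JS);
```

Run it with node: the "before" page reports four constructs the strict policy refuses (two handler attributes, one inline script block, one javascript: URL), the "after" page reports none, and the listener code that replaces them lives in the external file the policy does allow.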
Re: CSP
Posted by: wireghoul
Date: June 29, 2009 07:54PM

It's fail in shrinkwrap; the web is so badly written that browsers pack quirks modes and auto-correct your HTML, causing a large number of issues, etc.

IMHO we need to take a step back, label mashups as bad practice so people think twice about developing/using them (duh, that will happen). Enforce compliance: if your site uses bad HTML then it will render unreadable, and it sucks to be you.

Every additional add-on of snake oil that tries to isolate an issue embedded in a lower layer only brings half-boiled solutions to the plate while introducing more bugs and corner cases.

Like so many other problems (SMTP spam, anyone?) it might be easier to fix at the protocol layer than in the various browsers' interpretations of how things should look/feel/work(tm).

[www.justanotherhacker.com]
