CC
Uploaded byCysinfo Cyber Security Community
PDF, PPTX693 views

The Art of Executing JavaScript by Akhil Mahendra

This document outlines a presentation on executing JavaScript and preventing cross-site scripting (XSS) attacks. It discusses the types of XSS, including reflected, stored, and DOM-based XSS. It also covers same origin policy, content security policy (CSP) directives and keywords, common CSP mistakes like unsafe-inline, and bypassing CSP. It provides examples of XSS in different contexts like HTML, attributes, scripts, styles, and URLs. Finally, it mentions escaping the expression sandbox in Angular JS and demonstrates XSS and CSP bypass techniques.

Embed presentation

Download as PDF, PPTX
Team bi0s Amrita Center for Cybersecurity, Amritapuri The Art of Executing Javascript
Team bi0s Amrita Center for Cybersecurity, Amritapuri ➢ Akhil Mahendra ➢ Web application security enthusiast ➢ CTFer{@teambi0s} ➢ @Akhil_Mahendra About
Team bi0s Amrita Center for Cybersecurity, Amritapuri ➢ Introduction - XSS ➢ Types of XSS and different context ➢ Same Origin Policy ➢ Content Security Policy ➢ XSS via Angular JS Agenda
Team bi0s Amrita Center for Cybersecurity, Amritapuri Attack with a wrong name ? Introduction
Team bi0s Amrita Center for Cybersecurity, Amritapuri ➢ Still exists after 18 years ! ➢ NO.7 in OWASP top 10 2017 ➢ Most commonly reported security vulnerability Introduction
Team bi0s Amrita Center for Cybersecurity, Amritapuri ➢ Stealing user cookies ➢ Keylogger ➢ Deface website Introduction - Impact
Team bi0s Amrita Center for Cybersecurity, Amritapuri ➢ Reflected XSS ➢ Stored XSS ➢ DOM based XSS Types of XSS
Team bi0s Amrita Center for Cybersecurity, Amritapuri ➢ HTML ➢ Attribute ➢ Script ➢ Style ➢ Url Different Context
Team bi0s Amrita Center for Cybersecurity, Amritapuri ➢ User input comes inside HTML elements ○ <p>Injection</p> ➢ POC ○ <script>alert(1)</script> Different Context -html context
Team bi0s Amrita Center for Cybersecurity, Amritapuri ➢ User input comes inside HTML attributes ○ <p class = ” Injection ”> </p> ○ <p Injection = ” test123 ”> </p> ➢ POC ○ " onmouseover="alert(1)"> ○ onmouseover="alert(1)" class Different Context -attribute context
Team bi0s Amrita Center for Cybersecurity, Amritapuri ➢ User input comes inside <script> tags ○ <script> var a = ‘ Injection ‘; </script> ➢ POC ○ ‘;alert(1);// Different Context -script context
Team bi0s Amrita Center for Cybersecurity, Amritapuri ➢ User input comes inside <script> tags ○ <p style “ color: injection ” > </p> ➢ POC ○ expression(alert(1)); Different Context -style context
Team bi0s Amrita Center for Cybersecurity, Amritapuri ➢ User input comes inside <script> tags ○ <a href = ” injection ” > click </a> ➢ POC ○ javascript:alert(1) Different Context -url context
Team bi0s Amrita Center for Cybersecurity, Amritapuri ➢ Scripts on a page can make HTTP request and process responses between hosts that has the same: Protocol, Hostname, Port ➢ An IFRAME loaded cannot read or write data into the page unless it’s in the same origin ! SOP
Team bi0s Amrita Center for Cybersecurity, Amritapuri ➢ Still exists after 18 years ! ➢ NO.7 in OWASP top 10 2017 ➢ Most commonly reported security vulnerability SOP
Team bi0s Amrita Center for Cybersecurity, Amritapuri ➢ Introduced as a mechanism to mitigate code injection ➢ Directives defines: ○ From where and what content are allowed to load ○ In which context the content is allowed to execute ➢ It’s a mitigation not first line of defense! CSP
Team bi0s Amrita Center for Cybersecurity, Amritapuri ➢ Directives: ○ default-src ○ script-src ○ object-src ○ style-src ○ image-src ○ frame-src CSP - Directives
Team bi0s Amrita Center for Cybersecurity, Amritapuri ➢ Keywords: ○ ‘*’ ○ 'none' ○ 'self' ○ 'unsafe-inline' ○ 'unsafe-eval' CSP - Keywords
Team bi0s Amrita Center for Cybersecurity, Amritapuri ➢ HTTP Headers ○ <?php header('Content-Security-Policy: default-src https://cdn.example.net; object-src 'none'"’);?> ➢ Meta tag in HTML ○ <meta http-equiv="Content-Security-Policy" content="default-src https://cdn.example.net; object-src 'none'"> CSP
Team bi0s Amrita Center for Cybersecurity, Amritapuri ➢ unsafe-inline, unsafe-eval, data: ○ whole purpose of CSP is defeated ➢ Eg: default-src: ’self’;script-src: ‘unsafe-inline’ ○ Bypass : <script>alert(1)</script> CSP - Common mistakes
Team bi0s Amrita Center for Cybersecurity, Amritapuri CSP - Common mistakes
Team bi0s Amrita Center for Cybersecurity, Amritapuri ➢ Nonces: ○ Nonce must be a random string ○ Should not be reused ○ Should not be guessable CSP - Common mistakes
Team bi0s Amrita Center for Cybersecurity, Amritapuri ➢ Examples of bad nonce ○ Request 1- D29162F1B99108DDA2406C697FFAC27586F42C7D021669F01F720CEEACBB06F5 ○ Request 2- D29162F1B99108DDA2406C697FFAC27586F42C7D021669F01F720CEEACBB06F5 ○ e10adc3949ba59abbe56e057f20f883e - md5(123456) ○ 1231441 CSP - Common mistakes
Team bi0s Amrita Center for Cybersecurity, Amritapuri Demo
Team bi0s Amrita Center for Cybersecurity, Amritapuri CSP Bypass CSP - bypass
Team bi0s Amrita Center for Cybersecurity, Amritapuri Escaping the expression sandbox for XSS XSS via Angular JS
Team bi0s Amrita Center for Cybersecurity, Amritapuri Thanks @Akhil_Mahendra

More Related Content

PDF
The Supporting Role of Antivirus Evasion while Persisting
byCTruncer
 
PDF
Ever Present Persistence - Established Footholds Seen in the Wild
byCTruncer
 
PDF
Understanding & analyzing obfuscated malicious web scripts by Vikram Kharvi
byCysinfo Cyber Security Community
 
PDF
Wordlist Generation and Wifi Cracking
byShakar Bhattarai
 
PDF
Veil-Ordnance
byVeilFramework
 
PDF
Wordpress security
byMehmet Ince
 
PPTX
An introduction to Node.js application development
byshelloidhq
 
PDF
Generamba
byNicolae Ghimbovschi
 
The Supporting Role of Antivirus Evasion while Persisting
byCTruncer
 
Ever Present Persistence - Established Footholds Seen in the Wild
byCTruncer
 
Understanding & analyzing obfuscated malicious web scripts by Vikram Kharvi
byCysinfo Cyber Security Community
 
Wordlist Generation and Wifi Cracking
byShakar Bhattarai
 
Veil-Ordnance
byVeilFramework
 
Wordpress security
byMehmet Ince
 
An introduction to Node.js application development
byshelloidhq
 
Generamba
byNicolae Ghimbovschi
 

What's hot

PDF
Node.js Tutorial for Beginners | Node.js Web Application Tutorial | Node.js T...
byEdureka!
 
PDF
Bringing Down the House - How One Python Script Ruled Over AntiVirus
byCTruncer
 
PDF
What Goes In Must Come Out: Egress-Assess and Data Exfiltration
byCTruncer
 
PDF
Make CSRF Again
byNetsparker
 
PDF
The State of the Veil Framework
byVeilFramework
 
PDF
An EyeWitness View into your Network
byCTruncer
 
PPTX
Same-origin Policy (SOP)
byNetsparker
 
PDF
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
byMario Heiderich
 
PDF
The state of JavaScript Linting - English version
byMichael Kühnel
 
PDF
AntiVirus Evasion Reconstructed - Veil 3.0
byCTruncer
 
PDF
Why Rust? - Matthias Endler - Codemotion Amsterdam 2016
byCodemotion
 
PDF
Understanding Non Blocking I/O with Python
byVaidik Kapoor
 
PDF
Web security at Meteor (Pivotal Labs)
byEmily Stark
 
PPTX
Phu appsec13
bydrewz lin
 
PDF
Security Bootcamp 2013 - Automated malware analysis - Nguyễn Chấn Việt
bySecurity Bootcamp
 
PDF
Web Uygulamalarının Hacklenmesi
byÖmer Çıtak
 
PPTX
Hacking - Breaking Into It
byCTruncer
 
PDF
Построение простого REST сервера на Node.js | Odessa Frontend Code challenge
byOdessaFrontend
 
PDF
Automatic constraints as a team maturity accelerator for startups
byFrançois-Guillaume Ribreau
 
PDF
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
bydrewz lin
 
Node.js Tutorial for Beginners | Node.js Web Application Tutorial | Node.js T...
byEdureka!
 
Bringing Down the House - How One Python Script Ruled Over AntiVirus
byCTruncer
 
What Goes In Must Come Out: Egress-Assess and Data Exfiltration
byCTruncer
 
Make CSRF Again
byNetsparker
 
The State of the Veil Framework
byVeilFramework
 
An EyeWitness View into your Network
byCTruncer
 
Same-origin Policy (SOP)
byNetsparker
 
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
byMario Heiderich
 
The state of JavaScript Linting - English version
byMichael Kühnel
 
AntiVirus Evasion Reconstructed - Veil 3.0
byCTruncer
 
Why Rust? - Matthias Endler - Codemotion Amsterdam 2016
byCodemotion
 
Understanding Non Blocking I/O with Python
byVaidik Kapoor
 
Web security at Meteor (Pivotal Labs)
byEmily Stark
 
Phu appsec13
bydrewz lin
 
Security Bootcamp 2013 - Automated malware analysis - Nguyễn Chấn Việt
bySecurity Bootcamp
 
Web Uygulamalarının Hacklenmesi
byÖmer Çıtak
 
Hacking - Breaking Into It
byCTruncer
 
Построение простого REST сервера на Node.js | Odessa Frontend Code challenge
byOdessaFrontend
 
Automatic constraints as a team maturity accelerator for startups
byFrançois-Guillaume Ribreau
 
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
bydrewz lin
 

Similar to The Art of Executing JavaScript by Akhil Mahendra

PPTX
Lec4-WebClientSideExploitation.pptxdslkjhgfkjdshgfkjfhdkjg
byarfaouisalim
 
PPT
XSS Primer - Noob to Pro in 1 hour
bysnoopythesecuritydog
 
KEY
Cross Site Scripting - Mozilla Security Learning Center
byMichael Coates
 
ODP
XSS
byHrishikesh Mishra
 
PDF
Chapter 13 web security
bynewbie2019
 
PDF
Securing your AngularJS Application
byPhilippe De Ryck
 
PDF
Penetration testing web application web application (in) security
byNahidul Kibria
 
PDF
Web Development Security
byRafael Monteiro
 
PPT
Web Apps Security
byVictor Bucutea
 
PDF
Web Application Security
byYnon Perek
 
PPTX
Devouring Security Insufficient data validation risks Cross Site Scripting
bygmaran23
 
DOCX
Pantallas escaneo Sitio Web
byandres1422
 
PDF
DefCamp 2013 - Http header analysis
byDefCamp
 
PDF
Let's talk Security
byDheeraj Joshi
 
PDF
Neoito — Secure coding practices
byNeoito
 
KEY
Application Security for RIAs
byjohnwilander
 
PPTX
Dmk sb2010 web_defense
byDan Kaminsky
 
KEY
Application Security for Rich Internet Applicationss (Jfokus 2012)
byjohnwilander
 
PPT
Same Origin Policy Weaknesses
bykuza55
 
PDF
Making Web Development "Secure By Default"
byDuo Security
 
Lec4-WebClientSideExploitation.pptxdslkjhgfkjdshgfkjfhdkjg
byarfaouisalim
 
XSS Primer - Noob to Pro in 1 hour
bysnoopythesecuritydog
 
Cross Site Scripting - Mozilla Security Learning Center
byMichael Coates
 
XSS
byHrishikesh Mishra
 
Chapter 13 web security
bynewbie2019
 
Securing your AngularJS Application
byPhilippe De Ryck
 
Penetration testing web application web application (in) security
byNahidul Kibria
 
Web Development Security
byRafael Monteiro
 
Web Apps Security
byVictor Bucutea
 
Web Application Security
byYnon Perek
 
Devouring Security Insufficient data validation risks Cross Site Scripting
bygmaran23
 
Pantallas escaneo Sitio Web
byandres1422
 
DefCamp 2013 - Http header analysis
byDefCamp
 
Let's talk Security
byDheeraj Joshi
 
Neoito — Secure coding practices
byNeoito
 
Application Security for RIAs
byjohnwilander
 
Dmk sb2010 web_defense
byDan Kaminsky
 
Application Security for Rich Internet Applicationss (Jfokus 2012)
byjohnwilander
 
Same Origin Policy Weaknesses
bykuza55
 
Making Web Development "Secure By Default"
byDuo Security
 

More from Cysinfo Cyber Security Community

PPTX
Emerging Trends in Cybersecurity by Amar Prusty
byCysinfo Cyber Security Community
 
PPTX
Detecting Bad Apples: Understanding macOS Malware TTPs by Surya Teja
byCysinfo Cyber Security Community
 
PPTX
Attacking and Defending AI by Adity Roy and Nikita Biradar
byCysinfo Cyber Security Community
 
PPTX
S2 e (selective symbolic execution) -shivkrishna a
byCysinfo Cyber Security Community
 
PPTX
Bit flipping attack on aes cbc - ashutosh ahelleya
byCysinfo Cyber Security Community
 
PDF
The Ultimate Serial Port Detective – Baudowl
byCysinfo Cyber Security Community
 
PPTX
Analysis of android apk using adhrit by Abhishek J.M
byCysinfo Cyber Security Community
 
PDF
Getting started with cybersecurity through CTFs by Shruti Dixit & Geethna TK
byCysinfo Cyber Security Community
 
PPTX
DeViL - Detect Virtual Machine in Linux by Sreelakshmi
byCysinfo Cyber Security Community
 
PDF
Unicorn: The Ultimate CPU Emulator by Akshay Ajayan
byCysinfo Cyber Security Community
 
PDF
A look into the sanitizer family (ASAN & UBSAN) by Akul Pillai
byCysinfo Cyber Security Community
 
PPTX
Dynamic binary analysis using angr siddharth muralee
byCysinfo Cyber Security Community
 
PDF
Security Analytics using ELK stack
byCysinfo Cyber Security Community
 
PDF
Understanding Malware Persistence Techniques by Monnappa K A
byCysinfo Cyber Security Community
 
PDF
Threat Hunting with Garuda: From Manual Analysis to AI-Driven Hunting By Monn...
byCysinfo Cyber Security Community
 
PDF
Linux Malware Analysis
byCysinfo Cyber Security Community
 
PPTX
Security challenges in d2d communication by ajithkumar vyasarao
byCysinfo Cyber Security Community
 
PDF
Closer look at PHP Unserialization by Ashwin Shenoi
byCysinfo Cyber Security Community
 
PDF
Reversing and Decrypting Malware Communications by Monnappa
byCysinfo Cyber Security Community
 
PDF
Understanding evasive hollow process injection techniques monnappa k a
byCysinfo Cyber Security Community
 
Emerging Trends in Cybersecurity by Amar Prusty
byCysinfo Cyber Security Community
 
Detecting Bad Apples: Understanding macOS Malware TTPs by Surya Teja
byCysinfo Cyber Security Community
 
Attacking and Defending AI by Adity Roy and Nikita Biradar
byCysinfo Cyber Security Community
 
S2 e (selective symbolic execution) -shivkrishna a
byCysinfo Cyber Security Community
 
Bit flipping attack on aes cbc - ashutosh ahelleya
byCysinfo Cyber Security Community
 
The Ultimate Serial Port Detective – Baudowl
byCysinfo Cyber Security Community
 
Analysis of android apk using adhrit by Abhishek J.M
byCysinfo Cyber Security Community
 
Getting started with cybersecurity through CTFs by Shruti Dixit & Geethna TK
byCysinfo Cyber Security Community
 
DeViL - Detect Virtual Machine in Linux by Sreelakshmi
byCysinfo Cyber Security Community
 
Unicorn: The Ultimate CPU Emulator by Akshay Ajayan
byCysinfo Cyber Security Community
 
A look into the sanitizer family (ASAN & UBSAN) by Akul Pillai
byCysinfo Cyber Security Community
 
Dynamic binary analysis using angr siddharth muralee
byCysinfo Cyber Security Community
 
Security Analytics using ELK stack
byCysinfo Cyber Security Community
 
Understanding Malware Persistence Techniques by Monnappa K A
byCysinfo Cyber Security Community
 
Threat Hunting with Garuda: From Manual Analysis to AI-Driven Hunting By Monn...
byCysinfo Cyber Security Community
 
Linux Malware Analysis
byCysinfo Cyber Security Community
 
Security challenges in d2d communication by ajithkumar vyasarao
byCysinfo Cyber Security Community
 
Closer look at PHP Unserialization by Ashwin Shenoi
byCysinfo Cyber Security Community
 
Reversing and Decrypting Malware Communications by Monnappa
byCysinfo Cyber Security Community
 
Understanding evasive hollow process injection techniques monnappa k a
byCysinfo Cyber Security Community
 

Recently uploaded

PDF
AI/ML Infra Meetup | SkyPilot: Open-source System to Scale AI across Clusters...
byAlluxio, Inc.
 
PDF
SWEBOK: the software engineering body of knowledge (SC25 Workshop Research So...
byHironori Washizaki
 
PDF
AI/ML Infra Meetup | Unlock the Future of Generative AI: TorchTitan's Latest ...
byAlluxio, Inc.
 
PDF
AOX Apps - Mobile App Development Company New York
byAOX APPS
 
PDF
Building Custom Insurance Applications With
byOpenkoda
 
PPTX
Enhance Workplace Safety with EHA Good Catch System
byEHA Soft Solutions
 
PDF
Hyperon Chain – Smart Contract Security Audit Report by EtherAuthority
byEtherAuthority1
 
PDF
Quantum TechDocs - Technology & Compliance.pdf
byietmsoftware1
 
PPTX
Key Benefits of Odoo Customization Services
byCandidRoot Solutions Private Limited
 
PDF
6 Hotel Booking Trends You Can’t Ignore in 2025.pdf
byHotelogix
 
PDF
A new Vision of Software Sustainability and its Engineering: Reflections and ...
byPatricia Lago
 
PDF
virtual CISO service by Reflect Security
byreflectsecsol
 
PDF
vMix Overview & Key Features Easily Produce, Record and Live Stream
byIGM Soraing
 
PPTX
Harnessing BUSY Software for Smart Business Management.pptx
byMoving Cloud
 
PDF
A Complete Guide to Salesforce for Education.pdf
byVALiNTRY360
 
DOCX
Unit 1 - Machine Learning Basics AUCE.docx
byMOSIUOA WESI
 
PPTX
Working of Minimax Algorithm with Alpha-Beta Pruning.pptx
byMuhammadHassanArshad2
 
PDF
DSD-INT 2025 3D Modeling of Shallow Water Dynamics Using Delft3D FM - Martins
byDeltares
 
PDF
AWS Certified Developer - Associate certificate.pdf
byGabriellaSantosRodri
 
PPTX
Short Film Script Development Process HARMONIA
byzdolezalmedia
 
AI/ML Infra Meetup | SkyPilot: Open-source System to Scale AI across Clusters...
byAlluxio, Inc.
 
SWEBOK: the software engineering body of knowledge (SC25 Workshop Research So...
byHironori Washizaki
 
AI/ML Infra Meetup | Unlock the Future of Generative AI: TorchTitan's Latest ...
byAlluxio, Inc.
 
AOX Apps - Mobile App Development Company New York
byAOX APPS
 
Building Custom Insurance Applications With
byOpenkoda
 
Enhance Workplace Safety with EHA Good Catch System
byEHA Soft Solutions
 
Hyperon Chain – Smart Contract Security Audit Report by EtherAuthority
byEtherAuthority1
 
Quantum TechDocs - Technology & Compliance.pdf
byietmsoftware1
 
Key Benefits of Odoo Customization Services
byCandidRoot Solutions Private Limited
 
6 Hotel Booking Trends You Can’t Ignore in 2025.pdf
byHotelogix
 
A new Vision of Software Sustainability and its Engineering: Reflections and ...
byPatricia Lago
 
virtual CISO service by Reflect Security
byreflectsecsol
 
vMix Overview & Key Features Easily Produce, Record and Live Stream
byIGM Soraing
 
Harnessing BUSY Software for Smart Business Management.pptx
byMoving Cloud
 
A Complete Guide to Salesforce for Education.pdf
byVALiNTRY360
 
Unit 1 - Machine Learning Basics AUCE.docx
byMOSIUOA WESI
 
Working of Minimax Algorithm with Alpha-Beta Pruning.pptx
byMuhammadHassanArshad2
 
DSD-INT 2025 3D Modeling of Shallow Water Dynamics Using Delft3D FM - Martins
byDeltares
 
AWS Certified Developer - Associate certificate.pdf
byGabriellaSantosRodri
 
Short Film Script Development Process HARMONIA
byzdolezalmedia
 

The Art of Executing JavaScript by Akhil Mahendra

  • 1.
    Team bi0s Amrita Centerfor Cybersecurity, Amritapuri The Art of Executing Javascript
  • 2.
    Team bi0s Amrita Centerfor Cybersecurity, Amritapuri ➢ Akhil Mahendra ➢ Web application security enthusiast ➢ CTFer{@teambi0s} ➢ @Akhil_Mahendra About
  • 3.
    Team bi0s Amrita Centerfor Cybersecurity, Amritapuri ➢ Introduction - XSS ➢ Types of XSS and different context ➢ Same Origin Policy ➢ Content Security Policy ➢ XSS via Angular JS Agenda
  • 4.
    Team bi0s Amrita Centerfor Cybersecurity, Amritapuri Attack with a wrong name ? Introduction
  • 5.
    Team bi0s Amrita Centerfor Cybersecurity, Amritapuri ➢ Still exists after 18 years ! ➢ NO.7 in OWASP top 10 2017 ➢ Most commonly reported security vulnerability Introduction
  • 6.
    Team bi0s Amrita Centerfor Cybersecurity, Amritapuri ➢ Stealing user cookies ➢ Keylogger ➢ Deface website Introduction - Impact
  • 7.
    Team bi0s Amrita Centerfor Cybersecurity, Amritapuri ➢ Reflected XSS ➢ Stored XSS ➢ DOM based XSS Types of XSS
  • 8.
    Team bi0s Amrita Centerfor Cybersecurity, Amritapuri ➢ HTML ➢ Attribute ➢ Script ➢ Style ➢ Url Different Context
  • 9.
    Team bi0s Amrita Centerfor Cybersecurity, Amritapuri ➢ User input comes inside HTML elements ○ <p>Injection</p> ➢ POC ○ <script>alert(1)</script> Different Context -html context
  • 10.
    Team bi0s Amrita Centerfor Cybersecurity, Amritapuri ➢ User input comes inside HTML attributes ○ <p class = ” Injection ”> </p> ○ <p Injection = ” test123 ”> </p> ➢ POC ○ " onmouseover="alert(1)"> ○ onmouseover="alert(1)" class Different Context -attribute context
  • 11.
    Team bi0s Amrita Centerfor Cybersecurity, Amritapuri ➢ User input comes inside <script> tags ○ <script> var a = ‘ Injection ‘; </script> ➢ POC ○ ‘;alert(1);// Different Context -script context
  • 12.
    Team bi0s Amrita Centerfor Cybersecurity, Amritapuri ➢ User input comes inside <script> tags ○ <p style “ color: injection ” > </p> ➢ POC ○ expression(alert(1)); Different Context -style context
  • 13.
    Team bi0s Amrita Centerfor Cybersecurity, Amritapuri ➢ User input comes inside <script> tags ○ <a href = ” injection ” > click </a> ➢ POC ○ javascript:alert(1) Different Context -url context
  • 14.
    Team bi0s Amrita Centerfor Cybersecurity, Amritapuri ➢ Scripts on a page can make HTTP request and process responses between hosts that has the same: Protocol, Hostname, Port ➢ An IFRAME loaded cannot read or write data into the page unless it’s in the same origin ! SOP
  • 15.
    Team bi0s Amrita Centerfor Cybersecurity, Amritapuri ➢ Still exists after 18 years ! ➢ NO.7 in OWASP top 10 2017 ➢ Most commonly reported security vulnerability SOP
  • 16.
    Team bi0s Amrita Centerfor Cybersecurity, Amritapuri ➢ Introduced as a mechanism to mitigate code injection ➢ Directives defines: ○ From where and what content are allowed to load ○ In which context the content is allowed to execute ➢ It’s a mitigation not first line of defense! CSP
  • 17.
    Team bi0s Amrita Centerfor Cybersecurity, Amritapuri ➢ Directives: ○ default-src ○ script-src ○ object-src ○ style-src ○ image-src ○ frame-src CSP - Directives
  • 18.
    Team bi0s Amrita Centerfor Cybersecurity, Amritapuri ➢ Keywords: ○ ‘*’ ○ 'none' ○ 'self' ○ 'unsafe-inline' ○ 'unsafe-eval' CSP - Keywords
  • 19.
    Team bi0s Amrita Centerfor Cybersecurity, Amritapuri ➢ HTTP Headers ○ <?php header('Content-Security-Policy: default-src https://cdn.example.net; object-src 'none'"’);?> ➢ Meta tag in HTML ○ <meta http-equiv="Content-Security-Policy" content="default-src https://cdn.example.net; object-src 'none'"> CSP
  • 20.
    Team bi0s Amrita Centerfor Cybersecurity, Amritapuri ➢ unsafe-inline, unsafe-eval, data: ○ whole purpose of CSP is defeated ➢ Eg: default-src: ’self’;script-src: ‘unsafe-inline’ ○ Bypass : <script>alert(1)</script> CSP - Common mistakes
  • 21.
    Team bi0s Amrita Centerfor Cybersecurity, Amritapuri CSP - Common mistakes
  • 22.
    Team bi0s Amrita Centerfor Cybersecurity, Amritapuri ➢ Nonces: ○ Nonce must be a random string ○ Should not be reused ○ Should not be guessable CSP - Common mistakes
  • 23.
    Team bi0s Amrita Centerfor Cybersecurity, Amritapuri ➢ Examples of bad nonce ○ Request 1- D29162F1B99108DDA2406C697FFAC27586F42C7D021669F01F720CEEACBB06F5 ○ Request 2- D29162F1B99108DDA2406C697FFAC27586F42C7D021669F01F720CEEACBB06F5 ○ e10adc3949ba59abbe56e057f20f883e - md5(123456) ○ 1231441 CSP - Common mistakes
  • 24.
    Team bi0s Amrita Centerfor Cybersecurity, Amritapuri Demo
  • 25.
    Team bi0s Amrita Centerfor Cybersecurity, Amritapuri CSP Bypass CSP - bypass
  • 26.
    Team bi0s Amrita Centerfor Cybersecurity, Amritapuri Escaping the expression sandbox for XSS XSS via Angular JS
  • 27.
    Team bi0s Amrita Centerfor Cybersecurity, Amritapuri Thanks @Akhil_Mahendra