Loading…
This event has ended. Visit the official site or create your own event on Sched.
One Track
Lots of Flavor
Wednesday, April 17 • 11:05am - 11:50am
Content Security Policy: A successful mess between hardening and mitigation

Sign up or log in to save this to your schedule and see who's attending!

In this talk, we distill our multi-year experience fighting XSS at Google with nonce-based Content Security Policy (CSP), one of the most misunderstood and, arguably, most powerful web mitigation techniques.

We aim to provide a technical in-depth analysis of the effectiveness of different flavors of CSP for the many classes of XSS vulnerabilities, busting myths and common misunderstandings, and explore the often fuzzy boundaries between hardening and mitigation techniques. In a world where there are a dozen major root causes of XSS, each with its own, distinct, preventive measures, we define a threat model in which CSP can provide strong defense-in-depth guarantees and enforce best coding practices, leading to a real hardening effect.
We present advanced CSP kung-fu: setting more than one policy, pinning CSP to an origin with Origin-Policy manifests, and highlight special cases with Service Workers, Web Assembly and web modules.

Finally, we share for the first time data on real-world sensitive applications where exploitation of XSS vulnerabilities has been prevented on modern browsers by CSP.
After attending this talk you will finally understand CSP, knowing its strengths and limits while appreciating its complexity and multifaceted nature.

Speakers
avatar for Michele Spagnuolo

Michele Spagnuolo

Senior Information Security Engineer, Google
Senior Information Security Engineer at Google Switzerland, Michele is a security researcher focused on web application security, and the Rosetta Flash guy. He is also author of BitIodine, a tool for extracting intelligence from the Bitcoin network.
avatar for Lukas Weichselbaum

Lukas Weichselbaum

Staff Information Security Engineer, Google
Lukas Weichselbaum is a Staff Information Security Engineer at Google with 10+ years of industry experience who frequently speaks at international infosec and developer conferences. | | He's passionate about securing Web applications from common Web vulnerabilities and leads the... Read More →



Wednesday April 17, 2019 11:05am - 11:50am
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA

Attendees (28)