OWASP Global AppSec US 2021 has ended
Friday, November 12, 2021 • 1:00pm - 2:00pm PST
Roadblocks for CSP and Where to Find Them


The Web, as a cornerstone of our modern society, is one of the main targets of attacks, most prominently Cross-Site Scripting (XSS). To mitigate those attacks from within the Web application itself, browsers support the Content Security Policy (CSP). By deploying such a policy, a Web developer can specify a list of allowed JavaScript sources and prohibit the execution of inline scripts, making it hard or even impossible for an attacker to execute their malicious payload.
Although CSP may sound like the holy grail of Web Security, it suffers from several issues. Research has shown that the majority of all policies deployed by real-world Web sites are trivially bypassable because they either allow the execution of inline JavaScript or allow all resources of a specific scheme.
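The two bypass patterns described above can be recognized mechanically. The following toy CSP linter is an added example and is not code from the talk or from OWASP: it parses a `Content-Security-Policy` header value, resolves which directive governs scripts (`script-src`, falling back to `default-src`), and flags `'unsafe-inline'` without a nonce or hash as well as scheme-wide sources such as `https:`. The three header values are constructed samples, not policies observed in the study.

```python
from __future__ import annotations

# Sources that, on their own, let anyone load a script from anywhere on the
# named scheme (or from any origin at all for "*").
SCHEME_WIDE = {"*", "http:", "https:", "data:", "blob:", "filesystem:"}
KEYED_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

# Constructed sample header values (not taken from the talk or the study).
WEAK_INLINE = "default-src 'self'; script-src 'self' 'unsafe-inline'"
WEAK_SCHEME = "script-src https:; object-src 'none'"
STRICT = "script-src 'nonce-d2VhcmVzZWN1cmU' 'strict-dynamic'; object-src 'none'; base-uri 'none'"


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header value into {directive: [source expressions]}.

    Directives are separated by ';' and tokens by whitespace; directive names
    are case-insensitive. Browsers ignore a repeated directive, so only the
    first occurrence is kept here as well.
    """
    policy: dict[str, list[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def script_sources(policy: dict[str, list[str]]) -> list[str] | None:
    """script-src governs scripts; without it default-src applies; without
    either, the policy does not restrict script execution at all."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")


def audit_script_src(header: str) -> list[str]:
    """Return human-readable findings for the trivially bypassable patterns."""
    sources = script_sources(parse_csp(header))
    if sources is None:
        return ["no script-src or default-src: script execution is unrestricted"]

    lowered = [s.lower() for s in sources]
    findings: list[str] = []

    # 'unsafe-inline' re-enables inline scripts unless a nonce or hash is also
    # present; browsers that understand nonces and hashes then ignore it.
    if "'unsafe-inline'" in lowered and not any(s.startswith(KEYED_PREFIXES) for s in lowered):
        findings.append("'unsafe-inline' without nonce or hash: inline scripts execute")

    for src in lowered:
        if src == "*":
            findings.append("wildcard source * allows scripts from any origin")
        elif src in SCHEME_WIDE:
            findings.append(f"scheme-wide source {src} allows any script served over that scheme")
    return findings


if __name__ == "__main__":
    for label, header in [("weak-inline", WEAK_INLINE), ("weak-scheme", WEAK_SCHEME), ("strict", STRICT)]:
        print(label, audit_script_src(header) or ["no trivial bypass found"])
```

The `STRICT` sample shows the shape a nonce-based policy takes: a per-response nonce plus `'strict-dynamic'` instead of a host allowlist, with `object-src` and `base-uri` locked down so that plugins and `<base>` injection cannot be used to sidestep `script-src`. The linter only covers the two patterns the abstract names; a real policy review also has to consider JSONP endpoints and other script gadgets on allowlisted hosts.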
Now it would be easy to just point our finger at Web developers and claim that they are just not smart enough to use the mechanism in the intended way. However, CSP is arguably one of the most complex security mechanisms, interacting with ever-changing dynamically created Web applications. This motivated us to explore why it is so hard for developers to deploy a CSP and which factors hinder a secure deployment of the mechanism. Hence, we directly involved real-world Web developers in our recent study and focused on their mindset, experiences, and problems when working with CSP.
With our talk, we want to raise awareness regarding the various roadblocks we found, hindering a secure deployment of CSP. Since these roadblocks touch upon a variety of issues throughout the development and deployment stack - such as framework and browser support, plugins, error reports, information sources, etc. - it is not enough to solely focus on developers’ capabilities. Although the complexity of the mechanism is indeed an issue, other factors such as application and company structure impose constraints on developers that may complicate the development process. We will both discuss how these roadblocks could be removed in the future, and which steps developers can take to circumvent them now. In addition to that, we want to address actionable strategies that assist the development of a secure CSP, all together hopefully making the Web a safer place. Furthermore, we will encourage the audience to share their triumphs and horror stories regarding CSP, setting our findings in the context of their personal experiences.


Lea Gröber

Lea Gröber is a second-year PhD student at the CISPA Helmholtz Center for Information Security, where she is supervised by Katharina Krombholz. She does interdisciplinary research on making security and privacy critical technology and defensive mechanisms more accessible to users...

