Dom,

On Sat, Nov 3, 2012 at 4:44 AM, Dominique RIGHETTO <dominique.righe...@gmail.com> wrote:
> Hi,
>
> About CSP, if we focus on the XSS subject the plugin can try to detect if
> the app. protects itself against remote content loading
> using a policy (detection in the same way as the clickjacking plugin
> currently does).

Agreed,

> As I understand (based on section 4 of the W3C specs[0] and other readings),
> to protect against remote loading of scripts/plugins
> the app. should put CSP HTTP response header(s) in one of these ways:
>
> - Option 1: Use the "default-src" directive and set it to either "self"
>   (load only from source host+port) or explicit allowed sources.
>
> - Option 2: Use the "script-src" and "object-src" directives and set them to
>   either "self" or explicit allowed sources.
>
> The W3C specs section 4 also say:
> "In either case, authors should not include 'unsafe-inline' in their CSP
> policies if they wish to protect themselves against XSS."
>
> The disadvantage is that often (as I have seen in my daily job) an app. includes
> inline script content in script tags; then implementing this check
> will cause many "False Positives", but we can perhaps include an option
> in the plugin to enable it (it will be disabled by default)....
>
> The plugin can also detect the presence of the
> "default-src", "script-src", "object-src" directives with value set to "*"
> because this indicates
> that all sources are allowed and then remote content loading is fully
> open....
>
> What do you think?

I think that we should be able to detect the following vulnerabilities:

* CSP not in use
* CSP in use but poorly configured: "default-src", "script-src", "object-src" directives with value set to "*"
* CSP in "reporting" mode: "report-uri" is found
* CSP enables 'unsafe-inline'
* CSP enables 'unsafe-eval'

I wasn't able to read the whole spec, one question: What's the scope of CSP? If for example the browser accesses http://foo.com/bar.jsp and that resource returns CSP headers (properly configured, etc.) and then follows a link to http://foo.com/ , is the CSP configuration "remembered" or is it URL-scoped? If the scope is URL, then we should have some type of "protection" against reporting N vulns for each URL in the site.

Recommendation: write a separate Python module that parses the CSP header; I have the feeling we'll use it in more places than just the csp.py grep plugin.

Good resource with examples: http://www.html5rocks.com/en/tutorials/security/content-security-policy/

> [0] http://www.w3.org/TR/CSP/#directives
>
> --
> Cordialement, Best regards,
> Dominique Righetto
> dominique.righe...@gmail.com
> dominique.righe...@owasp.org
> Twitter: @righettod
> GPG: 0x323D19BA
> http://righettod.github.com
> "No trees were killed to send this message, but a large number of
> electrons were terribly inconvenienced."
>
> ------------------------------------------------------------------------------
> LogMeIn Central: Instant, anywhere, Remote PC access and management.
> Stay in control, update software, and manage PCs from one command center
> Diagnose problems and improve visibility into emerging IT issues
> Automate, monitor and manage. Do more in less time with Central
> http://p.sf.net/sfu/logmein12331_d2d
> _______________________________________________
> W3af-develop mailing list
> W3af-develop@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/w3af-develop

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
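A Python starting point for the separate CSP-parsing module Andrés recommends, added here as an example and not w3af's own code: it parses the header, flags the five cases in his list (applying `default-src` to scripts when `script-src` is absent, as the spec's fallback rule does, and treating a `Content-Security-Policy-Report-Only` header as reporting mode alongside `report-uri`), and, because CSP is sent per response rather than remembered across pages, reports each distinct policy value once instead of once per URL. `SAMPLE_SITE`, `POLICY` and the finding names are constructed for the example.

```python
# Added example, not code from w3af: parse a CSP header and flag the
# weaknesses listed in the thread. SAMPLE_SITE below is constructed data.
RISKY_DIRECTIVES = ("default-src", "script-src", "object-src")
CSP = "content-security-policy"
CSP_RO = "content-security-policy-report-only"
POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' *; report-uri /r"
SAMPLE_SITE = [("http://foo.com/bar.jsp", {"Content-Security-Policy": POLICY}),
               ("http://foo.com/", {"content-security-policy": POLICY}),
               ("http://foo.com/old", {"Content-Type": "text/html"})]

def parse_csp(header_value):
    """Turn "a b c; d e" into {"a": ["b", "c"], "d": ["e"]}, quotes stripped."""
    policy = {}
    for directive in header_value.split(";"):
        tokens = directive.strip().split()
        if tokens:
            policy[tokens[0].lower()] = [t.strip("'\"").lower() for t in tokens[1:]]
    return policy

def effective(policy, directive):  # script-src/object-src fall back to default-src
    return policy.get(directive, policy.get("default-src", []))

def check_csp(headers):
    """Return sorted finding names for one HTTP response's headers."""
    h = dict((k.lower(), v) for k, v in headers.items())  # names are case-insensitive
    if CSP not in h and CSP_RO not in h:
        return ["csp-not-in-use"]
    findings = set()
    if CSP not in h:
        findings.add("csp-report-only")  # Report-Only header alone enforces nothing
    policy = parse_csp(h.get(CSP, h.get(CSP_RO)))
    if "report-uri" in policy:
        findings.add("csp-report-uri")
    for d in RISKY_DIRECTIVES:
        if "*" in policy.get(d, []):
            findings.add("csp-wildcard-" + d)
    for keyword in ("unsafe-inline", "unsafe-eval"):
        if keyword in effective(policy, "script-src"):
            findings.add("csp-" + keyword)
    return sorted(findings)

def scan_site(responses):  # CSP is per-response: report each distinct policy once
    seen, report = set(), []
    for url, headers in responses:
        h = dict((k.lower(), v) for k, v in headers.items())
        key = (h.get(CSP), h.get(CSP_RO))
        if key not in seen:
            seen.add(key)
            report.append((url, check_csp(headers)))
    return report
```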