Content-Security-Policy
Concept, Strategies, Pitfalls
Oliver Hader
oliver@typo3.org
@ohader
TYPO3 Developer Days 2023
August 4th, 2023
TYPO3 Developer Days 2023 - Content-Security-Policy - oliver.hader@typo3.org 2
~# whoami
Oliver Hader (@ohader)
▪ Research & Development
▪ TYPO3 Security Team Lead
▪ 50% TYPO3 GmbH / 50% Freelancer
▪ #hof #cycling #paramedic #in.die.musik
Agenda
▪ Why?
▪ Concept: Introduction to Content-Security-Policy
▪ Pitfalls: Examples and CSP in Action
▪ Strategies: Content-Security-Policy in TYPO3 v12+
Why?
cause matters
⚠︎ Trigger Warning
▪ please, don't publish security vulnerabilities to public channels
▪ not on GitHub/Forge
▪ not in Slack channels
▪ not on Twitter, ...
▪ report to security@typo3.org
▪ security team supports community
Why?
▪ cross-site scripting & privacy concerns
▪ 2018-2023: 34 XSS vulnerabilities in TYPO3 CMS
▪ script execution / remote control via JavaScript (in the scope & with the permissions of the victim)
▪ trigger download of executable applications
▪ extract users' details (location, IP address, session data, …)
▪ <script> | <img src="~" onerror="…"> | <iframe> | <style> | …
Video: <script>
Video: <link rel="stylesheet">
Concept
Content-Security-Policy
Content-Security-Policy (CSP)
Content-Security-Policy as meta tag or HTTP header (preferred)
Content-Security-Policy (CSP)
directive
▪ default-src
▪ img-src
▪ child-src
▪ frame-src
▪ script-src | style-src
▪ sandbox
source (*-src)
▪ 'none'
▪ 'self'
▪ *.example.org
▪ https://example.org
▪ https: | data:
source ([script|style]-src)
▪ 'unsafe-eval'
▪ 'unsafe-inline'
▪ 'nonce-…'
▪ 'strict-dynamic'
Content-Security-Policy (CSP)
docs: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
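Added example (not code from the talk and not TYPO3 code): a small Python policy builder that models the directive and source lists above, generates a per-response nonce from a CSPRNG, serialises the policy as the HTTP header, and shows why the header is the preferred delivery: frame-ancestors, report-uri and sandbox are not supported inside the meta element and are dropped there. The concrete directive values and the /csp-report endpoint path are assumptions for illustration.

```python
import base64
import secrets
from html import escape

# Directives the CSP spec ignores when delivered via <meta http-equiv="Content-Security-Policy">.
# They only work in the HTTP header, which is why the header is the preferred delivery channel.
HEADER_ONLY_DIRECTIVES = {"frame-ancestors", "report-uri", "sandbox"}


def generate_nonce(num_bytes: int = 16) -> str:
    """A nonce is a number used once: fresh for every response and unpredictable.

    secrets.token_bytes() is a CSPRNG; standard base64 (no '-'/'_') keeps the value inside
    the base64-value grammar that both CSP Level 2 and Level 3 accept.
    """
    return base64.b64encode(secrets.token_bytes(num_bytes)).decode("ascii")


class Policy:
    """Ordered directive -> source list model, serialisable as header value or meta tag."""

    def __init__(self) -> None:
        self.directives: dict = {}

    def extend(self, directive: str, *sources: str) -> "Policy":
        bucket = self.directives.setdefault(directive, [])
        for source in sources:
            if source not in bucket:  # keep each source list free of duplicates
                bucket.append(source)
        return self

    @staticmethod
    def _serialise(directives: dict) -> str:
        return "; ".join(f"{name} {' '.join(sources)}".rstrip() for name, sources in directives.items())

    def header_value(self) -> str:
        """Value of the Content-Security-Policy HTTP header (all directives)."""
        return self._serialise(self.directives)

    def meta_tag(self) -> str:
        """<meta> fallback: the header-only directives are dropped, which is the trade-off."""
        kept = {name: sources for name, sources in self.directives.items()
                if name not in HEADER_ONLY_DIRECTIVES}
        content = escape(self._serialise(kept), quote=False).replace('"', "&quot;")
        return f'<meta http-equiv="Content-Security-Policy" content="{content}">'


def build_page_policy(nonce: str, report_endpoint: str = "/csp-report") -> Policy:
    """Nonce-based policy for one page response (directive values are illustrative)."""
    return (
        Policy()
        .extend("default-src", "'self'")
        # CSP3 browsers honour the nonce and 'strict-dynamic' and ignore "https:";
        # CSP2 browsers ignore 'strict-dynamic' and fall back to the https: allow-list.
        .extend("script-src", f"'nonce-{nonce}'", "'strict-dynamic'", "https:")
        .extend("style-src", "'self'", f"'nonce-{nonce}'")
        .extend("img-src", "'self'", "data:")
        .extend("base-uri", "'self'")           # stops an injected <base href> from redirecting relative URLs
        .extend("frame-ancestors", "'self'")    # header-only
        .extend("report-uri", report_endpoint)  # header-only
    )


def render_inline_script(nonce: str, code: str) -> str:
    """Inline <script> carrying the nonce, so it passes a policy without 'unsafe-inline'."""
    return f'<script nonce="{escape(nonce, quote=True)}">{code}</script>'


if __name__ == "__main__":
    nonce = generate_nonce()
    policy = build_page_policy(nonce)
    print("Content-Security-Policy:", policy.header_value())
    print(policy.meta_tag())
    print(render_inline_script(nonce, "console.log('nonced')"))
```

The same nonce has to be placed on every inline element that is meant to run, and it must never be reused across responses: a page cache that stores the header together with a body carrying an older nonce silently turns the nonce into a static allow-list entry.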
Content-Security-Policy (CSP) - Examples
script-src (CSP2) vs. script-src, script-src-elem, script-src-attr (CSP3)
[figure: four numbered example policies (1-4) built from example.org, 'unsafe-inline', 'unsafe-eval', 'unsafe-hashes', script-src-elem and script-src-attr]
Content-Security-Policy (CSP) - Examples
style-src (CSP2) vs. style-src, style-src-elem, style-src-attr (CSP3)
[figure: three numbered example policies (1-3) built from example.org, 'unsafe-inline', style-src-elem and style-src-attr]
Content-Security-Policy (CSP)
Support of CSP Level 3 script-src-elem - Apple: "nope"
Content-Security-Policy (CSP) - onclick example
[three screenshots of the same button under different policies]
▪ button clicked, script execution blocked
▪ button clicked, 'unsafe-inline' script executed
▪ button clicked, 'unsafe-hashes' script executed
Content-Security-Policy (CSP) - external scripts example
on https://typo3v12.ddev.site/… loading https://hacko3v12.ddev.site/static/cross-script.js
▪ HTML on typo3v12, loads from hacko3v12, loads from other3v12
▪ loaded from typo3v12, hacko3v12, other3v12, blocked eval
▪ allow loading all scripts via 'strict-dynamic' when nonce is given
▪ 'strict-dynamic' works when using DOM-API ✅ - denied for "parser-inserted" script ❌
Content-Security-Policy (CSP)
Support of CSP Level 3 strict-dynamic - Apple: "yepp"
Content-Security-Policy (CSP) - CSP Simulator
▪ github.com/ohader/csp-simulator
▪ Content-Security-Policy Simulator
▪ HTTP man-in-the-middle proxy
▪ for arbitrary websites
Strategies
The TYPO3 POV
TYPO3 and CSP
▪ general: prevention & detection strategy
▪ provide tools/APIs, suggestions, advisories
▪ Content-Security-Policy to mitigate XSS vulnerabilities
▪ with TYPO3 v12: available, but not enforced
▪ with TYPO3 v13: plans to enable CSP by default
▪ listen & incorporate community feedback & experience
TYPO3 and CSP
▪ Dedicated feature flag scopes (backend, frontend, frontend & site)
▪ Excerpt of CSP "Policy" models, directives, sources, …
▪ Static CSP declaration for extensions in PHP or site config
TYPO3 and CSP
▪ "nonce" = number used once(!) (must be random, not predictable)
▪ nonce value added automatically for static(!) files in PageRenderer
▪ nonce value added for inline scripts and styles when explicitly requested, in PageRenderer and AssetCollector (incl. Fluid view helpers)
TYPO3 and CSP
▪ CSP reporting backend module
▪ CSP reporting backend module & applying "resolutions"
▪ Individual CSP violation handlers, suggesting "resolutions"
▪ CSP HTTP header for backend requests
▪ Manually triggered CSP violation (eval)
▪ CSP violation sent back to TYPO3 reporting endpoint
Pitfalls
observations
Pitfalls
▪ […] 'unsafe-inline' is ignored if either a hash or nonce value is present […]
▪ same for style-src
▪ (TYPO3 is prepared to add nonce values everywhere*)
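Added example (not the browser's algorithm, not the csp-simulator, and not TYPO3 code): a reduced model in Python of how a CSP Level 2 and a CSP Level 3 browser decide the cases shown in the examples section, plus the pitfall directly above. It covers the script-src-elem/script-src-attr fallback to script-src and default-src, onclick handlers under 'unsafe-inline', a hash or 'unsafe-hashes', 'strict-dynamic' with parser-inserted versus DOM-API-inserted scripts, and 'unsafe-inline' being ignored once a nonce or hash is present. Simplifications are noted in the comments (no port matching, no http-to-https upgrade, sha256 hashes only); the hostnames are the ones from the demo, the nonce value is made up.

```python
import base64
import hashlib
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# CSP Level 3 fallback chains: a missing -elem/-attr directive falls back to script-src/style-src,
# which falls back to default-src. A Level 2 browser only knows the right-hand part.
FALLBACK = {
    "script-src-elem": ("script-src-elem", "script-src", "default-src"),
    "script-src-attr": ("script-src-attr", "script-src", "default-src"),
    "style-src-elem": ("style-src-elem", "style-src", "default-src"),
    "style-src-attr": ("style-src-attr", "style-src", "default-src"),
}
HASH_PREFIXES = ("'sha256-", "'sha384-", "'sha512-")


def parse_policy(header: str) -> dict:
    """'script-src a b; img-src c' -> {'script-src': ['a', 'b'], 'img-src': ['c']} (first occurrence wins)."""
    policy = {}
    for token in header.split(";"):
        parts = token.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def sha256_source(content: str) -> str:
    """Hash-source expression for an inline <script>/<style> body or an event-handler value."""
    digest = hashlib.sha256(content.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def effective_sources(policy: dict, directive: str, level: int) -> Optional[list]:
    """Source list governing `directive`, or None when no directive applies (everything allowed)."""
    if level < 3 and directive.endswith(("-elem", "-attr")):
        directive = directive.rsplit("-", 1)[0]  # CSP2 browser: script-src-elem is unknown -> script-src
    for name in FALLBACK.get(directive, (directive, "default-src")):
        if name in policy:
            return policy[name]
    return None


@dataclass
class Inline:
    kind: str                     # "script-elem", "script-attr", "style-elem" or "style-attr"
    content: str                  # element body or attribute value, exactly as in the markup
    nonce: Optional[str] = None   # only elements can carry a nonce attribute


@dataclass
class External:
    url: str
    nonce: Optional[str] = None
    parser_inserted: bool = True  # markup, innerHTML, document.write(): True; createElement()+appendChild(): False


def allows_inline(policy: dict, item: Inline, level: int = 3) -> bool:
    kind, where = item.kind.split("-")
    sources = effective_sources(policy, f"{kind}-src-{where}", level)
    if sources is None:
        return True
    keywords = {s.lower() for s in sources if s.startswith("'")}
    nonce_or_hash = any(s.startswith(("'nonce-",) + HASH_PREFIXES) for s in sources)
    if item.nonce and where == "elem" and f"'nonce-{item.nonce}'" in sources:
        return True
    if sha256_source(item.content) in sources:
        # A hash matches an element body directly; for attributes (onclick="...", style="...")
        # it only counts when CSP3's 'unsafe-hashes' is present.
        if where == "elem" or (level >= 3 and "'unsafe-hashes'" in keywords):
            return True
    # Pitfall: 'unsafe-inline' is ignored as soon as a nonce, a hash or 'strict-dynamic' is present.
    return "'unsafe-inline'" in keywords and not nonce_or_hash and "'strict-dynamic'" not in keywords


def allows_external(policy: dict, item: External, page_origin: str, level: int = 3) -> bool:
    sources = effective_sources(policy, "script-src-elem", level)
    if sources is None:
        return True
    if item.nonce and f"'nonce-{item.nonce}'" in sources:
        return True
    if level >= 3 and any(s.lower() == "'strict-dynamic'" for s in sources):
        # Host/scheme allow-list and 'self' are ignored. Trust propagates from the nonced
        # script to scripts it creates through DOM APIs, but not to parser-inserted ones.
        return not item.parser_inserted
    return any(_host_matches(s, item.url, page_origin) for s in sources
               if not s.startswith("'") or s.lower() == "'self'")


def _host_matches(source: str, url: str, page_origin: str) -> bool:
    """Simplified host/scheme matching: no port handling, no http->https upgrade."""
    target, page, source = urlsplit(url), urlsplit(page_origin), source.lower()
    if source == "'self'":
        return (target.scheme, target.netloc) == (page.scheme, page.netloc)
    if source.endswith(":") and "/" not in source:  # scheme-source: https:, data:, ...
        return target.scheme == source[:-1]
    scheme, rest = source.split("://", 1) if "://" in source else (None, source)
    host = rest.split("/", 1)[0].split(":", 1)[0]
    if scheme is not None and scheme != target.scheme:
        return False
    if host == "*":
        return True
    if host.startswith("*."):  # *.example.org matches any subdomain
        return (target.hostname or "").endswith(host[1:])
    return target.hostname == host


if __name__ == "__main__":
    page = "https://typo3v12.ddev.site"
    policy = parse_policy("script-src 'nonce-r4nd0m' 'strict-dynamic' https:")
    cross = "https://hacko3v12.ddev.site/static/cross-script.js"
    print("parser-inserted, no nonce:", allows_external(policy, External(cross), page))
    print("created via DOM API:", allows_external(policy, External(cross, parser_inserted=False), page))
```

The model makes the level difference visible: the same header that blocks a parser-inserted cross-site script in a Level 3 browser lets it through in a Level 2 browser via the https: fallback, and a hashed onclick handler only works in Level 3 with 'unsafe-hashes'.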
Pitfalls
Google's Suggestion on Integrating Google Maps
[figure: the suggested snippet, annotated ❌ CSP Level 3 / CSP Level 2]
Pitfalls
▪ false-positive reports
▪ caused by browser plugins
▪ can use own scheme, e.g. moz-extension:, safari-extension:
Pitfalls
▪ Google Translate proxies site
▪ request was actually blocked
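Added example (not TYPO3's reporting module): a Python triage of report-uri violation reports, as a site's reporting endpoint receives them, that sorts out the false positives described above before suggesting a resolution. Reports whose blocked-uri or source-file uses an extension scheme are set aside (moz-extension: and safari-extension: from the slides; chrome-extension: and safari-web-extension: are added here). Reports whose document-uri is not the site's own host are labelled proxied: the block did happen, but on a proxy such as Google Translate, not on the site (the translate.goog host in the sample is an assumed pattern). The sample reports are constructed, not real browser output, and the resolution texts are illustrative.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Schemes of browser extensions that inject scripts/styles into the page. A report pointing at one
# of them means an add-on hit the policy, not the site. moz-extension: and safari-extension: are from
# the talk; chrome-extension: and safari-web-extension: are added here.
EXTENSION_SCHEMES = {"moz-extension", "safari-extension", "chrome-extension", "safari-web-extension"}


def _scheme(value: str) -> str:
    """'moz-extension://id/x.js' -> 'moz-extension'; browsers may also send only the scheme as blocked-uri."""
    return value.split("://", 1)[0].lower() if "://" in value else value.lower()


def classify(report: dict, site_host: str) -> str:
    """Sort one report-uri style report ({"csp-report": {...}}) into 'extension', 'proxied' or 'violation'."""
    body = report.get("csp-report", report)
    if _scheme(body.get("blocked-uri", "")) in EXTENSION_SCHEMES or \
            _scheme(body.get("source-file", "")) in EXTENSION_SCHEMES:
        return "extension"
    document_host = (urlsplit(body.get("document-uri", "")).hostname or "").lower()
    if document_host != site_host.lower():
        # The page was served through another origin (e.g. a translation proxy). The block was
        # real, but it is the proxy's rendering of the page that violated, not the site itself.
        return "proxied"
    return "violation"


def suggest_resolution(directive: str, blocked_uri: str) -> str:
    """Illustrative resolution text for one (directive, blocked-uri) pair."""
    if blocked_uri == "eval":
        return f"{directive}: remove eval()/new Function() usage (or, weaker, add 'unsafe-eval')"
    if blocked_uri == "inline":
        return f"{directive}: add a nonce to the inline element or allow its hash"
    parts = urlsplit(blocked_uri)
    if parts.scheme and parts.netloc:
        return f"{directive}: add host source {parts.scheme}://{parts.netloc}"
    return f"{directive}: inspect blocked-uri {blocked_uri!r} manually"


def triage(raw_reports: list, site_host: str) -> dict:
    """Parse the JSON bodies POSTed to the report-uri endpoint and aggregate the real violations."""
    counts, violations = Counter(), Counter()
    for raw in raw_reports:
        report = json.loads(raw)
        label = classify(report, site_host)
        counts[label] += 1
        if label == "violation":
            body = report.get("csp-report", report)
            # CSP2 'violated-directive' may carry the whole directive ("script-src 'self'"); keep the name.
            directive = (body.get("effective-directive") or body.get("violated-directive") or "").split(" ")[0]
            violations[(directive, body.get("blocked-uri", ""))] += 1
    return {
        "counts": dict(counts),
        "violations": dict(violations),
        "resolutions": {key: suggest_resolution(*key) for key in violations},
    }


# Constructed sample reports (not real browser output): two eval() violations, one blocked
# cross-site script, two extension-caused reports and one report from a translation proxy.
_SITE = "https://typo3v12.ddev.site"
_CROSS = "https://hacko3v12.ddev.site/static/cross-script.js"
_SAMPLES = [
    {"document-uri": f"{_SITE}/typo3/main", "effective-directive": "script-src", "blocked-uri": "eval"},
    {"document-uri": f"{_SITE}/typo3/main", "violated-directive": "script-src 'self'", "blocked-uri": "eval"},
    {"document-uri": f"{_SITE}/", "effective-directive": "script-src-elem", "blocked-uri": _CROSS},
    {"document-uri": f"{_SITE}/", "effective-directive": "style-src-elem", "blocked-uri": "moz-extension"},
    {"document-uri": f"{_SITE}/", "effective-directive": "script-src-elem", "blocked-uri": "inline",
     "source-file": "safari-extension://com.example.addon/inject.js"},
    {"document-uri": "https://typo3v12-ddev-site.translate.goog/", "effective-directive": "script-src-elem",
     "blocked-uri": _CROSS},  # assumed proxy host pattern
]
SAMPLE_REPORTS = [json.dumps({"csp-report": body}) for body in _SAMPLES]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORTS, "typo3v12.ddev.site").items():
        print(key, value)
```

The point of the proxied label is that the suggested resolution would be wrong for the site: adding hacko3v12.ddev.site because of a report from the translation proxy's origin would widen the policy for a request the site itself never made.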
Pitfalls
▪ something™ changes base-uri
▪ <base href="https://h4ck3r.org">
▪ CSP: base-uri 'none' | 'self'
Conclusion?
▪ unfinished CSP Level 3 (draft) vs CSP Level 2 (2016)
▪ painful backward compatibility & open questions
▪ somewhere in between max. convenience & max. security
▪ please enable CSP in TYPO3 v12 (backend, maybe frontend)
▪ report your findings & feedback to https://forge.typo3.org
thanks!
questions?
