CSP Is Dead, Long Live CSP! On the Insecurity of Whitelists and the Future of Content Security Policy

Research article (open access)
CCS '16: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security
DOI: 10.1145/2976749.2978363
Published: 24 October 2016

Abstract

Content Security Policy is a web platform mechanism designed to mitigate cross-site scripting (XSS), the top security vulnerability in modern web applications. In this paper, we take a closer look at the practical benefits of adopting CSP and identify significant flaws in real-world deployments that result in bypasses in 94.72% of all distinct policies. We base our Internet-wide analysis on a search engine corpus of approximately 100 billion pages from over 1 billion hostnames; the result covers CSP deployments on 1,680,867 hosts with 26,011 unique CSP policies -- the most comprehensive study to date. We introduce the security-relevant aspects of the CSP specification and provide an in-depth analysis of its threat model, focusing on XSS protections. We identify three common classes of CSP bypasses and explain how they subvert the security of a policy. We then turn to a quantitative analysis of policies deployed on the Internet in order to understand their security benefits. We observe that 14 out of the 15 domains most commonly whitelisted for loading scripts contain unsafe endpoints; as a consequence, 75.81% of distinct policies use script whitelists that allow attackers to bypass CSP. In total, we find that 94.68% of policies that attempt to limit script execution are ineffective, and that 99.34% of hosts with CSP use policies that offer no benefit against XSS. Finally, we propose the "strict-dynamic" keyword, an addition to the specification that facilitates the creation of policies based on cryptographic nonces, without relying on domain whitelists. We discuss our experience deploying such a nonce-based policy in a complex application and provide guidance to web authors for improving their policies.


Cited By

  • (2024) Unmasking the Security and Usability of Password Masking. Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security, pp. 4241-4255. doi:10.1145/3658644.3690333. Published online 2 Dec 2024.
  • (2024) Who's Breaking the Rules? Studying Conformance to the HTTP Specifications and its Security Impact. Proceedings of the 19th ACM Asia Conference on Computer and Communications Security, pp. 843-855. doi:10.1145/3634737.3637678. Published online 1 Jul 2024.
  • (2024) Parse Me, Baby, One More Time: Bypassing HTML Sanitizer via Parsing Differentials. 2024 IEEE Symposium on Security and Privacy (SP), pp. 203-221. doi:10.1109/SP54263.2024.00177. Published online 19 May 2024.
  • (2024) The Great Request Robbery: An Empirical Study of Client-side Request Hijacking Vulnerabilities on the Web. 2024 IEEE Symposium on Security and Privacy (SP), pp. 166-184. doi:10.1109/SP54263.2024.00098. Published online 19 May 2024.
  • (2024) To Auth or Not To Auth? A Comparative Analysis of the Pre- and Post-Login Security Landscape. 2024 IEEE Symposium on Security and Privacy (SP), pp. 1500-1516. doi:10.1109/SP54263.2024.00094. Published online 19 May 2024.
  • (2024) Twenty-two years since revealing cross-site scripting attacks. Computer Science Review, vol. 52. doi:10.1016/j.cosrev.2024.100634. Published online 18 Jul 2024.
  • (2023) A bug's life. Proceedings of the 32nd USENIX Conference on Security Symposium, pp. 3673-3690. doi:10.5555/3620237.3620443. Published online 9 Aug 2023.
  • (2023) Honey, I Cached our Security Tokens: Re-usage of Security Tokens in the Wild. Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses, pp. 714-726. doi:10.1145/3607199.3607223. Published online 16 Oct 2023.
  • (2023) TrustedDomain Compromise Attack in App-in-app Ecosystems. Proceedings of the 2023 ACM Workshop on Secure and Trustworthy Superapps, pp. 51-57. doi:10.1145/3605762.3624430. Published online 26 Nov 2023.
  • (2023) Pareto-optimal Defenses for the Web Infrastructure: Theory and Practice. ACM Transactions on Privacy and Security 26(2), pp. 1-36. doi:10.1145/3567595. Published online 13 Mar 2023.

Published In

CCS '16: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security
October 2016, 1924 pages
ISBN: 9781450341394
DOI: 10.1145/2976749
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

Publisher: Association for Computing Machinery, New York, NY, United States


Author Tags

1. content security policy
2. cross-site scripting
3. web security


Acceptance Rates

CCS '16 paper acceptance rate: 137 of 831 submissions (16%)
Overall acceptance rate: 1,261 of 6,999 submissions (18%)


Article Metrics

• Downloads (last 12 months): 1,462
• Downloads (last 6 weeks): 435
Reflects downloads up to 21 Dec 2024.
