Cookie Consent by Free Privacy Policy Generator 📌 Reshaping web defenses with strict Content Security Policy

🏠 Team IT Security News

TSecurity.de ist eine Online-Plattform, die sich auf die Bereitstellung von Informationen,alle 15 Minuten neuste Nachrichten, Bildungsressourcen und Dienstleistungen rund um das Thema IT-Sicherheit spezialisiert hat.
Ob es sich um aktuelle Nachrichten, Fachartikel, Blogbeiträge, Webinare, Tutorials, oder Tipps & Tricks handelt, TSecurity.de bietet seinen Nutzern einen umfassenden Überblick über die wichtigsten Aspekte der IT-Sicherheit in einer sich ständig verändernden digitalen Welt.

16.12.2023 - TIP: Wer den Cookie Consent Banner akzeptiert, kann z.B. von Englisch nach Deutsch übersetzen, erst Englisch auswählen dann wieder Deutsch!

Google Android Playstore Download Button für Team IT Security



📚 Reshaping web defenses with strict Content Security Policy


💡 Newskategorie: IT Security Nachrichten
🔗 Quelle: feedproxy.google.com



Cross-site scripting — the ability to inject undesired scripts into a trusted web application — has been one of the top web security vulnerabilities for over a decade. Just in the past 2 years Google has awarded researchers over $1.2 million for reporting XSS bugs in our applications via the Vulnerability Reward Program. Modern web technologies such as strict contextual auto-escaping help developers avoid mistakes which lead to XSS, and automated scanners can catch classes of vulnerabilities during the testing process. However, in complex applications bugs inevitably slip by, allowing attacks ranging from harmless pranks to malicious targeted exploits.

Content Security Policy (CSP) is a mechanism designed to step in precisely when such bugs happen; it provides developers the ability to restrict which scripts are allowed to execute so that even if attackers can inject HTML into a vulnerable page, they should not be able to load malicious scripts and other types of resources. CSP is a flexible tool allowing developers to set a wide range of policies; it is supported — though not always in its entirety — by all modern browsers.

However, the flexibility of CSP also leads to its biggest problem: it makes it easy to set policies which appear to work, but offer no real security benefit. In a recent Internet-wide study we analyzed over 1 billion domains and found that 95% of deployed CSP policies are ineffective as a protection against XSS. One of the underlying reasons is that out of the 15 domains most commonly whitelisted by developers for loading external scripts as many as 14 expose patterns which allow attackers to bypass CSP protections. We believe it's important to improve this, and help the web ecosystem make full use of the potential of CSP.

Towards safer CSP policies
To help developers craft policies which meaningfully protect their applications, today we’re releasing the CSP Evaluator, a tool to visualize the effect of setting a policy and detect subtle misconfigurations. CSP Evaluator is used by security engineers and developers at Google to make sure policies provide a meaningful security benefit and cannot be subverted by attackers.

Even with such a helpful tool, building a safe script whitelist for a complex application is often all but impossible due to the number of popular domains with rresources that allow CSP to be bypassed. Here’s where the idea of a nonce-based CSP policy comes in. Instead of whitelisting all allowed script locations, it’s often simpler to modify the application to prove that a script is trusted by the developer by giving it a nonce -- an unpredictable, single-use token which has to match a value set in the policy:

Content-Security-Policy: script-src 'nonce-random123'

<script nonce='random123'>alert('This script will run')</script>
<script>alert('Will not run: missing nonce')</script>
<script nonce='bad123'>alert("Won't run: invalid nonce")</script>

With 'strict-dynamic', a part of the upcoming CSP3 specification already supported by Chrome and Opera (and coming soon to Firefox), adopting such policies in complex, modern applications becomes much easier. Developers can now set a single, short policy such as:

script-src 'nonce-random123' 'strict-dynamic'; object-src 'none'

and make sure that all static <script> elements contain a matching nonce attribute — in many cases this is all that’s needed to enjoy added protection against XSS since ‘strict-dynamic’ will take care of loading any trusted scripts added at runtime. This approach allows setting policies which are backwards-compatible with all CSP-aware browsers, and plays well with applications which already use a traditional CSP policy; it also simplifies the process of adopting CSP and doesn’t require changing the policy as the application evolves.

Adopting strict CSP
In the past months we’ve deployed this approach in several large Google applications, including Cloud Console, Photos, History, Careers Search, Maps Timeline, Cultural Institute and are working on many more. We believe this approach can also help other developers so today we’re publishing documentation discussing the best strategies for implementing CSP, including an overview of the benefits of CSP, sample policies, and examples of common code changes.

Further, today we’re releasing CSP Mitigator, a Chrome extension that helps developers review an application for compatibility with nonce-based CSP. The extension can be enabled for any URL prefix and will collect data about any programming patterns that need to be refactored to support CSP. This includes identifying scripts which do not have the correct nonce attribute, detecting inline event handlers, javascript: URIs, and several other more subtle patterns which might need attention.
As with the CSP Evaluator, we use the extension with our applications to help speed up the process of adopting nonce-based CSP policies nonce-based policies across Google.

Encouraging broader use of strict CSP
Finally, today we’re including CSP adoption efforts in the scope of the Patch Reward Program; proactive work to help make popular open-source web frameworks compatible with nonce-based CSP can qualify for rewards (but please read the program rules and CSP refactoring tips first). We hope that increased attention to this area will also encourage researchers to find new, creative ways to circumvent CSP restrictions, and help us further improve the mechanism so that we can better protect Internet users from web threats.

To reach out to us, email [email protected].
...













📌 Reshaping web defenses with strict Content Security Policy


📈 80.63 Punkte

📌 Reshaping web defenses with strict Content Security Policy


📈 80.63 Punkte

📌 Strict password policy could prevent credential reuse, paper suggests


📈 28.05 Punkte

📌 VPN With 'Strict No-Logs Policy' Exposed Millions of User Log Files


📈 28.05 Punkte

📌 A new default Referrer-Policy for Chrome: strict-origin-when-cross-origin


📈 28.05 Punkte

📌 US Gaming Giant Steam Has Managed To Skirt China's Strict Regulations on Content


📈 27.06 Punkte

📌 ​​​​​​​The perfect storm: How digital transformation is reshaping security and networking


📈 25.66 Punkte

📌 How passkeys are reshaping user security and convenience


📈 25.66 Punkte

📌 How Artificial Intelligence Is Reshaping the Workforce


📈 23.75 Punkte

📌 Egypt’s Agenda for Reshaping the UN on Counterterrrorism


📈 23.75 Punkte

📌 Disney Makes Deal for 21st Century Fox, Reshaping Entertainment Landscape


📈 23.75 Punkte

📌 How the Pandemic is Reshaping the Bug-Bounty Landscape


📈 23.75 Punkte

📌 How the Pandemic is Reshaping the Bug Bounty Landscape


📈 23.75 Punkte

📌 Reshaping the Threat Landscape: Deepfake Cyberattacks Are Here


📈 23.75 Punkte

📌 DevSecOps: AI is reshaping developer roles, but it’s not all smooth sailing


📈 23.75 Punkte

📌 The Evolving Cloud Landscape: How Private Clouds Are Reshaping the Tech Industry


📈 23.75 Punkte

📌 Fashion Forward: how technology is reshaping the fashion industry


📈 23.75 Punkte

📌 All-source intelligence: reshaping an old tool for future challenges


📈 23.75 Punkte

📌 How React is Reshaping the Future of Development


📈 23.75 Punkte

📌 "Beyond Virtual Assistants: How Amazon Q is Reshaping Work with Generative AI"


📈 23.75 Punkte

📌 How technology is reshaping the college student experience


📈 23.75 Punkte

📌 The Digital Markets Act: Reshaping Tech Competition in the EU | UpGuard


📈 23.75 Punkte

📌 Reshaping the Model’s Memory without the Need for Retraining


📈 23.75 Punkte

📌 Understanding the Basics of Nose Reshaping


📈 23.75 Punkte

📌 Reshaping the Focus of Cybersecurity


📈 23.75 Punkte

📌 How AI is reshaping the cybersecurity job landscape


📈 23.75 Punkte

📌 Breaking New Grounds in AI: How Multimodal Large Language Models are Reshaping Age and Gender Estimation


📈 23.75 Punkte

📌 Explore web applications through their content security policy (CSP)


📈 21.71 Punkte

📌 SMTP Strict Transport Security Coming Soon to Gmail, Other Webmail Providers


📈 21.53 Punkte

📌 OWASP Appsec Tutorial Series - Episode 4: Strict Transport Security


📈 21.53 Punkte

📌 Mail Transfer Agent - Strict Transport Security


📈 21.53 Punkte

📌 What is HSTS (HTTP Strict Transport Security)? | UpGuard


📈 21.53 Punkte

matomo