CSP Is Dead, Long Live CSP! On the Insecurity of Whitelists and the Future of Content Security Policy

@article{Weichselbaum2016CSPID,
  title={CSP Is Dead, Long Live CSP! On the Insecurity of Whitelists and the Future of Content Security Policy},
  author={Lukas Weichselbaum and Michele Spagnuolo and Sebastian Lekies and Artur Janc},
  journal={Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security},
  year={2016}
}
Content Security Policy is a web platform mechanism designed to mitigate cross-site scripting (XSS), the top security vulnerability in modern web applications. In this paper, we take a closer look at the practical benefits of adopting CSP and identify significant flaws in real-world deployments that result in bypasses in 94.72% of all distinct policies. We base our Internet-wide analysis on a search engine corpus of approximately 100 billion pages from over 1 billion hostnames; the result… 

Semantics-Based Analysis of Content Security Policy Deployment
TLDR
A systematic, large-scale analysis of the effectiveness of the current CSP deployment, using the formal semantics for the latest stable version of the standard, CSP Level 2, to substantiate the methodology and assess the impact of the detected issues.
On the Content Security Policy Violations due to the Same-Origin Policy
TLDR
This work describes how CSP may be violated due to the SOP when a page contains an embedded iframe from the same origin, and discusses measures to avoid CSP violations.
A Tale of Two Headers: A Formal Analysis of Inconsistent Click-Jacking Protection on the Web
TLDR
This paper formally studies the problem of inconsistencies in framing control policies across different browsers and implements an automated policy analyzer based on the theory, which is used to assess the state of click-jacking protection on the Web.
CCSP: Controlled Relaxation of Content Security Policies by Runtime Policy Composition
TLDR
This paper presents Compositional CSP, an extension of CSP based on runtime policy composition that is designed to overcome the limitations arising from the use of static whitelists, while avoiding a major overhaul of CSP and the logic underlying policy writing.
Twenty-two years since revealing cross-site scripting attacks: a systematic mapping and a comprehensive survey
TLDR
The present review covers 147 high quality published studies since 1999 including early publications of 2022 and reveals a remarkable bias toward basic and JavaScript XSS attacks and a dearth of vulnerability repair mechanisms.
If It’s Not Secure, It Should Not Compile: Preventing DOM-Based XSS in Large-Scale Web Development with API Hardening
TLDR
Google's secure-by-design engineering paradigm that effectively prevents DOM-based XSS vulnerabilities in large-scale web development is introduced, and empirical results are presented showing how API hardening has helped reduce the occurrence of XSS vulnerabilities in Google's enormous code base over the course of a two-year deployment.
On the Security of Parsing Security-Relevant HTTP Headers in Modern Browsers
TLDR
Browsers conform to the specification and behave securely; however, all tested browsers behave differently when it comes to parsing the Strict-Transport-Security header, and Chrome, Safari, and Firefox behave differently if the header contains a character that is not allowed by the defined ABNF.
Reining in the Web's Inconsistencies with Site Policy
TLDR
This paper formalizes inconsistencies for cookie security attributes, CSP and HSTS, and quantifies the magnitude and impact of inconsistencies at scale by crawling 15,000 popular sites and proposes Site Policy, designed to overcome Origin Policy’s shortcomings and make any insecurity explicit.
Automatically Retrofitting Cordova Applications for Stricter Content Security Policies
TLDR
This work proposes a tool that generates CSP definitions for pre-existing, real-world Cordova apps and attempts to rewrite all JavaScript APIs that are restricted by CSP, finding that any static rewriting of JavaScript APIs should apply in-depth flow analysis and be able to deal with special syntaxes introduced by the most common UI frameworks.
Poster: Are Trusted-Types the Panacea for XSS?
  • Computer Science
  • 2022
Cross-Site Scripting (XSS) is one of the most prevalent vulnerabilities present in modern Web applications. To mitigate the effect of this markup injection vulnerability, the Content Security…

References

Showing 1-10 of 53 references
Reining in the web with content security policy
TLDR
This work presents content restrictions, and a content restrictions enforcement scheme called Content Security Policy (CSP), which intends to be one such layer of real world security in layers, and shows how a system such as CSP can be effective to lock down sites and provide an early alert system for vulnerabilities on a web site.
May I? - Content Security Policy Endorsement for Browser Extensions
TLDR
A large-scale empirical study of all free extensions from Google's Chrome web store uncovers three classes of vulnerabilities arising from the tension between the power of extensions and CSP intended by web pages: third party code inclusion, enabling XSS, and user profiling.
Injecting CSP for Fun and Security
TLDR
This work presents a system that constructs a CSP policy for web sites by whitelisting only expected content scripts on a site, and can provide significantly improved resistance to XSS for sites not yet using CSP.
Document Structure Integrity: A Robust Basis for Cross-site Scripting Defense
TLDR
A new approach that combines randomization of web application code and runtime tracking of untrusted data both on the server and the browser to combat XSS attacks is developed, and a client-server architecture that enforces document structure integrity is proposed that can be implemented in current browsers with a minimal impact to compatibility and that requires minimal effort from the web developer.
A Measurement Study of the Content Security Policy on Real-World Applications
TLDR
Measurements on a large corpus of web applications provide a key insight into the amount of effort web developers require to adapt to CSP, and identify errors in the CSP policies that website developers set on their websites.
Static detection of cross-site scripting vulnerabilities
  • Gary Wassermann, Z. Su
  • Computer Science
  • 2008 ACM/IEEE 30th International Conference on Software Engineering
  • 2008
TLDR
This paper presents a static analysis for finding XSS vulnerabilities that directly addresses weak or absent input validation, and implements the approach and provides an extensive evaluation that finds both known and unknown vulnerabilities in real-world web applications.
Precise Client-side Protection against DOM-based Cross-Site Scripting
TLDR
This work proposes an alternative filter design for DOM-based XSS, that utilizes runtime taint tracking and taint-aware parsers to stop the parsing of attacker-controlled syntactic content and presents a practical implementation based on the open source browser Chromium.
Noncespaces: Using Randomization to Enforce Information Flow Tracking and Thwart Cross-Site Scripting Attacks
TLDR
Noncespaces is presented, a technique that enables web clients to distinguish between trusted and untrusted content to prevent exploitation of XSS vulnerabilities and it is shown that with simple policies Noncespaces thwarts popular XSS attack vectors.
FLAX: Systematic Discovery of Client-side Validation Vulnerabilities in Rich Web Applications
TLDR
This work provides empirical evidence that CSV vulnerabilities are not merely conceptual but are prevalent in today’s web applications, and proposes dynamic analysis techniques to systematically discover vulnerabilities of this class.
deDacota: toward preventing server-side XSS via automatic code and data separation
TLDR
This paper presents a novel approach to securing legacy web applications by automatically and statically rewriting an application so that the code and data are clearly separated in its web pages, which protects the application and its users from a large range of server-side cross-site scripting attacks.