Content Security Policy

Announce and Discuss the Latest Theme and Extension Releases.
luntrus
Posts: 141
Joined: May 3rd, 2005, 1:37 pm
Location: Netherlands

Content Security Policy

Post by luntrus »

Hi Firefox and Flock users,

Get accustomed to Content Security Policy inside your browser!
The last 3 years have seen a dramatic increase in both awareness and exploitation of Web Application Vulnerabilities. 2008 has seen dozens of high-profile attacks against websites using Cross Site Scripting (XSS) and Cross Site Request Forgery (CSRF) for the purposes of information stealing, website defacement, malware planting, etc.

CSP is a new policy introduced inside the Fx and Flock browser, to get accustomed to the idea, and a proof-of-concept...
To read more about this initiative:
http://people.mozilla.org/~bsterne/cont ... index.html

To download and install into your browser: http://people.mozilla.org/~bsterne/cont ... policy.xpi
Better use the official Fx download site here: https://addons.mozilla.org/nl/firefox/addon/7478

You can toggle the add-on off and on where it sits in the browser and Content Security Policy will be fully backward compatible and will not affect sites or browsers which don't support it. Non-supporting browsers will disregard the Content Security Policy header and will default to the standard Same-Origin policy for webpage content.

I have it now installed in Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090202 Minefield/3.2a1pre ID:20090202033956 (enforced it with Nightly Tester Tools),

OK and keep NoScript installed, this is not a replacement for that Cop inside your Browser...

luntrus
Last edited by luntrus on February 2nd, 2009, 3:29 pm, edited 1 time in total.
Fx forever
LoudNoise
New Member
Posts: 39900
Joined: October 18th, 2007, 1:45 pm
Location: Next door to the west

Re: Split from 1070305 - SK

Post by LoudNoise »

Split off topic because it was off topic.
Post wrangler
"Choose between the Food Select Feature or other Functions. If no food or function is chosen, Toast is the default."
Soul Stealer
Posts: 480
Joined: March 31st, 2007, 1:18 pm
Location: God's Country

Re: Content Security Policy

Post by Soul Stealer »

Wow ..... I had just responded to this topic where it was and after I hit post, I couldn't figure out where it went ..... :P

This is what I posted:

I'm thinking luntrus needs his/her own security thread. You put out a lot of good information and it would be easier to follow in a separate thread. Just my opinion. :)
It's like I said.
luntrus
Posts: 141
Joined: May 3rd, 2005, 1:37 pm
Location: Netherlands

Re: Content Security Policy

Post by luntrus »

Hi Friar Tuck,

It seems we have just started this thread. This is a very interesting subject, but also a very fundamental one, because it is my opinion that through patch heaping alone we are not winning the battle against the miscreants. You can fuzz a browser until you weigh an ounce, but that won't bring you an oversight of exploitable design flaws. A common policy and user education must finally bring this more secure browser. And in-browser security is not something that is acquired at once, it is more a kind of attitude, but I am convinced the Firefox community will achieve this. Another view on the above mentioned issue(s) can be found here:
http://www.cgisecurity.com/2007/11/browser-securit.html


luntrus
Fx forever
luntrus
Posts: 141
Joined: May 3rd, 2005, 1:37 pm
Location: Netherlands

Re: Content Security Policy

Post by luntrus »

When I try to test drive the following Public Bot Scripts, I immediately get alerts through firekeeper, whether I like to block or allow. For a list of these public bot scripts, see:
http://www.botsvsbrowsers.com/category/16/index.html
If I allow these so-called Cross Site Exploit attempts (as I said, public browsing bots) and block once, I immediately got blocked from going through Netcraft - preventing Phishing.
Where in the interrelation server browser is CSP gonna discriminate between acceptable and non-acceptable policy?
I'd like to hear your views here. Will self-built search bots go under the radar, or not be allowed?

luntrus
Fx forever
luntrus
Posts: 141
Joined: May 3rd, 2005, 1:37 pm
Location: Netherlands

Re: Content Security Policy

Post by luntrus »

Hi fx or flock users,

Web browsers are not prepared for emerging threats.
- Code (e.g. JavaScript, Java, Flash) is executed with the assumption of trust.
- Forensic challenges
  • Resource links do not appear in the browser history.
  • No-Cache instructions might inhibit the browser from saving a copy of the malicious page.
  • Network devices might only record IP address and port for SSL requests -- no idea if the request was safe.
- Current security measures are inadequate or bypassed by certain attacks.
  • Same Origin Rule
  • Cookie attributes (secure, httponly)

As long as there is a functionality versus security debate, there could not be an "and-and" situation.
Users also should be educated that no-one can use a browser "as it is", because the reality of online threats has made that an impossibility. So, yes, we are in need of a new security policy,

luntrus
Fx forever
luntrus
Posts: 141
Joined: May 3rd, 2005, 1:37 pm
Location: Netherlands

Re: Content Security Policy

Post by luntrus »

Hi malware fighters and users of pro-active protection inside the Mozilla browser,

Actually, with more and more attack vectors found online, and XSS (cross-site scripting) ones in particular (27%), pro-active in-browser protection is something no user can go without. In my browser: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090315 Minefield/3.2a1pre ID:20090315050013 I use the following extensions to do so: NoScript, RequestPolicy, Perspectives, CSP and firekeeper with some malware rule lists installed. When I test protection against XSS (cross-site scripting) vulnerabilities, it is either firekeeper or NoScript that alerts me that they have protected the browser. A good testing site I found here:
hxxp://www.xssing.com/index.php?x=1 Pick an attack vector there and then click Test it!
(These tests are only to be performed by users that use Firefox or Flock browsers and have NoScript or firekeeper with the XSS rule list installed; for others I have made the link non-clickable!)
Are we protected all around by NoScript? I guess we are, but without it, and in another browser?
One giveaway: firekeeper got them all. Inside firekeeper I run the following rule lists: #Experimental Firekeeper rules by Alexander Sotirov, the list from malware.hiperlinks.com, the http://www.malware.com.br aggressive list and, most important here: http://firekeeper.mozdev.org/rules/XSS.fk
As for testing websites for possible XSS issues, use this extension: XSS-Me 0.4.0!
https://addons.mozilla.org/en-US/firefox/addon/7598
To see whether your site already has issues:
http://www.xssed.com/archive/domain=moz ... special=1/
(none there, of course, where I gave the example, but I had not expected anything else, to tell you honestly),
Well you all, enjoy your tests and be further protected,

luntrus
Fx forever
Jason Mmm
Posts: 14
Joined: July 8th, 2008, 3:08 am
Contact:

yes please

Post by Jason Mmm »

wow... finally someone else cares enough about CAPS to develop an extension dedicated to it... awesome

I've been suffering with the interface of Controle de Scripts for CAPS
https://addons.mozilla.org/en-US/firefox/addon/1154

is your extension icon related to the now defunct computercops (castlecops)?

I welcome a tool that in some respects takes noscript to another level: disabling javascript methods on particular domains.
luntrus
Posts: 141
Joined: May 3rd, 2005, 1:37 pm
Location: Netherlands

Re: Content Security Policy

Post by luntrus »

Hi Jason Mmm,

Yes, I think this is setting the way, a pro-active, interrelational way of protecting user and webmaster alike.
In-browser pro-active protection like NoScript was aided firmly when RequestPolicy came around, and
Perspectives. Seen in the light of the ever-growing menace of the cross-site-scripting attack vector and iframe-injecting redirects, cleansing domains of ill weed is something that is of utmost importance. I like the analogy with the capitals of the ill-missed castlecops (their resources found a good rescue place, fortunately), but I think it is just the similarity of the capitals that is striking.
Just wait who will jump on the bandwagon and in what tempo. Thanks for your contribution, my friend,

luntrus
Fx forever
Alan Baxter
Posts: 4419
Joined: May 30th, 2005, 2:01 pm
Location: Colorado, USA

Re: Content Security Policy

Post by Alan Baxter »

luntrus wrote:the ill-missed castlecops (their resources found a good rescue place, fortunately)

Do you mean the lists at http://www.systemlookup.com/?
luntrus
Posts: 141
Joined: May 3rd, 2005, 1:37 pm
Location: Netherlands

Re: Content Security Policy

Post by luntrus »

Hi Alan Baxter,

SL and CC shared a lot of the information; also, this is still there: http://www.malwareinfo.org/
A recommended program to find XSS holes is Acunetix WVS XSS Scanner - Free Edition;
they also have Firefox add-ons.

For Download:

http://www.acunetix.com/cross-site-scri ... canner.htm


XSS-ME Homepage:

http://www.securitycompass.com/exploitme.shtml

luntrus
Fx forever
Fugitif
Posts: 1
Joined: March 18th, 2009, 1:24 am

Re: Content Security Policy

Post by Fugitif »

What about XSS Assistant?

"The goal of this script is to allow users to easily test any web for cross-site-scripting flaws. The script aims to do this by providing an easy to use menu by any form. It should be noted that although I may refer only to forms for the rest of the description, the script does also allow the user to test the current variables in the url bar for cross site scripting flaws. While this script does help a user find an XSS flaw it cannot really be used without understanding what an XSS flaw is. If you do not yet understand XSS flaws, I suggest you read up on it."

This script can test for multiple vectors from RSnake's XSS Cheat Sheet and from another one by mario, it can also be used to notify the XSS directly to xssed.com. We suggest that you take a look at this script as it can be very useful to search for XSS holes.


XSS Assistant for Greasemonkey:

http://www.whiteacid.org/xss_assistant.user.js
FunkyRes
Posts: 43
Joined: September 22nd, 2005, 2:31 pm

Re: Content Security Policy

Post by FunkyRes »

Late to the thread - but I just wanted to say, CSP is very exciting to me as well.

Where I think it will benefit the web the most is in all the LAMP/WAMP based webapps that people install on their websites, and often rarely update.
If these apps start to ship with CSP policies as part of the app out of the box, then when John Doe is running a version of Joomla that is six versions old with plugins that are vulnerable and outdated, the CSP will help protect visitors of the site from XSS attacks that take advantage of the fact that John Doe hasn't recently updated his software.

Web App developers need to be encouraged to implement CSP, but it's doable.

Also - it can help reduce hot linking, i.e. if I set the csp-image directive to
self *.photobucket.com *.imageshack.us *.flickr.com

and a user hotlinks to an image on a different domain, when a user with a CSP aware browser visits the page, I'll get a notice of the policy violation and can disable the illegal image before the site it was hotlinked from replaces it with something disgusting. Granted - input filters should catch that, but they sometimes fail.

CSP rocks, I hope it becomes the norm in browsers and web apps in the very near future.
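To make the hot-linking scenario above concrete, here is a small CSP source-list matcher added to this thread as an example; it is not code from the thread, from Mozilla's CSP add-on, or from any browser. It parses a policy header the way luntrus's first post describes it (a directive only restricts the resource type it names; a browser that does not understand the header just ignores it), evaluates FunkyRes's image policy against a few constructed loads, and produces the kind of "policy violation" record FunkyRes wants to be notified of. Assumptions: directive names follow standardized CSP (`img-src`, `default-src`, `script-src`) rather than the 2009 draft's names, so treating "csp-image" as `img-src` is my mapping; keywords are accepted both quoted (`'self'`, the standard spelling) and bare (as written in the post); path components of host sources are ignored for brevity; all domain names and URLs are constructed.

```python
# Added example, not from the thread: a minimal Content-Security-Policy
# source-list matcher. Standardized CSP directive names are used (img-src,
# default-src); the 2009 draft discussed in the thread named them differently.
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str) -> tuple:
    """Return (scheme, host, port) for a URL, used for 'self' comparisons."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    port = u.port if u.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, (u.hostname or "").lower(), port)


def parse_policy(header: str) -> dict:
    """Split a CSP header into {directive: [source expressions]}.
    As in CSP, a directive repeated within one header keeps its first occurrence."""
    policy = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def source_matches(source: str, resource: str, page: str) -> bool:
    """Does one source expression permit loading `resource` from `page`?"""
    src = source.lower()
    # Standard CSP quotes keywords ('self'); the thread writes them bare.
    # Both spellings are accepted here (an assumption for this example).
    if src in ("'none'", "none"):
        return False
    if src in ("'self'", "self"):
        return origin_of(resource) == origin_of(page)
    if src == "*":
        return True
    r_scheme, r_host, r_port = origin_of(resource)
    if src.endswith(":"):                      # scheme source, e.g. "https:"
        return r_scheme == src[:-1]
    # host source: [scheme://]host[:port][/path]; the path is ignored here
    scheme, _, rest = src.rpartition("://")
    if scheme and scheme != r_scheme:
        return False
    host, _, port = rest.split("/", 1)[0].partition(":")
    if port and port != "*" and str(r_port) != port:
        return False
    if host.startswith("*."):                  # "*.flickr.com" -> ".flickr.com"
        return r_host.endswith(host[1:])       # does NOT match bare flickr.com
    return r_host == host


def is_allowed(policy: dict, directive: str, resource: str, page: str) -> bool:
    """Apply the named directive, falling back to default-src; if neither is
    present CSP imposes no restriction on that resource type."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True
    return any(source_matches(s, resource, page) for s in sources)


def check_loads(header: str, page: str, loads) -> list:
    """loads: iterable of (directive, resource_url). Returns violation records
    shaped like the violated-directive / blocked-uri fields of a CSP report."""
    policy = parse_policy(header)
    reports = []
    for directive, resource in loads:
        if not is_allowed(policy, directive, resource, page):
            reports.append({"document-uri": page,
                            "violated-directive": directive,
                            "blocked-uri": resource})
    return reports


# Constructed sample: the post's hot-link policy, plus a hardened variant that
# adds default-src so that script loads are not left unrestricted.
FORUM_POLICY = "img-src 'self' *.photobucket.com *.imageshack.us *.flickr.com"
HARDENED_POLICY = "default-src 'self'; " + FORUM_POLICY
PAGE = "https://forum.example/thread/42"
LOADS = [
    ("img-src", "https://forum.example/avatars/a.png"),          # self
    ("img-src", "https://i123.photobucket.com/albums/x.jpg"),    # whitelisted host
    ("img-src", "https://evil.example.net/hotlinked.jpg"),       # hot-linked
    ("script-src", "https://cdn.example.net/lib.js"),            # no img-src rule
]

if __name__ == "__main__":
    for name, policy in (("forum policy", FORUM_POLICY), ("hardened", HARDENED_POLICY)):
        print(name)
        for r in check_loads(policy, PAGE, LOADS):
            print("  violation:", r["violated-directive"], r["blocked-uri"])
```

Run stand-alone, the original image-only policy reports just the hot-linked image and silently allows the third-party script, because an `img-src` rule says nothing about scripts; the hardened policy with `default-src 'self'` reports both. That is the caveat to keep in mind when shipping a policy with a web app as FunkyRes proposes: whitelist the image hosts, but also set a default for everything the policy does not name.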
luntrus
Posts: 141
Joined: May 3rd, 2005, 1:37 pm
Location: Netherlands

Re: Content Security Policy

Post by luntrus »

Hi FunkyRes,

Thank you for your reaction, and your enthusiasm, and the valid observations you added to this discussion.
Have you tested here already?
Link: http://www.nlm.cz/nlm/columns.csp?!C1,1

It is taking up, my friend, it is taking up to a more coordinated security execution, we have waited too long for this to materialize,

luntrus
Fx forever
luntrus
Posts: 141
Joined: May 3rd, 2005, 1:37 pm
Location: Netherlands

Re: Content Security Policy

Post by luntrus »

Hi folks,

Here is demonstrated how powerful CSS really has become:
http://www.businessinfo.co.uk/labs/css_ ... lickedLink
Another reason why we need CSP to regulate security there,

luntrus
Fx forever