Overview
Dive into an in-depth analysis of Content Security Policy (CSP) vulnerabilities in major web browsers during this 26-minute Black Hat conference talk. Explore the root causes of persistent security bugs that threaten user privacy and attract criminal and governmental interest. Learn about the innovative "BugHog" tool, an open-source automated bisection system developed to conduct a comprehensive lifecycle analysis of 75 CSP-related bugs. Discover key insights into bug prevention and handling practices of browser vendors, including issues with policy inheritance implementation and inter-vendor vulnerability sharing. Uncover surprising findings, such as publicly disclosed security bugs still affecting current major releases of Firefox and Safari. Gain valuable perspectives from both attackers and defenders on improving web browser security and reducing the lifespan of critical vulnerabilities.
Syllabus
Back to the Roots: Finding the Origin of CSP Security Bugs
Taught by
Black Hat