Explore the world of Content Security Policies (CSPs) in this informative conference talk from GOTO Copenhagen 2018. Delve into the importance of CSPs as a crucial security tool, understanding their functionality, implementation, and limitations in protecting website users. Witness demonstrations of attacks thwarted by CSPs, observe a site intentionally broken by a CSP, and learn about various CSP directives and options. Gain insights into available tools for working with CSPs and discover how to effectively integrate them into your security strategy. Perfect for developers and security professionals looking to enhance their web application security knowledge.
Content Security Policies - Let's Break Stuff
Overview
Syllabus
Intro
Background
Crosssite scripting
Cross site scripting
Persistent crosssite scripting
Reflective crosssite scripting
Selfcrosssite scripting
Social engineering
Facebook console
Fight back against hackers
What is a content security policy
Browser support
Resources
Image
Object Source
Style Source
Inline Source
Dont Use It
Nonce
Constant Security
Breaking Production
Breaking the Site
Report URI
Payload
ReportURI
ReportOnly
Over Time
Fun Part
Business buzzwords
Requirements
Gibson
Garbage Files
Update Files
Script
Pop Emoji
Poop Emoji
Corporate Phone Call
Code Base
No poop emojis
No proof emojis
Inline script
Homepage
Gate
Home Page
Garbage File
Content Security Policy
Tips
Cryptographic Nonces
Twig
Multiple Policies
Enforce Report Policies
Test Multiple Policies
Scott Helm
Mr Goodwin
Homework
Taught by
GOTO Conferences
Related Courses
-
No More XSS - Deploying CSP with Nonces and Strict-Dynamic
-
Fixing XSS with Content Security Policy
-
Roadblocks for Content Security Policy (CSP) Implementation - Developer Challenges and Solutions
-
Evaluating the Effectiveness of Content Security Policy in the Wild
-
You Use Content Security Policy, Don't You?
-
Content Security Policy to the Rescue
