Overview
Explore the intricacies of Content Security Policy (CSP) in this comprehensive conference talk from the Hack In The Box Security Conference. Delve into the challenges of CSP deployment, common pitfalls, and browser compatibility issues. Discover juicy bypasses exploiting JSONP endpoints and outdated AngularJS versions on CDNs. Learn about a revolutionary approach to CSP implementation using nonces and a new CSP3 feature. Gain insights into effective CSP policy deployment, understand potential vulnerabilities, and explore how CSP adapts to modern web technologies. Presented by Michele Spagnuolo and Lukas Weichselbaum, experienced information security engineers from Google, this talk covers topics such as CSP basics, breaking CSP, whitelist models, CSP tools, nonce propagation, and browser support. Whether you're a defender or an attacker, acquire valuable knowledge to enhance your understanding of web application security.
Syllabus
Introduction
Google Zurich
Summary
What is CSP
Content Security Policy
Breaking CSP
Examples
Default source
Whitelist
JSONP
Angular
Paths
CSP Tool
CSP Nonces
Nonce
Nonce Propagation
Unsafe Dynamic
Demo
CSP Oddities
Browser Support
Success Stories
Taught by
Hack In The Box Security Conference