Overview
Explore the intricacies of Content Security Policy (CSP) and its role in combating XSS vulnerabilities in this in-depth talk from the Hack In The Box Security Conference. The talk gives a technical analysis of the various CSP flavors and their effectiveness against different classes of XSS vulnerabilities, debunking common myths and misconceptions. It examines the blurred line between hardening and mitigation techniques, and explains how CSP can provide robust defense-in-depth guarantees while enforcing best coding practices. Learn advanced CSP techniques and review real-world data on how CSP has prevented XSS exploitation in sensitive applications on modern browsers. Discover the strengths, limitations, and complexity of CSP, covering topics such as nonce-based CSP, hash-based CSP, Strict Dynamic, Trusted Types, CSP coverage, reporting, and detection. Gain practical knowledge on implementing and evaluating CSP, including examples, tricks, and tools such as the CSP Evaluator.
Syllabus
Intro
Web Platform Bugs
Google CSP
Hash-based CSP
Level 1 CSP
Advanced CSP
Refactoring
Strict Dynamic
Trusted Types
CSP Coverage
Guru Section
CSP
Nonce Only
Example
CSS
CSP Reporting
CSP Detection
Strict Dynamic
Conclusion
CSP evaluator
Questions
Browser Cache
SSRI
Taught by
Hack In The Box Security Conference