Thursday, June 30 • 15:00 - 15:45
Making CSP great again!


Content Security Policy (CSP) is a defense-in-depth mechanism that restricts which resources a web application may load, embed and execute, significantly reducing the risk and impact of injection attacks. It is supported by most modern browsers and is already at its third iteration, yet adoption on the web is struggling.

In this presentation we will highlight the major roadblocks that make CSP deployment difficult and the common mistakes, talk about what works and what doesn't in different browsers, and show how easy it is to defeat the whitelist-based model with some juicy bypasses, for example via JSONP endpoints, or by abusing a CDN to load outdated versions of AngularJS.

Finally, we present a radically new way of doing CSP in a simpler, easier to maintain and more secure way based on nonces and making use of a new feature we contributed to CSP3.
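As an added illustration (not code from the talk or its authors), the nonce-based pattern described above in Python: a fresh nonce per response, a policy built from it, and a check that reports which script tags would be blocked. It assumes the CSP3 keyword referred to is 'strict-dynamic'; the hostname and template are constructed.

```python
import re
import secrets

# Added example, not from the talk. The CSP3 keyword is assumed to be
# 'strict-dynamic' (the abstract does not name it); hosts are constructed.

WHITELIST_CSP = "script-src 'self' https://cdn.example.com; object-src 'none'"
# Whitelisting a host trusts everything it serves: a JSONP endpoint or an
# outdated AngularJS build on that host is enough to run injected script.


def make_nonce() -> str:
    """Fresh, unguessable nonce (128 bits) for exactly one HTTP response."""
    return secrets.token_urlsafe(16)


def nonce_csp(nonce: str) -> str:
    """Nonce-based policy: no host whitelist to bypass. 'strict-dynamic' lets a
    nonced script load further scripts without listing their hosts; object-src
    and base-uri close plugin and <base> tricks."""
    return (f"script-src 'nonce-{nonce}' 'strict-dynamic'; "
            "object-src 'none'; base-uri 'none'")


SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)


def unnonced_scripts(html: str, nonce: str) -> list:
    """Return attribute strings of <script> tags lacking the correct nonce.
    Each one would be blocked (and reported) under nonce_csp(nonce)."""
    bad = []
    for m in SCRIPT_TAG.finditer(html):
        attrs = m.group(1)
        n = re.search(r'nonce=["\']?([^"\'\s>]+)', attrs)
        if n is None or n.group(1) != nonce:
            bad.append(attrs.strip())
    return bad


def render(template: str, nonce: str) -> tuple:
    """Fill the {{nonce}} placeholder and return (csp_header, html)."""
    return nonce_csp(nonce), template.replace("{{nonce}}", nonce)


# Constructed sample template: one nonced inline script (allowed) and one
# external script without a nonce (blocked until the template adds it).
SAMPLE = """<html><body>
<script nonce="{{nonce}}">init();</script>
<script src="https://cdn.example.com/angular.js"></script>
</body></html>"""

if __name__ == "__main__":
    nonce = make_nonce()
    header, html = render(SAMPLE, nonce)
    print("Content-Security-Policy:", header)
    for attrs in unnonced_scripts(html, nonce):
        print("would be blocked: <script", attrs + ">")
```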

We hope that after attending this talk you will understand how tricky it can be to deploy an effective CSP policy and which common mistakes to avoid; as an attacker, you will get resources and pointers on how well CSP is keeping up with modern web technologies, and how to break it.
Fun is guaranteed!

Speakers

Michele Spagnuolo

Information Security Engineer, Google
Michele Spagnuolo is an Information Security Engineer at Google Switzerland, a security researcher focused on web application security, and the Rosetta Flash guy. He is also the author of BitIodine, a tool for extracting intelligence from the Bitcoin network.

Lukas Weichselbaum

Information Security Engineer, Google
Lukas Weichselbaum is an Information Security Engineer at Google. He is currently working, among other things, on researching security enhancements and mitigations for web applications. Lukas graduated from Vienna University of Technology in Austria, where he worked on dynamic analysis of Android malware. He also founded Andrubis, one of the very first large-scale malware analysis platforms for Android applications.


Thursday June 30, 2016 15:00 - 15:45
Room A (Michelangelo Ballroom Sect. 3)
