
No More XSS - Deploying CSP with Nonces and Strict-Dynamic

Offered By: Security BSides San Francisco via YouTube

Tags

Security BSides Courses, Web Development Courses, Cross-Site Scripting (XSS) Courses, Web Security Courses, Content Security Policy Courses

Course Description

Overview

Explore a comprehensive conference talk on implementing Content Security Policy (CSP) to prevent cross-site scripting (XSS) vulnerabilities. Learn about the evolution of CSP, focusing on version 3's strict-dynamic mechanism, which simplifies application to existing web pages without major refactoring. Discover how Pinterest and Instapaper successfully deployed strict CSP, including implementation tips and potential pitfalls. Gain insights into topics such as nonces, hashes, whitelisting, and JavaScript templates. Understand the deployment process, necessary code changes, and the benefits of report-only mode. Equip yourself with practical knowledge to enhance web application security and effectively combat XSS attacks.

Syllabus

Introduction
Agenda
Cross-site scripting
Templates and autoescape
No cross-site scripting
Content security policy
Domain whitelist
Object source base URI
HTML injection
Inline scripts
CSP nonces
What can go wrong
Hashes
Whitelisting
Strict-dynamic
JavaScript templates
Deploying CSP
Easier to deploy
Code changes
Nonces
Change templates
Report only mode
CSP policy
Resources
Questions
Report URL


Taught by

Security BSides San Francisco
