XSS - Content Security Policy

Is it possible to prevent XSS 100% by setting the Content Security Policy to default-src 'self'? Is there still a way to do XSS in this case? One possibility I can think of is that user input is inserted into one of your scripts dynamically on the server side; do you agree? Are there any other vulnerabilities you can think of?

+4
3 answers

No, CSP is not a magic bullet. It should be one line of defense, not the whole defense. If configured correctly, it can help with:

  • Preventing the exploitation of XSS where the payload, whether constant or reflected, has to be small and therefore usually just creates a script element and loads external code.
  • Preventing data mining and misuse as a platform to attack other sites. Depending on how your application works, access to your own server may be sufficient to extract data: for example, if your users can write blog posts, an attacker may create a new post containing the data to be extracted, wait for a signal about the data (via a comment, for example), and delete the post again, all without communicating with external servers.
+2

, , default-src 'self' javascript : JSONP.

self . sourcing JavaScript self ( ), , .

, . , JSONP, .

http://githubengineering.com/githubs-csp-journey/

+2
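As an added illustration (not code from the question or either answer), a small Python model of how a browser evaluates `default-src 'self'` for scripts. It shows the point made in the question and the answer above: inline script is blocked, but any script URL on the page's own origin, including a JSONP endpoint or a server-generated script that embeds user input, is allowed. Policy strings, origins and URLs are constructed for the example; nonces and hashes are deliberately not modelled.

```python
from urllib.parse import urlparse

def parse_csp(policy):
    """Split a Content-Security-Policy header into {directive: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def origin_of(url):
    """scheme://host[:port], the unit that 'self' and host sources compare on."""
    u = urlparse(url)
    return f"{u.scheme}://{u.netloc}".lower()

def script_allowed(policy, page_origin, script):
    """Would `script` run on a page at page_origin under `policy`?
    script is {"inline": True} or {"src": url}. Models 'self', 'unsafe-inline',
    '*' and scheme://host sources only; nonces and hashes are left out (assumption)."""
    directives = parse_csp(policy)
    # script-src falls back to default-src when it is not set explicitly
    sources = directives.get("script-src", directives.get("default-src", []))
    if script.get("inline"):
        return "'unsafe-inline'" in sources
    src_origin = origin_of(script["src"])
    for source in sources:
        if source == "*":
            return True
        if source == "'self'":
            if src_origin == page_origin.lower():
                return True
        elif not source.startswith("'") and origin_of(source) == src_origin:
            return True
    return False

def self_only_report(page_origin="https://app.example"):
    """Constructed cases for default-src 'self': the policy stops injected inline
    and third-party scripts, but not scripts served from the page's own origin."""
    policy = "default-src 'self'"
    cases = {
        "inline script injected into HTML": {"inline": True},
        "script hosted on another origin": {"src": "https://other.example/x.js"},
        "same-origin JSONP endpoint": {"src": f"{page_origin}/api/data?callback=cb"},
        "same-origin script built from user input": {"src": f"{page_origin}/js/cfg.js"},
    }
    return {name: script_allowed(policy, page_origin, s) for name, s in cases.items()}

if __name__ == "__main__":
    for name, allowed in self_only_report().items():
        print(f"{'ALLOWED' if allowed else 'blocked':8} {name}")
```

The last two cases are the ones CSP cannot help with: the fix there is output encoding on the server and not exposing JSONP endpoints on the same origin as the policy-protected pages.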

CSP XSS. ( , , , , ) (http://caniuse.com/#search=csp).

XSS, . JavaScript, - Self-XSS (, facebook Chrome - ).

, - XSS. :

  • Importing data from third-party systems.
  • Migrating data from the old system.
  • Cookies and HTTP.

If you have appropriate data validation and encoding (server side), you can additionally apply browser mechanisms such as CSP, X-XSS-Protection or X-Content-Type-Options to increase your confidence in the security of your system.

+1

Source: https://habr.com/ru/post/1651557/
