13 Dec 2013 » Automatic XSS Protection With CSP: No Changes Required
In order to help ease approval for the Content Security Policy script-hash proposal, I created a PoC to demonstrate that applying it is just as easy as script-nonce. I believe script-hash is an idea that solves some of the shortcomings of script-nonce. However, it is significantly more complex. I think that the complexity can be greatly reduced with proper tooling. My PoC branch aims to prove that this can be practical. I have a sample application with all of this in action.
Hash? Nonce? Huh.
Nonce: IFF the nonce in the script tag matches the value in the header, the script executes.
Upside: pretty easy to apply
Hash: the browser hashes the contents of each inline script and executes it IFF that hash is listed in the policy. So in this case, script-src 'sha1-fU8Y3i83rje0823mI+3hgmqgysc='
Downside: moar harder for developers and browsers to implement.
Script Hash Generation
- Grab all templates (stuff that turns into html that kinda already looks like html)
- Iterate over each file and:
- Grep the code for /(<script([\s]*(?!src)([\w-])+=(["'])[^"']+\4)*[\s]*>)(.*?)(<\/script>)/mx
- Take each match (the second-to-last capture group in this case; Ruby 1.8 doesn't support named capture groups).
- Hash the value with SHA256 and base64 encode the output.
- Store the filename and any hashes (e.g. in a YAML file, hash, associative array, whatever). Key: filename, value: array of hashes.
Script hash application
- Hook into the framework so that anytime a template is rendered, we take note.
- Once rendering is done, add the hashes (if any) of all rendered templates to the content security policy.
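As an added example covering both the generation and the application steps above (my own Ruby, not code from the PoC branch or secure_headers): the post's regex with its backslashes restored, a constructed set of templates standing in for files on disk, an in-memory Hash standing in for the YAML manifest, and a function that turns the templates rendered for one response into the script-src value.

```ruby
require 'digest'
require 'base64'

# The post's regex with its backslashes restored: group 5 is the script body,
# and the (?!src) lookahead skips external <script src=...> tags.
INLINE_SCRIPT_REGEX = /(<script([\s]*(?!src)([\w-])+=(["'])[^"']+\4)*[\s]*>)(.*?)(<\/script>)/mx

# Constructed sample templates (stand-ins for real .erb files on disk).
SAMPLE_TEMPLATES = {
  'layout.html.erb' => '<head><script type="text/javascript">alert(1)</script>' \
                       '<script src="/app.js"></script></head>',
  'show.html.erb'   => "<div><script>console.log('hi')</script></div>",
  'index.html.erb'  => '<p>no inline script here</p>'
}.freeze

# Generation, step 1: base64(SHA256(body)) for every inline script in a template.
def inline_script_hashes(template)
  template.scan(INLINE_SCRIPT_REGEX).map do |groups|
    body = groups[4] # second-to-last capture group, i.e. the script contents
    Base64.strict_encode64(Digest::SHA256.digest(body))
  end
end

# Generation, step 2: the manifest keyed by filename (what the post stores in
# YAML); templates with no inline scripts are left out.
def build_manifest(templates)
  templates.each_with_object({}) do |(name, source), manifest|
    hashes = inline_script_hashes(source)
    manifest[name] = hashes unless hashes.empty?
  end
end

# Application: given the templates rendered for one response, produce the
# script-src value to append to the policy. Unknown templates contribute nothing.
def script_src_for(manifest, rendered_templates)
  sources = rendered_templates.flat_map { |name| manifest.fetch(name, []) }
                              .uniq.map { |hash| "'sha256-#{hash}'" }
  (["'self'"] + sources).join(' ')
end

if __FILE__ == $PROGRAM_NAME
  manifest = build_manifest(SAMPLE_TEMPLATES)
  puts "Content-Security-Policy: script-src #{script_src_for(manifest, %w[layout.html.erb show.html.erb])}"
end
```

The external `<script src="/app.js">` in the layout yields no hash, so it still needs its own host entry in script-src.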
“Automatic inline script CSP protection”
To hopefully satisfy this claim, here are the steps you'd have to take:
- Have a task that watches the filesystem for changes to your templates.
- Update the script hashes that are applied to the given template without having to restart any process.
Here’s a (poor quality) screen cast of my PoC branch:
- Generating hashes “on deploy” is no good. Tests would break if CSP is enforced and the hashes are outdated.
- I’m not that great with Regexen. In writing this post, I noticed at least one improvement I can make.