Injecting CSP for Fun and Security

Christoph Kerschbaumer, Sid Stamm, Stefan Brunthaler

2016

Abstract

Content Security Policy (CSP) defends against Cross Site Scripting (XSS) by restricting execution of JavaScript to a set of trusted sources listed in the CSP header. A high percentage (90%) of sites among the Alexa top 1,000 that deploy CSP use the keyword unsafe-inline, which permits all inline scripts to run—including attacker-injected scripts—making CSP ineffective against XSS attacks. We present a system that constructs a CSP policy for web sites by whitelisting only expected content scripts on a site. When deployed, this auto-generated CSP policy can effectively protect a site's visitors from XSS attacks by blocking injected (non-whitelisted) scripts from being executed. While by no means perfect, our system can provide significantly improved resistance to XSS for sites not yet using CSP.
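As an added example, not code from the paper, a minimal version of the idea in Python: scan a page's HTML, whitelist the origins of its external scripts and the SHA-256 hashes of its inline scripts, and emit a script-src directive with no unsafe-inline, so that an inline script not present when the policy was generated has no matching hash. CSP hash-sources are one standard mechanism for whitelisting inline scripts; whether the paper's system uses hashes or another method is not stated on this page, so that choice and the sample HTML are assumptions.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit

class ScriptCollector(HTMLParser):
    """Collects inline <script> bodies and origins of external scripts."""
    def __init__(self):
        super().__init__()
        self.inline, self.hosts, self._buf = [], set(), None

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src is None:
            self._buf = []  # start capturing an inline script body
        else:
            u = urlsplit(src)  # absolute -> its origin, relative -> 'self'
            self.hosts.add(f"{u.scheme}://{u.netloc}" if u.netloc else "'self'")

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None

def script_hash(body):
    """CSP hash-source: base64(SHA-256) of the exact inline script text."""
    digest = hashlib.sha256(body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"

def generate_csp(html):
    """script-src built only from what the page actually loads: no
    'unsafe-inline', so an injected inline script has no matching hash."""
    p = ScriptCollector()
    p.feed(html)
    return "script-src " + " ".join(sorted(p.hosts) + [script_hash(b) for b in p.inline])

def inline_allowed(policy, body):
    """Does the policy contain a hash-source matching this inline body?"""
    return script_hash(body) in policy.split()

# Constructed sample page (assumption), not taken from the paper.
SAMPLE_HTML = ('<script src="/static/app.js"></script>'
               '<script src="https://cdn.example.net/lib.js"></script>'
               '<script>initPage();</script>')
```

Because the hash covers the exact script text, any change to an expected inline script (even whitespace) requires regenerating the policy, which is the main operational cost of this approach.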

Paper Citation


in Harvard Style

Kerschbaumer C., Stamm S. and Brunthaler S. (2016). Injecting CSP for Fun and Security. In Proceedings of the 2nd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-167-0, pages 15-25. DOI: 10.5220/0005650100150025

in Bibtex Style

@conference{icissp16,
author={Christoph Kerschbaumer and Sid Stamm and Stefan Brunthaler},
title={Injecting CSP for Fun and Security},
booktitle={Proceedings of the 2nd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP},
year={2016},
pages={15-25},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0005650100150025},
isbn={978-989-758-167-0},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 2nd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP
TI - Injecting CSP for Fun and Security
SN - 978-989-758-167-0
AU - Kerschbaumer C.
AU - Stamm S.
AU - Brunthaler S.
PY - 2016
SP - 15
EP - 25
DO - 10.5220/0005650100150025