Thursday, May 11 • 12:25 - 13:10
So we broke all CSPs... You won't guess what happened next!

Last year we showed that the whitelist-based approach to Content Security Policy (CSP) is flawed and proposed an alternative based on 'strict-dynamic' in combination with nonces or hashes.

In our academic paper (CSP Is Dead, Long Live CSP! On the Insecurity of Whitelists and the Future of Content Security Policy, ACM CCS, 2016), we demonstrated, using automatic checks, that 94.72% of all real-world policies can be trivially bypassed by an attacker with an XSS bug, and 75.81% are bypassable due to whitelists.

Thanks to the new 'strict-dynamic' approach, we were finally able to deploy an effective policy to many important Google products, such as Gmail and Photos. In this presentation we share our experience and show examples, best practices and common pitfalls.

Finally, we share how we are addressing the recent bypasses of nonce-based policies, such as nonce exfiltration/reuse techniques and dangling markup attacks.

avatar for Michele Spagnuolo

Michele Spagnuolo

Senior Information Security Engineer, Google
A Senior Information Security Engineer at Google Switzerland, Michele is a security researcher focused on web application security and the author of the Rosetta Flash attack. He is also the author of BitIodine, a tool for extracting intelligence from the Bitcoin network.

Thursday May 11, 2017 12:25 - 13:10
Waterfront Center: Hall 1B
