Overview
This course on Content Security Policy (CSP) teaches participants about CSP as a defense-in-depth mechanism that restricts which resources a web application may load, reducing the risk posed by content injection. The course covers the major roadblocks in CSP deployment, common mistakes, and strategies that work across different browsers. Participants will learn how whitelist-based policies can be bypassed, how to use nonces to build a more secure CSP, and what challenges and advancements modern web technologies bring. The teaching method combines presentations, demonstrations, and examples. This course is intended for web developers, security professionals, and anyone interested in web application security.
Syllabus
Introduction
Google Zurich
Summary
What is CSP
Content Security Policy
Breaking CSP
Examples
Default source
Whitelist
JSONP
Angular
Paths
CSP Tool
CSP Nonces
Nonce
Nonce Propagation
Unsafe Dynamic
Demo
CSP Oddities
Browser Support
Success Stories
Taught by
Hack In The Box Security Conference