WebApp Sec mailing list archives

SEC Consult blog :: Content security policy - assumptions vs. reality


From: SEC Consult Vulnerability Lab <research () sec-consult com>
Date: Thu, 11 Jul 2013 17:08:05 +0200

SEC Consult Vulnerability Lab published a new blog entry titled:
Content Security Policy (CSP) - Another example on application security and 
"assumptions vs. reality"

Abstract:
---------
Software applications have been around for quite some time. Since the first 
security vulnerabilities and corresponding exploits emerged from the back rooms 
of software development and administration departments in the '80s, it took 
software vendors more than two decades before they slowly started reacting to 
the tens of thousands of security defects which have been published in a more 
or less responsible manner by security researchers and other people stumbling 
upon them frequently.

The sad story is that instead of addressing the root of the problem which, as 
we all know, is proper software development engineering methods and application 
security programs, most of the SW vendors and big players in our industry chose 
to go a completely alternative path which would take away responsibility from 
the engineers and developers and introduce additional protective security 
layers to operating systems, development frameworks, servers, clients and even 
the applications themselves.

CSP is yet another additional layer of security. Implementing CSP can mitigate 
the risk of content injection vulnerabilities (e.g. XSS attacks) if the web 
browser supports it.

This article will focus on Content Security Policy (CSP) and how to bypass it!
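The abstract states that CSP only mitigates content injection when the policy actually constrains script sources. As an added illustration that is not part of the SEC Consult post or the linked article, the following script parses a Content-Security-Policy header value and reports directive settings that leave injected script executable (a missing or unrestricted script-src, 'unsafe-inline' without a nonce or hash, 'unsafe-eval', or a bare wildcard). The two policy strings and the helper names are constructed for this example.

```python
"""Added example (not from the SEC Consult post): audit a CSP header value for
settings that undermine its XSS mitigation. Policy strings are constructed."""

from typing import Dict, List, Optional

# Constructed sample policies: a permissive one and a hardened one.
WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' *; img-src *"
STRICT_POLICY = ("default-src 'none'; script-src 'self' 'nonce-r4nd0m'; "
                 "object-src 'none'; style-src 'self'; img-src 'self'")

NONCE_OR_HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source expressions]}.
    Directives are separated by ';', tokens inside a directive by whitespace.
    The spec ignores a repeated directive name, so the first occurrence wins."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, sources)
    return policy


def effective_sources(policy: Dict[str, List[str]],
                      directive: str) -> Optional[List[str]]:
    """Source list the browser applies for a fetch directive: the directive
    itself if set, otherwise default-src, otherwise None (unrestricted)."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src")


def audit_csp(header: str) -> List[str]:
    """Return human-readable findings for script-src and object-src; an empty
    list means no obvious weakness in the directives this check covers."""
    policy = parse_csp(header)
    findings: List[str] = []
    for directive in ("script-src", "object-src"):
        sources = effective_sources(policy, directive)
        if sources is None:
            findings.append(f"{directive} is unrestricted: neither it nor "
                            f"default-src is set")
            continue
        lowered = [s.lower() for s in sources]
        has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH_PREFIXES)
                                for s in lowered)
        if directive == "script-src":
            # Browsers supporting CSP Level 2 ignore 'unsafe-inline' once a
            # nonce or hash is present, so only flag it when it is effective.
            if "'unsafe-inline'" in lowered and not has_nonce_or_hash:
                findings.append("script-src permits 'unsafe-inline': injected "
                                "inline script executes")
            if "'unsafe-eval'" in lowered:
                findings.append("script-src permits 'unsafe-eval': string-to-"
                                "code functions run injected text")
        if "*" in lowered:
            findings.append(f"{directive} permits '*': content loads from "
                            f"any origin")
    return findings


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("strict", STRICT_POLICY)):
        print(f"[{label}] {policy}")
        for finding in audit_csp(policy) or ["no findings"]:
            print("   -", finding)
```

The check deliberately resolves the fallback to default-src before judging a directive, because a policy that sets only img-src or style-src still leaves script-src wide open; that fallback rule is where many hand-written policies go wrong.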


URL: http://blog.sec-consult.com/

Author: Alexander Kolmann


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone:   +43 1 8903043 0
Fax:     +43 1 8903043 15

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult




