WebApp Sec mailing list archives
SEC Consult blog :: Content security policy - assumptions vs. reality
From: SEC Consult Vulnerability Lab <research () sec-consult com>
Date: Thu, 11 Jul 2013 17:08:05 +0200
SEC Consult Vulnerability Lab published a new blog entry titled: Content Security Policy (CSP) - Another example on application security and "assumptions vs. reality"

Abstract:
---------
Software applications have been around for quite some time. Since the first security vulnerabilities and corresponding exploits emerged from the back rooms of software development and administration departments in the '80s, it took software vendors more than two decades before they slowly started reacting to the tens of thousands of security defects which have been published in a more or less responsible manner by security researchers and other people frequently stumbling upon them.

The sad story is that instead of addressing the root of the problem which, as we all know, is proper software development engineering methods and application security programs, most of the SW vendors and big players in our industry chose to go a completely alternative path which would take away responsibility from the engineers and developers and introduce additional protective security layers to operating systems, development frameworks, servers, clients and even the applications themselves.

CSP is yet another additional layer of security. Implementing CSP can mitigate the risk of content injection vulnerabilities (e.g. XSS attacks) if the web browser supports it. This article will focus on Content Security Policy (CSP) and how to bypass it!
URL: http://blog.sec-consult.com/
Author: Alexander Kolmann

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult