Web Application Security
Back to list
SEC Consult blog :: Content security policy - assumptions vs. reality
Jul 11 2013 03:08PM
SEC Consult Vulnerability Lab (research sec-consult com)
SEC Consult Vulnerability Lab published a new blog entry titled:
Content Security Policy (CSP) - Another example on application security and
"assumptions vs. reality"
Software applications have been around for quite some time. Since the first
security vulnerabilities and corresponding exploits emerged from the back rooms
of software development and administration departments in the 80ties it took
software vendors more than two decades before they slowly started reacting on
the tens of thousands of security defects which have been published in a more
or less responsible manner by security researchers and other people stumbling
upon them frequently.
The sad story is that instead of addressing the root of the problem which, as
we all know, is proper software development engineering methods and application
security programs, most of the SW vendors and big players in our industry chose
to go a completely alternative path which would take away responsibility from
the engineers and developers and introduce additional protective security
layers to operating systems, development frameworks, servers, clients and even
the applications themselves.
CSP is yet another additional layer of security. Implementing CSP can mitigate
the risk of content injection vulnerabilities (e.g. XSS attacks) if the web
browser supports it.
This article will focus on Content Security Policy (CSP) and how to bypass it!
Author: Alexander Kolmann
SEC Consult Vulnerability Lab
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15
Mail: research at sec-consult dot com
This list is sponsored by Cenzic
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
[ reply ]
Copyright 2010, SecurityFocus