XSS mitigation: add support for Content-Security-Policy #4528
Comments
|
Hello @u238 and thank you for reporting! I assume with support you mean a user's ability to do while icingaweb2 just keeps working. (Correct?) All of the above plus your report implies that you've tested it. What exactly doesn’t work for you? After all XSS is about scripts. Would Best, |
|
Hi,
Not really. That setting will not prevent other attacks like dangling markup and clickjacking attacks etc all described in the link I provided. |
|
An an idealist I personally prefer to get rid of XSS holes not to require this kind of hardening. But as a realist I see that this would be nearly impossible. As well as I see that cars have airbags and seat belts for a reason. However the "seat belt" here – Whatever your HTML (and CSS/...?) contains inline and is not HTML (CSS, JS, ...): outline it to a URL (of a dev's choice) below the same WWW doc root. I.e.: no inline JS (w/ Before I do anything here I'd like to hear from both
who considers which security mitigation of
worth refactoring and possibly additional requests (yes, I know about HTTP 2 optimistic pushing, but let's assume the worst – i.e. HTTP/1.x – for now). Oh, and remember: We're not talking about an IW2 mod shipping malicious PHP code. In that case you can only pray. We're only talking about (unintentional) security holes – missing escaping of a string inside HTML in privileged context originated from a user input in unprivileged context, etc.. ref/IP/42393 |
|
Well you won't get me to argue against CSP, it's a useful tool.
No, you certainly don't want to use CSP as an excuse to ignore XSS holes, but rather do both, so if something is discovered, you don't have to panic as it's not exploitable trivially and you can take care of it without a hurry.
There's also the option to authenticate inline-content with a nonce or hash. |
Oh, nice! But our PMs would still have to allocate dev HR for touching either the inline JS or inline everything (at their option). |
|
However I'd say only the self source is better. The hashes/nonces would have to be synced IW2<->HTTPd otherwise. |
Inline JS found so far
|
|
@nilmerg With diff --git a/application/layouts/scripts/layout.phtml b/application/layouts/scripts/layout.phtml
index 1800f2c15..488380255 100644
--- a/application/layouts/scripts/layout.phtml
+++ b/application/layouts/scripts/layout.phtml
@@ -50,6 +50,13 @@ $innerLayoutScript = $this->layout()->innerLayout . '.phtml';
<link rel="stylesheet" href="<?= $this->href($cssfile) ?>" media="all" type="text/css" />
<link type="image/png" rel="shortcut icon" href="<?= $this->baseUrl('img/favicon.png') ?>" />
<link rel="apple-touch-icon" href="<?= $this->baseUrl('img/touch-icon.png') ?>">
+ <style>
+ /*
+ #layout {
+ filter: hue-rotate(240deg);
+ }
+ */
+ </style>
</head>
<body id="body" class="loading">
<pre id="responsive-debug"></pre>
@@ -103,6 +110,7 @@ var icinga = new Icinga({
locale: '<?= $lang; ?>',
timezone: '<?= $timezone ?>'
});
+// $('div#layout')[0].style='filter: hue-rotate(240deg);';
</script>
</body>
</html>the style tag is rejected, but not the inJScted one. |
At least for using the nonce, the application has to send the header, if you wouldn't use a new one for every response, this would defeat the purpose. |
|
💡 Actually we could send a CSP header. HTTPd would have to append its own stuff to it rather than replacing. |
|
Hello again @u238! I've talked to @nilmerg. Securing all types of content as with We can offer you one of the following (at our option, we didn’t fully decide yet):
Please let me know if your customer(s) accept that and we shall proceed. Best, @nilmerg The first option would obviously require all modules to outline JS to be fancy again. The second would require calling a hook like ?><script nonce="<?= GEN_NONCE_AND_APPEND_IT_TO_SCRIPT_SRC() ?>">alert('LOLCAT!')</script><?php |
Modules were never required to do this. If that's the case, an alternative must be used. The nonces would only be required for our own framework code.
We should not send |
|
Then we do just that. Whoever wants to enable CSP can do so explicitly in the webserver configuration. |
|
No, that should have been sarcasm. I meant: you can put the nonces in a header of your choice which... will have no effect in any case. Neither by default, nor on users who try to enable CSP. Anyway: to me it sounds like you clearly prefer the first option of mine as it doesn’t imply IW2 sending CSP by itself.
With a controller taking URL params and generating JS, of course. 😎 :P |
|
Hi all,
I discussed this internally and we think this is a very good step in the right direction. Thank you all for your time! |
|
Hi @Al2Klimov , i did not exaclty understand your solution. |
|
Instead of making everything in framework + Director script-src-self-compliant, I'd add nonces to the framework's inline JS (to reduce requests). Icinga Web 2 would send a CSP with script-src nonce1, nonce2, ... nonceN, self, unsafe-inline or so. This wouldn’t break anything. To activate this you'd have to edit (not set!) the CSP header via HTTPd by removing everything from including " unsafe-" up to and not including ";". ( |
|
I would say we stop the discussion here until we have talked about it internally. |
|
I searched where we currently have inline CSS or JS. (excluding: SVG, demos, examples, external libraries, and inline font usage) Inline CSS and JS
|
nilmerg
changed the title
Is your feature request related to a problem? Please describe.
Different attack scenarios demonstrate the high impact that XSS vulnerabilities in an arbitrary module can have on an icingaweb2 installation. We showed during an internal audit that through one single XSS vulnerability we where able to fully compromise the monitoring infrastructure.
Describe the solution you'd like
Support CSP headers in oder to mitigate XSS attacks.
The text was updated successfully, but these errors were encountered: