An apache module that supports CSP2.1 to thwart the reflected and stored XSS attacks
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
conf
doc
gt-sample
preprocess
webpages
README.md
withnonce
withoutnonce

README.md

How to use mod_script_nonce module

Add the following in conf/httpd.conf LoadModule script_nonce_module modules/mod_script_nonce.so

<Location />¬                                                                    
	 AddOutputFilterByType ADD-SCRIPT-NONCE text/html                            
     Addscriptnonce s/server-secret/                          
</Location>

How to compile and install the module:

apxs -iac <path to mod_script_nonce.c>  -I <path to apr-util and apr source files>

Lalit, Ameya and GT

Instructions: Install Chrome Dev build. Stable installations of chrome do not support script-nonce yet.

How to install Chrome Dev build ? On Ubuntu: #If google chrome is already installed sudo apt-purge google-chrome-stable sudo apt-get install google-chrome-unstable

I tested this on Chrome 28.0.1496.0 (Official Build 197749) dev

How to see script-nonce in action ? in sample.html file, uncomment the meta directive in the head section of the page to cross-check if the browser supports script-nonce.

meta -> an alternative way to send HTTP headers in a web-page.

Now, in our sample module, we are adding the same HTTP header.(read mod_example1.c) Benefit of adding the HTTP header in apache: The web-developer need not worry about enforcing the script-nonce. The web-admin gets to decide the policy for the pages served from an apache installation. This is a huge win.

This will take care of stored XSS attacks.

Approach: mod_example1 will generate a nonce and set the HTTP header. and set the notes nonce-s, with value of the form s|pattern|nonce|ni

This nonce-s will be used by the tweaked mod_substitute to substitute all the occurrences of the pattern in the response.

Lalit pointed out that we could simply hack mod_substitute to our own needs and avoid using request->notes. And so we did.

Implemented Approach: Hacked mod_substitute to replace the given string (mentioned in httpd.conf) with a nonce, that is generated per request.