Prevent XSS on your wordpress Blog with CSP

CSP – short for Content Security Policy – is a Mozilla driven specification to reduce or eliminate a site’s XSS attack surface.

In Ticket #10237 Denis De Bernardy suggested to implement the new Mozilla feature to prevent XSS. That was about 11 month ago. The ticket got my attention as well those days but I could not give it the thoughtfulness it desired. My first-approach-patch was rated as too restrictive (hey I like it strict :) ).

Just yesterday I had the ticket on follow-up. And what should I say? Two weeks ago, a CSP implementation as a wordpress plugin has been finished by web security engineer Brandon Sterne (bsterne) and it’s released for a first test.

CSP WordPress Plugin Image-Gallery

What is CSP?

CSP is a HTTP-header based notation with rules that should command a browser to load or not load linked resources like image srcs, javascript files and all that stuff that can be used in XSS attacks. Hypertext comes with no restrictions by default and CSP is adding constraints for a more fine-grained control. It does only work if the browser supports it as well but if so, you can add an additional security layer for your site’s users.

X-Content-Security-Policy: allow 'self'; img-src *; \
                           object-src media1.com media2.com *.cdn.com; \
                           script-src trustedscripts.example.com

Sample X-Content-Security-Policy HTTP Header

Testdriving the CSP Plugin

Installing the plugin is as easy as with mostly any other wordpress plugin. Just click on Plugins -> Add New in your backend and search for Content Security Policy or CSP in short. You should find the Content Security Policy plugin in the result-list. Just press the Install link at the end of the entry and confirm by pressing Install Now in the upcoming dialog. After download and install, just activate it.

When you have done that successful you’ll find a new admin-page under Settings -> CSP. Note: You need to have javascript enabled to use this plugin. To give you an easy start (and without the need to hassle with configuring headers in “text mode”), this plugin comes with an interactive policy editor. That is why you need to have javascript enabled.

Suggest a Policy

For the start, just press the Suggest Policy button. After some ajax activity, the Trusted Sites is filled with a default policy. When I saw that right it will analyse your posts and comments for that (at least for post no. 1) and offer a suggestion then. In my scenario that was images for everyone and script and styles limited to the local address. Just if you wonder, the blog is running on an IP address. That’s the one starting with 192.168… in the screenshots.

Those default suggestion was pleasing me (this is a very simple test-blog, I do not need any external scripts or CSS files) for the moment. To confirm the policy, just press the Save Changes button.

Fine grained Settings

But wait! I do not want to allow linked images. That will transfer users referer information to other servers and I’d like to add some privacy here (sort of misuse of CSP, but let’s take this as an example for the moment). This can be done by either clicking on the Everyone below Images which will strike-through it and the Save Changes button appears again. Pressing it will save the changes. After saving, it will remove that Everyone entry.

And now? What happened to images? In CSP there is a fallback to the main setting then. Click on Show Advanced to make the concrete setting visible. That is what has been generated by the plugins UI so far:

allow 'self'; script-src 'self' ; style-src 'self' ;

So by default, this is allow ‘self’ (the approach I went in my first patch only). So images do a fallback to that one then. In comparison, this is the “Advanced” policy setting with images allowed to everyone:

allow 'self'; img-src * ; script-src 'self' ; style-src 'self' ;

Activate CSP via Checkbox

Note: Do not forget to press the Enable CSP checkbox, otherwise this won’t be activated.

Note 2: Sometimes saving changes does not work with the plugin. Just counter-check by re-opening the admin-page via the menu and save again.

Summary

CSP is something very useful for your users. While it might not be supported by all your users browsers as of today, you as webmistress or -master should take care here and be one of the early adopters. The web is constantly evolving and security is a process everyone should take it’s part in.

This CSP Plugin is quite new but already useful even though it still has some flaws in it’s usability. In the end it does the job and is a nice way to learn about CSP.

References

Read on: Control your site’s usage in frames

About these ads
This entry was posted in Hacking The Core, Hakre's Tips, Patched, Plugin Plugout and tagged , , , , , , , , , , , , , . Bookmark the permalink.

One Response to Prevent XSS on your wordpress Blog with CSP

  1. Pingback: Control your site’s usage in frames | hakre on wordpress

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s