Developing web applications with security in mind is very important today, as online attacks and fraud continue to increase. Content Security Policy (CSP) is a defense-in-depth mechanism that can help mitigate Cross-Site Scripting (XSS) vulnerabilities. In this talk, we'll see a live demo of an intentionally vulnerable web application and how Content Security Policy can prevent attacks. I'll also talk about some success stories where companies successfully deployed CSP. We'll discuss some common CSP bypasses and how CSP can also be used to address other issues, such as clickjacking, HTTPS migration and secure form submissions.
Level: All
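As an added illustration of the four CSP uses the abstract names (this is example code, not material from the talk), the following checker parses a Content-Security-Policy header and reports which of those protections are missing; the two sample policies at the end are constructed for the example.

```python
# Added example (not from the talk): parse a Content-Security-Policy header and
# check it for the four protections the abstract lists: XSS (script-src without
# bare 'unsafe-inline'), clickjacking (frame-ancestors), HTTPS migration
# (upgrade-insecure-requests) and secure form submissions (form-action).
from typing import Dict, List


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive-name: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            # Browsers ignore a repeated directive, so keep only the first.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def audit_csp(header: str) -> List[str]:
    """Return findings; an empty list means all four protections are present."""
    policy = parse_csp(header)
    findings = []
    # XSS: script-src falls back to default-src when absent.
    scripts = policy.get("script-src", policy.get("default-src"))
    if scripts is None:
        findings.append("no script-src/default-src: scripts are unrestricted")
    elif "'unsafe-inline'" in scripts and not any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in scripts
    ):
        # A nonce or hash makes CSP2+ browsers ignore 'unsafe-inline'.
        findings.append("script-src allows 'unsafe-inline': inline XSS not blocked")
    # Clickjacking: frame-ancestors does not inherit from default-src.
    if "frame-ancestors" not in policy:
        findings.append("no frame-ancestors: page can be framed (clickjacking)")
    # HTTPS migration: http:// subresource requests get rewritten to https://.
    if "upgrade-insecure-requests" not in policy:
        findings.append("no upgrade-insecure-requests: mixed content not upgraded")
    # Secure form submissions: form-action does not inherit from default-src either.
    if "form-action" not in policy:
        findings.append("no form-action: forms may post to any origin")
    return findings


# Constructed sample policies: a weak header and a hardened one.
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline'"
HARDENED_CSP = (
    "default-src 'self'; script-src 'nonce-r4nd0m' 'strict-dynamic'; "
    "frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests"
)
```

Run `audit_csp(WEAK_CSP)` against `audit_csp(HARDENED_CSP)` to see the weak header produce four findings and the hardened one none.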

Matt Dawkins at 11:30 on 16 Feb 2018

Any talk about security is going to be terrifying, and rightly so. It was really interesting seeing how easily you can compromise a vulnerable site, especially the one at the end with the hidden bitcoin iframe! Loads of useful info on CSP, although it could perhaps have benefitted from some practical demonstrations of how to implement it on an existing site using a popular framework. I'll definitely be looking into CSP further!

I loved your talk. I can use this at work, thanks!

Anonymous at 09:33 on 17 Feb 2018

The content was good, Dheeraj is clearly very knowledgeable about CSPs.

The demos fell a bit short and could have been better prepared - it was difficult to work out what was being shown and why.

The mention of bug bounties and ways to motivate people to better security with the cryptojacking problem was a good idea to put in.

The flow and pacing of the talk could use a little work, it felt like it jumped to parts where knowledge about CSPs and XSS was assumed rather than explaining why the things were important to know about.