I'm asking this question as I'm not familiar with CSP. But couldn't the attacker change the CSP or simply remove it from the header? When he has access to the server or the distributor, that sounds like an easy thing to do.
Replying to @trickser26
Yes! This is an excellent point. There are a couple of ways to handle this: 1. Define the header in the webserver. This means that we have the additional security boundary of a Linux user, which increases attacker cost... /1
Replying to @andrewhowdencom @trickser26
2. Implement it in the application, but in a way that's not trivial to override. In the case of 2, it's likely the attacker will be able to drop the CSP. You could set some sort of static analysis on the site to ensure CSP is present -- but it's a "turtles all the way down" /2
Replying to @andrewhowdencom @trickser26
What would probably be ideal is some sort of "expiry" property of the CSP, such as that which is found on HSTS. cc @ericlaw -- do you know if there's a way to set a "persistent" CSP?
Replying to @andrewhowdencom
Wow, thanks a lot. But in the case of a provider takeover, (1) doesn't sound like it can be used as a layer of protection. I'm assuming here that everybody can change a file that is owned by the root user when he has direct access to the hard drive (virtual hard drive).
Replying to @trickser26
Yes! 100%. However, the mechanism I've seen to compromise this isn't "RCE to root", but rather just an admin that's used a terrible password on some common software, and someone that's brute forced it. In that case, they don't even get RCE on the server. Here, CSP will help?
Replying to @andrewhowdencom @trickser26
(cc @gwillem who may disagree with me, and has much better knowledge of the statistics, and @ericlaw as this clarifies the risks I'm trying to mitigate).
It will help a bit, but once they've got access to the CMS code, it's trivial to add a Magecart scraper to the server-side code, where it stays completely out of sight.
Replying to @gwillem
Yah, but "connect-src" will catch it egressing? The POST from AJAX. Unless it goes back to the server and then out, and then you're completely outside CSP.
CSP is not effective as DLP. There are a variety of ways to egress data that CSP cannot block.