Talk Intermediate 13:30 - 14:15 August 12, 2023

Felipe Molina

Content Security Policy (CSP) has been in support by most modern browsers for a while now. The RFC of the first version was released in 2014. Almost 10 years later, and with version 3 recently released, a far-reaching study of CSP deployment across the Internet was due.

The top one million most popular sites were scanned and their CSP related headers were stored. The values of the CSP headers were analysed to answer several questions. How popular is this security measure nowadays. What are common pitfalls and misconfigurations within CSP headers. How often do sites enable reporting of violations to take a more proactive approach? Do sites blindly trust third parties such as content delivery networks and how can this trust be abused.

This talk will cover the results of the analysis against real world data and answer the previous questions. Additionally, it will present practical exploitation examples and provide with effective hardening and mitigation to the detected weaknesses.

Felipe Molina

Security Analyst on Orange Cyberdefense's SensePost Team

Felipe Molina is a Spaniard hacker working in the SensePost Team at Orange Cyberdefense. He loves Andalusia, to hack, drink beer, barbecue with family and friends, deep diving into new software to find cool vulnerabilities.