Content-Security-Policy: manage security settings of your app

Mateusz Kulewicz3 komentarze

There are already lots of ways to prevent XSS. We can make sure the data input by the user is never presented with markup the user might have provided, encode the data, prevent any scripts from saving to the DB, add X-XSS-Protection header. Some of the instructions are now incorporated into modern frameworks, so adding a team that contained a script in the team name didn’t cause any harm on Matchlogger.

One of the still less known ways to secure your application more is a Content-Security-Policy header. As it states in the reference guide,

The new Content-Security-Policy HTTP response header helps you reduce XSS risks on modern browsers by declaring what dynamic resources are allowed to load via a HTTP Header.

The header is now supported by all modern browsers (note: IE11 supports only deprecated X-Content-Security-Policy header). It is fairly easy to add to Spring Boot application – the only part I’ve added to the config is headers() section.

Let’s check what happens if we use a default policy on Matchlogger:

Boom. We lose all styles, images, and JS as the browser blocked loading resources because of the Content-Security-Policy header in the response. We still can add teams, though, which is good – the application seems to work without all that.

Each of the issues mentioned in the developer console shows us something else which might be important from application security perspective. While in such a small app all of those issues can be dealt with – with less or more effort – in a big application with lots of legacy code we might take a different approach. Here the best approach would be to download all the used libraries and styles into the application and instead of allowing users to put any crest URL, allow them to upload pictures (make sure the upload is secured too then!).

Content-Security-Policy allows us to both define host whitelist for script/image sources and provides some sources we could use. For example,

script-src 'self' unpkg.com 'unsafe-inline' 'unsafe-eval'

would allow us to use both JS from our origin, unpkg.com, inline scripts and eval() instruction. It still maintains a whitelist of script sources but might be useful in cases where we either explicitly want to allow inline scripts and eval(), or we know we have them in our codebase and we want to manage them from now on as a risk we would like to mitigate in future.

So, is this header helpful? From two perspectives it is.

First of all, we add a new layer of protection – the browser will compare the content it obtained from the server with its security policy, and in the case of unauthorized adding of scripts, block them.

Another good thing here is that while implementing Content-Security-Policy, we get to know our application and its potential security risks better. That’s always a good thing as we want to make sure we don’t harm our users.

Podróż na żywo: Weekend na południu

Mateusz Kulewicz1 Comment

Dawno nie było żadnej podróży na żywo, prawda?

Tym razem podróż zaczyna się w piątek wieczorem, a skończy… dopiero w niedzielę! Post będzie więc aktualizowany na bieżąco, tym razem przy użyciu narzędzia, które nie wymaga, byście co chwilę odświeżali stronę.

Jaki jest plan? Tym razem trzy punkty są pewne:

  • W piątek około 19:40 wsiadam w pociąg do Zakopanego, w którym pierwszy raz będę miał okazję jechać w wagonie sypialnym. W Zakopanem będę około 8 rano dnia następnego, czyli przede mną ponad 12 godzin w pociągu;
  • W sobotę wieczorem muszę być w Krakowie, gdzie spotykam ludzi, którzy razem ze mną bawią się w wirtualne państwa;
  • W niedzielę o 18:20 lecę samolotem LOT-u z Krakowa do Gdańska.

Co będzie pomiędzy tymi punktami? Mam pewne plany, ale one cały czas się zmieniają. Zobaczymy, czy wszystko pójdzie zgodnie z oczekiwaniami.

Aby przejść do relacji, kliknij na „Read more”. Zapraszam do wspólnej podróży!

Wigle – analysis and pinpointing of WiFi networks in your area

Mateusz Kulewicz

I like gathering all possible data, even if it has no clear purpose. That’s why I have a flights log (at 4 different sites, 2 of which I still update), use statistics pages to find out facts about geocaches I found, keep a map of all places I’ve visited and want to visit, sometimes I also log information about radio stations I was able to receive at a location (that’s called band scanning). Google Location History and Swarm are also my friends. That’s also something that explains why I chose Matchlogger as the project for Daj się poznać. I also like projects where people contribute to creating something bigger, like Wikipedia or OpenStreetMap. That’s why when I read about Wigle, I thought to give it a try.

Wigle is a page that collects data about Wi-Fi and cellular networks found by users. At the moment, there are more than 325 million networks that are in WiGLE’s database. An important point in history would be the second part of 2006 when it turned out that there are more encrypted than unencrypted networks in the database. People that provide data to WiGLE (mostly through Android app) are doing something that is called wardriving – that is searching for wireless networks from a moving vehicle. If you’re not in a car, then you’re either warwalking, warjogging, warbiking, warrailing or wartraining 😉 One important note is that they don’t connect to the networks – just listen to broadcasted data – so no unauthorized access takes place.

I played around with Wigle app for the last 2 days, starting it up when I was commuting to and from work and during my jogging around the neighborhood. I live in Gdańsk which is a city of over 400 thousand inhabitants and was commuting for about 8 km each day using public transport alongside one of the most popular routes. I also went for a 3 km run around my neighborhood. Can you guess how many networks I found? The answer is at the bottom of this post.

There was absolutely no point in time when I didn’t have any Wi-Fi network available when I was either outside or in public transport vehicles. There were moments when I could catch 73 (or even 80) networks at a time – though it was around Wrzeszcz’s Shibuya Crossing equivalent 😉

73 networks found at one moment.

There were some interesting findings.

Apparently, Xiaomi Yi car cameras are quite popular lately – I noticed at least three of them. WiFi is used for remote control on them.
Looks like we may have a fan of a Polish fringe politician here – „Korwin” network.
Some Audi cars have their own WiFi networks. You can connect up to 8 devices at a time.

I’m fairly high in the monthly ranking and it looks that I increased coverage slightly in Gdańsk – as most of the existing users were driving through the main roads and didn’t go into smaller side streets. Wigle’s maps also can show people where are the busy streets with all the cars.

So, how many networks have I found?

3372!