Nothing Special   »   [go: up one dir, main page]
Skip to main content
Springer Nature Link
Log in

The Nonce-nce of Web Security: An Investigation of CSP Nonces Reuse

  • Conference paper
  • First Online:
Computer Security. ESORICS 2023 International Workshops (ESORICS 2023)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 14399))

Included in the following conference series:

Abstract

Content Security Policy (CSP) is an effective security mechanism that prevents the exploitation of Cross-Site Scripting (XSS) vulnerabilities on websites by specifying the sources from which their web pages can load resources, such as scripts and styles. CSP nonces enable websites to allow the execution of specific inline scripts and styles without relying on a whitelist. In this study, we measure and analyze the use of CSP nonces in the wild, specifically looking for nonce reuse, short nonces, and invalid nonces. We find that, of the 2271 sites that deploy a nonce-based policy, 598 of them reuse the same nonce value in more than one response, potentially enabling attackers to bypass protection offered by the CSP against XSS attacks. We analyze the causes of the nonce reuses to identify whether they are introduced by the server-side code or if the nonces are being cached by web caches. Moreover, we investigate whether nonces are only reused within the same session or for different sessions, as this impacts the effectiveness of CSP in preventing XSS attacks. Finally, we discuss the possibilities for attackers to bypass the CSP and achieve XSS in different nonce reuse scenarios.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 84.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 109.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

Notes

  1. 1.

    https://github.com/Golim/nonce-nce.

  2. 2.

    The code of the algorithm can be found at https://github.com/golim/wcde.

  3. 3.

    The specific dataset that we used can be downloaded at https://tranco-list.eu/list/W97W9/.

References

  1. Calzavara, S., Rabitti, A., Bugliesi, M.: Content security problems? evaluating the effectiveness of content security policy in the wild. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 1365–1375. CCS ’16, Association for Computing Machinery, New York, NY, USA (2016). https://doi.org/10.1145/2976749.2978338

  2. Calzavara, S., Rabitti, A., Bugliesi, M.: CCSP: Controlled relaxation of content security policies by runtime policy composition. In: 26th USENIX Security Symposium (USENIX Security 17), pp. 695–712. USENIX Association, Vancouver, BC (2017). https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/calzavara

  3. Calzavara, S., Rabitti, A., Bugliesi, M.: Semantics-based analysis of content security policy deployment. ACM Trans. Web 12(2) (2018). https://doi.org/10.1145/3149408

  4. CloudFront, A.: Understanding the cache key (2023). https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/understanding-the-cache-key.html

  5. Doupé, A., Cui, W., Jakubowski, M.H., Peinado, M., Kruegel, C., Vigna, G.: Dedacota: toward preventing server-side xss via automatic code and data separation. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security. p. 1205–1216. CCS ’13, Association for Computing Machinery, New York, NY, USA (2013). https://doi.org/10.1145/2508859.2516708

  6. Hausknecht, D., Magazinius, J., Sabelfeld, A.: May I? - content security policy endorsement for browser extensions. In: Almgren, M., Gulisano, V., Maggi, F. (eds.) DIMVA 2015. LNCS, vol. 9148, pp. 261–281. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-20550-2_14

    Chapter  Google Scholar 

  7. Johns, M.: Script-templates for the content security policy. J. Inf. Secur. Appl. 19(3), 209–223 (2014). https://doi.org/10.1016/j.jisa.2014.03.007

    Article  MathSciNet  Google Scholar 

  8. Kerschbaumer., C., Stamm., S., Brunthaler., S.: Injecting CSP for fun and security. In: Proceedings of the 2nd International Conference on Information Systems Security and Privacy - ICISSP, pp. 15–25. INSTICC, SciTePress, Online (2016). https://doi.org/10.5220/0005650100150025

  9. Lekies, S., Kotowicz, K., Groß, S., Vela Nava, E.A., Johns, M.: Code-reuse attacks for the web: breaking cross-site scripting mitigations via script gadgets. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pp. 1709–1723. CCS ’17, Association for Computing Machinery, New York, NY, USA (2017). https://doi.org/10.1145/3133956.3134091

  10. Mirheidari, S.A., Golinelli, M., Onarlioglu, K., Kirda, E., Crispo, B.: Web cache deception escalates! In: 31st USENIX Security Symposium (USENIX Security 22), pp. 179–196. USENIX Association, Boston, MA (2022). https://www.usenix.org/conference/usenixsecurity22/presentation/mirheidari

  11. Needham, R.M., Schroeder, M.D.: Using encryption for authentication in large networks of computers. Commun. ACM 21(12), 993–999 (1978). https://doi.org/10.1145/359657.359659

    Article  Google Scholar 

  12. OWASP: Cross Site Scripting Prevention Cheat Sheet. https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html

  13. Pan, X., Cao, Y., Liu, S., Zhou, Y., Chen, Y., Zhou, T.: CSPAutoGen: black-box enforcement of content security policy upon real-world websites. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 653–665. CCS ’16, Association for Computing Machinery, New York, NY, USA (2016). https://doi.org/10.1145/2976749.2978384

  14. Patil, K., Frederik, B.: A measurement study of the content security policy on real-world applications. Int. J. Netw. Secur. 18, 383–392 (2016)

    Google Scholar 

  15. Pochat, V.L., Goethem, T.V., Tajalizadehkhoob, S., Korczynski, M., Joosen, W.: Tranco: a research-oriented top sites ranking hardened against manipulation. In: Proceedings 2019 Network and Distributed System Security Symposium. Internet Society (2019). https://doi.org/10.14722/ndss.2019.23386

  16. Roth, S., Barron, T., Calzavara, S., Nikiforakis, N., Stock, B.: Complex security policy? A longitudinal analysis of deployed content security policies. In: Proceedings of the 27th Network and Distributed System Security Symposium (2020)

    Google Scholar 

  17. Roth, S., Gröber, L., Backes, M., Krombholz, K., Stock, B.: 12 Angry developers - a qualitative study on developers’ struggles with CSP. In: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, pp. 3085–3103. CCS ’21, Association for Computing Machinery, New York, NY, USA (2021). https://doi.org/10.1145/3460120.3484780

  18. Some, D.F., Bielova, N., Rezk, T.: On the content security policy violations due to the same-origin policy. In: Proceedings of the 26th International Conference on World Wide Web, pp. 877–886. WWW ’17, International World Wide Web Conferences Steering Committee, Republic and Canton of Geneva, CHE (2017). https://doi.org/10.1145/3038912.3052634

  19. Stamm, S., Sterne, B., Markham, G.: Reining in the web with content security policy. In: Proceedings of the 19th International Conference on World Wide Web, pp. 921–930. WWW ’10, Association for Computing Machinery, New York, NY, USA (2010). https://doi.org/10.1145/1772690.1772784

  20. Steffens, M., Musch, M., Johns, M., Stock, B.: Who’s hosting the block party? Studying third-party blockage of CSP and SRI. In: Network and Distributed System Security Symposium (2021)

    Google Scholar 

  21. Trampert, L., Stock, B., Roth, S.: Honey, I cached our security tokens re-usage of security tokens in the wild. RAID ’23 (2023). https://swag.cispa.saarland/papers/trampert2023honey.pdf

  22. Van Acker, S., Hausknecht, D., Sabelfeld, A.: Data exfiltration in the face of CSP. In: Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security, pp. 853–864. ASIA CCS ’16, Association for Computing Machinery, New York, NY, USA (2016). https://doi.org/10.1145/2897845.2897899

  23. Veditz, D., Barth, A., West, M.: Content security policy level 2. W3C recommendation, W3C (2016). https://www.w3.org/TR/2016/REC-CSP2-20161215/

  24. Weichselbaum, L., Spagnuolo, M., Lekies, S., Janc, A.: CSP is dead, long live CSP! on the insecurity of whitelists and the future of content security policy. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 1376–1387. CCS ’16, Association for Computing Machinery, New York, NY, USA (2016). https://doi.org/10.1145/2976749.2978363

  25. Weissbacher, M., Lauinger, T., Robertson, W.: Why is CSP failing? trends and challenges in CSP adoption. In: Stavrou, A., Bos, H., Portokalidis, G. (eds.) Research in Attacks, Intrusions and Defenses, pp. 212–233. Springer International Publishing, Cham (2014). https://doi.org/10.1007/978-3-319-11379-1_11

    Chapter  Google Scholar 

  26. West, M., Sartori, A.: Content security policy level 3. W3C working draft, W3C (2023). https://www.w3.org/TR/2023/WD-CSP3-20230220/

Download references

Acknowledgements

This work has been partially supported by the EU Horizon project DUCA (GA 101086308) and CrossCon (GA 101070537). Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union or CINEA. Neither the European Union nor the granting authority can be held responsible for them.

Author information

Authors and Affiliations

  1. University of Trento, Trento, Italy

    Matteo Golinelli, Francesco Bonomi & Bruno Crispo

Authors
  1. Matteo Golinelli
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Francesco Bonomi
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Bruno Crispo
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Matteo Golinelli .

Editor information

Editors and Affiliations

  1. Norwegian University of Science and Technology, Gjøvik, Norway

    Sokratis Katsikas

  2. Norwegian Computing Center, Oslo, Norway

    Habtamu Abie

  3. University of Trento, Trento, Italy

    Silvio Ranise

  4. University of Genoa, Genoa, Italy

    Luca Verderame

  5. Consiglio Nazionale delle Ricerche (CNR), Genoa, Italy

    Enrico Cambiaso

  6. SINTEF A.S., Oslo, Norway

    Rita Ugarelli

  7. Instituto Superior de Engenharia do Porto, Porto, Portugal

    Isabel Praça

  8. Hong Kong Polytechnic University, Hong Kong, China

    Wenjuan Li

  9. Technical University of Denmark, Kongens Lyngby, Denmark

    Weizhi Meng

  10. University of Nottingham, Nottingham, UK

    Steven Furnell

  11. Norwegian University of Science and Technology, Gjøvik, Norway

    Basel Katt

  12. Norwegian Computing Center, Oslo, Norway

    Sandeep Pirbhulal

  13. Institute for Energy Technology (IFE), Halden, Norway

    Ankur Shukla

  14. University of Calabria, Rende, Italy

    Michele Ianni

  15. University of Verona, Verona, Italy

    Mila Dalla Preda

  16. The University of Texas at San Antonio, San Antonio, TX, USA

    Kim-Kwang Raymond Choo

  17. University of Lisbon, Lisbon, Portugal

    Miguel Pupo Correia

  18. University of Twente, Enschede, The Netherlands

    Abhishta Abhishta

  19. University of Amsterdam, Amsterdam, The Netherlands

    Giovanni Sileno

  20. Open University in the Netherlands, Heerlen, The Netherlands

    Mina Alishahi

  21. Robert Gordon University, Aberdeen, UK

    Harsha Kalutarage

  22. Osaka University, Osaka, Japan

    Naoto Yanai

Rights and permissions

Reprints and permissions

Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Golinelli, M., Bonomi, F., Crispo, B. (2024). The Nonce-nce of Web Security: An Investigation of CSP Nonces Reuse. In: Katsikas, S., et al. Computer Security. ESORICS 2023 International Workshops. ESORICS 2023. Lecture Notes in Computer Science, vol 14399. Springer, Cham. https://doi.org/10.1007/978-3-031-54129-2_27

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-54129-2_27

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-54128-5

  • Online ISBN: 978-3-031-54129-2

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation