GitHub’s post-CSP journey

Last year we shared some details on GitHub’s CSP journey. A journey was a good way to describe it, as our usage of Content Security Policy (CSP) significantly changed from…

Overview

This article discusses GitHub's evolution in implementing Content Security Policy (CSP) and the subsequent measures taken to defend against post-CSP exploitation. It highlights the collaboration with Cure53 to identify vulnerabilities and the various mitigations developed to enhance security against content injection attacks.

What You'll Learn

1

How to implement stricter img-src policies to prevent content exfiltration

2

Why per-form CSRF tokens enhance security against CSRF attacks

3

How to utilize same-site cookies to mitigate CSRF vulnerabilities

4

When to employ dangling markup protections in web applications

Key Questions Answered

What vulnerabilities did Cure53 identify in GitHub's CSP?
Cure53 identified several vulnerabilities, including ways to exfiltrate sensitive information through Google Analytics and Gravatar. They highlighted that these services could be exploited to leak CSRF tokens and other sensitive data, prompting GitHub to revise its CSP policies and remove third-party image sources.
How does GitHub mitigate dangling markup attacks?
GitHub mitigates dangling markup attacks by implementing strategies such as closing unclosed attributes and tags in forms to prevent CSRF token exfiltration. They also introduced per-form CSRF tokens, ensuring that each token is unique to its form, thus limiting the potential impact of any single token being compromised.
What is the purpose of same-site cookies in GitHub's security strategy?
Same-site cookies are used to control when cookies are sent in cross-origin requests, thereby mitigating CSRF attacks. By setting the SameSite attribute to 'Strict' or 'Lax', GitHub ensures that session cookies are not sent with requests from untrusted sites, enhancing overall security.
What changes were made to the img-src policy at GitHub?
GitHub transitioned from a permissive img-src policy to a more restrictive one, removing third-party sources like Google Analytics and Gravatar. This change was made to prevent potential data exfiltration through image requests, thereby tightening security against content injection vulnerabilities.

Technologies & Tools

Some links below are affiliate links. We may earn a commission if you make a purchase.

Security
Content Security Policy
Used to define which content sources are trusted and to mitigate risks of content injection attacks.
Backend Framework
Ruby On Rails
Utilized for generating HTML and managing CSRF tokens in GitHub's web application.

Key Actionable Insights

1
Implement stricter img-src policies to limit potential data exfiltration through images.
By narrowing the sources allowed in the img-src directive of CSP, organizations can significantly reduce the risk of sensitive data being sent to malicious sites.
2
Adopt per-form CSRF tokens to enhance security against CSRF attacks.
This approach ensures that even if one token is compromised, it cannot be used across different forms, thus minimizing the risk of privilege escalation.
3
Utilize same-site cookies to protect against CSRF vulnerabilities.
Setting the SameSite attribute on cookies helps prevent them from being sent in cross-origin requests, adding an additional layer of security.
4
Regularly assess and update CSP policies to address new vulnerabilities.
As new attack vectors are discovered, maintaining an up-to-date CSP is crucial for protecting web applications from exploitation.

Common Pitfalls

1
Failing to close unclosed attributes and tags can lead to dangling markup vulnerabilities.
This mistake often occurs when developers do not account for how browsers parse HTML, allowing attackers to exploit these gaps to exfiltrate sensitive information.

Related Concepts

Content Security Policy
Cross-site Request Forgery (csrf)
Web Security Best Practices