Content Security Policy - The Past, The Present, The Future?


Details
Hi all,
we'll have our next online event in less than two weeks. Presenting language will be English again.
Happy to welcome Ben and Marius talking about their interesting research with respect to Content Security Policy!
TLDR:
Title: "Content Security Policy - The Past, The Present, The Future?"
Speaker: Ben Stock / Marius Steffens
Location: Online, please check the link the day before
Start: 16th of March 2021, 6:30 pm (CET)
Networking: Stick around afterwards if you like.
Abstract:
Content Security Policy has been around for 10 years, and still only a fraction of sites on the Web leverage its full potential to mitigate XSS and other flaws. In this talk, we will discuss the evolution of CSP over time and how sites could leverage it to secure against three attack classes. This is based on our NDSS 2020 paper (https://swag.cispa.saarland/papers/roth2020csp.pdf), which sheds light on the usage of CSP on 10,000 sites over a period of six years. In addition, we will discuss how seemingly irrelevant choices when allowlisting sites can lead to catastrophic consequences for the security of CSP. Finally, we will discuss insights from our most recent study (NDSS 2021, https://swag.cispa.saarland/papers/steffens2021blockparty.pdf), which shows that CSP's success is in large part blocked by third parties and cannot be blamed on developers. With this, we'll give our personal outlook on where CSP can go from here, and what needs to happen for it to succeed.
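The abstract's point that small allowlisting choices can undo a policy is easy to see by checking a header mechanically. The following is an added example, not code from the talk, the papers or CISPA: a small linter that parses a Content-Security-Policy header value and reports the well-known weak choices (inline scripts without a nonce or hash, scheme-only script sources, plugin content left enabled, no base-uri, no framing control). Both sample policies are constructed for the demonstration and the nonce value is a placeholder.

```python
"""Added example: a minimal linter for Content-Security-Policy header values."""
from __future__ import annotations

# Constructed sample headers for the demonstration (not taken from any real site).
WEAK_POLICY = (
    "default-src 'self' https:; "
    "script-src 'self' 'unsafe-inline' https:"
)
STRICT_POLICY = (
    "default-src 'self'; "
    "script-src 'nonce-PLACEHOLDER' 'strict-dynamic'; "   # nonce is a placeholder
    "object-src 'none'; base-uri 'none'; frame-ancestors 'self'"
)


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP value into {directive: [source expressions]}.

    Directive names are case-insensitive, and browsers ignore a directive
    that is repeated, so the first occurrence wins here as well.
    """
    policy: dict[str, list[str]] = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return policy


def effective_sources(policy: dict[str, list[str]], directive: str) -> list[str]:
    """Sources governing a fetch directive, falling back to default-src when absent.

    Note: base-uri and frame-ancestors do NOT fall back to default-src, so the
    linter checks their presence directly instead of calling this helper.
    """
    return policy.get(directive, policy.get("default-src", []))


def lint_csp(header: str) -> list[str]:
    """Return human-readable findings; an empty list means no weak choice was found."""
    policy = parse_csp(header)
    findings: list[str] = []

    scripts = effective_sources(policy, "script-src")
    nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in scripts
    )

    if "script-src" not in policy and "default-src" not in policy:
        findings.append("no script-src and no default-src fallback: scripts are unrestricted")
    # With a nonce or hash present, CSP Level 2+ browsers ignore 'unsafe-inline',
    # so it only counts as a weakness when neither is there.
    if "'unsafe-inline'" in scripts and not nonce_or_hash:
        findings.append("script-src allows 'unsafe-inline' without a nonce/hash: "
                        "injected inline scripts are not blocked")
    broad = [s for s in scripts if s in ("*", "http:", "https:")]
    if broad:
        findings.append(f"script-src contains wildcard/scheme-only source(s) {broad}: "
                        "any origin may supply scripts")
    if effective_sources(policy, "object-src") != ["'none'"]:
        findings.append("object-src is not 'none': plugin content from allowed "
                        "sources can still execute script")
    if "base-uri" not in policy:
        findings.append("base-uri missing (no default-src fallback): an injected "
                        "<base> tag can redirect relative script URLs")
    if "frame-ancestors" not in policy:
        findings.append("frame-ancestors missing (no default-src fallback): "
                        "framing by other origins is not controlled")
    return findings


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("strict", STRICT_POLICY)):
        print(f"{label}: {policy}")
        for finding in lint_csp(policy) or ["no findings"]:
            print("  -", finding)
```

Run as a script it lists five findings for the weak policy and none for the strict, nonce-based one; the parse step is kept separate so the same checks can be run over headers collected from a site's own responses.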
Bios:
Ben Stock is a Tenure-Track Faculty at the CISPA-Helmholtz Center for Information Security in Saarbrücken, where he currently supervises four PhD students. In his PhD, Ben focussed on the detection and mitigation of Client-Side Cross-Site Scripting. During his PhD, he worked closely with SAP Research and interned with Microsoft Research. After his PhD, he joined CISPA as a postdoc, focussing on both Web Security and Usable Security research. He currently heads the Secure Web Applications Group at CISPA and is a regular speaker at academic and non-academic venues such as CCS, USENIX Security, NDSS, Black Hat, and OWASP AppSec.
Marius Steffens is a third-year PhD student in the Secure Web Applications Group at the CISPA-Helmholtz Center for Information Security, supervised by Ben Stock. Marius is interested in finding emerging vulnerabilities in client-side Web applications at a large scale, leveraging dynamic program analysis techniques. Besides automatically exploiting sites, he is also interested in understanding the pitfalls associated with deployments of Web security mechanisms, which are currently hampering widespread adoption.
How to participate
OWASP Hamburg Meetup members who RSVP'd for the event will see the Google Meet invite URL on the right-hand side and can join the video conference directly. I'll update the invite URL about a day before. Please make sure you are muted by default when joining.
Our OWASP "Stammtisch"
Our meeting is about web applications and their (in)security and/or about IT security in general. People come together who care about information security as a hobby or in their job: developers, managers, pentesters and everybody else who's interested. The atmosphere is open and relaxed. If you're coming to sell products or services: move on, this is not the right place. OWASP is about education and sharing (mostly) technical information.
Feel free to forward our meetup URL to your colleagues or friends. They are welcome, too. Participation is free and open -- as the O in OWASP.
Cheers, Dirk