conf 2022-11-16 14:15 – 15:00 La Marive FR

CSP, XSS, WTF?

Name: Black Alps 2022
Start: 2022-11-15
End: 2022-11-16
Location: La Marive, Yverdon-les-Bains

Abstract

Special discount for this talk, you will learn about two related stories for the price of one!
The first one is about how the Jenkins Security team is including Content Security Policy (CSP) in the Jenkins project without breaking everything. We will explain why CSP is appealing in terms of security and how we are envisioning its introduction in an existing (very large) project.
The second part of the talk will be on a Cross-site scripting (XSS) vulnerability we have found on a very popular dating application. This vulnerability was particularly interesting as it had the possibility to spread like a virus within the social network and the impact could have been catastrophic. We will explain how we were able to bypass their incomplete CSP configuration.

Download slides (PDF)

Speakers

Kevin Guerroudj

Software and Security Engineer

CloudBees

Recently graduated from a master in Cybersecurity, I have developed a real passion in the security of web applications. A passion that continues to grow thanks to my job but also in my free time especially through bugbounty programs but also by keeping a close eye on new CVEs.

Wadeck Follonier

Engineering manager

CloudBees

Wadeck Follonier is the Security Officer of the Jenkins project (2022), and an engineering manager at CloudBees. After his Master from EPFL, he has spent his last 10 years with companies of various sizes, with a growing interest in security. When time permits, he plays with genetic algorithms and video game development.

Talk

CSP, XSS, WTF?