Re: CSP Transition Tools

Hi Garrett,

You know this already, but for other interested parties, I made a
couple of tools for generating a CSP called CSPTools last year and gave a
preso on it at Defcon last year:

https://github.com/Kennysan/CSPTools

http://www.youtube.com/watch?v=BEsEIV8v2fQ

I'm currently working on revamping the proxy and the parsing tools to
be more robust.

-Ken

On Tue, Jan 14, 2014 at 3:37 AM, Taras Ivashchenko <oxdef@yandex-team.ru> wrote:
> Hi, Garrett!
>
> We shared our case study at OWASP AppSec EU 2013, so you can watch it on
> YouTube: "Content Security Policy - the panacea for XSS or placebo?"
> http://www.youtube.com/watch?v=-7jLU-eO6XA
>
> We also shared our CSP related tools:
>
> * CSP Tester - This extension helps webmasters to test web application
> behavior with Content Security Policy (CSP) ver. 1.0 implemented.
> https://www.oxdef.info/csp-tester
> * CSP Reporter - In a nutshell, it is a parser for CSP (Content Security
> Policy) reports. Its main purpose is to create an easy-to-read and understandable report
> from large logs. https://www.oxdef.info/csp-reporter
>
> In a message dated 13 January 2014 14:26:23, user Garrett Robinson wrote:
>> Hey webappsec!
>>
>> I'm working on encouraging some large site operators to transition to
>> using CSP. As we know, the process of transitioning is not easy,
>> especially on large, established sites with lots of inline code. I want
>> to give them some advice about techniques and tools they can use to make
>> this process easier.
>>
>> If you've transitioned a site (especially a large and/or complex one) to
>> use CSP, please consider sharing your process, tools, and any lessons
>> learned! I'd love to build an inventory that we could maybe turn into a
>> document to help site operators transition.
>>
>> -Garrett
>
> --
> Taras Ivashchenko
> Information Security Administrator,
> Yandex
>
>

Received on Tuesday, 14 January 2014 22:10:22 UTC
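As an added example (not code from CSPTools or CSP Reporter, both linked above), here is a small Python aggregator in the spirit of the CSP Reporter description: it parses CSP 1.0 report-uri JSON lines, tolerates corrupt lines, collapses blocked URLs to origins, and keeps inline/eval hits apart from origins worth reviewing. All report data and hostnames below are constructed.

```python
"""Condense a log of CSP 1.0 violation reports (the JSON sent to report-uri) into
counts per directive and source. Every report in SAMPLE_LOG is constructed."""
import json
from collections import Counter
from urllib.parse import urlsplit
def _report(directive, blocked):   # one constructed report line in report-uri JSON format
    return json.dumps({"csp-report": {"document-uri": "https://example.test/page",
                                      "violated-directive": directive, "blocked-uri": blocked}})
# Constructed sample log: one report per line, plus a corrupt line a real log might contain.
SAMPLE_LOG = "\n".join([
    _report("script-src 'self'", ""),        # inline script, as Chrome reports it
    _report("script-src 'self'", "self"),    # inline script, as Firefox reports it
    _report("img-src 'self'", "https://cdn.example.test/logo.png"),
    _report("img-src 'self'", "https://cdn.example.test/hero.jpg"),
    _report("style-src 'self'", "inline"),
    "this line is not JSON",
])

def normalize_source(blocked_uri):
    """Collapse a blocked-uri into the source expression a policy would need:
    browsers report inline code as '', 'self' or 'inline', and eval as 'eval'."""
    if blocked_uri in ("", "self", "inline"):
        return "'inline'"
    if blocked_uri == "eval":
        return "'eval'"
    parts = urlsplit(blocked_uri)
    return f"{parts.scheme}://{parts.netloc}" if parts.netloc else blocked_uri

def summarize(log_text):
    """Return {(directive, source): count} plus the number of unparseable lines."""
    counts, skipped = Counter(), 0
    for line in log_text.splitlines():
        try:
            r = json.loads(line)["csp-report"]
            directive = r["violated-directive"].split()[0]   # "img-src 'self'" -> "img-src"
            source = normalize_source(r.get("blocked-uri", ""))
        except (ValueError, KeyError, TypeError, IndexError):
            skipped += 1    # tolerate truncated or non-JSON lines instead of aborting the run
            continue
        counts[(directive, source)] += 1
    return {"violations": counts, "skipped": skipped}

def candidate_sources(summary):
    """External origins per directive to review for the allowlist, most frequent first.
    Inline and eval hits are left out: they mark code to move out of the page, not to allow."""
    out = {}
    for (directive, source), _ in summary["violations"].most_common():
        if not source.startswith("'"):
            out.setdefault(directive, []).append(source)
    return out
```

Pointing a real report-uri log at `summarize` gives the per-directive view that makes the inline-code backlog Garrett describes visible, while `candidate_sources` lists only the origins that merit a human decision.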