Is there any way for a Content-Security-Policy to block a CSS function, (specifically the url() function)?

I would like to block the execution of any instance of CSS’s url() function in CSS provided by my server. One promising method would be a CSP, but I’m not sure if this is possible using a CSP. Is it? And if not, what is the best way to acc…

CSP: any way to prevent inline scripts dynamically created by a trusted external script?

Let’s say I have a simple web application which uses a single JavaScript (JS) file, loaded from its own domain, and has implemented the restrictive Content Security Policy (CSP) of default-src ‘self’. There’s a stored XSS in it whereby the…

Crafty Web Skimming Domain Spoofs “https”

Earlier today, KrebsOnSecurity alerted the 10th largest food distributor in the United States that one of its Web sites had been hacked and retrofitted with code that steals credit card and login data. While such Web site card skimming attacks are not new, this intrusion leveraged a sneaky new domain that hides quite easily in a hacked site’s source code: “http[.]ps” (the actual malicious domain does not include the brackets, which are there to keep readers from being able to click on it).