HTTP Header Analysis
DefCamp 2013
@httphacker httphacker.com
Agenda

• Why are headers important to us?
• What Checks are in AppSec Scanners?
• Review of Header Attributes
• Demo of gethead.py
Why are headers important to us?

[Chart: Input & Parameter Coverage in Web Application Scanners. Non-coverage rate of input vectors (scale 0-60), split into "coverage" and "no coverage", for GET, POST, HTTP Cookie and HTTP Header. Reference: data compiled from InfoSec Institute 2012 study]

It's the least protected area...
Opportunity

POST /.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/boot.ini&url=httphacker.com HTTP/1.0
Referer: domain.com/external.xml
Accept: */*
User-Agent: Mozilla/5.0 Gecko/20110614 Firefox/3.6.18
Host: domain.com
Connection: Keep-Alive
Cookie: oAuth[access_token]=%31%33%33%37%22%3e%3c%73%43%72%49%70%54%3e%61%6c%65%72%74%28%68%74%74%70%68%61%63%6b%65%72%29%3c%2f%73%43%72%49%70%54%3e;PHPSESSID=k04mk749i6cur91k;

<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd"> ]><REQUEST><FROM>null</FROM><METHOD>SEND</METHOD><MESSAGE type="MSG"><HEAD><ID>612117752013</ID><FROM>null</FROM><DESTINATION>UserManagerService&xxe;</DESTINATION><ACTION>logout</ACTION><EVENT>null</EVENT></HEAD><BODY /></MESSAGE></REQUEST>

username:http&password=hacker

Every part of this one request carries a payload: double-encoded path traversal in the request line, a cookie value that decodes to 1337"><sCrIpT>alert(httphacker)</sCrIpT>, and an external entity in the XML body. A scanner that only fuzzes GET and POST parameters never exercises the cookie and header vectors.
What Checks are in AppSec Scanners?

What is missing in AppSec Scanners?

Let's review some of these headers...
Content Security Policy (CSP)

• Lets you specify a policy for where content in your webpages can be loaded from
• Lets you put restrictions on script execution
• Headers
  • Content-Security-Policy - Chrome 25+ (Firefox nightlies at the time of the talk; shipped unprefixed in Firefox 23)
  • X-Content-Security-Policy - Firefox 4+ (legacy prefix)
  • X-WebKit-CSP - WebKit browsers (Chrome/Safari) (legacy prefix)
• Current browsers only honour the unprefixed Content-Security-Policy header; always send that one, and drop the prefixed variants once those old browsers no longer matter
CSP Directives

• default-src - Fallback for every other fetch directive that is not set explicitly
• script-src - JavaScript
• style-src - CSS
• object-src - plugins
• img-src - images
• media-src - video/audio
• frame-src - nested browsing contexts (iframes)
• font-src - web fonts
• connect-src - script-initiated connections (XMLHttpRequest, WebSocket, EventSource)
• report-uri - Specifies where CSP violations can be reported
CSP Sources (for the directives)

• 'none' - No content of this type is allowed (All directives)
• 'self' - Content of this type can only be loaded from the same origin (no content from other sites) (All directives)
• 'unsafe-inline' - Allows unsafe inline content
  • Supported by style-src (inline css) and script-src (inline script)
• 'unsafe-eval' - Allow script functions considered unsafe (such as eval())
  • Supported by script-src
CSP Sources (for the directives)

• And you can specify custom sources:
  • * - Allow content from anywhere
  • *.domain.com - Wildcard host, allow content from any domain.com sub-domain
  • www.domain.com:81 - You can specify a port number
  • https: - Scheme only, load only content served over https (from any host)
  • https://www.domain.com - You can specify an absolute URI for a host (CSP 1.0 ignores the path; CSP Level 2 and later match it)
And then it all comes together

• Content-Security-Policy: default-src 'self'; script-src 'self' scripts.domain.com
• This policy sets a default source of 'self' for all directives
• script-src defines its own sources, replacing the default
• Scripts can also be loaded from scripts.domain.com
• In effect, stylesheets, images, flash animations, Java applets, etc., can only be loaded from the same origin as the page; scripts from the same origin or from scripts.domain.com
• This policy denies inline scripts and CSS!
The "special" sources

• 'unsafe-inline' can allow inline scripts (script-src) and styles (style-src)
• 'unsafe-eval' allows certain JavaScript functions considered high risk (eval())
• Use these special sources with care
CSP Reporting

• You can specify a "report-uri" in the CSP header
  • Usually a relative (same-origin) URI; early Firefox implementations rejected report URIs on another host
  • Will POST violation reports as JSON back to the web application
  • CSP Level 3 deprecates report-uri in favour of report-to, but browsers still honour report-uri
• Content-Security-Policy-Report-Only
  • Same syntax as Content-Security-Policy
  • Will not block scripts or resources violating the policy
  • Will report them to the web application
  • Use it to trial a policy on real traffic before switching to the enforcing header
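The receiving side of the reporting mechanism just described, as an added example that is not code from the talk or from gethead. The report shape (a JSON object under the "csp-report" key with document-uri, violated-directive, blocked-uri and related fields) is what browsers send; SAMPLE_REPORT is a constructed report, not a capture. The endpoint treats reports as untrusted input, since anyone who can inject into the page decides what ends up in them.

```python
"""Receive and validate the JSON violation reports a browser posts to report-uri.

Added example, not code from the talk or from gethead. SAMPLE_REPORT is a
constructed report. Mount ReportHandler at the path named in the policy,
e.g. report-uri /csp-report.
"""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

REQUIRED_FIELDS = ("document-uri", "violated-directive", "blocked-uri")
MAX_BODY = 64 * 1024  # real reports are a few hundred bytes; refuse anything bigger

SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://www.domain.com/account",
    "referrer": "",
    "violated-directive": "script-src 'self' scripts.domain.com",
    "effective-directive": "script-src",
    "original-policy": "default-src 'self'; script-src 'self' scripts.domain.com; "
                       "report-uri /csp-report",
    "blocked-uri": "https://evil.example/x.js",
    "status-code": 200,
}}).encode()


def parse_report(body):
    """Return the inner csp-report dict, or None if the body is not a sane report.

    Bound the size, require strict JSON, and check that the fields we log
    are strings: the browser relays whatever the (possibly injected) page did.
    """
    if len(body) > MAX_BODY:
        return None
    try:
        outer = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None
    report = outer.get("csp-report") if isinstance(outer, dict) else None
    if not isinstance(report, dict):
        return None
    if any(not isinstance(report.get(k), str) for k in REQUIRED_FIELDS):
        return None
    return report


def summarize(report):
    """One log line: page, directive that was violated, what was blocked."""
    directive = report.get("effective-directive") \
        or (report["violated-directive"].split() or ["?"])[0]
    return f"{report['document-uri']} {directive} blocked {report['blocked-uri']}"


class ReportHandler(BaseHTTPRequestHandler):
    """Minimal report-uri endpoint: 204 on a valid report, 400 otherwise."""

    def do_POST(self):
        try:
            length = int(self.headers.get("Content-Length", "0"))
        except ValueError:
            length = 0
        body = self.rfile.read(min(length, MAX_BODY + 1))  # never trust the declared length
        report = parse_report(body)
        if report is None:
            self.send_response(400)
        else:
            print(summarize(report))  # real deployments: structured log, rate limited
            self.send_response(204)
        self.end_headers()

    def log_message(self, *args):
        pass  # keep stdout to the summaries


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), ReportHandler).serve_forever()
```

With the server running, a policy containing report-uri /csp-report on a page that loads a script from a host outside script-src produces one summary line per blocked resource; the same endpoint serves a Report-Only rollout, where those lines are the only sign that the policy would have broken something.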
XSS Protection

• X-XSS-Protection: 1; mode=block
• Enables the reflected-XSS filter built into IE 8+ and, at the time, Chrome and Safari; mode=block stops the page from rendering instead of trying to sanitize it
• Role is to re-enable for a particular website if it was disabled by the user
• Caveat: Firefox never implemented such a filter and Chromium removed its XSS Auditor in version 78, so the header is legacy today; rely on CSP and output encoding instead
XSS summarized

• Make sure you validate your inputs
• Make sure you encode everything you output
  • Input to the web application
  • Data from backend system
  • EVERYTHING!
• Use CSP and XSS-Protection as an extra level of defense, it's not the cure!
X-Frame-Options (Click-jacking)

Click-jacking

• A malicious site loads the vulnerable site in an iframe
• The iframe is invisible and positioned in front of something the user is likely to click on
• The user clicks on what appears to be an element on the malicious site
• The user really clicks in the iframe, triggering some operation on the vulnerable site
X-Frame-Options

• X-Frame-Options: DENY | SAMEORIGIN
• Instructs the browser to not display the page in a frame (DENY: never; SAMEORIGIN: only when the framing page has the same origin)
• When the page isn't displayed, there's nothing to click on!
• Browser support: Opera 10.5+, Chrome 4.1+, IE 8+, Firefox 3.6.9+, Safari 4+
• Remember: The request is still sent to - and processed by - the web server!
• The CSP frame-ancestors directive (CSP Level 2) supersedes this header and accepts a list of allowed origins; send both while old browsers still matter
X-Frame-Options Client Message
HTTP Strict Transport Security (HTTPS stripping)

HTTPS stripping explained

• "Secure" websites use SSL/TLS to preserve the confidentiality and integrity of the communication with a browser
• For usability, "secure" websites are still accessible through insecure channels (HTTP on port 80)
  • They'll redirect the user to HTTPS
  • The very first request is insecure, and open to attack!
  • User enters www.onlinebank.com - and is redirected to https://www.onlinebank.com
• SSL stripping is a MiTM attack
  • Attacker keeps the victim on HTTP, but passes requests on over HTTPS to the target website
  • Practical attack demoed at BlackHat in 2009 (sslstrip, Moxie Marlinspike)

HTTPS stripping scenario

[Figure: an attacker sitting in the middle of a HTTPS session]
[Figure: an attacker performing a HTTPS stripping attack]
HTTP Strict Transport Security

• Strict-Transport-Security: max-age=31536000; includeSubDomains
• max-age specifies for how many seconds the policy should be in effect
• includeSubDomains - optional, extends the policy to every subdomain
• Instructs the browser to only communicate to that hostname over SSL/TLS: http:// links and typed URLs are rewritten to https:// before any request leaves the browser
• Fails hard on certificate errors
  • The user does not have the option to click through certificate warnings
• The header is only honoured when received over a valid HTTPS connection, so the very first visit is still exposed; the browser preload lists (opted into with the preload directive) close that gap
• Browser support: Chrome 4+, Firefox 4+, Opera 12 (at the time of the talk; all current browsers support it)
Session hijacking (Securing Cookies)

Session hijacking explained

• Means getting access to a user's privileged session > steal session tokens
• Session tokens mean cookies
• Protect the cookies!
• Cookies can be marked with the 'HttpOnly' flag > makes them inaccessible to JS (document.cookie) and to applets that read them through the DOM, so an XSS payload can't exfiltrate them; the browser still attaches them to every request
• Cookies can be marked with the 'Secure' flag > instructs the browser to only send them with HTTPS requests
IE MIME sniffing (Content-Type Options)

IE MIME Sniffing

• HTTP responses include a header stating what type of content is included
• To compensate for misconfigured servers and bad programming, IE introduced MIME sniffing back in the days (IE4)
• That lets an uploaded "image" or "text" file be rendered as HTML or script once IE decides it looks like one
• They introduced the "X-Content-Type-Options: nosniff" header in IE8 to disable the behavior; Chrome and Firefox honour it too, and also use it to refuse scripts and stylesheets served with the wrong Content-Type
• Always serve your content with the correct content type, and the "X-Content-Type-Options" header
In Summary...we need more header
detection and protection!
gethead Project

https://github.com/httphacker
gethead Current Features

• Written in Python 2.7.5	

• Performs HTTP Header Analysis	

• Reports Header Vulnerabilities	

• Open Source
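The kind of analysis gethead performs, as an added example written for this page; it is not gethead's own code (that lives at the repository above). It parses a raw HTTP response and checks the headers reviewed in the talk: X-Frame-Options, Strict-Transport-Security (including max-age parsing), Set-Cookie flags, X-Content-Type-Options, X-XSS-Protection and whether a CSP is enforced or only reported. SAMPLE_RESPONSE and HARDENED_RESPONSE are constructed responses, not captures from any site; the SameSite cookie check goes beyond the two flags on the slides.

```python
"""Analyze HTTP response headers for the protections reviewed in this talk.

Added example in the spirit of gethead.py, not gethead's own code.
SAMPLE_RESPONSE and HARDENED_RESPONSE are constructed responses.
"""
import email
import re

ONE_YEAR = 31536000
RANK = {"high": 0, "medium": 1, "low": 2, "info": 3}

SAMPLE_RESPONSE = b"""HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Set-Cookie: PHPSESSID=k04mk749i6cur91k; Path=/
Set-Cookie: prefs=dark; Path=/; Secure; HttpOnly
Strict-Transport-Security: max-age=300
X-Frame-Options: ALLOWALL
X-XSS-Protection: 0
Content-Security-Policy-Report-Only: default-src 'self'

<html></html>"""

HARDENED_RESPONSE = b"""HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Set-Cookie: PHPSESSID=k04mk749i6cur91k; Path=/; Secure; HttpOnly; SameSite=Lax
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' scripts.domain.com; report-uri /csp-report

<html></html>"""


def parse_response(raw):
    """Split a raw response into (status line, headers); repeated headers are kept."""
    raw = raw.replace(b"\r\n", b"\n")
    head = raw.split(b"\n\n", 1)[0]
    status, _, header_block = head.partition(b"\n")
    return status.decode("latin-1"), email.message_from_bytes(header_block)


def hsts_max_age(value):
    """max-age from an HSTS value, or None if absent/invalid (browsers then ignore the header)."""
    m = re.search(r"(?:^|;)\s*max-age\s*=\s*\"?(\d+)", value, re.I)
    return int(m.group(1)) if m else None


def check_headers(headers, https=True):
    """Return [(severity, header, message)] for one response, highest severity first."""
    f = []
    xfo = headers.get("X-Frame-Options")
    if xfo is None:
        f.append(("medium", "X-Frame-Options", "missing: page can be framed (clickjacking)"))
    elif xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
        f.append(("medium", "X-Frame-Options", f"{xfo.strip()!r} is not DENY or SAMEORIGIN"))

    hsts = headers.get("Strict-Transport-Security")
    if https and hsts is None:
        f.append(("high", "Strict-Transport-Security", "missing: first request can be stripped to HTTP"))
    elif hsts is not None:
        age = hsts_max_age(hsts)
        if age is None:
            f.append(("high", "Strict-Transport-Security", "no valid max-age, header is ignored"))
        elif age < ONE_YEAR:
            f.append(("low", "Strict-Transport-Security", f"max-age={age} is under one year"))

    for cookie in headers.get_all("Set-Cookie") or []:
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in cookie.split(";")[1:]}
        if https and "secure" not in attrs:
            f.append(("high", "Set-Cookie", f"{name}: no Secure flag, also sent over plaintext HTTP"))
        if "httponly" not in attrs:
            f.append(("medium", "Set-Cookie", f"{name}: no HttpOnly flag, readable from document.cookie"))
        if "samesite" not in attrs:
            f.append(("low", "Set-Cookie", f"{name}: no SameSite attribute"))

    if (headers.get("X-Content-Type-Options") or "").strip().lower() != "nosniff":
        f.append(("low", "X-Content-Type-Options", "missing nosniff: browser may MIME-sniff the body"))

    xxp = headers.get("X-XSS-Protection")
    if xxp is not None and xxp.strip().startswith("0"):
        f.append(("low", "X-XSS-Protection", "XSS filter explicitly disabled (legacy header)"))

    if headers.get("Content-Security-Policy") is None:
        if headers.get("Content-Security-Policy-Report-Only") is not None:
            f.append(("medium", "Content-Security-Policy", "only a Report-Only policy: nothing is enforced"))
        else:
            f.append(("medium", "Content-Security-Policy", "missing"))

    if headers.get("Server"):
        f.append(("info", "Server", f"reveals server software: {headers['Server']}"))
    return sorted(f, key=lambda x: RANK[x[0]])


def analyze(raw, https=True):
    """Parse a raw response and return its findings."""
    _, headers = parse_response(raw)
    return check_headers(headers, https)


if __name__ == "__main__":
    for label, raw in (("weak", SAMPLE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"== {label} ==")
        for sev, hdr, msg in analyze(raw):
            print(f"[{sev:6}] {hdr}: {msg}")
```

The https flag matters: a cookie without Secure is only a finding when the site is served over TLS, and HSTS is only expected there, so pass https=False when analyzing a response fetched over plain HTTP to avoid noise. Feeding the two constructed responses through it yields ten findings for the weak one and none for the hardened one.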
gethead December Features

• Support for git updates
• Export with multi-format options (XML, HTML, TXT)
• Support for Python 3.x
• Complete Header Analysis
• Rank Vulnerabilities by Severity
• Export Findings with Description, Impact, Execution, Fix, and References
gethead February Features

• Replay & Inline Upstream Proxy Support to import into WebInspect
• Scan domains, sub-domains, and multi-services
• Header Injection & Fuzzing functionality
• HTTP Header Policy Bypassing
• Modularize and port to more platforms (e.g. gMinor, Kali, Burp Extension, Metasploit, Chrome)
Thank you.

 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesThousandEyes
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 

Dernier (20)

Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 

DefCamp 2013 - Http header analysis

  • 5. Agenda
    • Why are headers important to us?
    • What Checks are in AppSec Scanners?
    • Review of Header Attributes
    • Demo of gethead.py
  • 7. Why are headers important to us?
    [Chart: Input Parameter Coverage in Web Application Scanners; non-coverage rate of input vectors (GET, POST, HTTP Cookie, HTTP Header), series "Coverage" / "No Coverage", y-axis 0 to 60]
    Reference: Data compiled from InfoSec Institute 2012 study
    It’s the least protected area...
  • 8. Opportunity
    POST /.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/boot.ini&url=httphacker.com HTTP/1.0
    Referer: domain.com/external.xml
    Accept: */*
    User-Agent: Mozilla/5.0 Gecko/20110614 Firefox/3.6.18
    Host: domain.com
    Connection: Keep-Alive
    Cookie: oAuth[access_token]=%31%33%33%37%22%3e%3c%73%43%72%49%70%54%3e%61%6c%65%72%74%28%68%74%74%70%68%61%63%6b%65%72%29%3c%2f%73%43%72%49%70%54%3e;PHPSESSID=k04mk749i6cur91k;

    <!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd"> ]><REQUEST><FROM>null</FROM><METHOD>SEND</METHOD><MESSAGE type="MSG"><HEAD><ID>612117752013</ID><FROM>null</FROM><DESTINATION>UserManagerService&xxe;</DESTINATION><ACTION>logout</ACTION><EVENT>null</EVENT></HEAD><BODY /></MESSAGE></REQUEST>

    username:http&password=hacker
  • 9. What Checks are in AppSec Scanners?
  • 10. What Checks are in AppSec Scanners?
  • 11. What is missing in AppSec Scanners?
  • 12. Let’s review some of these headers...
  • 16. Content Security Policy (CSP)
    • Lets you specify a policy for where content in your webpages can be loaded from
    • Lets you put restrictions on script execution
    • Headers
      • Content-Security-Policy - Chrome 25 (Firefox nightlies)
      • X-Content-Security-Policy - Firefox 4+
      • X-WebKit-CSP - WebKit browsers (Chrome/Safari)
  • 17. CSP Directives
    • default-src - Specifies the default for other sources
    • script-src
    • style-src
    • object-src - plugins
    • img-src
    • media-src - video/audio
    • frame-src
    • font-src
    • connect-src
    • report-uri - Specifies where CSP violations can be reported
  • 21. CSP Sources (for the directives)
    • ‘none’ - No content of this type is allowed (All directives)
    • ‘self’ - Content of this type can only be loaded from the same origin (no content from other sites) (All directives)
    • ‘unsafe-inline’ - Allows unsafe inline content
      • Supported by style-src (inline css) and script-src (inline script)
    • ‘unsafe-eval’ - Allow script functions considered unsafe (such as eval())
      • Supported by script-src
  • 22. CSP Sources (for the directives)
    • And you can specify custom sources:
      • * - Allow content from anywhere
      • *.domain.com - Wildcard host, allow content from any domain.com sub-domain
      • www.domain.com:81 - You can specify a port number
      • https: - Scheme only, load only content served over https
      • https://www.domain.com - You can specify an absolute URI for a host (path has no effect though)
  • 23. And then it all comes together
    • Content-Security-Policy: default-src ‘self’; script-src ‘self’ scripts.domain.com
      • This policy sets a default source of ‘self’ for all directives
      • script-src defines its own sources, replacing the default
      • Scripts can also be loaded from scripts.domain.com
      • In effect, scripts, stylesheets, images, flash animations, Java applets, etc., can only be loaded from the same origin as the page
      • This policy denies inline scripts and CSS!
  • 24. The “special” sources
    • ‘unsafe-inline’ can allow inline scripts (script-src) and styles (style-src)
    • ‘unsafe-eval’ allows certain JavaScript functions considered high risk (eval())
    • Use these special sources with care
  • 28. CSP Reporting
    • You can specify a “report-uri” in the CSP header
      • Must be a relative URI
      • Will post violation reports as JSON back to the web application
    • Content-Security-Policy-Report-Only
      • Will not block scripts or resources violating the policy
      • Will report them to the web application
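The directive and source rules from slides 17 to 28, as an added example that is not code from the deck or from gethead: a small parser for a Content-Security-Policy value plus an audit that flags the weak sources the slides warn about ('unsafe-inline', 'unsafe-eval', '*') and a missing default-src or report-uri. It goes one step beyond the slides by applying the default-src fallback, so a weak default-src is reported on every directive it governs. The sample policies are constructed; the good one is slide 23's policy with a report-uri added.

```python
# Directives named on slide 17 whose sources fall back to default-src when absent.
FETCH_DIRECTIVES = (
    "default-src", "script-src", "style-src", "object-src", "img-src",
    "media-src", "frame-src", "font-src", "connect-src",
)


def parse_csp(value):
    """Split 'directive src src; directive src' into {directive: [sources]}.

    Names are lowercased; a repeated directive keeps its first occurrence,
    which is how browsers handle duplicates.
    """
    policy = {}
    for chunk in value.split(";"):
        tokens = chunk.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy, directive):
    """Sources that apply to a fetch directive, falling back to default-src."""
    return policy.get(directive, policy.get("default-src", []))


def audit_csp(value):
    """Return findings for the weak settings the slides warn about; [] if none."""
    policy = parse_csp(value)
    findings = []
    if "default-src" not in policy:
        findings.append("no default-src: directives not listed are unrestricted")
    for directive in FETCH_DIRECTIVES:
        sources = effective_sources(policy, directive)
        if "*" in sources:
            findings.append(f"{directive}: '*' allows content from anywhere")
        if directive in ("script-src", "style-src") and "'unsafe-inline'" in sources:
            findings.append(f"{directive}: 'unsafe-inline' permits inline content")
        if directive == "script-src" and "'unsafe-eval'" in sources:
            findings.append("script-src: 'unsafe-eval' permits eval()")
    if "report-uri" not in policy:
        findings.append("no report-uri: violations will not be reported")
    return findings


# Constructed sample policies; the first is slide 23's policy with a report-uri added.
GOOD_POLICY = "default-src 'self'; script-src 'self' scripts.domain.com; report-uri /csp-report"
WEAK_POLICY = "script-src * 'unsafe-inline' 'unsafe-eval'; style-src 'unsafe-inline'"

if __name__ == "__main__":
    for label, policy in (("good", GOOD_POLICY), ("weak", WEAK_POLICY)):
        print(label, audit_csp(policy) or ["no findings"])
```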
  • 30. XSS Protection
    • X-XSS-Protection: 1; mode=block
    • Enables XSS Filter built into most recent web browsers
    • Role is to re-enable for a particular website if it was disabled by the user
  • 31. XSS summarized
    • Make sure you validate your inputs
      • Input to the web application
      • Data from backend system
      • EVERYTHING!
    • Make sure you encode everything you output
    • Use CSP and XSS-Protection as an extra level of defense, it’s not the cure!
  • 35. Click-jacking
    • A malicious site loads the vulnerable site in an iframe
    • The iframe is invisible and positioned in front of something the user is likely to click on
    • The user clicks on what appears to be an element on the malicious site
    • The user really clicks in the iframe, triggering some operation on the vulnerable site
  • 36. X-Frame-Options
    • X-Frame-Options: Deny | SameOrigin
    • Instructs the browser to not display the page in a frame
      • When the page isn’t displayed, there’s nothing to click on!
    • Browser support: Opera 10.5+, Chrome 4.1+, IE 8+, Firefox 3.6.9+, Safari 4+
    • Remember: The request is still sent to - and processed by - the web server!
  • 38. HTTP Strict Transport Security (HTTPS stripping)
  • 40. HTTPS stripping explained
    • “Secure” websites use SSL/TLS to preserve the confidentiality and integrity of the communication with a browser
    • For usability, “secure” websites are still accessible through insecure channels (HTTP on port 80)
      • They’ll redirect the user to HTTPS
      • User enters www.onlinebank.com - and is redirected to https://www.onlinebank.com
      • The very first request is insecure, and open to attack!
  • 41. HTTPS stripping explained
    • SSL stripping is a MiTM attack
    • Attacker keeps the victim on HTTP, but passes requests on over HTTPS to the target website
    • Practical attack demoed at BlackHat in 2009 (sslstrip)
  • 43. HTTPS stripping scenario
    [Diagram: An attacker sitting in the middle of a HTTPS session]
    [Diagram: An attacker performing a HTTPS stripping attack]
  • 44. HTTP Strict Transport Security
    • Strict-Transport-Security: max-age=31536000; includeSubDomains
      • Max-age specifies for how many seconds the policy should be in effect
      • includeSubDomains - optional
    • Instructs the browser to only communicate to that hostname over SSL/TLS
    • Fails hard on certificate errors
      • The user does not have the option to click through certificate warnings
    • Browser support: Chrome 4+, Firefox 4+, Opera 12
  • 50. Session hijacking explained
    • Means getting access to a user’s privileged session > steal session tokens
    • Session tokens mean cookies
    • Protect the cookies!
    • Cookies can be marked with the ‘httpOnly’ flag > makes them inaccessible to JS, they won’t be included in requests from applets
    • Cookies can be marked with the “secure” flag > instructs the browser to only send them with HTTPS requests
  • 55. IE MIME Sniffing
    • HTTP responses include a header stating what type of content is included
    • To compensate for misconfigured servers and bad programming, IE introduced MIME sniffing back in the days (IE4)
    • They introduced the “X-Content-Type-Options: nosniff” header in IE9 to disable the behavior
    • Always serve your content with the correct content type, and the “X-Content-Type-Options” header
  • 56. In Summary...we need more header detection and protection!
  • 58. gethead Current Features
    • Written in Python 2.7.5
    • Performs HTTP Header Analysis
    • Reports Header Vulnerabilities
    • Open Source
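The kind of response-header analysis gethead performs, written here as an added example that is not gethead's own code: it parses a raw response header block and reports the missing or weak protections covered on slides 30 to 55 (X-Frame-Options, Strict-Transport-Security, X-XSS-Protection, X-Content-Type-Options, and the httpOnly/secure cookie flags). The sample response is constructed; the one-year threshold follows the max-age value on slide 44.

```python
import re

ONE_YEAR = 31536000  # seconds; the max-age value shown on slide 44


def parse_headers(raw):
    """'Name: value' lines -> {lowercase name: [values]}; Set-Cookie may repeat."""
    headers = {}
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue  # status line, blank line or junk
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def check_hsts(value):
    """Flag a missing or short max-age and a missing includeSubDomains."""
    findings = []
    m = re.search(r"max-age=(\d+)", value, re.I)
    if m is None:
        findings.append("Strict-Transport-Security: max-age missing")
    elif int(m.group(1)) < ONE_YEAR:
        findings.append(f"Strict-Transport-Security: max-age={m.group(1)} is under one year")
    if "includesubdomains" not in value.lower():
        findings.append("Strict-Transport-Security: includeSubDomains not set")
    return findings


def check_cookie(value):
    """Flag a cookie lacking the httpOnly or secure flag (slides 49-50)."""
    name = value.split("=", 1)[0].strip()
    attrs = {a.strip().lower() for a in value.split(";")[1:]}
    findings = []
    if "httponly" not in attrs:
        findings.append(f"Set-Cookie {name}: httpOnly missing, readable from JavaScript")
    if "secure" not in attrs:
        findings.append(f"Set-Cookie {name}: secure missing, also sent over plain HTTP")
    return findings


def audit_headers(raw):
    """Run the deck's header checks over one response; empty list means clean."""
    h = parse_headers(raw)
    findings = []
    xfo = h.get("x-frame-options", [])
    if not xfo:
        findings.append("X-Frame-Options missing: page can be framed (click-jacking)")
    elif xfo[0].upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options: unexpected value {xfo[0]!r}")
    hsts = h.get("strict-transport-security", [])
    if hsts:
        findings += check_hsts(hsts[0])
    else:
        findings.append("Strict-Transport-Security missing: first request open to HTTPS stripping")
    xss = h.get("x-xss-protection", [])
    if not xss or not xss[0].startswith("1"):
        findings.append("X-XSS-Protection: filter not enabled (expected '1; mode=block')")
    if "nosniff" not in " ".join(h.get("x-content-type-options", [])).lower():
        findings.append("X-Content-Type-Options: nosniff missing (IE MIME sniffing)")
    for cookie in h.get("set-cookie", []):
        findings += check_cookie(cookie)
    return findings


# Constructed response headers: some protections present, several missing or weak.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=86400
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 0
Set-Cookie: PHPSESSID=k04mk749i6cur91k; Path=/
Set-Cookie: prefs=dark; Path=/; Secure; HttpOnly
"""
```

Calling `audit_headers(SAMPLE_RESPONSE)` yields six findings: a short HSTS max-age without includeSubDomains, the XSS filter switched off, no nosniff, and a session cookie missing both flags.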
  • 59. gethead December Features
    • Support for git updates
    • Support for Python 3.x
    • Complete Header Analysis
    • Rank Vulnerabilities by Severity
    • Export Findings with Description, Impact, Execution, Fix, and References
    • Export with multi-format options (XML, HTML, TXT)
  • 60. gethead February Features
    • Replay & Inline Upstream Proxy Support to import into WebInspect
    • Scan domains, sub-domains, and multi-services
    • Header Injection & Fuzzing functionality
    • HTTP Header Policy Bypassing
    • Modularize and port to more platforms (e.g. gMinor, Kali, Burp Extension, Metasploit, Chrome)