HTTP Security Headers
every Java developer must know
Ayoma Wijethunga,
WSO2, Platform Security Team.
Ayoma Wijethunga
o Software Engineer at WSO2, Platform Security Team.
o Get in touch
o Email : ayoma@wso2.com
o LinkedIn : https://lk.linkedin.com/in/ayoma
o Blog : http://ayomaonline.com
o Twitter / Facebook / Github / Hangout : ayomawdb
api android arduino automation building
developing discusses diy electronics
engineering iot jaggery java kali linux
modular osgi prusa reprap security software
ublox web wireshark wso2
“To better defend yourself, think like a hacker”
Contents
o Headers
o X-XSS-Protection
o X-Frame-Options
o X-Content-Type-Options
o Content-Security-Policy
o Strict-Transport-Security
o Public-Key-Pins
o Access-Control-Allow-*
o Set-Cookie (security flags)
o Security Threats
o Cross Site Scripting (XSS)
o Clickjacking
o Session Hijacking
o Sensitive Information Leakage
o Man in the Middle Attacks
o SSL Spoofing
o Future Developments
Storyline
Alice: responsible for monitoring and managing a data center [Operations]
Bob: black hat hacker
Image credit : http://www.kameleon.pics
Storyline - Attack Map
Attack 1
o Cross Site Scripting (XSS)
o Session Hijacking
o Set-Cookie httpOnly flag
o X-XSS Protection
Attack 4
o Man in the Middle Attacks
o Session Hijacking
o Set-Cookie secure flag
o Strict-Transport-Security
Attack 2
o Clickjacking
o X-Frame-Options
Attack 5
o SSL Spoofing
o Session Hijacking
o Man in the Middle Attacks
o Public-Key-Pins
Attack 3
o Sensitive Information Leakage
o Access-Control-Allow-*
Lab Setup
Demonstration
Attack 1 (Demonstration)
Bob gets the URL of Alice’s datacenter monitoring and management control panel.
http://javacolombo.duckdns.org/server-admin
o Cross Site Scripting (XSS)
o Session Hijacking
o Set-Cookie httpOnly flag
o X-XSS Protection
Attack Demonstration
Session Hijacking
Set-Cookie HttpOnly flag
o Mitigate the risk of client side scripts accessing protected cookies.
o Set-Cookie: <name>=<value>[; <Max-Age>=<age>][; expires=<date>][; domain=<domain_name>][; path=<some_path>][; secure][; HttpOnly]
o Tomcat 7+ sets HttpOnly flag for session_id by default.
o In Tomcat 6, set useHttpOnly="true" on the Context element of context.xml to enable it.
o With Java EE 6+, it is possible to define cookie-config in web.xml:
    <session-config>
        <cookie-config>
            <http-only>true</http-only>
        </cookie-config>
    </session-config>
o Cookie cookie = getMyCookie("gxsesmgt"); cookie.setHttpOnly(true);
o More details : https://www.owasp.org/index.php/HttpOnly
Solution Demonstration
Set-Cookie httpOnly flag
Attack Demonstration
Cross Site Scripting (XSS)
X-XSS-Protection
o Request browsers to enable / disable reflected XSS protection
o Chrome / IE8+ - enables XSS protection by default
o Firefox - enables XSS protection on demand
o Available Directives
o 0 - Disabled
o 1 - Enable and render pages after sanitizing
o 1; mode=block - Enable and block pages with XSS
o 1; report=http://example.com/report - (Chrome / WebKit only)
o Use a Filter and response.addHeader("X-XSS-Protection", "1; mode=block");
o Use Tomcat built in security filter : HttpHeaderSecurityFilter
o https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#HTTP_Header_Security_Filter
Solution Demonstration
X-XSS Protection
Beyond HTTP Headers
o Use cookies only if there is no other server side option.
o Do not give sensitive names to cookies.
o Do not depend on browser level protection (filters can be bypassed: <svg><script>/<1/>alert(document.domain)</script></svg>)
o Validate user input.
o Use proper encoding [ https://github.com/OWASP/owasp-java-encoder ].
o Attention on CSRF protection.
o Renew session ID upon login & logout (session fixation).
Attack 2 (Demonstration)
Alice gets a link from Bob, in disguise, to a malicious web application.
o Clickjacking
o X-Frame-Options
Attack Demonstration
Clickjacking
X-Frame-Options
o Indicates whether or not a browser should be allowed to render a page in a <frame> or <iframe>.
o Available Directives
o DENY - prevents any domain from framing the content.
o SAMEORIGIN - only allows the current site to frame the content.
o ALLOW-FROM uri - permits the specified 'uri' to frame this page. [This will fail open if the browser does not support it.]
o Use a Filter and response.addHeader("X-Frame-Options", "...");
o Use Tomcat built in security filter : HttpHeaderSecurityFilter
o https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#HTTP_Header_Security_Filter
o More details : https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
Solution Demonstration
X-Frame-Options
Beyond HTTP Headers
o HTTP GET (incl. links) should only be used for idempotent actions.
o Request secondary user confirmation for critical actions.
o Use frame busting scripts for older browsers.
o Example (the page is hidden until the script confirms it is the top-level window):
    <style>html { display:none }</style>
    <script>
    if (self == top) {
        document.documentElement.style.display = 'block';
    } else {
        top.location = self.location;
    }
    </script>
o https://www.owasp.org/images/0/0e/OWASP_AppSec_Research_2010_Busting_Frame_Busting_by_Rydstedt.pdf
Attack 3 (Demonstration)
Alice gets a link from Bob, in disguise, to a malicious web application.
o Sensitive Information Leakage
o Access-Control-Allow-*
Access-Control-Allow-*
o Browsers enforce cross domain rules by default (users can loosen security).
o Access-Control-Allow-Origin: *
o Allow any external domain to access the resource (never do this in production unless there is a good reason)
o Access-Control-Allow-Origin: http://example.com
o Allow only example.com to access resource
o Access-Control-Request-Method: GET, HEAD, POST
o Allow only GET, HEAD and POST requests to access resource
o Access-Control-Request-Headers: X-PINGOTHER
o Whitelist headers that browsers are allowed to access
o Access-Control-Max-Age: <delta-seconds>
o Number of seconds the preflight request results can be cached
o Access-Control-Allow-Credentials: true | false
o Give permission to include cookies if credentials are enabled in the client (never set to true in production unless there is a good reason)
o https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
Attack & Solution
Demonstration
Sensitive Information Leakage
Attack 4 (Demonstration)
Bob gains access to Alice’s network and performs a Man in the Middle attack.
o Man in the Middle Attacks
o Session Hijacking
o Set-Cookie secure flag
o Strict-Transport-Security
Man in the Middle Setup
Image credit : https://tails.boum.org/doc/about/warning/index.en.html
o Passive
o Network Hub (L1), Network Taps, Routers with Monitor Port (DD-WRT)
o Active
o DNS Spoofing (spoofing Domain Name to IP mapping)
o ARP Spoofing (spoofing IP to MAC mapping)
o Techniques : https://www.blackhat.com/presentations/bh-europe-03/bh-europe-03-valleri.pdf
DNS Spoofing (diagram): javacolombo.duckdns.org resolves to 192.168.56.1 through DNS; the spoofed DNS answer points it to 10.10.10.3 instead.
ARP Spoofing (diagram): javacolombo.duckdns.org -> 192.168.56.1 (DNS) -> 54:ee:75:74:85:21 (ARP).
Man in the Middle - VirtualBox Setup
Malicious local DNS entry added to Alice’s PC :
o echo 10.10.10.3 javacolombo.duckdns.org | sudo tee -a /etc/hosts
Bob’s iptables rules used to reroute traffic :
o iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.56.1
o iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 192.168.56.1
o iptables -t nat -A POSTROUTING -j MASQUERADE
Attack Demonstration
VirtualBox Man in the Middle Setup
Man in the Middle Attacks
Session Hijacking
Suggest a Solution
Is enabling HTTPS enough?
Attack Demonstration
with HTTPS enabled.
Man in the Middle Attacks
Session Hijacking
Set-Cookie Secure flag
o Mitigate the risk of sending protected cookies over HTTP.
o Set-Cookie: <name>=<value>[; <Max-Age>=<age>][; expires=<date>][; domain=<domain_name>][; path=<some_path>][; secure][; HttpOnly]
o Tomcat 6+ sets secure for session_id by default if and only if the first request for the session is using https.
o With Java EE 6+, it is possible to define cookie-config in web.xml:
    <session-config>
        <cookie-config>
            <secure>true</secure>
        </cookie-config>
    </session-config>
o Cookie cookie = getMyCookie("gxsesmgt"); cookie.setSecure(true);
o More details : https://www.owasp.org/index.php/SecureFlag
Strict-Transport-Security
o Requests supported browsers to communicate with the specified domain only over HTTPS.
o Example : Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
o Use a Filter and response.addHeader("Strict-Transport-Security", "...");
o Use Tomcat built in security filter : HttpHeaderSecurityFilter
o https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#HTTP_Header_Security_Filter
o HSTS Preload : https://hstspreload.appspot.com
o Browser support : http://caniuse.com/#feat=stricttransportsecurity
o More details : https://www.owasp.org/index.php/HTTP_Strict_Transport_Security
Solution Demonstration
Set-Cookie secure flag
Strict-Transport-Security
Beyond HTTP Headers
o Use HTTPS all the time if you handle sensitive data.
o Authenticated sessions must use HTTPS to ensure the safety of the user session.
o Attention on network, system and physical security.
o Disable HTTP access altogether if it is not required.
Attack 5 (Demonstration)
Bob improves the Man in the Middle attack to bypass HTTPS.
o SSL Spoofing
o Session Hijacking
o Man in the Middle Attacks
o Public-Key-Pins
Attacks on HTTPS
o SSL Strip
o Removes HTTPS protection symbol (lock) in browser.
o SSL Split
o Get Alice to trust a different certificate.
o Compromise Alice’s computer and add a malicious trusted CA.
o Compromise CA.
SSL Attacks
o Start SSLSplit, splitting all HTTP and HTTPS traffic arriving towards 10.10.10.3 and sending it on towards 192.168.56.1 after logging:
o sslsplit -D -l connections.log -j /tmp/sslsplit/ -S logdir -k evilca.key -c evilca.crt ssl 10.10.10.3 8444 192.168.56.1 443 tcp 10.10.10.3 8081 192.168.56.1 80
o Flush existing rules and redirect all HTTP and HTTPS traffic to SSLSplit:
o iptables -t nat -F
o iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8081
o iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8444
Attack Demonstration
SSL Spoofing
Session Hijacking
Man in the Middle Attacks
Public-Key-Pins
o Instructs the browser to associate a specific cryptographic public key with a host.
o Sends the sha256 hash of the public key in HTTP headers with an expiry.
o Browsers maintain a preloaded list of public key pins [https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning]
o Public-Key-Pins:
pin-sha256="cUPcTAZWKaASuYWhhneDttWpY3oBAkE3h2+soZS7sWs=";
pin-sha256="M8HztCzM3elUxkcjR2S5P4hhyBNf6lHkmjAHKhpGPWE=";
max-age=5184000; includeSubdomains;
report-uri="https://www.example.net/hpkp-report"
o Sha256 hashing with a key file :
o openssl rsa -in ca.key -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64
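Added example (not from the slides): computing pin-sha256 in Java. It is the same SHA-256 over the DER SubjectPublicKeyInfo, base64-encoded, that the openssl pipeline above produces, plus the header assembly with the backup pin HPKP requires. The key pairs are generated on the spot as stand-ins for a real certificate key and an offline backup key. HPKP has since been removed from Chrome and Firefox; a pin that matches no key the site can still serve locks visitors out for max-age, which is what the backup pin guards against.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.Base64;

/** HPKP pin computation and header assembly (added example, constructed keys). */
public final class HpkpPin {

    /**
     * pin-sha256 = base64(SHA-256(DER SubjectPublicKeyInfo)).
     * PublicKey.getEncoded() returns exactly the X.509 SPKI DER, so this matches
     * "openssl rsa -pubout -outform der | openssl dgst -sha256 -binary | openssl enc -base64".
     */
    public static String pinSha256(PublicKey key) throws NoSuchAlgorithmException {
        byte[] spki = key.getEncoded();
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(spki);
        return Base64.getEncoder().encodeToString(digest);
    }

    /** Pin of the key inside a deployed certificate (leaf, intermediate or root). */
    public static String pinSha256(X509Certificate cert) throws NoSuchAlgorithmException {
        return pinSha256(cert.getPublicKey());
    }

    /** Builds the header value; the second pin must belong to a key NOT in the current chain. */
    public static String headerValue(String primaryPin, String backupPin,
                                     long maxAgeSeconds, String reportUri) {
        return "pin-sha256=\"" + primaryPin + "\"; "
                + "pin-sha256=\"" + backupPin + "\"; "
                + "max-age=" + maxAgeSeconds + "; includeSubDomains; "
                + "report-uri=\"" + reportUri + "\"";
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-ins: in practice "current" is the key behind the served certificate
        // and "backup" is an offline key whose CSR is ready for the next certificate.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair current = gen.generateKeyPair();
        KeyPair backup = gen.generateKeyPair();

        String header = headerValue(pinSha256(current.getPublic()),
                pinSha256(backup.getPublic()),
                5184000L,                               // 60 days, as on the slide
                "https://www.example.net/hpkp-report"); // report-uri from the slide
        System.out.println("Public-Key-Pins: " + header);
    }
}
```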
Solution Demonstration
Public-Key-Pins
Out of storyline
Content-Security-Policy
o Layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks.
o Designed to be fully backward compatible.
o Replaces X-Frame-Options with the frame-ancestors directive.
o Content-Security-Policy: frame-ancestors 'none';
o Replaces X-XSS-Protection with the reflected-xss directive.
o Content-Security-Policy: reflected-xss block;
o http://www.html5rocks.com/en/tutorials/security/content-security-policy
o https://developer.mozilla.org/en/docs/Web/Security/CSP/CSP_policy_directives
o http://content-security-policy.com
Content-Security-Policy - Examples
o default-src Default policy for loading content such as JavaScript, Images, CSS
o script-src Defines valid sources of JavaScript.
o style-src Defines valid sources of stylesheets.
o Example : Load content from 'self' and cdn.example.com; in addition, allow loading scripts from js.example.com
    Content-Security-Policy: default-src 'self' cdn.example.com; script-src 'self' js.example.com;
o Example : Disallow loading the current page inside iframes and enable XSS protection
    Content-Security-Policy: frame-ancestors 'none'; reflected-xss 'block';
X-Content-Type-Options
o Used to stop the browser from using MIME-sniffing to determine the content-type of a resource.
o Prevents usage of maliciously crafted resources to perform attacks including XSS.
o Use a Filter and response.addHeader("X-Content-Type-Options", "nosniff");
o Use Tomcat built in security filter : HttpHeaderSecurityFilter
o https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#HTTP_Header_Security_Filter
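Added example (not from the slides) for the "use a Filter and response.addHeader(...)" advice repeated in the X-XSS-Protection, X-Frame-Options, Strict-Transport-Security, Content-Security-Policy and X-Content-Type-Options sections: one servlet filter that sets all of them, with the CSP built from the hosts on the CSP slide and HSTS emitted only on TLS requests. Hosts and max-age are constructed; X-XSS-Protection is kept for the older browsers the slides target, as current Chrome and Edge no longer implement the XSS auditor.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Sets the response security headers discussed on the slides (added example). */
public class SecurityHeadersFilter implements Filter {

    // One year, matching the HSTS example on the slides.
    private static final long HSTS_MAX_AGE_SECONDS = 31536000L;

    // Constructed policy: same-origin content plus the hosts used in the CSP example slide;
    // frame-ancestors 'none' is the CSP equivalent of X-Frame-Options: DENY.
    private static final String CSP =
            "default-src 'self' cdn.example.com; "
            + "script-src 'self' js.example.com; "
            + "frame-ancestors 'none'";

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        applyHeaders(request, response);   // set before the app writes, so they reach the client
        chain.doFilter(req, res);
    }

    static void applyHeaders(HttpServletRequest request, HttpServletResponse response) {
        // Legacy reflected-XSS filter: block the page rather than render a "sanitized" one.
        response.setHeader("X-XSS-Protection", "1; mode=block");

        // No MIME sniffing: an uploaded "image" that contains script is never run as script.
        response.setHeader("X-Content-Type-Options", "nosniff");

        // Clickjacking: an admin panel has no reason to be framed anywhere.
        // Older browsers read X-Frame-Options, newer ones CSP frame-ancestors; send both.
        response.setHeader("X-Frame-Options", "DENY");
        response.setHeader("Content-Security-Policy", CSP);

        // HSTS is only honoured when received over TLS (RFC 6797), so skip it on plain HTTP.
        // Turn on includeSubDomains only once every subdomain really serves HTTPS: the browser
        // remembers the directive for the full max-age.
        if (request.isSecure()) {
            response.setHeader("Strict-Transport-Security",
                    "max-age=" + HSTS_MAX_AGE_SECONDS + "; includeSubDomains");
        }
    }
}
```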
Tomcat HttpHeaderSecurityFilter
o Available since Tomcat 7.0.63; the X-XSS-Protection header was added in 7.0.68
<filter>
<filter-name>HttpHeaderSecurityFilter</filter-name>
<display-name>HttpHeaderSecurityFilter</display-name>
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>HttpHeaderSecurityFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
o Security headers enabled by default :
o X-XSS-Protection: 1; mode=block
o X-Content-Type-Options: nosniff
o X-Frame-Options: DENY
o Strict-Transport-Security: max-age=0;
o https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#HTTP_Header_Security_Filter
o https://github.com/apache/tomcat/blob/trunk/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java
Future Developments
IETF Drafts
Cookie Prefixes
o Mechanism for identifying whether a third party has tampered with the HTTP cookie attributes set by the server.
o Defines security attributes of a cookie in the cookie name.
o Set-Cookie: __Secure-JSESSIONID=12345678901234567890; Secure; Domain=example.com
o "__Secure-"
o "Secure" attribute & Domain
o "__Host-"
o "Secure" attribute & "Path" attribute with a value of "/"
o https://tools.ietf.org/html/draft-ietf-httpbis-cookie-prefixes-00
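Added example (not from the slides): the check a browser applies to the two prefixes in the draft, written in Java over a raw Set-Cookie value so it can also run as a server-side test on the cookies an application emits. The draft's requirement that the cookie be set from a secure origin cannot be judged from the header string alone and is left to the caller; the sample cookies are constructed.

```java
import java.util.Locale;

/** Validates __Secure- / __Host- cookie prefixes against the draft rules (added example). */
public final class CookiePrefixCheck {

    /**
     * Returns true when the Set-Cookie value is consistent with its name prefix:
     *   __Secure-  : must carry the Secure attribute (Domain is allowed)
     *   __Host-    : must carry Secure, must NOT carry Domain, and Path must be exactly "/"
     * A cookie without a prefix is accepted; there is nothing extra to enforce.
     */
    public static boolean isValid(String setCookie) {
        String[] parts = setCookie.split(";");
        String name = parts[0].split("=", 2)[0].trim();

        boolean secure = false;
        boolean hasDomain = false;
        String path = null;
        for (int i = 1; i < parts.length; i++) {
            String attr = parts[i].trim();
            int eq = attr.indexOf('=');
            String key = (eq < 0 ? attr : attr.substring(0, eq)).trim().toLowerCase(Locale.ROOT);
            String value = eq < 0 ? null : attr.substring(eq + 1).trim();
            if (key.equals("secure")) {
                secure = true;
            } else if (key.equals("domain")) {
                hasDomain = true;
            } else if (key.equals("path")) {
                path = value;
            }
        }

        if (name.startsWith("__Secure-")) {
            return secure;
        }
        if (name.startsWith("__Host-")) {
            return secure && !hasDomain && "/".equals(path);
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed samples; the first is the header shown on the slide.
        String[] samples = {
            "__Secure-JSESSIONID=12345678901234567890; Secure; Domain=example.com",      // accept
            "__Secure-JSESSIONID=12345678901234567890; Domain=example.com",              // reject: no Secure
            "__Host-JSESSIONID=12345678901234567890; Secure; Path=/",                    // accept
            "__Host-JSESSIONID=12345678901234567890; Secure; Path=/; Domain=example.com", // reject: Domain
            "__Host-JSESSIONID=12345678901234567890; Secure; Path=/admin",               // reject: Path
            "JSESSIONID=12345678901234567890; HttpOnly"                                   // accept: no prefix
        };
        for (String s : samples) {
            System.out.println((isValid(s) ? "accept  " : "reject  ") + s);
        }
    }
}
```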
Encrypted Content-Encoding for HTTP
o Allows HTTP message payloads to be encrypted.
o Store a file/content on a server without exposing its contents to that server.
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Encoding: aesgcm
Connection: close
Encryption: keyid="http://example.org/bob/keys/123"; salt="XZwpw6o37R-6qoZjw6KwAw"
[encrypted payload]
o https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-01
Q&A
Thank You!
http://ayomaonline.com
@ayomawdb

Contenu connexe

Tendances

Protecting Java EE Web Apps with Secure HTTP Headers
Protecting Java EE Web Apps with Secure HTTP HeadersProtecting Java EE Web Apps with Secure HTTP Headers
Protecting Java EE Web Apps with Secure HTTP Headers
Frank Kim
 

Tendances (20)

Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShell
 
iOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for BeginnersiOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for Beginners
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]
 
Introduction to Browser Fuzzing
Introduction to Browser FuzzingIntroduction to Browser Fuzzing
Introduction to Browser Fuzzing
 
Digital Forensics and Incident Response (DFIR) using Docker Containers
Digital Forensics and Incident Response (DFIR) using Docker ContainersDigital Forensics and Incident Response (DFIR) using Docker Containers
Digital Forensics and Incident Response (DFIR) using Docker Containers
 
A Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakA Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility Cloak
 
Protecting Java EE Web Apps with Secure HTTP Headers
Protecting Java EE Web Apps with Secure HTTP HeadersProtecting Java EE Web Apps with Secure HTTP Headers
Protecting Java EE Web Apps with Secure HTTP Headers
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricks
 
Windows Privilege Escalation
Windows Privilege EscalationWindows Privilege Escalation
Windows Privilege Escalation
 
Pentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang Bhatnagar
 
Introducing Vault
Introducing VaultIntroducing Vault
Introducing Vault
 
Learn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAPLearn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAP
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
 
Racing The Web - Hackfest 2016
Racing The Web - Hackfest 2016Racing The Web - Hackfest 2016
Racing The Web - Hackfest 2016
 
Ekoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's MethodologyEkoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's Methodology
 
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win bigLive Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
 
OWASP Top 10 - 2017
OWASP Top 10 - 2017OWASP Top 10 - 2017
OWASP Top 10 - 2017
 
HTTP Security Headers
HTTP Security HeadersHTTP Security Headers
HTTP Security Headers
 
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
 
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
 

En vedette

[Wroclaw #2] Web Application Security Headers
[Wroclaw #2] Web Application Security Headers[Wroclaw #2] Web Application Security Headers
[Wroclaw #2] Web Application Security Headers
OWASP
 
Security "for free" through HTTP headers
Security "for free" through HTTP headersSecurity "for free" through HTTP headers
Security "for free" through HTTP headers
Andre N. Klingsheim
 

En vedette (20)

List of useful security related http headers
List of useful security related http headersList of useful security related http headers
List of useful security related http headers
 
Csp and http headers
Csp and http headersCsp and http headers
Csp and http headers
 
Secure HTTP Headers c0c0n 2011 Akash Mahajan
Secure HTTP Headers c0c0n 2011 Akash MahajanSecure HTTP Headers c0c0n 2011 Akash Mahajan
Secure HTTP Headers c0c0n 2011 Akash Mahajan
 
[Wroclaw #2] Web Application Security Headers
[Wroclaw #2] Web Application Security Headers[Wroclaw #2] Web Application Security Headers
[Wroclaw #2] Web Application Security Headers
 
"EL PLAN DE EMPRESA. CLAVES DEL EXITO PARA EMPRENDER"
"EL PLAN DE EMPRESA. CLAVES DEL EXITO PARA EMPRENDER""EL PLAN DE EMPRESA. CLAVES DEL EXITO PARA EMPRENDER"
"EL PLAN DE EMPRESA. CLAVES DEL EXITO PARA EMPRENDER"
 
URBAN OASIS FEATURED ON AEROPORTS DE PARIS
URBAN OASIS FEATURED ON AEROPORTS DE PARIS URBAN OASIS FEATURED ON AEROPORTS DE PARIS
URBAN OASIS FEATURED ON AEROPORTS DE PARIS
 
06 isoyetas 25 años
06 isoyetas 25 años06 isoyetas 25 años
06 isoyetas 25 años
 
HTTP Strict Transport Security (HSTS), English version
HTTP Strict Transport Security (HSTS), English versionHTTP Strict Transport Security (HSTS), English version
HTTP Strict Transport Security (HSTS), English version
 
Tarea upaep
Tarea upaepTarea upaep
Tarea upaep
 
Securing your web application through HTTP headers
Securing your web application through HTTP headersSecuring your web application through HTTP headers
Securing your web application through HTTP headers
 
Security "for free" through HTTP headers
Security "for free" through HTTP headersSecurity "for free" through HTTP headers
Security "for free" through HTTP headers
 
Hertfordshire life deconstruction
Hertfordshire life deconstructionHertfordshire life deconstruction
Hertfordshire life deconstruction
 
Analysis of HTTP Security Headers in Turkey
Analysis of HTTP Security Headers in TurkeyAnalysis of HTTP Security Headers in Turkey
Analysis of HTTP Security Headers in Turkey
 
Analisis de transformadores
Analisis de transformadoresAnalisis de transformadores
Analisis de transformadores
 
Conceptos
ConceptosConceptos
Conceptos
 
How to secure your web applications with NGINX
How to secure your web applications with NGINXHow to secure your web applications with NGINX
How to secure your web applications with NGINX
 
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
 
Maquinas III reaccion y conmutacion
Maquinas III reaccion y conmutacionMaquinas III reaccion y conmutacion
Maquinas III reaccion y conmutacion
 
Homebrew Updater
Homebrew UpdaterHomebrew Updater
Homebrew Updater
 
Security HTTP Headers
Security HTTP HeadersSecurity HTTP Headers
Security HTTP Headers
 

Similaire à HTTP Security Headers Every Java Developer Must Know

Browser Wars 2019 - Implementing a Content Security Policy
Browser Wars 2019 - Implementing a Content Security PolicyBrowser Wars 2019 - Implementing a Content Security Policy
Browser Wars 2019 - Implementing a Content Security Policy
George Boobyer
 
HTML5 vs Silverlight
HTML5 vs SilverlightHTML5 vs Silverlight
HTML5 vs Silverlight
Matt Casto
 
V2 peter-lubbers-sf-jug-websocket
V2 peter-lubbers-sf-jug-websocketV2 peter-lubbers-sf-jug-websocket
V2 peter-lubbers-sf-jug-websocket
brent bucci
 
Security talk: Fortifying your Joomla! website
Security talk: Fortifying your Joomla! websiteSecurity talk: Fortifying your Joomla! website
Security talk: Fortifying your Joomla! website
Sigsiu.NET
 

Similaire à HTTP Security Headers Every Java Developer Must Know (20)

Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)
 
Let's go HTTPS-only! - More Than Buying a Certificate
Let's go HTTPS-only! - More Than Buying a CertificateLet's go HTTPS-only! - More Than Buying a Certificate
Let's go HTTPS-only! - More Than Buying a Certificate
 
Browser Wars 2019 - Implementing a Content Security Policy
Browser Wars 2019 - Implementing a Content Security PolicyBrowser Wars 2019 - Implementing a Content Security Policy
Browser Wars 2019 - Implementing a Content Security Policy
 
HTML5와 모바일
HTML5와 모바일HTML5와 모바일
HTML5와 모바일
 
Html5 hacking
Html5 hackingHtml5 hacking
Html5 hacking
 
HTML5 vs Silverlight
HTML5 vs SilverlightHTML5 vs Silverlight
HTML5 vs Silverlight
 
Browser security
Browser securityBrowser security
Browser security
 
Java Web Security Class
Java Web Security ClassJava Web Security Class
Java Web Security Class
 
Talk about html5 security
Talk about html5 securityTalk about html5 security
Talk about html5 security
 
Download It
Download ItDownload It
Download It
 
V2 peter-lubbers-sf-jug-websocket
V2 peter-lubbers-sf-jug-websocketV2 peter-lubbers-sf-jug-websocket
V2 peter-lubbers-sf-jug-websocket
 
Web Browsers And Other Mistakes
Web Browsers And Other MistakesWeb Browsers And Other Mistakes
Web Browsers And Other Mistakes
 
Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...
Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...
Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...
 
Cross Context Scripting attacks & exploitation
Cross Context Scripting attacks & exploitationCross Context Scripting attacks & exploitation
Cross Context Scripting attacks & exploitation
 
HTTP basics in relation to Applicaiton Security - OWASP
HTTP basics in relation to Applicaiton Security  - OWASPHTTP basics in relation to Applicaiton Security  - OWASP
HTTP basics in relation to Applicaiton Security - OWASP
 
Building Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTsBuilding Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTs
 
20190516 web security-basic
20190516 web security-basic20190516 web security-basic
20190516 web security-basic
 
Browser Security
Browser SecurityBrowser Security
Browser Security
 
DVWA BruCON Workshop
DVWA BruCON WorkshopDVWA BruCON Workshop
DVWA BruCON Workshop
 
Security talk: Fortifying your Joomla! website
Security talk: Fortifying your Joomla! websiteSecurity talk: Fortifying your Joomla! website
Security talk: Fortifying your Joomla! website
 

Dernier

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 

Dernier (20)

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 

HTTP Security Headers Every Java Developer Must Know

  • 1. HTTP Security Headers every Java developer must know Ayoma Wijethunga, WSO2, Platform Security Team.
  • 2. Ayoma Wijethunga o Software Engineer at WSO2, Platform Security Team. o Get in touch o Email : ayoma@wso2.com o LinkedIn : https://lk.linkedin.com/in/ayoma o Blog : http://ayomaonline.com o Twitter / Facebook / Github / Hangout : ayomawdb api android arduino automation building developing discusses diy electronics engineering iot jaggery java kali linux modular osgi prusa reprap security software ublox web wireshark wso2
  • 3. “To better defend yourself, think like a hacker”
  • 4. Contents
    o Headers
      o X-XSS-Protection
      o X-Frame-Options
      o X-Content-Type-Options
      o Content-Security-Policy
      o Strict-Transport-Security
      o Public-Key-Pins
      o Access-Control-Allow-*
      o Set-Cookie (security flags)
    o Security Threats
      o Cross Site Scripting (XSS)
      o Clickjacking
      o Session Hijacking
      o Sensitive Information Leakage
      o Man in the Middle Attacks
      o SSL Spoofing
    o Future Developments
  • 6. Storyline
    Alice - responsible for monitoring and managing a data center [Operations]
    Bob - black hat hacker
    Image credit : http://www.kameleon.pics
  • 7. Storyline - Attack Map
    Attack 1
      o Cross Site Scripting (XSS)
      o Session Hijacking
      o Set-Cookie httpOnly flag
      o X-XSS Protection
    Attack 2
      o Clickjacking
      o X-Frame-Options
    Attack 3
      o Sensitive Information Leakage
      o Access-Control-Allow-*
    Attack 4
      o Man in the Middle Attacks
      o Session Hijacking
      o Set-Cookie secure flag
      o Strict-Transport-Security
    Attack 5
      o SSL Spoofing
      o Session Hijacking
      o Man in the Middle Attacks
      o Public-Key-Pins
  • 9. Attack 1 (Demonstration)
    Bob gets the URL of Alice’s datacenter monitoring and management control panel: http://javacolombo.duckdns.org/server-admin
    o Cross Site Scripting (XSS)
    o Session Hijacking
    o Set-Cookie httpOnly flag
    o X-XSS Protection
  • 11. Set-Cookie HttpOnly flag
    o Mitigates the risk of client-side scripts accessing protected cookies.
    o Syntax : Set-Cookie: <name>=<value>[; <Max-Age>=<age>][; expires=<date>][; domain=<domain_name>][; path=<some_path>][; secure][; HttpOnly]
    o Tomcat 7+ sets the HttpOnly flag on the session_id cookie by default.
    o In Tomcat 6, set useHttpOnly="true" on the Context element of context.xml to enable it.
    o With Java EE 6+, it is possible to define cookie-config in web.xml :
      <session-config>
        <cookie-config>
          <http-only>true</http-only>
        </cookie-config>
      </session-config>
    o Programmatically :
      Cookie cookie = getMyCookie("gxsesmgt");
      cookie.setHttpOnly(true);
    o More details : https://www.owasp.org/index.php/HttpOnly
  • 14. X-XSS-Protection
    o Requests browsers to enable / disable their reflected XSS protection.
    o Chrome / IE8+ - enable XSS protection by default.
    o Firefox - enables XSS protection on demand.
    o Available directives
      o 0 - Disabled
      o 1 - Enabled; pages are rendered after sanitizing
      o 1; mode=block - Enabled; pages with XSS are blocked
      o 1; report=http://example.com/report - (Chrome / WebKit only)
    o Use a Filter and response.addHeader("X-XSS-Protection", "1; mode=block");
    o Use the Tomcat built-in security filter : HttpHeaderSecurityFilter
      o https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#HTTP_Header_Security_Filter
  • 16. Beyond HTTP Headers
    o Use cookies only if there is no other server-side option.
    o Do not give sensitive names to cookies.
    o Do not depend on browser-level protection (filters can be bypassed : <svg><script>/<1/>alert(document.domain)</script></svg>).
    o Validate user input.
    o Use proper encoding [ https://github.com/OWASP/owasp-java-encoder ].
    o Pay attention to CSRF protection.
    o Renew the session ID upon login & logout (session fixation).
  • 17. Attack 2 (Demonstration)
    Alice gets a link from Bob, in disguise, to a malicious web application.
    o Clickjacking
    o X-Frame-Options
  • 19. X-Frame-Options
    o Indicates whether or not a browser should be allowed to render a page in a <frame> or <iframe>.
    o Available directives
      o DENY - prevents any domain from framing the content.
      o SAMEORIGIN - only allows the current site to frame the content.
      o ALLOW-FROM uri - permits the specified 'uri' to frame this page. [this will fail open if the browser does not support it]
    o Use a Filter and response.addHeader("X-Frame-Options", "...");
    o Use the Tomcat built-in security filter : HttpHeaderSecurityFilter
      o https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#HTTP_Header_Security_Filter
    o More details : https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
  • 21. Beyond HTTP Headers
    o HTTP GET (incl. links) should only be used for idempotent actions.
    o Request secondary user confirmation for critical actions.
    o Use frame-busting scripts for older browsers. Example :
      <style>html { display:none }</style>
      <script>
        if (self == top) {
          document.documentElement.style.display = 'block';
        } else {
          top.location = self.location;
        }
      </script>
    o https://www.owasp.org/images/0/0e/OWASP_AppSec_Research_2010_Busting_Frame_Busting_by_Rydstedt.pdf
  • 22. Attack 3 (Demonstration)
    Alice gets a link from Bob, in disguise, to a malicious web application.
    o Sensitive Information Leakage
    o Access-Control-Allow-*
  • 23. Access-Control-Allow-*
    o Browsers enforce cross-domain rules by default (users can loosen security).
    o Access-Control-Allow-Origin: *
      o Allows any external domain to access the resource (never do this in production unless there is a good reason).
    o Access-Control-Allow-Origin: http://example.com
      o Allows only example.com to access the resource.
    o Access-Control-Request-Method: GET, HEAD, POST
      o Allows only GET, HEAD and POST requests to access the resource.
    o Access-Control-Request-Headers: X-PINGOTHER
      o Whitelists headers that browsers are allowed to access.
    o Access-Control-Max-Age: <delta-seconds>
      o Number of seconds the preflight request results can be cached.
    o Access-Control-Allow-Credentials: true | false
      o Gives permission to include cookies if credentials are enabled in the client (never set to true in production unless there is a good reason).
    o https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
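As an added example (not code from the deck), a servlet Filter that implements the slide's advice with an explicit origin allow-list instead of "*": the browser sends Access-Control-Request-Method / -Headers in its preflight, and the server replies with the Access-Control-Allow-* counterparts. It assumes the javax.servlet 3.x API (Tomcat 7+); the "/api/*" path and the allowed origin are placeholders chosen for this example.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// "/api/*" is a placeholder path chosen for this example.
@WebFilter(urlPatterns = "/api/*")
public class CorsFilter implements Filter {
    // Exact origins allowed to read our responses; example.com is the deck's placeholder.
    private static final Set<String> ALLOWED_ORIGINS =
            new HashSet<>(Arrays.asList("https://app.example.com"));

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String origin = request.getHeader("Origin");
        // No Origin (same-origin or non-browser client) or an unknown origin: send no
        // Access-Control-Allow-* headers at all, and the browser blocks the cross-origin read.
        if (origin == null || !ALLOWED_ORIGINS.contains(origin)) {
            chain.doFilter(req, res);
            return;
        }
        // Echo the single matched origin, never "*", and tell caches the answer varies.
        response.setHeader("Access-Control-Allow-Origin", origin);
        response.addHeader("Vary", "Origin");
        // Access-Control-Allow-Credentials: true is deliberately not set here.
        boolean preflight = "OPTIONS".equals(request.getMethod())
                && request.getHeader("Access-Control-Request-Method") != null;
        if (preflight) {
            // The browser asked with Access-Control-Request-Method / -Headers;
            // the server answers with the Access-Control-Allow-* forms.
            response.setHeader("Access-Control-Allow-Methods", "GET, HEAD, POST");
            response.setHeader("Access-Control-Allow-Headers", "X-PINGOTHER, Content-Type");
            response.setHeader("Access-Control-Max-Age", "600"); // cache preflight 10 min
            response.setStatus(HttpServletResponse.SC_NO_CONTENT);
            return;                                              // never reaches the servlet
        }
        chain.doFilter(req, res);
    }
}
```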
  • 25. Attack 4 (Demonstration)
    Bob gains access to Alice’s network and performs a Man in the Middle attack.
    o Man in the Middle Attacks
    o Session Hijacking
    o Set-Cookie secure flag
    o Strict-Transport-Security
  • 26. Man in the Middle Setup
    Image credit : https://tails.boum.org/doc/about/warning/index.en.html
    o Passive
      o Network Hub (L1), Network Taps, Routers with Monitor Port (DD-WRT)
    o Active
      o DNS Spoofing (spoofing Domain Name to IP mapping)
      o ARP Spoofing (spoofing IP to MAC mapping)
    o Techniques : https://www.blackhat.com/presentations/bh-europe-03/bh-europe-03-valleri.pdf
  • 29. Man in the Middle - VirtualBox Setup
    Malicious local DNS entry added to Alice’s PC :
      o echo 10.10.10.3 javacolombo.duckdns.org | sudo tee -a /etc/hosts
    Bob’s iptables rules used to reroute traffic :
      o iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.56.1
      o iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 192.168.56.1
      o iptables -t nat -A POSTROUTING -j MASQUERADE
  • 30. Attack Demonstration
    VirtualBox Man in the Middle Setup
    Man in the Middle Attacks
    Session Hijacking
  • 32. Is enabling HTTPS enough?
    Attack Demonstration with HTTPS enabled.
    Man in the Middle Attacks
    Session Hijacking
  • 33. Set-Cookie Secure flag
    o Mitigates the risk of sending protected cookies over HTTP.
    o Syntax : Set-Cookie: <name>=<value>[; <Max-Age>=<age>][; expires=<date>][; domain=<domain_name>][; path=<some_path>][; secure][; HttpOnly]
    o Tomcat 6+ sets secure on the session_id cookie by default, if and only if the first request of the session is made over HTTPS.
    o With Java EE 6+, it is possible to define cookie-config in web.xml :
      <session-config>
        <cookie-config>
          <secure>true</secure>
        </cookie-config>
      </session-config>
    o Programmatically :
      Cookie cookie = getMyCookie("gxsesmgt");
      cookie.setSecure(true);
    o More details : https://www.owasp.org/index.php/SecureFlag
  • 34. Strict-Transport-Security
    o Requests supporting browsers to communicate with the specified domain only over HTTPS.
    o Example : Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    o Use a Filter and response.addHeader("Strict-Transport-Security", "...");
    o Use the Tomcat built-in security filter : HttpHeaderSecurityFilter
      o https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#HTTP_Header_Security_Filter
    o HSTS Preload : https://hstspreload.appspot.com
    o Browser support : http://caniuse.com/#feat=stricttransportsecurity
    o More details : https://www.owasp.org/index.php/HTTP_Strict_Transport_Security
  • 35. Solution Demonstration
    Set-Cookie secure flag
    Strict-Transport-Security
  • 36. Beyond HTTP Headers
    o Use HTTPS all the time if you handle sensitive data.
    o Authenticated sessions must use HTTPS to ensure the safety of the user session.
    o Pay attention to network, system and physical security.
    o Disable HTTP access altogether if it is not required.
  • 37. Attack 5 (Demonstration)
    Bob improves the Man in the Middle attack to bypass HTTPS.
    o SSL Spoofing
    o Session Hijacking
    o Man in the Middle Attacks
    o Public-Key-Pins
  • 38. Attacks on HTTPS
    o SSL Strip
      o Removes the HTTPS protection symbol (lock) in the browser.
    o SSL Split
      o Gets Alice to trust a different certificate.
      o Compromise Alice’s computer and add a malicious trusted CA.
      o Compromise the CA.
  • 39. SSL Attacks
    o Start SSLSplit, splitting all HTTP and HTTPS traffic arriving towards 10.10.10.3 and sending it on to 192.168.56.1 after logging :
      o sslsplit -D -l connections.log -j /tmp/sslsplit/ -S logdir -k evilca.key -c evilca.crt ssl 10.10.10.3 8444 192.168.56.1 443 tcp 10.10.10.3 8081 192.168.56.1 80
    o Flush existing rules and redirect all HTTP and HTTPS traffic to SSLSplit :
      o iptables -t nat -F
      o iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8081
      o iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8444
  • 40. Attack Demonstration
    SSL Spoofing
    Session Hijacking
    Man in the Middle Attacks
  • 41. Public-Key-Pins
    o Instructs the browser to associate a specific cryptographic public key with a host.
    o Sends the sha256 hash of the public key in HTTP headers, with an expiry.
    o Browsers maintain a preloaded list of public key pins [https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning]
    o Example :
      Public-Key-Pins: pin-sha256="cUPcTAZWKaASuYWhhneDttWpY3oBAkE3h2+soZS7sWs="; pin-sha256="M8HztCzM3elUxkcjR2S5P4hhyBNf6lHkmjAHKhpGPWE="; max-age=5184000; includeSubdomains; report-uri="https://www.example.net/hpkp-report"
    o Sha256 hashing with the key file :
      o openssl rsa -in ca.key -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64
  • 44. Content-Security-Policy
    o A layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks.
    o Designed to be fully backward compatible.
    o Replaces X-Frame-Options with the frame-ancestors directive.
      o Content-Security-Policy : frame-ancestors none;
    o Replaces X-XSS-Protection with the reflected-xss directive.
      o Content-Security-Policy : reflected-xss block;
    o http://www.html5rocks.com/en/tutorials/security/content-security-policy
    o https://developer.mozilla.org/en/docs/Web/Security/CSP/CSP_policy_directives
    o http://content-security-policy.com
  • 45. Content-Security-Policy - Examples
    o default-src - Default policy for loading content such as JavaScript, images, CSS.
    o script-src - Defines valid sources of JavaScript.
    o style-src - Defines valid sources of stylesheets.
    o Example : Load content from 'self' and cdn.example.com; in addition, allow loading scripts from js.example.com
      Content-Security-Policy: default-src 'self' cdn.example.com; script-src 'self' js.example.com;
    o Example : Disallow loading the current page inside iframes and enable XSS protection
      Content-Security-Policy: frame-ancestors 'none'; reflected-xss 'block';
  • 46. X-Content-Type-Options
    o Used to stop the browser from using MIME sniffing to determine the content type of a resource.
    o Prevents maliciously crafted resources from being used to perform attacks, including XSS.
    o Use a Filter and response.addHeader("X-Content-Type-Options", "nosniff");
    o Use the Tomcat built-in security filter : HttpHeaderSecurityFilter
      o https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#HTTP_Header_Security_Filter
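The "use a Filter" advice repeated on the X-XSS-Protection, X-Frame-Options, Strict-Transport-Security, Content-Security-Policy and X-Content-Type-Options slides, as one added example that is not code from the deck: a servlet Filter emitting all of those headers with the deck's values. It assumes the javax.servlet 3.x API (Tomcat 7+); the class name is this example's own and the CSP hosts are the deck's placeholder domains.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;

// Registered for every URL of the web application (Servlet 3.0 annotation).
@WebFilter(urlPatterns = "/*")
public class SecurityHeadersFilter implements Filter {
    // One year, the value used on the Strict-Transport-Security slide.
    private static final long HSTS_MAX_AGE_SECONDS = 31536000L;

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) res;

        // setHeader (not addHeader) so a second filter cannot leave two conflicting copies.
        // Reflected-XSS filter: block the page instead of rendering a sanitized version.
        response.setHeader("X-XSS-Protection", "1; mode=block");
        // Clickjacking: no site, not even our own, may frame this page.
        response.setHeader("X-Frame-Options", "DENY");
        // No MIME sniffing, so an uploaded file cannot be promoted to script or HTML.
        response.setHeader("X-Content-Type-Options", "nosniff");
        // CSP: the resource allow-list from the deck's example, plus frame-ancestors as the
        // CSP equivalent of X-Frame-Options: DENY for browsers that prefer it.
        response.setHeader("Content-Security-Policy",
                "default-src 'self' cdn.example.com; script-src 'self' js.example.com; "
                + "frame-ancestors 'none'");

        // Browsers ignore HSTS received over plain HTTP, so only send it on HTTPS, and
        // only once every subdomain really serves HTTPS (includeSubDomains is sticky).
        if (req.isSecure()) {
            response.setHeader("Strict-Transport-Security",
                    "max-age=" + HSTS_MAX_AGE_SECONDS + "; includeSubDomains");
        }

        chain.doFilter(req, res);
    }
}
```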
  • 47. Tomcat HttpHeaderSecurityFilter
    o Available since Tomcat 7.0.63; the X-XSS-Protection header was added in 7.0.68.
      <filter>
        <filter-name>HttpHeaderSecurityFilter</filter-name>
        <display-name>HttpHeaderSecurityFilter</display-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
      </filter>
      <filter-mapping>
        <filter-name>HttpHeaderSecurityFilter</filter-name>
        <url-pattern>/*</url-pattern>
      </filter-mapping>
    o Security headers enabled by default :
      o X-XSS-Protection: 1; mode=block
      o X-Content-Type-Options: nosniff
      o X-Frame-Options: DENY
      o Strict-Transport-Security: max-age=0;
    o https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#HTTP_Header_Security_Filter
    o https://github.com/apache/tomcat/blob/trunk/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java
  • 49. Cookie Prefixes
    o A mechanism for identifying whether a third party has tampered with the HTTP cookie attributes set by the server.
    o Defines the security attributes of a cookie in the cookie name.
    o Set-Cookie: __Secure-JSESSIONID=12345678901234567890; Secure; Domain=example.com
    o "__Secure-"
      o "Secure" attribute & Domain
    o "__Host-"
      o "Secure" attribute & "Path" attribute with a value of "/"
    o https://tools.ietf.org/html/draft-ietf-httpbis-cookie-prefixes-00
  • 50. Encrypted Content-Encoding for HTTP
    o Allows HTTP message payloads to be encrypted.
    o Store a file / content on a server without exposing its contents to that server.
      HTTP/1.1 200 OK
      Content-Type: application/octet-stream
      Content-Encoding: aesgcm
      Connection: close
      Encryption: keyid="http://example.org/bob/keys/123"; salt="XZwpw6o37R-6qoZjw6KwAw"

      [encrypted payload]
    o https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-01
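As an added example for the Cookie Prefixes slide (not code from the deck), a server-side check of a Set-Cookie value against the prefix rules, so a misconfigured prefixed cookie fails loudly on the server instead of being silently dropped by the browser. The draft the slide cites also forbids a Domain attribute on "__Host-" cookies, which the check enforces; class and method names are this example's own and the sample values are constructed (the first is the slide's own).

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

public class CookiePrefixCheck {

    /** Parse "name=value; Attr; Attr=val" into a lower-cased attribute map. */
    static Map<String, String> attributes(String setCookie) {
        Map<String, String> attrs = new HashMap<>();
        String[] parts = setCookie.split(";");
        for (int i = 1; i < parts.length; i++) {            // parts[0] is name=value
            String[] kv = parts[i].trim().split("=", 2);
            attrs.put(kv[0].toLowerCase(), kv.length > 1 ? kv[1].trim() : "");
        }
        return attrs;
    }

    /** Returns null when the cookie is acceptable, otherwise the prefix rule it violates. */
    public static String violation(String setCookie) {
        String name = setCookie.split("=", 2)[0].trim();
        Map<String, String> a = attributes(setCookie);
        if (name.startsWith("__Secure-")) {
            if (!a.containsKey("secure")) return "__Secure- cookies require the Secure attribute";
        } else if (name.startsWith("__Host-")) {
            if (!a.containsKey("secure")) return "__Host- cookies require the Secure attribute";
            if (!"/".equals(a.get("path"))) return "__Host- cookies require Path=/";
            if (a.containsKey("domain")) return "__Host- cookies must not set Domain";
        }
        return null;   // unprefixed cookies carry no prefix promise to check
    }

    public static void main(String[] args) {
        // Constructed sample values; the first is the slide's own example and passes.
        for (String c : Arrays.asList(
                "__Secure-JSESSIONID=12345678901234567890; Secure; Domain=example.com",
                "__Secure-JSESSIONID=12345678901234567890; Domain=example.com",
                "__Host-JSESSIONID=12345678901234567890; Secure; Path=/",
                "__Host-JSESSIONID=12345678901234567890; Secure; Path=/; Domain=example.com")) {
            String v = violation(c);
            System.out.println((v == null ? "OK   " : "FAIL ") + c + (v == null ? "" : "  -> " + v));
        }
    }
}
```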
  • 51. Q&A