Demonstration based session on HTTP headers relevant to security aspect of web applications. Target audience is web developers, and more attention is given to Java language.
2. Ayoma Wijethunga
o Software Engineer at WSO2, Platform Security Team.
o Get in touch
o Email : ayoma@wso2.com
o LinkedIn : https://lk.linkedin.com/in/ayoma
o Blog : http://ayomaonline.com
o Twitter / Facebook / Github / Hangout : ayomawdb
api android arduino automation building
developing discusses diy electronics
engineering iot jaggery java kali linux
modular osgi prusa reprap security software
ublox web wireshark wso2
4. Contents
o Headers
o X-XSS-Protection
o X-Frame-Options
o X-Content-Type-Options
o Content-Security-Policy
o Strict-Transport-Security
o Public-Key-Pins
o Access-Control-Allow-*
o Set-Cookie (security flags)
o Security Threats
o Cross Site Scripting (XSS)
o Clickjacking
o Session Hijacking
o Sensitive Information
Leakage
o Man in the Middle Attacks
o SSL Spoofing
o Future Developments
7. Storyline - Attack Map
Attack 1
o Cross Site Scripting (XSS)
o Session Hijacking
o Set-Cookie httpOnly flag
o X-XSS Protection
Attack 4
o Man in the Middle Attacks
o Session Hijacking
o Set-Cookie secure flag
o Strict-Transport-Security
Attack 2
o Clickjacking
o X-Frame-Options
Attack 5
o SSL Spoofing
o Session Hijacking
o Man in the Middle Attacks
o Public-Key-Pins
Attack 3
o Sensitive Information Leakage
o Access-Control-Allow-*
9. Attack 1 (Demonstration)
Bob get the URL for Alice’s datacenter
monitoring and management control
panel.
http://javacolombo.duckdns.org/server-admin
o Cross Site Scripting (XSS)
o Session Hijacking
o Set-Cookie httpOnly flag
o X-XSS Protection
11. Set-Cookie HttpOnly flag
o Mitigate the risk of client side scripts accessing protected cookies.
o Set-Cookie: <name>=<value>[; <Max-Age>=<age>][; expires=<date>] [;
domain=<domain_name>][; path=<some_path>][; secure][; HttpOnly]
o Tomcat 7+ sets HttpOnly flag for session_id by default.
o In Tomcat 6, set useHttpOnly="true" on Context element of context.xml to
enable.
o With Java EE 6+, it is possible to define cookie-config in web.xml
<session-config>
<cookie-config>
<http-only>true</http-only>
</cookie-config>
</session-config>
o Cookie cookie = getMyCookie("gxsesmgt"); cookie.setHttpOnly(true);
o More details : https://www.owasp.org/index.php/HttpOnly
14. X-XSS-Protection
o Request browsers to enable / disable reflected XSS protection
o Chrome / IE8+ - enables XSS protection by default
o Firefox - enables XSS protection on demand
o Available Directives
o0 - Disabled
o1 - Enable and render pages after sanitizing
o1; mode=block- Enable and block pages with XSS
o1; report=http://example.com/report - (chrome / WebKit only)
o Use a Filter and response.addHeader("X-XSS-Protection", "1; mode=block");
o Use Tomcat built in security filter : HttpHeaderSecurityFilter
ohttps://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#HTTP_Header_Security_Filter
16. Beyond HTTP Headers
o Use cookies only if there is no other server side option.
o Do not give sensitive names to cookies.
o Do not depend on browser level protection (Filters can be bypassed :
<svg><script>/<1/>alert(document.domain)</script></svg>)
o Validate user input.
o Use proper encoding [ https://github.com/OWASP/owasp-java-encoder ].
o Attention on CSRF protection.
o Renew session ID upon login & logout (session fixation).
17. Attack 2 (Demonstration)
Alice gets a link from Bob in disguise to
a malicious web application.
o Clickjacking o X-Frame-Options
19. X-Frame-Options
o Indicate whether or not a browser should be allowed to render a page in a
<frame> or <iframe>.
o Available Directives
oDENY - prevents any domain from framing the content.
oSAMEORIGIN - only allows the current site to frame the content.
oALLOW-FROM uri - permits the specified 'uri' to frame this page. [this will fail
open if the browser does not support it]
o Use a Filter and response.addHeader("X-Frame-Options", "...");
o Use Tomcat built in security filter : HttpHeaderSecurityFilter
ohttps://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#HTTP_Header_Security_Filter
o More details : https://www.owasp.org/index.
php/Clickjacking_Defense_Cheat_Sheet
21. Beyond HTTP Headers
o HTTP GET (incl. links) should only be used for idempotent actions.
o Request secondary user confirmation for critical actions.
o Use frame busting scripts for older browsers.
o Example :
<style>html { display:none }</style>
<script>
if (self == top) {
document.documentElement.style.display = ’block';
} else {
top.location = self.location;
}
</script>
o https://www.owasp.
org/images/0/0e/OWASP_AppSec_Research_2010_Busting_Frame_Busti
ng_by_Rydstedt.pdf
22. Attack 3 (Demonstration)
Alice gets a link from Bob in disguise to
a malicious web application.
o Sensitive Information
Leakage
o Access-Control-Allow-*
23. Access-Control-Allow-*
o Browsers enforce cross domain rules by default (users can loosen security).
o Access-Control-Allow-Origin: *
o Allow any external domain to access resource (Never do this in production
unless there is a good reason)
o Access-Control-Allow-Origin: http://example.com
o Allow only example.com to access resource
o Access-Control-Request-Method: GET, HEAD, POST
o Allow only GET, HEAD and POST requests to access resource
o Access-Control-Request-Headers: X-PINGOTHER
o Whitelist headers that browsers are allowed to access
o Access-Control-Max-Age: <delta-seconds>
o Number of seconds the preflight request results can be cached
o Access-Control-Allow-Credentials: true | false
o Give permission to include cookies if credentials are enabled in client (Never
set to true in production unless there is a good reason)
o https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
25. Attack 4 (Demonstration)
Bob gain access to Alice’s network and
perform a Man in the Middle attack.
o Man in the Middle Attacks
o Session Hijacking
o Set-Cookie secure flag
o Strict-Transport-Security
26. Man in the Middle Setup
Image credit : https://tails.boum.org/doc/about/warning/index.en.html
o Passive
o Network Hub (L1), Network Taps, Routers with Monitor Port (DD-WRT)
o Active
o DNS Spoofing (spoofing Domain Name to IP mapping)
o ARP Spoofing (spoofing IP to MAC mapping)
o Techniques : https://www.blackhat.com/presentations/bh-europe-03/bh-europe-03-valleri.
pdf
29. Man in the Middle - VirtualBox Setup
Malicious local DNS entry added to Alice’s PC :
o echo 10.10.10.3 javacolombo.duckdns.org | sudo tee -a /etc/hosts
Bob’s iptables rules used to reroute traffic :
o iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-
destination 192.168.56.1
o iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-
destination 192.168.56.1
o iptables -t nat -A POSTROUTING -j MASQUERADE
32. Is enabling HTTPS enough?
Attack Demonstration
with HTTPS enabled.
Man in the Middle Attacks
Session Hijacking
33. Set-Cookie Secure flag
o Mitigate the risk of sending protected cookies over HTTP.
o Set-Cookie: <name>=<value>[; <Max-Age>=<age>][; expires=<date>] [;
domain=<domain_name>][; path=<some_path>][; secure][; HttpOnly]
o Tomcat 6+ sets secure for session_id by default if and only if first request
for session is using https.
o With Java EE 6+, it is possible to define cookie-config in web.xml
<session-config>
<cookie-config>
<secure>true</secure>
</cookie-config>
</session-config>
o Cookie cookie = getMyCookie("gxsesmgt"); cookie.setSecure(true);
o More details : https://www.owasp.org/index.php/SecureFlag
34. Strict-Transport-Security
o Requests supported browsers to communicate with specified
domain only over HTTPS.
o Example : Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
o Use a Filter and response.addHeader("Strict-Transport-Security", "...");
o Use Tomcat built in security filter : HttpHeaderSecurityFilter
ohttps://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#HTTP_Header_Security_Filter
o HSTS Preload : https://hstspreload.appspot.com
o Browser support : http://caniuse.com/#feat=stricttransportsecurity
o More details : https://www.owasp.org/index.php/HTTP_Strict_Transport_Security
36. Beyond HTTP Headers
o Use HTTPS all the time, if you handle sensitive data.
o Authenticated sessions must use HTTPS to ensure
safety of user session.
o Attention on network, system and physical security.
o Disable HTTP access all together, if that is not required.
37. Attack 5 (Demonstration)
Bob improves Man in the Middle attack
to bypass HTTPS.
o SSL Spoofing
o Session Hijacking
o Man in the Middle Attacks
o Public-Key-Pins
38. Attacks on HTTPS
o SSL Strip
o Removes HTTPS protection symbol (lock) in browser.
o SSL Split
o Get Alice to trust a different certificate.
o Compromise Alice’s computer and add a malicious trusted CA.
o Compromise CA.
39. SSL Attacks
o Start SSLSplit, splitting all HTTP, HTTPS traffic arriving towards 10.10.10.3
and send same towards 192.168.56.1 after logging:
o sslsplit -D -l connections.log -j /tmp/sslsplit/ -S logdir -k evilca.key -c
evilca.crt ssl 10.10.10.3 8444 192.168.56.1 443 tcp 10.10.10.3 8081
192.168.56.1 80
o Flush existing rules and redirect all HTTP and HTTPS traffic to SSLSplit:
o iptables -t nat -F
o iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-
ports 8081
o iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-
ports 8444
41. Public-Key-Pins
o Instructs browser to associate a specific cryptographic public key
with a host.
o Sends sha256 hash of public key in HTTP headers with a expiry.
o Browsers maintain preloaded list of public key pins [https://wiki.mozilla.
org/SecurityEngineering/Public_Key_Pinning]
o Public-Key-Pins:
pin-sha256="cUPcTAZWKaASuYWhhneDttWpY3oBAkE3h2+soZS7sWs=";
pin-sha256="M8HztCzM3elUxkcjR2S5P4hhyBNf6lHkmjAHKhpGPWE=";
max-age=5184000; includeSubdomains;
report-uri="https://www.example.net/hpkp-report"
o Sha256 hashing with key file :
o openssl rsa -in ca.key -outform der -pubout | openssl dgst -sha256 -binary
| openssl enc -base64
44. Content-Security-Policy
o Layer of security that helps to detect and mitigate certain types of attacks, including
Cross-Site Scripting (XSS) and data injection attacks.
o Designed to be fully backward compatible.
o Replace X-XSS-Protection with frame-ancestors directive.
o Content-Security-Policy : frame-ancestors none;
o Replaces X-Frame-Options. with reflected-xss directive.
o Content-Security-Policy : reflected-xss block;
o http://www.html5rocks.com/en/tutorials/security/content-security-policy
o https://developer.mozilla.org/en/docs/Web/Security/CSP/CSP_policy_directives
o http://content-security-policy.com
45. Content-Security-Policy - Examples
o default-src Default policy for loading content such as JavaScript, Images, CSS
o script-src Defines valid sources of JavaScript.
o style-src Defines valid sources of stylesheets.
o Example : Load content from ‘self’ and cdn.example.com, in addition allow loading
scripts from js.example.com
Content-Security-Policy: default-src 'self' cdn.example.com; script-
src 'self' js.example.com;
o Example : Disallow loading content of current page inside iframes and enable XSS
protection
Content-Security-Policy: frame-ancestors 'none'; reflected-xss
'block';
46. X-Content-Type-Options
o Used to stop browser from using MIME-sniffing to determine content-type
of a resource.
o Prevent usage of maliciously crafted resources to perform attacks including
XSS.
o Use a Filter and response.addHeader("X-Content-Type-Options",
"nosniff");
o Use Tomcat built in security filter : HttpHeaderSecurityFilter
o https://tomcat.apache.org/tomcat-7.0-doc/config/filter.
html#HTTP_Header_Security_Filter
47. Tomcat HttpHeaderSecurityFilter
o Available with Tomcat 7.0.63, X-XSS-Protection header was added in
7.0.68
<filter>
<filter-name>HttpHeaderSecurityFilter</filter-name>
<display-name>HttpHeaderSecurityFilter</display-name>
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>HttpHeaderSecurityFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
o Security headers enabled by default :
o X-XSS-Protection: 1; mode=block
o X-Content-Type-Options: nosniff
o X-Frame-Options: DENY
o Strict-Transport-Security: max-age=0;
o https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#HTTP_Header_Security_Filter
o https://github.
com/apache/tomcat/blob/trunk/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.
java
49. Cookie Prefixes
o Mechanism of identifying whether a third-party has tampered HTTP
Cookies attributes set by the server.
o Defining security attributes of a cookie in the cookie name.
o Set-Cookie: __Secure-JSESSIONID=12345678901234567890;
Secure; Domain=example.com
o "__Secure-"
o "Secure" attribute & Domain
o "__Host-"
o Secure" attribute & "Path" attribute with a value of "/"
o https://tools.ietf.org/html/draft-ietf-httpbis-cookie-prefixes-00
50. Encrypted Content-Encoding for HTTP
o Allows HTTP message payloads to be encrypted.
o Store a file/content on a server without exposing its contents to that server.
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Encoding: aesgcm
Connection: close
Encryption: keyid="http://example.org/bob/keys/123"; salt="XZwpw6o37R-6qoZjw6KwAw"
[encrypted payload]
o https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-01