SECURING YOUR WEB APPLICATION THROUGH HTTP HEADERS
Booster, 14 March 2013

André N. Klingsheim (@klingsen)
AppSec AS
OUTLINE
•   HTTP headers
•   Attacks and security headers
     • Cross site scripting (XSS) — Content Security Policy
     • Clickjacking — X-Frame-Options
     • SSL stripping++ — HTTP Strict Transport Security
     • Session hijacking — Cookie security settings
     • MIME type attacks — X-Download-Options, X-Content-Type-Options
DEMO
HYGIENE: VERSION HEADERS
•   Web servers and web application frameworks tend to include version headers in HTTP responses (Server, X-Powered-By, X-AspNet-Version and friends)
•   There really is no reason to hand this information to an attacker: it tells them exactly which known vulnerabilities to try first
•   Get rid of them and save the bandwidth!
•   Demo
Cross site scripting (XSS)

CONTENT SECURITY POLICY
CROSS SITE SCRIPTING (XSS)
•   Reflected
     • User controlled data from the request is included in the response
•   Persistent (stored)
     • The attacker is able to store the attack server side; the stored attack is later included in response(s) to other users
•   DOM based
     • Does not involve the server; the payload is handled by client-side JavaScript, so server-side output encoding does not help here

- XSS (Cross Site Scripting) Prevention Cheat Sheet (OWASP)
- OWASP Top 10 for JavaScript – A2: Cross Site Scripting – XSS
DEMO
CONTENT SECURITY POLICY (CSP)
•   Lets you specify a policy for where content in your web pages can be loaded from
•   Lets you put restrictions on script execution (inline scripts, eval())
•   Headers (as of March 2013)
     • Content-Security-Policy – Chrome 25+ (the standard header name)
     • X-Content-Security-Policy – Firefox 4+
     • X-WebKit-CSP – WebKit browsers (Chrome/Safari)
•   W3C Candidate Recommendation
     • Will end up being a proper standard!
CSP DIRECTIVES
•   default-src — The fallback for every other fetch directive that is not set explicitly
•   script-src — scripts
•   style-src — stylesheets
•   object-src — plugins (Flash, Java applets)
•   img-src — images
•   media-src — video/audio
•   frame-src — frames and iframes
•   font-src — web fonts
•   connect-src — XMLHttpRequest, WebSocket and similar connections
•   report-uri — Specifies where CSP violation reports are sent (not covered by default-src)
CSP SOURCES (FOR THE DIRECTIVES)
•   'none' — No content of this type is allowed (all directives)
•   'self' — Content of this type can only be loaded from the same origin: same scheme, host and port, no content from other sites (all directives)
•   'unsafe-inline' — Allows inline content
     •   Supported by style-src (inline CSS) and script-src (inline script blocks, event handler attributes, javascript: URLs)
•   'unsafe-eval' — Allows script functions considered unsafe (eval(), new Function(), string arguments to setTimeout()/setInterval())
     •   Supported by script-src
•   And you can specify custom sources:
     •    * — Allow content from anywhere
     •   https: — Scheme only, load only content served over https
     •   *.nwebsec.com — Wildcard host, allow content from any nwebsec.com sub-domain
     •   www.nwebsec.com:81 — You can specify a port number
     •   https://www.nwebsec.com — You can also specify an absolute URI for a host (the path has no effect in CSP 1.0)
•   Mind the quotes: 'self' is a keyword, while self without quotes is a host named "self"
AND THEN IT ALL COMES TOGETHER
• Content-Security-Policy: default-src 'self'; script-src 'self' scripts.nwebsec.codeplex.com

•   This policy sets a default source of 'self' for all directives
•   script-src defines its own sources, replacing the default (hence the repeated 'self'; source lists are not merged with default-src)

•   In effect, stylesheets, images, Flash animations, Java applets etc. can only be loaded from the same origin as the page
•   Scripts can be loaded from the same origin and from scripts.nwebsec.codeplex.com
•   This policy denies inline scripts and inline CSS!
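The policy on this slide, evaluated the way a browser would. This is an added example, not code from the deck or from the NWebsec library: a small CSP 1.0 matcher that parses the header value, falls back to default-src for directives that are not set, and checks a resource URL against 'self', 'none', scheme, wildcard-host and host:port sources. The page URL https://www.nwebsec.com/page and the resource URLs are assumptions for the demonstration.

```python
"""CSP 1.0 policy matcher (added example; not the deck's or NWebsec's code).

Given a Content-Security-Policy header value, decides whether a resource of a
given type may be loaded by a page, honouring the default-src fallback and the
source forms on the previous slide. Page and resource URLs are assumptions.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_policy(header_value):
    """'default-src 'self'; script-src a b' -> {'default-src': ["'self'"], ...}."""
    policy = {}
    for directive in header_value.split(";"):
        tokens = directive.split()
        if tokens:
            # A repeated directive name is ignored by the browser: first one wins.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def _origin(url):
    parts = urlsplit(url)
    return parts.scheme, parts.hostname, parts.port or DEFAULT_PORTS.get(parts.scheme)


def _host_matches(pattern, host):
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # *.nwebsec.com matches www.nwebsec.com
    return pattern == host


def _source_matches(source, page_url, resource_url):
    scheme, host, port = _origin(resource_url)
    if source == "'none'":
        return False
    if source == "'self'":
        return _origin(page_url) == (scheme, host, port)  # same scheme, host AND port
    if source == "*":
        return True
    if source.startswith("'"):
        return False  # 'unsafe-inline' / 'unsafe-eval' never match a URL
    if source.endswith(":") and "://" not in source:
        return scheme == source[:-1].lower()  # scheme source, e.g. https:
    # Host source: [scheme://]host[:port][/path]. CSP 1.0 ignores the path, and a
    # source without a scheme inherits the scheme of the page.
    src_scheme, sep, rest = source.partition("://")
    if not sep:
        src_scheme, rest = _origin(page_url)[0], source
    host_pat, _, port_pat = rest.split("/", 1)[0].partition(":")
    if scheme != src_scheme.lower() or not _host_matches(host_pat.lower(), host):
        return False
    if port_pat == "*":
        return True
    if port_pat:
        return port == int(port_pat)
    return port == DEFAULT_PORTS.get(scheme)  # no port given: default port only


def is_allowed(policy, directive, page_url, resource_url):
    """May page_url load resource_url under directive (e.g. 'img-src')?"""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True  # neither the directive nor default-src is set: unrestricted
    return any(_source_matches(s, page_url, resource_url) for s in sources)


def keyword_allowed(policy, directive, keyword):
    """Is 'unsafe-inline' / 'unsafe-eval' granted for directive?"""
    sources = policy.get(directive, policy.get("default-src"))
    return sources is None or keyword in sources


if __name__ == "__main__":
    policy = parse_policy("default-src 'self'; script-src 'self' scripts.nwebsec.codeplex.com")
    page = "https://www.nwebsec.com/page"
    for directive, url in [("script-src", "https://scripts.nwebsec.codeplex.com/jquery.js"),
                           ("img-src", "https://cdn.example.org/logo.png")]:
        print(directive, url, "->", "allowed" if is_allowed(policy, directive, page, url) else "blocked")
    print("inline script allowed:", keyword_allowed(policy, "script-src", "'unsafe-inline'"))
```

Note the scheme rule: because scripts.nwebsec.codeplex.com is listed without a scheme, an http:// script is blocked on an https:// page, which is exactly what you want against mixed content.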
THE "SPECIAL" SOURCES
•   'unsafe-inline' allows inline scripts (script-src) and styles (style-src)
•   'unsafe-eval' allows certain JavaScript functions considered high risk (eval())
•   Use these special sources with care: script-src 'unsafe-inline' hands back exactly the injection channel CSP was meant to close
CSP REPORTING
•   You can specify a "report-uri" in the CSP header
•   Must be a relative URI
•   The browser will POST violation reports as JSON back to the web application

•   Content-Security-Policy-Report-Only
     • Will not block scripts or resources violating the policy
     • Will report them to the web application
     • Use it to test a policy against real traffic before switching to the enforcing header
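A receiver for the reports the browser POSTs to report-uri, as an added example (not the deck's demo code). It validates the shape and size of the JSON document and aggregates violations by directive and blocked origin, which is what you read during a Report-Only rollout. The sample POSTs are constructed; the /csp-report path and the document URI are assumptions.

```python
"""Receiver for CSP violation reports (added example; not the deck's demo code).

The browser POSTs {"csp-report": {...}} to the report-uri. This validates the
shape and size of such a POST and aggregates violations by directive and
blocked origin. Sample POSTs are constructed; /csp-report is an assumed path.
"""
import json
from collections import Counter
from urllib.parse import urlsplit

MAX_REPORT_BYTES = 16 * 1024       # real reports are small; refuse anything bigger
ACCEPTED_TYPES = ("application/csp-report", "application/json")
REQUIRED = ("document-uri", "violated-directive", "blocked-uri")


def parse_report(body, content_type):
    """Return the inner csp-report dict, or None when the POST is not a valid report."""
    if content_type.split(";")[0].strip().lower() not in ACCEPTED_TYPES:
        return None
    if len(body) > MAX_REPORT_BYTES:
        return None
    try:
        outer = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None
    report = outer.get("csp-report") if isinstance(outer, dict) else None
    if not isinstance(report, dict):
        return None
    if not all(isinstance(report.get(key), str) for key in REQUIRED):
        return None
    return report


def blocked_label(blocked_uri):
    """Absolute URLs collapse to their origin; other values ('', 'self', 'inline',
    'eval', 'data') are browser-supplied labels and are kept verbatim."""
    if "://" in blocked_uri:
        parts = urlsplit(blocked_uri)
        return f"{parts.scheme}://{parts.netloc}"
    return blocked_uri or "(empty)"


def summarize(posts):
    """posts: iterable of (body_bytes, content_type). Returns (Counter, rejected_count)."""
    counts, rejected = Counter(), 0
    for body, content_type in posts:
        report = parse_report(body, content_type)
        if report is None:
            rejected += 1
            continue
        directive = report["violated-directive"].split()[0]  # "script-src 'self' ..." -> script-src
        counts[(directive, blocked_label(report["blocked-uri"]))] += 1
    return counts, rejected


def _constructed_report(blocked_uri):
    policy = "default-src 'self'; script-src 'self' scripts.nwebsec.codeplex.com; report-uri /csp-report"
    return json.dumps({"csp-report": {
        "document-uri": "https://www.nwebsec.com/page",
        "referrer": "",
        "blocked-uri": blocked_uri,
        "violated-directive": "script-src 'self' scripts.nwebsec.codeplex.com",
        "original-policy": policy,
    }}).encode("utf-8")


# Constructed sample POSTs: two third-party scripts, one inline script, one junk request.
SAMPLE_POSTS = [
    (_constructed_report("http://evil.example/x.js"), "application/csp-report"),
    (_constructed_report("http://evil.example/y.js"), "application/csp-report"),
    (_constructed_report("inline"), "application/csp-report"),
    (b"<html>not a report</html>", "text/html"),
]

if __name__ == "__main__":
    counts, rejected = summarize(SAMPLE_POSTS)
    for (directive, label), n in counts.most_common():
        print(f"{n:3d}  {directive:12s} {label}")
    print("rejected:", rejected)
```

The report endpoint is reachable by anyone, so treat its input as untrusted: limit the size, check the content type, and never trust the document-uri as proof of where the report came from.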
XSS SUMMARIZED
•   Make sure you validate your inputs
•   Make sure you encode everything you output, for the context it ends up in (HTML body, attribute, JavaScript, URL)
     • Input to the web application
     • Data from backend systems
     • EVERYTHING!
•   Use CSP as an extra level of defense, it's not the cure!
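The three output contexts in one reflected template, rendered unsafely and with context-aware encoding side by side, as an added Python example (the deck's demo is ASP.NET, so this is not its code). The payload is constructed and validate_username is a hypothetical allow-list check.

```python
"""Reflected XSS: one template rendered unsafely and with context-aware output
encoding (added example in Python; the deck's demo is ASP.NET). The payload is
constructed; validate_username is a hypothetical allow-list check.
"""
import html
import json
import re

PAYLOAD = '"><script>alert(1)</script>'  # constructed attacker-controlled request parameter


def render_unsafe(name):
    """Request data dropped straight into three different output contexts."""
    return (f"<p>Hello {name}</p>"
            f'<input value="{name}">'
            f'<script>var n = "{name}";</script>')


def encode_html(text):
    """HTML body context: the five HTML metacharacters become character references."""
    return html.escape(text, quote=True)


def encode_attr(text):
    """Attribute context: same references; the template must quote the attribute."""
    return html.escape(text, quote=True)


def encode_js_string(text):
    """JavaScript string-literal context: JSON-encode (quotes, backslashes, control
    characters and U+2028/9 are all escaped because ensure_ascii is on), then escape
    the characters that could end the enclosing <script> element or start a comment."""
    return (json.dumps(text)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def render_safe(name):
    """Same template, each interpolation encoded for the context it lands in."""
    return (f"<p>Hello {encode_html(name)}</p>"
            f'<input value="{encode_attr(name)}">'
            f"<script>var n = {encode_js_string(name)};</script>")


USERNAME = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def validate_username(name):
    """Input validation as the first line of defence: an allow-list, not a block-list."""
    return USERNAME.fullmatch(name) is not None


if __name__ == "__main__":
    print(render_unsafe(PAYLOAD))
    print(render_safe(PAYLOAD))
    print("valid username?", validate_username(PAYLOAD))
```

The JavaScript encoder is the one people get wrong: HTML-encoding inside a script block does nothing, and JSON alone still lets "</script>" close the element, which is why "<" is escaped as \u003c.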
X-Frame-Options

CLICKJACKING
CLICKJACKING
•   A malicious site loads the vulnerable site in an iframe
•   The iframe is made invisible (e.g. opacity 0) and positioned on top of something the user is likely to click on
•   The user thinks they click on an element on the malicious site
     • The click really lands in the iframe, triggering some operation on the vulnerable site, with the user's cookies attached
CLICKJACKING DEMO

[Figure: the vulnerable site with a "Delete something!" button, overlaid by the evil site showing a "Click me!" button in the same spot]
FRAMESNIFFING
•   You can specify a URL with a fragment (#anchor) when loading an iframe
•   Browsers would scroll to the anchor tag, or to the HTML element with the matching id attribute
•   This scrolling can be detected with JavaScript, which leaks whether that element, and so some piece of content, exists on the framed page
•   Note: the vulnerability has been fixed in the latest versions of browsers; a page that refuses to be framed is not affected either way
X-FRAME-OPTIONS
•   X-Frame-Options: DENY | SAMEORIGIN
•   Instructs the browser to not display the page in a frame at all (DENY), or only in frames belonging to the same origin (SAMEORIGIN)
     • When the page isn't displayed, there's nothing to click on!
•   Browser support: Opera 10.5, Chrome 4.1, IE 8, Firefox 3.6.9, Safari 4

•   Remember: The request is still sent to, and processed by, the web server! Only the rendering is suppressed, so any side effect of merely requesting the page still happens
X-FRAME-OPTIONS SEQUENCE DIAGRAM

[Sequence diagram: Attacker, Target]
Strict-Transport-Security

HTTPS STRIPPING
HTTPS STRIPPING EXPLAINED
•   "Secure" websites use SSL/TLS to preserve the confidentiality and integrity of the communication with a browser
•   For usability, "secure" websites are still reachable over insecure channels (HTTP on port 80)
     • They'll redirect the user to HTTPS
     • The user types www.onlinebank.com, and is redirected to https://www.onlinebank.com
     • The very first request is insecure, and open to attack!
•   SSL stripping is a man-in-the-middle attack
     • The attacker keeps the victim on HTTP, but passes the requests on over HTTPS to the target website; the redirect to HTTPS never reaches the victim
     • Practical attack demoed at Black Hat in 2009 (sslstrip, Moxie Marlinspike)

http://www.thoughtcrime.org/software/sslstrip/
HOW "SECURE BROWSING" USUALLY WORKS

  Browser  ->  www.onlinebank.com (unprotected)                ->  Online bank
  Browser  <-  Redirect: https://www.onlinebank.com (unprotected)  <-  Online bank
  Browser  ->  https://www.onlinebank.com (protected)           ->  Online bank
HTTPS STRIPPING

  Browser  ->  www.onlinebank.com (unprotected)         ->  Attacker  ->  https://www.onlinebank.com (protected)  ->  Online bank
  Browser  <-  Response (unprotected)                   <-  Attacker  <-  Response (protected)                     <-  Online bank
  Browser  ->  http://www.onlinebank.com (unprotected)  ->  Attacker  ->  https://www.onlinebank.com (protected)  ->  Online bank
  Browser  <-  Response (unprotected)                   <-  Attacker  <-  Response (protected)                     <-  Online bank
DEMO
HTTP STRICT TRANSPORT SECURITY
•   Strict-Transport-Security: max-age=31536000; includeSubDomains
     • max-age specifies for how many seconds the policy should be in effect (31536000 is one year); the timer restarts on every response that carries the header
     • includeSubDomains — optional, extends the policy to all sub-domains of the host
•   Instructs the browser to only communicate with that hostname over SSL/TLS: http:// URLs are rewritten to https:// before the request leaves the browser
•   Fails hard on certificate errors
     • The user does not have the option to click through certificate warnings
•   Caveats
     • The header is only honoured when received over HTTPS, so send it on the HTTPS responses, not on the HTTP redirect
     • The very first visit is still unprotected until the browser has seen the header once (browser preload lists exist to close that gap)
     • Browser support: Chrome 4+, Firefox 4+, Opera 12
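A browser-side model of HSTS as an added example (not the deck's code): it parses the header, stores the policy with its expiry, rewrites http:// navigations to https://, and exercises the two caveats above, namely that the header is ignored over plain HTTP and that nothing is rewritten before the header has been seen. www.onlinebank.com is the deck's example host; the clock is injected so expiry can be tested.

```python
"""Browser-side HSTS model (added example; not the deck's code).

Stores Strict-Transport-Security policies the way RFC 6797 describes and
rewrites later http:// navigations to https://. www.onlinebank.com is the
deck's example host; the clock is injected so expiry can be exercised.
"""
import re
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(value):
    """'max-age=31536000; includeSubDomains' -> (31536000, True); None if malformed."""
    max_age, include_subdomains = None, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            match = re.fullmatch(r'"?(\d+)"?', val.strip())
            if match is None:
                return None  # a policy without a valid max-age is ignored
            max_age = int(match.group(1))
        elif name == "includesubdomains":
            include_subdomains = True
    return None if max_age is None else (max_age, include_subdomains)


class HstsStore:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.entries = {}  # host -> (expiry timestamp, includeSubDomains)

    def observe(self, url, headers):
        """Feed the response headers of a completed request. Returns True if a policy changed."""
        parts = urlsplit(url)
        if parts.scheme != "https":
            return False  # RFC 6797: HSTS received over plain HTTP is ignored
        lowered = {name.lower(): value for name, value in headers.items()}
        parsed = parse_hsts(lowered.get("strict-transport-security", ""))
        if parsed is None:
            return False
        max_age, include_subdomains = parsed
        if max_age == 0:
            self.entries.pop(parts.hostname, None)  # max-age=0 removes the policy
        else:
            self.entries[parts.hostname] = (self.clock() + max_age, include_subdomains)
        return True

    def is_known(self, host):
        now = self.clock()
        for known, (expiry, include_subdomains) in self.entries.items():
            if expiry <= now:
                continue
            if host == known or (include_subdomains and host.endswith("." + known)):
                return True
        return False

    def rewrite(self, url):
        """What the browser actually fetches for a navigation to url."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname):
            return url  # first visit, expired policy or unrelated host: no upgrade
        netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    store = HstsStore()
    print(store.rewrite("http://www.onlinebank.com/login"))  # unprotected first visit
    store.observe("https://www.onlinebank.com/",
                  {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
    print(store.rewrite("http://www.onlinebank.com/login"))  # upgraded from now on
```

The first print is the sslstrip window: until the policy is stored, the browser happily sends the plain HTTP request the attacker is waiting for.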
Securing cookies

SESSION HIJACKING
SESSION HIJACKING EXPLAINED
•   Means getting access to a user's authenticated session, i.e. stealing the session token
•   On the web, session tokens mean cookies
•   Protect the cookies!

•   Cookies can be marked with the "HttpOnly" flag: makes them inaccessible to JavaScript (an XSS payload can no longer read document.cookie), and they won't be included in requests from applets
•   Cookies can be marked with the "Secure" flag: instructs the browser to only send them with HTTPS requests, so they never travel over a stripped or plain HTTP connection
DEMO
X-Content-Type-Options: nosniff

IE MIME SNIFFING
IE MIME SNIFFING
•   HTTP responses include a header stating what type of content is included
     • E.g. Content-Type: text/html; charset=utf-8
•   To compensate for misconfigured servers and bad programming, IE introduced MIME sniffing back in the day (IE4): it inspects the response body and may override the declared type
•   Some undesired side effects when IE guesses wrong, e.g. a user-uploaded "image" or text file gets rendered as HTML, together with any script it contains
•   The "X-Content-Type-Options: nosniff" header was introduced in IE8 to disable the behaviour (Chrome honours it too)

•   Always serve your content with the correct content type, and the "X-Content-Type-Options" header
•   Demo!
COST/BENEFIT OF SECURITY HEADERS
ADDING HEADERS IS EASY
•   Benefits
     • Usually a single line of code in any "webpage"
     • Can often be added through config (web server or framework)
     • Prevents well known attacks

•   Cost
     • Low
     • CSP can be expensive: no inline script or CSS means existing applications might need a rewrite
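A response-header audit that checks everything in the talk in one pass, as an added example (not NWebsec code): version/framework leaks, X-Frame-Options, X-Content-Type-Options, Set-Cookie flags, and plain presence of HSTS and CSP. The two header sets are constructed: WEAK is what an unconfigured ASP.NET/IIS response typically looks like, HARDENED is the same response with the headers from the talk added.

```python
"""Audit of one response's security headers (added example; not NWebsec code).

Checks the points from the talk: version/framework leaks, X-Frame-Options,
X-Content-Type-Options, Set-Cookie flags, and plain presence of HSTS and CSP.
WEAK and HARDENED are constructed header sets.
"""
import re

FRAMEWORK_HEADERS = ("x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")
CSP_HEADERS = ("content-security-policy", "x-content-security-policy", "x-webkit-csp")


def _index(headers):
    """[(name, value), ...] -> {lowercased name: [values]} (Set-Cookie may repeat)."""
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)
    return by_name


def cookie_findings(set_cookie, https):
    name = set_cookie.split(";", 1)[0].split("=", 1)[0].strip()
    attrs = {part.strip().split("=", 1)[0].lower() for part in set_cookie.split(";")[1:]}
    findings = []
    if "httponly" not in attrs:
        findings.append(f"cookie {name} lacks HttpOnly")
    if https and "secure" not in attrs:
        findings.append(f"cookie {name} lacks Secure")
    return findings


def audit(headers, https=True):
    """Return a list of findings; an empty list means every check passed."""
    by = _index(headers)
    findings = []
    for value in by.get("server", []):
        if re.search(r"/\d", value):  # "Microsoft-IIS/7.5" leaks a version, "nginx" alone does not
            findings.append(f"leaks framework/version: Server: {value}")
    for header in FRAMEWORK_HEADERS:
        for value in by.get(header, []):
            findings.append(f"leaks framework/version: {header}: {value}")
    xfo = [v.strip().upper() for v in by.get("x-frame-options", [])]
    if not xfo:
        findings.append("missing X-Frame-Options")
    elif xfo[0] not in ("DENY", "SAMEORIGIN") and not xfo[0].startswith("ALLOW-FROM "):
        findings.append(f"invalid X-Frame-Options: {xfo[0]}")
    xcto = by.get("x-content-type-options", [])
    if not xcto or xcto[0].strip().lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    if https and not by.get("strict-transport-security"):
        findings.append("missing Strict-Transport-Security")
    if not any(by.get(h) for h in CSP_HEADERS):
        if by.get("content-security-policy-report-only"):
            findings.append("CSP present in report-only mode only")
        else:
            findings.append("no Content-Security-Policy")
    for set_cookie in by.get("set-cookie", []):
        findings.extend(cookie_findings(set_cookie, https))
    return findings


# Constructed: a typical unconfigured ASP.NET/IIS response ...
WEAK = [
    ("Server", "Microsoft-IIS/7.5"),
    ("X-Powered-By", "ASP.NET"),
    ("X-AspNet-Version", "4.0.30319"),
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "ASP.NET_SessionId=abc123; path=/"),
]
# ... and the same response with the headers from the talk added.
HARDENED = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("X-Frame-Options", "DENY"),
    ("X-Content-Type-Options", "nosniff"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Content-Security-Policy", "default-src 'self'"),
    ("Set-Cookie", "ASP.NET_SessionId=abc123; path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    for label, headers in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(label, audit(headers) or ["ok"])
```

Run it against every response type your application emits, not only the front page: error pages, static files and redirects are the responses that most often miss the headers.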
SOME REFERENCES
•   Blog: Security through HTTP response headers
     • http://www.dotnetnoob.com/2012/09/security-through-http-response-headers.html
•   The NWebsec security library for ASP.NET
     • http://nwebsec.codeplex.com/
•   The NWebsec demo site
     • http://www.nwebsec.com/
•   The application used for the demos in this talk
     • https://github.com/klings/Booster2013
@klingsen

THANK YOU!

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 

Dernier (20)

Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 

Securing your web application through HTTP headers

  • 1. SECURING YOUR WEB APPLICATION THROUGH HTTP HEADERS
    Booster — 14. March 2013
    André N. Klingsheim (@klingsen), AppSec AS
  • 2. OUTLINE
    • HTTP headers
    • Attacks and security headers
      • Cross site scripting (XSS) — Content Security Policy
      • Clickjacking — X-Frame-options
      • SSL stripping++ — HTTP Strict Transport Security
      • Session hijacking — Cookie security settings
      • MIME type attacks — X-Download-Options, X-Content-Type-options
  • 3. DEMO
  • 4. HYGIENE: VERSION HEADERS
    • Web servers and web application frameworks tend to include version headers in the HTTP responses
    • There really is no reason to leak this information to an attacker
    • Get rid of them and save the bandwidth!
    • Demo
  • 5. Cross site scripting (XSS) — CONTENT SECURITY POLICY
  • 6. CROSS SITE SCRIPTING (XSS)
    • Reflected
      • User controlled data from the request is included in the response
    • Persistent
      • Attacker is able to store the attack server side; the stored attack is later included in response(s)
    • DOM based
      • Does not involve the server, happens on the client side
    - XSS (Cross Site Scripting) Prevention Cheat Sheet
    - OWASP Top 10 for JavaScript – A2: Cross Site Scripting – XSS
  • 7. DEMO
  • 8. CONTENT SECURITY POLICY (CSP)
    • Lets you specify a policy for where content in your webpages can be loaded from
    • Lets you put restrictions on script execution
    • Headers
      • Content-Security-Policy – Chrome 25
      • X-Content-Security-Policy – Firefox 4+
      • X-WebKit-Csp – WebKit browsers (Chrome/Safari)
    • W3C Candidate recommendation
      • Will end up being a proper standard!
  • 9. CSP DIRECTIVES
    • default-src — Specifies the default for other sources
    • script-src
    • style-src
    • object-src — plugins
    • img-src
    • media-src — video/audio
    • frame-src
    • font-src
    • connect-src
    • report-uri — Specifies where CSP violations can be reported
  • 10. CSP SOURCES (FOR THE DIRECTIVES)
    • 'none' — No content of this type is allowed (All directives)
    • 'self' — Content of this type can only be loaded from the same origin (no content from other sites) (All directives)
    • 'unsafe-inline' — Allows unsafe inline content.
      • Supported by style-src (inline css) and script-src (inline script)
    • 'unsafe-eval' — Allows script functions considered unsafe (such as eval())
      • Supported by script-src
    • And you can specify custom sources:
      • * — Allow content from anywhere
      • https: — Scheme only, load only content served over https
      • *.nwebsec.com — Wildcard host, allow content from any nwebsec.com sub-domain.
      • www.nwebsec.com:81 — You can specify a port number
      • https://www.nwebsec.com — You can specify an absolute URI for a host (path has no effect though)
  • 11. AND THEN IT ALL COMES TOGETHER
    • Content-Security-Policy: default-src 'self'; script-src 'self' scripts.nwebsec.codeplex.com
    • This policy sets a default source of 'self' for all directives.
    • script-src defines its own sources, replacing the default (hence the inclusion of 'self')
    • In effect, scripts, stylesheets, images, flash animations, Java applets etc. can only be loaded from the same origin as the page
    • Scripts can also be loaded from scripts.nwebsec.codeplex.com
    • This policy denies inline scripts and CSS!
  • 12. THE "SPECIAL" SOURCES
    • 'unsafe-inline' can allow inline scripts (script-src) and styles (style-src)
    • 'unsafe-eval' allows certain JavaScript functions considered high risk (eval())
    • Use these special sources with care
  • 13. CSP REPORTING
    • You can specify a "report-uri" in the CSP header
      • Must be a relative URI
      • Will post violation reports as JSON back to the web application
    • Content-Security-Policy-Report-Only
      • Will not block scripts or resources violating the policy
      • Will report them to the web application
  • 14. XSS SUMMARIZED
    • Make sure you validate your inputs
    • Make sure you encode everything you output
      • Input to the web application
      • Data from backend systems
      • EVERYTHING!
    • Use CSP as an extra level of defense, it's not the cure!
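As an added illustration (not code from the deck or from the NWebsec library), the following Python matcher applies CSP 1.0 source expressions the way slides 10 to 12 describe them: default-src as the fallback, 'self' as strict same-origin, scheme-only, wildcard-host, host:port and absolute-URI sources, and the quoted keywords ('none', 'unsafe-inline', 'unsafe-eval') never matching a URL. The page URL https://www.nwebsec.com/ and the resource URLs are constructed; the policy is the one from slide 11.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_policy(header):
    """Turn "default-src 'self'; script-src 'self' host" into {directive: [sources]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _origin(url):
    """(scheme, host, port) of a URL, filling in the scheme's default port."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, u.hostname or "", u.port or DEFAULT_PORTS.get(scheme)


def source_matches(src, resource, page):
    """Does one CSP 1.0 source expression allow loading `resource` into `page`?"""
    r_scheme, r_host, r_port = _origin(resource)
    p_scheme, p_host, p_port = _origin(page)
    if src == "'self'":  # same origin: scheme, host and port must all be equal
        return (r_scheme, r_host, r_port) == (p_scheme, p_host, p_port)
    if src.startswith("'"):  # 'none', 'unsafe-inline', 'unsafe-eval' never match a URL
        return False
    if src == "*":
        return True
    if src.endswith(":"):  # scheme-only source such as "https:"
        return r_scheme == src[:-1].lower()
    # host source: [scheme://]host[:port][/path]; without a scheme the page's is implied
    scheme = p_scheme
    if "://" in src:
        scheme, src = src.split("://", 1)
    host, _, port = src.split("/", 1)[0].partition(":")  # the path has no effect
    if r_scheme != scheme.lower():
        return False
    if r_port != (int(port) if port else DEFAULT_PORTS.get(r_scheme)):
        return False
    host = host.lower()
    if host.startswith("*."):  # wildcard host: any sub-domain, but not the bare domain
        return r_host.endswith(host[1:])
    return r_host == host


def allowed(policy, directive, resource, page):
    """Resolve the directive, falling back to default-src, and test every source."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True  # neither the directive nor default-src is set: unrestricted
    return any(source_matches(s, resource, page) for s in sources)


# The policy from slide 11, evaluated for a page at https://www.nwebsec.com/ (constructed URL).
POLICY = parse_policy("default-src 'self'; script-src 'self' scripts.nwebsec.codeplex.com")
```

With this policy, `allowed(POLICY, "img-src", "https://cdn.example/logo.png", "https://www.nwebsec.com/")` is False because img-src falls back to default-src 'self', while the same script loaded over HTTPS from scripts.nwebsec.codeplex.com is allowed.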
  • 16. CLICKJACKING
    • A malicious site loads the vulnerable site in an iframe
    • The iframe is invisible, and positioned in front of something the user is likely to click on
    • The user clicks on what appears to be an element on the malicious site
    • The user really clicks in the iframe, triggering some operation on the vulnerable site
  • 17. CLICKJACKING DEMO (figure; labels: "Vulnerable site", "Evil site", "Delete something!", "Click me!")
  • 18. FRAMESNIFFING
    • You can specify a URL with an anchor when loading an iFrame
    • Browsers would scroll to the anchor tag, or the html element with the relevant id attribute
    • This scrolling can be detected with JavaScript
    • Note: Vulnerability has been fixed in latest versions of browsers
  • 19. X-FRAME-OPTIONS
    • X-Frame-Options: Deny | SameOrigin
    • Instructs the browser to not display the page in a frame
    • When the page isn’t displayed, there’s nothing to click on!
    • Browser support: Opera 10.5, Chrome 4.1, IE 8, Firefox 3.6.9, Safari 4
    • Remember: The request is still sent to — and processed by — the web server!
  • 20. X-FRAME-OPTIONS SEQUENCE DIAGRAM (figure; participants: Attacker, Target)
  • 22. HTTPS STRIPPING EXPLAINED
    • "Secure" websites use SSL/TLS to preserve the confidentiality and integrity of the communication with a browser
    • For usability, "secure" websites are still accessible through insecure channels (HTTP on port 80)
      • They’ll redirect the user to HTTPS
      • User enters www.onlinebank.com — and is redirected to https://www.onlinebank.com
    • The very first request is insecure, and open to attack!
    • SSL stripping is a middleperson attack
      • Attacker keeps the victim on HTTP, but passes requests on over HTTPS to the target website
      • Practical attack demoed at Black Hat in 2009 (sslstrip) http://www.thoughtcrime.org/software/sslstrip/
  • 23. HOW "SECURE BROWSING" USUALLY WORKS (sequence diagram, browser to Online bank)
    • www.onlinebank.com (unprotected)
    • Redirect: https://www.onlinebank.com (unprotected)
    • https://www.onlinebank.com (protected)
  • 24. HTTPS STRIPPING (sequence diagram, browser to Attacker to Online bank)
    • Browser to Attacker: www.onlinebank.com (unprotected) — Attacker to Online bank: https://www.onlinebank.com (protected)
    • Online bank to Attacker: Response (protected) — Attacker to browser: Response (unprotected)
    • Browser to Attacker: http://www.onlinebank.com (unprotected) — Attacker to Online bank: https://www.onlinebank.com (protected)
    • Online bank to Attacker: Response (protected) — Attacker to browser: Response (unprotected)
  • 25. DEMO
  • 26. HTTP STRICT TRANSPORT SECURITY
    • Strict-Transport-Security: max-age=31536000; includeSubDomains
      • Max-age specifies for how many seconds the policy should be in effect
      • includeSubDomains — optional
    • Instructs the browser to only communicate to that hostname over SSL/TLS
    • Fails hard on certificate errors
      • The user does not have the option to click through certificate warnings
    • Browser support: Chrome 4+, Firefox 4+, Opera 12
  • 28. SESSION HIJACKING EXPLAINED
    • Means getting access to a user's privileged session -> steal session tokens
    • On the web, session tokens mean cookies
    • Protect the cookies!
    • Cookies can be marked with the "httpOnly" flag -> makes them inaccessible to JS, they won't be included in requests from applets.
    • Cookies can be marked with the "secure" flag -> instructs the browser to only send them with HTTPS requests
  • 29. DEMO
  • 31. IE MIME SNIFFING
    • HTTP responses include a header stating what type of content is included
      • E.g. Content-Type: text/html; charset=utf-8
    • To compensate for misconfigured servers and bad programming, IE introduced MIME sniffing back in the days (IE4)
    • Some undesired side effects when IE guesses wrong
    • They introduced the "X-Content-Type-Options: nosniff" header in IE9 to disable the behaviour
    • Always serve your content with the correct content type, and the "X-Content-Type-Options" header
    • Demo!
  • 33. ADDING HEADERS IS EASY
    • Benefits
      • Usually a single line of code in any "webpage"
      • Can often be added through config
      • Prevents well known attacks
    • Cost
      • Low
      • CSP can be expensive, might require rewrite of existing applications
  • 34. SOME REFERENCES
    • Blog: Security through HTTP response headers
      • http://www.dotnetnoob.com/2012/09/security-through-http-response-headers.html
    • The NWebsec security library for ASP.NET
      • http://nwebsec.codeplex.com/
    • The NWebsec demo site
      • http://www.nwebsec.com/
    • The application used for demo here
      • https://github.com/klings/Booster2013
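An added example, not code from the deck or from the NWebsec library: a Python audit that reads a constructed HTTP response and reports the problems the talk covers, from version headers (slide 4) through X-Frame-Options, Strict-Transport-Security, cookie flags and X-Content-Type-Options to a missing CSP. The response, its header values and the finding texts are constructed; the list of version headers (Server, X-Powered-By, X-AspNet-Version, X-AspNetMvc-Version) is an assumption about what an IIS/ASP.NET stack emits by default.

```python
import re

# Constructed sample response (not captured from any real site): it leaks versions,
# frames correctly and has HSTS, but lacks nosniff and CSP and has weak cookies.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
X-Frame-Options: SameOrigin
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: sessionid=abc123; path=/; HttpOnly
Set-Cookie: prefs=dark; path=/
"""

# Headers whose only effect is to tell an attacker which software and version runs.
VERSION_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")


def parse_headers(raw):
    """Raw response text -> list of (lowercase name, value); repeated names are kept."""
    headers = []
    for line in raw.splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return headers


def audit(raw):
    """Return a list of findings for the hygiene and security headers from the deck."""
    headers = parse_headers(raw)

    def first(name):  # value of the first header with this name, or None
        return next((v for k, v in headers if k == name), None)

    findings = [f"version header leaks software details: {n}"
                for n, _ in headers if n in VERSION_HEADERS]
    if (first("x-frame-options") or "").lower() not in ("deny", "sameorigin"):
        findings.append("X-Frame-Options missing or not Deny/SameOrigin (clickjacking)")
    max_age = re.search(r"max-age=(\d+)", first("strict-transport-security") or "", re.I)
    if max_age is None or int(max_age.group(1)) == 0:  # max-age=0 switches HSTS off
        findings.append("Strict-Transport-Security missing or max-age=0 (SSL stripping)")
    if (first("x-content-type-options") or "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing (MIME sniffing)")
    if first("content-security-policy") is None:
        findings.append("Content-Security-Policy missing (no extra XSS defence)")
    for name, value in headers:
        if name == "set-cookie":  # every cookie, session or not, should carry both flags
            cookie, *attrs = (p.strip() for p in value.split(";"))
            flags = {a.lower() for a in attrs}
            for flag in ("httponly", "secure"):
                if flag not in flags:
                    findings.append(f"cookie {cookie.split('=')[0]} lacks {flag}")
    return findings
```

Running `audit(SAMPLE_RESPONSE)` yields eight findings for the sample above; a response that drops the version headers, sets nosniff and a CSP, and marks both cookies HttpOnly and Secure yields none.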