Luke Crouch
For learning and doing web app security
Me
Luke Crouch
• Privacy & Security Engineer, Mozilla
• Board member, Techlahoma Foundation
• I’ve had 4 cups of coffee already ☕ ☕ ☕ ☕
This talk
• 112 slides in ~15m
• Mozilla Observatory
  • Website
  • Command-line tool
  • API
• Questions
How many of you use a tool to scan your web site or app for security issues? 🙋
In Mozilla research, 16% say Yes (n=1,181 web engineers; *old data)
In Mozilla research, 47% say No (n=1,181 web developers; *old data)
Why don’t you use something to scan your web site or app?
40% say: I don’t need it
Can’t have security vulnerabilities … … if you don’t know about your security vulnerabilities.
17% say they “need to” use a tool
THANK YOU!
Because even if your app or site may not seem like a target …
Your users may be re-using their password …
• their bank
• their PayPal
• their workplace
• their healthcare provider
• their password manager (!)
• their computer
• etc.
• their email
  • which gives an attacker access to all of those others!
So if your app is hacked, their other accounts could get hacked too.
Next (rhetorical) question …
Which of the following security tech applies to your code?
• Mixed Content
• Subresource Integrity
• Cross-Origin Resource Sharing
• Cookies
  • Secure
  • HttpOnly
• Content Security Policy
• HTTP Strict Transport Security
• Redirections
• Referrer Policy
• X-Frame-Options
• X-XSS-Protection
• X-Content-Type-Options
🤷🤷
How do you know what you need to know?
Observatory helps me focus on learning the most important security for my code right now.
Because the reason most of us don’t do all this …
• Mixed Content
• Subresource Integrity
• Cross-Origin Resource Sharing
• Cookies
  • Secure
  • HttpOnly
• Content Security Policy
• HTTP Strict Transport Security
• Redirections
• Referrer Policy
• X-Frame-Options
• X-XSS-Protection
• X-Content-Type-Options
we don’t have time to do it all.
But, there’s plenty of “quick wins”you can get with a little bit of time
So, let’s get started …
⚠ Disclaimer: don’t be evil ⚠
You should only use security scanning and testing tools with permission
So … don’t go scan a bunch of government websites
Now … let’s go scan a bunch of government websites
hackerone.com
So basically, GSA gives permission to scan some sites, within certain scope and under certain conditions
Let’s try the first one on the list: itdashboard.gov
Loading external scripts over (insecure) HTTP - WCGW? 🤷
https://itdashboard.gov …
https://itdashboard.gov → HTTP, HTTP (the page is served over HTTPS, but its external scripts are requested over plain HTTP)
https://itdashboard.gov
src="http://ajax.googleapis.com/…" integrity="sha384-R4/ztc4ZlRqWjqIuvf6RX5yb/v90qNGx6fS48N0tRxiGkqveZETq72KgDVJCp2TC"
https://www.keycdn.com/support/what-is-mime-sniffing
https://itdashboard.gov/user-uploads/ … JS in an image.jpg file
Does your server set the right Content-Type for scripts and styles?
Yes?
This is “easy” - you can add:
X-Content-Type-Options: nosniff
across your entire server.
X-Content-Type-Options is the first recommended fix, because it’s easier than others …
No?
Do you need to support old IE browsers?
• No?
  • add X-Content-Type-Options: nosniff
• Yes?
  • Sorry to hear that
  • Does your site need to render user uploads in pages?
    • No? add X-Content-Type-Options: nosniff
    • Yes? Sorry again …
This is how improving your security works
1. Find a potential vulnerability
2. Learn about the potential attack(s)
3. Determine how much it affects your code specifically
4. Make an appropriate fix
5. Repeat
So, what’s next for itdashboard.gov?
Normally, you would make the recommended fix …
And then
But since GSA won’t give us access to deploy code on itdashboard.gov …
Let’s just check out the other tests in the report …
X-XSS-Protection
But what does it actually do?
https://itdashboard.gov/?param=alert(1)…
X-XSS-Protection: 1; mode=block
You might as well take care of older browser users (they need all the help they can get!)
Do you need to render HTML from url params?
• No?
  • add X-XSS-Protection: 1; mode=block
• Yes?
  • No you don’t. add X-XSS-Protection: 1; mode=block
• For real you do?
  • No, for real you don’t.
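An added example, not from the talk and not Observatory’s own code: a small offline auditor for the headers discussed above (X-Content-Type-Options, X-XSS-Protection, X-Frame-Options, HSTS, cookie Secure/HttpOnly), run over a constructed response header block. The rules are simplified approximations of what Observatory tests (an assumption, not its real scoring), and the sample response is made up, not captured from itdashboard.gov.

```javascript
// Added example: simplified response-header audit. Not Observatory's code;
// the rules approximate its checks and are not its scoring.

// Parse a raw header block into { lowercase-name: [values...] }.
// Set-Cookie may repeat, so every header is kept as an array.
function parseHeaders(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/)) {
    const idx = line.indexOf(':');
    if (idx <= 0) continue; // status line and blank lines
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    if (!headers[name]) headers[name] = [];
    headers[name].push(value);
  }
  return headers;
}

// Run the checks; each finding is { pass, note }.
function auditHeaders(headers, { https = true } = {}) {
  const first = (n) => (headers[n] || [])[0];
  const findings = {};

  // X-Content-Type-Options: "nosniff" is the only meaningful value.
  const xcto = (first('x-content-type-options') || '').toLowerCase();
  findings['x-content-type-options'] = {
    pass: xcto === 'nosniff',
    note: xcto ? `value "${xcto}"` : 'header missing',
  };

  // X-XSS-Protection: must be exactly "1; mode=block". A typo such as
  // "mode-block" is not recognised by browsers, so it counts as a failure.
  const rawXxp = first('x-xss-protection') || '';
  const xxp = rawXxp.toLowerCase().replace(/\s+/g, '');
  findings['x-xss-protection'] = {
    pass: xxp === '1;mode=block',
    note: rawXxp ? `value "${rawXxp}"` : 'header missing',
  };

  // X-Frame-Options: DENY or SAMEORIGIN.
  const xfo = (first('x-frame-options') || '').toUpperCase();
  findings['x-frame-options'] = {
    pass: xfo === 'DENY' || xfo === 'SAMEORIGIN',
    note: xfo || 'header missing',
  };

  // HSTS only counts over HTTPS; require max-age of at least six months
  // (15768000 seconds, the threshold Observatory documents).
  const hsts = first('strict-transport-security') || '';
  const maxAge = Number((hsts.match(/max-age=(\d+)/i) || [])[1] || 0);
  findings['strict-transport-security'] = {
    pass: https && maxAge >= 15768000,
    note: hsts ? `max-age=${maxAge}` : 'header missing',
  };

  // Cookies: every Set-Cookie should carry both Secure and HttpOnly.
  const cookies = headers['set-cookie'] || [];
  const bad = cookies.filter((c) => !/;\s*secure/i.test(c) || !/;\s*httponly/i.test(c));
  findings['cookies'] = {
    pass: bad.length === 0,
    note: cookies.length
      ? `${bad.length} of ${cookies.length} cookie(s) lack Secure and/or HttpOnly`
      : 'no cookies set',
  };
  return findings;
}

// Names of the checks that fail for a raw header block.
function failingChecks(raw) {
  const findings = auditHeaders(parseHeaders(raw));
  return Object.keys(findings).filter((k) => !findings[k].pass);
}

// Constructed sample (not a real capture): a site missing several quick wins.
const SAMPLE_RESPONSE = [
  'HTTP/1.1 200 OK',
  'Content-Type: text/html; charset=utf-8',
  'Set-Cookie: session=abc123; Path=/; HttpOnly',
  'Set-Cookie: prefs=dark; Path=/; Secure; HttpOnly',
  'X-XSS-Protection: 1; mode-block',
  'Strict-Transport-Security: max-age=31536000; includeSubDomains',
].join('\r\n');

for (const [name, f] of Object.entries(auditHeaders(parseHeaders(SAMPLE_RESPONSE)))) {
  console.log(`${f.pass ? 'PASS' : 'FAIL'}  ${name}: ${f.note}`);
}
```

Feed it the header block from `curl -sI https://your-site` and fix whatever prints FAIL. One caveat on X-XSS-Protection: it only ever mattered in browsers with an XSS filter (old IE and Chrome); Firefox never implemented it and Chromium has since removed its filter, so it is a legacy quick win, not a substitute for fixing the injection.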
Observatory Command-Line Interface
npm install observatory-cli
observatory itdashboard.gov --zero --format=report
So, same tests and results
Note: no “Recommendation”
But you could put this in your CI pipeline to scan a dev or stage site on every code change
And you can make CI fail if the score drops below a certain level
Observatory API
https://github.com/mozilla/http-observatory/blob/master/httpobs/docs/api.md
https://http-observatory.security.mozilla.org/api/v1
• POST /analyze?host=itdashboard.gov
  • hidden=true&rescan=true
• GET /analyze?host=itdashboard.gov
  • returns a “scan object” with a scan ID
• GET /getScanResults?scan=
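An added example, not from the talk and not Observatory’s own code, that ties the CI idea from the CLI slides to the three API calls above: start a scan, poll the scan object until it finishes, fetch the per-test results, and exit non-zero when the score is under a minimum. Assumptions: the base URL on the slide; a scan object with `scan_id`, `state`, `score` and `grade` fields, with `PENDING`, `STARTING` and `RUNNING` as the in-progress states; a getScanResults object keyed by test name whose entries carry `pass`, `score_modifier` and `score_description` (all as described in the api.md linked above); and Node 18+ for the global `fetch()`. The fetch and sleep functions are injectable so the polling logic can be exercised offline with fakes.

```javascript
// Added example: CI gate on the Observatory API. Not Observatory's code.
// Field names and scan states are assumptions taken from the api.md docs.

const API = 'https://http-observatory.security.mozilla.org/api/v1';
const IN_PROGRESS = ['PENDING', 'STARTING', 'RUNNING'];

// Pure pass/fail decision on a scan object, so it can be checked offline.
function evaluateScan(scan, minScore) {
  if (scan.state !== 'FINISHED') {
    return { ok: false, reason: `scan ended in state ${scan.state}` };
  }
  if (typeof scan.score !== 'number' || scan.score < minScore) {
    return { ok: false, reason: `score ${scan.score} (grade ${scan.grade}) is below the minimum ${minScore}` };
  }
  return { ok: true, reason: `score ${scan.score} (grade ${scan.grade})` };
}

// Turn a getScanResults object into the failed tests, biggest penalty first.
function failedTests(results) {
  return Object.entries(results)
    .filter(([, t]) => t.pass === false)
    .map(([name, t]) => ({ name, modifier: t.score_modifier, description: t.score_description }))
    .sort((a, b) => a.modifier - b.modifier);
}

async function defaultFetchJson(url, init) {
  const res = await fetch(url, init);
  if (!res.ok) throw new Error(`${url}: HTTP ${res.status}`);
  return res.json();
}
const defaultSleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// Start a scan and poll until it reaches a terminal state, then fetch results.
async function runScan(host, { fetchJson = defaultFetchJson, sleep = defaultSleep, pollMs = 3000, maxPolls = 40 } = {}) {
  const analyze = `${API}/analyze?host=${encodeURIComponent(host)}`;
  // hidden=true keeps the scan off the public recent-scans list;
  // rescan=true asks for a fresh scan instead of a cached one (rate limited).
  let scan = await fetchJson(analyze, {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: 'hidden=true&rescan=true',
  });
  for (let i = 0; i < maxPolls && IN_PROGRESS.includes(scan.state); i++) {
    await sleep(pollMs);
    scan = await fetchJson(analyze);
  }
  const results = scan.state === 'FINISHED'
    ? await fetchJson(`${API}/getScanResults?scan=${scan.scan_id}`)
    : {};
  return { scan, results };
}

// CI entry point, e.g.:  node observatory-gate.js staging.example.com 70
// (hypothetical file name; the host and minimum score come from argv).
if (process.argv[2]) {
  const host = process.argv[2];
  const minScore = Number(process.argv[3] || 70);
  runScan(host)
    .then(({ scan, results }) => {
      const verdict = evaluateScan(scan, minScore);
      console.log(`${host}: ${verdict.reason}`);
      for (const t of failedTests(results)) {
        console.log(`  ${t.modifier}  ${t.name}: ${t.description}`);
      }
      process.exit(verdict.ok ? 0 : 1);
    })
    .catch((err) => { console.error(err.message); process.exit(2); });
}
```

Point it at a dev or stage host that is reachable from the public internet (the scanner makes the requests, not your CI runner), and pick the minimum score from the current result so the gate only catches regressions, then raise it as fixes land.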
Now, let’s scan ALL the GSA sites in scope …
You should only use security scanning and testing tools with permission
Questions
• Mozilla Observatory
  • Website
  • Command-line tool
  • API
• 3rd-party scans
• What else?
Appendix
So, let’s go see where itdashboard.gov might be vulnerable …
View source …
src="http://
Phrase not found 🤔
“or use protocol-relative URLs” like src="//
So, if someone accessed this page via insecure http://, we could hack the script
But, if someone accessed this page via insecure http://, we could just hack the page
So when would this ever be a real problem?
When would someone ever access this page over insecure http://? 🙋
What if someone types “itdashboard.gov” without https?
What if another page links to “itdashboard.gov” without https?
When would someone run this page over insecure http://?
When would someone run this page at http://127.0.0.1?
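An added example, not from the talk: a lint for the script-loading issues raised in the main section (the `src="http://ajax.googleapis.com/…"` script) and in this appendix (protocol-relative `src="//…"`). It flags scripts requested over plain http://, protocol-relative scripts (which inherit http:// whenever the page itself is loaded over http://, as in the cases just listed), and third-party scripts with no `integrity` attribute. It walks `<script>` tags with a regex, which is adequate for a CI check but is not an HTML parser; the sample page and hostnames are constructed, not captured from itdashboard.gov.

```javascript
// Added example: find insecure and un-pinned <script src> references.
// Regex-based on purpose; not a full HTML parser.

const SCRIPT_TAG = /<script\b([^>]*)>/gi;
const ATTR = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

// Parse the attribute text of one tag into { lowercase-name: value }.
function parseAttrs(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// pageOrigin is the origin the page is served from, e.g. "https://example.test";
// it decides which scripts count as third-party.
function auditScripts(html, pageOrigin) {
  const origin = new URL(pageOrigin).origin;
  const findings = [];
  for (const m of html.matchAll(SCRIPT_TAG)) {
    const attrs = parseAttrs(m[1]);
    const src = attrs.src;
    if (!src) continue; // inline script: a CSP question, not this check
    const problems = [];
    if (/^http:\/\//i.test(src)) {
      problems.push('loaded over insecure http://');
    }
    if (src.startsWith('//')) {
      problems.push('protocol-relative: inherits http:// when the page is loaded over http://');
    }
    // Absolute or protocol-relative URLs can point off-origin; relative paths cannot.
    const absolute = /^(https?:)?\/\//i.test(src);
    const thirdParty = absolute && new URL(src, pageOrigin).origin !== origin;
    if (thirdParty && !attrs.integrity) {
      problems.push('third-party script without integrity (SRI)');
    }
    if (problems.length) findings.push({ src, problems });
  }
  return findings;
}

// Constructed sample page (not itdashboard.gov's markup).
const SAMPLE_HTML = `
<html><head>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/3.1.0/jquery.min.js"
        integrity="sha384-constructed"></script>
<script src="//cdn.example.net/lib.js"></script>
<script src="/static/app.js"></script>
<script src="https://cdn.example.net/other.js" integrity="sha384-constructed"></script>
<script>console.log('inline');</script>
</head></html>`;

for (const f of auditScripts(SAMPLE_HTML, 'https://itdashboard.gov')) {
  console.log(`${f.src}\n  - ${f.problems.join('\n  - ')}`);
}
```

Note that an `integrity` hash does not rescue the first case: an http:// script on an https:// page is active mixed content, which modern browsers block outright, so the script never loads at all. The fix is an https:// URL plus the integrity attribute, and for same-origin pages a relative path.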
Content Security Policy … what’s that?
Insert lots of content about CSP