Mozilla Observatory First Draft

luke crouch

March 15, 2021

Transcript

  1. Luke Crouch
    For learning and doing web app security

  2. Me
    Luke Crouch
    • Privacy & Security Engineer, Mozilla
    • Board member, Techlahoma Foundation
    • I’ve had 4 cups of coffee already
    ☕ ☕ ☕ ☕

  3. This talk
    • 112 slides in ~15m
    • Mozilla Observatory
    • Website
    • Command-line tool
    • API
    • Questions

  4. How many of you use a tool to scan your web site or app for security issues? 🙋

  5. In Mozilla research, 16% say Yes
    n=1,181 web engineers
    *old data

  6. In Mozilla research, 47% say No
    n=1,181 web developers
    *old data

  7. Why don’t you use something to scan your web site or app?

  8. 40% say: I don’t need it

  9. Can’t have security vulnerabilities …
    … if you don’t know about your security vulnerabilities.

  10. 17% say they “need to” use a tool

  11. THANK YOU!

  12. Because even if your app or site may not seem like a target …

  13. Your users may be re-using their password …

  14. • their bank
    • their PayPal
    • their workplace
    • their healthcare provider
    • their password manager (!)
    • their computer
    • etc.
    • their email
    • which gives an attacker access to all of those others!

  15. So if your app is hacked, their other accounts could get hacked too.

  16. Next (rhetorical) question …

  17. Which of the following security tech applies to your code?
    • Mixed Content
    • Subresource Integrity
    • Cross-Origin Resource Sharing
    • Cookies
      • Secure
      • HttpOnly
    • Content Security Policy
    • HTTP Strict Transport Security
    • Redirections
    • Referrer Policy
    • X-Frame-Options
    • X-XSS-Protection
    • X-Content-Type-Options

  18. 🤷🤷

  19. Which of the following security tech applies to your code?
    • Mixed Content
    • Subresource Integrity
    • Cross-Origin Resource Sharing
    • Cookies
      • Secure
      • HttpOnly
    • Content Security Policy
    • HTTP Strict Transport Security
    • Redirections
    • Referrer Policy
    • X-Frame-Options
    • X-XSS-Protection
    • X-Content-Type-Options

  20. How do you know what you need to know?

  21. Luke Crouch
    For learning and doing web app security

  22. (image-only slide)
  23. (image-only slide)
  24. (image-only slide)
  25. (image-only slide)
  26. (image-only slide)
  27. (image-only slide)

  28. Observatory helps me focus on learning the most important security for my code right now.

  29. Because the reason most of us don’t do all this …
    • Mixed Content
    • Subresource Integrity
    • Cross-Origin Resource Sharing
    • Cookies
      • Secure
      • HttpOnly
    • Content Security Policy
    • HTTP Strict Transport Security
    • Redirections
    • Referrer Policy
    • X-Frame-Options
    • X-XSS-Protection
    • X-Content-Type-Options

  30. we don’t have time to do it all.

  31. But, there’s plenty of “quick wins” you can get with a little bit of time

  32. So, let’s get started …

  33. ⚠ Disclaimer: don’t be evil ⚠

  34. You should only use security scanning and testing tools with permission

  35. So … don’t go scan a bunch of government websites

  36. Now … let’s go scan a bunch of government websites

  37. hackerone.com

  38. (image-only slide)
  39. (image-only slide)
  40. (image-only slide)

  41. So basically, GSA gives permission to scan some sites, within certain scope and under certain conditions

  42. (image-only slide)

  43. Let’s try the first one on the list: itdashboard.gov

  44. (image-only slide)
  45. (image-only slide)
  46. (image-only slide)
  47. (image-only slide)

  48. Loading external scripts over (insecure) HTTP - WCGW? 🤷

  49. (image-only slide)
  50. (image-only slide)

  51. https://itdashboard.gov

  52. https://itdashboard.gov
    HTTP HTTP

  53. (image-only slide)
  54. (image-only slide)

  55. https://itdashboard.gov

  56. (image-only slide)

  57. https://itdashboard.gov
    src="http://ajax.googleapis.com/…"
    integrity="sha384-R4/ztc4ZlRqWjqIuvf6RX5yb/v90qNGx6fS48N0tRxiGkqveZETq72KgDVJCp2TC"
    >

  58. (image-only slide)
  59. (image-only slide)
  60. (image-only slide)
  61. (image-only slide)
  62. (image-only slide)
  63. (image-only slide)

  64. https://www.keycdn.com/support/what-is-mime-sniffing

  65. https://itdashboard.gov
    /user-uploads/
    js in image.jpg file
    js in image.jpg file

  66. (image-only slide)

  67. Does your server set the right Content-Type for scripts and styles?

  68. Yes?

  69. This is “easy” - you can add:
    X-Content-Type-Options: nosniff
    across your entire server.

  70. X-Content-Type-Options is the first recommended fix, because it’s easier than others …

  71. No?

  72. Do you need to support old IE browsers?
    • No?
      • add X-Content-Type-Options: nosniff
    • Yes?
      • Sorry to hear that
      • Does your site need to render user uploads in pages?
        • No? add X-Content-Type-Options: nosniff
        • Yes?
          • Sorry again …

  73. This is how improving your security works

  74. 1. Find a potential vulnerability
    2. Learn about the potential attack(s)
    3. Determine how much it affects your code specifically
    4. Make an appropriate fix
    5. Repeat

  75. So, what’s next for itdashboard.gov?

  76. Normally, you would make the recommended fix …

  77. (image-only slide)

  78. And then

  79. But since GSA won’t give us access to deploy code on itdashboard.gov …

  80. Let’s just check out the other tests in the report …

  81. (image-only slide)
  82. (image-only slide)

  83. X-XSS-Protection

  84. (image-only slide)
  85. (image-only slide)

  86. But what does it actually do?

  87. (image-only slide)

  88. https://itdashboard.gov/?param=alert(1)

  89. X-XSS-Protection: 1; mode=block

  90. https://itdashboard.gov/?param=alert(1)

  91. (image-only slide)

  92. You might as well take care of older browser users
    (they need all the help they can get!)

  93. Do you need to render HTML from url params?
    • No?
      • add X-XSS-Protection: 1; mode=block
    • Yes?
      • No you don’t. add X-XSS-Protection: 1; mode=block
      • For real you do?
        • No, for real you don’t.

  94. (image-only slide)

  95. Observatory Command-Line Interface

  96. npm install observatory-cli

  97. observatory itdashboard.gov --zero --format=report

  98. (image-only slide)

  99. So, same tests and results

  100. Note: no “Recommendation”

  101. But you could put this in your CI pipeline to scan a dev or stage site on every code change

  102. And you can make CI fail if the score drops below a certain level

  103. (image-only slide)

  104. Observatory API

  105. https://github.com/mozilla/http-observatory/blob/master/httpobs/docs/api.md

  106. https://http-observatory.security.mozilla.org/api/v1
    • POST /analyze?host=itdashboard.gov
      • hidden=true&rescan=true
    • GET /analyze?host=itdashboard.gov
      • returns a “scan object” with a scan ID
    • GET /getScanResults?scan=
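Slides 101 to 106 describe the CI gate (fail the build when the score drops) and the three API calls that make it possible. The following is an added example, not code from the deck or from the http-observatory project: a Node client that issues the POST and GET calls listed on slide 106 against the v1 base URL on the slide, polls the scan object until it reaches a final state, fetches the per-test results, and returns a pass/fail verdict for CI. The `fetchImpl` and `sleep` parameters are injectable so the logic can run offline against a constructed stand-in for the service; the field names `state`, `score`, `grade`, `scan_id`, `name` and `pass` follow the API document linked on slide 105, and the sample scan (score 40, two failing tests) is constructed.

```javascript
const API_BASE = 'https://http-observatory.security.mozilla.org/api/v1';
const FINAL_STATES = new Set(['FINISHED', 'FAILED', 'ABORTED']);
const defaultSleep = ms => new Promise(resolve => setTimeout(resolve, ms));

// POST /analyze starts a scan (hidden from the public list, forcing a rescan),
// then GET /analyze is polled until the scan object reaches a final state.
async function analyze(host, { fetchImpl = globalThis.fetch, apiBase = API_BASE, pollMs = 1000, maxPolls = 60, sleep = defaultSleep } = {}) {
  const url = `${apiBase}/analyze?host=${encodeURIComponent(host)}`;
  let scan = await (await fetchImpl(url, {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: 'hidden=true&rescan=true',
  })).json();
  for (let i = 0; i < maxPolls && !FINAL_STATES.has(scan.state); i++) {
    await sleep(pollMs);
    scan = await (await fetchImpl(url)).json();
  }
  return scan;
}

// GET /getScanResults?scan=<id> returns one entry per test, each with a `pass` flag.
async function getScanResults(scanId, { fetchImpl = globalThis.fetch, apiBase = API_BASE } = {}) {
  return (await fetchImpl(`${apiBase}/getScanResults?scan=${encodeURIComponent(scanId)}`)).json();
}

// Pure CI gate: pass only for a finished scan that scored at least minScore.
function gate(scan, minScore) {
  if (scan.state !== 'FINISHED') return { ok: false, reason: `scan ended in state ${scan.state}` };
  if (scan.score < minScore) return { ok: false, reason: `score ${scan.score} is below the minimum ${minScore}` };
  return { ok: true, reason: `score ${scan.score}, grade ${scan.grade}` };
}

// Full CI check: run the scan, apply the gate, and list the failing test names
// so the build log says what to fix next.
async function ciCheck(host, minScore, opts = {}) {
  const scan = await analyze(host, opts);
  const verdict = gate(scan, minScore);
  let failing = [];
  if (scan.state === 'FINISHED') {
    const results = await getScanResults(scan.scan_id, opts);
    failing = Object.values(results).filter(t => !t.pass).map(t => t.name);
  }
  return { ...verdict, score: scan.score, failing };
}

// Constructed stand-in for the service so the example runs offline: the POST
// answers PENDING, the first poll answers FINISHED with a score of 40, and the
// results list two failing tests and one passing one.
function makeFakeFetch() {
  let polls = 0;
  const pending = { scan_id: 12345, state: 'PENDING', score: 0, grade: null };
  const results = {
    'x-content-type-options': { name: 'x-content-type-options', pass: false },
    'x-xss-protection': { name: 'x-xss-protection', pass: false },
    redirection: { name: 'redirection', pass: true },
  };
  return async (url, init = {}) => {
    let body;
    if (url.includes('/analyze')) {
      if (init.method !== 'POST') polls += 1;
      body = polls >= 1 ? { ...pending, state: 'FINISHED', score: 40, grade: 'D' } : pending;
    } else if (url.includes('/getScanResults')) {
      body = results;
    } else {
      body = { error: 'unknown endpoint' };
    }
    return { ok: true, json: async () => body };
  };
}

module.exports = { analyze, getScanResults, gate, ciCheck, makeFakeFetch };
```

In a pipeline step you would call `ciCheck('dev.example.test', 70).then(v => { console.log(v); process.exit(v.ok ? 0 : 1); })` (the host name is a placeholder) against the real service, so a drop below the agreed minimum fails the build and the `failing` list points at the tests to read up on, which is the CLI's report minus the "Recommendation" column. The `maxPolls` bound keeps a stuck scan from hanging the pipeline.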

  107. Now, let’s scan ALL the GSA sites in scope …

  108. (image-only slide)
  109. (image-only slide)

  110. ⚠ Disclaimer: don’t be evil ⚠

  111. You should only use security scanning and testing tools with permission

  112. Questions
    • Mozilla Observatory
    • Website
    • Command-line tool
    • API
    • 3rd-party scans
    • What else?

  113. Appendix

  114. (image-only slide)
  115. (image-only slide)
  116. (image-only slide)
  117. (image-only slide)
  118. (image-only slide)
  119. (image-only slide)

  120. So, let’s go see where itdashboard.gov might be vulnerable?

  121. (image-only slide)

  122. View source …

  123. (image-only slide)

  124. src="http://
    Phrase not found 🤔

  125. (image-only slide)

  126. “or use protocol-relative URLs” like
    src="//

  127. (image-only slide)

  128. So, if someone accessed this page via insecure http:// , we could hack the script

  129. But, if someone accessed this page via insecure http:// , we could just hack the page

  130. So when would this ever be a real problem?

  131. When would someone ever access this page over insecure http:// ? 🙋

  132. What if someone types “itdashboard.gov” without https?

  133. What if another page links to “itdashboard.gov” without https?

  134. When would someone run this page over insecure http:// ?

  135. When would someone run this page at http://127.0.0.1 ?

  136. (image-only slide)
  137. (image-only slide)
  138. (image-only slide)

  139. Content Security Policy … what’s that?

  140. Insert lots of content about CSP