Mozilla Observatory First Draft

luke crouch

March 15, 2021

Transcript

  1. Luke Crouch: For learning and doing web app security
  2. Me: Luke Crouch • Privacy & Security Engineer, Mozilla • Board member, Techlahoma Foundation • I’ve had 4 cups of coffee already ☕ ☕ ☕ ☕
  3. This talk • 112 slides in ~15m • Mozilla Observatory • Website • Command-line tool • API • Questions
  4. How many of you use a tool to scan your web site or app for security issues? 🙋
  5. In Mozilla research, 16% say Yes (n=1,181 web engineers; *old data)
  6. In Mozilla research, 47% say No (n=1,181 web developers; *old data)
  7. Why don’t you use something to scan your web site or app?
  8. 40% say: I don’t need it
  9. Can’t have security vulnerabilities … … if you don’t know about your security vulnerabilities.
  10. 17% say they “need to” use a tool
  11. THANK YOU!
  12. Because even if your app or site may not seem like a target …
  13. Your users may be re-using their password …
  14. • their bank • their PayPal • their workplace • their healthcare provider • their password manager (!) • their computer • etc. • their email • which gives an attacker access to all of those others!
  15. So if your app is hacked, their other accounts could get hacked too.
  16. Next (rhetorical) question …
  17. Which of the following security tech applies to your code? • Mixed Content • Subresource Integrity • Cross-Origin Resource Sharing • Cookies • Secure • HttpOnly • Content Security Policy • HTTP Strict Transport Security • Redirections • Referrer Policy • X-Frame-Options • X-XSS-Protection • X-Content-Type-Options
  18. 🤷🤷
  19. Which of the following security tech applies to your code? • Mixed Content • Subresource Integrity • Cross-Origin Resource Sharing • Cookies • Secure • HttpOnly • Content Security Policy • HTTP Strict Transport Security • Redirections • Referrer Policy • X-Frame-Options • X-XSS-Protection • X-Content-Type-Options
  20. How do you know what you need to know?
  21. Luke Crouch: For learning and doing web app security
  28. Observatory helps me focus on learning the most important security for my code right now.
  29. Because the reason most of us don’t do all this … • Mixed Content • Subresource Integrity • Cross-Origin Resource Sharing • Cookies • Secure • HttpOnly • Content Security Policy • HTTP Strict Transport Security • Redirections • Referrer Policy • X-Frame-Options • X-XSS-Protection • X-Content-Type-Options
  30. we don’t have time to do it all.
  31. But, there’s plenty of “quick wins” you can get with a little bit of time
  32. So, let’s get started …
  33. ⚠ Disclaimer: don’t be evil ⚠
  34. You should only use security scanning and testing tools with permission
  35. So … don’t go scan a bunch of government websites
  36. Now … let’s go scan a bunch of government websites
  37. hackerone.com
  41. So basically, GSA gives permission to scan some sites, within certain scope and under certain conditions
  43. Let’s try the first one on the list: itdashboard.gov
  48. Loading external scripts over (insecure) HTTP - WCGW? 🤷
  51. https://itdashboard.gov <html> <head> … <script src="http://ajax.googleapis.com/…"></script> … </head> … </html>
  52. https://itdashboard.gov <script src="http://ajax.googleapis.com/…"></script> HTTP HTTP
  55. https://itdashboard.gov <html> <head> … <script src="http://ajax.googleapis.com/…"></script> … </head> … </html>
  57. https://itdashboard.gov <html> <head> <script src="http://ajax.googleapis.com/…" integrity="sha384-R4/ztc4ZlRqWjqIuvf6RX5yb/v90qNGx6fS48N0tRxiGkqveZETq72KgDVJCp2TC"> </script> </head> </html>
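Slides 51 to 57 show the two things Observatory flags on the page: a script fetched over plain http from an https page, and the integrity attribute that Subresource Integrity adds so the browser can refuse a tampered copy. The Python below is an added example, not code from the talk or from the Observatory project. It classifies every external script in a page by how it would be fetched (explicit http, https, protocol-relative //, or same-origin), then computes and verifies an SRI integrity value the way a browser does before executing the script. The HTML, the example.test hosts and the script body are constructed samples; the integrity value it produces comes from that constructed body, not from slide 57.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import urlsplit

# Constructed sample page modelled on the slide 51/57 snippet (not the real
# itdashboard.gov source): one script over plain http, one protocol-relative,
# one https with an integrity attribute, one same-origin path, one inline.
SAMPLE_HTML = """<html><head>
<script src="http://ajax.googleapis.com/example/lib.js"></script>
<script src="//cdn.example.test/vendor.js"></script>
<script src="https://cdn.example.test/app.js" integrity="sha384-placeholder"></script>
<script src="/static/site.js"></script>
<script>console.log("inline");</script>
</head><body></body></html>"""

SCRIPT_TAG = re.compile(r"<script\b[^>]*>", re.IGNORECASE)
ATTRIBUTE = re.compile(r'([\w-]+)\s*=\s*"([^"]*)"')


def classify_scripts(html, page_scheme="https"):
    """Return (src, transport, has_integrity) for every external script.

    transport is 'insecure' when the script would be fetched over plain HTTP:
    an explicit http:// URL, or a protocol-relative // URL on a page that is
    itself loaded over http. Relative paths inherit the page's own transport.
    """
    findings = []
    for match in SCRIPT_TAG.finditer(html):
        attrs = dict(ATTRIBUTE.findall(match.group(0)))
        src = attrs.get("src")
        if src is None:
            continue  # inline script: no subresource fetch at all
        scheme = urlsplit(src).scheme.lower()
        if scheme == "http":
            transport = "insecure"
        elif scheme == "https":
            transport = "secure"
        elif src.startswith("//"):  # protocol-relative: inherits the page scheme
            transport = "secure" if page_scheme == "https" else "insecure"
        else:  # relative path: same origin and same transport as the page
            transport = "same-origin"
        findings.append((src, transport, "integrity" in attrs))
    return findings


def sri_hash(content, algo="sha384"):
    """Integrity attribute value for a resource body, e.g. 'sha384-<base64
    digest>', computed the way the browser does before running the script."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(content, integrity):
    """Browser-style check: the attribute may list several hashes, and the
    fetched body is accepted if it matches any of them. Unknown algorithms are
    ignored rather than treated as a match."""
    for token in integrity.split():
        algo = token.partition("-")[0].lower()
        if algo not in ("sha256", "sha384", "sha512"):
            continue
        if hmac.compare_digest(sri_hash(content, algo), token):
            return True
    return False


if __name__ == "__main__":
    for src, transport, has_sri in classify_scripts(SAMPLE_HTML):
        print(f"{transport:12} sri={'yes' if has_sri else 'no':3} {src}")
    body = b"console.log('constructed vendor script');"  # constructed body
    print("integrity for the constructed body:", sri_hash(body))
```

Running the script with `page_scheme="http"` is the appendix's point: the protocol-relative script is fine on https and insecure the moment the same page is served over http, including at http://127.0.0.1 during development.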
  64. https://www.keycdn.com/support/what-is-mime-sniffing
  65. https://itdashboard.gov <script src="/user-uploads/image.jpg"></script> /user-uploads/ js in image.jpg file
  67. Does your server set the right Content-Type for scripts and styles?
  68. Yes?
  69. This is “easy” - you can add: X-Content-Type-Options: nosniff across your entire server.
  70. X-Content-Type-Options is the first recommended fix, because it’s easier than others …
  71. No?
  72. Do you need to support old IE browsers? • No? • add X-Content-Type-Options: nosniff • Yes? • Sorry to hear that • Does your site need to render user uploads in pages? • No? add X-Content-Type-Options: nosniff • Yes? • Sorry again …
  73. This is how improving your security works
  74. 1. Find a potential vulnerability
      2. Learn about the potential attack(s)
      3. Determine how much it affects your code specifically
      4. Make an appropriate fix
      5. Repeat
  75. So, what’s next for itdashboard.gov?
  76. Normally, you would make the recommended fix …
  78. And then
  79. But since GSA won’t give us access to deploy code on itdashboard.gov …
  80. Let’s just check out the other tests in the report
  83. X-XSS-Protection
  86. But what does it actually do?
  88. https://itdashboard.gov/?param=<script>alert(1)</script> <html> <head><title>…</title></head> <body> <?php echo $_GET['param'] ?> </body> </html>
  89. X-XSS-Protection: 1; mode=block
  90. https://itdashboard.gov/?param=<script>alert(1)</script> <html> <head><title>…</title></head> <body> <?php echo $_GET['param'] ?> </body> </html>
  92. You might as well take care of older browser users (they need all the help they can get!)
  93. Do you need to render HTML from url params? • No? • add X-XSS-Protection: 1; mode=block • Yes? • No you don’t. add X-XSS-Protection: 1; mode=block • For real you do? • No, for real you don’t.
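Slides 67 to 72 and 88 to 93 each end in one header value, and the talk's whole pitch is that a scanner tells you whether it is there. The Python below is an added example, not the talk's code and not the Observatory project's own tests (Observatory has its own checks for these headers, with its own result names): it reads a response's X-Content-Type-Options and X-XSS-Protection values the way the two decision trees describe, and for the PHP sink on slide 88 it shows the output encoding that makes a url param safe to reflect at all. The X-XSS-Protection header only affects browsers that still ship the legacy XSS filter, which is why slide 92 frames it as a fix for older browser users. The header set and the result labels are constructed for this example.

```python
import html

# Constructed headers for a fictional https://example.test response (not real
# itdashboard.gov output). Header names are case-insensitive and so is the
# nosniff token, so every check normalises case before comparing.
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Content-Type-Options": "NOSNIFF",
    "X-XSS-Protection": "1; mode=block",
}


def header_value(headers, name):
    """Case-insensitive header lookup; None when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def check_nosniff(headers):
    """Slide 69/72: the fix is 'X-Content-Type-Options: nosniff'. The result
    labels ('pass', 'missing', 'invalid') are this example's own."""
    value = header_value(headers, "X-Content-Type-Options")
    if value is None:
        return "missing"
    return "pass" if value.lower() == "nosniff" else "invalid"


def check_xss_protection(headers):
    """Slide 89/93: the recommended value is '1; mode=block'. '0' turns the
    legacy browser filter off, a bare '1' filters without blocking the page,
    and a malformed directive (e.g. a typo for mode=block) is invalid."""
    value = header_value(headers, "X-XSS-Protection")
    if value is None:
        return "missing"
    directives = [d.strip().lower() for d in value.split(";") if d.strip()]
    if not directives or directives[0] not in ("0", "1"):
        return "invalid"
    if directives[0] == "0":
        return "disabled"
    block = False
    for extra in directives[1:]:
        if extra == "mode=block":
            block = True
        elif not extra.startswith("report="):
            return "invalid"  # e.g. 'mode-block': no browser honours it
    return "pass" if block else "enabled-without-block"


def audit(headers):
    """Both header checks in one dict, the way a report row would read."""
    return {
        "x-content-type-options": check_nosniff(headers),
        "x-xss-protection": check_xss_protection(headers),
    }


def render_param(param):
    """The PHP on slide 88 echoes $_GET['param'] raw into the body, so
    ?param=<script>... becomes markup. Escaping at the output point turns it
    into text; the X-XSS-Protection header is a backstop for older browsers,
    not a substitute for this."""
    body = html.escape(param, quote=True)
    return f"<html><head><title>demo</title></head><body>{body}</body></html>"


if __name__ == "__main__":
    print(audit(SAMPLE_HEADERS))
    print(render_param("<script>alert(1)</script>"))
```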
  95. Observatory Command-Line Interface
  96. npm install observatory-cli
  97. observatory itdashboard.gov --zero --format=report
  99. So, same tests and results
  100. Note: no “Recommendation”
  101. But you could put this in your CI pipeline to scan a dev or stage site on every code change
  102. And you can make CI fail if the score drops below a certain level
  104. Observatory API
  105. https://github.com/mozilla/http-observatory/blob/master/httpobs/docs/api.md
  106. https://http-observatory.security.mozilla.org/api/v1 • POST /analyze?host=itdashboard.gov • hidden=true&rescan=true • GET /analyze?host=itdashboard.gov • returns a “scan object” with a scan ID • GET /getScanResults?scan=<scan ID>
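Slides 101 to 106 describe the CI use: start a scan on every change and fail the build when the score drops below a threshold. The Python below is an added example, not the project's own client or CLI. The base URL, the two /analyze calls, the hidden/rescan form fields and the /getScanResults call are the ones listed on slide 106; the scan-object field names (score, grade, scan_id, state) and the state value FINISHED are assumptions taken from the api.md document linked on slide 105 and should be confirmed against it. make_fake_fetch is a constructed offline stand-in for the HTTP transport so the gate logic can be exercised without scanning anything.

```python
import json
import time
from urllib.parse import urlencode
from urllib.request import Request, urlopen

API = "https://http-observatory.security.mozilla.org/api/v1"  # base URL from slide 106


def http_json(method, url, body=None):
    """Real transport: send the request and decode the JSON response body."""
    data = body.encode("ascii") if body is not None else None
    req = Request(url, data=data, method=method)
    if data is not None:
        req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urlopen(req, timeout=30) as resp:
        return json.load(resp)


def start_scan(host, fetch=http_json, rescan=True):
    """POST /analyze?host=<host> with hidden=true&rescan=true (slide 106)."""
    body = urlencode({"hidden": "true", "rescan": "true" if rescan else "false"})
    return fetch("POST", f"{API}/analyze?{urlencode({'host': host})}", body)


def wait_for_scan(host, fetch=http_json, attempts=30, delay=2.0, sleep=time.sleep):
    """Poll GET /analyze?host=<host> until the scan object reports a final
    state. The 'state' field and its FINISHED/FAILED/ABORTED values are
    assumed from api.md."""
    for _ in range(attempts):
        scan = fetch("GET", f"{API}/analyze?{urlencode({'host': host})}")
        state = scan.get("state")
        if state == "FINISHED":
            return scan
        if state in ("FAILED", "ABORTED"):
            raise RuntimeError(f"scan ended in state {state}")
        sleep(delay)
    raise TimeoutError(f"scan of {host} did not finish after {attempts} polls")


def get_results(scan_id, fetch=http_json):
    """GET /getScanResults?scan=<scan ID>: per-test results of a finished scan."""
    return fetch("GET", f"{API}/getScanResults?{urlencode({'scan': scan_id})}")


def gate(scan, min_score):
    """Slide 102: fail CI when the score drops below the threshold.
    Returns (ok, message); 'score' and 'grade' are assumed from api.md."""
    score = scan["score"]
    ok = score >= min_score
    verdict = "PASS" if ok else "FAIL"
    return ok, f"{verdict}: score {score} (grade {scan.get('grade')}), threshold {min_score}"


def run_gate(host, min_score, fetch=http_json, sleep=time.sleep):
    """Exit-code style result for a CI step: (0 or 1, message, scan_id)."""
    start_scan(host, fetch)
    scan = wait_for_scan(host, fetch, sleep=sleep)
    ok, message = gate(scan, min_score)
    return (0 if ok else 1), message, scan.get("scan_id")


def make_fake_fetch(final_score, grade, pending_polls=2):
    """Constructed offline stand-in for http_json: records every call, answers
    the POST with a pending scan, reports RUNNING for a few polls, then
    returns a FINISHED scan object with the given score and grade."""
    calls = []
    polls = {"n": 0}

    def fetch(method, url, body=None):
        calls.append((method, url, body))
        if method == "POST":
            return {"scan_id": 1, "state": "PENDING"}
        polls["n"] += 1
        if polls["n"] <= pending_polls:
            return {"scan_id": 1, "state": "RUNNING"}
        return {"scan_id": 1, "state": "FINISHED", "score": final_score, "grade": grade}

    return fetch, calls


if __name__ == "__main__":
    import sys
    host, threshold = sys.argv[1], int(sys.argv[2])  # e.g. staging host and 50
    code, message, _ = run_gate(host, threshold)
    print(message)
    sys.exit(code)
```

In a pipeline the script runs as `python gate.py <staging host> <minimum score>` and its exit code fails the job; rescan=true matters there, otherwise the API hands back the cached result from the previous run and the gate never sees the new code.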
  107. Now, let’s scan ALL the GSA sites in scope …
  110. ⚠ Disclaimer: don’t be evil ⚠
  111. You should only use security scanning and testing tools with permission
  112. Questions • Mozilla Observatory • Website • Command-line tool • API • 3rd-party scans • What else?
  113. Appendix
  120. So, let’s go see where itdashboard.gov might be vulnerable?
  122. View source …
  124. src="http:// Phrase not found 🤔
  126. “or use protocol-relative URLs” like src="//
  128. So, if someone accessed this page via insecure http://, we could hack the script
  129. But, if someone accessed this page via insecure http://, we could just hack the page
  130. So when would this ever be a real problem?
  131. When would someone ever access this page over insecure http://? 🙋
  132. What if someone types “itdashboard.gov” without https?
  133. What if another page links to “itdashboard.gov” without https?
  134. When would someone run this page over insecure http://?
  135. When would someone run this page at http://127.0.0.1?
  139. Content Security Policy … what’s that?
  140. Insert lots of content about CSP