Mozilla Observatory First Draft

Transcript

1. Luke Crouch For learning and doing web app security

2. Me Luke Crouch • Privacy & Security Engineer,
 Mozilla •

   Board member,
 Techlahoma Foundation • I’ve had 4 cups of coffee already
 ☕ ☕ ☕ ☕

3. This talk • 112 slides in ~15m • Mozilla Observatory

   • Website • Command-line tool • API • Questions

4. How many of you use a tool to scan your

   web site or app for security issues? 🙋

5. In Mozilla research,
 16% say Yes n=1,181 web engineers *old

   data

6. In Mozilla research,
 47% say No n=1,181 web developers *old

   data

7. Why don’t you use something to scan your web site

   or app?

8. 40% say: I don’t need it

9. Can’t have security vulnerabilities … … if you don’t know

   about your security vulnerabilities.

10. 17% say they “need to” use a tool

11. THANK YOU!

12. Because even if your app or site may not seem

    like a target …

13. Your users may be re-using their password …

14. • their bank • their PayPal • their workplace •

    their healthcare provider • their password manager (!) • their computer • etc. • their email • which gives an attacker access to all of those others!

15. So if your app is hacked, their other accounts could

    get hacked too.

16. Next (rhetorical) question …

17. Which of the following security tech applies to your code?

    • Mixed Content • Subresource Integrity • Cross-Origin Resource Sharing • Cookies • Secure • HttpOnly • Content Security Policy • HTTP Strict Transport Security • Redirections • Referrer Policy • X-Frame-Options • X-XSS-Protection • X-Content-Type-Options

18. 🤷🤷

19. Which of the following security tech applies to your code?

    • Mixed Content • Subresource Integrity • Cross-Origin Resource Sharing • Cookies • Secure • HttpOnly • Content Security Policy • HTTP Strict Transport Security • Redirections • Referrer Policy • X-Frame-Options • X-XSS-Protection • X-Content-Type-Options

20. How do you know what you need to know?

21. Luke Crouch For learning and doing web app security

22. None
23. None
24. None
25. None
26. None
27. None

28. Observatory helps me focus on learning the most important security

    for my code right now.

29. Because the reason most of us don’t do all this

    … • Mixed Content • Subresource Integrity • Cross-Origin Resource Sharing • Cookies • Secure • HttpOnly • Content Security Policy • HTTP Strict Transport Security • Redirections • Referrer Policy • X-Frame-Options • X-XSS-Protection • X-Content-Type-Options

30. we don’t have time to do it all.

31. But, there’s plenty of “quick wins” you can get with

    a little bit of time

32. So, let’s get started …

33. ⚠ Disclaimer: don’t be evil ⚠

34. You should only use security scanning and testing tools with

    permission

35. So … don’t go scan a bunch of government websites

36. Now … let’s go scan a bunch of government websites

37. hackerone.com

38. None
39. None
40. None

41. So basically, GSA gives permission to scan some sites, within

    certain scope and under certain conditions
42. None

43. Let’s try the first one on the list: itdashboard.gov

44. None
45. None
46. None
47. None

48. Loading external scripts over (insecure) HTTP - WCGW? 🤷

49. None
50. None

51. https://itdashboard.gov <html> <head> … <script src=“http://ajax.googleapis.com/…”></script> … </head> … </html>

52. https://itdashboard.gov <script src=“http://ajax.googleapis.com/…”></script> HTTP HTTP

53. None
54. None

55. https://itdashboard.gov <html> <head> … <script src=“http://ajax.googleapis.com/…”></script> … </head> … </html>

56. None

57. https://itdashboard.gov <html> <head> <script src=“http://ajax.googleapis.com/…” integrity="sha384-R4/ztc4ZlRqWjqIuvf6RX5yb/v90qNGx6fS48N0tRxiGkqveZETq72KgDVJCp2TC" 
 > </script> </head>

    </html>
58. None
59. None
60. None
61. None
62. None
63. None

64. https://www.keycdn.com/support/what-is-mime-sniffing

65. https://itdashboard.gov <script src=“/user-uploads/image.jpg”></script> /user-uploads/ js in image.jpg file js in

    image.jpg file
66. None

67. Does your server set the right Content-Type for scripts and

    styles?

68. Yes?

69. This is “easy” - you can add: X-Content-Type-Options: nosniff across

    your entire server.

70. X-Content-Type-Options is the first recommended fix, because it’s easier than

    others …

71. No?

72. Do you need to support old IE browsers? • No?

    • add X-Content-Type-Options: nosniff • Yes? • Sorry to hear that • Does your site need to render user uploads in pages? • No? add X-Content-Type-Options: nosniff • Yes? • Sorry again …

73. This is how improving your security works

74. 1. Find a potential vulnerability
 2. Learn about the potential

    attack(s)
 3. Determine how much if affects your code specifically
 4. Make an appropriate fix
 5. Repeat

75. So, what’s next for itdashboard.gov ?

76. Normally, you would make the recommended fix …

77. None

78. And then

79. But since GSA won’t give us access to deploy code

    on itdashboard.gov …

80. Let’s just check out the other tests in the report

    …
81. None
82. None

83. X-XSS-Protection

84. None
85. None

86. But what does it actually do?

87. None

88. https://itdashboard.gov/?param=<script>alert(1)</script> <html> <head><title>…</title></head> <body> <?php echo $_GET[‘param’] ?> </body> </html>

89. X-XSS-Protection: 1; mode-block

90. https://itdashboard.gov/?param=<script>alert(1)</script> <html> <head><title>…</title></head> <body> <?php echo $_GET[‘param’] ?> </body> </html>

91. None

92. You might as well take care of older browser users

    (they need all they help they can get!)

93. Do you need to render HTML from url params? •

    No? • add X-XSS-Protection: 1; mode-block • Yes? • No you don’t. add X-XSS-Protection: 1; mode-block • For real you do? • No, for real you don’t.
94. None

95. Observatory Command-Line Interface

96. npm install observatory-cli

97. observatory itdashboard.gov --zero --format=report

98. None

99. So, same tests and results

100. Note: no “Recommendation”

101. But you could put this in your CI pipeline to

     scan a dev or stage site on every code change

102. And you can make CI fail if the score drops

     below a certain level
103. None

104. Observatory API

105. https://github.com/mozilla/http-observatory/blob/master/httpobs/docs/api.md

106. https://http-observatory.security.mozilla.org/api/v1 • POST /analyze?host=itdashboard.gov • hidden=true&rescan=true • GET /analyze?host=itdashboard.gov •

     returns a “scan object” with a scan ID • GET /getScanResults?scan=<scan ID>

107. Now, let’s scan ALL the GSA sites in scope …

108. None
109. None

110. ⚠ Disclaimer: don’t be evil ⚠

111. You should only use security scanning and testing tools with

     permission

112. Questions • Mozilla Observatory • Website • Command-line tool •

     API • 3rd-party scans • What else?

113. Appendix

114. None
115. None
116. None
117. None
118. None
119. None

120. So, let’s go see where itdashboard.gov might be vulnerable?

121. None

122. View source …

123. None

124. src=“http:// Phrase not found 🤔

125. None

126. “or use protocol-relative URLs” like src=“//

127. None

128. So, if someone accessed this page via insecure http:// ,

     we could hack the script

129. But, if someone accessed this page via insecure http:// ,

     we could just hack the page

130. So when would this ever be a real problem?

131. When would someone ever access this page over insecure http://

     ? 🙋

132. What if someone types “itdashboard.gov” without https?

133. What if another page links to “itdashboard.gov” without https?

134. When would someone run this page over insecure http:// ?

135. When would someone run this page at http://127.0.0.1 ?

136. None
137. None
138. None

139. Content Security Policy … what’s that?

140. Insert lots of content about CSP