Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Increasing web apps security with the power of http headers

Increasing web apps security with the power of http headers

Nowadays everyone uses web browsers on a daily basis for various tasks such as reading emails or purchasing on ecommerce portals. Web developers often forget that a browser is a piece of software that can be used as remote code execution engine, an can be used to inject malicious code either by exploiting an Cross-Site Scripting (XSS) vulnerability or by executing a MITM attack. The focus of this talk is to explain how new browser headers (HSTS, HPKP, CSP) can help to easily add an extra layer of security in order to defend against common web security vulnerabilities. These could be the talking points: -Introduction about web browsers security,explaining why secure transport is important and what HTTPS provides in terms of confidentiality, authenticity and integrity -Analyze new headers, such as HTTP Strict Transport Security (HSTS), HTTP Public Key Pinning (HPKP) and Content Security Policy (CSP),explaining how they work for avoid HTTPS,XSS and Clickjacking attacks.

7c4b1ae16723b56facc7a8a8f95aa6ce?s=128

jmortegac

May 12, 2017
Tweet

More Decks by jmortegac

Other Decks in Programming

Transcript

  1. None
  2. None
  3. Increasing web apps security with the power of http headers

  4. Agenda HTTP Strict Transport Security (HSTS) HTTP Public Key Pinning

    (HPKP) Content Security Policy (CSP)
  5. HSTS • The browser strictly upgrades the connection to HTTPS

    protocol • Avoid MITM attacks that try intercept the initial HTTP request • SSLStripping attacks
  6. SSLStrip

  7. HSTS

  8. HSTS server { listen 443 ssl; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains"

    always; # This 'location' block inherits the STS header location / { root /usr/share/nginx/html; } }
  9. HSTS Directives • max-age tells user-agent how long to cache

    the STS setting in seconds • includeSubDomains tells user-agent to include any subdomains
  10. chrome://net-internals/#hsts

  11. http://caniuse.com/#feat=stricttransportsecurity

  12. HTTPS Everywhere plugin • Redirects users to HTTPS version of

    the site • https://www.eff.org/https-everywhere • Available for Chrome,Firefox,Opera
  13. HPKP • Certificate Pinning is a security mechanism which allows

    HTTPS websites to resist impersonation by attackers using mis-issued or otherwise fraudulent certificates • The HTTPS web server serves a list of public key hashes, and on subsequent connections clients expect that server to use one or more of those public keys in its certificate chain.
  14. HPKP • Minimize MITM attacks by pinning certificate • The

    pin is saved by the browser in the first request and in next requests this pin is used to verify the public key • In this way we can check that the certificate has not been altered
  15. HPKP add_header Public-Key-Pins: 'pin-sha256="vDGd5BIsPtpEDVrOzMypcp9CjSQ8QIiIQq6i Rg59UOg="; pin-sha256="Mfyz5Zy4hGa1yrs93hMGGPo57r42fM+mttvE mHuXIdI="; max-age=60; includeSubdomains;

  16. HPKP • Decide which certificate's public keys you will pin

    • Create SHA-256 hashes for the public keys • Set your site to send a header with the pins • Visit your site multiple times to verify that you are not blocked • Check chrome://net-internals/#hsts and query your domain to verify that the pins are stored • Verify dynamic_pkp_observed and dynamic_spki_hashes
  17. HPKP

  18. None
  19. HPKP • PinPatrol firefox plugin • Check HSTS and HPKP

    headers
  20. None
  21. CSP • Helps to detect and mitigate data injection attacks

    such as XSS • Prevent XSS, clickjacking, code injection attacks
  22. CSP • Load everything from the same origin • 'self'

    --> Content of this type can only be loaded from the same origin • add_header Content-Security-Policy "default-src 'self';";
  23. CSP Source expressions

  24. https://csp-evaluator.withgoogle.com/

  25. http://cspisawesome.com/

  26. Conclusions • HSTS assures that the browser won’t open unencrypted

    HTTP requests to your domain • HPKP assures that nobody can exchange your certificate as a man-in-the-middle.
  27. More headers • X-XSS-Protection:Enables Web Browser’s self XSS (Cross-site-scripting) attack

    protection mechanism • X-Frame-Options:Provides protection against Clickjacking / UI Redress attacks. • X-Content-Type-Options:Used to prevent MIME content-sniffing attacks.
  28. • curl --head <domain>

  29. • Helmet module

  30. References • https://securityheaders.io • https://www.ssllabs.com/ssltest • https://www.chromium.org/hsts • https://hstspreload.org •

    https://www.owasp.org/index.php/HTTP_St rict_Transport_Security_Cheat_Sheet
  31. PinPatrol firefox plugin

  32. • https://observatory.mozilla.org/

  33. • https://report-uri.io

  34. Thank you! @jmortegac jmortega.github.io about.me/jmortegac