• Mitigates well known attacks • Ease of use • Library support • Can be added through config • Or a single line of code when generating a web response • Low cost • CSP can be more challenging, might require rewrite of existing applications 4
request is included in the response • Persistent • Attacker is able to store the attack server side, the stored attack is later included in response(s) • DOM based • Does not involve the server, happens on the client side - XSS (Cross Site Scripting) Prevention Cheat Sheet - OWASP Top 10 for JavaScript – A2: Cross Site Scripting – XSS 6
your webpages can be loaded from • Restrictions on script execution • Headers • Content-Security-Policy – enforces policy • Content-Security-Policy-Report-Only – Won’t break your site, but reports • Supported in Opera 29, Chrome 25, Firefox 31, Safari 7, iOS Safari 7.1, (Android/Chrome) • Support underway in Edge! • Comes in «two versions» • CSP 1.0, supported by most browsers (not IE, coming in Edge) • CSP level 2 is “brand new”, so partial support in browsers (Opera, Chrome, Firefox) 7 http://www.w3.org/TR/CSP1/ http://www.w3.org/TR/CSP2/
“nested browsing contexts” (e.g. iframe) and Worker execution contexts. • Replaces frame-src from CSP 1.0 • frame-src - now deprecated • form-action • frame-ancestors – Intended to replace X-Frame-Options • plugin-types – Whitelists media types for <embed> and <object> • sandbox – mandatory support (was optional in CSP 1.0) • report-uri — Relative or absolute URL where CSP violations can be reported 10
Sources not listed fall back to 'self‘ (style-src, img-src…) • script-src is defined, overrides default-src • In effect, stylesheets, images, flash animations, Java applets etc can only be loaded from the same origin as the page • This policy denies inline scripts and CSS! 13
inline script/style benefit from CSP 2.0 • Nonce – “number once” • Nonces are used to whitelist inline scripts and styles • Nonce included in header and in script element: <script nonce=“somenonce”> • Prevents XSS – attacker must guess correct nonce in header to inject valid content • Hashes • Content-Security-Policy: script-src 'sha256-qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng=‘ • Lets this execute: <script>alert('Hello, world.');</script>
CSP header • Must be a relative or absolute URI • Posts JSON violation reports • Content-Security-Policy-Report-Only • Will not block scripts or resources violating the policy • Will report them to the web application 15
an iframe • The iframe is invisible, and positioned in front of something the user is likely to click on • The user clicks on what appears to be an element on the malicious site • The user really clicks in the iframe, triggering some operation on the vulnerable site 18
specify an URL with an anchor when loading an iFrame • Browsers would scroll to the anchor tag, or the html element with the relevant id attribute • This scrolling could be detected with JavaScript • Note: This was later fixed in browsers 20
Instructs the browser to not display the page in a frame • When the page isn’t displayed, there’s nothing to click on! • Browser support: Opera 10.5, Chrome 4.1, IE 8, Firefox 3.6.9, Safari 4 • Always send the header unless you intend to be “iframed” • Mitigates the entire class of iframe attacks • MVC 5 protection is tied to AntiForgery (CSRF) • Remember: The request is still sent to — and prosessed by — the web server! 21
the confidentiality and integrity of the communication with a browser • For usability, "secure" websites are still accessible through insecure channels (HTTP on port 80) • They’ll redirect the user to HTTPS • User enters www.onlinebank.com — and is redirected to https://www.onlinebank.com • The very first request is insecure, and open to attack! • SSL stripping is a middleperson attack • Attacker keeps the victim on HTTP, but passes requests on over HTTPS to the target website • Practical attack demoed at Black Hat in 2009 (sslstrip) http://www.thoughtcrime.org/software/sslstrip/ 25
Use) • Strict-Transport-Security: max-age=31536000; includeSubdomains • Max-age specifies for how many seconds the policy should be in effect • includeSubDomains — optional • Instructs the browser to only communicate to that hostname over SSL/TLS • Fails hard on certificate errors • Browser support: Chrome 4+, Firefox 4+, Opera 12, Safari • IE 11 added support last patch tuesday! 29 - XSS (Cross Site Scripting) Prevention Cheat Sheet - OWASP Top 10 for JavaScript – A2: Cross Site Scripting – XSS
“preload” directive • Strict-Transport-Security: max-age=31536000; includeSubdomains; preload • Lets you register your domain as “HSTS-always” • Max-age must be 18 weeks • Must include “includeSubdomains” token • Must include (new) “preload” token • Submit your site at: https://hstspreload.appspot.com • Preload list is used by Opera, Chrome, Firefox, and IE • Demo
of trusted CA certificates • A cert issued by ANY of these CA’s for your site -> trusted by browser • One compromised CA -> most sites on the web can be impersonated in a middleperson attack • Famous example, Diginotar (2011). • Fraudulent certs for google services, Yahoo!, Mozilla, Wordpress, The Tor project • Google detected fraudulent certs due to their built-in pinning in Chrome • Diginotar trust revoked by all browser -> Diginotar out of business 33
Use) • Public-Key-Pins: max-age=3000; pin-sha256="d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM="; pin-sha256="E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g=" • Pin value: the hash over the Subject Public Key Info element in the certificate -> identifies the key type and the public key • Browser checks site’s certificate chain • TLS connection fails if none of the certs have a pinned key • Browser support: Chrome, (Opera?), Firefox. Edge «under consideration» - http://tools.ietf.org/html/rfc7469
“public trust anchors” • This means the stock list of CA’s in your browser • Pinning certs with “private trust anchors” are not supported • Reasoning is that these are “friendly middlepersons” • “Data loss prevention appliances” • Firewalls • Content filters • Fortunately, this setting can be overridden in Firefox, enables internal testing
be valid • You pin the public key for (at least) one active certificate • MUST provide at least one backup pin • Securely stored (offline) certificate/csr for disaster recovery • Do this wrong, and you shoot yourself in the foot
security headers through • Web.config (HTTPModule) • OWIN middleware • MVC filter attributes • Set global policy by web.config or middleware • Full or partial override through attributes • Validates configuration • Sets syntactically correct headers - a simple typo voids protection • Particularly useful for CSP
• http://www.dotnetnoob.com/2012/09/security-through-http-response-headers.html • The NWebsec security library for ASP.NET • https://github.com/NWebsec/NWebsec • https://www.nuget.org/packages?q=nwebsec • The application used for demo here • https://github.com/klings/NDC-Oslo-2015 43