Upgrade to Pro — share decks privately, control downloads, hide ads and more …

State of the Union: Advances in Web Application...

Ben Toews
May 19, 2013
Technology
2
91

State of the Union: Advances in Web Application and Browser Security

Mr. IETF, Mr. W3c, members of the information security community, distinguished developers, and fellow hackers, Ben Toews and Scott Behrens present to you a state of the web security union address.

We have seen a surge of proposed standards and governing documents to improve web security. Client side flaws are being addressed by standards such as content-security-policy and IFRAME sandboxing. Data in transit is being more tightly secured using HTTP Strict Transport Security. There is a plethora of technologies available like X-frame-options, ORIGIN header, encrypted media extensions, X-XSS-Protection? We look at the intricacies of the proposed and accepted standards as well as how they are implemented. Security considerations will be addressed for these technologies from a design perspective and with a discussion on any weaknesses observed. In addition, information will be presented that breaks down which browser versions support these technologies as well as estimates of the number of users who run compatible browsers.

Developers should leave this talk with knowledge of how these security technologies work and where they can be applied. Security engineers will have a clearer understanding of these security technologies including how and when to recommend them as well as some common pitfalls associated with them.

See the feature support visualizations at http://btoe.ws/browserstats

Ben Toews

May 19, 2013
Tweet

More Decks by Ben Toews

See All by Ben Toews
GitHub AppSec: Keeping up with 111 prolific engineers
mastahyeti
0
100
The sky is falling: Nephological tales of security woe
mastahyeti
0
30
CSP
mastahyeti
7
280

Other Decks in Technology

See All in Technology
Amazon_CloudWatch_ログ異常検出_導入ガイド
tsujiba
4
1.6k
ユーザーの購買行動モデリングとその分析 / dsc-purchase-analysis
cyberagentdevelopers
PRO
2
100
バクラクにおける可観測性向上の取り組み
yuu26
3
420
【若手エンジニア応援LT会】AWS Security Hubの活用に苦労した話
kazushi_ohata
0
170
Gradle: The Build System That Loves To Hate You
aurimas
2
150
プロポーザルのつくり方
〜個人技編〜 / How to come up with proposals
ohbarye
1
110
Aurora_BlueGreenDeploymentsやってみた
tsukasa_ishimaru
1
130
なんで、私がAWS Heroに!? 〜社外の広い世界に一歩踏み出そう〜
minorun365
PRO
6
1.1k
初心者に Vue.js を 教えるには
tsukuha
5
390
来年もre:Invent2024 に行きたいあなたへ - “集中”と“つながり”で楽しむ -
ny7760
0
480
生成AIとAWS CDKで実現! 自社ブログレビューの効率化
ymae
2
330
使えそうで使われないCloudHSM
maikamibayashi
0
170

Featured

See All Featured
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
46
2.1k
Documentation Writing (for coders)
carmenintech
65
4.4k
Build your cross-platform service in a week with App Engine
jlugia
229
18k
Designing the Hi-DPI Web
ddemaree
280
34k
Designing on Purpose - Digital PM Summit 2013
jponch
115
6.9k
How to Ace a Technical Interview
jacobian
275
23k
Writing Fast Ruby
sferik
626
61k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
31
2.7k
The World Runs on Bad Software
bkeepers
PRO
65
11k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
38
6.9k
Git: the NoSQL Database
bkeepers
PRO
425
64k
Thoughts on Productivity
jonyablonski
67
4.3k

Transcript

  1. State of the Union Advances In Web Application and Browser

    Security

  2. Scott Behrens *Yes this photo is Photoshopped*

  3. Ben Toews

  4. ⾠ problems

  5. No one is paying attention

  6. normal web stuff

  7. HTML5 STANDARDS Forked Subset HTML5 Maintain Living Standard of HTML5

    + = InConsist3nCieS

  8. ✓ solutions

  9. •HTTP Strict Transport Security •Cross Origin Resource Sharing •Content Security

    Policy •X-XSS-Protection •nosniff •Iframe Sandbox •X-Frame-Options •Web Crypto API Solutions:

  10. Fuckin Chartz !?!?!?

  11. HTTP Strict Transport Security:

  12. Why ? HTTP Strict Transport Security:

  13. APT CHINA http://fc05.deviantart.net/fs71/f/2012/268/e/7/chinese_flag_map_by_shitalloverhumanity-d5fv2cc.png HTTP Strict Transport Security:

  14. STR ICT http://www.jokeblogger.com/sites/default/files/up/148/images/nun_ruler.jpg HTTP Strict Transport Security:

  15. Strict-Transport-Security: max-age=3600000; includeSubDomains HTTP Strict Transport Security:

  16. Do it 1. Add header 2. ... 3. ... 4.

    Profit?!?! HTTP Strict Transport Security:

  17. Security Concerns? HTTP Strict Transport Security:

  18. Cross-origin Resource Sharing

  19. Cross-Origin Resource Sharing (CORS)

  20. Problem? XMLHttpRequest -> Another Domain DENIED

  21. Solution? XMLHttpRequest (with Origin Header) - > Another Domain Server

    responds with Access-Control-Allow-Origin: * ACCESS GRANTED

  22. Client Sends: Origin: http://www.bobsbacon.net Server Sends Access Control Access-Control-Allow-Origin: http://

    www.bobsbacon.net If client and server orgin don’t match DENY

  23. What about 's It's the same except Set this in

    XMLHttpRequest xhr.withCredentials = True Server needs to send the following: Access-Control-Allow-Credentials: true

  24. Access-Control-Allow-Origin (required) Access-Control-Allow-Credentials Access-Control-Expose-Headers MOAR HEADERS

  25. Simple request methods: GET POST HEAD Simple request headers: Accept

    Accept-Language Content-Language Content-Type (only the ones below): application/x-www-form-urlencoded multipart/form-data text/plain Last-Event-ID

  26. THINGS CAN GET COMPLICATED http://www.html5rocks.com/en/tutorials/cors/

  27. Non Simple Preflight ✈ request (permission check) Server sends permissions

    Then actual request

  28. Preflight http://www.html5rocks.com/en/tutorials/cors/

  29. Server Response http://www.html5rocks.com/en/tutorials/cors/

  30. Request http://www.html5rocks.com/en/tutorials/cors/

  31. Response http://www.html5rocks.com/en/tutorials/cors/

  32. Server didn't send a response? XMLHttpRequest cannot load http://api.alice.com. Origin

    http:// api.bob.com is not allowed by Access-Control-Allow-Origin.

  33. Doesn't do CORS by default so send XDomainRequest object Keep

    SCHEME the same (http/https) Be specific on browser version!

  34. Be careful with user-credentials header

  35. Security? BEAT CORS WITH CSRF

  36. Cross-Domain XML Don't do this:

  37. ⾠problem: Cross-Site Scripting (XSS)

  38. Attacker controlled JavaScript being evaluated in the DOM XSS

  39. Old Fix Filter user input and encode output to neutralize

    special characters.

  40. ⚒solution: Content Security Policy.

  41. Content Security Policy:

  42. Content Security Policy: Disallow Inline Stuff: <script>alert(1)</script> <img src=/ onerror=alert(1)>

    <p style='background-image:expression(alert(1))'></p> <a href='javascript:alert(123)'>...</a>

  43. Content Security Policy: Disallow Dynamic Stuff: eval('alert(123)'); Function('alert(123)')(); setTimeout('alert(123)',1); setInterval('alert(123)',1);

  44. Content Security Policy: Content-Security-Policy: directive src-exp src-exp; directive src-exp src-exp;

  45. Content Security Policy: Directives • default-src • script-src • style-src

    • object-src • ...

  46. Content Security Policy: script-src https://somedomain.com:999

  47. Content Security Policy: script-src https://somedomain.com:999

  48. Content Security Policy: script-src https:

  49. Content Security Policy: script-src somedomain.com

  50. Content Security Policy: script-src *.somedomain.com

  51. Content Security Policy: script-src somedomain.com:999

  52. Content Security Policy: script-src self

  53. Content Security Policy: script-src unsafe-inline

  54. Content Security Policy: script-src unsafe-eval

  55. Content Security Policy: Do it 1. Remove inline junk. 2.

    Remove inline junk. 3. Remove inline junk. 4. Add CSP headers.

  56. Content Security Policy: WTF OM G ! CSP breaks bookmarklets

    and some browser extensions. Error reporting is meh.

  57. Content Security Policy: Security Concerns?

  58. ⾠problem: Cross-Site Scripting (XSS) is sneaky

  59. XSS still present on TONS of sites

  60. Browsers to the rescue! Firefox with XSS protection coming soon

  61. X-XSS-Protection

  62. IE and Chrome controlled by X-XSS-Protection header MODES: X-XSS-Protection: 1;

    mode=block X-XSS-Protection: 1 X-XSS-Protection: 0

  63. Lets Talk IE First Client requests resource -> <- Server

    sends header Browser either modifies or blocks XSS

  64. X-XSS-Protection: 1; mode=block Prevents rendering of the page

  65. X-XSS-Protection: 1; Detects XSS then attempts to modify page to

    block attack

  66. X-XSS-Protection: 0; Opt-Out

  67. XSS-Auditor Listens to X-XSS-Protection Headers On by default Integrated directly

    into WebKit ! ! FULL SUPPORT FOR WEBKIT BROWSERS

  68. XSS protection in Firefox? Coming to a theater near you!

  69. Problem$ False Positives Not Perfect Not much different than blacklisting

  70. Problem$ Does not protect against stored XSS

  71. Problem$ or Awesome for Hackers? Chrome/IE ✓ if response contain

    param from request, if so ▓ Used to use it to filter out script/inline events! Pass in request params! *This is fixed in Chrome now 

  72. D3v3lopers? Test if xss-protection breaks your application if break: fix_your_code()

    if !break: enable X-XSS-Protection: 1; mode=block

  73. D3v3lopers? Last line of D# Don't rely solely on browser

    XSS protection

  74. ⾠problem: Content-Type: text/plain is getting rendered as HTML

  75. ⚒solution: no-sniff

  76. nosniff

  77. Stop Sniffin Content Types nosniff

  78. Content-Type: text/plain MEANS nosniff Content-Type: text/plain

  79. X-Content-Type-Options: nosniff nosniff

  80. iframe Sandbox

  81. iframe Sandbox

  82. 3rd Party Widgets HOSTED ON My Website SHOULD YOU TRUST

    US?

  83. Sandboxing Provides RESTRICTIONS: Disable Forms/Scripts Disable Plugins Disable Popups Prevent

    links from targeting other browser contexts

  84. Browser parses attribute and enforces restrictions <iframe sandbox src="https://someadcompany.whatever.com/ widgets/adds_rule.html

    style="border: 0; width:130px; height:20px;"></iframe>

  85. $ecurity? SWITCH USER AGENT! CHECK SETTINGS: allow-same-origin allow-top-navigation allow-forms allow-scripts

    NOT [E]NABLED BY DEFAULT

  86. Developers Developer Developers Check User-Agent Untrusted files on same server

    with IFRAME = BAD

  87. X-Frame-Options

  88. X-Frame-Options

  89. CLICKJACKING ATTACKS

  90. User -> ☣Malicious Site☣ link with z-index=-1 iframe positioned over

    link User clicks link -> click happens on iframe

  91. X-Frame-Options Header tells browser if page can be rendered in

    frame Values: DENY SAMEORIGIN AllOW-FROM uri

  92. NOT A Standard Standard ...YET

  93. New Value? ALLOWALL

  94. Security should ✓for ALLOW-FROM scope Bypass by doing sudden redirect

    before final click

  95. DEVELOPERS SHOULD DENY WHEN POSSIBLE

  96. crypto is hard especially in JavaScript

  97. Web Crypto API: window.crypto.STUFF

  98. window.crypto.encrypt .decrypt Web Crypto API:

  99. window.crypto.sign .verify Web Crypto API:

  100. window.crypto.generateKey .deriveKey .importKey .exportKey Web Crypto API:

  101. HMAC using SHA-256 RSASSA-PKCS1-v1_5 using SHA-256 ECDSA using P-256 curve

    and SHA-256 AES-CBC Web Crypto API:

  102. http://www.nerdwallet.com/blog/investing/files/2012/11/ Secure.jpeg M04R CRYPT0 M04R SECURITIES Web Crypto API:

  103. http://polycrypt.net/ Web Crypto API:

  104. DEMO

  105. What about the future? Security Missconfigurations |________|___________________|_ | | C

    O N T E N T | | | |________________ |________|_INJECTION_________|_| `, | | | , Universal XSS 3rd Party Plugins Mobile Applications APIs

  106. http://btoe.ws/browserstats

  107. • https://www.owasp.org/index.php/HTML5_Security_Cheat_Sheet#Sandboxed_frames • http://www.whatwg.org/ • https://l2exilium.net/item?id=5502505 • http://javascript.info/tutorial/clickjacking • https://bug-110857-attachments.webkit.org/attachment.cgi?id=190233

    • http://www.html5rocks.com/en/tutorials/cors/ • http://blogs.msdn.com/b/ieinternals/archive/2010/05/13/xdomainrequest-restrictions- limitations-and-workarounds.aspx • http://www.w3.org/TR/cors/#simple-method • http://www.matasano.com/articles/javascript-cryptography/ • http://events.ccc.de/congress/2012/Fahrplan/events/5374.en.html • http://polycrypt.net/ • http://www.viagravaigra.com/images/viagra-banner.png • http://widgets-gadgets.com/images/Capturewidget.JPG • http://www.mimicemore.com/hr/wp-content/uploads/2011/02/www.jpg • http://www.kcconfidential.com/wp-content/uploads/2012/07/Crying+Baby+Natural+High +for+Some+Moms.jpg • https://www.owasp.org/index.php/File:2010-T10-ArchitectureDiagram.png • https://www.owasp.org/ • https://en.wikipedia.org/wiki/Cross-site_scripting • http://wordpress.org/ References: