Upgrade to Pro — share decks privately, control downloads, hide ads and more …

State of the Union: Advances in Web Application...

State of the Union: Advances in Web Application and Browser Security

Mr. IETF, Mr. W3c, members of the information security community, distinguished developers, and fellow hackers, Ben Toews and Scott Behrens present to you a state of the web security union address.

We have seen a surge of proposed standards and governing documents to improve web security. Client side flaws are being addressed by standards such as content-security-policy and IFRAME sandboxing. Data in transit is being more tightly secured using HTTP Strict Transport Security. There is a plethora of technologies available like X-frame-options, ORIGIN header, encrypted media extensions, X-XSS-Protection? We look at the intricacies of the proposed and accepted standards as well as how they are implemented. Security considerations will be addressed for these technologies from a design perspective and with a discussion on any weaknesses observed. In addition, information will be presented that breaks down which browser versions support these technologies as well as estimates of the number of users who run compatible browsers.

Developers should leave this talk with knowledge of how these security technologies work and where they can be applied. Security engineers will have a clearer understanding of these security technologies including how and when to recommend them as well as some common pitfalls associated with them.

See the feature support visualizations at http://btoe.ws/browserstats

Ben Toews

May 19, 2013
Tweet

More Decks by Ben Toews

Other Decks in Technology

Transcript

  1. •HTTP Strict Transport Security •Cross Origin Resource Sharing •Content Security

    Policy •X-XSS-Protection •nosniff •Iframe Sandbox •X-Frame-Options •Web Crypto API Solutions:
  2. Do it 1. Add header 2. ... 3. ... 4.

    Profit?!?! HTTP Strict Transport Security:
  3. Solution? XMLHttpRequest (with Origin Header) - > Another Domain Server

    responds with Access-Control-Allow-Origin: * ACCESS GRANTED
  4. What about 's It's the same except Set this in

    XMLHttpRequest xhr.withCredentials = True Server needs to send the following: Access-Control-Allow-Credentials: true
  5. Simple request methods: GET POST HEAD Simple request headers: Accept

    Accept-Language Content-Language Content-Type (only the ones below): application/x-www-form-urlencoded multipart/form-data text/plain Last-Event-ID
  6. Server didn't send a response? XMLHttpRequest cannot load http://api.alice.com. Origin

    http:// api.bob.com is not allowed by Access-Control-Allow-Origin.
  7. Doesn't do CORS by default so send XDomainRequest object Keep

    SCHEME the same (http/https) Be specific on browser version!
  8. Content Security Policy: Disallow Inline Stuff: <script>alert(1)</script> <img src=/ onerror=alert(1)>

    <p style='background-image:expression(alert(1))'></p> <a href='javascript:alert(123)'>...</a>
  9. Content Security Policy: Do it 1. Remove inline junk. 2.

    Remove inline junk. 3. Remove inline junk. 4. Add CSP headers.
  10. Content Security Policy: WTF OM G ! CSP breaks bookmarklets

    and some browser extensions. Error reporting is meh.
  11. IE and Chrome controlled by X-XSS-Protection header MODES: X-XSS-Protection: 1;

    mode=block X-XSS-Protection: 1 X-XSS-Protection: 0
  12. Lets Talk IE First Client requests resource -> <- Server

    sends header Browser either modifies or blocks XSS
  13. Problem$ or Awesome for Hackers? Chrome/IE ✓ if response contain

    param from request, if so ▓ Used to use it to filter out script/inline events! Pass in request params! *This is fixed in Chrome now 
  14. User -> ☣Malicious Site☣ link with z-index=-1 iframe positioned over

    link User clicks link -> click happens on iframe
  15. X-Frame-Options Header tells browser if page can be rendered in

    frame Values: DENY SAMEORIGIN AllOW-FROM uri
  16. What about the future? Security Missconfigurations |________|___________________|_ | | C

    O N T E N T | | | |________________ |________|_INJECTION_________|_| `, | | | , Universal XSS 3rd Party Plugins Mobile Applications APIs
  17. • https://www.owasp.org/index.php/HTML5_Security_Cheat_Sheet#Sandboxed_frames • http://www.whatwg.org/ • https://l2exilium.net/item?id=5502505 • http://javascript.info/tutorial/clickjacking • https://bug-110857-attachments.webkit.org/attachment.cgi?id=190233

    • http://www.html5rocks.com/en/tutorials/cors/ • http://blogs.msdn.com/b/ieinternals/archive/2010/05/13/xdomainrequest-restrictions- limitations-and-workarounds.aspx • http://www.w3.org/TR/cors/#simple-method • http://www.matasano.com/articles/javascript-cryptography/ • http://events.ccc.de/congress/2012/Fahrplan/events/5374.en.html • http://polycrypt.net/ • http://www.viagravaigra.com/images/viagra-banner.png • http://widgets-gadgets.com/images/Capturewidget.JPG • http://www.mimicemore.com/hr/wp-content/uploads/2011/02/www.jpg • http://www.kcconfidential.com/wp-content/uploads/2012/07/Crying+Baby+Natural+High +for+Some+Moms.jpg • https://www.owasp.org/index.php/File:2010-T10-ArchitectureDiagram.png • https://www.owasp.org/ • https://en.wikipedia.org/wiki/Cross-site_scripting • http://wordpress.org/ References: