Upgrade to Pro — share decks privately, control downloads, hide ads and more …

State of the Union: Advances in Web Application...

Ben Toews
May 19, 2013
Technology
2
91

State of the Union: Advances in Web Application and Browser Security

Mr. IETF, Mr. W3c, members of the information security community, distinguished developers, and fellow hackers, Ben Toews and Scott Behrens present to you a state of the web security union address.

We have seen a surge of proposed standards and governing documents to improve web security. Client side flaws are being addressed by standards such as content-security-policy and IFRAME sandboxing. Data in transit is being more tightly secured using HTTP Strict Transport Security. There is a plethora of technologies available like X-frame-options, ORIGIN header, encrypted media extensions, X-XSS-Protection? We look at the intricacies of the proposed and accepted standards as well as how they are implemented. Security considerations will be addressed for these technologies from a design perspective and with a discussion on any weaknesses observed. In addition, information will be presented that breaks down which browser versions support these technologies as well as estimates of the number of users who run compatible browsers.

Developers should leave this talk with knowledge of how these security technologies work and where they can be applied. Security engineers will have a clearer understanding of these security technologies including how and when to recommend them as well as some common pitfalls associated with them.

See the feature support visualizations at http://btoe.ws/browserstats

Ben Toews

May 19, 2013
Tweet

More Decks by Ben Toews

See All by Ben Toews
GitHub AppSec: Keeping up with 111 prolific engineers
mastahyeti
0
100
The sky is falling: Nephological tales of security woe
mastahyeti
0
30
CSP
mastahyeti
7
280

Other Decks in Technology

See All in Technology
Taming you application's environments
salaboy
0
190
なぜ今 AI Agent なのか _近藤憲児
kenjikondobai
4
1.4k
開発生産性を上げながらビジネスも30倍成長させてきたチームの姿
kamina_zzz
2
1.7k
Lambda10周年!Lambdaは何をもたらしたか
smt7174
2
110
Exadata Database Service on Dedicated Infrastructure(ExaDB-D) UI スクリーン・キャプチャ集
oracle4engineer
PRO
2
3.2k
Shopifyアプリ開発における Shopifyの機能活用
sonatard
4
250
New Relicを活用したSREの最初のステップ / NRUG OKINAWA VOL.3
isaoshimizu
2
610
100 名超が参加した日経グループ横断の競技型 AWS 学習イベント「Nikkei Group AWS GameDay」の紹介/mediajaws202411
nikkei_engineer_recruiting
1
170
OTelCol_TailSampling_and_SpanMetrics
gumamon
1
160
プロダクト活用度で見えた真実 ホリゾンタルSaaSでの顧客解像度の高め方
tadaken3
0
100
VideoMamba: State Space Model for Efficient Video Understanding
chou500
0
190
Application Development WG Intro at AppDeveloperCon
salaboy
0
190

Featured

See All Featured
The Illustrated Children's Guide to Kubernetes
chrisshort
48
48k
Git: the NoSQL Database
bkeepers
PRO
427
64k
Site-Speed That Sticks
csswizardry
0
25
Dealing with People You Can't Stand - Big Design 2015
cassininazir
364
24k
GraphQLの誤解/rethinking-graphql
sonatard
67
10k
Building a Scalable Design System with Sketch
lauravandoore
459
33k
Reflections from 52 weeks, 52 projects
jeffersonlam
346
20k
The Straight Up "How To Draw Better" Workshop
denniskardys
232
140k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
16
2.1k
Stop Working from a Prison Cell
hatefulcrawdad
267
20k
Faster Mobile Websites
deanohume
305
30k
Teambox: Starting and Learning
jrom
133
8.8k

Transcript

  1. State of the Union Advances In Web Application and Browser

    Security

  2. Scott Behrens *Yes this photo is Photoshopped*

  3. Ben Toews

  4. ⾠ problems

  5. No one is paying attention

  6. normal web stuff

  7. HTML5 STANDARDS Forked Subset HTML5 Maintain Living Standard of HTML5

    + = InConsist3nCieS

  8. ✓ solutions

  9. •HTTP Strict Transport Security •Cross Origin Resource Sharing •Content Security

    Policy •X-XSS-Protection •nosniff •Iframe Sandbox •X-Frame-Options •Web Crypto API Solutions:

  10. Fuckin Chartz !?!?!?

  11. HTTP Strict Transport Security:

  12. Why ? HTTP Strict Transport Security:

  13. APT CHINA http://fc05.deviantart.net/fs71/f/2012/268/e/7/chinese_flag_map_by_shitalloverhumanity-d5fv2cc.png HTTP Strict Transport Security:

  14. STR ICT http://www.jokeblogger.com/sites/default/files/up/148/images/nun_ruler.jpg HTTP Strict Transport Security:

  15. Strict-Transport-Security: max-age=3600000; includeSubDomains HTTP Strict Transport Security:

  16. Do it 1. Add header 2. ... 3. ... 4.

    Profit?!?! HTTP Strict Transport Security:

  17. Security Concerns? HTTP Strict Transport Security:

  18. Cross-origin Resource Sharing

  19. Cross-Origin Resource Sharing (CORS)

  20. Problem? XMLHttpRequest -> Another Domain DENIED

  21. Solution? XMLHttpRequest (with Origin Header) - > Another Domain Server

    responds with Access-Control-Allow-Origin: * ACCESS GRANTED

  22. Client Sends: Origin: http://www.bobsbacon.net Server Sends Access Control Access-Control-Allow-Origin: http://

    www.bobsbacon.net If client and server orgin don’t match DENY

  23. What about 's It's the same except Set this in

    XMLHttpRequest xhr.withCredentials = True Server needs to send the following: Access-Control-Allow-Credentials: true

  24. Access-Control-Allow-Origin (required) Access-Control-Allow-Credentials Access-Control-Expose-Headers MOAR HEADERS

  25. Simple request methods: GET POST HEAD Simple request headers: Accept

    Accept-Language Content-Language Content-Type (only the ones below): application/x-www-form-urlencoded multipart/form-data text/plain Last-Event-ID

  26. THINGS CAN GET COMPLICATED http://www.html5rocks.com/en/tutorials/cors/

  27. Non Simple Preflight ✈ request (permission check) Server sends permissions

    Then actual request

  28. Preflight http://www.html5rocks.com/en/tutorials/cors/

  29. Server Response http://www.html5rocks.com/en/tutorials/cors/

  30. Request http://www.html5rocks.com/en/tutorials/cors/

  31. Response http://www.html5rocks.com/en/tutorials/cors/

  32. Server didn't send a response? XMLHttpRequest cannot load http://api.alice.com. Origin

    http:// api.bob.com is not allowed by Access-Control-Allow-Origin.

  33. Doesn't do CORS by default so send XDomainRequest object Keep

    SCHEME the same (http/https) Be specific on browser version!

  34. Be careful with user-credentials header

  35. Security? BEAT CORS WITH CSRF

  36. Cross-Domain XML Don't do this:

  37. ⾠problem: Cross-Site Scripting (XSS)

  38. Attacker controlled JavaScript being evaluated in the DOM XSS

  39. Old Fix Filter user input and encode output to neutralize

    special characters.

  40. ⚒solution: Content Security Policy.

  41. Content Security Policy:

  42. Content Security Policy: Disallow Inline Stuff: <script>alert(1)</script> <img src=/ onerror=alert(1)>

    <p style='background-image:expression(alert(1))'></p> <a href='javascript:alert(123)'>...</a>

  43. Content Security Policy: Disallow Dynamic Stuff: eval('alert(123)'); Function('alert(123)')(); setTimeout('alert(123)',1); setInterval('alert(123)',1);

  44. Content Security Policy: Content-Security-Policy: directive src-exp src-exp; directive src-exp src-exp;

  45. Content Security Policy: Directives • default-src • script-src • style-src

    • object-src • ...

  46. Content Security Policy: script-src https://somedomain.com:999

  47. Content Security Policy: script-src https://somedomain.com:999

  48. Content Security Policy: script-src https:

  49. Content Security Policy: script-src somedomain.com

  50. Content Security Policy: script-src *.somedomain.com

  51. Content Security Policy: script-src somedomain.com:999

  52. Content Security Policy: script-src self

  53. Content Security Policy: script-src unsafe-inline

  54. Content Security Policy: script-src unsafe-eval

  55. Content Security Policy: Do it 1. Remove inline junk. 2.

    Remove inline junk. 3. Remove inline junk. 4. Add CSP headers.

  56. Content Security Policy: WTF OM G ! CSP breaks bookmarklets

    and some browser extensions. Error reporting is meh.

  57. Content Security Policy: Security Concerns?

  58. ⾠problem: Cross-Site Scripting (XSS) is sneaky

  59. XSS still present on TONS of sites

  60. Browsers to the rescue! Firefox with XSS protection coming soon

  61. X-XSS-Protection

  62. IE and Chrome controlled by X-XSS-Protection header MODES: X-XSS-Protection: 1;

    mode=block X-XSS-Protection: 1 X-XSS-Protection: 0

  63. Lets Talk IE First Client requests resource -> <- Server

    sends header Browser either modifies or blocks XSS

  64. X-XSS-Protection: 1; mode=block Prevents rendering of the page

  65. X-XSS-Protection: 1; Detects XSS then attempts to modify page to

    block attack

  66. X-XSS-Protection: 0; Opt-Out

  67. XSS-Auditor Listens to X-XSS-Protection Headers On by default Integrated directly

    into WebKit ! ! FULL SUPPORT FOR WEBKIT BROWSERS

  68. XSS protection in Firefox? Coming to a theater near you!

  69. Problem$ False Positives Not Perfect Not much different than blacklisting

  70. Problem$ Does not protect against stored XSS

  71. Problem$ or Awesome for Hackers? Chrome/IE ✓ if response contain

    param from request, if so ▓ Used to use it to filter out script/inline events! Pass in request params! *This is fixed in Chrome now 

  72. D3v3lopers? Test if xss-protection breaks your application if break: fix_your_code()

    if !break: enable X-XSS-Protection: 1; mode=block

  73. D3v3lopers? Last line of D# Don't rely solely on browser

    XSS protection

  74. ⾠problem: Content-Type: text/plain is getting rendered as HTML

  75. ⚒solution: no-sniff

  76. nosniff

  77. Stop Sniffin Content Types nosniff

  78. Content-Type: text/plain MEANS nosniff Content-Type: text/plain

  79. X-Content-Type-Options: nosniff nosniff

  80. iframe Sandbox

  81. iframe Sandbox

  82. 3rd Party Widgets HOSTED ON My Website SHOULD YOU TRUST

    US?

  83. Sandboxing Provides RESTRICTIONS: Disable Forms/Scripts Disable Plugins Disable Popups Prevent

    links from targeting other browser contexts

  84. Browser parses attribute and enforces restrictions <iframe sandbox src="https://someadcompany.whatever.com/ widgets/adds_rule.html

    style="border: 0; width:130px; height:20px;"></iframe>

  85. $ecurity? SWITCH USER AGENT! CHECK SETTINGS: allow-same-origin allow-top-navigation allow-forms allow-scripts

    NOT [E]NABLED BY DEFAULT

  86. Developers Developer Developers Check User-Agent Untrusted files on same server

    with IFRAME = BAD

  87. X-Frame-Options

  88. X-Frame-Options

  89. CLICKJACKING ATTACKS

  90. User -> ☣Malicious Site☣ link with z-index=-1 iframe positioned over

    link User clicks link -> click happens on iframe

  91. X-Frame-Options Header tells browser if page can be rendered in

    frame Values: DENY SAMEORIGIN AllOW-FROM uri

  92. NOT A Standard Standard ...YET

  93. New Value? ALLOWALL

  94. Security should ✓for ALLOW-FROM scope Bypass by doing sudden redirect

    before final click

  95. DEVELOPERS SHOULD DENY WHEN POSSIBLE

  96. crypto is hard especially in JavaScript

  97. Web Crypto API: window.crypto.STUFF

  98. window.crypto.encrypt .decrypt Web Crypto API:

  99. window.crypto.sign .verify Web Crypto API:

  100. window.crypto.generateKey .deriveKey .importKey .exportKey Web Crypto API:

  101. HMAC using SHA-256 RSASSA-PKCS1-v1_5 using SHA-256 ECDSA using P-256 curve

    and SHA-256 AES-CBC Web Crypto API:

  102. http://www.nerdwallet.com/blog/investing/files/2012/11/ Secure.jpeg M04R CRYPT0 M04R SECURITIES Web Crypto API:

  103. http://polycrypt.net/ Web Crypto API:

  104. DEMO

  105. What about the future? Security Missconfigurations |________|___________________|_ | | C

    O N T E N T | | | |________________ |________|_INJECTION_________|_| `, | | | , Universal XSS 3rd Party Plugins Mobile Applications APIs

  106. http://btoe.ws/browserstats

  107. • https://www.owasp.org/index.php/HTML5_Security_Cheat_Sheet#Sandboxed_frames • http://www.whatwg.org/ • https://l2exilium.net/item?id=5502505 • http://javascript.info/tutorial/clickjacking • https://bug-110857-attachments.webkit.org/attachment.cgi?id=190233

    • http://www.html5rocks.com/en/tutorials/cors/ • http://blogs.msdn.com/b/ieinternals/archive/2010/05/13/xdomainrequest-restrictions- limitations-and-workarounds.aspx • http://www.w3.org/TR/cors/#simple-method • http://www.matasano.com/articles/javascript-cryptography/ • http://events.ccc.de/congress/2012/Fahrplan/events/5374.en.html • http://polycrypt.net/ • http://www.viagravaigra.com/images/viagra-banner.png • http://widgets-gadgets.com/images/Capturewidget.JPG • http://www.mimicemore.com/hr/wp-content/uploads/2011/02/www.jpg • http://www.kcconfidential.com/wp-content/uploads/2012/07/Crying+Baby+Natural+High +for+Some+Moms.jpg • https://www.owasp.org/index.php/File:2010-T10-ArchitectureDiagram.png • https://www.owasp.org/ • https://en.wikipedia.org/wiki/Cross-site_scripting • http://wordpress.org/ References: