Upgrade to Pro — share decks privately, control downloads, hide ads and more …

State of the Union: Advances in Web Application and Browser Security

Ben Toews
May 19, 2013
Technology
2
91

State of the Union: Advances in Web Application and Browser Security

Mr. IETF, Mr. W3c, members of the information security community, distinguished developers, and fellow hackers, Ben Toews and Scott Behrens present to you a state of the web security union address.

We have seen a surge of proposed standards and governing documents to improve web security. Client side flaws are being addressed by standards such as content-security-policy and IFRAME sandboxing. Data in transit is being more tightly secured using HTTP Strict Transport Security. There is a plethora of technologies available like X-frame-options, ORIGIN header, encrypted media extensions, X-XSS-Protection? We look at the intricacies of the proposed and accepted standards as well as how they are implemented. Security considerations will be addressed for these technologies from a design perspective and with a discussion on any weaknesses observed. In addition, information will be presented that breaks down which browser versions support these technologies as well as estimates of the number of users who run compatible browsers.

Developers should leave this talk with knowledge of how these security technologies work and where they can be applied. Security engineers will have a clearer understanding of these security technologies including how and when to recommend them as well as some common pitfalls associated with them.

See the feature support visualizations at http://btoe.ws/browserstats

Ben Toews

May 19, 2013
Tweet

More Decks by Ben Toews

See All by Ben Toews
GitHub AppSec: Keeping up with 111 prolific engineers
mastahyeti
0
96
The sky is falling: Nephological tales of security woe
mastahyeti
0
24
CSP
mastahyeti
7
280

Other Decks in Technology

See All in Technology
動画配信サービスのフロントエンド実装に学ぶ設計原則
yud0uhu
1
130
QA経験のないエンジニアリング マネージャーがQAのカジュアル面談に出て 苦労していること・気づいたこと / scrum fest niigata 2024
yoshikiiida
2
660
Autonomous Database Cloud 技術詳細 / adb-s_technical_detail_jp
oracle4engineer
PRO
15
36k
SLOいつ決めましょう?
abnoumaru
3
260
PHP 9 に備えよ - 動的プロパティ、どうすればいぃ?
taisukearase
0
300
社内での継続的な機械学習勉強会の開催のコツ
yudai00
2
390
日本が誇るイタリアのダンスミュージック!? ユーロビートって何??
minorun365
PRO
2
190
Google Cloud Next '24 Recap in ZOZO AIにより変わる開発 運用/Development and operation changed by AI
gachimuchiengineer
0
190
kcp: Kubernetes APIs Are All You Need #techfeed_live / TechFeed Experts Night 28th
ytaka23
1
190
「知的単純作業」を自動化する、地に足の着いた大規模言語モデル (LLM) の活用
nrryuya
8
8.2k
PhpStorm超絶技巧40分集中講義 #phpconkagawa
yusuke
4
760
.NET GraphQL Client のリアル
sansantech
PRO
1
220

Featured

See All Featured
The Cult of Friendly URLs
andyhume
74
5.7k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
228
16k
Code Reviewing Like a Champion
maltzj
515
39k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
12
1.1k
The Invisible Side of Design
smashingmag
294
49k
Bootstrapping a Software Product
garrettdimon
PRO
302
110k
Art, The Web, and Tiny UX
lynnandtonic
290
19k
Practical Orchestrator
shlominoach
183
9.8k
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
1
120
Unsuck your backbone
ammeep
664
57k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
67
14k
Writing Fast Ruby
sferik
622
60k

Transcript

  1. State of the Union Advances In Web Application and Browser

    Security

  2. Scott Behrens *Yes this photo is Photoshopped*

  3. Ben Toews

  4. ⾠ problems

  5. No one is paying attention

  6. normal web stuff

  7. HTML5 STANDARDS Forked Subset HTML5 Maintain Living Standard of HTML5

    + = InConsist3nCieS

  8. ✓ solutions

  9. •HTTP Strict Transport Security •Cross Origin Resource Sharing •Content Security

    Policy •X-XSS-Protection •nosniff •Iframe Sandbox •X-Frame-Options •Web Crypto API Solutions:

  10. Fuckin Chartz !?!?!?

  11. HTTP Strict Transport Security:

  12. Why ? HTTP Strict Transport Security:

  13. APT CHINA http://fc05.deviantart.net/fs71/f/2012/268/e/7/chinese_flag_map_by_shitalloverhumanity-d5fv2cc.png HTTP Strict Transport Security:

  14. STR ICT http://www.jokeblogger.com/sites/default/files/up/148/images/nun_ruler.jpg HTTP Strict Transport Security:

  15. Strict-Transport-Security: max-age=3600000; includeSubDomains HTTP Strict Transport Security:

  16. Do it 1. Add header 2. ... 3. ... 4.

    Profit?!?! HTTP Strict Transport Security:

  17. Security Concerns? HTTP Strict Transport Security:

  18. Cross-origin Resource Sharing

  19. Cross-Origin Resource Sharing (CORS)

  20. Problem? XMLHttpRequest -> Another Domain DENIED

  21. Solution? XMLHttpRequest (with Origin Header) - > Another Domain Server

    responds with Access-Control-Allow-Origin: * ACCESS GRANTED

  22. Client Sends: Origin: http://www.bobsbacon.net Server Sends Access Control Access-Control-Allow-Origin: http://

    www.bobsbacon.net If client and server orgin don’t match DENY

  23. What about 's It's the same except Set this in

    XMLHttpRequest xhr.withCredentials = True Server needs to send the following: Access-Control-Allow-Credentials: true

  24. Access-Control-Allow-Origin (required) Access-Control-Allow-Credentials Access-Control-Expose-Headers MOAR HEADERS

  25. Simple request methods: GET POST HEAD Simple request headers: Accept

    Accept-Language Content-Language Content-Type (only the ones below): application/x-www-form-urlencoded multipart/form-data text/plain Last-Event-ID

  26. THINGS CAN GET COMPLICATED http://www.html5rocks.com/en/tutorials/cors/

  27. Non Simple Preflight ✈ request (permission check) Server sends permissions

    Then actual request

  28. Preflight http://www.html5rocks.com/en/tutorials/cors/

  29. Server Response http://www.html5rocks.com/en/tutorials/cors/

  30. Request http://www.html5rocks.com/en/tutorials/cors/

  31. Response http://www.html5rocks.com/en/tutorials/cors/

  32. Server didn't send a response? XMLHttpRequest cannot load http://api.alice.com. Origin

    http:// api.bob.com is not allowed by Access-Control-Allow-Origin.

  33. Doesn't do CORS by default so send XDomainRequest object Keep

    SCHEME the same (http/https) Be specific on browser version!

  34. Be careful with user-credentials header

  35. Security? BEAT CORS WITH CSRF

  36. Cross-Domain XML Don't do this:

  37. ⾠problem: Cross-Site Scripting (XSS)

  38. Attacker controlled JavaScript being evaluated in the DOM XSS

  39. Old Fix Filter user input and encode output to neutralize

    special characters.

  40. ⚒solution: Content Security Policy.

  41. Content Security Policy:

  42. Content Security Policy: Disallow Inline Stuff: <script>alert(1)</script> <img src=/ onerror=alert(1)>

    <p style='background-image:expression(alert(1))'></p> <a href='javascript:alert(123)'>...</a>

  43. Content Security Policy: Disallow Dynamic Stuff: eval('alert(123)'); Function('alert(123)')(); setTimeout('alert(123)',1); setInterval('alert(123)',1);

  44. Content Security Policy: Content-Security-Policy: directive src-exp src-exp; directive src-exp src-exp;

  45. Content Security Policy: Directives • default-src • script-src • style-src

    • object-src • ...

  46. Content Security Policy: script-src https://somedomain.com:999

  47. Content Security Policy: script-src https://somedomain.com:999

  48. Content Security Policy: script-src https:

  49. Content Security Policy: script-src somedomain.com

  50. Content Security Policy: script-src *.somedomain.com

  51. Content Security Policy: script-src somedomain.com:999

  52. Content Security Policy: script-src self

  53. Content Security Policy: script-src unsafe-inline

  54. Content Security Policy: script-src unsafe-eval

  55. Content Security Policy: Do it 1. Remove inline junk. 2.

    Remove inline junk. 3. Remove inline junk. 4. Add CSP headers.

  56. Content Security Policy: WTF OM G ! CSP breaks bookmarklets

    and some browser extensions. Error reporting is meh.

  57. Content Security Policy: Security Concerns?

  58. ⾠problem: Cross-Site Scripting (XSS) is sneaky

  59. XSS still present on TONS of sites

  60. Browsers to the rescue! Firefox with XSS protection coming soon

  61. X-XSS-Protection

  62. IE and Chrome controlled by X-XSS-Protection header MODES: X-XSS-Protection: 1;

    mode=block X-XSS-Protection: 1 X-XSS-Protection: 0

  63. Lets Talk IE First Client requests resource -> <- Server

    sends header Browser either modifies or blocks XSS

  64. X-XSS-Protection: 1; mode=block Prevents rendering of the page

  65. X-XSS-Protection: 1; Detects XSS then attempts to modify page to

    block attack

  66. X-XSS-Protection: 0; Opt-Out

  67. XSS-Auditor Listens to X-XSS-Protection Headers On by default Integrated directly

    into WebKit ! ! FULL SUPPORT FOR WEBKIT BROWSERS

  68. XSS protection in Firefox? Coming to a theater near you!

  69. Problem$ False Positives Not Perfect Not much different than blacklisting

  70. Problem$ Does not protect against stored XSS

  71. Problem$ or Awesome for Hackers? Chrome/IE ✓ if response contain

    param from request, if so ▓ Used to use it to filter out script/inline events! Pass in request params! *This is fixed in Chrome now 

  72. D3v3lopers? Test if xss-protection breaks your application if break: fix_your_code()

    if !break: enable X-XSS-Protection: 1; mode=block

  73. D3v3lopers? Last line of D# Don't rely solely on browser

    XSS protection

  74. ⾠problem: Content-Type: text/plain is getting rendered as HTML

  75. ⚒solution: no-sniff

  76. nosniff

  77. Stop Sniffin Content Types nosniff

  78. Content-Type: text/plain MEANS nosniff Content-Type: text/plain

  79. X-Content-Type-Options: nosniff nosniff

  80. iframe Sandbox

  81. iframe Sandbox

  82. 3rd Party Widgets HOSTED ON My Website SHOULD YOU TRUST

    US?

  83. Sandboxing Provides RESTRICTIONS: Disable Forms/Scripts Disable Plugins Disable Popups Prevent

    links from targeting other browser contexts

  84. Browser parses attribute and enforces restrictions <iframe sandbox src="https://someadcompany.whatever.com/ widgets/adds_rule.html

    style="border: 0; width:130px; height:20px;"></iframe>

  85. $ecurity? SWITCH USER AGENT! CHECK SETTINGS: allow-same-origin allow-top-navigation allow-forms allow-scripts

    NOT [E]NABLED BY DEFAULT

  86. Developers Developer Developers Check User-Agent Untrusted files on same server

    with IFRAME = BAD

  87. X-Frame-Options

  88. X-Frame-Options

  89. CLICKJACKING ATTACKS

  90. User -> ☣Malicious Site☣ link with z-index=-1 iframe positioned over

    link User clicks link -> click happens on iframe

  91. X-Frame-Options Header tells browser if page can be rendered in

    frame Values: DENY SAMEORIGIN AllOW-FROM uri

  92. NOT A Standard Standard ...YET

  93. New Value? ALLOWALL

  94. Security should ✓for ALLOW-FROM scope Bypass by doing sudden redirect

    before final click

  95. DEVELOPERS SHOULD DENY WHEN POSSIBLE

  96. crypto is hard especially in JavaScript

  97. Web Crypto API: window.crypto.STUFF

  98. window.crypto.encrypt .decrypt Web Crypto API:

  99. window.crypto.sign .verify Web Crypto API:

  100. window.crypto.generateKey .deriveKey .importKey .exportKey Web Crypto API:

  101. HMAC using SHA-256 RSASSA-PKCS1-v1_5 using SHA-256 ECDSA using P-256 curve

    and SHA-256 AES-CBC Web Crypto API:

  102. http://www.nerdwallet.com/blog/investing/files/2012/11/ Secure.jpeg M04R CRYPT0 M04R SECURITIES Web Crypto API:

  103. http://polycrypt.net/ Web Crypto API:

  104. DEMO

  105. What about the future? Security Missconfigurations |________|___________________|_ | | C

    O N T E N T | | | |________________ |________|_INJECTION_________|_| `, | | | , Universal XSS 3rd Party Plugins Mobile Applications APIs

  106. http://btoe.ws/browserstats

  107. • https://www.owasp.org/index.php/HTML5_Security_Cheat_Sheet#Sandboxed_frames • http://www.whatwg.org/ • https://l2exilium.net/item?id=5502505 • http://javascript.info/tutorial/clickjacking • https://bug-110857-attachments.webkit.org/attachment.cgi?id=190233

    • http://www.html5rocks.com/en/tutorials/cors/ • http://blogs.msdn.com/b/ieinternals/archive/2010/05/13/xdomainrequest-restrictions- limitations-and-workarounds.aspx • http://www.w3.org/TR/cors/#simple-method • http://www.matasano.com/articles/javascript-cryptography/ • http://events.ccc.de/congress/2012/Fahrplan/events/5374.en.html • http://polycrypt.net/ • http://www.viagravaigra.com/images/viagra-banner.png • http://widgets-gadgets.com/images/Capturewidget.JPG • http://www.mimicemore.com/hr/wp-content/uploads/2011/02/www.jpg • http://www.kcconfidential.com/wp-content/uploads/2012/07/Crying+Baby+Natural+High +for+Some+Moms.jpg • https://www.owasp.org/index.php/File:2010-T10-ArchitectureDiagram.png • https://www.owasp.org/ • https://en.wikipedia.org/wiki/Cross-site_scripting • http://wordpress.org/ References: