Upgrade to Pro — share decks privately, control downloads, hide ads and more …

User Agent Lockdown - HackPra 2014

3c27881a0d8695811b0fa23bd794e696?s=47 Mike West
PRO
April 16, 2014
Programming
1
170

User Agent Lockdown - HackPra 2014

3c27881a0d8695811b0fa23bd794e696?s=128

Mike West
PRO

April 16, 2014
Tweet

More Decks by Mike West

See All by Mike West
3c27881a0d8695811b0fa23bd794e696?s=48 mikewest
PRO
0
810
3c27881a0d8695811b0fa23bd794e696?s=48 mikewest
PRO
0
130
3c27881a0d8695811b0fa23bd794e696?s=48 mikewest
PRO
0
1.3k
3c27881a0d8695811b0fa23bd794e696?s=48 mikewest
PRO
1
93
3c27881a0d8695811b0fa23bd794e696?s=48 mikewest
PRO
0
330
3c27881a0d8695811b0fa23bd794e696?s=48 mikewest
PRO
0
61
3c27881a0d8695811b0fa23bd794e696?s=48 mikewest
PRO
2
580
3c27881a0d8695811b0fa23bd794e696?s=48 mikewest
PRO
0
240
3c27881a0d8695811b0fa23bd794e696?s=48 mikewest
PRO
5
1.3k

Other Decks in Programming

See All in Programming
75486cbfd37125f121cf4a6c5614601c?s=48 hideokamoto
PRO
4
1.3k
B3a7c0d5c590642dbce68bce8929a2df?s=48 david74chou
1
160
9f96c3fd49e6a294e521175f2ad80b71?s=48 usamomokawa
1
290
4dca78303031ea5acf25b0183cd900f8?s=48 kanasann1106
0
380
7a4fa8b5922e77f29e03cffadd64bddf?s=48 faithandbrave
18
6.6k
B32c18d03687577950da29542d0a9180?s=48 kurumai
1
640
Bf04d1ee6fa2216133b23af8f609c70a?s=48 gatchan0807
0
240
5059d3f370ad7e1f4d8de4be79ae1a2c?s=48 rvirus0817
0
610
31107eb924f0f352bc3dc4916be5ba59?s=48 negi_andleek
0
180
72a2082c6a4dd79ad68befb3db911616?s=48 mraible
PRO
0
390
3cb4e761dbdb7aebd1ffd85f752e1e3e?s=48 sonatard
8
500
Ca1357a6e793898d30cec23068c3cb36?s=48 shingen29
0
310

Featured

See All Featured
0bce06bd06ee7a2c4f5500f25dcf7f18?s=48 paulrobertlloyd
74
1.6k
D83926c323d4f9289f947b4b4e76b939?s=48 jensimmons
209
11k
1b8ad785acdd1ce1c99914b1c2a4e10e?s=48 sugarenia
235
950k
Dad095ea7038f89f760419ce475d5d14?s=48 michaelherold
227
8.9k
78b475797a14c84799063c7cd073962f?s=48 holman
463
280k
5f83ef806155b403c3393160ce51f955?s=48 jlugia
218
16k
3d4519fd34b76fb265fc0237f3792bd4?s=48 danielanewman
208
20k
0c6fd6a08d0f898159cda7cafcacf07f?s=48 afnizarnur
180
14k
465724d73fe3a92c0879fdfb43a3a6f3?s=48 philhawksworth
195
9k
79acae287842acf29084005533a7fb3b?s=48 hursman
111
9.5k
8081b26e05bb4354f7d65ffc34cbbd67?s=48 chriscoyier
780
240k
F57e2136eb9895eb95ff5dc8a1c02677?s=48 zakiwarfel
91
3.6k

Transcript

  1. User Agent Lockdown Mike West https://mikewest.org G+: mkw.st/+ Twitter: @mikewest

    Slides: https://mkw.st/r/hackpra14
  2. None

  3. http://traumwerk.stanford.edu/philolog/2009/10/homers_odyssey_in_art_sirens_f.html

  4. http://traumwerk.stanford.edu/philolog/2009/10/homers_odyssey_in_art_sirens_f.html

  5. http://traumwerk.stanford.edu/philolog/2009/10/homers_odyssey_in_art_sirens_f.html Principle of Least Privilege

  6. Privileges we should reconsider: 1. Browsers allow content to load

    over unencrypted connections. 2. Browsers accept whatever happens to live at a URL as canonical. 3. Browsers load any and all resources a page requests.

  7. "Enigma" - skittledog, http://flic.kr/p/9VjJz5 Never load unencrypted content.

  8. None
  9. None
  10. None

  11. Set-Cookie: ...; secure; HttpOnly

  12. Strict-Transport- Security: max-age=2592000; includeSubDomains

  13. None

  14. Public-Key-Pins: max-age=2592000; pin-sha256="4n972H…yw4uqe/baXc="

  15. https://www.startssl.com/

  16. https://www.ssllabs.com/ssltest/

  17. Verify resource integrity. "Stop Corruption" - kennymiller, https://www.flickr.com/photos/kennymiller/796971032

  18. <script src="https://cdn.example.net/script.js"></script>

  19. https://w3c.github.io/webappsec/specs/subresourceintegrity/ https://mkw.st/r/subint

  20. <script src="https://cdn.example.net/script.js" integrity="ni:///sha256;aje...87w?ct=application/javascript" ></script>

  21. "Finance - Financial Injection - Finance" - doug8888, http://www.flickr.com/photos/doug88888/4561376850/ Mitigate

    content injection.

  22. scheme://host:port

  23. <script> beAwesome(); </script> <script> beEvil(); </script>

  24. <script> beAwesome(); </script> <!-- <p>Hello, {$name}!</p> --> <p>Hello, <script> beEvil();

    </script></p>

  25. <style> p { color: {{USER_COLOR}}; } </style> <p> Hello {{USER_NAME}},

    view your <a href="{{USER_URL}}">Account</a>. </p> <script> var id = {{USER_ID}}; </script> <!-- DEBUG: {{INFO}} -->

  26. "I discount the probability of perfection." -Alex Russell

  27. "We are all idiots with deadlines." -Mike West

  28. http://www.html5rocks.com/en/tutorials/security/content-security-policy/ https://mkw.st/r/csp

  29. None

  30. Content-Security-Policy: default-src 'none'; style-src https://mikewestdotorg.hasacdn.net; frame-src https://www.youtube.com https://www.speakerdeck.com; script-src https://mikewestdotorg.hasacdn.net

    https://ssl.google-analytics.com; img-src 'self' https://mikewestdotorg.hasacdn.net https://ssl.google-analytics.com; font-src https://mikewestdotorg.hasacdn.net

  31. Content-Security-Policy: default-src ...; script-src ...; object-src ...; style-src ...; img-src

    ...; media-src ...; frame-src ...; font-src ...; connect-src ...; sandbox ...; report-uri https://example.com/reporter.cgi

  32. Content-Security-Policy-Report-Only: default-src https:; report-uri https://example.com/csp-violations { "csp-report": { "document-uri": "http://example.org/page.html",

    "referrer": "http://evil.example.com/haxor.html", "blocked-uri": "http://evil.example.com/img.png", "violated-directive": "default-src 'self'", "original-policy": "...", "source-file": "http://example.com/script.js", "line-number": 10, "column-number": 11, } }

  33. <script> function handleClick() { ... } </script> <button onclick="handleClick()">Click me!</button>

    <a href="javascript:handleClick()">Click me!</a>

  34. <!-- index.html --> <script src="clickHandler.js"></script> <button class="clckr">Click me!</button> <a href="#"

    class="clckr">Click me!</a> <!-- clickHandler.js --> function handleClick() { ... } function init() { for (var e in document.querySelectorAll('.clckr')) e.addEventListener('click', handleClick); }

  35. Content-Security-Policy: script-src 'nonce-THIS-IS-A-RANDOM-NONCE'; <button class="clckr">Click me!</button> <a href="#" class="clckr">Click me!</a>

    <script nonce="THIS-IS-A-RANDOM-NONCE"> function handleClick() { ... } function init() { var e; for (e in document.querySelectorAll('.clckr')) e.addEventListener('click', handleClick); } </script>

  36. Content-Security-Policy: script-src 'sha256-kjhhuy...poiIOY-AI'; <button class="clckr">Click me!</button> <a href="#" class="clckr">Click me!</a>

    <script> function handleClick() { ... } function init() { var e; for (e in document.querySelectorAll('.clckr')) e.addEventListener('click', handleClick); } </script>

  37. "Framed in the Valley" - cobalt123, http://www.flickr.com/photos/cobalt/5354090310/ Limit Unanticipated Framing.

  38. Click me! I am happy!

  39. "X-Frame-Options: All about Clickjacking?" https://cure53.de/xfo-clickjacking.pdf

  40. X-Frame-Options: DENY or X-Frame-Options: SAMEORIGIN

  41. Content-Security-Policy: frame-ancestors 'none' or Content-Security-Policy: frame-ancestors 'self' or Content-Security-Policy: frame-ancestors

    [source list]

  42. Thanks for your time! 1. HTTPS all the things. 2.

    Deploy Content Security Policy (mkw.st/r/csp) to mitigate content injection attacks. 3. Follow the progress of Subresource Integrity (mkw.st/r/subint). 4. Ask questions, now, or on Twitter: @mikewest.