Slide 1

Security & HTTP

Slide 2

Security & HTTP, Romain Neutron, https://github.com/romainneutron

Slide 9

$ curl -I https://github.com
 HTTP/1.1 200 OK
 Server: GitHub.com
 Date: Mon, 04 Apr 2016 20:10:13 GMT
 Content-Type: text/html; charset=utf-8
 Status: 200 OK
 Cache-Control: no-cache
 Vary: X-PJAX
 X-UA-Compatible: IE=Edge,chrome=1
 Set-Cookie: logged_in=no; domain=.github.com; path=/; expires=Fri, 04 Apr 2036 20:10:13 -0000; secure; HttpOn
 Set-Cookie: _gh_sess=eyJzZXNzaW9uX2lkIjoiYzE1ZjE3NjA4Yjg1MWM3MTk4MjY0ZjdiMzY5ZDJhNzciLCJfY3NyZl
 X-Request-Id: 048b988349db27c05f13900c2b8c8dd5
 X-Runtime: 0.011717
 Content-Security-Policy: default-src 'none'; base-uri 'self'; block-all-mixed-content; child-sr
 Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
 Public-Key-Pins: max-age=1209600; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18=";e2gyHMrW5Q06LspMn
 X-Content-Type-Options: nosniff
 X-Frame-Options: deny
 X-XSS-Protection: 1; mode=block
 Vary: Accept-Encoding
 X-Served-By: 7cc969f65c7ec8d9db2fa57dcc51d323
 X-GitHub-Request-Id: 55A8461C:0E34:67919BE:5702CA25

Slide 10

$ curl -I https://www.google.fr
 HTTP/1.1 200 OK
 Date: Mon, 04 Apr 2016 20:09:15 GMT
 Expires: -1
 Cache-Control: private, max-age=0
 Content-Type: text/html; charset=ISO-8859-1
 P3P: CP="This is not a P3P policy! See https://www.google.com/support/accounts/answer/151657?hl=en for more i
 Server: gws
 X-XSS-Protection: 1; mode=block
 X-Frame-Options: SAMEORIGIN
 Set-Cookie: NID=78=qz0a3gQjdiDNPGOR3AAVCO72jOeyaj_EoA8nXeDud6dEqZty2mEdqd9j4gkSNYoqLNM9PyMu_7SgGDEv5lVxn24zII
 Alternate-Protocol: 443:quic
 Alt-Svc: quic=":443"; ma=2592000; v="32,31,30,29,28,27,26,25"
 Transfer-Encoding: chunked
 Accept-Ranges: none
 Vary: Accept-Encoding

Slide 11

$ curl -I https://www.dropbox.com
 HTTP/1.1 200 OK
 Server: nginx
 Date: Mon, 04 Apr 2016 20:10:37 GMT
 Content-Type: text/html; charset=utf-8
 Connection: keep-alive
 x-xss-protection: 1; mode=block
 content-security-policy: img-src https://* data: blob: ; connect-src https://* ws://127.0.0.1:*/ws ; media-sr
 x-content-type-options: nosniff
 set-cookie: locale=en; Domain=dropbox.com; expires=Sat, 03 Apr 2021 20:10:37 GMT; Path=/; secure
 set-cookie: gvc=MTYxMzM2OTE1MjU0MzgyMTA2NDI1MzIxMzUyNzc3MDg1ODIzOTA4; expires=Sat, 03 Apr 2021 20:10:37 GMT;
 set-cookie: __Host-js_csrf=VQ1woPFdbo194pKVi50HJuTa; expires=Thu, 04 Apr 2019 20:10:37 GMT; Path=/; secure
 set-cookie: t=VQ1woPFdbo194pKVi50HJuTa; Domain=dropbox.com; expires=Thu, 04 Apr 2019 20:10:37 GMT; httponly;
 set-cookie: puc=; expires=Mon, 04 Apr 2016 20:10:37 GMT; httponly; Path=/; secure
 x-dropbox-request-id: 7772ee5113bda6243af26076c8e25206
 pragma: no-cache
 cache-control: no-cache
 x-dropbox-http-protocol: None
 x-frame-options: SAMEORIGIN
 X-Server-Response-Time: 190
 Strict-Transport-Security: max-age=15552000; includeSubDomains
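
The three curl dumps above are what a manual header review looks like. As an added example (not part of the talk), the script below does the same review programmatically: it parses a raw response head the way `curl -I` prints it, treats header names case-insensitively (Dropbox sends them lowercase, GitHub mixed-case), keeps repeated headers such as Set-Cookie as lists, and reports which of the headers the talk covers are missing. The sample response is constructed for the example and is not one of the real responses shown on the slides.

```python
# Constructed sample response, modelled on `curl -I` output (not a real
# response from any of the sites on the slides).
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: nginx
Date: Mon, 04 Apr 2016 20:10:37 GMT
Content-Type: text/html; charset=utf-8
Set-Cookie: locale=en; Path=/; secure
set-cookie: t=abc; Path=/; httponly; secure
X-XSS-Protection: 1; mode=block
x-content-type-options: nosniff
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=15552000; includeSubDomains
"""

# The headers the talk (following the OWASP list) recommends checking for.
RECOMMENDED = (
    "X-XSS-Protection",
    "X-Content-Type-Options",
    "X-Frame-Options",
    "Strict-Transport-Security",
    "Content-Security-Policy",
)


def parse_headers(raw):
    """Parse a raw HTTP/1.1 response head into (status, {name: [values]}).

    Names are lower-cased because HTTP header names are case-insensitive;
    every name maps to a list because some headers (Set-Cookie) repeat.
    """
    lines = raw.splitlines()
    if not lines or not lines[0].startswith("HTTP/"):
        raise ValueError("missing status line")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # an empty line ends the header section
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def audit(raw):
    """Return {recommended header: first value or None}."""
    _, headers = parse_headers(raw)
    report = {}
    for name in RECOMMENDED:
        values = headers.get(name.lower())
        report[name] = values[0] if values else None
    return report


def missing(raw):
    """Recommended headers the response does not send at all."""
    return [name for name, value in audit(raw).items() if value is None]


def insecure_cookies(raw):
    """Names of cookies that lack the `secure` or `HttpOnly` attribute."""
    _, headers = parse_headers(raw)
    weak = []
    for cookie in headers.get("set-cookie", []):
        attrs = [part.strip().lower() for part in cookie.split(";")[1:]]
        name = cookie.split("=", 1)[0].strip()
        if "secure" not in attrs or "httponly" not in attrs:
            weak.append(name)
    return weak


if __name__ == "__main__":
    for name, value in audit(SAMPLE_RESPONSE).items():
        print("%-28s %s" % (name, value if value else "MISSING"))
    print("cookies without secure+HttpOnly:", insecure_cookies(SAMPLE_RESPONSE))
```

Feed it the text you get from `curl -I` (or `curl -sD - -o /dev/null URL`) to get the same checklist for any site; the cookie check mirrors what the GitHub and Dropbox dumps above show (`secure` and `httponly` on the session cookies).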

Slide 13

OWASP useful HTTP headers (https://www.owasp.org/index.php/List_of_useful_HTTP_headers)
• X-XSS-Protection
• X-Content-Type-Options
• X-Frame-Options
• Strict-Transport-Security
• Content-Security-Policy
• CSP in Real World
• End of the world

Slide 15

X-XSS-Protection
• Helps prevent reflected XSS attacks (controls the browser's built-in XSS filter)
• Supported by IE8+ and Chrome
• Can be enabled (1) or disabled (0)
• mode=block makes the browser stop rendering the page entirely instead of trying to sanitise it
X-XSS-Protection: 1; mode=block
http://blogs.msdn.com/b/ieinternals/archive/2011/01/31/controlling-the-internet-explorer-xss-filter-with-the-x-xss-protection-http-header.aspx

Slide 18

X-Content-Type-Options
• Supported by IE and Chrome
• "nosniff" is the only supported value: the browser must honour the declared Content-Type instead of sniffing the body
X-Content-Type-Options: nosniff
https://blogs.msdn.microsoft.com/ie/2008/09/02/ie8-security-part-vi-beta-2-update/
https://en.wikipedia.org/wiki/Content_sniffing

Slide 20

X-Frame-Options
• Supported by Chrome, IE 9, Safari and Firefox
• Prevents clickjacking by controlling which pages may frame yours
• Watch Alain's talk -->
X-Frame-Options: SAMEORIGIN

Slide 21

server {
    listen 80;

    server_name domain.com;

    # add_header directives are inherited from the enclosing level only when
    # the current level defines none of its own, so repeat them in any
    # location block that adds its own headers.
    add_header x-xss-protection "1; mode=block";
    add_header x-frame-options "DENY";
    add_header x-content-type-options "nosniff";
}


Slide 24

Strict-Transport-Security
• RFC 6797
• Supported by Chrome, IE 11, Safari and Firefox
• Enforces the use of HTTPS on your website: the browser turns any insecure link into a secure one
• Protects from protocol downgrade
• Blocks access if no trusted certificate is provided (no click-through warning)
• Only valid after the first connection, but the site can be preloaded
Strict-Transport-Security: max-age=expireTime [; includeSubdomains] [; preload]
https://tools.ietf.org/html/rfc6797

Slide 25

Strict-Transport-Security
Register on https://hstspreload.appspot.com/ for preload
Strict-Transport-Security: max-age=expireTime [; includeSubdomains] [; preload]
https://tools.ietf.org/html/rfc6797

Slide 26

Strict-Transport-Security

server {
    listen 80;

    server_name domain.com;
    # redirect every plain-HTTP request to HTTPS
    rewrite ^/(.*) https://$host/$1 permanent;
}
server {
    listen 443;
    ssl on;

    server_name domain.com;
    # the HSTS header is only honoured by browsers when received over HTTPS
    add_header Strict-Transport-Security "max-age=31536000;"; # ...
}
https://tools.ietf.org/html/rfc6797
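
To make the three HSTS slides concrete, here is an added example (written for this page, not code from the talk) that parses the header per RFC 6797, checks whether it carries what the preload form asks for, and models the browser side: a tiny HSTS host store that ignores the header over plain HTTP, remembers the policy for max-age seconds, covers subdomains when includeSubDomains is set, and upgrades http:// links to https://, which is the "turns any insecure link into a secure link" behaviour described above. The preload minimum max-age is an assumption set to one year, the value in the nginx example; check the submission form for the current requirement.

```python
import time

# One year, the value used in the nginx example above. The preload form sets
# its own minimum; treat this threshold as an assumption, not the rule.
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).

    Directive names are case-insensitive, max-age is mandatory, unknown
    directives are ignored, and a directive appearing twice makes the header
    invalid.
    """
    max_age = None
    include_subdomains = False
    preload = False
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue  # empty directives (e.g. a trailing ';') are allowed
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        if name in seen:
            raise ValueError("duplicate directive: " + name)
        seen.add(name)
        if name == "max-age":
            arg = arg.strip().strip('"')  # the value may be a quoted-string
            if not arg.isdigit():
                raise ValueError("max-age must be a non-negative integer")
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        raise ValueError("max-age is required")
    return {"max_age": max_age, "include_subdomains": include_subdomains, "preload": preload}


def preload_ready(value, min_max_age=PRELOAD_MIN_MAX_AGE):
    """True if the header carries the three things the preload form asks for."""
    p = parse_hsts(value)
    return p["max_age"] >= min_max_age and p["include_subdomains"] and p["preload"]


class HstsCache:
    """Minimal model of a browser's HSTS host store."""

    def __init__(self, now=time.time):
        self.now = now
        self.hosts = {}  # host -> (expiry timestamp, include_subdomains)

    def observe(self, host, scheme, header_value):
        """Record a policy; RFC 6797 section 8.1: only honoured over HTTPS."""
        if scheme != "https":
            return False
        p = parse_hsts(header_value)
        if p["max_age"] == 0:
            self.hosts.pop(host.lower(), None)  # max-age=0 means "forget me"
            return True
        self.hosts[host.lower()] = (self.now() + p["max_age"], p["include_subdomains"])
        return True

    def is_known(self, host):
        host = host.lower()
        now = self.now()
        for known, (expiry, subs) in self.hosts.items():
            if expiry <= now:
                continue  # expired entry
            if host == known or (subs and host.endswith("." + known)):
                return True
        return False

    def upgrade(self, url):
        """Rewrite http:// URLs of known hosts to https://, as the browser does."""
        if not url.startswith("http://"):
            return url
        rest = url[len("http://"):]
        hostport, _, path = rest.partition("/")
        host, _, port = hostport.partition(":")
        if not self.is_known(host):
            return url
        authority = host if port in ("", "80") else host + ":" + port
        return "https://" + authority + "/" + path
```

The "only valid after the first connection" bullet is visible in the model: until `observe` has seen the header over HTTPS, `upgrade` leaves http:// links alone, which is exactly the window preloading closes.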

Slide 29

Content-Security-Policy
• Supported by Chrome, IE 9, Safari and Firefox
• Prevents XSS
• Declares directives about what can be loaded and executed on your website
Content-Security-Policy: default-src 'self'; script-src 'self' https://mycdn.com; style-src 'self' https://mycdn.com
https://www.w3.org/TR/2012/CR-CSP-20121115/

Slide 30

Content-Security-Policy Level 1 - Directives
All these directives accept a source list
• default-src - fallback for any non-declared directive
• script-src - <script> sources
• style-src - <link> / @import CSS rule
• object-src - <object> / <embed> / <applet>
• img-src - <img> sources
• media-src - <video> / <audio> / <source> / <track> sources
• frame-src - <iframe> / <frame> sources
• font-src - @font-face CSS rule
• connect-src - XHR open / WebSocket or EventSource constructor
https://www.w3.org/TR/2012/CR-CSP-20121115/

Slide 31

Content-Security-Policy Level 1 - Directives
Source list structure: source1 source2 … sourceN;
Special sources:
• 'self': the same origin as the current page (all directives)
• 'unsafe-inline': allows inline script / style (script-src and style-src directives)
• 'unsafe-eval': governs dynamic code; without it eval / new Function() are disabled, and setTimeout / setInterval with a non-callable (string) argument do not work (script-src directive)
Example:
default-src 'self'; script-src 'self' https://cdn.domain.com 'unsafe-eval';
https://www.w3.org/TR/2012/CR-CSP-20121115/

Slide 32

Content-Security-Policy Level 1 - Directives
Content-Security-Policy:
 default-src 'self';
 script-src 'self' https://cdn.domain.com;
 style-src 'self' https://cdn.domain.com;
https://www.w3.org/TR/2012/CR-CSP-20121115/

Slide 33

Content-Security-Policy Level 1 - Directives
'unsafe-eval' warning: jQuery uses eval when inserting DOM nodes that contain a script:

 # does not work: scripts inserted through innerHTML are never executed by the browser
 document
   .getElementsByTagName('body')[0]
   .innerHTML = '<script>console.log("Hello roro")</script>'

 # works: jQuery extracts the <script> and evaluates it itself, which needs 'unsafe-eval'
 jQuery('body').html('<script>console.log("Hello roro")</script>')
https://www.w3.org/TR/2012/CR-CSP-20121115/

Slide 34

Content-Security-Policy Level 1 - Directives
'unsafe-inline': what about my inline scripts and styles?

 <script>
   window.api_key = '{{ api_key }}';
 </script>

 <style>
   body {
     background-color: red;
   }
 </style>
https://www.w3.org/TR/2012/CR-CSP-20121115/

Slide 35

Content-Security-Policy Level 1 - Directives
Strict policy (inline script, inline style and eval are blocked):
Content-Security-Policy:
 default-src 'self';
 script-src 'self' https://cdn.domain.com;
 style-src 'self' https://cdn.domain.com;

Relaxed policy (inline script, eval and inline style allowed again):
Content-Security-Policy:
 default-src 'self';
 script-src 'self' 'unsafe-eval' 'unsafe-inline' https://cdn.domain.com;
 style-src 'self' 'unsafe-inline' https://cdn.domain.com;
https://www.w3.org/TR/2012/CR-CSP-20121115/

Slide 36

Content-Security-Policy Level 2
https://www.w3.org/TR/CSP2/
W3C Recommendation 2014-2015
• New directives
• Hashes and nonces for inline scripting

Slide 37

Content-Security-Policy Level 2 - Directives
All these directives accept a source list
• base-uri - allowed document base URLs; no fallback on default-src
• child-src - workers and frames; deprecates frame-src
• form-action - allowed form action URLs; no fallback on default-src
• frame-ancestors - whether the document may be embedded in <frame>, <iframe>, <object>, <applet> or <embed>; related to X-Frame-Options ('none' is the equivalent of DENY)
• plugin-types - list of MIME types; <object>, <embed> or <applet> elements must match it with their type attribute
https://www.w3.org/TR/CSP2/

Slide 38

Content-Security-Policy Level 2 - Nonce
Introduces nonces (random value per request) for inline scripting:
 # HTML
 <script nonce="c89143d4b599538c81058b80a6f975a6">
   window.config.apiKey = 'api-key';
 </script>

 <style nonce="5c5260e3c82f1724a903612c0fc11a0f">
   body { background-color: red; }
 </style>

 # HTTP header
 Content-Security-Policy:
  script-src 'self' 'nonce-c89143d4b599538c81058b80a6f975a6';
  style-src 'self' 'nonce-5c5260e3c82f1724a903612c0fc11a0f';
Con: an attacker who can obtain the nonce can execute any script.
https://www.w3.org/TR/CSP2/

Slide 39

Content-Security-Policy Level 2 - Hashes
Introduces hashes (sha256, sha384 and sha512) for inline scripting:
 # HTML
 <script>
   window.config.apiKey = 'api-key';
 </script>

 # HTTP header
 Content-Security-Policy:
  script-src 'self' 'sha256-voRt1IK8+FVdRFaTgn8K6ET46mYOZvT7kYG6Wo3eJNU='

 # PHP: hash the exact bytes between the tags, then base64-encode the raw digest
 $hash = base64_encode(openssl_digest($scriptContent, 'sha256', true));
https://www.w3.org/TR/CSP2/

Slide 40

Content-Security-Policy Level 2 - Hashes
The same hashes work for inline styles:
 # HTML
 <style>
   body { background-color: red; }
 </style>

 # HTTP header (the hash of a style block goes in style-src)
 Content-Security-Policy:
  style-src 'self' 'sha256-xWFKpNfjw6Di/Op4dyVBe876d12Yggw8WSB6ojNM/bM='

 # PHP
 base64_encode(openssl_digest($styleContent, 'sha256', true))
https://www.w3.org/TR/CSP2/
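
The PHP one-liner on the last two slides is the whole trick; as an added example (written for this page, not the talk's code) the Python below does the same for all three digests CSP Level 2 allows, generates a per-response nonce of the same shape as the slides' (16 random bytes, 32 hex characters), verifies an inline body against a hash source taken from a policy, and assembles a header plus matching HTML for one response. The script and style bodies, the helper names and the layout are assumptions for the illustration.

```python
import base64
import hashlib
import secrets

ALGORITHMS = ("sha256", "sha384", "sha512")


def csp_hash(content, algorithm="sha256"):
    """Return the 'sha256-…' source expression for an inline script/style body.

    The hash covers exactly the bytes between the opening and closing tag,
    whitespace included, so the template must emit the body byte-for-byte.
    """
    if algorithm not in ALGORITHMS:
        raise ValueError("CSP Level 2 only allows sha256/sha384/sha512")
    digest = hashlib.new(algorithm, content.encode("utf-8")).digest()
    return "'%s-%s'" % (algorithm, base64.b64encode(digest).decode("ascii"))


def csp_nonce():
    """Fresh per-response nonce: 16 random bytes as 32 hex chars."""
    return secrets.token_hex(16)


def matches_hash(content, source_expr):
    """Check an inline body against one hash source expression from a policy."""
    expr = source_expr.strip().strip("'")
    algorithm = expr.split("-", 1)[0]
    if algorithm not in ALGORITHMS:
        return False
    return csp_hash(content, algorithm) == "'" + expr + "'"


def build_response(inline_script, inline_style, nonce):
    """Assemble a Level 2 policy and matching HTML for one response.

    The script is whitelisted by hash (static content, same on every
    response), the style by nonce (a new value per response). Assumed
    layout for the example, not the slides' markup.
    """
    policy = "; ".join([
        "default-src 'self'",
        "script-src 'self' " + csp_hash(inline_script),
        "style-src 'self' 'nonce-%s'" % nonce,
    ])
    html = (
        "<script>%s</script>\n<style nonce=\"%s\">%s</style>"
        % (inline_script, nonce, inline_style)
    )
    return policy, html


if __name__ == "__main__":
    nonce = csp_nonce()
    policy, html = build_response(
        "window.config.apiKey = 'api-key';",   # constructed sample body
        "body { background-color: red; }",     # constructed sample body
        nonce,
    )
    print("Content-Security-Policy:", policy)
    print(html)
```

Note that `csp_nonce()` must be called once per response and never reused: the "Con" on the nonce slide is precisely that a nonce an attacker can predict or read is as good as 'unsafe-inline'.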

Slide 41

Content-Security-Policy Level 2 - Support
http://caniuse.com/#search=csp

Slide 42

Content-Security-Policy Level 2 - Support
In CSP Level 2, 'unsafe-inline' is ignored when a nonce or a hash is present in the same source list.

Content-Security-Policy: script-src 'unsafe-inline' 'nonce-c89143d4b599538c81058b80a6f975a6'

is interpreted in a CSP Level 1 context as:
Content-Security-Policy: script-src 'unsafe-inline'

and in a CSP Level 2 context as:
Content-Security-Policy: script-src 'nonce-c89143d4b599538c81058b80a6f975a6'
https://www.w3.org/TR/CSP2/
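
The Level 1 directive slides (source lists, default-src fallback) and the rule just stated both come down to how a browser parses and resolves a policy, so here is one added example (not code from the talk) that serves both: a small policy parser, the default-src fallback for fetch directives versus the Level 2 directives that never fall back, and the Level 1 / Level 2 interpretation of a source list that mixes 'unsafe-inline' with a nonce or hash. The directive sets are the ones listed on the slides; the `level` argument and the function names are assumptions for the example.

```python
# Directives whose absence falls back to default-src (the Level 1 fetch
# directives from the slides, plus child-src from Level 2).
FETCH_DIRECTIVES = {
    "script-src", "style-src", "object-src", "img-src", "media-src",
    "frame-src", "font-src", "connect-src", "child-src",
}
# Level 2 directives the slides flag as having no default-src fallback.
NO_FALLBACK = {"base-uri", "form-action", "frame-ancestors", "plugin-types", "report-uri"}


def parse_policy(header):
    """Parse a Content-Security-Policy value into {directive: [sources]}.

    Directives are ';'-separated; each is a name followed by a whitespace
    separated source list. A repeated directive is ignored after its first
    occurrence, as the spec requires.
    """
    policy = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name in policy:
            continue
        policy[name] = tokens[1:]
    return policy


def effective_sources(policy, directive):
    """Source list governing `directive`, applying default-src fallback.

    Returns None when nothing restricts the directive (no explicit entry and
    either no default-src or a directive that never falls back).
    """
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES and "default-src" in policy:
        return policy["default-src"]
    return None


def is_nonce_or_hash(source):
    s = source.strip("'")
    return s.startswith("nonce-") or s.startswith(("sha256-", "sha384-", "sha512-"))


def interpret(sources, level):
    """Source list as a browser of the given CSP level sees it."""
    if level >= 2 and any(is_nonce_or_hash(s) for s in sources):
        # Level 2: a nonce or hash in the list neutralises 'unsafe-inline'.
        return [s for s in sources if s != "'unsafe-inline'"]
    if level == 1:
        # Level 1 does not know nonce/hash sources and simply never matches them.
        return [s for s in sources if not is_nonce_or_hash(s)]
    return list(sources)


def allows_inline(policy, directive, level):
    """Would an inline <script>/<style> without nonce or hash be allowed?"""
    sources = effective_sources(policy, directive)
    if sources is None:
        return True  # unrestricted
    return "'unsafe-inline'" in interpret(sources, level)
```

Run `allows_inline` on the slide's policy with `level=1` and `level=2` to see the two readings side by side; this is the check to make before shipping a policy that relies on the Level 2 behaviour.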

Slide 43

Content-Security-Policy Level 2
So you can use CSP Level 2 with hashes and nonces as long as you still include the 'unsafe-inline' source for Level 1 browsers.
Chrome, Safari, IE 11 and Firefox
https://www.w3.org/TR/CSP2/

Slide 46

Content-Security-Policy - Project Setup
Content-Security-Policy might be difficult to implement in a legacy project :(
https://www.w3.org/TR/CSP2/

Slide 47

Content-Security-Policy - Project Setup
composer require nelmio/security-bundle

csp:
    enforce:
        default-src:
            - 'self'
            - 'https://%assets_domain%'
        script-src:
            - 'self'
            - 'unsafe-inline'
            - 'https://%assets_domain%'
        style-src:
            - 'self'
            - 'unsafe-inline'
            - 'https://%assets_domain%'
        report-uri: [ '/csp/report' ]
https://github.com/nelmio/NelmioSecurityBundle

Slide 48

Content-Security-Policy - Project Setup
composer require nelmio/security-bundle

The bundle's Twig tags wrap the inline blocks so that the matching nonce is added to the element and to the header:

{% cspscript %}
<script>
    window.api_key = '{{ api_key }}';
</script>
{% endcspscript %}

{% cspstyle %}
<style>
    body {
        background-color: red;
    }
</style>
{% endcspstyle %}
https://github.com/nelmio/NelmioSecurityBundle

Slide 51

Content-Security-Policy - Project Setup
Content-Security-Policy-Report-Only
• Does not apply the rules, just collects directive violations
• Can be used alongside the Content-Security-Policy header to test a new version of the policy
Content-Security-Policy-Report-Only:
 default-src 'self'; report-uri /csp-report-endpoint/
https://www.w3.org/TR/CSP2/

Slide 52

Content-Security-Policy - Project Setup
Content-Security-Policy report-uri
• The browser POSTs a JSON report of every Content Security Policy violation to this URL
Content-Security-Policy:
 default-src 'self'; report-uri /csp-report-endpoint/
https://www.w3.org/TR/CSP2/

Slide 53

Content-Security-Policy - Project Setup
Content-Security-Policy report-uri: an example report (some values are truncated on the original slide)
{
  "blocked-uri": "https://m74.dnsqa2016.com",
  "column-number": 290,
  "document-uri": "https://blackfire.io/",
  "effective-directive": "script-src",
  "line-number": 45,
  "original-policy": "default-src 'self' https://d2vqbs7xgyce6n.cloudfront.n",
  "referrer": "https://www.google.pl/",
  "source-file": "https://www.google-analytics.com",
  "status-code": 0,
  "violated-directive": "script-src 'self' 'unsafe-inline' https://www.gstat"
}
https://www.w3.org/TR/CSP2/
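
A report endpoint receives far more than the one report shown above, and a good share of it is noise from browser extensions that inject scripts into the page (the point made a few slides later). As an added example (not code from the talk or from the Dropbox posts in the resources), the script below parses incoming report bodies, accepting both the spec's {"csp-report": {...}} envelope and a bare object like the one on the slide, drops reports whose blocked or source URL uses an extension scheme, and aggregates the rest per directive and blocked host. The three report bodies are constructed for the example; the extension scheme list is an assumption based on the schemes browsers use.

```python
import json
from urllib.parse import urlsplit

# Constructed reports (values invented; only the key names follow the CSP2
# report format). The first has the shape of the report on the slide, the
# other two are what browser-extension noise typically looks like.
REPORTS = [
    '{"csp-report": {"blocked-uri": "https://tracker.example", "document-uri": "https://app.example/", '
    '"effective-directive": "script-src", "violated-directive": "script-src \'self\'", '
    '"original-policy": "default-src \'self\'; script-src \'self\'; report-uri /csp/report", '
    '"status-code": 0, "line-number": 45, "column-number": 290, "source-file": "https://app.example/"}}',
    '{"csp-report": {"blocked-uri": "chrome-extension://abcdefghijklmnop/content.js", '
    '"document-uri": "https://app.example/", "effective-directive": "script-src", '
    '"violated-directive": "script-src \'self\'", "original-policy": "default-src \'self\'"}}',
    '{"blocked-uri": "", "document-uri": "https://app.example/", "effective-directive": "script-src", '
    '"violated-directive": "script-src \'self\'", "source-file": "moz-extension://1234/inject.js", '
    '"original-policy": "default-src \'self\'"}',
]

# URL schemes used by browser extensions (assumed list for the example).
EXTENSION_SCHEMES = ("chrome-extension", "moz-extension", "safari-extension", "ms-browser-extension")


def parse_report(body):
    """Accept both the spec's {"csp-report": {...}} envelope and a bare object."""
    data = json.loads(body)
    report = data.get("csp-report", data)
    for key in ("document-uri", "violated-directive"):
        if key not in report:
            raise ValueError("report lacks " + key)
    # Normalise the fields the triage keys on; everything else stays as sent.
    report.setdefault("blocked-uri", "")
    report.setdefault("effective-directive", report["violated-directive"].split()[0])
    return report


def is_extension_noise(report):
    """Violations caused by browser extensions: nothing the site can fix."""
    for field in ("blocked-uri", "source-file"):
        if urlsplit(report.get(field, "")).scheme in EXTENSION_SCHEMES:
            return True
    return False


def triage(bodies):
    """Split raw report bodies into actionable reports and discarded noise."""
    actionable, noise = [], []
    for body in bodies:
        try:
            report = parse_report(body)
        except ValueError:  # covers json.JSONDecodeError too
            noise.append(body)
            continue
        (noise if is_extension_noise(report) else actionable).append(report)
    return actionable, noise


def summarise(actionable):
    """Count actionable violations per (effective-directive, blocked host)."""
    counts = {}
    for r in actionable:
        host = urlsplit(r["blocked-uri"]).netloc or r["blocked-uri"] or "inline"
        key = (r["effective-directive"], host)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    actionable, noise = triage(REPORTS)
    print("actionable:", summarise(actionable))
    print("discarded:", len(noise))
```

The counts are what you want to watch while a policy runs in Report-Only mode: a new (directive, host) pair appearing after a deploy usually means a resource the policy forgot, not an attack.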

Slide 54

Content-Security-Policy - Project Setup
AngularJS compatibility
• Angular detects CSP usage, but the detection itself triggers a CSP security exception
• Force Angular to behave in CSP mode with the ng-csp directive (provided natively within angular.js)
https://www.w3.org/TR/CSP2/

Slide 55

Is my website secured with Content-Security-Policy?

Slide 56

Is my website secured with Content-Security-Policy?
• Browser extensions have incredible access to the page, and you cannot do anything about it
• You still use trackers (GA) => disable them on sensitive pages
• Your CDN can be compromised

Slide 60

Remember the Great Cannon?

Slide 61

Security & HTTP: Subresource Integrity
http://www.securityweek.com/great-cannon-attack-tool-used-china-censorship-enforcement

Slide 64

Security & HTTP: Subresource Integrity
https://www.w3.org/TR/SRI/
http://githubengineering.com/subresource-integrity/
• W3C recommendation from late 2015
• For <script> and <link> tags
• Supports sha256, sha384 and sha512 message digests
• Adds a hash to a resource so the browser can check its integrity before using it
• Cross-origin resources must be served with CORS, as the spec requires (otherwise the integrity check could be used to brute-force the content of an opaque response)
<script
  crossorigin="anonymous"
  src="/assets/application.js"
  integrity="sha256-TvVUHzSfftWg1rcfL6TIJ0XKEGrgLyEq6lEpcmrG9qs="
></script>
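
To show what the browser does with that integrity attribute, here is an added example (written for this page, not code from the talk or the SRI spec): it computes integrity tokens for a resource body, parses an attribute that may list several tokens, applies the rule that only the strongest algorithm listed counts, and refuses opaque cross-origin responses, which is why the crossorigin attribute above matters. The resource body, the `cors_ok` flag and the helper names are assumptions for the example.

```python
import base64
import hashlib

# Relative strength of the three digests SRI supports.
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_digest(data, algorithm="sha256"):
    """Build an integrity token ('sha256-<base64>') for a resource body (bytes)."""
    if algorithm not in STRENGTH:
        raise ValueError("unsupported algorithm")
    digest = hashlib.new(algorithm, data).digest()
    return "%s-%s" % (algorithm, base64.b64encode(digest).decode("ascii"))


def parse_integrity(attr):
    """Parse a space-separated integrity attribute into [(algorithm, base64)].

    Tokens with an unknown algorithm are ignored rather than rejected, so a
    page can list a newer algorithm alongside one older browsers understand.
    """
    parsed = []
    for token in attr.split():
        algo, _, b64 = token.partition("-")
        b64 = b64.split("?", 1)[0]  # the spec allows trailing '?options'
        if algo in STRENGTH:
            parsed.append((algo, b64))
    return parsed


def verify(data, attr, cors_ok=True):
    """Decide whether a fetched resource may be used under `attr`.

    Only the strongest algorithm listed counts; if several tokens use it,
    any one matching is enough. A cross-origin response fetched without
    CORS is opaque and must fail, otherwise the check would leak whether
    the body matches a guess.
    """
    tokens = parse_integrity(attr)
    if not tokens:
        return True  # no usable metadata: SRI does not apply
    if not cors_ok:
        return False
    best = max(STRENGTH[a] for a, _ in tokens)
    return any(
        sri_digest(data, a) == "%s-%s" % (a, b)
        for a, b in tokens if STRENGTH[a] == best
    )


def script_tag(src, data, algorithm="sha384"):
    """Emit the tag a build step would write for a resource it just hashed."""
    return '<script src="%s" integrity="%s" crossorigin="anonymous"></script>' % (
        src, sri_digest(data, algorithm))


if __name__ == "__main__":
    body = b"console.log('hi');"  # constructed sample resource body
    print(script_tag("/assets/application.js", body))
    print("verify:", verify(body, sri_digest(body)))
```

In a build pipeline `script_tag` is what you run over each compiled asset; any later change to the file served by the CDN, including the script-injection scenario the previous slides allude to, makes `verify` return False and the browser refuses to execute it.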

Slide 65

Security & HTTP: Subresource Integrity
http://caniuse.com/#feat=subresource-integrity

Slide 67

OWASP useful HTTP headers (https://www.owasp.org/index.php/List_of_useful_HTTP_headers)
• X-XSS-Protection
• X-Content-Type-Options
• X-Frame-Options
• Strict-Transport-Security
• Content-Security-Policy
• CSP in Real World
• End of the world
• Subresource Integrity
• Public Key Pinning

Slide 69

Resources
• https://blogs.dropbox.com/tech/2015/09/on-csp-reporting-and-filtering/
• https://blogs.dropbox.com/tech/2015/09/unsafe-inline-and-nonce-deployment/
• https://blogs.dropbox.com/tech/2015/09/csp-the-unexpected-eval/
• https://blogs.dropbox.com/tech/2015/09/csp-third-party-integrations-and-privilege-separation/
• http://githubengineering.com/subresource-integrity/
• https://blog.cloudflare.com/an-introduction-to-javascript-based-ddos/
• http://www.securityweek.com/great-cannon-attack-tool-used-china-censorship-enforcement
• https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf
• https://github.com/nelmio/NelmioSecurityBundle
• https://www.owasp.org/index.php/List_of_useful_HTTP_headers
• https://www.w3.org/TR/SRI/
• https://www.w3.org/TR/CSP2/
• https://www.w3.org/TR/2012/CR-CSP-20121115/
• https://tools.ietf.org/html/rfc6797
• http://caniuse.com/#feat=subresource-integrity
• http://caniuse.com/#search=csp
• https://blogs.msdn.microsoft.com/ie/2008/09/02/ie8-security-part-vi-beta-2-update/
• https://en.wikipedia.org/wiki/Content_sniffing
• https://blogs.msdn.com/b/ieinternals/archive/2011/01/31/controlling-the-internet-explorer-xss-filter-with-the-x-xss-protection-http-header.aspx

Slide 70

THANK YOU !! Questions?