Luke Crouch
For learning and doing web app security
Slide 2
Slide 2 text
Me
Luke Crouch
• Privacy & Security Engineer,
Mozilla
• Board member,
Techlahoma Foundation
• I’ve had 4 cups of coffee already
☕ ☕ ☕ ☕
Slide 3
Slide 3 text
This talk
• 112 slides in ~15m
• Mozilla Observatory
• Website
• Command-line tool
• API
• Questions
Slide 4
Slide 4 text
How many of you use a tool to
scan your web site or app for
security issues? 🙋
Slide 5
Slide 5 text
In Mozilla research,
16% say Yes
n=1,181 web engineers
*old data
Slide 6
Slide 6 text
In Mozilla research,
47% say No
n=1,181 web developers
*old data
Slide 7
Slide 7 text
Why don’t you use something to
scan your web site or app?
Slide 8
Slide 8 text
40% say:
I don’t need it
Slide 9
Slide 9 text
Can’t have security
vulnerabilities …
… if you don’t know about
your security vulnerabilities.
Slide 10
Slide 10 text
17% say they
“need to” use a
tool
Slide 11
Slide 11 text
THANK YOU!
Slide 12
Slide 12 text
Because even if your app or site
may not seem like a target …
Slide 13
Slide 13 text
Your users may be re-using their
password …
Slide 14
Slide 14 text
• their bank
• their PayPal
• their workplace
• their healthcare provider
• their password manager (!)
• their computer
• etc.
• their email
• which gives an attacker access
to all of those others!
Slide 15
Slide 15 text
So if your app is hacked, their
other accounts could get hacked
too.
Slide 16
Slide 16 text
Next (rhetorical) question …
Slide 17
Slide 17 text
Which of the following security tech applies
to your code?
• Mixed Content
• Subresource Integrity
• Cross-Origin Resource Sharing
• Cookies
• Secure
• HttpOnly
• Content Security Policy
• HTTP Strict Transport
Security
• Redirections
• Referrer Policy
• X-Frame-Options
• X-XSS-Protection
• X-Content-Type-Options
Slide 18
Slide 18 text
🤷🤷
Slide 19
Slide 19 text
Which of the following security tech applies
to your code?
• Mixed Content
• Subresource Integrity
• Cross-Origin Resource Sharing
• Cookies
• Secure
• HttpOnly
• Content Security Policy
• HTTP Strict Transport
Security
• Redirections
• Referrer Policy
• X-Frame-Options
• X-XSS-Protection
• X-Content-Type-Options
Slide 20
Slide 20 text
How do you know
what you need to know?
Slide 21
Slide 21 text
Luke Crouch
For learning and doing web app security
Slide 22
Slide 22 text
No content
Slide 23
Slide 23 text
No content
Slide 24
Slide 24 text
No content
Slide 25
Slide 25 text
No content
Slide 26
Slide 26 text
No content
Slide 27
Slide 27 text
No content
Slide 28
Slide 28 text
Observatory helps me focus on
learning the most important
security for my code right now.
Slide 29
Slide 29 text
Because the reason most of us don’t do all
this …
• Mixed Content
• Subresource Integrity
• Cross-Origin Resource Sharing
• Cookies
• Secure
• HttpOnly
• Content Security Policy
• HTTP Strict Transport
Security
• Redirections
• Referrer Policy
• X-Frame-Options
• X-XSS-Protection
• X-Content-Type-Options
Slide 30
Slide 30 text
we don’t have time to do it all.
Slide 31
Slide 31 text
But, there’s plenty of “quick wins”
you can get with a little bit of time
Slide 32
Slide 32 text
So, let’s get started …
Slide 33
Slide 33 text
⚠ Disclaimer: don’t be evil ⚠
Slide 34
Slide 34 text
You should only use security
scanning and testing tools
with permission
Slide 35
Slide 35 text
So … don’t go scan a bunch of
government websites
Slide 36
Slide 36 text
Now … let’s go scan a bunch of
government websites
Slide 37
Slide 37 text
hackerone.com
Slide 38
Slide 38 text
No content
Slide 39
Slide 39 text
No content
Slide 40
Slide 40 text
No content
Slide 41
Slide 41 text
So basically, GSA gives permission
to scan some sites, within certain
scope and under certain conditions
Slide 42
Slide 42 text
No content
Slide 43
Slide 43 text
Let’s try the first one on the list:
itdashboard.gov
Slide 44
Slide 44 text
No content
Slide 45
Slide 45 text
No content
Slide 46
Slide 46 text
No content
Slide 47
Slide 47 text
No content
Slide 48
Slide 48 text
Loading external scripts over
(insecure) HTTP - WCGW? 🤷
https://itdashboard.gov
/user-uploads/
js in image.jpg file
Slide 66
Slide 66 text
No content
Slide 67
Slide 67 text
Does your server set the right
Content-Type for scripts and
styles?
Slide 68
Slide 68 text
Yes?
Slide 69
Slide 69 text
This is “easy” - you can add:
X-Content-Type-Options: nosniff
across your entire server.
Slide 70
Slide 70 text
X-Content-Type-Options
is the first recommended fix,
because it’s easier than others …
Slide 71
Slide 71 text
No?
Slide 72
Slide 72 text
Do you need to support old IE browsers?
• No?
• add X-Content-Type-Options: nosniff
• Yes?
• Sorry to hear that
• Does your site need to render user uploads in pages?
• No? add X-Content-Type-Options: nosniff
• Yes?
• Sorry again …
Slide 73
Slide 73 text
This is how improving your
security works
Slide 74
Slide 74 text
1. Find a potential vulnerability
2. Learn about the potential attack(s)
3. Determine how much it affects your code
specifically
4. Make an appropriate fix
5. Repeat
Slide 75
Slide 75 text
So, what’s next for
itdashboard.gov ?
Slide 76
Slide 76 text
Normally, you would make the
recommended fix …
Slide 77
Slide 77 text
No content
Slide 78
Slide 78 text
And then
Slide 79
Slide 79 text
But since GSA won’t give us
access to deploy code on
itdashboard.gov …
Slide 80
Slide 80 text
Let’s just check out the other
tests in the report …
Slide 81
Slide 81 text
No content
Slide 82
Slide 82 text
No content
Slide 83
Slide 83 text
X-XSS-Protection
Slide 84
Slide 84 text
No content
Slide 85
Slide 85 text
No content
Slide 86
Slide 86 text
But what does it actually do?
Slide 87
Slide 87 text
No content
Slide 88
Slide 88 text
https://itdashboard.gov/?param=alert(1)
…
Slide 89
Slide 89 text
X-XSS-Protection: 1; mode=block
Slide 90
Slide 90 text
https://itdashboard.gov/?param=alert(1)
…
Slide 91
Slide 91 text
No content
Slide 92
Slide 92 text
You might as well take care of older
browser users
(they need all the help they can get!)
Slide 93
Slide 93 text
Do you need to render HTML from url params?
• No?
• add X-XSS-Protection: 1; mode=block
• Yes?
• No you don’t. add X-XSS-Protection: 1; mode=block
• For real you do?
• No, for real you don’t.
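Slides 69 and 93 both recommend setting a header "across your entire server". The example below is added here and is not code from the talk or from Mozilla Observatory; it shows the two quick-win headers from the slides added by a WSGI middleware (so every response gets them, whatever the application did), plus a small check that reports them missing the way a scanner would. The application `demo_app` and the request driver `run_request` are hypothetical stand-ins so the example runs offline.

```python
"""Added example (not from the talk): set X-Content-Type-Options and
X-XSS-Protection on every response, then verify them like a scanner would."""
from wsgiref.util import setup_testing_defaults

# The two "quick win" headers from slides 69 and 93, applied server-wide.
SECURITY_HEADERS = {
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
}


def add_security_headers(app):
    """WSGI middleware: append SECURITY_HEADERS to every response of the
    wrapped app, without overriding a value the app already chose."""
    def wrapped(environ, start_response):
        def _start_response(status, headers, exc_info=None):
            present = {name.lower() for name, _ in headers}
            for name, value in SECURITY_HEADERS.items():
                if name.lower() not in present:
                    headers.append((name, value))
            return start_response(status, headers, exc_info)
        return app(environ, _start_response)
    return wrapped


def demo_app(environ, start_response):
    """Hypothetical application that serves one page and sets no security headers."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<html><body>hello</body></html>"]


def run_request(app, path="/"):
    """Drive a WSGI app with a synthetic request (no network).
    Returns (status, {lower-cased header name: value}, body)."""
    environ = {"PATH_INFO": path}
    setup_testing_defaults(environ)
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers
        return lambda data: None

    body = b"".join(app(environ, start_response))
    return captured["status"], {k.lower(): v for k, v in captured["headers"]}, body


def check_headers(headers):
    """Findings a header scanner would raise for a response's headers.
    Names are matched lower-cased; values are compared case-insensitively."""
    findings = []
    ctype = headers.get("x-content-type-options", "").strip().lower()
    if ctype != "nosniff":
        findings.append("X-Content-Type-Options header not implemented")
    xss = headers.get("x-xss-protection", "").replace(" ", "").lower()
    if not xss.startswith("1"):
        findings.append("X-XSS-Protection header not implemented")
    elif "mode=block" not in xss:
        findings.append("X-XSS-Protection enabled without mode=block")
    return findings


if __name__ == "__main__":
    _, before, _ = run_request(demo_app)
    print("before middleware:", check_headers(before))
    _, after, _ = run_request(add_security_headers(demo_app))
    print("after middleware: ", check_headers(after), after)
```

The middleware only fills in headers the application did not set, so a route that deliberately needs a different value (for example a page that must render user uploads, slide 72) can still override it. Note that the browser-side XSS auditor that `X-XSS-Protection` controls has since been removed from Chromium-based browsers and was never implemented in Firefox, so the header only helps the older browsers the slide mentions; it is not a substitute for output encoding or a Content Security Policy.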
https://http-observatory.security.mozilla.org/api/v1
• POST /analyze?host=itdashboard.gov
• hidden=true&rescan=true
• GET /analyze?host=itdashboard.gov
• returns a “scan object” with a scan ID
• GET /getScanResults?scan=
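The three API calls listed above form one flow: start the scan, poll the scan object until it finishes, then fetch the per-test results. The client below is an added example, not the talk's code and not an official Observatory client; the endpoint paths come from the slide, while the JSON field names (`scan_id`, `state`, `pass`, `score_modifier`) are assumptions to verify against the live API documentation. The transport is injectable so the flow can be exercised offline against `FakeObservatory`, a constructed stand-in whose canned responses and score modifiers are illustrative only.

```python
"""Added example (not from the talk or the Observatory project): the
POST /analyze -> GET /analyze -> GET /getScanResults flow, with the HTTP
transport injectable so it can run offline against a fake service."""
import json
import time
import urllib.parse
import urllib.request

API = "https://http-observatory.security.mozilla.org/api/v1"


def http_json(method, url, body=None):
    """Real transport: form-encoded POST or plain GET, JSON reply decoded."""
    data = urllib.parse.urlencode(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


def scan_host(host, transport=http_json, poll_interval=2.0, max_polls=30):
    """Start a scan for host, wait until it finishes, return (scan, results)."""
    analyze = f"{API}/analyze?host={urllib.parse.quote(host)}"
    # 1. POST /analyze kicks off (or re-runs) a scan; the reply is the scan object.
    scan = transport("POST", analyze, {"hidden": "true", "rescan": "true"})
    # 2. GET /analyze returns the current scan object; poll until it is finished.
    #    "scan_id" / "state" are assumed field names; check them against the API docs.
    for _ in range(max_polls):
        state = scan.get("state")
        if state == "FINISHED":
            break
        if state in ("FAILED", "ABORTED"):
            raise RuntimeError(f"scan {scan.get('scan_id')} ended in state {state}")
        time.sleep(poll_interval)
        scan = transport("GET", analyze)
    else:
        raise TimeoutError(f"scan of {host} did not finish after {max_polls} polls")
    # 3. GET /getScanResults?scan=<id> returns one entry per test.
    results = transport("GET", f"{API}/getScanResults?scan={scan['scan_id']}")
    return scan, results


def failing_tests(results):
    """Names of tests that did not pass, largest score penalty first."""
    failed = [(name, r) for name, r in results.items() if not r.get("pass", False)]
    failed.sort(key=lambda item: item[1].get("score_modifier", 0))
    return [name for name, _ in failed]


class FakeObservatory:
    """Constructed stand-in for the service: answers the three calls with canned
    JSON. The scan takes two polls to finish; the score modifiers are illustrative."""

    def __init__(self):
        self.calls = []
        self.polls = 0

    def __call__(self, method, url, body=None):
        self.calls.append((method, url[len(API):], body))
        path = urllib.parse.urlparse(url).path
        if path.endswith("/analyze") and method == "POST":
            return {"scan_id": 1234, "state": "PENDING"}
        if path.endswith("/analyze"):
            self.polls += 1
            state = "FINISHED" if self.polls >= 2 else "RUNNING"
            return {"scan_id": 1234, "state": state}
        if path.endswith("/getScanResults"):
            return {
                "x-content-type-options": {"pass": False, "score_modifier": -5},
                "x-xss-protection": {"pass": False, "score_modifier": -10},
                "strict-transport-security": {"pass": True, "score_modifier": 0},
            }
        raise ValueError(f"unexpected call {method} {url}")


if __name__ == "__main__":
    fake = FakeObservatory()
    scan, results = scan_host("itdashboard.gov", transport=fake, poll_interval=0)
    print("calls made:", [(m, p) for m, p, _ in fake.calls])
    print("failing tests, worst first:", failing_tests(results))
    # To scan for real (only a host you are permitted to scan):
    # scan, results = scan_host("example.invalid")
```

Passing `hidden=true` keeps the scan off the public recent-scans list and `rescan=true` forces a fresh scan instead of a cached one, as the slide shows; the polling loop exists because the POST returns before the scan has run. The same `scan_host` function is what you would loop over a list of hosts for the "scan ALL the GSA sites in scope" step, subject to the permission disclaimer that follows.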
Slide 107
Slide 107 text
Now, let’s scan ALL the GSA
sites in scope …
Slide 108
Slide 108 text
No content
Slide 109
Slide 109 text
No content
Slide 110
Slide 110 text
⚠ Disclaimer: don’t be evil ⚠
Slide 111
Slide 111 text
You should only use security
scanning and testing tools with
permission
Slide 112
Slide 112 text
Questions
• Mozilla Observatory
• Website
• Command-line tool
• API
• 3rd-party scans
• What else?
Slide 113
Slide 113 text
Appendix
Slide 114
Slide 114 text
No content
Slide 115
Slide 115 text
No content
Slide 116
Slide 116 text
No content
Slide 117
Slide 117 text
No content
Slide 118
Slide 118 text
No content
Slide 119
Slide 119 text
No content
Slide 120
Slide 120 text
So, let’s go see where
itdashboard.gov
might be vulnerable?
Slide 121
Slide 121 text
No content
Slide 122
Slide 122 text
View source …
Slide 123
Slide 123 text
No content
Slide 124
Slide 124 text
src="http://
Phrase not found 🤔
Slide 125
Slide 125 text
No content
Slide 126
Slide 126 text
"or use protocol-relative URLs"
like
src="//
Slide 127
Slide 127 text
No content
Slide 128
Slide 128 text
So, if someone accessed this
page via insecure http:// , we
could hack the script
Slide 129
Slide 129 text
But, if someone accessed this
page via insecure http:// , we
could just hack the page
Slide 130
Slide 130 text
So when would this ever be a
real problem?
Slide 131
Slide 131 text
When would someone ever access
this page over
insecure http:// ? 🙋
Slide 132
Slide 132 text
What if someone types
“itdashboard.gov” without https?
Slide 133
Slide 133 text
What if another page links to
“itdashboard.gov” without https?
Slide 134
Slide 134 text
When would someone run this
page over
insecure http:// ?
Slide 135
Slide 135 text
When would someone run this
page at
http://127.0.0.1 ?