Slide 1

HTTP Security Headers
Ken Lee, [email protected]
Wednesday, November 20, 13

Slide 2

This Talk Was Brought To You By
Hosted by OWASP & the NYC Chapter
The Etsy Security Team

Slide 3

What's an Etsy?


Slide 5

Security Headers? Why Security Headers?

Slides 6-9

Security Headers
- Fundamentally, a user security issue
- Changes are browser-impacting
- Unfortunately, browsers != users
- Often requires non-trivial changes

Slides 10-11

Security Headers
- Strategies for deployment
- Lessons learned from our bug bounty

Slides 12-15

Overview
- HTTP Strict Transport Security (HSTS)
- Content Security Policy (CSP)
- X-Frame-Options (XFO)
- Miscellaneous

Slides 16-17

HSTS -- What is it?
- A guarantee to visit the URL using HTTPS
- You have to have seen the site before

Slides 18-20

What's the Attack?
- The classic man-in-the-middle attack
- Let's just turn on TLS/SSL for everything
- Make HTTPS canonical for your site

Slides 21-22

HTTP/HTTPS Traffic (diagrams; no text on these slides)

Slides 23-24

HSTS Background
- Infrastructure changes needed for SSL
- Bundle HSTS as part of an SSL preference for users

Slides 25-27

The Old Ways
- Split architecture
- Most pages HTTP, "secure" ones HTTPS
- Load balancers constrained rollout

Slides 28-30

On Load Balancers
- HTTP -> HTTPS logic handled by the LB
- Difficult and slow to change
- Broke HTTPS plugins

Slides 31-33

Refactoring
- HTTP -> HTTPS logic handled by the app
- Make it easy to add new secure pages
- Transparency for developers

Slides 34-36

How Do I HTTPS
- Ramp it up!
- Enabled HSTS if SSL preference "on"
- Bail-out mechanism:

Slides 37-38

The HSTS Header
- Enabled header when full-site SSL "on"
- Strict-Transport-Security: max-age=631138520; includeSubDomains

Slide 39

HSTS Part 2
- Strict-Transport-Security: max-age=631138520; includeSubDomains
- All subdomains that match the host get HSTS

Slides 40-42

HSTS Part 3
- Note the difference: HSTS on 'www.etsy.com' (screenshots)

Slide 43

HSTS Part 2
- Check out Chrome's HSTS settings: chrome://net-internals/#hsts

Slides 44-46

HSTS Rollout
- Implement HTTPS management on the app level
- Rolled out to admins -> sellers -> buyers
- Code-based "SSL wrangler" in the repo

Slides 47-49

SSL Wranglin'
- Controller to handle the SSL transition
- Skipped for users with the full-site SSL pref on
- On sign-out, set HSTS max-age=0

Slides 50-51

Wins
- Fixes on-domain mixed content
- Browser transparently 302 redirects
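The "SSL wrangler" and HSTS behaviour described on the preceding slides, as an added example (this is not Etsy's code; the Request model, the set of "secure" paths and the host name are constructed for illustration):

```python
# Added example (not Etsy's code): the per-user HSTS and HTTP->HTTPS transition
# logic the slides describe, written as framework-independent functions.
from dataclasses import dataclass

# max-age value from the slides (about 20 years), with includeSubDomains as shown
HSTS_MAX_AGE = 631138520


@dataclass
class Request:
    scheme: str           # "http" or "https"
    host: str
    path: str
    full_site_ssl: bool   # the user's "full-site SSL" preference (constructed model)
    signing_out: bool = False


def hsts_header(max_age: int, include_subdomains: bool = True) -> str:
    """Build the Strict-Transport-Security header value."""
    value = f"max-age={max_age}"
    if include_subdomains and max_age > 0:
        value += "; includeSubDomains"
    return value


def ssl_wrangler(req: Request, secure_paths: set) -> tuple:
    """Controller that handles the SSL transition. Returns (status, headers).

    Assumed behaviour, following the slides:
    * users with the full-site SSL preference on always end up on HTTPS and
      receive HSTS, so the per-path logic below is effectively skipped for them;
    * other users are redirected to HTTPS only for the "secure" pages;
    * on sign-out the HSTS pin is cleared with max-age=0.
    """
    headers = {}
    if req.scheme == "https":
        # HSTS is only honoured on HTTPS responses; browsers ignore it over plain HTTP.
        if req.signing_out:
            headers["Strict-Transport-Security"] = hsts_header(0)
        elif req.full_site_ssl:
            headers["Strict-Transport-Security"] = hsts_header(HSTS_MAX_AGE)
        return 200, headers

    # Plain HTTP request: decide whether this page must move to HTTPS.
    if req.full_site_ssl or req.path in secure_paths:
        headers["Location"] = f"https://{req.host}{req.path}"
        return 302, headers
    return 200, headers
```

Once the browser has seen the HSTS header, it rewrites later http:// navigations to https:// itself, so the 302 branch is only hit by users who have not yet received the header (or whose pin was cleared on sign-out).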

Slides 52-54

SSL Concerns
- Do your CDNs support it?
- What about 3rd-party content providers?
- Can your servers/LBs handle it?

Slides 55-57

Kill Mixed Content
- You still need to fix off-domain HTTP
- Browser mixed content warnings (screenshot)

Slides 58-60

Mobile
- HSTS supported on mobile browsers
- Notably absent from others (screenshot)

Slides 61-64

HSTS: Be Ready
- Not a crutch for fixing routing problems!
- There will be outliers
- SSL/TLS errors confuse users
- Have a process for managing HSTS

Slide 65

X-Frame-Options
- Problem: Clickjacking

Slide 66

X-Frame-Options
- Framing sucks, get rid of framing!

Slides 67-69

X-Frame-Options
- How do you prevent this type of attack?
- if (top!=self) top.location.href=self.location.href
- Not really a defense at all

Slides 70-73

How Do I Use XFO?
- Figure out when you're being framed
- Log the framing attempts
- Whitelist specific framing sites (search engines)
- Only allow whitelisted sites to frame
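One way to put those four steps into code, as an added example (not Etsy's implementation): the framing origin is taken from the Referer of the framed request and compared against a vetted whitelist, and a small aggregator summarises logged framing attempts so the whitelist can be built from real data. The whitelist entries, the log line format and the fallback of SAMEORIGIN for everyone else are assumptions made for this example.

```python
# Added example (not Etsy's code): choosing X-Frame-Options per request from a
# vetted framing whitelist, plus a summary of logged framing attempts that helps
# decide what belongs on that whitelist. Whitelist entries are constructed.
from collections import Counter
from urllib.parse import urlsplit

# Assumed whitelist of origins allowed to frame the site (slides: search engines).
FRAMING_WHITELIST = {"https://www.example-search.com"}


def origin_of(url: str):
    """Return scheme://host[:port] of a URL, or None if it is not an absolute URL."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def x_frame_options(referer, whitelist=FRAMING_WHITELIST) -> str:
    """Pick the X-Frame-Options value for one response.

    When a document is loaded into a frame, the request's Referer is the framing
    page, so its origin is what gets compared against the whitelist. ALLOW-FROM
    carries exactly one origin, which is why the value is computed per request.
    Anything not whitelisted falls back to SAMEORIGIN (assumption: the site may
    still frame itself).
    """
    origin = origin_of(referer or "")
    if origin is not None and origin in whitelist:
        return f"ALLOW-FROM {origin}"
    return "SAMEORIGIN"


def summarize_framing_log(lines) -> Counter:
    """Count framing attempts by framer origin.

    Input lines use a constructed format "<framed page>\t<top-level referrer>",
    as a client-side `top != self` beacon might record them. Malformed lines
    are skipped rather than counted.
    """
    counts = Counter()
    for line in lines:
        if "\t" not in line:
            continue
        _page, framer = line.rstrip("\n").split("\t", 1)
        counts[origin_of(framer) or "(unknown)"] += 1
    return counts
```

Two caveats worth keeping in mind when reading XFO's options, as the next slides advise: ALLOW-FROM was only ever honoured by some browsers (Chrome and Safari ignored it, so those users fall back to framing being allowed), and a Referer can be absent or stripped, which the code above treats as "not whitelisted". The CSP frame-ancestors directive is the successor that takes a full source list.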

Slides 74-76

Be Careful
- Thoroughly vet your whitelist
- Read about XFO's options
- Test thoroughly

Slides 77-78

Non-Whitelisted Sites (screenshots; no text on these slides)

Slides 79-80

Don't Forget...
- If you're taking away framing, warn your users
- Whitelisting will break everyone else

Slides 81-83

Let's Talk CSP
- Policies can grow fairly large
- Doesn't like inline JavaScript by default
- Where do I start?

Slides 84-86

CSP 1.0
- Most websites have inline JS
- Removing/refactoring some of it just isn't possible
- FF & Chrome use the unprefixed 'Content-Security-Policy' header

Slides 87-88

CSP 1.1
- Will have browser JavaScript API support
- Support for inline CSP in a tag

Slide 89

CSP 1.1
- CSP 1.1 will allow for script-nonce and script-hash
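What script-hash and script-nonce look like in practice, as an added example (not from the talk): the hash is the base64 of a digest over the exact inline script body, the nonce is a fresh random value per response, and both are written into the script-src directive. The directive set built by build_csp and the /csp-report path are assumptions for this example.

```python
# Added example (not from the talk): producing the CSP 1.1 script-hash and
# script-nonce source expressions for inline scripts, assembling a policy from
# them, and checking an inline script against that policy.
import base64
import hashlib
import secrets


def script_hash(source: str, algo: str = "sha256") -> str:
    """Hash of an inline script body, in CSP source-expression form.

    The digest covers exactly the bytes between <script> and </script>, so any
    whitespace change in the template changes the hash.
    """
    digest = hashlib.new(algo, source.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def new_nonce() -> str:
    """Fresh per-response nonce; must be unpredictable and never reused."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def build_csp(script_hosts, nonce=None, hashes=(), report_uri="/csp-report") -> str:
    """Assemble a Content-Security-Policy header value (constructed directive set)."""
    sources = ["'self'"] + list(script_hosts)
    if nonce:
        sources.append(f"'nonce-{nonce}'")
    sources.extend(hashes)
    directives = [
        "default-src 'self'",
        "script-src " + " ".join(sources),
        f"report-uri {report_uri}",
    ]
    return "; ".join(directives)


def inline_script_allowed(policy: str, source: str, nonce=None) -> bool:
    """Return True if the inline script passes script-src by nonce or by hash."""
    script_src = next((d for d in policy.split("; ") if d.startswith("script-src ")), "")
    tokens = script_src.split()[1:]
    if nonce and f"'nonce-{nonce}'" in tokens:
        return True
    return script_hash(source) in tokens
```

A hash suits inline scripts that are fixed in the template; a nonce suits scripts whose body varies per page, at the cost of having to thread the nonce from the response into every script tag the template emits.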

Slides 90-93

CSP Lessons
- CSP introduced the idea of a reporting mechanism
- Identify pages with inline scripts => smaller policy size
- Log, aggregate reports to find mixed content
- Some interesting results


Slides 95-98

How Do I Deploy CSP?
- Organize and assess your existing JavaScript
- Have specific template logic for handling JavaScript
- Give devs an 'opt-out' mechanism for inline JS
- Deploy to specific parts/subdomains of your site

Slide 99

CSP Compliance
- Actively monitor the # of inline scripts you have left
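The "log, aggregate reports" step from the CSP Lessons slides and the "monitor the number of inline scripts left" step here can share one piece of code. The following is an added example (not Etsy's tooling): it parses CSP violation reports in the CSP 1.0 report-uri JSON shape, separates inline-script violations from resources still loaded over http://, and counts both per page path and per host. The sample reports are constructed.

```python
# Added example (not Etsy's tooling): aggregating CSP violation reports to find
# pages that still carry inline scripts and resources still loaded over HTTP.
# The report records below are constructed samples in the CSP 1.0 report shape.
import json
from collections import Counter
from urllib.parse import urlsplit

SAMPLE_REPORTS = [
    json.dumps({"csp-report": {"document-uri": "https://www.example.com/listing/1",
                               "violated-directive": "script-src 'self'",
                               "blocked-uri": ""}}),
    json.dumps({"csp-report": {"document-uri": "https://www.example.com/listing/2?ref=x",
                               "violated-directive": "script-src 'self'",
                               "blocked-uri": "inline"}}),
    json.dumps({"csp-report": {"document-uri": "https://www.example.com/listing/1",
                               "violated-directive": "img-src https:",
                               "blocked-uri": "http://img.partner.example/banner.gif"}}),
    json.dumps({"csp-report": {"document-uri": "https://www.example.com/checkout",
                               "violated-directive": "script-src 'self'",
                               "blocked-uri": "http://cdn.partner.example/widget.js"}}),
    "not json at all",  # malformed input the endpoint must tolerate
]


def parse_report(line: str):
    """Return the csp-report object, or None for malformed input."""
    try:
        body = json.loads(line)
    except ValueError:
        return None
    report = body.get("csp-report") if isinstance(body, dict) else None
    return report if isinstance(report, dict) else None


def classify(report: dict) -> str:
    """'inline-script', 'mixed-content' or 'other' for one report.

    Blocked inline scripts arrive with an empty blocked-uri from early
    implementations and the literal 'inline' from later ones.
    """
    blocked = report.get("blocked-uri", "")
    directive = report.get("violated-directive", "")
    if directive.startswith("script-src") and blocked in ("", "inline"):
        return "inline-script"
    if blocked.startswith("http://"):
        return "mixed-content"
    return "other"


def aggregate(lines) -> dict:
    """Count inline-script violations per page path and http:// loads per host."""
    inline_pages, mixed_hosts = Counter(), Counter()
    for line in lines:
        report = parse_report(line)
        if report is None:
            continue
        kind = classify(report)
        if kind == "inline-script":
            # Group by path only: query strings would split one template into many rows.
            inline_pages[urlsplit(report.get("document-uri", "")).path] += 1
        elif kind == "mixed-content":
            mixed_hosts[urlsplit(report["blocked-uri"]).netloc] += 1
    return {
        "inline_script_pages": inline_pages,
        "mixed_content_hosts": mixed_hosts,
        "inline_scripts_remaining": sum(inline_pages.values()),
    }
```

The inline_scripts_remaining figure is the number to chart over time; it should only go down as templates are refactored, and a jump upwards after a deploy is the signal that someone added inline JS without using the opt-out mechanism.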

Slides 100-102

Some CSP Tools
- Some tools for CSP generation:
- http://cspisawesome.com/
- https://github.com/Kennysan/CSPTools

Slides 103-105

CSP Tools
- Browser proxy, automated browser, and CSP parser
- Lets you create/test a CSP for your prod environment
- https://github.com/Kennysan/CSPTools

Slides 106-108

X-XSS-Protection
- Originally IE's XSS blocking mechanism
- Looks for parameter arguments in the response
- Side effect: clients can break your JavaScript

Slides 109-112

X-XSS-Protection
- X-XSS-Protection: 1; mode=block
- Reflected XSS protection, but now...
- Chrome lets you specify a report URL
- Client-side protection; server-side reporting

Slides 113-116

XSS Logging
- X-XSS-Protection: 1; mode=block; report-uri=/log.php
- Allows Chrome reflected XSS logging, à la CSP
- Other browsers: implement a server-side XSS auditor
- Look for this functionality in CSP 1.1

Slides 117-121

X-Content-Type-Options
- X-Content-Type-Options: nosniff
- Older versions of IE will guess the response content-type
- Ignores the Content-Type specified!
- Example: a query parameter lets you specify .html
- IE will consider the content to be text/html!

Slides 122-126

Final Thoughts
- Treat header deployment like any other code
- Be agile with header development
- Can't deploy everywhere? Have a plan -- deploy in part
- Starting with security is easier than baking it in later
- Log early and often -- you learn a lot

Slide 127

Thanks for Listening!
@kennysan
[email protected]
github.com/kennysan