Slide 1

Slide 1 text

QUICK WINS FOR BETTER WEBSITE SECURITY
Dan Callahan
[email protected]
dancallahan.info
@callahad

Slide 2

Slide 2 text

THREE PARTS
Transmitting
Rendering
Storing

Slide 3

Slide 3 text

TRANSMITTING

Slide 4

Slide 4 text

USE SSL

Slide 5

Slide 5 text

Apple iOS / OS X TLS, 21 Feb 2014
gotofail.com
goto fail;
goto fail;

Slide 6

Slide 6 text

OpenSSL “Heartbleed,” 7 April 2014
heartbleed.com

Slide 7

Slide 7 text

SERIOUSLY, USE SSL

Slide 8

Slide 8 text

[Diagram, built up over slides 8–12: a browser requesting a site over http://... and over https://...]

Slide 13

Slide 13 text

[Diagram: the browser sends its cookies along with both the http://... and the https://... requests]

Slide 14

Slide 14 text

[Diagram, slides 14–15: an attacker between the browser and the site, with the cookies sent over http://... in view]

Slide 19

Slide 19 text

[Diagram: the browser, the http://... and https://... site, the attacker, and the cookies, as on slide 14]

Slide 20

Slide 20 text

USE SECURE COOKIES

Slide 21

Slide 21 text

Set-Cookie: xs=984ea98f98a6a19c

Slide 22

Slide 22 text

Set-Cookie: xs=984ea98f98a6a19c; secure

Slide 23

Slide 23 text

[Diagram: the cookie is still sent with both the http://... and https://... requests, with the attacker present]

Slide 24

Slide 24 text

[Diagram, slides 24–26: with the secure flag set, the cookie now travels only with the https://... request; the attacker remains on the http://... path]

Slide 28

Slide 28 text

https://www.bankofamerica.com
http://bankofamerica.com
http://www.bankofamerica.com

Slide 30

Slide 30 text

https://www.bank0famerica.com
bank0famerica.com?
http://bankofamerica.com
http://www.bankofamerica.com

Slide 31

Slide 31 text

[Diagram, slides 31–32: the browser, the http://... and https://... site, and the attacker, with the cookie shown on slide 31 only]

Slide 34

Slide 34 text

USE STRICT TRANSPORT SECURITY

Slide 38

Slide 38 text

Strict-Transport-Security: max-age=2592000

Slide 39

Slide 39 text

[Diagram, slides 39–40: the browser, the http://... and https://... site, the attacker, and the cookie, revisited with Strict Transport Security in place]

Slide 41

Slide 41 text

TRANSMIT / RENDER / STORE
Transmit:
  SSL
  Secure Cookies
  Strict Transport Security

Slide 42

Slide 42 text

RENDERING

Slide 43

Slide 43 text

Set-Cookie: xs=984ea98f98a6a19c; secure

Slide 44

Slide 44 text

Set-Cookie: xs=984ea98f98a6a19c; secure
alert(document.cookie);

Slide 45

Slide 45 text

Set-Cookie: xs=984ea98f98a6a19c; secure
alert(document.cookie);
“xs=984ea98f98a6a19c”

Slide 46

Slide 46 text

USE HTTPONLY COOKIES

Slide 47

Slide 47 text

Set-Cookie: xs=984ea98f98a6a19c; secure
alert(document.cookie);
“xs=984ea98f98a6a19c”

Slide 48

Slide 48 text

Set-Cookie: xs=984ea98f98a6a19c; secure; HttpOnly
alert(document.cookie);
“xs=984ea98f98a6a19c”

Slide 49

Slide 49 text

Set-Cookie: xs=984ea98f98a6a19c; secure; HttpOnly
alert(document.cookie);
“”

Slide 50

Slide 50 text

USE A CONTENT SECURITY POLICY

Slide 51

Slide 51 text

Content-Security-Policy: default-src 'self'; img-src 'self' data:; script-src 'self' https://api.example.com

Slide 52

Slide 52 text

Content-Security-Policy: default-src 'self'; img-src 'self' data:; script-src 'self' https://api.example.com

Content-Security-Policy-Report-Only: default-src 'self'; img-src 'self' data:; script-src 'self' https://api.example.com

Slide 53

Slide 53 text

TRANSMIT / RENDER / STORE
Transmit:
  SSL
  Secure Cookies
  Strict Transport Security
Render:
  HttpOnly Cookies
  Content Security Policy

Slide 55

Slide 55 text

SET FRAME OPTIONS

Slide 56

Slide 56 text

X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
X-Frame-Options: ALLOW-FROM uri

Slide 57

Slide 57 text

USE XSS PROTECTION

Slide 58

Slide 58 text

X-XSS-Protection: 1; mode=block

Slide 59

Slide 59 text

DISABLE MIME-TYPE SNIFFING

Slide 60

Slide 60 text

X-Content-Type-Options: nosniff

Slide 61

Slide 61 text

TRANSMIT / RENDER / STORE
Transmit:
  SSL
  Secure Cookies
  Strict Transport Security
Render:
  HttpOnly Cookies
  Content Security Policy
  Frame Options
  XSS Protection
  MIME-Type Sniffing
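As an added example (not from the slides), a small Python audit that applies the deck's transmit and render checks to a list of response headers: the Secure and HttpOnly cookie flags, a positive HSTS max-age, a CSP (or Report-Only policy) with well-formed directive names, X-Frame-Options, X-XSS-Protection and nosniff. The two header sets are constructed from the values the slides show; the weak one keeps a stray colon in a CSP directive name so the syntax check has something to flag.

```python
import re

def parse_set_cookie(value):
    """Split 'name=value; attr; attr=val' into (name, {attr_lowercase: value})."""
    parts = [p.strip() for p in value.split(";")]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        if key.strip():
            attrs[key.strip().lower()] = val.strip() or True
    return parts[0].split("=", 1)[0].strip(), attrs

def csp_problems(policy):
    """CSP directive names are bare words; a name like 'script-src:' is ignored by browsers."""
    names = [d.split()[0] for d in policy.split(";") if d.strip()]
    return [f"malformed CSP directive {n!r}" for n in names if not re.fullmatch(r"[a-z-]+", n)]

def audit(headers):
    """Return findings for a list of (name, value) response headers."""
    findings, lower = [], [(n.lower(), v) for n, v in headers]
    present = dict(lower)  # single-valued headers; Set-Cookie is handled per line below
    for name, value in lower:
        if name == "set-cookie":
            cookie, attrs = parse_set_cookie(value)
            findings += [f"cookie {cookie!r} lacks {f}" for f in ("secure", "httponly") if f not in attrs]
    age = re.search(r"max-age=(\d+)", present.get("strict-transport-security", ""))
    if not age or int(age.group(1)) == 0:
        findings.append("no Strict-Transport-Security with a positive max-age")
    csp = present.get("content-security-policy")
    if csp is None and "content-security-policy-report-only" not in present:
        findings.append("no Content-Security-Policy (not even Report-Only)")
    elif csp is not None:
        findings += csp_problems(csp)
    xfo = present.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN") and not xfo.startswith("ALLOW-FROM "):
        findings.append("missing or invalid X-Frame-Options")
    for header, want in (("x-xss-protection", "1;mode=block"), ("x-content-type-options", "nosniff")):
        if present.get(header, "").replace(" ", "").lower() != want:
            findings.append(f"missing {header}: {want}")
    return findings

# Constructed samples built from the deck's own values: one before and one after the quick wins.
WEAK = [("Set-Cookie", "xs=984ea98f98a6a19c"),
        ("Content-Security-Policy", "default-src 'self'; script-src: 'self'")]
HARDENED = [("Set-Cookie", "xs=984ea98f98a6a19c; secure; HttpOnly"),
            ("Strict-Transport-Security", "max-age=2592000"),
            ("Content-Security-Policy", "default-src 'self'; img-src 'self' data:; "
             "script-src 'self' https://api.example.com"),
            ("X-Frame-Options", "SAMEORIGIN"), ("X-XSS-Protection", "1; mode=block"),
            ("X-Content-Type-Options", "nosniff")]
```

`audit(WEAK)` reports seven findings, including the malformed `script-src:` directive; `audit(HARDENED)` reports none.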

Slide 62

Slide 62 text

STORING

Slide 63

Slide 63 text

ISOLATE USER CONTENT

Slide 64

Slide 64 text

Not your main domain
Not a subdomain
github.io
googleusercontent.com

Slide 65

Slide 65 text

DON’T USE PASSWORDS

Slide 67

Slide 67 text

SUMMARY

Slide 68

Slide 68 text

TRANSMIT / RENDER / STORE
Transmit:
  SSL
  Secure Cookies
  Strict Transport Security
Render:
  HttpOnly Cookies
  Content Security Policy
  Frame Options
  XSS Protection
  MIME-Type Sniffing
Store:
  User Content Domain
  Don’t Store Passwords

Slide 69

Slide 69 text

FURTHER READING

Slide 70

Slide 70 text

OWASP (owasp.org)
Qualys SSL Labs (ssllabs.com)

Slide 71

Slide 71 text

QUESTIONS?
Dan Callahan
[email protected]
dancallahan.info
@callahad