Headers HTTP et sécurité, blindez votre appli web

Sécurité & HTTP

View Slide

Sécurité & HTTP
Romain Neutron
https://github.com/romainneutron

View Slide

Sécurité & HTTP

View Slide

View Slide

Sécurité & HTTP

View Slide

$ curl -I https://github.com
 
HTTP/1.1 200 OK 
Server: GitHub.com 
Date: Mon, 04 Apr 2016 20:10:13 GMT 
Content-Type: text/html; charset=utf-8 
Status: 200 OK 
Cache-Control: no-cache 
Vary: X-PJAX 
X-UA-Compatible: IE=Edge,chrome=1 
Set-Cookie: logged_in=no; domain=.github.com; path=/; expires=Fri, 04 Apr 2036 20:10:13
Set-Cookie: _gh_sess=eyJzZXNzaW9uX2lkIjoiYzE1ZjE3NjA4Yjg1MWM3MTk4MjY0ZjdiMzY5ZDJhNzciLC
X-Request-Id: 048b988349db27c05f13900c2b8c8dd5 
X-Runtime: 0.011717 
Content-Security-Policy: default-src 'none'; base-uri 'self'; block-all-mixed-content;
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload 
Public-Key-Pins: max-age=1209600; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB
X-Content-Type-Options: nosniff 
X-Frame-Options: deny 
X-XSS-Protection: 1; mode=block 
Vary: Accept-Encoding 
X-Served-By: 7cc969f65c7ec8d9db2fa57dcc51d323 
X-GitHub-Request-Id: 55A8461C:0E34:67919BE:5702CA25
Sécurité & HTTP

View Slide

$ curl -I https://www.google.fr 
HTTP/1.1 200 OK 
Date: Mon, 04 Apr 2016 20:09:15 GMT 
Expires: -1 
Cache-Control: private, max-age=0 
Content-Type: text/html; charset=ISO-8859-1 
P3P: CP="This is not a P3P policy! See https://www.google.com/support/accounts/answer/1
Server: gws 
X-XSS-Protection: 1; mode=block 
X-Frame-Options: SAMEORIGIN 
Set-Cookie: NID=78=qz0a3gQjdiDNPGOR3AAVCO72jOeyaj_EoA8nXeDud6dEqZty2mEdqd9j4gkSNYoqLNM9
iHcHNp7pwr9RQTo0A5id943sj; expires=Tue, 04-Oct 
Alternate-Protocol: 443:quic 
Alt-Svc: quic=":443"; ma=2592000; v="32,31,30,29,28,27,26,25" 
Transfer-Encoding: chunked 
Accept-Ranges: none 
Vary: Accept-Encoding
Sécurité & HTTP

View Slide

$ curl -I https://www.dropbox.com 
HTTP/1.1 200 OK 
Server: nginx 
Date: Mon, 04 Apr 2016 20:10:37 GMT 
Content-Type: text/html; charset=utf-8 
Connection: keep-alive 
x-xss-protection: 1; mode=block 
content-security-policy: img-src https://* data: blob: ; connect-src https://* ws://127
cf.dropb 
x-content-type-options: nosniff 
set-cookie: locale=en; Domain=dropbox.com; expires=Sat, 03 Apr 2021 20:10:37 GMT; Path=
set-cookie: gvc=MTYxMzM2OTE1MjU0MzgyMTA2NDI1MzIxMzUyNzc3MDg1ODIzOTA4; expires=Sat, 03 A
set-cookie: __Host-js_csrf=VQ1woPFdbo194pKVi50HJuTa; expires=Thu, 04 Apr 2019 20:10:37
set-cookie: t=VQ1woPFdbo194pKVi50HJuTa; Domain=dropbox.com; expires=Thu, 04 Apr 2019 20
set-cookie: puc=; expires=Mon, 04 Apr 2016 20:10:37 GMT; httponly; Path=/; secure 
x-dropbox-request-id: 7772ee5113bda6243af26076c8e25206 
pragma: no-cache 
cache-control: no-cache 
x-dropbox-http-protocol: None 
x-frame-options: SAMEORIGIN 
X-Server-Response-Time: 190 
Strict-Transport-Security: max-age=15552000; includeSubDomains
Sécurité & HTTP

View Slide

Sécurité & HTTP

View Slide

https://www.owasp.org/index.php/List_of_useful_HTTP_headers
• X-XSS-Protection
• X-Content-Type-Options
• X-Frame-Options
• Strict-Transport-Security
• Content-Security-Policy
• CSP in Real World
• End of the world
OWASP useful HTTP headers

View Slide

X-Xss-Protection
• Prevents XSS reﬂected attacks
• Supported by IE8+ and Chrome
• Enabled / disabled
• mode-block to completely turn off rendering
X-XSS-Protection: 1; mode=block
http://blogs.msdn.com/b/ieinternals/archive/2011/01/31/controlling-the-internet-explorer-xss-ﬁlter-with-the-x-xss-protection-http-header.aspx
#BOUTIN

View Slide

• X-Frame-Options

View Slide

X-Content-Type-Options
• Supported by IE and Chrome
• "nosniff" only supported value
X-Content-Type-Options: nosniff
https://blogs.msdn.microsoft.com/ie/2008/09/02/ie8-security-part-vi-beta-2-update/ 
https://en.wikipedia.org/wiki/Content_snifﬁng

View Slide

• X-Frame-Options

View Slide

X-Frame-Options
• Supported by Chrome, IE 9, Safari
and Firefox
• Prevents clickjacking
X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
X-Frame-Options: ALLOW-FROM https://example.com/

View Slide

X-Frame-Options

View Slide

Sécurité & HTTP
server { 
listen 80; 
 
server_name domain.com; 
add_header x-xss-protection "1; mode=block";
add_header x-frame-options "DENY";
add_header x-content-type-options "nosniff";
} 

View Slide

View Slide

• X-Frame-Options

View Slide

Strict-Transport-Security
• RFC-7697
• Supported by Chrome, IE 11, Safari and Firefox
• Enforce use of HTTPS on your website / Turns any insecure link to secure link
• Protects from Protocol Downgrade
• Blocks access if no trusted certiﬁcate is provided
• Only valid after ﬁrst connection, but can be preloaded
Strict-Transport-Security: max-age=expireTime [; includeSubdomains] [; preload]
https://tools.ietf.org/html/rfc6797

View Slide


View Slide

Register on https://hstspreload.appspot.com/ for
preload  
Strict-Transport-Security: max-age=expireTime [; includeSubdomains] [; preload]

View Slide

server { 
listen 80; 
 
rewrite ^/(.*) https://$host/$1 permanent; 
} 
server { 
listen 443; 
ssl on; 
 
add_header Strict-Transport-Security “max-age=31536000;";
# ... 
}

View Slide

View Slide

• X-Frame-Options

View Slide

Content-Security-Policy
• Supported by Chrome, IE 9, Safari and Firefox
• Prevents XSS
• Declare directives about what can be executed on your website
Content-Security-Policy: default ‘self’; script-src ‘self’ https://mycdn.com; style-src
‘self’ https://mycdn.com
https://www.w3.org/TR/2012/CR-CSP-20121115/

View Slide

All these directives accept a source list
• default-src - fallback for any non-declared directive
• script-src -
• style-src - / @import CSS rule
• object-src - / /
• img-src - sources
• media-src - / / / sources
• frame-src - / sources
• font-src - @font-face CSS rule
• connect-src - XHR open / WebSocket or EventSource constructor
Content-Security-Policy Level 1 - Directives

View Slide

Source list structure:
source1 source2 … sourceN;
Special sources:
• 'self' : the same origin as the current page (all directives)
• 'unsafe-inline' : inline script (script-src and style-src directives)
• 'unsafe-eval' : eval / new Function() are disabled / setTimeout and
setInterval with non-callable do not work (script-src directive)
default-src: 'self'; script-src 'self' https://cdn.domain.com 'unsafe-eval';

View Slide

Content-Security-Policy:  
default-src 'self';  
script-src 'self' https://cdn.domain.com;  
style-src 'self' https://cdn.domain.com;

View Slide

'unsafe-eval'
Warning: jQuery uses eval when inserting DOM node: # does not work  document  .getElementsByTagName('body')[0]  .innerHTML = '<script>console.log("Hello roro")' 
 
# works 
jQuery('body').html('console.log("Hello roro")')

View Slide

'unsafe-inline'
What about my inline scripts? 
 
  window.api_key = '{{ api_key }}';   
 
  body {  background-color: red;  }   

View Slide

script-src 'self' https://cdn.domain.com;  
style-src 'self' https://cdn.domain.com;
script-src 'self' 'unsafe-eval' 'unsafe-inline' https://cdn.domain.com;  
style-src 'self' 'unsafe-inline' https://cdn.domain.com;

View Slide

https://www.w3.org/TR/CSP2/
W3C Recommendation 2014-2015
• New directives
• Hashes and nonces for inline scripting
Content-Security-Policy Level 2

View Slide

All these directives accept a source list  
 
• base-uri - available document base-urls, no fallback on default-src
• child-src - workers and frames. Deprecates frame-src
• form-action - actions URLs, no fallback on default-src
• frame-ancestors - Is the document embeddable in , , ,
or - related to X-Frame-Options - 'none' is the 'DENY'
• plugin-type - mime-types list. , or should match the with
their type attribute

View Slide

Introduces nonces (random value per request) for inline scripting:
# HTML 
  window.config.apiKey = 'api-key';   
  body { background-color: red; }  
# HTTP header 
script-src 'self' 'nonce-c89143d4b599538c81058b80a6f975a6'; 
style-src 'self' 'nonce-5c5260e3c82f1724a903612c0fc11a0f';
Con: an attacker that can gain access to the nonce can execute whatever script.
Content-Security-Policy Level 2 - Nonce

View Slide

Introduces hashes (sha256, sha384 and sha512) for inline scripting:
# HTML 
  window.config.apiKey = 'api-key';  
# HTTP header 
script-src 'self' 'sha256-
voRt1IK8+FVdRFaTgn8K6ET46mYOZvT7kYG6Wo3eJNU='
# PHP 
$hash = base64_encode(openssl_digest($scriptContent, 'sha256', true))
Content-Security-Policy Level 2 - Hashes

View Slide

Introduces hashes (sha256, sha384 and sha512) for inline scripting:
# HTML 
  body { background-color: red; }  
# HTTP header 
script-src 'self' 'sha256-xWFKpNfjw6Di/Op4dyVBe876d12Yggw8WSB6ojNM/
bM='
# PHP 
base64_encode(openssl_digest($scriptContent, 'sha256', true))
Content-Security-Policy Level 2 - Hashes

View Slide

Content-Security-Policy Level 2 - Support
https://www.w3.org/TR/CSP2/ 
http://caniuse.com/#search=csp

View Slide

In CSP level 2 'unsafe-inline' is not interpreted if the a nonce or a hash is
contained in the same source list
Content-Security-Policy: script-src 'unsafe-inline' 'nonce-
c89143d4b599538c81058b80a6f975a6'
Is interpreted in CSP level 1 context as:
Content-Security-Policy: script-src 'unsafe-inline'
Is interpreted in CSP level 2 context as:
Content-Security-Policy: script-src 'nonce-c89143d4b599538c81058b80a6f975a6'
Content-Security-Policy Level 2 - Support

View Slide

So you can use CSP level 2 
with hashes and nonces 
as long as you still include  
the 'unsafe-inline' directive
Chrome, Safari, IE 11, Safari and Firefox
Content-Security-Policy Level 2

View Slide

View Slide

• X-Frame-Options

View Slide

Content-Security-Policy 
might be difﬁcult to implement 
in a legacy project :(
Content-Security-Policy - Project Setup

View Slide

PHP: composer require nelmio/security-bundle 
Ruby: Twitter Secure Headers
csp:
enforce: 
default-src: 
- 'self' 
- 'https://%assets_domain%' 
script-src: 
- 'self' 
- 'unsafe-inline' 
style-src: 
- 'self' 
- 'https://%assets_domain%'
report-uri: [ '/csp/report' ] 
https://github.com/nelmio/NelmioSecurityBundle

View Slide

{% cspscript %} 
  window.api_key = '{{ api_key }}';   
{% endcspscript %} 
 
{% cspstyle %} 
  body {  background-color: red;  }   
{% endcspstyle %}

View Slide

csp:
enforce: 
default-src: 
- 'self' 
script-src: 
- 'self' 
style-src: 
- 'self' 
- 'https://%assets_domain%'
report-uri: [ '/csp/report' ] 

View Slide

Content-Security-Policy-Report-Only
• Disable apply directives rules, just collect directives
violations
• Can be used alongside Content-Security-Policy header 
to test a new version
Content-Security-Policy-Report-Only:  
default-src 'self'; report-uri /csp-report-endpoint/

View Slide

Content-Security-Policy report-uri
• Reports Content Security Policy violations
default-src 'self'; report-uri /csp-report-endpoint/

View Slide

{ 
'blocked-uri': 'https://m74.dnsqa2016.com', 
'column-number': 290, 
'document-uri': 'https://blackfire.io/', 
'effective-directive': 'script-src', 
'line-number': 45, 
'original-policy': 'default-src \'self\' https://d2vqbs7xgyce6n.clou
'referrer': 'https://www.google.pl/', 
'source-file': 'https://www.google-analytics.com', 
'status-code': 0, 
'violated-directive': 'script-src \'self\' \'unsafe-inline\' https:/
}
Content-Security-Policy report-uri

View Slide

AngularJS Compatibility
• Angular detects CSP usage, but it triggers a CSP security
exception.
• Force angular to behaves in CSP with ng-csp directive (provided
natively within angular.js)
 
 


View Slide

Is my website secured with Content-Security-Policy?
Sécurité & HTTP

View Slide

• Browser extensions have incredible access, you can not do anything
about it
Sécurité & HTTP

View Slide

about it
• You still use trackers (GA) => disable them on sensitive pages
Sécurité & HTTP

View Slide

about it
• Your CDN can be compromised
Sécurité & HTTP

View Slide

Sécurité & HTTP
about it
• Your CDN can be compromised

View Slide

Remember the Great Cannon?
Sécurité & HTTP

View Slide

http://www.securityweek.com/great-cannon-attack-tool-used-china-censorship-enforcement
Remember the Great Cannon?
Sécurité & HTTP

View Slide

• X-Frame-Options

View Slide

View Slide

https://www.w3.org/TR/SRI/
http://githubengineering.com/subresource-integrity/
• W3C recommendation from late 2015
• For and <link> tags • Support sha256, sha-384 and sha512 message digests • Adds a hash to a resource to check integrity • Server should use CORS as deﬁned by spec (to mitigate brute force attack) <script   crossorigin=“anonymous”   src="/assets/application.js"   integrity="sha256-TvVUHzSfftWg1rcfL6TIJ0XKEGrgLyEq6lEpcmrG9qs="  >
Sécurité & HTTP: Subresource Integrity

View Slide

http://caniuse.com/#feat=subresource-integrity
Sécurité & HTTP: Subresource Integrity

View Slide

• X-Frame-Options
• End of the world Subresource Integrity

View Slide

• X-Frame-Options
• End of the world Subresource Integrity
• Public Key Pinning
https://www.owasp.org/index.php/List_of_useful_HTTP_headers 
https://blog.qualys.com/ssllabs/2016/09/06/is-http-public-key-pinning-dead

View Slide

View Slide

Resources
• https://blogs.dropbox.com/tech/2015/09/on-csp-reporting-and-filtering/
• https://blogs.dropbox.com/tech/2015/09/unsafe-inline-and-nonce-deployment/
• https://blogs.dropbox.com/tech/2015/09/csp-the-unexpected-eval/
• https://blogs.dropbox.com/tech/2015/09/csp-third-party-integrations-and-privilege-separation/
• http://githubengineering.com/subresource-integrity/
• https://blog.cloudflare.com/an-introduction-to-javascript-based-ddos/
• http://www.securityweek.com/great-cannon-attack-tool-used-china-censorship-enforcement
• https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf
• https://github.com/nelmio/NelmioSecurityBundle
• https://www.owasp.org/index.php/List_of_useful_HTTP_headers
• https://www.w3.org/TR/SRI/
• https://www.w3.org/TR/CSP2/
• https://www.w3.org/TR/2012/CR-CSP-20121115/
• https://tools.ietf.org/html/rfc6797
• http://caniuse.com/#feat=subresource-integrity
• http://caniuse.com/#search=csp
• https://blogs.msdn.microsoft.com/ie/2008/09/02/ie8-security-part-vi-beta-2-update/
• https://en.wikipedia.org/wiki/Content_sniffing
• https://blogs.msdn.com/b/ieinternals/archive/2011/01/31/controlling-the-internet-explorer-xss-filter-with-the-x-
xss-protection-http-header.aspx
• https://blog.qualys.com/ssllabs/2016/09/06/is-http-public-key-pinning-dead

View Slide

Headers HTTP et sécurité, blindez votre appli web

Headers HTTP et sécurité, blindez votre appli web

Romain Neutron

More Decks by Romain Neutron

Other Decks in Programming

Featured

Transcript