Your SlideShare is downloading. ×
0
HTML5 Security & Headers - X-Crawling-Response-Header -  by Tomoyuki Shigemori
HTML5 Security & Headers - X-Crawling-Response-Header -  by Tomoyuki Shigemori
HTML5 Security & Headers - X-Crawling-Response-Header -  by Tomoyuki Shigemori
HTML5 Security & Headers - X-Crawling-Response-Header -  by Tomoyuki Shigemori
HTML5 Security & Headers - X-Crawling-Response-Header -  by Tomoyuki Shigemori
HTML5 Security & Headers - X-Crawling-Response-Header -  by Tomoyuki Shigemori
HTML5 Security & Headers - X-Crawling-Response-Header -  by Tomoyuki Shigemori
HTML5 Security & Headers - X-Crawling-Response-Header -  by Tomoyuki Shigemori
HTML5 Security & Headers - X-Crawling-Response-Header -  by Tomoyuki Shigemori
HTML5 Security & Headers - X-Crawling-Response-Header -  by Tomoyuki Shigemori
HTML5 Security & Headers - X-Crawling-Response-Header -  by Tomoyuki Shigemori
HTML5 Security & Headers - X-Crawling-Response-Header -  by Tomoyuki Shigemori
HTML5 Security & Headers - X-Crawling-Response-Header -  by Tomoyuki Shigemori
HTML5 Security & Headers - X-Crawling-Response-Header -  by Tomoyuki Shigemori
HTML5 Security & Headers - X-Crawling-Response-Header -  by Tomoyuki Shigemori
HTML5 Security & Headers - X-Crawling-Response-Header -  by Tomoyuki Shigemori
HTML5 Security & Headers - X-Crawling-Response-Header -  by Tomoyuki Shigemori
HTML5 Security & Headers - X-Crawling-Response-Header -  by Tomoyuki Shigemori
HTML5 Security & Headers - X-Crawling-Response-Header -  by Tomoyuki Shigemori
HTML5 Security & Headers - X-Crawling-Response-Header -  by Tomoyuki Shigemori
HTML5 Security & Headers - X-Crawling-Response-Header -  by Tomoyuki Shigemori
HTML5 Security & Headers - X-Crawling-Response-Header -  by Tomoyuki Shigemori
HTML5 Security & Headers - X-Crawling-Response-Header -  by Tomoyuki Shigemori
HTML5 Security & Headers - X-Crawling-Response-Header -  by Tomoyuki Shigemori
HTML5 Security & Headers - X-Crawling-Response-Header -  by Tomoyuki Shigemori
HTML5 Security & Headers - X-Crawling-Response-Header -  by Tomoyuki Shigemori
HTML5 Security & Headers - X-Crawling-Response-Header -  by Tomoyuki Shigemori
HTML5 Security & Headers - X-Crawling-Response-Header -  by Tomoyuki Shigemori
HTML5 Security & Headers - X-Crawling-Response-Header -  by Tomoyuki Shigemori
HTML5 Security & Headers - X-Crawling-Response-Header -  by Tomoyuki Shigemori
HTML5 Security & Headers - X-Crawling-Response-Header -  by Tomoyuki Shigemori
HTML5 Security & Headers - X-Crawling-Response-Header -  by Tomoyuki Shigemori
HTML5 Security & Headers - X-Crawling-Response-Header -  by Tomoyuki Shigemori
HTML5 Security & Headers - X-Crawling-Response-Header -  by Tomoyuki Shigemori
HTML5 Security & Headers - X-Crawling-Response-Header -  by Tomoyuki Shigemori
HTML5 Security & Headers - X-Crawling-Response-Header -  by Tomoyuki Shigemori
HTML5 Security & Headers - X-Crawling-Response-Header -  by Tomoyuki Shigemori
HTML5 Security & Headers - X-Crawling-Response-Header -  by Tomoyuki Shigemori
HTML5 Security & Headers - X-Crawling-Response-Header -  by Tomoyuki Shigemori
HTML5 Security & Headers - X-Crawling-Response-Header -  by Tomoyuki Shigemori
HTML5 Security & Headers - X-Crawling-Response-Header -  by Tomoyuki Shigemori
HTML5 Security & Headers - X-Crawling-Response-Header -  by Tomoyuki Shigemori
HTML5 Security & Headers - X-Crawling-Response-Header -  by Tomoyuki Shigemori
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

HTML5 Security & Headers - X-Crawling-Response-Header -  by Tomoyuki Shigemori

902

Published on

HTML 5 enables data storage within the website visitor’s browser , bidirectional communication between the client and server, the gathering of location information all of which allow for a highly …

HTML 5 enables data storage within the website visitor’s browser , bidirectional communication between the client and server, the gathering of location information all of which allow for a highly usable website however all of these new technologies can also be leveraged by malicious actors and the impact that this will affect the visitors to the site are not being fully discussed or researched and there is a significant danger that the technology will be widely adapted without sufficient security precautions.
At JPCERT/CC we have issued a report titled “Security issues and findings regarding web applications using HTML 5.” In this report we outline items that should be considered in the development of web application using HTML5 and security issues that arise when transitioning web applications to HTML 5. The goal of the report is to disclose all our findings in an organised fashion and enable web security researchers and web application developers to have a basic foundational document.
In this presentation I will present based on the report and through demos, security issues to consider when developing web applications using HTML 5. Also I will present our findings regarding the current state of security of HTML 5 usage based on the data of 95000 website’s response headers.

Tomoyuki Shigemori

Tomoyuki Shigemori is an Information Security Analyst of Watch and Warning Group at JPCERT/CC (Japan Computer Emergency Response Team Coordination Center).
His expertise lies in information gathering and providing early warnings on cyber threats to relevant organizations including governmental entities and infrastructures.
He has delivered presentations in many conferences such as Open Source Conference 2013, Enterprise and Parallels Summit 2013 Japan. He has also contributed as a coauthor in publishing “How to protect your business from cyber attacks (NTT Publishing)” and some other books.

Published in: Technology
0 Comments
4 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
902
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
32
Comments
0
Likes
4
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. HTML5 Security & Headers - X-Crawling-Response-Header- JPCERT Coordination Center Watch and Warning Group, Information Security Analyst Tomoyuki Shigemori
  • 2. Copyright©2014 JPCERT/CC All rights reserved. Overview of JPCERT/CC Japan Computer Emergency Response Team Coordination Center • Founded in 1996 • An independent, non-profit organization • National CSIRT (Computer Security Incident Response Team) • Coordination center  JPCERT/CC, as a national CSIRT, monitors computer security incidents at a national level, identifies and handles incidents that could affect the economy and critical infrastructures, and warns critical stakeholders and the nation about computer security threats.  JPCERT/CC, as a coordination center, provides technical support in response to computer security incidents through coordination with other local and overseas CSIRTs. 1
  • 3. Copyright©2014 JPCERT/CC All rights reserved. Overview of JPCERT/CC - 3 pillars and 4 foundations -Prevent -Vulnerability Information Handling Monitor -Information gathering / analysis / sharing -Internet Traffic Monitoring Respond - Incident Handling Early Warning Information Information sharing with critical infrastructure enterprises, etc. CSIRT Establishment Support Capacity building for internal CSIRTs in enterprises / overseas national CSIRTs Artifact Analysis Analysis on attack methods / behavior of malware (unauthorized program) International Collaboration Collaboration with overseas organizations for smoother handling of incidents and vulnerabilities  Coordinate with developers on unknown vulnerability information  Secure Coding  Mitigating the damage through efficient incident handling  Information sharing to prevent similar incidents  Alerts / Advisories 2
  • 4. Copyright©2014 JPCERT/CC All rights reserved. What is HTML5? HTML5 is the next HTML standard. HTML5 enables us to build more flexible and highly convenient websites. It allows us to store data within the visitor’s browser, enables full-duplex communication between the visitor’s browser and web servers, obtain location information of the visitor, etc. It is becoming widely utilized in Asia-Pacific region including Japan. Major browsers are compatible with HTML5 (Some functions are not enabled). 3 Cross-domain Communication Full-duplex Communication Browser- Embedded MultimediaUI Enhancements Acceleration Online Application
  • 5. Copyright©2014 JPCERT/CC All rights reserved. What is HTML5? 4 While HTML5 enhances browser capabilities, it also brings new security concerns which were not an issue in previous versions of HTML. The possible impacts are not fully verified or widely known, which may affect users by attackers leveraging the security flaws of these new architectures. DoS Information Leakage XSSCSRF Open Redirect HTML5 is the next HTML standard. HTML5 enables us to build more flexible and highly convenient websites. It allows us to store data within the visitor’s browser, enables full-duplex communication between the visitor’s browser and web servers, obtain location information of the visitor, etc. It is becoming widely utilized in Asia-Pacific region including Japan. Major browsers are compatible with HTML5 (Some functions are not enabled).
  • 6. Copyright©2014 JPCERT/CC All rights reserved. Research Report on Security Issues of HTML5 Japanese version was published on October 2013 and English version will be coming up soon. https://www.jpcert.or.jp/research/html5.html (Japanese ver.) 5
  • 7. Copyright©2014 JPCERT/CC All rights reserved. Research Report Terms of Use The report is expected to be utilized as… Technical paper, basic information for guidelines Material for study meetings Reference for seminars For citing or reproducing the original document, please refer to the following: JPCERT/CC Terms of use https://www.jpcert.or.jp/guide.html (Japanese only) Sample) Source: JPCERT Coordination Center “Technical research report on security issue of web applications utilizing HTML5” https://www.jpcert.or.jp/research/HTML5-20131030.pdf 6
  • 8. Copyright©2014 JPCERT/CC All rights reserved.7 JavaScript API XMLHttpRequest
  • 9. Copyright©2014 JPCERT/CC All rights reserved. XMLHttpRequest(XHR) Summary 8 XMLHttpRequest (XHR) : —an API to communicate with HTTP using JavaScript —enables interactive web contents by asynchronous communication —widely used due to increased usage of AJAX —this function could only communicate with same origin in versions earlier than HTML5 Java Script ' Access-Control-Allow-Origin' : authorized origin or ‘*’ (wildcard) example.jp other.example.jp ' Origin' : loaded by the original source In order to allow Cookie, “Access-Control-Allow-Credentials” needs to be configured ※Origin : combination of host name, protocol and port number
  • 10. Copyright©2014 JPCERT/CC All rights reserved. Current Status of HTML5 9
  • 11. Copyright©2014 JPCERT/CC All rights reserved. Previous Survey Results Survey against 2,359 sites was conducted on November 2012 How about Cross-Origin Resource Sharing (CORS) headers with values other than ' Access-Control-Allow-Origin’? 10 Source:http://www.veracode.com/blog/2012/11/security-headers-report/ 0.25% of websites supports CORS
  • 12. Copyright©2014 JPCERT/CC All rights reserved. Fact-Finding on Websites utilizing HTML5 Following points were checked: —CORS headers (*1) —Headers with security features (*2) Approach to fact-finding —Crawl top page of websites on Alexa Top 1,000,000 (*3) —Check the HTTP header of the curl command response —If the website redirects to other points, final redirection point will be surveyed —Origin request header will be added to the sending request —Survey was conducted from 2013/12/26 to 2013/12/30 11 (*1) Response header which starts with ’Access-Control-’on headers used by CORS (*2) Specific headers with security features introduced in the research report (*3) http://www.alexa.com/topsites
  • 13. Copyright©2014 JPCERT/CC All rights reserved. CORS Headers Access-Control-Allow-Origin —Specifies the Origin that is allowed to access to resource Access-Control-Allow-Credentials —Configured ‘true’ for permission on accessing to response towards requests with authentication information such as Cookie Access-Control-Expose-Headers —Specifies the header which the browser can use Access-Control-Allow-Methods (preflight) —Specifies the method which allows transmission Access-Control-Allow-Headers (preflight) —Specifies the header which allows transmission Access-Control-Max-Age (preflight) —Specifies the time to cache a preflight response 12
  • 14. Copyright©2014 JPCERT/CC All rights reserved. Headers with Security Features X-XSS-Protection —Protects from XSS attack X-Frame-Options —Manages contents in accordance with the configuration in Content-Type header X-Frame-Options —Restricts embedding into a frame such as iframe Content-Security-Policy —Restricts the sources of contents to be loaded Content-Disposition —Controls download dialog of a file Strict-Transport-Security —Enforces the use of secure HTTPS connections 13
  • 15. Copyright©2014 JPCERT/CC All rights reserved. Key Findings 14
  • 16. Copyright©2014 JPCERT/CC All rights reserved. Current status on CORS 15 Number of websites which responded was 949,217 sites. Number of CORS enabled websites(*) was 7,218 sites. Only 0.76% of the websites had CORS enabled. 0 1000 2000 3000 4000 5000 6000 7000 8000 CORS Headers (Access-Control-xxx) 941999 7218 CORS enabled websites 非対応 対応 (*) Websites which returned headers related to CORS Not enabled Enabled
  • 17. Copyright©2014 JPCERT/CC All rights reserved. Access-Control-Allow-Origin 5.4% of the websites were configured improperly. If improperly configured, the value will be invalid and “Access-Control-Allow-Origin” will not work properly. 16 6650 377 ‘Access-Control-Allow- Origin’ Configuration 正しい設定 誤った設定 4741 1909 Value Configured(with proper configuration) * オリジン Proper Configuration Improper Configuration Origin
  • 18. Copyright©2014 JPCERT/CC All rights reserved. Access-Control-Allow-Origin Proper Configuration — scheme://host[:port][ scheme://host[:port]]* (※1) — null — * Improper configuration sample(either of the settings will be invalid) — No scheme: example.com — Multiple configuration with comma breaking: http://example1.com,http://example2.com — Wildcard usage: http://*.example.com — ‘/’ inserted at the end of origin :http://example.com/ — Multiple header: http://example1.com http://example2.com Attention!! Without the knowledge of proper configuration on how to add headers, it may weaken the authorization and create vulnerabilities. ※1:Some browsers forbid origin configuration with space breaking 17
  • 19. Copyright©2014 JPCERT/CC All rights reserved. Access-Control-Allow-Origin Websites with proper ‘Access-Control-Allow-Origin’ were configured as follows: —Approximately 71% configured to ‘*’ ⇒allows CORS from any website —Approximately 29% configured ‘origin’ ⇒CORS is only allowed from the website specified by the origin header 18 6650 377 ‘Access-Control-Allow- Origin’ Configuration 正しい設定 誤った設定 4741 1909 Value Configured(with proper configuration) * オリジン Proper Configuration Improper Configuration Origin
  • 20. Copyright©2014 JPCERT/CC All rights reserved. Access-Control-Allow-Credentials Websites enabling Access-Control-Allow-Credentials were 22% out of all of the CORS websites. Value set to ‘true’ is only valid. Value other than that operates as it is not set to ‘true’. Furthermore, there were several websites which value is set to ‘false’. 19 5622 1525 71 Access-Control-Allow-Credentials 設定なし TRUE FALSE No Configuration
  • 21. Copyright©2014 JPCERT/CC All rights reserved. Access-Control-Allow-Credentials In case ‘true’ is specified on Access-Control-Allow- Credentials, the value ‘*’ cannot be used for Access-Control- Allow-Origin. However,163 sites were configured to ‘*’. Please check beforehand whether it operates as it is intended!! 20 4573 163 4 Access-Control-Allow- Credentials 設定なし TRUE FALSE 599 1250 2 Access-Control-Allow- Credentials 設定なし TRUE FALSE Websites with value ‘*’ configured to Access-Control-Allow-Origin Websites with proper origin to ‘Access-Control-Allow-Origin’ No Configuration No Configuration
  • 22. Copyright©2014 JPCERT/CC All rights reserved. Access-Control-Allow-Credentials Within the 68% of the websites for which the origin was set in Access-Control-Allow-Origin, ‘true’ was configured in Access-Control-Allow-Credentials. 21 4573 163 4 Access-Control-Allow- Credentials 設定なし TRUE FALSE 599 1250 2 Access-Control-Allow- Credentials 設定なし TRUE FALSE Websites with value ‘*’ configured to Access-Control-Allow-Origin Websites with proper origin to Access-Control-Allow-Origin No Configuration No Configuration
  • 23. Copyright©2014 JPCERT/CC All rights reserved. Access-Control-Allow-Origin If the response header returned is as shown above, JavaScript loaded from http://example.com will operate as same as the client browser. ⇒ When arbitrary JavaScript can be executed from a website specified in Access-Control-Allow-Origin, it may become very dangerous. Then, is it safe if this vulnerability does not exist? 22 Sample of sending response header:for ‘true’ Access-Control-Allow-Origin: http://example.com Access-Control-Allow-Credentials: true 599 1250 2 Access-Control-Allow- Credentials 設定なし TRUE FALSE Websites with value ‘*’ configured in Access-Control-Allow-Origin No Configuration
  • 24. Copyright©2014 JPCERT/CC All rights reserved. Mashup Example 23 Mr. X’s image Mashup origin site Mashup site B Mashup site A Use favorite image as background. Provide favorite image related products. Origin: site A Origin: site B In order to allow Cookie added CORS to each site, generate value in Access- Control-Allow-Origin dynamically. A-C-Allow-Origin:siteB A-C-Allow-Credentials:true A-C-Allow-Origin: siteA A-C-Allow-Credentials:true Cookie
  • 25. Copyright©2014 JPCERT/CC All rights reserved. How can attacker leverage this? 24 Mr. X’s photo Mashup origin site evil web site (evil.examle.com) Origin: http://evil.example.com send outside Information Leakage Mr. X A-C-Allow-Origin: http://evil.example.com A-C-Allow-Credentials:true Cookie
  • 26. Copyright©2014 JPCERT/CC All rights reserved. Cross Origin Request utilizing XHR2 Sample Advisory 25 IPA Lectures on secure coding Web Application course https://www.ipa.go.jp/security/awareness/vendor/programmingv2/contents/704.html
  • 27. Copyright©2014 JPCERT/CC All rights reserved. Access-Control-Allow-Origin 194 sites inherited the value from the original origin header and configured in Access-Control-Allow-Origin header and sent it back!! Data may be intercepted if the user authenticated web page is configured as aforementioned. Furthermore, it may bypass CSRF token protection. 26 194 1056 Actual value of Allow-Origin http://example.com Other origin Actual request sent by the survey: GET / HTTP/1.1 HOST: <target> Origin: http://example.com
  • 28. Copyright©2014 JPCERT/CC All rights reserved. Password Change by CSRF 27 token=2a8bc84e token=2a8bc84e GET /passwd HTTP/1.1 Origin: http://evil.com POST /passwd HTTP/1.1 newpwd=infected& Issue a token Cookie Cookie Verify the token Java Script Access-Control-Allow-Origin: http://evil.com Access-Control-Allow-Credentials: true Origin: http://evil.com Obtain token by JavaScript XHR Password Changed
  • 29. Copyright©2014 JPCERT/CC All rights reserved. token=2a8bc84e GET /passwd HTTP/1.1 Origin: http://evil.com Verify & Restriction Cookie Java Script XHR Issue a token Access-Control-Allow-Origin: http://evil.com Access-Control-Allow-Credentials: true JavaScript cannot access to token Restriction on permitted page — Access-Control-Allow-Origin and Access-Control-Allow-Credentials should not be added to a web page which is not intended to be open to the public. (i.e. Configuration Change Page, Password Change Page) Verify origin header — In case of allowing particular web sites, verify the value of the Origin and then only add Access-Control-Allow-Origin and Access-Control-Allow- Credentials as necessary. Proper Configuration 28
  • 30. Copyright©2014 JPCERT/CC All rights reserved.29 Restriction on permitted page — Access-Control-Allow-Origin and Access-Control-Allow-Credentials should not be added to a web page which is not intended to be open to the public. (i.e. Configuration Change Page, Password Change Page) Configuration examples Verify the origin header In case of allowing particular web sites, verify the value of the Origin and then only add Access-Control-Allow-Origin and Access-Control-Allow- Credentials as necessary. <FilesMatch “¥.(jpeg|gif|png|img)$”> SetEnvIf Origin “^https?://.*$” ORIGIN=$0 Header set Access-Control-Allow-Origin %{ORIGIN}e env=ORIGIN </FilesMatch> Ex: Allow usage of the resource only by an image file SetEnvIf Origin “^https?://.*¥.example¥.com$” ORIGIN=$0 Header set Access-Control-Allow-Origin %{ORIGIN}e env=ORIGIN Ex: Only allow requests from sub domains of example.com to use the resource ※ Based on the application specification, consideration on proper configuration and sufficient testing is required upon applying this configuration.
  • 31. Copyright©2014 JPCERT/CC All rights reserved. Headers with Security Features 30
  • 32. Copyright©2014 JPCERT/CC All rights reserved. X-XSS-Protection Most sites with X-XSS-Protection enabled were configured to ‘1’;mode=block (Enable protection filter, blank page was displayed upon detection) 514 websites configured to ‘0’ (disabled) Attention!! Disabling the XSS Protection should be restricted to specific web pages such as a page having false-positive issues. 31 100 44169 514 1 1; mode=block 0 44783 904434 設定あり 設定なし Configured Not configured
  • 33. Copyright©2014 JPCERT/CC All rights reserved. Strict-Transport-Security 20,720 sites out of all sites were redirected to HTTPS. 1,754 sites configured HSTS. Over half of the sites configured max-age to 1 year. Attention!! If max-age is configured to ‘0’ , this website will be deleted from HSTS list of the browser. 32 1754 18966 HSTS configured HSTS not configured 969 187 119 93 49 337 max-age value 31536000 2592000 15768000 0 16070400 Other
  • 34. Copyright©2014 JPCERT/CC All rights reserved.33 Conclusion
  • 35. Copyright©2014 JPCERT/CC All rights reserved. Conclusion While HTML5 enhances browser capabilities, there are multiple architectural issues which we should be aware of upon use. Please refer to “Technical research report on security issue of web applications utilizing HTML5” for developing secure web applications. Any inquiries are welcome. Please contact to 34 JPCERT Coordination Center Email:ww-info@jpcert.or.jp Tel:+81-3-3518-4600 Web: https://www.jpcert.or.jp/
  • 36. Copyright©2014 JPCERT/CC All rights reserved.35 Appendix
  • 37. Copyright©2014 JPCERT/CC All rights reserved. Custom HTTP header X-Recruiting: We’re looking for talented people, join us: <URL>(We have cookies!) X-Recruiting: Like HTTP headers? Come write ours: <URL> x-poetry: Choose Life. Choose a job. Choose a career. X-<CompanyName>-jobs: you’re reading this … come work at xxx! Were-currently-looking-for-devs-like-you: Tweet @xxx for job details. 36
  • 38. Copyright©2014 JPCERT/CC All rights reserved. X-Want-A-Job-With-Us response header 37
  • 39. Copyright©2014 JPCERT/CC All rights reserved. discem file type 38 output to a file Compressed file…. :-c
  • 40. Copyright©2014 JPCERT/CC All rights reserved. extraction by bzip2 39 extraction confirm file type ASCII! Readable!!
  • 41. Copyright©2014 JPCERT/CC All rights reserved. finish? 40 rotate …
  • 42. Copyright©2014 JPCERT/CC All rights reserved. perl 41
  • 43. Copyright©2014 JPCERT/CC All rights reserved.42 Thank you for your attention

×