Will new HTTP headers save us?
Presentation from OWASP Sweden's seminar evening on 31/1 2011 about HTTP security. This presentation covers three fairly new security features that take the form of HTTP headers, namely HTTP Strict Transport Security, X-Frame-Options and Content Security Policy.


Transcript

  • 1. Will new HTTP headers save us? John Wilander, Omegapoint & OWASP
  • 2. 1. HTTP Strict Transport Security (PayPal)
    2. X-Frame-Options (Microsoft)
    3. Content Security Policy (Mozilla)
    4. X-Do-Not-Track (FTC initiative, Stanford proposal)
  • 3. HTTP Strict Transport Security
    http://tools.ietf.org/html/draft-hodges-strict-transport-sec-02
  • 4. Moxie's SSL Strip: terminates SSL; talks normal https to the server; rewrites https to http; acts as the client.
  • 5. Require SSL without warnings for the next X seconds, and optionally do the same for all my subdomains too.
  • 6. Strict-Transport-Security: max-age=86400
    Strict-Transport-Security: max-age=86400; includeSubdomains
  • 7. X-Frame-Options
    http://blogs.msdn.com/b/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx
  • 8. No page may load me in a frame, or only my own domain may load me in a frame.
  • 9. X-Frame-Options: DENY
    X-Frame-Options: SAMEORIGIN
  • 10. Content Security Policy
    https://developer.mozilla.org/en/Introducing_Content_Security_Policy
  • 11. XSS is not getting any rarer:
    <img src="javascript:alert(XSS);">
    <body onload!#$%&()*~+-_.,:;?@[/|]^`=alert("XSS")>
    <body background="javascript:alert(XSS)">
    <video poster=javascript:alert(1)//
    <form id=test onforminput=alert(1)><input></form><button form=test onformchange=alert(2)>X
  • 12. D. Crockford considers !XSS more important than HTML5
    http://blip.tv/play/g_MngeaxVgI%2Em4v
  • 13. Allow scripts only from whitelisted domains, and allow scripts only from files, i.e. no inline scripts.
  • 14. self = same URL, protocol and port; none = no approved domains.
    X-Content-Security-Policy: allow self trustedscripts.foo.com
    Accept scripts from my URL+port and from trustedscripts.foo.com.
    X-Content-Security-Policy: allow self; img-src self
    Accept scripts and images from my URL+port.
    https://developer.mozilla.org/en/Security/CSP/CSP_policy_directives
  • 15. Can it be hacked?
  • 16-17. Response Splitting
    <% response.sendRedirect("/by_lang.jsp?lang=" + request.getParameter("lang")); %>
  • 18. HTTP/1.1 302 Moved Temporarily
    Date: Wed, 24 Dec 2010 12:53:28 GMT
    Location: http://10.1.1.1/by_lang.jsp?lang=English
    Set-Cookie: JSESSIONID=1pMRZOiOQzZiE6Y6iivsREg82pq9Bo1ape7h4YoHZ62RXj
    Strict-Transport-Security: max-age=10000
    X-Content-Security-Policy: allow 'self'
    X-Frame-Options: DENY
    <html> ... </html>
  • 19. HTTP/1.1 302 Moved Temporarily
    Date: Wed, 24 Dec 2010 12:53:28 GMT
    Location: http://10.1.1.1/by_lang.jsp?lang=English[CRLF]Content-Length=0[CRLF]
    HTTP/1.1 200 OK
    Set-Cookie: JSESSIONID=sessionFixation
    X-Content-Security-Policy: allow attacker.com
    Strict-Transport-Security: max-age=1
    <html> ... </html>
    Set-Cookie: JSESSIONID=1pMRZOiOQzZiE6Y6iivsREg82pq9Bo1ape7h4YoHZ62RXj
    <html> ... </html>
  • 20. Meta Headers
  • 21. <META HTTP-EQUIV="X-Content-Security-Policy" CONTENT="allow attacker.com">
  • 22. From the current specs:
    • For security reasons, you can't use the <meta> element to configure the X-Content-Security-Policy header.
    • The X-Frame-Options directive is ignored if specified in a META tag.
    • UAs MUST NOT heed http-equiv="Strict-Transport-Security" attribute settings on <meta> elements in received content.
  • 23. So, will new HTTP headers save us?
  • 24. There are challenges!
  • 25. Challenges
    1. Scope
    2. A beta standard good enough to ship
    3. Convincing and helping developers to deploy
  • 26. Different mechanisms for different problems?
    1. HTTP Strict Transport Security (PayPal)
    2. X-Frame-Options (Microsoft)
    3. Content Security Policy (Mozilla)
  • 27. Different mechanisms for different problems?
    1. Site Security Policy (Mozilla+Google+Microsoft+PayPal+Facebook)
  • 28. What is it we whitelist?
    X-Content-Security-Policy: allow self foo.com
    Whitelisted domains.
    <!-- Begin XSS zone 9cb3c2fd7ef861d762471c90de0496 --><!-- End XSS zone 9cb3c2fd7ef861d762471c90de0496 -->
    Whitelisted script zones via comment elements and keys (http://www.thespanner.co.uk/2010/09/24/xss-zones).
    <meta name="script-nonce" content="142342fd7e"><script nonce=142342fd7e>...</script>
    Whitelisted elements, segments of code (http://www.gerv.net/security/script-keys and http://lists.w3.org/Archives/Public/public-web-security/2011Jan/0004.html).
    <script type="text/javascript" src="/acs.js">/*signature here*/</script>
    Whitelisted code via signed hashes (http://secinn.appspot.com/pstzine/read?issue=4&articleid=8).
  • 29-32. Header and/or Meta?
    HTTP/1.1 200 OK
    X-Site-Security-Policy: ...
    <html> <head> <META HTTP-EQUIV="X-Site-Security-Policy" CONTENT="..."> </head> <body> </body> </html>
    The header is more global, but who controls the app's headers? The meta tag is more "per page", with a risk of injection. Both? Hierarchical policies? First one wins?
  • 33. Or maybe like CSS?
    <link href="http://owasp.org/policy.csp" rel="policy" type="text/policy" />
    script { src: url(https://chart.googleapis.com); inline: false; }
    #emailContent { javascript: false; forms: false; img: true; }
  • 34. How do we extend it?
    • img-src: images
    • media-src: <video>, <audio>
    • object-src: plugin content
    • frame-src: domains that may be loaded in an <iframe>
    • font-src: fonts
    • xhr-src: domains one may make Ajax requests to
    • style-src: stylesheets
  • 35. How do we extend it?
    • allow[img] = ..., allow[embed] = ...
  • 36. Reality: "We were able to get Bugzilla working with CSP and preventing XSS attacks (i.e. inline scripts disabled), but it was not trivial and the performance is not great."
  • 37. http://www.owasp.org/index.php/Category:Summit_2011_Browser_Security_Track ... and public-web-security@w3.org
  • 38. 7 March: HTML5 security, http://marioheiderich.eventbrite.com
  • 39. john.wilander@owasp.org, Twitter: @johnwilander, Blog: http://appsandsecurity.blogspot.com
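To make the response-splitting point of slides 16-19 concrete, here is an added example (not from the slides): a Python stand-in for the JSP redirect beside a hardened version that refuses CR/LF, plus a naive response parser that shows which of the three security headers each resulting message carries. The 10.1.1.1 host and the header values are taken from the slides; the payload string is constructed for the test.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import quote

# The three headers the deck discusses, lower-cased for lookup.
SECURITY_HEADERS = ("strict-transport-security", "x-content-security-policy", "x-frame-options")

# Constructed test input with the same shape as the [CRLF] payload on slide 19.
SPLIT_PAYLOAD = ("English\r\nContent-Length: 0\r\n\r\n"
                 "HTTP/1.1 200 OK\r\n"
                 "X-Content-Security-Policy: allow attacker.com\r\n"
                 "Strict-Transport-Security: max-age=1\r\n\r\n")


def build_redirect_vulnerable(lang: str) -> str:
    """Like the slide's sendRedirect: the parameter is copied into Location unchecked."""
    return ("HTTP/1.1 302 Moved Temporarily\r\n"
            f"Location: http://10.1.1.1/by_lang.jsp?lang={lang}\r\n"
            "Strict-Transport-Security: max-age=10000\r\n"
            "X-Content-Security-Policy: allow 'self'\r\n"
            "X-Frame-Options: DENY\r\n"
            "Content-Length: 0\r\n\r\n")


def build_redirect_hardened(lang: str) -> str:
    """Refuse CR/LF outright and percent-encode the rest, so the value can never
    terminate the Location line (many frameworks now do the first step for you)."""
    if "\r" in lang or "\n" in lang:
        raise ValueError("CR or LF in header value")
    return build_redirect_vulnerable(quote(lang, safe=""))


def split_responses(raw: str) -> List[Dict[str, Optional[str]]]:
    """Parse like a naive HTTP client: each 'HTTP/1.x NNN' line starts a new message.
    Returns, per message, the status line and the three security headers found in
    its header block (None when absent); anything after the blank line is body."""
    messages = []
    for part in re.split(r"(?=HTTP/1\.[01] \d{3} )", raw):
        if not part:
            continue
        head = part.split("\r\n\r\n", 1)[0]
        lines = head.split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        messages.append({"status": lines[0], **{h: headers.get(h) for h in SECURITY_HEADERS}})
    return messages
```

With the split payload the genuine HSTS, CSP and X-Frame-Options headers end up in the body of the injected second message, exactly as slide 19 shows, while the hardened builder rejects the input before any header is written.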