HTTP Security Headers
every Java developer must know
Ayoma Wijethunga,
WSO2, Platform Security Team.

Demonstration-based session on the HTTP headers relevant to the security of web applications. The target audience is web developers, with particular attention to Java.


1. HTTP Security Headers every Java developer must know
   Ayoma Wijethunga, WSO2, Platform Security Team.
2. Ayoma Wijethunga
   o Software Engineer at WSO2, Platform Security Team.
   o Get in touch
     o Email : ayoma@wso2.com
     o LinkedIn : https://lk.linkedin.com/in/ayoma
     o Blog : http://ayomaonline.com
     o Twitter / Facebook / Github / Hangout : ayomawdb
3. “To better defend yourself, think like a hacker”
4. Contents
   o Headers
     o X-XSS-Protection
     o X-Frame-Options
     o X-Content-Type-Options
     o Content-Security-Policy
     o Strict-Transport-Security
     o Public-Key-Pins
     o Access-Control-Allow-*
     o Set-Cookie (security flags)
   o Security Threats
     o Cross Site Scripting (XSS)
     o Clickjacking
     o Session Hijacking
     o Sensitive Information Leakage
     o Man in the Middle Attacks
     o SSL Spoofing
   o Future Developments
5. Storyline
6. Storyline
   Alice - responsible for monitoring and managing a data center [Operations]
   Bob - black hat hacker
   Image credit : http://www.kameleon.pics
7. Storyline - Attack Map
   Attack 1
     o Cross Site Scripting (XSS)
     o Session Hijacking
     o Set-Cookie HttpOnly flag
     o X-XSS-Protection
   Attack 2
     o Clickjacking
     o X-Frame-Options
   Attack 3
     o Sensitive Information Leakage
     o Access-Control-Allow-*
   Attack 4
     o Man in the Middle Attacks
     o Session Hijacking
     o Set-Cookie Secure flag
     o Strict-Transport-Security
   Attack 5
     o SSL Spoofing
     o Session Hijacking
     o Man in the Middle Attacks
     o Public-Key-Pins
8. Lab Setup (Demonstration)
9. Attack 1 (Demonstration)
   Bob gets the URL of Alice's datacenter monitoring and management control panel:
   http://javacolombo.duckdns.org/server-admin
   o Cross Site Scripting (XSS)
   o Session Hijacking
   o Set-Cookie HttpOnly flag
   o X-XSS-Protection
10. Attack Demonstration: Session Hijacking
11. Set-Cookie HttpOnly flag
    o Mitigates the risk of client-side scripts reading protected cookies (document.cookie no longer returns them).
    o Set-Cookie: <name>=<value>[; Max-Age=<age>][; expires=<date>][; domain=<domain_name>][; path=<some_path>][; secure][; HttpOnly]
    o Tomcat 7+ sets the HttpOnly flag on the session cookie (JSESSIONID) by default.
    o In Tomcat 6, set useHttpOnly="true" on the Context element of context.xml to enable it.
    o With Java EE 6+ (Servlet 3.0), cookie-config can be defined in web.xml:
      <session-config>
        <cookie-config>
          <http-only>true</http-only>
        </cookie-config>
      </session-config>
    o For an individual cookie: Cookie cookie = getMyCookie("gxsesmgt"); cookie.setHttpOnly(true);
    o Caveat: HttpOnly stops the cookie from being exfiltrated by script; an XSS payload can still make authenticated requests from inside Alice's browser, so it narrows Attack 1 rather than closing it.
    o More details : https://www.owasp.org/index.php/HttpOnly
12. Solution Demonstration: Set-Cookie HttpOnly flag
13. Attack Demonstration: Cross Site Scripting (XSS)
14. X-XSS-Protection
    o Requests browsers to enable / disable their built-in reflected-XSS filter.
    o Chrome / IE8+ - filter enabled by default.
    o Firefox - never implemented the header; it has no reflected-XSS filter.
    o Available directives
      o 0 - Disabled
      o 1 - Enabled; render the page after sanitising the reflected script
      o 1; mode=block - Enabled; block rendering of the whole page when XSS is detected
      o 1; report=http://example.com/report - (Chrome / WebKit only) report detections to the given URL
    o Use a Filter and response.addHeader("X-XSS-Protection", "1; mode=block");
    o Use Tomcat's built-in security filter : HttpHeaderSecurityFilter
      o https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#HTTP_Header_Security_Filter
    o Caveat: the filter is best-effort and bypassable (see slide 16), and Chrome 78 removed it entirely (Chromium-based Edge never had it); treat Content-Security-Policy as the real defence and this header as a legacy extra.
15. Solution Demonstration: X-XSS-Protection
16. Beyond HTTP Headers
    o Use cookies only if there is no other server-side option.
    o Do not give sensitive names to cookies.
    o Do not depend on browser-level protection (filters can be bypassed : <svg><script>/<1/>alert(document.domain)</script></svg>)
    o Validate user input.
    o Use proper output encoding [ https://github.com/OWASP/owasp-java-encoder ].
    o Pay attention to CSRF protection.
    o Renew the session ID upon login & logout (session fixation).
17. Attack 2 (Demonstration)
    Alice gets a link from Bob, in disguise, to a malicious web application.
    o Clickjacking
    o X-Frame-Options
18. Attack Demonstration: Clickjacking
19. X-Frame-Options
    o Indicates whether or not a browser should be allowed to render a page in a <frame> or <iframe>.
    o Available directives
      o DENY - prevents any domain from framing the content.
      o SAMEORIGIN - only allows the current site to frame the content.
      o ALLOW-FROM uri - permits the specified 'uri' to frame this page. [Fails open in browsers that do not support it: Chrome and Safari never implemented ALLOW-FROM, so use the CSP frame-ancestors directive (slide 44) when a specific framer must be allowed.]
    o Use a Filter and response.addHeader("X-Frame-Options", "...");
    o Use Tomcat's built-in security filter : HttpHeaderSecurityFilter
      o https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#HTTP_Header_Security_Filter
    o More details : https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
20. Solution Demonstration: X-Frame-Options
21. Beyond HTTP Headers
    o HTTP GET (incl. links) should only be used for idempotent actions.
    o Request secondary user confirmation for critical actions.
    o Use frame-busting scripts for older browsers.
    o Example (the page stays hidden unless it confirms it is the top-level window, so a framed copy shows nothing clickable):
      <style>html { display:none }</style>
      <script>
        if (self == top) {
          document.documentElement.style.display = 'block';
        } else {
          top.location = self.location;
        }
      </script>
    o https://www.owasp.org/images/0/0e/OWASP_AppSec_Research_2010_Busting_Frame_Busting_by_Rydstedt.pdf
22. Attack 3 (Demonstration)
    Alice gets a link from Bob, in disguise, to a malicious web application.
    o Sensitive Information Leakage
    o Access-Control-Allow-*
23. Access-Control-Allow-*
    o Browsers enforce the same-origin policy by default; the server relaxes it with these response headers (CORS).
    o Access-Control-Allow-Origin: *
      o Allow any external domain to read the resource (never do this in production unless there is a good reason). Cannot be combined with credentials.
    o Access-Control-Allow-Origin: http://example.com
      o Allow only example.com to read the resource. If the value is derived from the request's Origin header it must be checked against an exact allowlist; reflecting whatever Origin arrives is the sensitive-information-leakage bug of Attack 3.
    o Access-Control-Allow-Methods: GET, HEAD, POST
      o Allow only GET, HEAD and POST cross-origin (the response to the browser's preflight Access-Control-Request-Method header).
    o Access-Control-Allow-Headers: X-PINGOTHER
      o Whitelist request headers the browser may send cross-origin (the response to Access-Control-Request-Headers). Response headers that script may read are listed separately in Access-Control-Expose-Headers.
    o Access-Control-Max-Age: <delta-seconds>
      o Number of seconds the preflight result can be cached.
    o Access-Control-Allow-Credentials: true
      o Permit the browser to include cookies / HTTP auth on the cross-origin request (never set in production unless there is a good reason, and never together with Allow-Origin: *). The only valid value is true; omit the header otherwise.
    o https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
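An added example (my code, not from the slides) of a servlet filter that applies the headers above correctly: an exact-match origin allowlist, credentials only for allowlisted origins, and a preflight response that answers the browser's Access-Control-Request-Method / -Headers with the corresponding Allow-* headers. The origins, the method list and the X-PINGOTHER header name are assumptions for illustration; register the filter in web.xml the same way slide 47 registers the Tomcat filter.

```java
import java.io.IOException;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example: CORS with an exact-match origin allowlist.
 * The origins, methods and header names below are assumed for illustration.
 */
public class CorsAllowlistFilter implements Filter {

    // Full scheme://host[:port] strings. No wildcards, no endsWith/contains checks:
    // "https://app.example.com.attacker.net" must not match.
    private static final Set<String> ALLOWED_ORIGINS = Set.of(
            "https://app.example.com",
            "https://admin.example.com");

    /** Exposed for unit tests; the literal "null" origin (sandboxed/file pages) is never allowed. */
    static boolean isAllowedOrigin(String origin) {
        return origin != null && ALLOWED_ORIGINS.contains(origin);
    }

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String origin = request.getHeader("Origin");

        // Vary on Origin so a shared cache never replays one origin's CORS headers to another.
        response.addHeader("Vary", "Origin");

        if (!isAllowedOrigin(origin)) {
            // Unknown or missing Origin: send no Access-Control-Allow-* headers at all and
            // let the browser enforce the same-origin policy. The Attack 3 bug is the
            // opposite: response.setHeader("Access-Control-Allow-Origin", origin) for any
            // origin plus Allow-Credentials: true, which lets any site read Alice's data.
            chain.doFilter(req, res);
            return;
        }

        response.setHeader("Access-Control-Allow-Origin", origin);
        response.setHeader("Access-Control-Allow-Credentials", "true");

        if ("OPTIONS".equals(request.getMethod())
                && request.getHeader("Access-Control-Request-Method") != null) {
            // Preflight: the browser asked with Access-Control-Request-Method/-Headers;
            // answer with the matching Allow-* headers and do not run the application.
            response.setHeader("Access-Control-Allow-Methods", "GET, HEAD, POST");
            response.setHeader("Access-Control-Allow-Headers", "Content-Type, X-PINGOTHER");
            response.setHeader("Access-Control-Max-Age", "600");
            response.setStatus(HttpServletResponse.SC_NO_CONTENT);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

Set.of needs Java 9 or later; on Java 8 build the allowlist with Collections.unmodifiableSet. The important property is that isAllowedOrigin is a whole-string comparison: prefix, suffix or regex matches on the Origin are the usual way an allowlist turns back into the reflect-anything bug.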
24. Attack & Solution Demonstration: Sensitive Information Leakage
25. Attack 4 (Demonstration)
    Bob gains access to Alice's network and performs a Man in the Middle attack.
    o Man in the Middle Attacks
    o Session Hijacking
    o Set-Cookie Secure flag
    o Strict-Transport-Security
26. Man in the Middle Setup
    Image credit : https://tails.boum.org/doc/about/warning/index.en.html
    o Passive
      o Network Hub (L1), Network Taps, Routers with Monitor Port (DD-WRT)
    o Active
      o DNS Spoofing (spoofing Domain Name to IP mapping)
      o ARP Spoofing (spoofing IP to MAC mapping)
    o Techniques : https://www.blackhat.com/presentations/bh-europe-03/bh-europe-03-valleri.pdf
27. DNS Spoofing (diagram): the legitimate DNS answer maps javacolombo.duckdns.org to 192.168.56.1; the spoofed DNS answer maps it to 10.10.10.3, Bob's machine.
28. ARP Spoofing (diagram): DNS resolves javacolombo.duckdns.org to 192.168.56.1, and ARP maps that IP to the MAC address 54:ee:75:74:85:21; the spoofed ARP answer substitutes the attacker's MAC for it.
29. Man in the Middle - VirtualBox Setup
    Malicious local DNS entry added to Alice's PC :
      o echo 10.10.10.3 javacolombo.duckdns.org | sudo tee -a /etc/hosts
    Bob's iptables rules used to reroute traffic :
      o iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.56.1
      o iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 192.168.56.1
      o iptables -t nat -A POSTROUTING -j MASQUERADE
30. Attack Demonstration: VirtualBox Man in the Middle Setup - Man in the Middle Attacks, Session Hijacking
31. Suggest a Solution
32. Is enabling HTTPS enough? Attack Demonstration with HTTPS enabled: Man in the Middle Attacks, Session Hijacking
33. Set-Cookie Secure flag
    o Mitigates the risk of sending protected cookies over plain HTTP: the browser only attaches a Secure cookie to HTTPS requests.
    o Set-Cookie: <name>=<value>[; Max-Age=<age>][; expires=<date>][; domain=<domain_name>][; path=<some_path>][; secure][; HttpOnly]
    o Tomcat 6+ sets Secure on the session cookie (JSESSIONID) by default if and only if the request that created the session used HTTPS.
    o With Java EE 6+ (Servlet 3.0), cookie-config can be defined in web.xml:
      <session-config>
        <cookie-config>
          <secure>true</secure>
        </cookie-config>
      </session-config>
    o For an individual cookie: Cookie cookie = getMyCookie("gxsesmgt"); cookie.setSecure(true);
    o More details : https://www.owasp.org/index.php/SecureFlag
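The setHttpOnly and setSecure calls on slides 11 and 33 are per-cookie. As an added example that is not part of the deck, the filter below wraps HttpServletResponse so that every cookie the application adds through the Servlet 3.0+ API gets both flags, including cookies set by libraries that forget them. The class name and its placement in the filter chain are assumptions; the session cookie itself is still best configured through <cookie-config>.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/**
 * Added example: forces HttpOnly and Secure on every cookie the application adds
 * through the Servlet 3.0+ API, not only the JSESSIONID that <cookie-config> covers.
 */
public class CookieHardeningFilter implements Filter {

    /** Pure function so the policy can be unit-tested without a container. */
    static Cookie harden(Cookie cookie) {
        // Attack 1: without HttpOnly an injected script reads document.cookie and
        // hands the session to Bob.
        cookie.setHttpOnly(true);
        // Attack 4: without Secure the browser also sends the cookie over plain HTTP,
        // where the MITM on slide 29 reads it. Set unconditionally: modern browsers
        // discard a Secure cookie that arrives over plain HTTP, which fails closed and
        // matches the advice on slide 36 to disable HTTP altogether.
        cookie.setSecure(true);
        return cookie;
    }

    static final class HardeningResponse extends HttpServletResponseWrapper {
        HardeningResponse(HttpServletResponse response) {
            super(response);
        }

        @Override
        public void addCookie(Cookie cookie) {
            super.addCookie(harden(cookie));
        }
    }

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Everything downstream (servlets, JSPs, frameworks) sees the wrapper.
        chain.doFilter(req, new HardeningResponse((HttpServletResponse) res));
    }

    @Override
    public void destroy() { }
}
```

Two limits to know about: code that writes Set-Cookie directly with response.addHeader bypasses addCookie and is not touched, and the container issues JSESSIONID on its own response object rather than through this wrapper, which is why the <cookie-config> settings on slides 11 and 33 remain necessary.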
34. Strict-Transport-Security
    o Requests supporting browsers to communicate with the specified domain only over HTTPS: they rewrite http:// URLs to https:// before connecting and refuse to click through certificate errors for that host.
    o Example : Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    o Use a Filter and response.addHeader("Strict-Transport-Security", "...");
    o Use Tomcat's built-in security filter : HttpHeaderSecurityFilter
      o https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#HTTP_Header_Security_Filter
    o HSTS Preload : https://hstspreload.appspot.com (requires a max-age of at least one year, includeSubDomains and the preload token; removal from the built-in list takes browser release cycles, so confirm every subdomain serves HTTPS before submitting)
    o Browser support : http://caniuse.com/#feat=stricttransportsecurity
    o More details : https://www.owasp.org/index.php/HTTP_Strict_Transport_Security
    o Caveat: browsers ignore the header on plain-HTTP responses, so Alice must reach the site over HTTPS once (or the site must be preloaded) before the SSL Strip of Attack 5 is blocked.
35. Solution Demonstration: Set-Cookie Secure flag, Strict-Transport-Security
36. Beyond HTTP Headers
    o Use HTTPS all the time if you handle sensitive data.
    o Authenticated sessions must use HTTPS to ensure the safety of the user session.
    o Pay attention to network, system and physical security.
    o Disable HTTP access altogether if it is not required.
37. Attack 5 (Demonstration)
    Bob improves the Man in the Middle attack to bypass HTTPS.
    o SSL Spoofing
    o Session Hijacking
    o Man in the Middle Attacks
    o Public-Key-Pins
38. Attacks on HTTPS
    o SSL Strip
      o Bob keeps an HTTPS connection to the server but serves Alice plain HTTP with the https:// links rewritten; the browser shows no lock, and the session cookie travels in clear text unless it is Secure and the host is HSTS-protected.
    o SSL Split
      o Bob terminates TLS himself with a forged certificate, so Alice must be made to trust a different certificate:
      o Compromise Alice's computer and add a malicious trusted CA.
      o Compromise a CA.
39. SSL Attacks
    o Start SSLsplit, terminating all HTTP and HTTPS traffic arriving at 10.10.10.3, logging it, and forwarding it to 192.168.56.1:
      o sslsplit -D -l connections.log -j /tmp/sslsplit/ -S logdir -k evilca.key -c evilca.crt ssl 10.10.10.3 8444 192.168.56.1 443 tcp 10.10.10.3 8081 192.168.56.1 80
    o Flush the existing rules and redirect all HTTP and HTTPS traffic to SSLsplit:
      o iptables -t nat -F
      o iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8081
      o iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8444
40. Attack Demonstration: SSL Spoofing, Session Hijacking, Man in the Middle Attacks
41. Public-Key-Pins
    o Instructs the browser to associate a specific cryptographic public key with a host.
    o Sends the SHA-256 hash of the public key (the DER-encoded SubjectPublicKeyInfo, not the whole certificate) in an HTTP header with an expiry.
    o Browsers maintain a preloaded list of public key pins [https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning]
    o Public-Key-Pins: pin-sha256="cUPcTAZWKaASuYWhhneDttWpY3oBAkE3h2+soZS7sWs="; pin-sha256="M8HztCzM3elUxkcjR2S5P4hhyBNf6lHkmjAHKhpGPWE="; max-age=5184000; includeSubDomains; report-uri="https://www.example.net/hpkp-report"
    o SHA-256 hash from the key file :
      o openssl rsa -in ca.key -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64
    o Caveats: the header must carry at least two pins, one of them for a backup key kept offline, because a pin set that matches no deployed key locks users out for max-age. Chrome deliberately does not enforce pins against locally installed (user-added) trust anchors, so the malicious CA of slide 38 bypasses it there. Chrome 72 and Firefox 72 removed HPKP support entirely; treat the header as obsolete.
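An added example (my code, not from the slides) that computes the same pin value in Java as the openssl pipeline above, for a PublicKey or an X509Certificate, and assembles the header with a backup pin. PublicKey.getEncoded() returns the DER SubjectPublicKeyInfo, which is exactly what openssl rsa -pubout -outform der emits. The generated key pairs stand in for a real key store and are an assumption of the example.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.Base64;

/**
 * Added example: HPKP pin-sha256 computation in Java, equivalent to
 * openssl rsa -pubout -outform der | openssl dgst -sha256 -binary | openssl enc -base64
 */
public final class HpkpPin {

    /** Base64(SHA-256(DER SubjectPublicKeyInfo)). */
    public static String pinSha256(PublicKey key) throws NoSuchAlgorithmException {
        byte[] spki = key.getEncoded();   // X.509 SubjectPublicKeyInfo, DER encoded
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(spki);
        return Base64.getEncoder().encodeToString(digest);
    }

    /** Pin for the key inside a certificate (leaf, intermediate or root all work). */
    public static String pinSha256(X509Certificate cert) throws NoSuchAlgorithmException {
        return pinSha256(cert.getPublicKey());
    }

    /** Builds the header value; HPKP requires at least two pins, one for a backup key. */
    public static String headerValue(String activePin, String backupPin, long maxAgeSeconds) {
        return "pin-sha256=\"" + activePin + "\"; pin-sha256=\"" + backupPin
                + "\"; max-age=" + maxAgeSeconds + "; includeSubDomains";
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: two fresh key pairs stand in for the deployed key and the
        // offline backup key. In production, load them from the key store instead.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair active = gen.generateKeyPair();
        KeyPair backup = gen.generateKeyPair();

        String activePin = pinSha256(active.getPublic());
        String backupPin = pinSha256(backup.getPublic());
        System.out.println("Public-Key-Pins: " + headerValue(activePin, backupPin, 5184000L));

        // Sanity check: a pin is a 32-byte digest, i.e. 44 base64 characters.
        if (Base64.getDecoder().decode(activePin).length != 32) {
            throw new IllegalStateException("pin is not a SHA-256 digest");
        }
    }
}
```

Pin the backup key's SPKI from a key pair that has never been deployed and keep its private half offline; rotate by serving the backup pin as active and generating a new backup. The same SPKI digest is what native and mobile clients use for certificate pinning, so this helper stays useful after the browser header itself is gone.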
42. Solution Demonstration: Public-Key-Pins
43. Out of storyline
44. Content-Security-Policy
    o A layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks.
    o Designed to be fully backward compatible: browsers ignore directives they do not understand.
    o Replaces X-Frame-Options with the frame-ancestors directive.
      o Content-Security-Policy: frame-ancestors 'none';
    o Was meant to replace X-XSS-Protection with the reflected-xss directive.
      o Content-Security-Policy: reflected-xss block;
      o reflected-xss appeared only in the CSP 1.1 draft, was dropped from CSP Level 2, and no shipping browser honours it. The XSS defence CSP actually provides is a strict script-src (no 'unsafe-inline'; nonces or hashes for inline scripts).
    o http://www.html5rocks.com/en/tutorials/security/content-security-policy
    o https://developer.mozilla.org/en/docs/Web/Security/CSP/CSP_policy_directives
    o http://content-security-policy.com
45. Content-Security-Policy - Examples
    o default-src  Default policy for loading content such as JavaScript, images, CSS
    o script-src   Defines valid sources of JavaScript.
    o style-src    Defines valid sources of stylesheets.
    o Example : Load content from 'self' and cdn.example.com; in addition, allow loading scripts from js.example.com
      Content-Security-Policy: default-src 'self' cdn.example.com; script-src 'self' js.example.com;
    o Example : Disallow loading the current page inside iframes and enable XSS protection
      Content-Security-Policy: frame-ancestors 'none'; reflected-xss block;
      (reflected-xss takes an unquoted keyword and, as noted on the previous slide, is not implemented by current browsers; only the frame-ancestors part of this policy is enforced)
46. X-Content-Type-Options
    o Used to stop the browser from using MIME sniffing to determine the content type of a resource.
    o Prevents maliciously crafted resources (e.g. an uploaded "image" that is really HTML or JavaScript) from being used in attacks including XSS.
    o Use a Filter and response.addHeader("X-Content-Type-Options", "nosniff");
    o Use Tomcat's built-in security filter : HttpHeaderSecurityFilter
      o https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#HTTP_Header_Security_Filter
47. Tomcat HttpHeaderSecurityFilter
    o Available since Tomcat 7.0.63; the X-XSS-Protection header was added in 7.0.68
      <filter>
        <filter-name>HttpHeaderSecurityFilter</filter-name>
        <display-name>HttpHeaderSecurityFilter</display-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
      </filter>
      <filter-mapping>
        <filter-name>HttpHeaderSecurityFilter</filter-name>
        <url-pattern>/*</url-pattern>
      </filter-mapping>
    o Security headers enabled by default :
      o X-XSS-Protection: 1; mode=block
      o X-Content-Type-Options: nosniff
      o X-Frame-Options: DENY
      o Strict-Transport-Security: max-age=0 (sent on HTTPS responses only)
    o Caveat: max-age=0 tells browsers to forget the host's HSTS entry, so set the hstsMaxAgeSeconds init-param (e.g. 31536000) and, if wanted, hstsIncludeSubDomains; the filter does not emit Content-Security-Policy at all.
    o https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#HTTP_Header_Security_Filter
    o https://github.com/apache/tomcat/blob/trunk/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java
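For containers other than Tomcat, or for the headers the Tomcat filter does not emit, the following added example (my code, not Tomcat's) is a single servlet filter that sets the headers from slides 14, 19, 34, 44 to 46 together, with HSTS sent only on HTTPS responses and a non-zero max-age. The policy values are assumptions to adapt per application.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example: one filter for the response headers covered in this deck.
 * The policy values are assumptions; adapt them per application.
 */
public class SecurityHeadersFilter implements Filter {

    // One year. Tomcat's HttpHeaderSecurityFilter defaults hstsMaxAgeSeconds to 0,
    // which tells browsers to forget the host, so always configure a real value.
    static final long HSTS_MAX_AGE_SECONDS = 31536000L;

    // frame-ancestors 'none' is the CSP replacement for X-Frame-Options: DENY (slide 44);
    // script-src without 'unsafe-inline' is the actual XSS defence CSP provides.
    static final String CSP = "default-src 'self'; script-src 'self'; frame-ancestors 'none'";

    /** Header policy, separated from the Servlet plumbing so it can be unit-tested. */
    static void applyHeaders(boolean secureRequest, HttpServletResponse response) {
        // Kept for browsers that only understand the legacy header (slide 19).
        response.setHeader("X-Frame-Options", "DENY");
        // Slide 46: never let the browser second-guess the declared Content-Type.
        response.setHeader("X-Content-Type-Options", "nosniff");
        response.setHeader("Content-Security-Policy", CSP);
        // Slide 14: only browsers that still ship a reflected-XSS filter act on this.
        response.setHeader("X-XSS-Protection", "1; mode=block");
        // RFC 6797: browsers ignore HSTS on plain-HTTP responses, so send it only over
        // HTTPS (Tomcat's filter does the same via request.isSecure()).
        if (secureRequest) {
            response.setHeader("Strict-Transport-Security",
                    "max-age=" + HSTS_MAX_AGE_SECONDS + "; includeSubDomains");
        }
    }

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Set the headers before the chain runs so they are committed with the body
        // even if a downstream servlet flushes early.
        applyHeaders(request.isSecure(), response);
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

Behind a TLS-terminating reverse proxy request.isSecure() is false unless the container is told otherwise (in Tomcat, RemoteIpValve or RemoteIpFilter with protocolHeader="X-Forwarded-Proto", or a connector with secure="true"); without that, the HSTS header is silently never sent, which is the same failure the Tomcat filter has.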
48. Future Developments: IETF Drafts
49. Cookie Prefixes
    o Mechanism for identifying whether a third party (for example a plain-HTTP man in the middle) has tampered with the cookie attributes set by the server.
    o The security attributes of a cookie are encoded in its name, and the browser rejects a prefixed cookie that does not carry them.
    o Set-Cookie: __Secure-JSESSIONID=12345678901234567890; Secure; Domain=example.com
    o "__Secure-"
      o requires the "Secure" attribute and must be set from a secure origin (a Domain attribute is still allowed)
    o "__Host-"
      o requires the "Secure" attribute, a "Path" attribute with a value of "/" and no "Domain" attribute, so the cookie is bound to exactly the host that set it
    o https://tools.ietf.org/html/draft-ietf-httpbis-cookie-prefixes-00
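An added example (my code, not from the draft or the slides) that applies the prefix rules as a browser would, so Set-Cookie values an application emits can be checked before shipping. The sample header values are constructed for the example; the secure-origin requirement cannot be checked from the header alone and is left to the deployment.

```java
import java.util.Locale;

/**
 * Added example: acceptance rules for __Secure- and __Host- cookies
 * (draft-ietf-httpbis-cookie-prefixes), applied to a Set-Cookie header value.
 */
public final class CookiePrefixCheck {

    /** Returns true if a prefix-aware browser would store this Set-Cookie value. */
    public static boolean accepts(String setCookie) {
        String[] parts = setCookie.split(";");
        String name = parts[0].split("=", 2)[0].trim();
        boolean secure = false;
        boolean hasDomain = false;
        boolean pathIsRoot = false;
        for (int i = 1; i < parts.length; i++) {
            String attr = parts[i].trim();
            String lower = attr.toLowerCase(Locale.ROOT);
            if (lower.equals("secure")) {
                secure = true;
            } else if (lower.startsWith("domain=")) {
                hasDomain = true;
            } else if (lower.startsWith("path=")) {
                pathIsRoot = attr.substring("path=".length()).trim().equals("/");
            }
        }
        if (name.startsWith("__Host-")) {
            // __Host-: Secure, Path=/ and NO Domain, so only this exact host can set it
            // and a sibling subdomain or plain-HTTP MITM cannot overwrite it.
            return secure && pathIsRoot && !hasDomain;
        }
        if (name.startsWith("__Secure-")) {
            // __Secure-: must carry Secure; a plain-HTTP attacker (slide 29) cannot set it.
            return secure;
        }
        return true; // no prefix, no extra rule
    }

    public static void main(String[] args) {
        // Constructed Set-Cookie values for illustration.
        String[] samples = {
            "__Secure-JSESSIONID=1234567890; Secure; Domain=example.com",         // accept
            "__Secure-JSESSIONID=1234567890; Domain=example.com",                 // REJECT: no Secure
            "__Host-JSESSIONID=1234567890; Secure; Path=/",                       // accept
            "__Host-JSESSIONID=1234567890; Secure; Path=/; Domain=example.com",   // REJECT: Domain
            "__Host-JSESSIONID=1234567890; Secure; Path=/admin",                  // REJECT: Path
            "JSESSIONID=1234567890; HttpOnly",                                    // accept: no prefix
        };
        for (String s : samples) {
            System.out.println((accepts(s) ? "accept " : "REJECT ") + s);
        }
    }
}
```

The __Host- form is the one worth adopting for a session cookie: it gives the cookie a fixed Path=/ and host scope that the server cannot accidentally widen, and a browser that understands the prefix refuses any copy that lacks those attributes.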
50. Encrypted Content-Encoding for HTTP
    o Allows HTTP message payloads to be encrypted end to end, independently of TLS.
    o Store a file/content on a server without exposing its contents to that server.
      HTTP/1.1 200 OK
      Content-Type: application/octet-stream
      Content-Encoding: aesgcm
      Connection: close
      Encryption: keyid="http://example.org/bob/keys/123"; salt="XZwpw6o37R-6qoZjw6KwAw"

      [encrypted payload]
    o https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-01
    o The draft shown was later published as RFC 8188 with a changed format: Content-Encoding: aes128gcm, with the salt, record size and key id carried in a header block at the start of the body instead of a separate Encryption header.
51. Q&A
52. Thank You!
    http://ayomaonline.com
    @ayomawdb
