7.
Why are headers important to us?
[Chart: "Input & Parameter Coverage in Web Application Scanners", plotting the non-coverage rate of input vectors (GET, POST, HTTP Cookie, HTTP Header) on a 0-60 scale, with "No Coverage" and "Coverage" bars per vector]
Reference: Data compiled from InfoSec Institute 2012 study
It’s the least protected area...
14-16.
Content Security Policy (CSP)
• Lets you specify a policy for where content in your webpages can be loaded from
• Lets you put restrictions on script execution
• Headers
  • Content-Security-Policy - Chrome 25 (Firefox nightlies)
  • X-Content-Security-Policy - Firefox 4+
  • X-WebKit-CSP - WebKit browsers (Chrome/Safari)
17.
CSP Directives
• default-src - Specifies the default for other sources
• script-src
• style-src
• object-src - plugins
• img-src
• media-src - video/audio
• frame-src
• font-src
• connect-src
• report-uri - Specifies where CSP violations can be reported
18-21.
CSP Sources (for the directives)
• 'none' - No content of this type is allowed (All directives)
• 'self' - Content of this type can only be loaded from the same origin (no content from other sites) (All directives)
• 'unsafe-inline' - Allows unsafe inline content
  • Supported by style-src (inline css) and script-src (inline script)
• 'unsafe-eval' - Allow script functions considered unsafe (such as eval())
  • Supported by script-src
22.
CSP Sources (for the directives)
• And you can specify custom sources:
  • * - Allow content from anywhere
  • *.domain.com - Wildcard host, allow content from any domain.com sub-domain
  • www.domain.com:81 - You can specify a port number
  • https: - Scheme only, load only content served over https
  • https://www.domain.com - You can specify an absolute URI for a host (path has no effect though)
23.
And then it all comes together
• Content-Security-Policy: default-src 'self'; script-src 'self' scripts.domain.com
  • This policy sets a default source of 'self' for all directives
  • script-src defines its own sources, replacing the default
    • Scripts can also be loaded from scripts.domain.com
  • In effect, scripts, stylesheets, images, flash animations, Java applets, etc., can only be loaded from the same origin as the page
  • This policy denies inline scripts and CSS!
24.
The “special” sources
• 'unsafe-inline' can allow inline scripts (script-src) and styles (style-src)
• 'unsafe-eval' allows certain JavaScript functions considered high risk (eval())
• Use these special sources with care
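Worked example for slides 17-24 (added here; this is not code from the deck or from gethead): a small Python evaluator that parses a Content-Security-Policy value and applies the source rules above, including the fallback from a missing fetch directive to default-src, so a policy can be checked for what it really permits before it ships. The page origin and resource URLs used in the usage section are constructed values, and the port handling is simplified to the default-port rule.

```python
"""Minimal Content-Security-Policy evaluator. Added example, not code from the
deck; page origins and URLs below are constructed."""
from urllib.parse import urlparse

# Fetch directives that inherit their sources from default-src when absent
FETCH_DIRECTIVES = {"script-src", "style-src", "object-src", "img-src",
                    "media-src", "frame-src", "font-src", "connect-src"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_csp(header_value):
    """Turn "default-src 'self'; script-src 'self' cdn" into {directive: [sources]}."""
    policy = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive is ignored; the first occurrence wins
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def _host_matches(pattern_host, host):
    if pattern_host == "*":
        return True
    if pattern_host.startswith("*."):
        # *.domain.com matches any sub-domain but not domain.com itself
        return host.endswith(pattern_host[1:])
    return host == pattern_host


def source_matches(source, page_origin, url):
    """True if one source expression permits loading `url` from a page at `page_origin`."""
    target, page = urlparse(url), urlparse(page_origin)
    if source == "*":
        return True
    if source == "'self'":
        return (target.scheme, target.netloc) == (page.scheme, page.netloc)
    if source.startswith("'"):
        # 'none', 'unsafe-inline' and 'unsafe-eval' never permit a URL fetch
        return False
    if source.endswith(":") and "/" not in source:
        # Scheme-only source such as https:
        return target.scheme == source[:-1].lower()
    pattern = urlparse(source if "://" in source else "//" + source)
    if pattern.scheme and pattern.scheme != target.scheme:
        return False
    if not _host_matches(pattern.hostname, target.hostname):
        return False
    target_port = target.port or DEFAULT_PORTS.get(target.scheme)
    if pattern.port is not None:
        return pattern.port == target_port
    # No port in the source: the target must use its scheme's default port
    return target_port == DEFAULT_PORTS.get(target.scheme)


def is_allowed(policy, directive, page_origin, url):
    """Apply the directive, falling back to default-src for fetch directives."""
    sources = policy.get(directive)
    if sources is None and directive in FETCH_DIRECTIVES:
        sources = policy.get("default-src")
    if sources is None:
        return True  # no governing directive: the load is unrestricted
    return any(source_matches(s, page_origin, url) for s in sources)


def inline_allowed(policy, directive):
    """Inline script/style runs only with 'unsafe-inline' in the governing directive."""
    sources = policy.get(directive)
    if sources is None:
        sources = policy.get("default-src", [])
    return "'unsafe-inline'" in sources


if __name__ == "__main__":
    # The policy from slide 23; the page origin is a constructed value
    policy = parse_csp("default-src 'self'; script-src 'self' scripts.domain.com")
    origin = "https://www.domain.com"
    print(is_allowed(policy, "script-src", origin, "https://scripts.domain.com/app.js"))  # True
    print(is_allowed(policy, "img-src", origin, "https://scripts.domain.com/x.png"))      # False
    print(inline_allowed(policy, "script-src"))                                            # False
```

The img-src check is the point of the default-src fallback: scripts.domain.com is listed only under script-src, so an image from that host is still blocked by the 'self' default.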
25-28.
CSP Reporting
• You can specify a “report-uri” in the CSP header
  • Must be a relative URI
  • Will post violation reports as JSON back to the web application
• Content-Security-Policy-Report-Only
  • Will not block scripts or resources violating the policy
  • Will report them to the web application
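Worked example for the reporting slides (added here; not code from the deck): a Python endpoint built on the standard library that receives the JSON violation reports a browser posts to report-uri, plus a helper that emits either the enforcing header or the Report-Only variant. The report path and the sample report body are constructed values; the report field names (document-uri, violated-directive, blocked-uri, original-policy) are the ones browsers send.

```python
"""CSP violation-report receiver. Added example, not code from the deck;
the report-uri path and the sample report below are constructed values."""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

REPORT_PATH = "/csp-report"   # relative report-uri (constructed)
MAX_BODY = 64 * 1024          # refuse oversized report bodies


def build_csp_header(policy, report_only=False):
    """Return (header name, header value) with the report-uri appended.
    Report-Only delivers reports without blocking anything, which is how a
    new policy is trialled before it is enforced."""
    name = ("Content-Security-Policy-Report-Only" if report_only
            else "Content-Security-Policy")
    return name, f"{policy}; report-uri {REPORT_PATH}"


def parse_csp_report(body):
    """Extract the fields worth triaging from a browser's JSON violation report.
    Returns None when the body is not a well-formed CSP report, so the
    endpoint can reject junk without logging it."""
    try:
        data = json.loads(body)
    except ValueError:           # also covers UnicodeDecodeError on bad bytes
        return None
    report = data.get("csp-report") if isinstance(data, dict) else None
    if not isinstance(report, dict) or "violated-directive" not in report:
        return None
    return {
        "document": str(report.get("document-uri", "")),
        "directive": str(report.get("violated-directive", "")),
        "blocked": str(report.get("blocked-uri", "")),
        "policy": str(report.get("original-policy", "")),
    }


class ReportHandler(BaseHTTPRequestHandler):
    """Accepts POSTed reports at REPORT_PATH and answers 204 No Content."""

    def do_POST(self):
        if self.path != REPORT_PATH:
            self.send_error(404)
            return
        length = int(self.headers.get("Content-Length", 0))
        if length > MAX_BODY:
            self.send_error(413)
            return
        parsed = parse_csp_report(self.rfile.read(length))
        if parsed is None:
            self.send_error(400)
            return
        # Reports are client-supplied data: forward them to your log pipeline,
        # rate-limit per client, and never trust their contents blindly
        self.log_message("CSP violation on %s: %s blocked %s",
                         parsed["document"], parsed["directive"], parsed["blocked"])
        self.send_response(204)
        self.end_headers()


# Constructed example of what a browser posts when the policy from slide 23
# blocks a script that is not on the allow-list
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://www.domain.com/account",
    "violated-directive": "script-src 'self' scripts.domain.com",
    "effective-directive": "script-src",
    "blocked-uri": "https://evil.example/x.js",
    "original-policy": "default-src 'self'; script-src 'self' scripts.domain.com; "
                       "report-uri /csp-report",
}}).encode()

if __name__ == "__main__":
    print(build_csp_header("default-src 'self'", report_only=True))
    print(parse_csp_report(SAMPLE_REPORT))
    HTTPServer(("127.0.0.1", 8080), ReportHandler).serve_forever()
```

Start with the Report-Only header, collect reports for a while, and only switch to the enforcing header once the blocked-uri values are all things you intend to block.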
30.
XSS Protection
• X-XSS-Protection: 1; mode=block
• Enables XSS Filter built into most recent web browsers
• Role is to re-enable for a particular website if it was disabled by the user
31.
XSS summarized
• Make sure you validate your inputs
• Make sure you encode everything you output
  • Input to the web application
  • Data from backend system
  • EVERYTHING!
• Use CSP and XSS-Protection as an extra level of defense, it’s not the cure!
33-35.
Click-jacking
• A malicious site loads the vulnerable site in an iframe
• The iframe is invisible and positioned in front of something the user is likely to click on
• The user clicks on what appears to be an element on the malicious site
• The user really clicks in the iframe, triggering some operation on the vulnerable site
36.
X-Frame-Options
• X-Frame-Options: Deny | SameOrigin
• Instructs the browser to not display the page in a frame
  • When the page isn’t displayed, there’s nothing to click on!
• Browser support: Opera 10.5+, Chrome 4.1+, IE 8+, Firefox 3.6.9+, Safari 4+
• Remember: The request is still sent to - and processed by - the web server!
38.
HTTP Strict Transport Security (HTTPS stripping)
39-40.
HTTPS stripping explained
• “Secure” websites use SSL/TLS to preserve the confidentiality and integrity of the communication with a browser
• For usability, “secure” websites are still accessible through insecure channels (HTTP on port 80)
  • They’ll redirect the user to HTTPS
  • User enters www.onlinebank.com - and is redirected to https://www.onlinebank.com
  • The very first request is insecure, and open to attack!
41.
HTTPS stripping explained
• SSL stripping is a MiTM attack
• Attacker keeps the victim on HTTP, but passes requests on over HTTPS to the target website
• Practical attack demoed at BlackHat in 2009 (sslstrip)
42-43.
HTTPS stripping scenario
[Diagram: An attacker sitting in the middle of a HTTPS session]
[Diagram: An attacker performing a HTTPS stripping attack]
44.
HTTP Strict Transport Security
• Strict-Transport-Security: max-age=31536000; includeSubDomains
  • Max-age specifies for how many seconds the policy should be in effect
  • includeSubDomains - optional
• Instructs the browser to only communicate to that hostname over SSL/TLS
• Fails hard on certificate errors
  • The user does not have the option to click through certificate warnings
• Browser support: Chrome 4+, Firefox 4+, Opera 12
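Worked example for slides 39-44 (added here; not code from the deck): a Python model of the browser-side bookkeeping that HSTS introduces. It parses the Strict-Transport-Security value, records the host only when the header arrived over HTTPS, honours max-age expiry and includeSubDomains, and rewrites a plain http:// navigation to https:// before any request leaves, which is exactly the insecure first request the stripping slides describe. The hostname www.onlinebank.com is the one on the slides; the injectable clock is there for testing expiry.

```python
"""Browser-side HSTS bookkeeping. Added example, not code from the deck;
the hostnames in the usage section are constructed."""
import time
from urllib.parse import urlparse, urlunparse


def parse_hsts(header_value):
    """Parse 'max-age=31536000; includeSubDomains' into (max_age, include_subdomains).
    Returns None when max-age is missing or malformed: a browser then ignores the header."""
    max_age, include_sub = None, False
    for part in header_value.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


class HstsStore:
    """Remembers which hosts demanded HTTPS, the way a browser's HSTS cache does."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested
        self._entries = {}           # host -> (expires_at, include_subdomains)

    def process_response(self, url, header_value):
        """Record the policy. A header received over plain HTTP is ignored,
        otherwise a man-in-the-middle could plant or clear HSTS state."""
        parsed = urlparse(url)
        if parsed.scheme != "https":
            return False
        policy = parse_hsts(header_value)
        if policy is None:
            return False
        max_age, include_sub = policy
        host = parsed.hostname
        if max_age == 0:
            self._entries.pop(host, None)    # max-age=0 tells the browser to forget the host
        else:
            self._entries[host] = (self._clock() + max_age, include_sub)
        return True

    def is_known(self, host):
        """True if host, or a parent domain with includeSubDomains, has a live entry."""
        now = self._clock()
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires_at, include_sub = entry
            if expires_at > now and (i == 0 or include_sub):
                return True
        return False

    def rewrite(self, url):
        """Upgrade http:// to https:// for known hosts before the request is sent,
        so the insecure first request that the stripping attack relies on never leaves."""
        parsed = urlparse(url)
        if parsed.scheme != "http" or not self.is_known(parsed.hostname):
            return url
        netloc = parsed.netloc[:-3] if parsed.netloc.endswith(":80") else parsed.netloc
        return urlunparse(parsed._replace(scheme="https", netloc=netloc))


if __name__ == "__main__":
    store = HstsStore()
    print(store.rewrite("http://www.onlinebank.com/login"))   # unchanged: host not yet known
    store.process_response("https://www.onlinebank.com/",
                           "max-age=31536000; includeSubDomains")
    print(store.rewrite("http://www.onlinebank.com/login"))   # upgraded to https
```

Note what the model makes visible: the very first visit to a host is still unprotected until a policy has been seen over HTTPS, and the policy silently lapses once max-age runs out unless the server keeps sending the header.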
46-50.
Session hijacking explained
• Means getting access to a user’s privileged session > steal session tokens
• Session tokens mean cookies
• Protect the cookies!
  • Cookies can be marked with the ‘httpOnly’ flag > makes them inaccessible to JS, they won’t be included in requests from applets
  • Cookies can be marked with the “secure” flag > instructs the browser to only send them with HTTPS requests
52-55.
IE MIME Sniffing
• HTTP responses include a header stating what type of content is included
• To compensate for misconfigured servers and bad programming, IE introduced MIME sniffing back in the days (IE4)
• They introduced the “X-Content-Type-Options: nosniff” header in IE9 to disable the behavior
• Always serve your content with the correct content type, and the “X-Content-Type-Options” header
56.
In Summary...we need more header detection and protection!
58.
gethead Current Features
• Written in Python 2.7.5
• Performs HTTP Header Analysis
• Reports Header Vulnerabilities
• Open Source
59.
gethead December Features
• Support for git updates
• Export with multi-format options (XML, HTML, TXT)
• Support for Python 3.x
• Complete Header Analysis
• Rank Vulnerabilities by Severity
• Export Findings with Description, Impact, Execution, Fix, and References
60.
gethead February Features
• Replay & Inline Upstream Proxy Support to import into WebInspect
• Scan domains, sub-domains, and multi-services
• Header Injection & Fuzzing functionality
• HTTP Header Policy Bypassing
• Modularize and port to more platforms (e.g. gMinor, Kali, Burp Extension, Metasploit, Chrome)