SlideShare a Scribd company logo
1 of 62
Download to read offline
HTTP Header Analysis
@httphacker httphacker.com
Agenda

• Why are headers important to us?
Agenda

• Why are headers important to us?	

• What Checks are in AppSec Scanners?
Agenda

• Why are headers important to us?	

• What Checks are in AppSec Scanners?	

• Review of Header Attributes
Agenda

• Why are headers important to us?	

• What Checks are in AppSec Scanners?	

• Review of Header Attributes	

• Demo of gethead.py
Why are headers important to us?
Why are headers important to us?
Input&Parameter&Coverage&in&Web&Applica6on&
Scanners&

Non$Coverage$Rate$of$Input$Vectors$

60"
50"

GET$

40"

No"Coverage"

30"

Coverage"

20"
10"
0"
GET"

POST"

HTTP"Cookie" HTTP"Header"

Reference: Data compiled from InfoSec Institute 2012 study

It’s the least protected area...

POST$
HTTP$Cookie$
HTTP$Header$
Opportunity
POST /.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/boot.ini&url=httphacker.com HTTP/1.0	

Referer: domain.com/external.xml	

Accept: */*	

User-Agent: Mozilla/5.0 Gecko/20110614 Firefox/3.6.18	

Host: domain.com	

Connection: Keep-Alive	

Cookie: oAuth[access_token]=%31%33%33%37%22%3e%3c%73%43%72%49%70%54%3e%61%6c
%65%72%74%28%68	

%74%74%70%68%61%63%6b%65%72%29%3c%2f
%73%43%72%49%70%54%3e;PHPSESSID=k04mk749i6cur91k;	

!
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd"> ]><REQUEST><FROM>null</
FROM><METHOD>SEND</METHOD><MESSAGE type=”MSG”><HEAD><ID>612117752013</
ID><FROM>null</FROM><DESTINATION>UserManagerService&xxe;</
DESTINATION><ACTION>logout</ACTION><EVENT>null</EVENT></HEAD><BODY /></
MESSAGE></REQUEST>	

!
username:http&password=hacker
What Checks are in AppSec
Scanners?
What Checks are in AppSec
Scanners?
What is missing in AppSec Scanners?
Let’s review some of these headers...
Content Security Policy
(CSP)
Content Security Policy (CSP)

•

Lets you specify a policy for where content in your
webpages can be loaded from
Content Security Policy (CSP)

•

Lets you specify a policy for where content in your
webpages can be loaded from	


•

Lets you put restrictions on script execution
Content Security Policy (CSP)
•

Lets you specify a policy for where content in your
webpages can be loaded from	


•
•

Lets you put restrictions on script execution	

Headers	


•

Content-Security-Policy - Chrome 25 (Firefox
nightlies)	


•
•

X-Content-Security-Policy - Firefox 4+	

X-WebKit-CSP - WebKit browsers (Chrome/Safari)
CSP Directives
•
•
•
•
•
•
•
•
•
•

default-src - Specifies the default for other sources	

script-src	

style-src	

object-src - plugins	

img-src	

media-src - video/audio	

frame-src	

font-src	

connect-src	

report-uri - Specifies where CSP violations can be reported
CSP Sources (for the directives)

•

‘none’ - No content of this type is allowed (All
directives)
CSP Sources (for the directives)

•

‘none’ - No content of this type is allowed (All
directives)	


•

‘self’ - Content of this type can only be loaded from the
same origin (no content from other sites) (All directives)
CSP Sources (for the directives)

•

‘none’ - No content of this type is allowed (All
directives)	


•

‘self’ - Content of this type can only be loaded from the
same origin (no content from other sites) (All directives)	


•

‘unsafe-inline’ - Allows unsafe inline content	


•

Supported by style-src (inline css) and script-src (inline
script)
CSP Sources (for the directives)
•

‘none’ - No content of this type is allowed (All
directives)	


•

‘self’ - Content of this type can only be loaded from the
same origin (no content from other sites) (All directives)	


•

‘unsafe-inline’ - Allows unsafe inline content	


•

•

Supported by style-src (inline css) and script-src (inline
script)	


‘unsafe-eval’ - Allow script functions considered unsafe
(such as eval())	


•

Supported by script-src
CSP Sources (for the directives)
•

And you can specify custom sources:	


•
•

* - Allow content from anywhere	


•

*.domain.com - Wildcard host, allow content from any
domain.com sub-domain	


•
•

www.domain.com:81 - You can specify a port number	


https: - Scheme only, load only content served over
https	


https://www.domain.com - You can specify an absolute
URI for a host (path has no effect though)
And then it all comes together
•

Content-Security-Policy: default-src ‘self’; script-src ‘self’
scripts.domain.com	


•
•
•

This policy sets a default source of ‘self’ for all directives	


•
•

Scripts can also be loaded from scripts.domain.com	


script-src defines its own sources, replacing the default	

In effect, scripts, stylesheets, images, flash animations, Java
applets, etc., can only be loaded from the same origin as the
page	


This policy denies inline scripts and CSS!
The “special” sources

• ‘unsafe-inline’ can allow inline scripts
(script-src) and styles (style-src)	


• ‘unsafe-eval’ allows certain JavaScript

functions considered high risk (eval())	


• Use these special sources with care
CSP Reporting

•

You can specify a “report-uri” in the CSP header
CSP Reporting

•
•

You can specify a “report-uri” in the CSP header	

Must be a relative URI
CSP Reporting

•
•
•

You can specify a “report-uri” in the CSP header	

Must be a relative URI	

Will post violation reports as JSON back to the
web application
CSP Reporting

•
•
•

You can specify a “report-uri” in the CSP header	


•

Content-Security-Policy-Report-Only	


Must be a relative URI	

Will post violation reports as JSON back to the
web application	


•

Will not block scripts or resources violating the
policy	


•

Will report them to the web application
XSS Protection
XSS Protection

• X-XSS-Protection: 1; mode=block	

• Enables XSS Filter built into most recent
web browsers	


• Role is to re-enable for a particular website
if it was disabled by the user
XSS summarized

•
•

•

Make sure you validate your inputs	

Make sure you encode everything you output	


•
•
•

Input to the web application	

Data from backend system	

EVERYTHING!	


Use CSP and XSS-Protection as an extra level of
defense, it’s not the cure!
X-Frame-Options
(Click-jacking)
Click-jacking

•

A malicious site loads the vulnerable site in an
iframe
Click-jacking

•

A malicious site loads the vulnerable site in an
iframe	


•

The iframe is invisible and positioned in front of
something the user is likely to click on
Click-jacking

•

A malicious site loads the vulnerable site in an
iframe	


•

The iframe is invisible and positioned in front of
something the user is likely to click on	


•

The user clicks on what appears to be an element
on the malicious site	


•

The user really clicks in the iframe, triggering
some operation on the vulnerable site
X-Frame-Options

•
•

X-Frame-Options: Deny | SameOrigin	

Instructs the browser to not display the page in a
frame	


•

When the page isn’t displayed, there’s nothing to
click on!	


•

Browser support: Opera 10.5+, Chrome 4.1+, IE 8+,
Firefox 3.6.9+, Safari 4+	


•

Remember: The request is still sent to - and
processed by - the web server!
X-Frame-Options Client Message
HTTP Strict Transport Security
(HTTPS stripping)
HTTPS stripping explained

•

“Secure” websites use SSL/TLS to preserve the
confidentiality and integrity of the communication with a
browser
HTTPS stripping explained
•

“Secure” websites use SSL/TLS to preserve the
confidentiality and integrity of the communication with a
browser	


•

For usability, “secure” websites are still accessible
through insecure channels (HTTP on port 80)	


•
•

They’ll redirect the user to HTTPS	


•

The very first request is insecure, and open to attack!

User enters www.onlinebank.com - and is redirected
to https://www.onlinebank.com
HTTPS stripping explained

•

SSL stripping is a MiTM attack	


•

Attacker keeps the victim on HTTP, but passes
requests on over HTTPS to the target website	


•

Practical attack demoed at BlackHat in 2009 (sslstrip)
HTTPS stripping scenario

An attacker sitting in the middle of a HTTPS session
HTTPS stripping scenario

An attacker sitting in the middle of a HTTPS session

An attacker performing a HTTPS stripping attack
HTTP Strict Transport Security
•

Strict-Transport-Security: max-age=31536000; includeSubDomains	


•

Max-age specifies for how many seconds the policy should be in
effect	


•

includeSubDomains - optional	


•

Instructs the browser to only communicate to that hostname over
SSL/TLS	


•

Fails hard on certificate errors	


•

The user does not have the option to click through certificate
warnings	


•

Browser support: Chrome 4+, Firefox 4+, Opera 12
Session hijacking
Securing Cookies
Session hijacking explained

•

Means getting access to a user’s privileged session > steal
session tokens
Session hijacking explained

•

Means getting access to a user’s privileged session > steal
session tokens	


•

Session tokens mean cookies
Session hijacking explained

•

Means getting access to a user’s privileged session > steal
session tokens	


•
•

Session tokens mean cookies	

Protect the cookies!
Session hijacking explained
•

Means getting access to a user’s privileged session > steal
session tokens	


•
•
•

Session tokens mean cookies	

Protect the cookies!	

Cookies can be marked with the ‘httpOnly’ flag > makes
them inaccessible to JS, they won’t be included in
requests from applets
Session hijacking explained
•

Means getting access to a user’s privileged session > steal
session tokens	


•
•
•

Session tokens mean cookies	


•

Cookies can be marked with the “secure” flag > instructs
the browser to only send them with HTTPS requests

Protect the cookies!	

Cookies can be marked with the ‘httpOnly’ flag > makes
them inaccessible to JS, they won’t be included in
requests from applets
IE MIME sniffing

(Content-Type Options)
IE MIME Sniffing

•

HTTP responses include a header stating what type
of content is included
IE MIME Sniffing

•

HTTP responses include a header stating what type
of content is included	


•

To compensate for misconfigured servers and bad
programming, IE introduced MIME sniffing back in the
days (IE4)
IE MIME Sniffing

•

HTTP responses include a header stating what type
of content is included	


•

To compensate for misconfigured servers and bad
programming, IE introduced MIME sniffing back in the
days (IE4)	


•

They introduced the “X-Content-Type-Options:
nosniff” header in IE9 to disable the behavior
IE MIME Sniffing

•

HTTP responses include a header stating what type
of content is included	


•

To compensate for misconfigured servers and bad
programming, IE introduced MIME sniffing back in the
days (IE4)	


•

They introduced the “X-Content-Type-Options:
nosniff” header in IE9 to disable the behavior	


•

Always serve your content with the correct content
type, and the “X-Content-Type-Options” header
In Summary...we need more header
detection and protection!
gethead Project

https://github.com/httphacker
gethead Current Features

• Written in Python 2.7.5	

• Performs HTTP Header Analysis	

• Reports Header Vulnerabilities	

• Open Source
gethead December Features
•
•
•
•
•

Support for git updates	


•

Export with multi-format options (XML, HTML, TXT)

Support for Python 3.x	

Complete Header Analysis	

Rank Vulnerabilities by Severity	

Export Findings with Description, Impact, Execution, Fix,
and References
gethead February Features
•

Replay & Inline Upstream Proxy Support to import into
WebInspect	


•
•
•
•

Scan domains, sub-domains, and multi-services	

Header Injection & Fuzzing functionality	

HTTP Header Policy Bypassing	

Modularize and port to more platforms
(e.g. gMinor, Kali, Burp Extension, Metasploit, Chrome)
Thank you.

More Related Content

What's hot

OWASP London - So you thought you were safe using AngularJS.. Think again!
OWASP London - So you thought you were safe using AngularJS.. Think again!OWASP London - So you thought you were safe using AngularJS.. Think again!
OWASP London - So you thought you were safe using AngularJS.. Think again!Lewis Ardern
 
Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Jim Manico
 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Jim Manico
 
So you thought you were safe using AngularJS.. Think again!
So you thought you were safe using AngularJS.. Think again!So you thought you were safe using AngularJS.. Think again!
So you thought you were safe using AngularJS.. Think again!Lewis Ardern
 
Secure Web Services
Secure Web ServicesSecure Web Services
Secure Web ServicesRob Daigneau
 
OWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript ApplicationsOWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript ApplicationsLewis Ardern
 
Reviewing AngularJS
Reviewing AngularJSReviewing AngularJS
Reviewing AngularJSLewis Ardern
 
Two scoops of Django - Security Best Practices
Two scoops of Django - Security Best PracticesTwo scoops of Django - Security Best Practices
Two scoops of Django - Security Best PracticesSpin Lai
 
Super simple application security with Apache Shiro
Super simple application security with Apache ShiroSuper simple application security with Apache Shiro
Super simple application security with Apache ShiroMarakana Inc.
 
Open source security
Open source securityOpen source security
Open source securitylrigknat
 
Secureyourrestapi 140530183606-phpapp02
Secureyourrestapi 140530183606-phpapp02Secureyourrestapi 140530183606-phpapp02
Secureyourrestapi 140530183606-phpapp02Subhajit Bhuiya
 
Django Web Application Security
Django Web Application SecurityDjango Web Application Security
Django Web Application Securitylevigross
 
Token Authentication for Java Applications
Token Authentication for Java ApplicationsToken Authentication for Java Applications
Token Authentication for Java ApplicationsStormpath
 
Ten Commandments of Secure Coding
Ten Commandments of Secure CodingTen Commandments of Secure Coding
Ten Commandments of Secure CodingMateusz Olejarka
 
Building an API Security Ecosystem
Building an API Security EcosystemBuilding an API Security Ecosystem
Building an API Security EcosystemPrabath Siriwardena
 
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army FrameworkOAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army FrameworkBrent Shaffer
 
Html5: something wicked this way comes - HackPra
Html5: something wicked this way comes - HackPraHtml5: something wicked this way comes - HackPra
Html5: something wicked this way comes - HackPraKrzysztof Kotowicz
 
SEC303 Top 10 AWS Identity and Access Management Best Practices - AWS re:Inve...
SEC303 Top 10 AWS Identity and Access Management Best Practices - AWS re:Inve...SEC303 Top 10 AWS Identity and Access Management Best Practices - AWS re:Inve...
SEC303 Top 10 AWS Identity and Access Management Best Practices - AWS re:Inve...Amazon Web Services
 

What's hot (20)

OWASP London - So you thought you were safe using AngularJS.. Think again!
OWASP London - So you thought you were safe using AngularJS.. Think again!OWASP London - So you thought you were safe using AngularJS.. Think again!
OWASP London - So you thought you were safe using AngularJS.. Think again!
 
Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5
 
Securing REST APIs
Securing REST APIsSecuring REST APIs
Securing REST APIs
 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2
 
So you thought you were safe using AngularJS.. Think again!
So you thought you were safe using AngularJS.. Think again!So you thought you were safe using AngularJS.. Think again!
So you thought you were safe using AngularJS.. Think again!
 
Secure Web Services
Secure Web ServicesSecure Web Services
Secure Web Services
 
OWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript ApplicationsOWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript Applications
 
Reviewing AngularJS
Reviewing AngularJSReviewing AngularJS
Reviewing AngularJS
 
Two scoops of Django - Security Best Practices
Two scoops of Django - Security Best PracticesTwo scoops of Django - Security Best Practices
Two scoops of Django - Security Best Practices
 
Super simple application security with Apache Shiro
Super simple application security with Apache ShiroSuper simple application security with Apache Shiro
Super simple application security with Apache Shiro
 
Open source security
Open source securityOpen source security
Open source security
 
Secureyourrestapi 140530183606-phpapp02
Secureyourrestapi 140530183606-phpapp02Secureyourrestapi 140530183606-phpapp02
Secureyourrestapi 140530183606-phpapp02
 
Django Web Application Security
Django Web Application SecurityDjango Web Application Security
Django Web Application Security
 
Token Authentication for Java Applications
Token Authentication for Java ApplicationsToken Authentication for Java Applications
Token Authentication for Java Applications
 
Ten Commandments of Secure Coding
Ten Commandments of Secure CodingTen Commandments of Secure Coding
Ten Commandments of Secure Coding
 
Web Security 101
Web Security 101Web Security 101
Web Security 101
 
Building an API Security Ecosystem
Building an API Security EcosystemBuilding an API Security Ecosystem
Building an API Security Ecosystem
 
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army FrameworkOAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
 
Html5: something wicked this way comes - HackPra
Html5: something wicked this way comes - HackPraHtml5: something wicked this way comes - HackPra
Html5: something wicked this way comes - HackPra
 
SEC303 Top 10 AWS Identity and Access Management Best Practices - AWS re:Inve...
SEC303 Top 10 AWS Identity and Access Management Best Practices - AWS re:Inve...SEC303 Top 10 AWS Identity and Access Management Best Practices - AWS re:Inve...
SEC303 Top 10 AWS Identity and Access Management Best Practices - AWS re:Inve...
 

Similar to DefCamp 2013 - Http header analysis

Securing your web application through HTTP headers
Securing your web application through HTTP headersSecuring your web application through HTTP headers
Securing your web application through HTTP headersAndre N. Klingsheim
 
Rails security: above and beyond the defaults
Rails security: above and beyond the defaultsRails security: above and beyond the defaults
Rails security: above and beyond the defaultsMatias Korhonen
 
Csp and http headers
Csp and http headersCsp and http headers
Csp and http headersdevObjective
 
Rails and Content Security Policies
Rails and Content Security PoliciesRails and Content Security Policies
Rails and Content Security PoliciesMatias Korhonen
 
Web security for app developers
Web security for app developersWeb security for app developers
Web security for app developersPablo Gazmuri
 
CollabSphere SC 103 : Domino on the Web : Yes, It's (Probably) Hackable
CollabSphere SC 103 : Domino on the Web : Yes, It's (Probably) HackableCollabSphere SC 103 : Domino on the Web : Yes, It's (Probably) Hackable
CollabSphere SC 103 : Domino on the Web : Yes, It's (Probably) HackableDarren Duke
 
Drupal Security Intro
Drupal Security IntroDrupal Security Intro
Drupal Security IntroCash Williams
 
Rest API Security
Rest API SecurityRest API Security
Rest API SecurityStormpath
 
透過Amazon CloudFront 和AWS WAF來執行安全的內容傳輸
透過Amazon CloudFront 和AWS WAF來執行安全的內容傳輸透過Amazon CloudFront 和AWS WAF來執行安全的內容傳輸
透過Amazon CloudFront 和AWS WAF來執行安全的內容傳輸Amazon Web Services
 
Ten Commandments of Secure Coding - OWASP Top Ten Proactive Controls
Ten Commandments of Secure Coding - OWASP Top Ten Proactive ControlsTen Commandments of Secure Coding - OWASP Top Ten Proactive Controls
Ten Commandments of Secure Coding - OWASP Top Ten Proactive ControlsSecuRing
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFBrian Huff
 
Browser Security 101
Browser Security 101 Browser Security 101
Browser Security 101 Stormpath
 
Securing Web Applications with Token Authentication
Securing Web Applications with Token AuthenticationSecuring Web Applications with Token Authentication
Securing Web Applications with Token AuthenticationStormpath
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
Build your own analytics power tools
Build your own analytics power toolsBuild your own analytics power tools
Build your own analytics power toolsAlban Gérôme
 
Web Application Security - DevFest + GDay George Town 2016
Web Application Security - DevFest + GDay George Town 2016Web Application Security - DevFest + GDay George Town 2016
Web Application Security - DevFest + GDay George Town 2016Gareth Davies
 

Similar to DefCamp 2013 - Http header analysis (20)

Securing your web application through HTTP headers
Securing your web application through HTTP headersSecuring your web application through HTTP headers
Securing your web application through HTTP headers
 
Rails security: above and beyond the defaults
Rails security: above and beyond the defaultsRails security: above and beyond the defaults
Rails security: above and beyond the defaults
 
Csp and http headers
Csp and http headersCsp and http headers
Csp and http headers
 
Csp and http headers
Csp and http headersCsp and http headers
Csp and http headers
 
Rails and Content Security Policies
Rails and Content Security PoliciesRails and Content Security Policies
Rails and Content Security Policies
 
Spa Secure Coding Guide
Spa Secure Coding GuideSpa Secure Coding Guide
Spa Secure Coding Guide
 
Web security for app developers
Web security for app developersWeb security for app developers
Web security for app developers
 
Flashack
FlashackFlashack
Flashack
 
CollabSphere SC 103 : Domino on the Web : Yes, It's (Probably) Hackable
CollabSphere SC 103 : Domino on the Web : Yes, It's (Probably) HackableCollabSphere SC 103 : Domino on the Web : Yes, It's (Probably) Hackable
CollabSphere SC 103 : Domino on the Web : Yes, It's (Probably) Hackable
 
Drupal Security Intro
Drupal Security IntroDrupal Security Intro
Drupal Security Intro
 
Rest API Security
Rest API SecurityRest API Security
Rest API Security
 
透過Amazon CloudFront 和AWS WAF來執行安全的內容傳輸
透過Amazon CloudFront 和AWS WAF來執行安全的內容傳輸透過Amazon CloudFront 和AWS WAF來執行安全的內容傳輸
透過Amazon CloudFront 和AWS WAF來執行安全的內容傳輸
 
Ten Commandments of Secure Coding - OWASP Top Ten Proactive Controls
Ten Commandments of Secure Coding - OWASP Top Ten Proactive ControlsTen Commandments of Secure Coding - OWASP Top Ten Proactive Controls
Ten Commandments of Secure Coding - OWASP Top Ten Proactive Controls
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
 
Browser Security 101
Browser Security 101 Browser Security 101
Browser Security 101
 
NullMQ @ PDX
NullMQ @ PDXNullMQ @ PDX
NullMQ @ PDX
 
Securing Web Applications with Token Authentication
Securing Web Applications with Token AuthenticationSecuring Web Applications with Token Authentication
Securing Web Applications with Token Authentication
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
 
Build your own analytics power tools
Build your own analytics power toolsBuild your own analytics power tools
Build your own analytics power tools
 
Web Application Security - DevFest + GDay George Town 2016
Web Application Security - DevFest + GDay George Town 2016Web Application Security - DevFest + GDay George Town 2016
Web Application Security - DevFest + GDay George Town 2016
 

More from DefCamp

Remote Yacht Hacking
Remote Yacht HackingRemote Yacht Hacking
Remote Yacht HackingDefCamp
 
Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!DefCamp
 
The Charter of Trust
The Charter of TrustThe Charter of Trust
The Charter of TrustDefCamp
 
Internet Balkanization: Why Are We Raising Borders Online?
Internet Balkanization: Why Are We Raising Borders Online?Internet Balkanization: Why Are We Raising Borders Online?
Internet Balkanization: Why Are We Raising Borders Online?DefCamp
 
Bridging the gap between CyberSecurity R&D and UX
Bridging the gap between CyberSecurity R&D and UXBridging the gap between CyberSecurity R&D and UX
Bridging the gap between CyberSecurity R&D and UXDefCamp
 
Secure and privacy-preserving data transmission and processing using homomorp...
Secure and privacy-preserving data transmission and processing using homomorp...Secure and privacy-preserving data transmission and processing using homomorp...
Secure and privacy-preserving data transmission and processing using homomorp...DefCamp
 
Drupalgeddon 2 – Yet Another Weapon for the Attacker
Drupalgeddon 2 – Yet Another Weapon for the AttackerDrupalgeddon 2 – Yet Another Weapon for the Attacker
Drupalgeddon 2 – Yet Another Weapon for the AttackerDefCamp
 
Economical Denial of Sustainability in the Cloud (EDOS)
Economical Denial of Sustainability in the Cloud (EDOS)Economical Denial of Sustainability in the Cloud (EDOS)
Economical Denial of Sustainability in the Cloud (EDOS)DefCamp
 
Trust, but verify – Bypassing MFA
Trust, but verify – Bypassing MFATrust, but verify – Bypassing MFA
Trust, but verify – Bypassing MFADefCamp
 
Threat Hunting: From Platitudes to Practical Application
Threat Hunting: From Platitudes to Practical ApplicationThreat Hunting: From Platitudes to Practical Application
Threat Hunting: From Platitudes to Practical ApplicationDefCamp
 
Building application security with 0 money down
Building application security with 0 money downBuilding application security with 0 money down
Building application security with 0 money downDefCamp
 
Implementation of information security techniques on modern android based Kio...
Implementation of information security techniques on modern android based Kio...Implementation of information security techniques on modern android based Kio...
Implementation of information security techniques on modern android based Kio...DefCamp
 
Lattice based Merkle for post-quantum epoch
Lattice based Merkle for post-quantum epochLattice based Merkle for post-quantum epoch
Lattice based Merkle for post-quantum epochDefCamp
 
The challenge of building a secure and safe digital environment in healthcare
The challenge of building a secure and safe digital environment in healthcareThe challenge of building a secure and safe digital environment in healthcare
The challenge of building a secure and safe digital environment in healthcareDefCamp
 
Timing attacks against web applications: Are they still practical?
Timing attacks against web applications: Are they still practical?Timing attacks against web applications: Are they still practical?
Timing attacks against web applications: Are they still practical?DefCamp
 
Tor .onions: The Good, The Rotten and The Misconfigured
Tor .onions: The Good, The Rotten and The Misconfigured Tor .onions: The Good, The Rotten and The Misconfigured
Tor .onions: The Good, The Rotten and The Misconfigured DefCamp
 
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...DefCamp
 
We will charge you. How to [b]reach vendor’s network using EV charging station.
We will charge you. How to [b]reach vendor’s network using EV charging station.We will charge you. How to [b]reach vendor’s network using EV charging station.
We will charge you. How to [b]reach vendor’s network using EV charging station.DefCamp
 
Connect & Inspire Cyber Security
Connect & Inspire Cyber SecurityConnect & Inspire Cyber Security
Connect & Inspire Cyber SecurityDefCamp
 
The lions and the watering hole
The lions and the watering holeThe lions and the watering hole
The lions and the watering holeDefCamp
 

More from DefCamp (20)

Remote Yacht Hacking
Remote Yacht HackingRemote Yacht Hacking
Remote Yacht Hacking
 
Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!
 
The Charter of Trust
The Charter of TrustThe Charter of Trust
The Charter of Trust
 
Internet Balkanization: Why Are We Raising Borders Online?
Internet Balkanization: Why Are We Raising Borders Online?Internet Balkanization: Why Are We Raising Borders Online?
Internet Balkanization: Why Are We Raising Borders Online?
 
Bridging the gap between CyberSecurity R&D and UX
Bridging the gap between CyberSecurity R&D and UXBridging the gap between CyberSecurity R&D and UX
Bridging the gap between CyberSecurity R&D and UX
 
Secure and privacy-preserving data transmission and processing using homomorp...
Secure and privacy-preserving data transmission and processing using homomorp...Secure and privacy-preserving data transmission and processing using homomorp...
Secure and privacy-preserving data transmission and processing using homomorp...
 
Drupalgeddon 2 – Yet Another Weapon for the Attacker
Drupalgeddon 2 – Yet Another Weapon for the AttackerDrupalgeddon 2 – Yet Another Weapon for the Attacker
Drupalgeddon 2 – Yet Another Weapon for the Attacker
 
Economical Denial of Sustainability in the Cloud (EDOS)
Economical Denial of Sustainability in the Cloud (EDOS)Economical Denial of Sustainability in the Cloud (EDOS)
Economical Denial of Sustainability in the Cloud (EDOS)
 
Trust, but verify – Bypassing MFA
Trust, but verify – Bypassing MFATrust, but verify – Bypassing MFA
Trust, but verify – Bypassing MFA
 
Threat Hunting: From Platitudes to Practical Application
Threat Hunting: From Platitudes to Practical ApplicationThreat Hunting: From Platitudes to Practical Application
Threat Hunting: From Platitudes to Practical Application
 
Building application security with 0 money down
Building application security with 0 money downBuilding application security with 0 money down
Building application security with 0 money down
 
Implementation of information security techniques on modern android based Kio...
Implementation of information security techniques on modern android based Kio...Implementation of information security techniques on modern android based Kio...
Implementation of information security techniques on modern android based Kio...
 
Lattice based Merkle for post-quantum epoch
Lattice based Merkle for post-quantum epochLattice based Merkle for post-quantum epoch
Lattice based Merkle for post-quantum epoch
 
The challenge of building a secure and safe digital environment in healthcare
The challenge of building a secure and safe digital environment in healthcareThe challenge of building a secure and safe digital environment in healthcare
The challenge of building a secure and safe digital environment in healthcare
 
Timing attacks against web applications: Are they still practical?
Timing attacks against web applications: Are they still practical?Timing attacks against web applications: Are they still practical?
Timing attacks against web applications: Are they still practical?
 
Tor .onions: The Good, The Rotten and The Misconfigured
Tor .onions: The Good, The Rotten and The Misconfigured Tor .onions: The Good, The Rotten and The Misconfigured
Tor .onions: The Good, The Rotten and The Misconfigured
 
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
 
We will charge you. How to [b]reach vendor’s network using EV charging station.
We will charge you. How to [b]reach vendor’s network using EV charging station.We will charge you. How to [b]reach vendor’s network using EV charging station.
We will charge you. How to [b]reach vendor’s network using EV charging station.
 
Connect & Inspire Cyber Security
Connect & Inspire Cyber SecurityConnect & Inspire Cyber Security
Connect & Inspire Cyber Security
 
The lions and the watering hole
The lions and the watering holeThe lions and the watering hole
The lions and the watering hole
 

Recently uploaded

What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????blackmambaettijean
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 

Recently uploaded (20)

What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 

DefCamp 2013 - Http header analysis

  • 2. Agenda • Why are headers important to us?
  • 3. Agenda • Why are headers important to us? • What Checks are in AppSec Scanners?
  • 4. Agenda • Why are headers important to us? • What Checks are in AppSec Scanners? • Review of Header Attributes
  • 5. Agenda • Why are headers important to us? • What Checks are in AppSec Scanners? • Review of Header Attributes • Demo of gethead.py
  • 6. Why are headers important to us?
  • 7. Why are headers important to us? Input&Parameter&Coverage&in&Web&Applica6on& Scanners& Non$Coverage$Rate$of$Input$Vectors$ 60" 50" GET$ 40" No"Coverage" 30" Coverage" 20" 10" 0" GET" POST" HTTP"Cookie" HTTP"Header" Reference: Data compiled from InfoSec Institute 2012 study It’s the least protected area... POST$ HTTP$Cookie$ HTTP$Header$
  • 8. Opportunity POST /.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/boot.ini&url=httphacker.com HTTP/1.0 Referer: domain.com/external.xml Accept: */* User-Agent: Mozilla/5.0 Gecko/20110614 Firefox/3.6.18 Host: domain.com Connection: Keep-Alive Cookie: oAuth[access_token]=%31%33%33%37%22%3e%3c%73%43%72%49%70%54%3e%61%6c %65%72%74%28%68 %74%74%70%68%61%63%6b%65%72%29%3c%2f %73%43%72%49%70%54%3e;PHPSESSID=k04mk749i6cur91k; ! <!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd"> ]><REQUEST><FROM>null</ FROM><METHOD>SEND</METHOD><MESSAGE type=”MSG”><HEAD><ID>612117752013</ ID><FROM>null</FROM><DESTINATION>UserManagerService&xxe;</ DESTINATION><ACTION>logout</ACTION><EVENT>null</EVENT></HEAD><BODY /></ MESSAGE></REQUEST> ! username:http&password=hacker
  • 9. What Checks are in AppSec Scanners?
  • 10. What Checks are in AppSec Scanners?
  • 11. What is missing in AppSec Scanners?
  • 12. Let’s review some of these headers...
  • 14. Content Security Policy (CSP) • Lets you specify a policy for where content in your webpages can be loaded from
  • 15. Content Security Policy (CSP) • Lets you specify a policy for where content in your webpages can be loaded from • Lets you put restrictions on script execution
  • 16. Content Security Policy (CSP) • Lets you specify a policy for where content in your webpages can be loaded from • • Lets you put restrictions on script execution Headers • Content-Security-Policy - Chrome 25 (Firefox nightlies) • • X-Content-Security-Policy - Firefox 4+ X-WebKit-CSP - WebKit browsers (Chrome/Safari)
  • 17. CSP Directives • • • • • • • • • • default-src - Specifies the default for other sources script-src style-src object-src - plugins img-src media-src - video/audio frame-src font-src connect-src report-uri - Specifies where CSP violations can be reported
  • 18. CSP Sources (for the directives) • ‘none’ - No content of this type is allowed (All directives)
  • 19. CSP Sources (for the directives) • ‘none’ - No content of this type is allowed (All directives) • ‘self’ - Content of this type can only be loaded from the same origin (no content from other sites) (All directives)
  • 20. CSP Sources (for the directives) • ‘none’ - No content of this type is allowed (All directives) • ‘self’ - Content of this type can only be loaded from the same origin (no content from other sites) (All directives) • ‘unsafe-inline’ - Allows unsafe inline content • Supported by style-src (inline css) and script-src (inline script)
  • 21. CSP Sources (for the directives) • ‘none’ - No content of this type is allowed (All directives) • ‘self’ - Content of this type can only be loaded from the same origin (no content from other sites) (All directives) • ‘unsafe-inline’ - Allows unsafe inline content • • Supported by style-src (inline css) and script-src (inline script) ‘unsafe-eval’ - Allow script functions considered unsafe (such as eval()) • Supported by script-src
  • 22. CSP Sources (for the directives) • And you can specify custom sources: • • * - Allow content from anywhere • *.domain.com - Wildcard host, allow content from any domain.com sub-domain • • www.domain.com:81 - You can specify a port number https: - Scheme only, load only content served over https https://www.domain.com - You can specify an absolute URI for a host (path has no effect though)
  • 23. And then it all comes together • Content-Security-Policy: default-src ‘self’; script-src ‘self’ scripts.domain.com • • • This policy sets a default source of ‘self’ for all directives • • Scripts can also be loaded from scripts.domain.com script-src defines its own sources, replacing the default In effect, scripts, stylesheets, images, flash animations, Java applets, etc., can only be loaded from the same origin as the page This policy denies inline scripts and CSS!
  • 24. The “special” sources • ‘unsafe-inline’ can allow inline scripts (script-src) and styles (style-src) • ‘unsafe-eval’ allows certain JavaScript functions considered high risk (eval()) • Use these special sources with care
  • 25. CSP Reporting • You can specify a “report-uri” in the CSP header
  • 26. CSP Reporting • • You can specify a “report-uri” in the CSP header Must be a relative URI
  • 27. CSP Reporting • • • You can specify a “report-uri” in the CSP header Must be a relative URI Will post violation reports as JSON back to the web application
  • 28. CSP Reporting • • • You can specify a “report-uri” in the CSP header • Content-Security-Policy-Report-Only Must be a relative URI Will post violation reports as JSON back to the web application • Will not block scripts or resources violating the policy • Will report them to the web application
  • 30. XSS Protection • X-XSS-Protection: 1; mode=block • Enables XSS Filter built into most recent web browsers • Role is to re-enable for a particular website if it was disabled by the user
  • 31. XSS summarized • • • Make sure you validate your inputs Make sure you encode everything you output • • • Input to the web application Data from backend system EVERYTHING! Use CSP and XSS-Protection as an extra level of defense, it’s not the cure!
  • 33. Click-jacking • A malicious site loads the vulnerable site in an iframe
  • 34. Click-jacking • A malicious site loads the vulnerable site in an iframe • The iframe is invisible and positioned in front of something the user is likely to click on
  • 35. Click-jacking • A malicious site loads the vulnerable site in an iframe • The iframe is invisible and positioned in front of something the user is likely to click on • The user clicks on what appears to be an element on the malicious site • The user really clicks in the iframe, triggering some operation on the vulnerable site
  • 36. X-Frame-Options • • X-Frame-Options: Deny | SameOrigin Instructs the browser to not display the page in a frame • When the page isn’t displayed, there’s nothing to click on! • Browser support: Opera 10.5+, Chrome 4.1+, IE 8+, Firefox 3.6.9+, Safari 4+ • Remember: The request is still sent to - and processed by - the web server!
  • 38. HTTP Strict Transport Security (HTTPS stripping)
  • 39. HTTPS stripping explained • “Secure” websites use SSL/TLS to preserve the confidentiality and integrity of the communication with a browser
  • 40. HTTPS stripping explained • “Secure” websites use SSL/TLS to preserve the confidentiality and integrity of the communication with a browser • For usability, “secure” websites are still accessible through insecure channels (HTTP on port 80) • • They’ll redirect the user to HTTPS • The very first request is insecure, and open to attack! User enters www.onlinebank.com - and is redirected to https://www.onlinebank.com
  • 41. HTTPS stripping explained • SSL stripping is a MiTM attack • Attacker keeps the victim on HTTP, but passes requests on over HTTPS to the target website • Practical attack demoed at BlackHat in 2009 (sslstrip)
  • 42. HTTPS stripping scenario An attacker sitting in the middle of a HTTPS session
  • 43. HTTPS stripping scenario An attacker sitting in the middle of a HTTPS session An attacker performing a HTTPS stripping attack
  • 44. HTTP Strict Transport Security • Strict-Transport-Security: max-age=31536000; includeSubDomains • Max-age specifies for how many seconds the policy should be in effect • includeSubDomains - optional • Instructs the browser to only communicate to that hostname over SSL/TLS • Fails hard on certificate errors • The user does not have the option to click through certificate warnings • Browser support: Chrome 4+, Firefox 4+, Opera 12
  • 46. Session hijacking explained • Means getting access to a user’s privileged session > steal session tokens
  • 47. Session hijacking explained • Means getting access to a user’s privileged session > steal session tokens • Session tokens mean cookies
  • 48. Session hijacking explained • Means getting access to a user’s privileged session > steal session tokens • • Session tokens mean cookies Protect the cookies!
  • 49. Session hijacking explained • Means getting access to a user’s privileged session > steal session tokens • • • Session tokens mean cookies Protect the cookies! Cookies can be marked with the ‘httpOnly’ flag > makes them inaccessible to JS, they won’t be included in requests from applets
  • 50. Session hijacking explained • Means getting access to a user’s privileged session > steal session tokens • • • Session tokens mean cookies • Cookies can be marked with the “secure” flag > instructs the browser to only send them with HTTPS requests Protect the cookies! Cookies can be marked with the ‘httpOnly’ flag > makes them inaccessible to JS, they won’t be included in requests from applets
  • 52. IE MIME Sniffing • HTTP responses include a header stating what type of content is included
  • 53. IE MIME Sniffing • HTTP responses include a header stating what type of content is included • To compensate for misconfigured servers and bad programming, IE introduced MIME sniffing back in the days (IE4)
  • 54. IE MIME Sniffing • HTTP responses include a header stating what type of content is included • To compensate for misconfigured servers and bad programming, IE introduced MIME sniffing back in the days (IE4) • They introduced the “X-Content-Type-Options: nosniff” header in IE9 to disable the behavior
  • 55. IE MIME Sniffing • HTTP responses include a header stating what type of content is included • To compensate for misconfigured servers and bad programming, IE introduced MIME sniffing back in the days (IE4) • They introduced the “X-Content-Type-Options: nosniff” header in IE9 to disable the behavior • Always serve your content with the correct content type, and the “X-Content-Type-Options” header
  • 56. In Summary...we need more header detection and protection!
  • 58. gethead Current Features • Written in Python 2.7.5 • Performs HTTP Header Analysis • Reports Header Vulnerabilities • Open Source
  • 59. gethead December Features • • • • • Support for git updates • Export with multi-format options (XML, HTML, TXT) Support for Python 3.x Complete Header Analysis Rank Vulnerabilities by Severity Export Findings with Description, Impact, Execution, Fix, and References
  • 60. gethead February Features • Replay & Inline Upstream Proxy Support to import into WebInspect • • • • Scan domains, sub-domains, and multi-services Header Injection & Fuzzing functionality HTTP Header Policy Bypassing Modularize and port to more platforms (e.g. gMinor, Kali, Burp Extension, Metasploit, Chrome)
  • 61.