Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

[Wroclaw #4] Web Application Security Headers-2 (HSTS, HPKP)

Marek Puchalski

  • Login to see the comments

  • Be the first to like this

[Wroclaw #4] Web Application Security Headers-2 (HSTS, HPKP)

  1. 1. Web Application Security Headers (Part 2) Marek Puchalski marek.puchalski@capgemini.com marek.puchalski@owasp.org https://marek.puchal.ski
  2. 2. Table of Content • HTTP Headers • Transport Layer Security (TLS/SSL) • HTTP Strict Transport Security • HTTP Public Key Pinning
  3. 3. HTTP HEADERS
  4. 4. HTTP Headers GET http://oasp-ci.cloudapp.net/oasp4j- sample/services/rest/offermanagement/v1/offer HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:37.0) Gecko/20100101 Firefox/37.0 Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5 X-CSRF-TOKEN: fcbfc729-15d2-4f04-8e50-082f20cb2dfb Referer: http://oasp-ci.cloudapp.net/oasp4j- sample/jsclient/ Cookie: JSESSIONID=F340544E6AE9078812ECF61139D03C7B Connection: keep-alive Host: oasp-ci.cloudapp.net HTTP request HTTP/1.1 200 OK Date: Sat, 11 Jul 2015 20:28:36 GMT Server: Apache-Coyote/1.1 Content-Type: application/json;charset=UTF-8 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive [{"id":1,"modificationCounter":1,"revision":null,"name":null," description":"Schnitzel- Menü","number":null,"mealId":1,"drinkId":10,"sideDishId":5," state":"NORMAL","price":"6.99"},{"id":2,"modificationCounte r":1, (…) HTTP response
  5. 5. Facts about HTTP Headers • Headers can be used to steer browsers (and applications) behaviour • You can define your own headers • If the browser does not know or support the header, it will ignore the header • Response headers are client side controls that are implemented on the server side
  6. 6. Security-relevant Headers (after OWASP ASVS v3.0) • V9.4 Level 1: Cache-Control • V10.11 Level 1: HTTP Strict Transport Security (HSTS) • V11.4 Level 2 and V11.7 Level 1: Content Security Policy (CSP) • V11.6 Level 1: X-Content-Type-Options, Content- Disposition • V11.8 Level 1: X-XSS-Protection • V10.10 Level 3: HTTP Public Key Pinning • V11.10 Level 2: X-Frame-Options (deprecated)
  7. 7. TRANSPORT LAYER SECURITY (TLS/SSL)
  8. 8. TLS/SSL • TLS is the S in HTTPS ;) • It gives us following things: – Confidentiality - adversary can't see unencrypted data – Integrity - adversary can't change data undetected – Authentication - to know which server we are connected to
  9. 9. Why TLS? • Because the world is cruel „Any unencrypted traffic, visible to an adversary, is not just an information leak, but an attack vector they can use to exploit your systems.” Nick Weaver • Current state of the art: encrypt everything
  10. 10. Need to know more? • Advanced HTTPS Defense Strategies (Jim Manico) • Youtube: https://www.youtube.com/watch?v=uix4f45VndQ • Presentation: http://www.slideshare.net/proidea_conferences/jim- manico-advanced-https-defense-strategies
  11. 11. HTTP STRICT TRANSPORT SECURITY (HSTS)
  12. 12. Threats addressed by HSTS • Passive network attackers - eavesdropping of unencrypted communication. Even more dangerous when environment allows for non- secure cookies. • Active network attackers - TLS striping or invisible proxy relying on user to accept the flawed certificate. • Web Site Development and Deployment Bugs - page is loading additional resources over an insecure connection (mixed content).
  13. 13. Without HSTS: Mixed content example
  14. 14. Without HSTS: Insecure redirect
  15. 15. With HSTS: Secure redirect
  16. 16. Without HSTS: Insecure choice
  17. 17. With HSTS: Secure… lack of other choices
  18. 18. HSTS Header Strict-Transport-Security : max- age=31536000; includeSubdomains; preload • max-age - how long insecure requests are forbiden (in seconds) • includeSubdomains - should sub domains be also included (optional) • preload - allow HSTS to be hardcoded in the browsers. Solves the "trust on first use" (TOFU) problem. HSTS for a domain can be registered on hstspreload.appspot.com (optional)
  19. 19. What can go wrong? • Want to go back to HTTP? No way... • Your subdomains do not support HTTPS and you turned includeSubdomains on.
  20. 20. HSTS and Security Standards • OWASP ASVS v3.0 V10.11: Verify that HTTP Strict Transport Security headers are included on all requests and for all subdomains, such as Strict-Transport-Security: max- age=15724800; includeSubdomains • OWASP ASVS v3.0 V10.12: Verify that production website URL has been submitted to preloaded list of Strict Transport Security domains maintained by web browser vendors.
  21. 21. How many sites use HSTS? HSTS present HSTS missing Source: https://scotthelme.co.uk/alexa-top-1-million-crawl-aug- 2016/ (August 2016)
  22. 22. Browser support for HSTS HSTS present HSTS missing Source: http://caniuse.com/#feat=stricttransportsecurity
  23. 23. Enforce HSTS (and HPKP) in Chrome chrome://net-internals/#hsts
  24. 24. HTTP PUBLIC KEY PINNING
  25. 25. PKI in a nutshell you RA (CA) Create public/private key Fill some data Create and send CSR Send signed certificate Profit
  26. 26. Question: Which CA should you buy certificates from? • Let’s encrypt – because it’s free, automated and open :) • But honestly, it does not matter. Any CA recognized by your browser can gice you technically the same thing – signed certificate.
  27. 27. Question: What can happen if a CA gets hacked? • One could fabricate certificates for EVERY domain in the internet. (Security of the WHOLE INTERNET is in danger) „If a company can ‚put the entire Internet at risk’ (…) the system is fundamentally flawed.” https://news.ycombinator.com/item?id=9253676
  28. 28. Question: How often did CAs fail in the past? • 2011, Comodo got hacked • 2011, Diginotar got hacked, got used to attack iranian google users, went bankrupt... • 2013, This time: French government... • 2013, Trustwave selling an intermediate CA cert to a private company • 2015, MCS Holdings...
  29. 29. HPKP Header Public-Key-Pins: pin-sha256=<hash1>; pin-sha256=<hash2>; max-age=2592000; report-uri=<uri>; includeSubdomains • pin-sha256 - certificate thumbprint, can be from own certificate or any certificate in the chain or even CSR. • max-age - how long pinned certificate must be served (in seconds). • report-uri - report violations to this uri. Usually not the same uri as the target system. • includeSubdomains - all subdomains must use the same pins.
  30. 30. Generate hashes • For the certificate: openssl rsa -pubout -in pub.key - outform der | openssl dgst -sha256 -binary | base64 • For the CSR: openssl req -noout -in my.csr - pubkey | openssl rsa -pubin - outform der | openssl dgst -sha256 -binary | base64
  31. 31. ☠ DANGER ☠ It is very easy to get HPKP wrong. And if you do it wrong, you will run a DOS against your system. Good practice: • Pin at least your certificate, CSR and a backup CSR. • If you don't ping CSRs, pin at least two certificates (one backup) and don't forget to order and activate new certificates at least max-age before they expire. • NOTE: HPKP has the TOFU (trust on first use) problem
  32. 32. Good News • There is also a Public-Key-Pins- Report-Only header, which has the same syntax as HPKP, but does only reporting. Good for testing purposes.
  33. 33. HPKP and Security Standards • OWASP ASVS v3.0 V10.10: Verify that TLS certificate public key pinning is implemented with production and backup public keys.
  34. 34. How many sites use HPKP? HPKP present HPKP missing Source: https://scotthelme.co.uk/alexa-top-1-million-crawl-aug- 2016/ (August 2016)
  35. 35. Browser support for HPKP Source: http://caniuse.com/#feat=publickeypinning
  36. 36. QUESTIONS? marek.puchalski@capgemini.com marek.puchalski@owasp.org

×