The State of Declarative Security in HTTP Response Headers - Bank Study


Published in Computer Fraud & Security, July 2011

The banking industry is grappling with the problem of malware infections in
clients. The exploitation of web vulnerabilities in a bank’s website can expose
online monetary transactions to fraud. Vulnerabilities such as Cross-Site
Scripting (XSS), clickjacking, MIME sniffing and Cross-Site Request Forgery
(CSRF) allow information in one session to be stolen from another. However,
browser security can play a critical role in preventing successful exploitation.

The state of HTTP declarative security in online banking websites

Aditya Sood and Richard Enbody, Michigan State University

To this end, new and flexible protection features have been introduced in the form of declarative security in HTTP response headers. These protection mechanisms are based on the concept of providing explicit security parameters that can be used to compel browsers to perform specific security functions. Declarative security obliges a developer to specially configure the application that sends HTTP response headers so that, on receiving them, browsers trigger security protections. These declarative security parameters can also be specified in the web server configuration file. The result is that declarative security can be considered a portable and flexible defence. No protection method is foolproof, but for implementing generic protection, HTTP declarative response headers yield promising results. In addition, this concept is gaining traction as it has been adopted by Microsoft and Mozilla in order to strengthen the security of their browsers.

Declarative HTTP response headers are not a part of the HTTP 1.0/1.1 specification. However, they are compatible with HTTP and work efficiently. The initial HTTP declarative response headers are X-XSS-Protection, X-Frame-Options, X-Content-Type-Options, X-Download-Options and X-Content-Security-Policy. Strict-Transport-Security can also be considered in this category, but it has a different naming convention. Declarative security in HTTP response headers has been introduced to make browsers more proactive and intelligent in dealing with the manipulative content that results from the exploitation of web vulnerabilities.

This research is based on an analysis of the traffic flow of major bank websites in order to understand how declarative security is being deployed in online banking. Banking websites were selected from a list of the world's top 40-plus safest banks of 2010 as provided by Global Finance.1 The ranking is based on the long-term credit and the total assets of the banks; basically, it determines the solvency and the relative credit-worthiness of the bank. We start with the assumption that the efficacy of security practices is directly proportional to the bank's assets. Banks with greater assets tend to have more rigorous security mechanisms in order to provide a safe and trusted environment for transactions. The aim of this study is to gauge the deployment of declarative security in the real world, and in banking in particular. Since declarative security is relatively new, one would not expect widespread adoption. This study reflects the current state of security in online banking with respect to declarative security.

Declarative security and threat model

The HTTP header protections target specific attack vectors. These types of protection are a set of opt-in security mechanisms addressing a specific threat landscape. These attacks include clickjacking, MIME sniffing, manipulating file downloads, CSRF and XSS variants that have proven to be difficult to handle in real time. Each technique includes an HTTP header that has to be declared by the developer on the web server as well as the security actions that the browser triggers on the client side. Once a specific HTTP header is detected, the browser is supposed to execute the required security mechanisms. Of course, this protection strategy fails if the HTTP headers are not defined. As a result, control lies in the ability and expertise of the developers and administrators to use these protection headers as a part of their applications. Let us take a look at specific headers and how they work.

X-Frame-Options

The X-Frame-Options HTTP response header is used to control the framing of a web page by a third-party website or a malicious domain.2,3 Generally, clickjacking and auto-framing techniques are used to conduct stealth attacks by concealing part of the user interface in the browser.4,5,6 The framing of a website plays a critical role in a successful clickjacking attack in conjunction with CSRF attacks.7 Users believe that they are clicking on a legitimate link, but are actually clicking on a hidden link. This HTTP response header can prevent the malicious framing of a legitimate website. The DENY parameter compels browsers to prevent rendering of the website in a frame (irrespective of the parent frame), whereas the SAMEORIGIN parameter allows the framing of web pages on the same domain but restricts the framing of a website from third-party parent frames. The header also requires secure frame communication to preserve integrity.8 In a real-time environment, it is not feasible to apply this option for a full domain because it can deny frames that load legitimate websites. However, it is good practice to implement X-Frame-Options in application code to apply an extra layer of security in the critical web pages. A website might use frame-busting or frame-killing code such as:

    <script type="text/javascript">
    if (top != self) top.location.replace(location);
    </script>

…or…

    <script>
    if (top.location != location) top.location = self.location;
    </script>

X-XSS-Protection

The X-XSS-Protection HTTP response header has been implemented by Microsoft to sanitise reflective XSS attacks.9,10 Once a browser such as Internet Explorer receives this header it enables the XSS filter, which explicitly prevents the rendering of the injected content. Further, another HTTP response header has been released by Mozilla, named X-Content-Security-Policy, that works in a similar fashion to avoid rendering of malicious content in the Mozilla browser.11 These HTTP declarative security headers are used to lower the risk of XSS attacks. However, some problems have been witnessed in the X-XSS-Protection header.12

X-Content-Type-Options

An attacker can inject code based on the content type set by the server. Browsers follow the content-type parameter in order to render the content of the page correctly. They have to ensure that content is rendered according to the data type set by the server, and should not sniff out any other content type that is not specified by the server. Hence, the browser has to avoid sniffing MIME content that is not appropriate. Basically, the X-Content-Type-Options header can be used to prevent malicious rendering of content inside files by only allowing the parameter specified in the content-type HTTP response header.13,14

Figure 1: Applied declarative security as HTTP response headers in the world's top 43 popular banks.
X-Download-Options

As we know, browsers such as Internet Explorer provide an inbuilt functionality to open files directly on the domain when a download dialogue box is initiated. The X-Download-Options parameter is provided by Microsoft in order to combat attacks that occur from the direct opening of files in the domain.15 This HTTP response header forces IE to modify the download dialog box in the user interface, removing the Open button (by specifying a noopen value in the header). This prevents the user from opening malicious files that might run content directly on the domain.

Figure 2: An iframe injected into a vulnerable bank website.

Strict-Transport-Security

Strict-Transport-Security is a declarative header that is used by websites to force browsers to send all types of data over HTTPS.15,16 A number of websites use both HTTP and HTTPS interfaces to set sessions. This is considered a risk because an attacker can inject malicious traffic to trick browsers into disclosing cookies; if this parameter is deployed, all the communication processes are placed under HTTPS. This should not be confused with the 'secure' cookie parameter, which is only defined for exchanging cookies over HTTPS, whereas Strict-Transport-Security applies to the overall communication. In general, X-Frame-Options and X-XSS-Protection have been used collaboratively to reduce the intensity of attacks. However, other response headers are used in specific applications and web servers.

Figure 3: XSS exploited in a bank's website in spite of the Internet Explorer XSS filter.

Testing

The motivation behind this experiment was to test the acceptability of new protection features in an industry most susceptible to exploitation on the web. During the course of the experiment, it is possible to judge how well the top banks are deploying this HTTP declarative security. In general, a robust security solution is comprised of a collaborative implementation of client and server security. HTTP declarative security provides an efficient way to give some control over browsers in order to avoid a number of attacks. The objective of this testing is to check whether the critical web pages (configuration pages and web pages with authentication) in the banks' websites are implementing declarative security.

Methodology

In order to perform analytical tests, a list of the top banks of 2010, as defined by Global Finance, was selected. The banks were chosen from around the world based on their financial ratings. This choice was made as the security of those banks that attract the top ratings is critical for safe monetary transactions; the largest banks tend to be the preferred choice of attackers. The testing involved Perl-based HTTP response enumeration scripts which sent a crafted HTTP request to the web server and detected the required HTTP declarative security response headers. In addition to this, the tests used the Firefox add-on HttpFox, which is an HTTP traffic analyser for scrutinising the state of different HTTP headers.17 Other standard traffic monitoring tools such as Wireshark and Netmon by Microsoft were used for packet dissection analysis. The tests were conducted in Internet Explorer, Firefox and Google Chrome.

The outcome of this experiment is entirely based on the detection of different HTTP declarative security response headers. The research also covered all the sub-domains that are a subset of the main bank domains. The tests did not take into consideration different types of attacks such as HTTP response splitting, which alters the state of HTTP response headers. Something close to 7,786 web pages were analysed, including supporting resources that are present in the different bank domains. Overall, the experiment was conducted on close to 200 bank websites, although this article only covers the results of the top banks.

Results

Some interesting results arose during the course of this study. At the time of running these tests, not a single bank website out of the top 50 banks was using declarative security in HTTP response headers. It seems that the declarative security model has not been accepted by the online banking industry. Figure 1 shows the results of this experiment. The NH parameter indicates that no server header was received in the response. Some of the banks did not send a 'server:' header in the responses and one of them used explicit names. The CDC, BBVA, OCBC and DB banks did not disclose the 'server:' header in HTTP responses. Barclays bank alternatively changed the server header with 'Red', 'Blue', 'Green' and 'Black' values on consecutive requests.

Figure 4: XSS exploited in a bank's website in spite of Google Chrome XSS Auditor.

During the research, a number of vulnerabilities were spotted in this set of banks. These were reported to the administrators of the banks' websites. For completeness, the research included some tests to show that attacks are indeed possible. Figure 2 shows an iframe injection attack in one bank website that does not use X-Frame-Options. Since most browsers implement protection mechanisms based on declarative security, almost all browsers were tested in order to execute XSS. Apart from this, a lot of XSS injections were evident in the banks' websites.

Figure 5: XSS – content-rendering scripting attack.
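The Methodology and Results sections above describe Perl-based scripts that request each bank page, record which declarative headers came back, and mark a missing Server header as NH. The following Python is an added example, not the authors' script: it parses constructed raw HTTP responses, classifies each header the article covers, and also checks whether the Server header stays constant across consecutive responses, as the rotating Barclays banner would not. The values treated as protective (DENY, SAMEORIGIN, 1 or 1; mode=block, nosniff, noopen, an HSTS max-age above zero) are my assumptions.

```python
"""Declarative-header audit modelled on the article's enumeration scripts.
Added example, not the authors' code; input responses are constructed inline."""
import re

# Headers the article covers and the values assumed to enable protection.
# None means any value counts as present (HSTS is checked separately below).
DECLARATIVE = {
    "X-Frame-Options": ("deny", "sameorigin"),
    "X-XSS-Protection": ("1", "1; mode=block"),
    "X-Content-Type-Options": ("nosniff",),
    "X-Download-Options": ("noopen",),
    "Strict-Transport-Security": None,
    "X-Content-Security-Policy": None,
}

def parse_response(raw):
    """Split raw HTTP response text into (status line, {lower-name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:  # a repeated header keeps its last value, which is enough here
            headers[name.strip().lower()] = value.strip()
    return status, headers

def audit(raw):
    """Classify each declarative header as present, weak or absent; the
    'Server' entry holds the server banner, or 'NH' when none was received."""
    _, headers = parse_response(raw)
    report = {}
    for name, good in DECLARATIVE.items():
        value = headers.get(name.lower())
        if value is None:
            report[name] = "absent"
        elif name == "Strict-Transport-Security":
            m = re.search(r"max-age\s*=\s*(\d+)", value, re.I)
            report[name] = "present" if m and int(m.group(1)) > 0 else "weak"
        elif good is None or value.lower() in good:
            report[name] = "present"
        else:
            report[name] = "weak"
    report["Server"] = headers.get("server", "NH")
    return report

def server_header_is_stable(raw_responses):
    """True when consecutive responses carry one consistent Server value
    (the article notes a bank rotating 'Red', 'Blue', 'Green', 'Black')."""
    return len({parse_response(r)[1].get("server", "NH") for r in raw_responses}) == 1

# Constructed responses: a page with no declarative headers and no Server
# header (the article's NH case), and the same page with the headers set.
BARE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Set-Cookie: SESSION=constructed; Path=/; Secure\r\n"
    "\r\n<html>login form</html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Download-Options: noopen\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "\r\n<html>login form</html>"
)

if __name__ == "__main__":
    for label, raw in (("bare", BARE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit(raw))
    rotating = [HARDENED_RESPONSE.replace("Server: Apache", f"Server: {c}")
                for c in ("Red", "Blue", "Green", "Black")]
    print("server header stable:", server_header_is_stable(rotating))
```

Against live sites the same `audit` would be fed the raw text of each response; the Set-Cookie 'Secure' flag in the bare response is deliberately left unchecked, since the article separates it from Strict-Transport-Security.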
Most of the reflective XSS attacks were rendered successfully by browsers having XSS filters. Figure 3 shows a successful XSS attack in Internet Explorer conducted in one of the vulnerable bank websites. Figure 4 shows the successful XSS bypass in Google Chrome version 10.0.648.127. The examples discussed in this section show the ineffectiveness of client-side XSS filters in a number of browsers. However, continuous research and development is resulting in more secure client-side XSS filtering. For generic XSS vulnerabilities, these filters provide appropriate protections by default, as well as offering some security together with declarative security in HTTP response headers.

XSS attacks are versatile in nature. Even with the presence of filters, it is often easy to bypass them. However, in certain cases the declarative security headers used to control XSS fail. In addition to this, it is also notable that it was possible to manipulate the content-type of the required [...] to conduct the attack. In this attack, it was possible to render a malicious PDF in one of the vulnerable bank domains, which executed the script. On testing, it was found that the domain was not configured to send X-Content-Type-Options. Figure 5 shows a successful content-type manipulation attack by exploiting the RFI vulnerability in one of the bank websites. This experiment shows the state of declarative security in bank websites.

Conclusion

This was a survey of the deployment of HTTP declarative security in the world's top banks. After analysing domains and sub-domains, it was found that, at the time of conducting these tests, not a single bank website showed the use of declarative security in the HTTP response headers. Hence, the results show that exploitation of security flaws can be reduced to some extent using declarative security because it forces the browser to enforce protection. Declarative security in HTTP response headers can be considered an additional defence, even if proprietary web security solutions are deployed, because it triggers the security element in browsers. The online banking industry should implement these protections as opt-in security to thwart generic targeted attacks.

About the authors

Aditya K Sood is a security researcher, consultant and PhD candidate at Michigan State University. He has worked in the security domain for Armorize, COSEINC and KPMG and founded SecNiche Security. He has been an active speaker at conferences such as RSA, Toorcon, Hacker Halted, TRISC, EuSecwest, XCON, OWASP AppSec and CERT-IN and has written content for HITB Ezine, ISSA, ISACA, Elsevier, Hakin9 and Usenix Login.

Dr Richard Enbody is an Associate Professor in the Department of Computer Science and Engineering, Michigan State University. He joined the faculty in 1987 after earning his PhD in Computer Science from the University of Minnesota. His research interests are in computer security, computer architecture, web-based distance education and parallel processing. He has two patents pending on hardware buffer-overflow protection, which will prevent most computer worms and viruses. He recently co-authored a CS1 Python book, The Practice of Computing using Python.

References

1. 'World's 50 Safest Banks 2010'. Global Finance, 2 Sep 2010. Accessed June 2011. <http://www.[...]worlds-50-safest-banks-2010.html>.
2. Lam, Jason. 'Adoption of x-frame-options header'. SANS AppSec Blog, 15 Oct 2009. Accessed June 2011. <[...]fighter/2009/10/15/adoption-of-x-frame-options-header/>.
3. 'Preventing Framebusting and Clickjacking'. Coderrr, 13 Feb 2009. Accessed 2011. <http://coderrr.word[...]frame-busting-and-click-jacking-ui-redressing>.
4. Hansen, R; Grossman, J. 'Clickjacking'. Ha.ckers, 15 Sep 2009. Accessed June 2011. <http://[...]jacking>.
5. Stone, Paul. 'Next Generation Clickjacking Attacks'. BlackHat Conference, 14 Apr 2010. Accessed June 2011. <https://media.blackhat.com/bh-eu-10/presentations/Stone/BlackHat-EU-2010-Stone-Next-Generation-Clickjacking-slides.pdf>.
6. Balduzzi, M; Egele, M; Kirda, E; Balzarotti, D; Kruegel, C. 'A solution for the automated detection of clickjacking attacks'. In ASIACCS'10, 2010.
7. Barth, A; Jackson, C; Mitchell, JC. 'Robust defenses for cross-site request forgery'. In proceedings of the 15th ACM Conference on Computer and Communications Security (CCS 2008), 2008.
8. Barth, A; Jackson, C; [...]. 'Securing frame communication in browsers'. Communications of the ACM (CACM 2009), 2009.
9. 'Event 1046 – Cross-Site Scripting Filter'. MSDN. <http://msdn.[...]dd565647%28v=vs.85%29.aspx>.
10. 'IE8 Security Part IV: The XSS Filter'. IEBlog, 2 Jul 2008. Accessed June 2011. <http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx>.
11. 'Secure Content Policy'. Mozilla Developer Network, 21 May 2010. Accessed June 2011. <https://wiki.[...]>.
12. Coates, Michael. 'IE8 XSS Filter Bug'. 20 Nov 2009. Accessed June 2011. <http://michael-coates.blogspot.com/2009/11/ie8-xss-filter-bug.html>.
13. 'HOWTO protect against malicious images and other non-HTML content'. Google Code. Restricted access. <[...]ArticleContentSniffing>.
14. 'IE8 Security Part VI: Beta 2 Update'. IEBlog, 3 Sep 2008. Accessed June 2011. <[...]archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx>.
15. Jackson, C; Barth, A. 'ForceHTTPS: Protecting High-Security Web Sites from Network Attacks'. In proceedings of the 17th International World Wide Web Conference (WWW 2008).
16. 'Strict Transport Security'. W3C Open Specification, 18 Dec 2009. Accessed June 2011. <http://lists.[...]archive/2009Dec/att-0048/draft-hodges-strict-transport-sec-06.plain.html>.
17. HttpFox browser add-on. Mozilla. Accessed June 2011. <https://addons.[...]fox/>.

Resources

• 'IE8 Security Part V: Comprehensive Protection'. IEBlog, 2 Jul 2008. Accessed June 2011. <[...]archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx>.


Security in the value chain

Simon Walker, Quantainia

Stephen Bonner, Barclay's Bank's CISO, recently likened technology controls to the railings around a balcony – they allow you to get closer to the edge without falling off. Indeed, risk analysis of information assets is not wholly unlike buying and selling houses. It is a complex process, there are lots of hoops to jump through, and there are a number of pitfalls.

One of the most common errors is to base actions on superficially attractive but practically inadequate information – for example, overestimating the value of the property you're trying to sell, or underestimating how painful a big mortgage might become. Skimping on research will almost certainly result in pain later on. You might be tempted to base decisions on a convenient pipedream – 'my small house is worth at least £1m. Buyers will be queuing up. Never mind the leaking roof. Or the illegal extension. And I won't spend money on a lick of paint, or the railings on the balcony.' But this fantasy will rarely survive contact with reality.

So it is with the risk assessment of information assets. Just like property deals, the security assessor is likely to be part of a chain. A common pitfall is for senior leadership to skip over security risk assessment activity because the results are difficult to interpret, or merely politically inconvenient. A classic example here is penetration testing. Effective security risk assessment, on the other hand, makes sense on a number of levels: it helps ensure that products and services deliver on their promised value; it prevents nasty, expensive surprises; and it is the basis for sound decision-making. Perhaps most importantly, it may be what stops your chief executive having to make embarrassing public statements about subjects he doesn't really understand.

The PlayStation Network

The recent high-profile hacking of the Sony PlayStation Network (PSN) has provided some invaluable lessons for us all. The PSN service has a clear customer proposition. Its prime attractions rest in the open architecture and ready supply of downloadable games to purchase. Ease of access to services tends to mean quick authentication and seamless payment, which also means that user details, including card details, are stored somewhere easily accessible. Where you have such data stored, you have a cluster of information assets and hence you have something worth stealing. Also, if you're releasing a product for the young and technology-literate that needs to be globally accessible, you're mapping quite neatly onto the demographic that is often keenest to attempt breaking technology. Neither of these are particularly abstruse facts, so what can have gone wrong?

Sony's value chain

Initial suggestions from Sony that the incident was orchestrated by 'hacktivist' group Anonymous have since been dismissed by the group itself. Anonymous was quick to issue a denial of this accusation. This seems to have been an attempt by Sony to excuse the incident and is in any case an irrelevance: the root causes of the incident were endemic, not a result of the actions of external influences.

The 'value chain' is a model that describes the activities of a firm within a specific industry, and consists of both primary and support activities. In Sony's case the former would include research, development, manufacture, marketing and sales, and after-sales service. Support activities would traditionally include organisational infrastructure elements – the internal IT, HR and other functions that span the primary productive ones. Each element has costs, and adds (or subtracts) value from the end result.