
Getting Browsers to Improve the Security of Your Webapp


Most web developers have some knowledge of input sanitization and encryption, but what happens when you forget an edge case or when users are connected to a rogue access point?

Through the use of technologies like strict transport security, content security policy, sub-resource integrity, and the referrer policy, web developers can instruct browsers to add a second layer of defenses against the most common attacks.



  1. François Marier @fmarier Getting Browsers to Improve the Security of Your Webapp
  2. external resources, user content, cookies, encryption
  3. external resources
  4. Subresource integrity: mechanism for preventing tampering of static assets
  5. https://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js
  6. what would happen if that server were compromised?
  7. Bad Things™: steal sessions, leak confidential data, redirect to phishing sites, enlist DDoS zombies
  8. simple solution
  9. instead of this: <script src="https://ajax.googleapis.com...">
  10. do this: <script src="https://ajax.googleapis.com..." integrity="sha256-1z4uG/+cVbhShP..." crossorigin="anonymous">
  11. guarantee: script won't change or it'll be blocked
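An added example (not from the deck) of how the integrity value on slide 10 is produced at build time and how the browser-side check works: it generates the `<algorithm>-<base64 digest>` value for an asset and re-implements the SRI acceptance rule, including the "strongest algorithm wins" behaviour when several hashes are listed. The asset bytes and the CDN URL are constructed stand-ins.

```python
import base64
import hashlib

# Digest algorithms SRI accepts, weakest first; a browser uses the strongest one listed.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def make_integrity(data: bytes, algorithm: str = "sha384") -> str:
    """Build the integrity attribute value ('<algorithm>-<base64 digest>') for an asset."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, data).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def check_integrity(data: bytes, integrity: str) -> bool:
    """Decide whether a browser would execute the fetched bytes.

    Follows the SRI rule: only hashes using the strongest listed algorithm count,
    and any one of them may match. Unknown algorithms are ignored; if nothing
    usable remains the check passes, as if no integrity attribute were set.
    """
    candidates = {}
    for token in integrity.split():
        algorithm, sep, expected = token.partition("-")
        expected = expected.split("?", 1)[0]  # trailing '?options' are allowed and ignored
        if sep and algorithm in SRI_ALGORITHMS:
            candidates.setdefault(algorithm, set()).add(expected)
    if not candidates:
        return True
    strongest = max(candidates, key=SRI_ALGORITHMS.index)
    actual = base64.b64encode(hashlib.new(strongest, data).digest()).decode("ascii")
    return actual in candidates[strongest]


if __name__ == "__main__":
    # Constructed stand-in for jquery.min.js; a real deployment hashes the CDN file bytes.
    asset = b"window.jQuery = function () { return 'constructed sample'; };\n"
    attr = make_integrity(asset)
    print(f'<script src="https://cdn.example/jquery.min.js" integrity="{attr}" crossorigin="anonymous">')
    print(check_integrity(asset, attr), check_integrity(asset + b"// tampered", attr))
```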
  12. rel="noopener": mechanism for disabling the window.opener object
  13. My Account ● Change my address ● Change my billing card ● Reset my password ● Delete my account ● Watch some cute kittens!
  14. My Account ● Change my address ● Change my billing card ● Reset my password ● Delete my account ● Watch some cute kittens! kittens!!!!!!!!
  15. <a href="..." target="_blank">
  16. window.opener.location
  18. window.opener.location = 'http://stealmypasswd.org';
  19. My Account ● Change my address ● Change my billing card ● Reset my password ● Delete my account ● Watch some cute kittens! kittens!!!!!!!!
  20. Session Expired Username: Password: Log back in! kittens!!!!!!!!
  21. Session Expired Username: Password: Log back in! esnowden **********
  22. My Account ● Change my address ● Change my billing card ● Reset my password ● Delete my account ● Watch some cute kittens!
  23. solutions
  24. <a href="..." target="_blank">
  25. <a href="..." target="_blank" rel="noopener">
  26. window.opener == null
  27. Referrer Policy: mechanism for trimming the Referer header
  28. http://example.com/search?q=serious+medical+condition Click here for the cheapest insurance around! Bla bla bla, bla bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla. [...]
  29. Referrer-Policy: no-referrer <meta name="referrer" content="origin"> <a href="http://example.com" referrer="origin">
  30. Referrer-Policy: no-referrer <meta name="referrer" content="no-referrer"> <a href="http://example.com" referrer="origin">
  31. Referrer-Policy: no-referrer <meta name="referrer" content="no-referrer"> <a href="http://example.com" referrerPolicy="no-referrer">
  32. no-referrer, no-referrer-when-downgrade, same-origin, strict-origin, strict-origin-when-cross-origin
  35. no-referrer, no-referrer-when-downgrade, same-origin, strict-origin-when-cross-origin
  36. no-referrer, no-referrer-when-downgrade, same-origin, strict-origin-when-cross-origin https://developer.mozilla.org/docs/Web/HTTP/Headers/Referrer-Policy
  37. user content
  38. Sandboxed iframes: mechanism for restricting embedded documents
  39. <iframe src="resume.html">
  40. window.parent
  41. seriousapp.com / seriousappusercontent.com
  42. <iframe src="resume.html" sandbox="">
  43. scripts, popups, forms
  44. scripts, popups, forms https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#attr-sandbox
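An added example (not from the deck) serving both the noopener slides (12 to 26) and the sandboxed-iframe slides (38 to 44): a small HTML audit, built on the standard library's `html.parser`, that flags `target="_blank"` links still exposing `window.opener` and iframes embedded without a `sandbox` attribute. The sample markup is constructed.

```python
from html.parser import HTMLParser
from typing import List


class EmbedAudit(HTMLParser):
    """Collects links that open a new window without rel=noopener and iframes without sandbox."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[str] = []

    def handle_starttag(self, tag, attrs):
        a = {name.lower(): (value or "") for name, value in attrs}
        if tag == "a" and a.get("target", "").lower() == "_blank":
            # rel is a space-separated token list; 'noopener noreferrer' is fine too
            if "noopener" not in a.get("rel", "").lower().split():
                self.findings.append(f"<a href={a.get('href')!r}> opens a new tab with window.opener intact")
        elif tag == "iframe" and "sandbox" not in a:
            self.findings.append(f"<iframe src={a.get('src')!r}> is not sandboxed")


def audit_html(markup: str) -> List[str]:
    parser = EmbedAudit()
    parser.feed(markup)
    parser.close()
    return parser.findings


# Constructed page mixing the deck's two cases with their fixed forms.
SAMPLE = """
<a href="https://kittens.example/" target="_blank">Watch some cute kittens!</a>
<a href="https://kittens.example/" target="_blank" rel="noopener">Watch some cute kittens!</a>
<iframe src="resume.html"></iframe>
<iframe src="https://seriousappusercontent.com/resume.html" sandbox=""></iframe>
"""

if __name__ == "__main__":
    for finding in audit_html(SAMPLE):
        print(finding)
```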
  45. X-Content-Type-Options: mechanism for disabling content type sniffing
  46. PDF
  47. Review Papers ● Witty-Title.pdf ● Serious-Sounding-Topic.pdf ● Series-of-buzzwords.pdf ● Celebrity-Paper.pdf ● Half-Ass-Paper.pdf
  48. %PDF-1.5 <html> <body> <script> ... </script> </body> </html>
  50. <form action="review.cgi"> <input type="hidden" name="paper-id" value="42"> <input type="hidden" name="score" value="100"> </form>
  51. X-Content-Type-Options: nosniff
  52. Content Security Policy aka CSP: mechanism for preventing XSS
  53. telling the browser the content that is allowed to load
  54. Hi y'all<script> alert('p0wned'); </script>! Tweet! What's on your mind?
  55. without CSP
  56. Hi y'all! John Doe - just moments ago p0wned Ok
  57. with CSP
  58. Hi y'all! John Doe - just moments ago
  59. Content-Security-Policy: script-src 'self' https://cdn.example.com
  60. script-src object-src style-src img-src media-src font-src connect-src ...
  61. script-src object-src style-src img-src media-src font-src connect-src ... https://developer.mozilla.org/docs/Web/HTTP/CSP
  62. cookies
  63. 1234
  64. Set-Cookie: sessionid=1234
  65. 1234
  67. document.cookie
  68. Cookie options: mechanism for restricting the scope of cookies
  69. Set-Cookie: sessionid=1234; httponly
  70. document.cookie == null
  71. Set-Cookie: sessionid=1234; secure
  72. 1234
  73. good, but not great
  74. 1234
  75. Set-Cookie: sessionid=1234
  76. 1234
  77. 666
  79. Cookie prefixes: mechanism for enforcing cookie restrictions
  80. Set-Cookie: __Secure-sessionid=1234; secure
  81. __Secure-sessionid=666
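An added example (not from the deck) replaying slides 69 to 81 as a browser cookie jar: the `Secure` and `HttpOnly` attributes, the plaintext overwrite that makes a Secure cookie "good, but not great", and the `__Secure-` prefix rule that rejects the attacker's `__Secure-sessionid=666`. The `__Host-` prefix goes beyond the deck and is included for completeness. The cookie values are the deck's; the jar is constructed.

```python
from typing import Dict


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split 'sessionid=1234; secure; httponly' into name/value plus lower-cased attributes."""
    first, *attrs = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for attr in attrs:
        key, _, val = attr.partition("=")
        if key.strip():
            cookie[key.strip().lower()] = val.strip()
    return cookie


def browser_accepts(header: str, over_https: bool) -> bool:
    """Rules a browser applies before storing a Set-Cookie it received."""
    c = parse_set_cookie(header)
    if "secure" in c and not over_https:
        return False  # a Secure cookie cannot be set from a plaintext response
    if c["name"].startswith("__Secure-") and "secure" not in c:
        return False  # the prefix is only honoured together with the Secure attribute
    if c["name"].startswith("__Host-"):  # beyond the deck: also pins Path=/ and forbids Domain
        return "secure" in c and "domain" not in c and c.get("path") == "/"
    return True


def apply_set_cookie(jar: Dict[str, str], header: str, over_https: bool) -> bool:
    """Store the cookie in the jar if accepted; returns whether it was stored.

    The plaintext overwrite of a Secure cookie (slides 75 to 78) is the behaviour of
    older browsers; current ones also refuse it, but it is kept here to match the deck.
    """
    if not browser_accepts(header, over_https):
        return False
    c = parse_set_cookie(header)
    jar[c["name"]] = c["value"]
    return True


def script_can_read(header: str) -> bool:
    """document.cookie never exposes a cookie set with HttpOnly."""
    return "httponly" not in parse_set_cookie(header)


if __name__ == "__main__":
    jar: Dict[str, str] = {}
    apply_set_cookie(jar, "sessionid=1234; secure", over_https=True)         # site over HTTPS
    apply_set_cookie(jar, "sessionid=666", over_https=False)                 # rogue AP over HTTP: overwrite lands
    apply_set_cookie(jar, "__Secure-sessionid=1234; secure", over_https=True)
    apply_set_cookie(jar, "__Secure-sessionid=666", over_https=False)        # rejected by the prefix rule
    print(jar)
```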
  82. encryption
  83. HTTPS: mechanism for securing information in transit
  84. if you're not using it, now is the time to start :)
  85. HTTPS is not enough: you need to do it properly
  86. RC4
  87. SHA-1, RC4
  88. SHA-1, 1024-bit certificates, RC4
  89. SHA-1, 1024-bit certificates, RC4, weak DH parameters
  90. https://mozilla.github.io/server-side-tls/ssl-config-generator/
  91. https://www.ssllabs.com/ssltest/
  92. Strict Transport Security aka HSTS: mechanism for preventing HTTPS to HTTP downgrades
  93. telling the browser that your site should never be reached over HTTP
  94. no HSTS, no sslstrip: GET bank.com → 301 → GET https://bank.com → 200
  95. no HSTS, with sslstrip: GET bank.com → 200
  96. what does HSTS look like?
  97. Strict-Transport-Security: max-age=31536000
  98. with HSTS, with sslstrip: GET https://bank.com → 200
  99. no HTTP traffic for sslstrip to tamper with
  100. https://hstspreload.org/
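An added example (not from the deck) modelling the browser side of slides 94 to 99: a known-HSTS-hosts cache that only trusts the header when it arrives over HTTPS, honours `max-age` expiry and `max-age=0`, and rewrites `http://` navigations to `https://` before any request leaves the browser, which is why sslstrip has nothing to tamper with once the header has been seen. `includeSubDomains` goes beyond the deck's header. The host name `bank.com` is the deck's; the clock is injectable for testing.

```python
import time
from typing import Callable, Dict, Optional
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header: str) -> Optional[Dict[str, int]]:
    """Parse 'max-age=31536000; includeSubDomains'; None means the browser ignores the header."""
    directives = {}
    for part in header.split(";"):
        key, _, value = part.strip().partition("=")
        directives[key.strip().lower()] = value.strip().strip('"')
    if not directives.get("max-age", "").isdigit():
        return None
    return {"max_age": int(directives["max-age"]), "subdomains": int("includesubdomains" in directives)}


class HstsCache:
    """The browser's list of known-HSTS hosts; entries carry an expiry and a subdomain flag."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self.now = now
        self.hosts: Dict[str, Dict[str, float]] = {}

    def observe(self, response_url: str, header: str) -> None:
        """Record an STS header, but only from an HTTPS response: over HTTP it is ignored."""
        parts, policy = urlsplit(response_url), parse_hsts(header)
        if parts.scheme != "https" or policy is None or not parts.hostname:
            return
        if policy["max_age"] == 0:
            self.hosts.pop(parts.hostname, None)  # max-age=0 tells the browser to forget the host
            return
        self.hosts[parts.hostname] = {"expires": self.now() + policy["max_age"],
                                     "subdomains": policy["subdomains"]}

    def rewrite(self, url: str) -> str:
        """Upgrade an http:// URL to https:// before any request leaves the browser."""
        parts = urlsplit(url)
        host = parts.hostname or ""
        if parts.scheme != "http" or not host:
            return url
        labels = host.split(".")
        for i in range(len(labels)):  # the host itself, then each parent domain
            entry = self.hosts.get(".".join(labels[i:]))
            if entry and entry["expires"] > self.now() and (i == 0 or entry["subdomains"]):
                return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
        return url
```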
  101. referrer policy, subresource integrity, noopener, cookie prefixes, cookie options, sandboxed iframes, x-content-type-options, content security policy, https, strict transport security
  102. Questions? feedback: francois@mozilla.com @fmarier mozilla.dev.security © 2017 François Marier <francois@mozilla.com> This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.
  103. photo credits: explosion: https://www.flickr.com/photos/-cavin-/2313239884/ kittens: https://www.flickr.com/photos/londonlooks/5693093073 cookie: https://www.flickr.com/photos/amagill/34754258/
