
Protecting Java EE Web Apps with Secure HTTP Headers

Published in: Technology


  1. Protecting Java EE Web Apps with Secure HTTP Headers
     JavaOne 2012
  2. About
     • Frank Kim
       – Consultant, ThinkSec
       – Author, SANS Secure Coding in Java
       – SANS Application Security Curriculum Lead
     • Shout out
       – Thanks to Jason Lam who co-authored these slides
  3. JavaOne Rock Star
  4. Outline
     • XSS
     • Session Hijacking
     • Clickjacking
     • Wrap Up
  5. Cross-Site Scripting (XSS)
     • Occurs when unvalidated data is rendered in the browser
     • Types of XSS
       – Reflected
       – Stored
       – Document Object Model (DOM) based
  6. XSS Demo
  7. HttpOnly Flag
     • Ensures that the cookie cannot be accessed via client side scripts (e.g. JavaScript)
       – Set by default for the JSESSIONID in Tomcat 7
     • Configure in web.xml as of Servlet 3.0
         <session-config>
           <cookie-config>
             <http-only>true</http-only>
           </cookie-config>
         </session-config>
     • Programmatically
         String cookie = "mycookie=test; Secure; HttpOnly";
         response.addHeader("Set-Cookie", cookie);
  8. X-XSS-Protection
     • Blocks common reflected XSS
       – Enabled by default in IE, Safari, Chrome
       – Not supported by Firefox
         • Bug 528661 open to address
     • X-XSS-Protection: 1
       – Browser modifies the response to block XSS
     • X-XSS-Protection: 0
       – Disables the XSS filter
     • X-XSS-Protection: 1; mode=block
       – Prevents rendering of the page entirely
  9. Java Code
     • X-XSS-Protection: 1
         response.addHeader("X-XSS-Protection", "1");
     • X-XSS-Protection: 0
         response.addHeader("X-XSS-Protection", "0");
     • X-XSS-Protection: 1; mode=block
         response.addHeader("X-XSS-Protection", "1; mode=block");
  10. X-XSS-Protection Demo
  11. Content Security Policy
     • Helps mitigate reflected XSS
       – Originally developed by Mozilla
       – Currently a W3C draft
         • https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html
     • Supported browsers
       – Firefox and IE 10 using the X-Content-Security-Policy header
       – Chrome and Safari using the X-WebKit-CSP header
  12. CSP Requirements
     • No inline scripts
       – Can't put code in <script> blocks
       – Can't do inline event handlers like <a onclick="javascript">
     • No inline styles
       – Can't write styles inline
  13. CSP Directives
     • default-src
     • script-src
     • object-src
     • style-src
     • img-src
     • media-src
     • frame-src
     • font-src
     • connect-src
  14. CSP Examples
     1) Only load resources from the same origin
         X-Content-Security-Policy: default-src self
     2) Example from mikewest.org
         x-content-security-policy: default-src none; style-src https://mikewestdotorg.hasacdn.net; frame-src https://www.youtube.com http://www.slideshare.net; script-src https://mikewestdotorg.hasacdn.net https://ssl.google-analytics.com; img-src self https://mikewestdotorg.hasacdn.net https://ssl.google-analytics.com data:; font-src https://mikewestdotorg.hasacdn.net
  15. Report Only
     • Facebook Example
         x-content-security-policy-report-only: allow *; script-src https://*.facebook.com http://*.facebook.com https://*.fbcdn.net http://*.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:*; options inline-script eval-script; report-uri https://www.facebook.com/csp.php
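As an added example that is not part of the slides, this is how a Java EE app could roll out a policy the way the Facebook example does: send it in report-only mode under both vendor-prefixed header names the talk lists, and collect the violation reports browsers POST to the report-uri so the site can be cleaned of inline scripts and styles before enforcement is switched on. The policy string, the /csp-report path, the size cap and the class names are assumptions; the W3C draft syntax quotes the 'self' keyword, where slide 14 shows the older unquoted Mozilla form.

```java
import java.io.IOException;
import java.io.Reader;
import java.util.logging.Logger;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;

/** Sends the policy in report-only mode so nothing is blocked yet (Servlet 3.0 annotations). */
@WebFilter("/*")
public class CspReportOnlyFilter implements Filter {
    // Assumed policy: same-origin only, with violations reported to the servlet below.
    static final String POLICY = "default-src 'self'; report-uri /csp-report";

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse http = (HttpServletResponse) res;
        // Firefox / IE 10 read the Mozilla-prefixed name, Chrome / Safari the WebKit one;
        // setHeader (not addHeader) keeps a forwarded request from emitting the header twice.
        http.setHeader("X-Content-Security-Policy-Report-Only", POLICY);
        http.setHeader("X-WebKit-CSP-Report-Only", POLICY);
        chain.doFilter(req, res);
    }
    public void init(FilterConfig cfg) {}
    public void destroy() {}
}

/** Receives the JSON violation reports the browser POSTs to report-uri and logs them. */
@WebServlet("/csp-report")
class CspReportServlet extends HttpServlet {
    private static final Logger LOG = Logger.getLogger(CspReportServlet.class.getName());
    private static final int MAX_REPORT_CHARS = 4096;   // assumed cap against log flooding

    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        StringBuilder body = new StringBuilder();
        Reader in = req.getReader();
        char[] buf = new char[1024];
        int n;
        // Read at most MAX_REPORT_CHARS; anything a client sends beyond that is dropped.
        while (body.length() < MAX_REPORT_CHARS && (n = in.read(buf)) != -1) {
            body.append(buf, 0, n);
        }
        // Reports are client-supplied input: log them for review, never render them back as HTML.
        LOG.warning("CSP violation report from " + req.getRemoteAddr() + ": " + body);
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

Once the log stops showing violations for legitimate resources, the same policy string can be moved to the enforcing X-Content-Security-Policy and X-WebKit-CSP headers.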
  16. Content Security Policy Demo
  17. Outline
     • XSS
     • Session Hijacking
     • Clickjacking
     • Wrap Up
  18. Session Hijacking
     (Diagram: Victim, "Public WiFi" Network, Internet, mybank.com, Attacker)
     1) Victim goes to mybank.com via HTTP
  19. Session Hijacking
     2) Attacker sniffs the public wifi network and steals the JSESSIONID
  20. Session Hijacking
     3) Attacker uses the stolen JSESSIONID to access the victim's session
  21. Secure Flag
     • Ensures that the cookie is only sent via SSL
     • Configure in web.xml as of Servlet 3.0
         <session-config>
           <cookie-config>
             <secure>true</secure>
           </cookie-config>
         </session-config>
     • Programmatically
         Cookie cookie = new Cookie("mycookie", "test");
         cookie.setSecure(true);
  22. Strict-Transport-Security
     • Tells the browser to only talk to the server via HTTPS
       – The first time your site is accessed via HTTPS and the header is used, the browser stores the certificate info
       – Subsequent requests to HTTP automatically use HTTPS
     • Supported browsers
       – Implemented in Firefox and Chrome
       – Currently an IETF draft
         Strict-Transport-Security: max-age=seconds [; includeSubdomains]
  23. Outline
     • XSS
     • Session Hijacking
     • Clickjacking
     • Wrap Up
  24. Clickjacking
     • Tricks the user into clicking a hidden button
       – User has no idea the button was clicked
     • Works by concealing the target site
       – Victim site placed in an invisible iframe
       – Attacker site overlays the victim site
     Image source: http://seclab.stanford.edu/websec/framebusting/framebust.pdf
  25. Clickjacking Demo
  26. Clickjacking Code
     • Put the victim in an invisible iframe
         <iframe id="attacker" width=1000 height=400 src="http://victim"
                 style="opacity:0.0; position:absolute;left:10;bottom:100"></iframe>
  27. Adobe Flash Example
     • Clickjacking discovered by Jeremiah Grossman & Robert "RSnake" Hansen
     • Showed how to use Flash to spy on users
       – Use Clickjacking to trick users into enabling the mic and camera via Flash
  28. Facebook Example
     • The "best passport application rejection in history" became popular on Facebook
  29. Facebook Like Code
         <div style="overflow:hidden; width:10px; height:12px;filter:alpha(opacity=0); -moz-opacity:0.0; -khtml-opacity:0.0; opacity:0.0; position:absolute;" id="icontainer">
           <iframe src="http://www.facebook.com/plugins/like.php?href=http://credittreport.info/the-best-passport-application-rejection-in-history.html&amp;layout=standard&amp;show_faces=false&amp;width=450&amp;action=like&amp;font=tahoma&amp;colorscheme=light&amp;height=80"
                   scrolling="no" frameborder="0" style="border:none;overflow:hidden;width:50px; height:23px;" allowTransparency="true" id="likee" name="likee"></iframe>
         </div>
     Source: https://isc.sans.edu/diary.html?storyid=8893
  33. Like Button Demo
  34. Like Button Code
         var like = document.createElement('iframe');
         ...
         function mouseMove(e) {
           if (IE) {
             tempX = event.clientX + document.body.scrollLeft;
             tempY = event.clientY + document.body.scrollTop;
           } else {
             tempX = e.pageX;
             tempY = e.pageY;
           }
           if (tempX < 0) tempX = 0;
           if (tempY < 0) tempY = 0;
           like.style.top = (tempY - 8) + 'px';    // Like button moves
           like.style.left = (tempX - 25) + 'px';  // with cursor
           return true;
         }
     Source: http://erickerr.com/like-clickjacking
  35. Why Likejacking?
     • Send victims to evil sites with malware
     • Trick users into signing up for unwanted subscription services
     • Drive traffic to sites to increase ad revenue
     • Adscend Media
       – Alleged to have made up to $1.2 million per month via Clickjacking
       – Facebook and Washington State filed lawsuits against them in January 2012
  36. How to Fix?
     • Use X-Frame-Options
       – HTTP response header supported by all recent browsers
     • Three options
       – DENY
         • Prevents any site from framing the page
       – SAMEORIGIN
         • Allows framing only from the same origin
       – ALLOW-FROM origin
         • Allows framing only from the specified origin
         • Only supported by IE (based on my testing)
         • Firefox Bug 690168 - "This was an unintentional oversight"
  37. Java Code
     • DENY
         response.addHeader("X-Frame-Options", "DENY");
     • SAMEORIGIN
         response.addHeader("X-Frame-Options", "SAMEORIGIN");
     • ALLOW-FROM
         String value = "ALLOW-FROM http://www.trustedsite.com:8080";
         response.addHeader("X-Frame-Options", value);
  38. X-Frame-Options Demo
  39. Using X-Frame-Options
     • You might not want to use it for the entire site
       – Prevents legitimate framing of your site (e.g. Google Image Search)
     • For sensitive transactions
       – Use SAMEORIGIN
       – And test thoroughly
     • If the page should never be framed
       – Then use DENY
  40. Frame Busting Code
     • What about older browsers that don't support X-Frame-Options?
     • JavaScript code like this is commonly used
         if (top != self) top.location = self.location;
     • Not foolproof
       – Various techniques can be used to bypass frame busting code
  41. Some Anti-Frame Busting Techniques
     • IE <iframe security=restricted>
       – Disables JavaScript within the iframe
     • onBeforeUnload - 204 Flushing
       – Repeatedly send a 204 (No Content) response so the onBeforeUnload handler gets canceled
     • Browser XSS Filters
       – Chrome XSSAuditor filter cancels inline scripts if they are also found as a parameter
         <iframe src="http://www.victim.com/?v=if(top+!%3D+self)+%7B+top.location%3Dself.location%3B+%7D">
  42. Outline
     • XSS
     • Session Hijacking
     • Clickjacking
     • Wrap Up
  43. Summary
     • Use the following HTTP response headers
       ✓ Set-Cookie HttpOnly
       ✓ X-XSS-Protection: 1; mode=block
       ✓ Set-Cookie Secure
       ✓ Strict-Transport-Security
       ✓ X-Frame-Options: SAMEORIGIN
     • Plan to use the following
       ✓ Content Security Policy
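Putting the summary's checklist into one place, as an added example that is not from the slides: a Servlet 3.0 filter that sets the three recommended response headers on every response and, for the session hijacking scenario of slides 18 to 20, redirects plain-HTTP GETs to HTTPS so the browser's first secure visit records the Strict-Transport-Security policy (browsers ignore that header when it arrives over HTTP, so it is only sent on secure responses). The HttpOnly and Secure cookie flags stay in web.xml as shown on slides 7 and 21. The max-age value, the default HTTPS port, the filter mapping and the class name are assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Sets the response headers from the summary slide on every response. */
@WebFilter("/*")
public class SecureHeadersFilter implements Filter {
    // Assumed: one year, covering subdomains as in slide 22's optional directive.
    static final String HSTS = "max-age=31536000; includeSubdomains";

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // isSecure() is only meaningful if a TLS-terminating proxy is configured to pass
        // the scheme through to the container (e.g. via the connector's proxy settings).
        if (!request.isSecure() && "GET".equals(request.getMethod())) {
            // Plain-HTTP GET: send the browser to HTTPS (assumed on the default port)
            // instead of serving the page, so the cookie is never exposed on the wire.
            String query = request.getQueryString();
            response.sendRedirect("https://" + request.getServerName()
                    + request.getRequestURI() + (query == null ? "" : "?" + query));
            return;
        }
        applyHeaders(request, response);
        chain.doFilter(req, res);
    }

    /** Split out so the header logic can be unit-tested with mock request/response objects. */
    static void applyHeaders(HttpServletRequest request, HttpServletResponse response) {
        // setHeader rather than addHeader: a second pass over the same response (for
        // example on an error dispatch) must not produce duplicate header values.
        response.setHeader("X-XSS-Protection", "1; mode=block");
        response.setHeader("X-Frame-Options", "SAMEORIGIN");
        if (request.isSecure()) {
            // HSTS is honoured only when received over HTTPS; sending it on HTTP is useless.
            response.setHeader("Strict-Transport-Security", HSTS);
        }
    }

    public void init(FilterConfig cfg) {}
    public void destroy() {}
}
```

Pages that must never be framed (slide 39) can still override X-Frame-Options with DENY in their own servlet after this filter has run, since setHeader replaces the value.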
  45. Frank Kim
     frank@thinksec.com
     @thinksec
     @sansappsec
  46. References
     • Content Security Policy
       – https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html
     • Busting Frame Busting: A Study of Clickjacking Vulnerabilities on Popular Sites
       – http://seclab.stanford.edu/websec/framebusting/framebust.pdf
     • Like Clickjacking
       – http://erickerr.com/like-clickjacking
     • Clickjacking Attacks on Facebook's Like Plugin
       – https://isc.sans.edu/diary.html?storyid=8893
     • Lessons from Facebook's Security Bug Bounty Program
       – https://nealpoole.com/blog/2011/08/lessons-from-facebooks-security-bug-bounty-program/
     • Google+ Gets a "+1" for Browser Security
       – http://www.barracudalabs.com/wordpress/index.php/2011/07/21/google-gets-a-1-for-browser-security-3/
