Protecting Java EE Web Apps with Secure HTTP Headers


1. Protecting Java EE Web Apps with Secure HTTP Headers, JavaOne 2012

2. About
   • Frank Kim
     – Consultant, ThinkSec
     – Author, SANS Secure Coding in Java
     – SANS Application Security Curriculum Lead
   • Shout out
     – Thanks to Jason Lam who co-authored these slides

3. JavaOne Rock Star

4. Outline
   • XSS
   • Session Hijacking
   • Clickjacking
   • Wrap Up

5. Cross-Site Scripting (XSS)
   • Occurs when unvalidated data is rendered in the browser
   • Types of XSS
     – Reflected
     – Stored
     – Document Object Model (DOM) based

6. XSS Demo

7. HttpOnly Flag
   • Ensures that the cookie cannot be accessed via client-side scripts (e.g. JavaScript)
     – Set by default for the JSESSIONID in Tomcat 7
   • Configure in web.xml as of Servlet 3.0

       <session-config>
         <cookie-config>
           <http-only>true</http-only>
         </cookie-config>
       </session-config>

   • Programmatically

       String cookie = "mycookie=test; Secure; HttpOnly";
       response.addHeader("Set-Cookie", cookie);

8. X-XSS-Protection
   • Blocks common reflected XSS
     – Enabled by default in IE, Safari, Chrome
     – Not supported by Firefox
       • Bug 528661 open to address
   • X-XSS-Protection: 1
     – Browser modifies the response to block XSS
   • X-XSS-Protection: 0
     – Disables the XSS filter
   • X-XSS-Protection: 1; mode=block
     – Prevents rendering of the page entirely

9. Java Code
   • X-XSS-Protection: 1

       response.addHeader("X-XSS-Protection", "1");

   • X-XSS-Protection: 0

       response.addHeader("X-XSS-Protection", "0");

   • X-XSS-Protection: 1; mode=block

       response.addHeader("X-XSS-Protection", "1; mode=block");

10. X-XSS-Protection Demo

11. Content Security Policy
   • Helps mitigate reflected XSS
     – Originally developed by Mozilla
     – Currently a W3C draft
       • https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html
   • Supported browsers
     – Firefox and IE 10 using the X-Content-Security-Policy header
     – Chrome and Safari using the X-WebKit-CSP header

12. CSP Requirements
   • No inline scripts
     – Can't put code in <script> blocks
     – Can't use inline event handlers like <a onclick="javascript">
   • No inline styles
     – Can't write styles inline

13. CSP Directives
   • default-src
   • script-src
   • object-src
   • style-src
   • img-src
   • media-src
   • frame-src
   • font-src
   • connect-src

14. CSP Examples
   1) Only load resources from the same origin

       X-Content-Security-Policy: default-src self

   2) Example from mikewest.org

       x-content-security-policy: default-src none; style-src https://mikewestdotorg.hasacdn.net; frame-src https://www.youtube.com http://www.slideshare.net; script-src https://mikewestdotorg.hasacdn.net https://ssl.google-analytics.com; img-src self https://mikewestdotorg.hasacdn.net https://ssl.google-analytics.com data:; font-src https://mikewestdotorg.hasacdn.net

15. Report Only
   • Facebook Example

       x-content-security-policy-report-only: allow *; script-src https://*.facebook.com http://*.facebook.com https://*.fbcdn.net http://*.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:*; options inline-script eval-script; report-uri https://www.facebook.com/csp.php
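The CSP slides (11 through 15) show the header names per browser, the directive list, and the report-only mode, but not how a Java EE app assembles and sends all of that. The following is an added example written for this transcript; it is not code from the slides or from ThinkSec. It builds the policy value from named directives, sends it under both vendor-prefixed names from slide 11 (and under the unprefixed Content-Security-Policy name that the later W3C standard uses), switches to the "-Report-Only" variant from slide 15 on request, and provides a servlet that receives the JSON violation reports at report-uri. The report path "/csp-report", the CDN host in the comment, and the decision to keep both classes in one source file are assumptions.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.logging.Logger;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Builds a CSP value from named directives and sends it under the browser-specific
 * header names listed on slide 11, plus the unprefixed name from the later W3C
 * standard. reportOnly=true selects the "-Report-Only" variant from slide 15.
 */
final class CspPolicy {

    private final Map<String, String> directives = new LinkedHashMap<String, String>();

    /** Adds or replaces one directive, e.g. directive("script-src", "'self' https://cdn.example.com"). */
    CspPolicy directive(String name, String sources) {
        directives.put(name, sources);
        return this;
    }

    /** Renders the directives as "name sources; name sources" in insertion order. */
    String value() {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> d : directives.entrySet()) {
            if (sb.length() > 0) sb.append("; ");
            sb.append(d.getKey()).append(' ').append(d.getValue());
        }
        return sb.toString();
    }

    /** setHeader (not addHeader) so a second filter cannot leave two conflicting policies on the response. */
    void apply(HttpServletResponse response, boolean reportOnly) {
        String suffix = reportOnly ? "-Report-Only" : "";
        String policy = value();
        response.setHeader("X-Content-Security-Policy" + suffix, policy); // Firefox, IE 10 (slide 11)
        response.setHeader("X-WebKit-CSP" + suffix, policy);              // Chrome, Safari (slide 11)
        response.setHeader("Content-Security-Policy" + suffix, policy);   // unprefixed W3C standard name
    }

    /** The same-origin-only policy from slide 14, in W3C draft syntax, with violation reporting turned on. */
    static CspPolicy sameOriginOnly(String reportUri) {
        return new CspPolicy()
                .directive("default-src", "'self'")
                .directive("report-uri", reportUri);
    }
}

/** Endpoint for report-uri: browsers POST a JSON violation report here. The path is an assumption. */
@WebServlet("/csp-report")
public class CspReportServlet extends HttpServlet {

    private static final Logger LOG = Logger.getLogger(CspReportServlet.class.getName());
    private static final int MAX_REPORT_CHARS = 8 * 1024; // cap what a misbehaving client can make us log

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        StringBuilder body = new StringBuilder();
        BufferedReader in = req.getReader();
        char[] buf = new char[1024];
        int n;
        while (body.length() < MAX_REPORT_CHARS && (n = in.read(buf)) != -1) {
            body.append(buf, 0, n);
        }
        // Reports are client-controlled input: log them for review, never render them back into a page.
        LOG.warning("CSP violation reported by " + req.getRemoteAddr() + ": " + body);
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

To roll a policy out, call `CspPolicy.sameOriginOnly("/csp-report").apply(response, true)` from a filter, watch the reports for a while, then switch the second argument to `false` to enforce. Two syntax details matter when copying the slide examples: the 2012 X-Content-Security-Policy dialect writes `self` and `none` unquoted and uses `allow` and `options inline-script eval-script`, while the W3C draft requires the quoted keywords `'self'`, `'none'`, `'unsafe-inline'` and `'unsafe-eval'` and uses `default-src`, so a policy that has to reach both header families may need to be rendered twice.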
16. Content Security Policy Demo

17. Outline
   • XSS
   • Session Hijacking
   • Clickjacking
   • Wrap Up

18. Session Hijacking
   (Diagram: Victim, "Public WiFi" network, Internet, mybank.com, Attacker)
   1) Victim goes to mybank.com via HTTP

19. Session Hijacking
   (Diagram: same as slide 18)
   2) Attacker sniffs the public WiFi network and steals the JSESSIONID

20. Session Hijacking
   (Diagram: same as slide 18)
   3) Attacker uses the stolen JSESSIONID to access the victim's session

21. Secure Flag
   • Ensures that the cookie is only sent via SSL
   • Configure in web.xml as of Servlet 3.0

       <session-config>
         <cookie-config>
           <secure>true</secure>
         </cookie-config>
       </session-config>

   • Programmatically

       Cookie cookie = new Cookie("mycookie", "test");
       cookie.setSecure(true);
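Slides 7 and 21 each show the web.xml cookie-config for one flag and a programmatic snippet for a hand-built cookie. The following added example (not from the slides or from ThinkSec) shows the Servlet 3.0 programmatic route for the session cookie itself: a ServletContextListener that sets both HttpOnly and Secure on the JSESSIONID through SessionCookieConfig, which works on any 3.0 container regardless of the Tomcat 7 default mentioned on slide 7, plus a helper that applies both flags to application cookies with Cookie.setHttpOnly (also new in Servlet 3.0) instead of assembling the Set-Cookie string by hand. The class and cookie names are assumptions.

```java
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.Cookie;

/**
 * Programmatic equivalent of the <cookie-config> blocks on slides 7 and 21.
 * SessionCookieConfig may only be changed while the context is initializing,
 * which is exactly when contextInitialized() runs.
 */
@WebListener
public class SessionCookieHardening implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        SessionCookieConfig cfg = sce.getServletContext().getSessionCookieConfig();
        cfg.setHttpOnly(true); // JSESSIONID is no longer readable from document.cookie (slide 7)
        cfg.setSecure(true);   // JSESSIONID is only sent over SSL/TLS (slide 21)
        // Caveat: with Secure set, a site that is still served over plain HTTP never
        // receives the cookie back, so every request starts a new session. Serve the
        // whole application over HTTPS before turning this on.
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to release
    }

    /**
     * Builds an application cookie carrying both flags. Cookie.setHttpOnly exists
     * since Servlet 3.0; on older containers you must fall back to the hand-built
     * Set-Cookie string shown on slide 7.
     */
    public static Cookie hardenedCookie(String name, String value) {
        Cookie c = new Cookie(name, value);
        c.setHttpOnly(true);
        c.setSecure(true);
        c.setPath("/");
        return c;
    }
}
```

A quick check after deploying: open the browser's developer tools on a page served over HTTPS and confirm the JSESSIONID shows both the HttpOnly and Secure flags, and that `document.cookie` in the console no longer lists it.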
22. Strict-Transport-Security
   • Tells the browser to only talk to the server via HTTPS
     – The first time your site is accessed via HTTPS and the header is used, the browser stores the certificate info
     – Subsequent requests to HTTP automatically use HTTPS
   • Supported browsers
     – Implemented in Firefox and Chrome
     – Currently an IETF draft

       Strict-Transport-Security: max-age=seconds [; includeSubdomains]
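Slide 22 gives the header syntax but not where in a Java EE app to emit it. The following is an added example (not from the slides or from ThinkSec): a Servlet 3.0 filter that sends Strict-Transport-Security only on HTTPS responses, because browsers ignore the header when it arrives over plain HTTP, and redirects plain-HTTP requests to their HTTPS equivalent so the browser reaches a response that carries the header. The "/*" mapping, the one-year max-age, and the assumption that request.isSecure() reflects TLS on the connector are mine; behind a TLS-terminating proxy the connector must be configured to report the original scheme (or the filter must inspect the proxy's forwarding header instead).

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Emits Strict-Transport-Security on HTTPS responses and bounces HTTP requests to HTTPS. */
@WebFilter("/*")
public class HstsFilter implements Filter {

    /** One year, as seconds; the slide's max-age parameter. Assumed value. */
    static final long MAX_AGE_SECONDS = 365L * 24 * 60 * 60;

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // no configuration needed
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (!request.isSecure()) {
            // The header is only honoured over HTTPS, so sending it here would be wasted.
            // Redirect instead; the HTTPS response that follows is the one that carries it.
            response.sendRedirect(httpsUrl(request));
            return;
        }

        response.setHeader("Strict-Transport-Security", headerValue(MAX_AGE_SECONDS, true));
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // nothing to release
    }

    /** Renders "max-age=seconds[; includeSubDomains]" exactly as slide 22 describes it. */
    static String headerValue(long maxAgeSeconds, boolean includeSubdomains) {
        return "max-age=" + maxAgeSeconds + (includeSubdomains ? "; includeSubDomains" : "");
    }

    /** Same host, path and query as the incoming request, with the scheme switched to https. */
    static String httpsUrl(HttpServletRequest request) {
        StringBuilder url = new StringBuilder("https://").append(request.getServerName());
        url.append(request.getRequestURI());
        if (request.getQueryString() != null) {
            url.append('?').append(request.getQueryString());
        }
        return url.toString();
    }
}
```

Two cautions before enabling this on a production host. includeSubDomains commits every subdomain to HTTPS for the full max-age, so any subdomain still served over HTTP becomes unreachable for returning visitors until the policy expires; start without it, or with a short max-age, and lengthen once everything is confirmed to work over TLS. The redirect above is sendRedirect's default 302; if the HTTP endpoint exists purely to bounce to HTTPS, a 301 is the more conventional choice.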
23. Outline
   • XSS
   • Session Hijacking
   • Clickjacking
   • Wrap Up

24. Clickjacking
   • Tricks the user into clicking a hidden button
     – User has no idea the button was clicked
   • Works by concealing the target site
     – Victim site placed in an invisible iframe
     – Attacker site overlays the victim site
   Image source: http://seclab.stanford.edu/websec/framebusting/framebust.pdf

25. Clickjacking Demo

26. Clickjacking Code
   • Put the victim in an invisible iframe

       <iframe id="attacker" width=1000 height=400 src="http://victim" style="opacity:0.0; position:absolute;left:10;bottom:100"></iframe>

27. Adobe Flash Example
   • Clickjacking discovered by Jeremiah Grossman & Robert "Rsnake" Hansen
   • Showed how to use Flash to spy on users
     – Use Clickjacking to trick users into enabling the mic and camera via Flash

28. Facebook Example
   • The "best passport application rejection in history" became popular on Facebook

29. Facebook Like Code

       <div style="overflow:hidden; width:10px; height:12px;filter:alpha(opacity=0); -moz-opacity:0.0; -khtml-opacity:0.0; opacity:0.0; position:absolute;" id="icontainer"><iframe src"http://www.facebook.com/plugins/like.php?href=http://credittreport.info/the-best-passport-application-rejection-in-history.html&amp;layout=standard&amp;show_faces=false&amp;width=450&amp;action=like&amp;font=tahoma&amp;colorscheme=light&amp;height=80" scrolling="no" frame border="0" style="border:none;overflow:hidden;width:50px; height:23px;"allowTransparency="true" id="likee" name="likee"></iframe></div>

   Source: https://isc.sans.edu/diary.html?storyid=8893
33. Like Button Demo
34. Like Button Code

       var like = document.createElement('iframe');
       ...
       function mouseMove(e) {
         if (IE) {
           tempX = event.clientX + document.body.scrollLeft;
           tempY = event.clientY + document.body.scrollTop;
         } else {
           tempX = e.pageX;
           tempY = e.pageY;
         }
         if (tempX < 0) tempX = 0;
         if (tempY < 0) tempY = 0;
         like.style.top = (tempY - 8) + 'px';    // Like button moves with cursor
         like.style.left = (tempX - 25) + 'px';
         return true;
       }

   Source: http://erickerr.com/like-clickjacking
35. Why Likejacking?
   • Send victims to evil sites with malware
   • Trick users into signing up for unwanted subscription services
   • Drive traffic to sites to increase ad revenue
   • Adscend Media
     – Alleged to have made up to $1.2 million per month via Clickjacking
     – Facebook and Washington State filed lawsuits against them in January 2012

36. How to Fix?
   • Use X-Frame-Options
     – HTTP response header supported by all recent browsers
   • Three options
     – DENY
       • Prevents any site from framing the page
     – SAMEORIGIN
       • Allows framing only from the same origin
     – ALLOW-FROM origin
       • Allows framing only from the specified origin
       • Only supported by IE (based on my testing)
       • Firefox Bug 690168 - "This was an unintentional oversight"

37. Java Code
   • DENY

       response.addHeader("X-Frame-Options", "DENY");

   • SAMEORIGIN

       response.addHeader("X-Frame-Options", "SAMEORIGIN");

   • ALLOW-FROM

       String value = "ALLOW-FROM http://www.trustedsite.com:8080";
       response.addHeader("X-Frame-Options", value);

38. X-Frame-Options Demo

39. Using X-Frame-Options
   • You might not want to use it for the entire site
     – Prevents legitimate framing of your site (e.g. Google Image Search)
   • For sensitive transactions
     – Use SAMEORIGIN
     – And test thoroughly
   • If the page should never be framed
     – Then use DENY
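Slide 37 shows the three header values and slide 39 explains that the right value depends on the page: DENY where framing must never happen, SAMEORIGIN for sensitive transactions, and no header where legitimate framing is wanted. The following added example (not from the slides or from ThinkSec) puts that guidance into one Servlet 3.0 filter that chooses the value from the request path. The path prefixes "/login", "/transfer/" and "/public/" are assumptions standing in for an application's own layout; the default for anything unlisted is the SAMEORIGIN value the summary slide recommends.

```java
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Sets X-Frame-Options per path, following the DENY / SAMEORIGIN / no-header split from slide 39. */
@WebFilter("/*")
public class FrameOptionsFilter implements Filter {

    /** Marker meaning "send no X-Frame-Options header at all" (framing is allowed). */
    static final String FRAMABLE = "";

    /** Ordered prefix rules; the first matching prefix wins. Prefixes are assumed example paths. */
    static final Map<String, String> RULES = new LinkedHashMap<String, String>();
    static {
        RULES.put("/login", "DENY");           // must never appear inside another site's frame
        RULES.put("/transfer/", "SAMEORIGIN"); // sensitive transaction: only our own pages may frame it
        RULES.put("/public/", FRAMABLE);       // images and embeddable content, e.g. for image search
    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // no configuration needed
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String path = request.getRequestURI().substring(request.getContextPath().length());
        String policy = policyFor(path);
        if (!FRAMABLE.equals(policy)) {
            // setHeader rather than addHeader: browsers do not merge two X-Frame-Options
            // headers, so a second value added elsewhere would leave the response in an
            // inconsistent state instead of tightening it.
            response.setHeader("X-Frame-Options", policy);
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // nothing to release
    }

    /** Resolves the header value for a context-relative path; SAMEORIGIN when no rule matches. */
    static String policyFor(String path) {
        for (Map.Entry<String, String> rule : RULES.entrySet()) {
            if (path.startsWith(rule.getKey())) {
                return rule.getValue();
            }
        }
        return "SAMEORIGIN";
    }
}
```

With these rules, `policyFor("/login")` yields DENY, `policyFor("/transfer/confirm")` yields SAMEORIGIN, `policyFor("/public/logo.png")` yields the empty marker and no header is sent, and any other path falls back to SAMEORIGIN. The "test thoroughly" advice on slide 39 applies directly to the rule table: a prefix that is too broad silently breaks every legitimate embed under it, so verify each path that is expected to be framed in the browser after the filter is deployed.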
40. Frame Busting Code
   • What about older browsers that don't support X-Frame-Options?
   • JavaScript code like this is commonly used

       if (top != self) top.location = self.location;

   • Not foolproof
     – Various techniques can be used to bypass frame busting code

41. Some Anti-Frame Busting Techniques
   • IE <iframe security=restricted>
     – Disables JavaScript within the iframe
   • onBeforeUnload - 204 Flushing
     – Repeatedly send a 204 (No Content) response so the onBeforeUnload handler gets canceled
   • Browser XSS Filters
     – Chrome's XSSAuditor filter cancels inline scripts if they are also found as a parameter

       <iframe src="http://www.victim.com/?v=if(top+!%3D+self)+%7B+top.location%3Dself.location%3B+%7D">
42. Outline
   • XSS
   • Session Hijacking
   • Clickjacking
   • Wrap Up

43. Summary
   • Use the following HTTP response headers
     ☑ Set-Cookie HttpOnly
     ☑ X-XSS-Protection: 1; mode=block
     ☑ Set-Cookie Secure
     ☑ Strict-Transport-Security
     ☑ X-Frame-Options: SAMEORIGIN
   • Plan to use the following
     ☑ Content Security Policy
45. Frank Kim
   frank@thinksec.com
   @thinksec
   @sansappsec

46. References
   • Content Security Policy
     – https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html
   • Busting Frame Busting: A Study of Clickjacking Vulnerabilities on Popular Sites
     – http://seclab.stanford.edu/websec/framebusting/framebust.pdf
   • Like Clickjacking
     – http://erickerr.com/like-clickjacking
   • Clickjacking Attacks on Facebook's Like Plugin
     – https://isc.sans.edu/diary.html?storyid=8893
   • Lessons from Facebook's Security Bug Bounty Program
     – https://nealpoole.com/blog/2011/08/lessons-from-facebooks-security-bug-bounty-program/
   • Google+ Gets a "+1" for Browser Security
     – http://www.barracudalabs.com/wordpress/index.php/2011/07/21/google-gets-a-1-for-browser-security-3/
