
List of useful security related http headers

HTTP security headers


1. List of useful security-related HTTP headers
   주한익, joohanik@coresec.co.kr
2. List of useful security-related HTTP headers (summary table: header name, description, example)
   * HTTP Strict-Transport-Security (HSTS)
     Forces the browser to use HTTP over SSL/TLS whenever it connects to the server. It mitigates session-related web application vulnerabilities that abuse cookies or external links (e.g. session hijacking) and defends against downgrade attacks such as SSL Strip.
     Example: Strict-Transport-Security: max-age=16070400; includeSubDomains
   * X-Frame-Options / Frame-Options
     A header created to protect against clickjacking. Depending on the directive value it controls whether a page loaded into a <frame>, <iframe> or <object> is rendered.
     Example: X-Frame-Options: deny
   * X-XSS-Protection
     Enables the cross-site scripting filter built into the browser. Most browsers that offer the filter enable it by default; this header turns it back on if the user has disabled it.
     Example: X-XSS-Protection: 1;mode=block
   * X-Content-Type-Options
     Counters cross-site scripting and drive-by download attacks that abuse the browser's MIME-sniffing feature, which otherwise ignores the value of the Content-Type response header. The only defined directive is "nosniff".
     Example: X-Content-Type-Options: nosniff
   * Content-Security-Policy / X-Content-Security-Policy / X-WebKit-CSP
     Controls the policy the browser applies when rendering the page (e.g. inline JavaScript is not executed unless explicitly allowed). It can prevent a range of attacks, including cross-site scripting.
     Example: Content-Security-Policy: default-src 'self'; script-src 'self'
   * Content-Security-Policy-Report-Only
     Works like Content-Security-Policy, except that a policy violation is not actually blocked; instead a report is sent to the specified location. Used together with Content-Security-Policy it gives "restrict and block" and "reporting" at the same time.
     Example: Content-Security-Policy-Report-Only: default-src 'self'; report-uri http://loghost.example.com/reports.jsp
   Source: https://www.owasp.org/index.php/List_of_useful_HTTP_headers
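A small audit of a response's headers against the recommendations in the table above. This is an added example, not code from the slides; the rules (the minimum max-age is taken from the table's own example value) and the sample header dictionary are constructed here.

```python
import re

MIN_HSTS_MAX_AGE = 16070400  # the table's example value; treat anything shorter as weak (assumption)

def audit_security_headers(headers):
    """Return (header, finding) pairs for a dict of response headers; names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(("Strict-Transport-Security", "missing: downgrade attacks (SSL strip) not mitigated"))
    else:
        m = re.search(r"max-age\s*=\s*\"?(\d+)", hsts, re.I)
        if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append(("Strict-Transport-Security", "max-age absent or shorter than %d" % MIN_HSTS_MAX_AGE))
        if "includesubdomains" not in [t.strip().lower() for t in hsts.split(";")]:
            findings.append(("Strict-Transport-Security", "includeSubDomains not set"))
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN") and not xfo.startswith("ALLOW-FROM "):
        findings.append(("X-Frame-Options", "missing or invalid: page can be framed (clickjacking)"))
    xss = h.get("x-xss-protection", "").replace(" ", "").lower()
    if not xss.startswith("1"):
        findings.append(("X-XSS-Protection", "browser XSS filter not explicitly enabled"))
    elif "mode=block" not in xss:
        findings.append(("X-XSS-Protection", "enabled without mode=block"))
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append(("X-Content-Type-Options", "nosniff not set: MIME sniffing possible"))
    csp = h.get("content-security-policy")
    if csp is None:
        ro = h.get("content-security-policy-report-only")
        findings.append(("Content-Security-Policy",
                         "only a report-only policy is present; nothing is enforced" if ro else "missing"))
    elif "'unsafe-inline'" in csp:
        findings.append(("Content-Security-Policy", "policy allows 'unsafe-inline'; injected inline script still runs"))
    return findings

# Constructed sample: the example values from the table, as a server might send them
SAMPLE_OK = {"Strict-Transport-Security": "max-age=16070400; includeSubDomains",
             "X-Frame-Options": "deny", "X-XSS-Protection": "1; mode=block",
             "X-Content-Type-Options": "nosniff",
             "Content-Security-Policy": "default-src 'self'; script-src 'self'"}

if __name__ == "__main__":
    for header, finding in audit_security_headers({}):
        print(header, "->", finding)
```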
3. Strict-Transport-Security
   * SSL strip: how can we stop this attack? (figure)
     http://courses.oreillyschool.com/webapp2/http_headers.html
4. Strict-Transport-Security
   * HTTP Strict Transport Security (HSTS) overview
     - Web security policy mechanism which is necessary to protect secure HTTPS websites against downgrade attacks, and which greatly simplifies protection against cookie hijacking
     - Allows web servers to declare that web browsers should only interact with them using secure HTTPS connections, and never via the insecure HTTP protocol
     - IETF standards-track protocol, specified in RFC 6797
     - Communicated by the server to the user agent via an HTTP response header field named "Strict-Transport-Security"
     http://blog.c22.cc/2010/08/27/http-strict-transport-security/
5. Strict-Transport-Security (figure)
   http://www.asd.gov.au/publications/protect/protecting_web_apps.htm
6. Strict-Transport-Security
   * Preloading HSTS overview
     - When connecting to an HSTS host for the first time, the browser won't know whether or not to use a secure connection, because it has never received an HSTS header from that host
     - An active attacker could prevent the browser from ever connecting securely
     - To mitigate this attack, browsers have added a list of hosts that want HSTS enforced by default
     - When a user connects to one of these hosts for the first time, the browser will know that it must use a secure connection
     - If a network attacker prevents secure connections to the server, the browser will not attempt to connect over an insecure protocol, thus maintaining the user's security
7. Strict-Transport-Security
   * Manually enforcing HSTS in Google Chrome
     https://scotthelme.co.uk/manually-enforcing-hsts-chrome/
8. Strict-Transport-Security
   * EFF (Electronic Frontier Foundation)'s "HTTPS Everywhere" extension
9. Strict-Transport-Security
   * Limitations
     - Still dependent on browser vendors adding new hosts to the preload list. The only downside of manual enforcement is that the user must add all of the hosts they wish to be enforced to the list by hand
     - The initial request remains unprotected from active attacks if it uses an insecure protocol such as plain HTTP, or if the URI for the initial request was obtained over an insecure channel
     - Can't prevent advanced attacks against TLS itself, such as the BEAST (Browser Exploit Against SSL/TLS) or CRIME (Compression Ratio Info-leak Made Easy) attacks
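A model of the browser-side HSTS store described in slides 4 to 9, as an added example that is not part of the slides: it records a Strict-Transport-Security header, honours max-age expiry, includeSubDomains and max-age=0, seeds a preload list, and shows that the very first http:// request to an unknown host is still sent in the clear. Host names and timestamps are constructed.

```python
import re
import time

class HstsCache:
    """Minimal browser HSTS store: host -> (expiry timestamp, includeSubDomains)."""
    def __init__(self, preload=()):
        # Preloaded hosts never expire and cover their subdomains (simplification, assumption)
        self.entries = {host: (float("inf"), True) for host in preload}

    def remember(self, host, header_value, now=None):
        """Record an HSTS header received over HTTPS. Returns False if the header is unusable."""
        now = time.time() if now is None else now
        m = re.search(r"max-age\s*=\s*\"?(\d+)", header_value, re.I)
        if not m:
            return False                      # max-age is mandatory; header ignored otherwise
        max_age = int(m.group(1))
        if max_age == 0:
            self.entries.pop(host, None)      # max-age=0 tells the browser to forget the host
            return True
        directives = [d.strip().lower() for d in header_value.split(";")]
        self.entries[host] = (now + max_age, "includesubdomains" in directives)
        return True

    def is_known(self, host, now=None):
        """True if host, or a parent domain with includeSubDomains, has an unexpired entry."""
        now = time.time() if now is None else now
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None or entry[0] <= now:
                continue
            if i == 0 or entry[1]:            # exact host, or parent with includeSubDomains
                return True
        return False

    def rewrite(self, url, now=None):
        """Return the URL the browser would actually request (http -> https when HSTS applies)."""
        if url.startswith("http://"):
            host = url[7:].split("/", 1)[0].split(":")[0]
            if self.is_known(host, now):
                return "https://" + url[7:]
        return url                             # first visit to an unknown host stays plain HTTP

if __name__ == "__main__":
    cache = HstsCache(preload=["preloaded.example"])
    print(cache.rewrite("http://first-visit.example/login"))      # unchanged: not yet known
    cache.remember("first-visit.example", "max-age=16070400; includeSubDomains")
    print(cache.rewrite("http://first-visit.example/login"))      # now upgraded to https
```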
10. X-Frame-Options
   * Clickjacking: how can we stop this attack?
     - Tricking users into enabling their webcam and microphone through Flash
     - Tricking users into making their social networking profile information public
     - Making users follow someone on Twitter
     - Sharing links on Facebook
     http://khalil-shreateh.com/khalil.shtml/index.php/personal-security/90-spam-and-scams-protect-yourself-from-being-a-victim-of-cyber-fraud.html?showall=1
     http://www.anzaq.com/2013/05/what-is-clickjacking.html
11. X-Frame-Options
   * X-Frame-Options overview
     - The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe> or <object>
     - Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites
     - There are three possible values for X-Frame-Options: DENY, SAMEORIGIN, ALLOW-FROM uri
     - The frame-ancestors directive from the CSP Level 2 specification officially replaces this non-standard header
     http://www.troyhunt.com/2013/05/clickjack-attack-hidden-threat-right-in.html
     http://wordpress.stackexchange.com/questions/81607/receiving-this-content-cannot-be-displayed-in-a-frame-error-on-login-page
12. X-Frame-Options
   * Limitations
     - Per-page policy specification
     - Problems with multi-domain sites
     - ALLOW-FROM browser support
     - Multiple options not supported
     - X-Frame-Options deprecated
     - Proxies
     - Nested frames don't work with SAMEORIGIN and ALLOW-FROM
   * Nested frame scenario (figure): //friendlysite.invalid frames //framed.invalid/parent (served with ALLOW-FROM http://friendlysite.invalid), which in turn frames //framed.invalid/child (served with SAMEORIGIN)
     - When a frame on the //friendlysite.invalid page loads //framed.invalid/parent, it renders normally, because ALLOW-FROM permits it.
     - When a frame on //framed.invalid/parent loads //framed.invalid/child from the same domain, it is not rendered, because the top-level browsing context takes precedence.
     - Setting ALLOW-FROM http://friendlysite.invalid on //framed.invalid/child as well would solve this case, but then //framed.invalid/child will not load when //framed.invalid/parent is itself the top-level page.
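The nested-frame decision from the scenario above, as an added example not taken from the slides. It models the behaviour the slide describes, in which only the top-level browsing context's origin is compared (an assumption about browser behaviour; scheme-relative //host URLs are treated as http), and reproduces the three outcomes listed on the slide.

```python
from urllib.parse import urlsplit

def origin(url):
    """(scheme, host, port) of a URL; '//host/path' is scheme-relative and treated as http here."""
    if url.startswith("//"):
        url = "http:" + url
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port or (443 if p.scheme == "https" else 80))

def may_render(page_url, xfo, ancestors):
    """Whether page_url, served with X-Frame-Options value xfo, is rendered when framed.
    ancestors lists the framing pages, top-level first; an empty list means not framed."""
    if not ancestors or xfo is None:
        return True                                  # not framed, or no header: render
    value = xfo.strip()
    upper = value.upper()
    top = origin(ancestors[0])                       # only the top-level context is consulted
    if upper == "DENY":
        return False
    if upper == "SAMEORIGIN":
        return top == origin(page_url)
    if upper.startswith("ALLOW-FROM"):
        return top == origin(value[len("ALLOW-FROM"):].strip())
    return True                                      # unrecognised value treated as absent (assumption)

# Constructed URLs from the slide's scenario
FRIEND, PARENT, CHILD = "//friendlysite.invalid", "//framed.invalid/parent", "//framed.invalid/child"
ALLOW_FRIEND = "ALLOW-FROM http://friendlysite.invalid"

if __name__ == "__main__":
    print("parent under friendlysite:", may_render(PARENT, ALLOW_FRIEND, [FRIEND]))            # True
    print("child (SAMEORIGIN) under both:", may_render(CHILD, "SAMEORIGIN", [FRIEND, PARENT]))  # False
    print("child (ALLOW-FROM) with parent on top:", may_render(CHILD, ALLOW_FRIEND, [PARENT]))  # False
```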
13. X-XSS-Protection
   * XSS (Cross-Site Scripting): how can we stop this attack? (figure: stored cross-site scripting; reflected cross-site scripting)
14. X-XSS-Protection
   * X-XSS-Protection overview
     - New feature to help prevent reflected cross-site scripting attacks (Internet Explorer 8)
     - Detects JavaScript in URL and HTTP POST requests
     - If JavaScript is detected, the XSS filter searches for evidence of reflection: information that would be returned to the attacking website if the attacking request were submitted unchanged
     - If reflection is detected, the XSS filter sanitizes the original request so that the additional JavaScript cannot be executed
15. X-XSS-Protection
   * Disabling the Internet Explorer XSS filter
     - https://msdn.microsoft.com/en-us/library/dd565647(VS.85).aspx
     - The feature can be disabled by setting an HTTP header (X-XSS-Protection: 0) or through the Internet Explorer options (figure: Internet Explorer options)
     http://www.staysecureweb.com/get-protected-xss-cross-site-scripting-internet-explorer/
16. X-Content-Type-Options
   * Background of this feature
     - Microsoft has a feature in Internet Explorer that attempts to determine the correct content type regardless of what is specified by the web server; this feature is known as MIME sniffing
     - One of the steps of this feature is that it compares the first 256 bytes of a file to a list of known file headers
     - While this feature allows users to browse the web more successfully, it also introduces an attack vector
   * Figure (IE6, IE7): an attacker uploads file.jpg whose body is <html> ... </html>; the web server answers the browser's request with "HTTP/1.1 200 OK ... Content-Type: image/jpeg, Content-Length: 231" and that body
     1. The Content-Type and extension are ignored
     2. The type is decided after inspecting the file header (MIME sniffing)
     3. The tags are executed (XSS attack)
17. X-Content-Type-Options
   * X-Content-Type-Options overview
     - The only defined value, "nosniff", prevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared content-type
     - This reduces exposure to drive-by download attacks and to sites serving user-uploaded content that, by clever naming, could be treated by MSIE as executable or dynamic HTML files
18. X-Content-Type-Options
   * Security recommendations
     - Web developers: familiarize yourself with the risks of file uploads, implement safeguards and add relevant HTTP headers for uploaded files if necessary
     - Web server administrators: add the X-Content-Type-Options: nosniff header to your web server. This also applies to web servers other than Microsoft IIS
     - System administrators and end users: disable MIME sniffing in Internet Explorer and/or set the security level to High. For IE9, MIME sniffing can be disabled at the following location: Internet Options -> Security level -> Miscellaneous -> Enable MIME Sniffing -> Disable
     - Penetration testers: while testing file uploads in web applications, attempt to upload HTML code in files with different extensions, and don't forget to perform these tests using different browsers
     - Microsoft: please change the default MIME sniffing behavior of Internet Explorer and refrain from handling files as HTML when the web server says otherwise. At least prevent this from happening for most 'known file types' and most 'ambiguous file types'
     http://blog.fox-it.com/2012/05/08/mime-sniffing-feature-or-vulnerability/
     http://www.h-online.com/security/features/Risky-MIME-sniffing-in-Internet-Explorer-746229.html
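Why nosniff matters for the upload scenario in slides 16 to 18, as an added example that is not part of the slides: a deliberately tiny stand-in for a browser's signature table (only JPEG and HTML markers, checked against the first 256 bytes) and the decision a sniffing browser makes with and without X-Content-Type-Options: nosniff. The sample upload body is constructed.

```python
HTML_MARKERS = (b"<!doctype html", b"<html", b"<head", b"<body", b"<script", b"<iframe")
JPEG_MAGIC = b"\xff\xd8\xff"

def sniff(body):
    """Guess a type from the first 256 bytes; None means no known signature (simplified model, assumption)."""
    head = body[:256]
    if head.startswith(JPEG_MAGIC):
        return "image/jpeg"
    lowered = head.lower()
    if any(marker in lowered for marker in HTML_MARKERS):
        return "text/html"                 # the dangerous case: markup inside a "picture"
    return None

def effective_content_type(headers, body):
    """The type a sniffing browser treats the response as.
    With X-Content-Type-Options: nosniff the declared Content-Type is honoured unconditionally."""
    h = {k.lower(): v for k, v in headers.items()}
    declared = h.get("content-type", "application/octet-stream").split(";")[0].strip().lower()
    if h.get("x-content-type-options", "").strip().lower() == "nosniff":
        return declared
    return sniff(body) or declared

# Constructed upload named file.jpg whose bytes are really HTML, as in the slide's figure
UPLOAD = b"<html><body>constructed upload body</body></html>"

if __name__ == "__main__":
    print(effective_content_type({"Content-Type": "image/jpeg"}, UPLOAD))                                     # text/html
    print(effective_content_type({"Content-Type": "image/jpeg", "X-Content-Type-Options": "nosniff"}, UPLOAD))  # image/jpeg
```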
19. Content-Security-Policy
   * Content-Security-Policy overview
     - HTTP header that allows you to create a whitelist of sources of trusted content, and instructs the browser to only execute or render resources from those sources
     - Even if an attacker can find a hole through which to inject script, the script won't match the whitelist, and therefore won't be executed
20. Content-Security-Policy
   * Resource directives
     - script-src: controls a set of script-related privileges for a specific page
     - connect-src: limits the origins to which you can connect (via XHR, WebSockets, and EventSource)
     - font-src: specifies the origins that can serve web fonts. Google's Web Fonts could be enabled via font-src https://themes.googleusercontent.com
     - frame-src: lists the origins that can be embedded as frames. For example, frame-src https://youtube.com would enable embedding YouTube videos, but no other origins
     - img-src: defines the origins from which images can be loaded
     - media-src: restricts the origins allowed to deliver video and audio
     - object-src: allows control over Flash and other plugins
     - style-src: script-src's counterpart for stylesheets
21. Content-Security-Policy
   * Four keywords
     - 'none': as you might expect, matches nothing
     - 'self': matches the current origin, but not its subdomains
     - 'unsafe-inline': allows inline JavaScript and CSS
     - 'unsafe-eval': allows text-to-JavaScript mechanisms like eval
   * Example
     - You have an application that loads all of its resources from a content delivery network (https://cdn.example.net), and know that you don't need framed content or any plugins at all:
       Content-Security-Policy: default-src https://cdn.example.net; frame-src 'none'; object-src 'none'
22. Content-Security-Policy
   * Reporting
     - Instruct the browser to POST JSON-formatted violation reports to a location specified in a report-uri directive:
       Content-Security-Policy: default-src 'self'; ...; report-uri /my_amazing_csp_report_parser;
     - You can ask the browser to monitor a policy, reporting violations but not enforcing the restrictions: instead of sending a Content-Security-Policy header, send a Content-Security-Policy-Report-Only header:
       Content-Security-Policy-Report-Only: default-src 'self'; ...; report-uri /my_amazing_csp_report_parser;
     http://www.html5rocks.com/en/tutorials/security/content-security-policy/?redirect_from_locale=ko
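A policy evaluator covering slides 19 to 22 together, as an added example that is not code from the slides or from the linked tutorial: it parses a policy string, falls back from a missing directive to default-src, matches 'none', 'self' (current origin only, not subdomains), scheme, host and *.host sources, and, when a load is blocked, builds the JSON violation report a browser POSTs to report-uri (field names document-uri, violated-directive, effective-directive, blocked-uri and original-policy as in the CSP specification). Page and resource URLs are constructed; the policy is the one from slide 21.

```python
import json
from urllib.parse import urlsplit

def parse_policy(policy):
    """'default-src https://cdn.example.net; frame-src 'none'' -> {directive: [source expressions]}"""
    parsed = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            parsed[tokens[0].lower()] = tokens[1:]
    return parsed

def _origin(url):
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port)

def source_matches(source, url, page_url):
    """One CSP source expression against the URL of a resource load (simplified matcher, assumption)."""
    if source == "*":
        return True
    if source == "'none'":
        return False
    if source == "'self'":
        return _origin(url) == _origin(page_url)      # current origin only, never its subdomains
    if source.startswith("'"):
        return False          # 'unsafe-inline' / 'unsafe-eval' govern inline code, not URL loads
    if source.endswith(":"):
        return url.startswith(source)                  # scheme source such as https:
    scheme, host, port = _origin(source if "://" in source else "//" + source)
    u = urlsplit(url)
    if scheme and u.scheme != scheme:
        return False
    if host.startswith("*."):
        return (u.hostname or "").endswith(host[1:])
    return u.hostname == host and (port is None or u.port == port)

def check_load(policy, directive, url, page_url):
    """None if the load is allowed; otherwise the violation report the browser would POST to report-uri."""
    rules = parse_policy(policy)
    effective = directive if directive in rules else "default-src"   # fallback to default-src
    sources = rules.get(effective)
    if sources is None or any(source_matches(s, url, page_url) for s in sources):
        return None
    return {"csp-report": {"document-uri": page_url, "violated-directive": " ".join([effective] + sources),
                           "effective-directive": directive, "blocked-uri": url, "original-policy": policy}}

POLICY = "default-src https://cdn.example.net; frame-src 'none'; object-src 'none'"   # slide 21's example
PAGE = "https://www.example.net/"                                                      # constructed page URL

if __name__ == "__main__":
    print(json.dumps(check_load(POLICY, "script-src", "https://evil.invalid/x.js", PAGE), indent=2))
```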
