SECURING YOUR WEB APPLICATION THROUGH
            HTTP HEADERS
             Booster — 14. March 2013


           André N. Klingsheim (@klingsen)
                     AppSec AS

OUTLINE
•   HTTP headers
•   Attacks and security headers
     • Cross site scripting (XSS) — Content-Security-Policy
     • Clickjacking — X-Frame-Options
     • SSL stripping++ — HTTP Strict Transport Security
     • Session hijacking — Cookie security settings
     • MIME type attacks — X-Download-Options, X-Content-Type-Options

DEMO

HYGIENE: VERSION HEADERS
•   Web servers and web application frameworks tend to include version headers in their HTTP responses (e.g. Server, X-Powered-By, X-AspNet-Version)
•   There really is no reason to leak this information to an attacker; it only makes fingerprinting the stack easier
•   Get rid of them and save the bandwidth!
•   Demo

Cross site scripting (XSS)

CONTENT SECURITY POLICY

CROSS SITE SCRIPTING (XSS)
•   Reflected
     • User controlled data from the request is included in the response
•   Persistent
     • Attacker is able to store the attack server side; the stored attack is later included in response(s)
•   DOM based
     • Does not involve the server, happens on the client side: script in the page writes attacker controlled data (e.g. from the URL fragment) into the DOM

- XSS (Cross Site Scripting) Prevention Cheat Sheet
- OWASP Top 10 for JavaScript – A2: Cross Site Scripting – XSS
DEMO

CONTENT SECURITY POLICY (CSP)
•   Lets you specify a policy for where content in your webpages can be loaded from
•   Lets you put restrictions on script execution (inline script, eval())
•   Headers
     • Content-Security-Policy – Chrome 25
     • X-Content-Security-Policy – Firefox 4+
     • X-WebKit-CSP – WebKit browsers (Chrome/Safari)
•   W3C Candidate Recommendation
     • Will end up being a proper standard!

CSP DIRECTIVES
•   default-src — Fallback for the other fetch directives when they are not set explicitly
•   script-src
•   style-src
•   object-src — plugins
•   img-src
•   media-src — video/audio
•   frame-src
•   font-src
•   connect-src — XMLHttpRequest, WebSocket, EventSource
•   report-uri — Specifies where CSP violations can be reported (not a fetch directive, so it does not fall back to default-src)

CSP SOURCES (FOR THE DIRECTIVES)
•   'none' — No content of this type is allowed (all directives)
•   'self' — Content of this type can only be loaded from the same origin, i.e. the same scheme, host and port as the page (all directives)
•   'unsafe-inline' — Allows unsafe inline content
     •   Supported by style-src (inline CSS) and script-src (inline script)
•   'unsafe-eval' — Allows script functions considered unsafe (such as eval())
     •   Supported by script-src
•   And you can specify custom sources:
     •    * — Allow content from anywhere
     •   https: — Scheme only, load only content served over https
     •   *.nwebsec.com — Wildcard host, allow content from any nwebsec.com sub-domain (not from nwebsec.com itself)
     •   www.nwebsec.com:81 — You can specify a port number
     •   https://www.nwebsec.com — You can also specify an absolute URI for a host (in CSP 1.0 the path has no effect)

AND THEN IT ALL COMES TOGETHER
• Content-Security-Policy: default-src 'self'; script-src 'self' scripts.nwebsec.codeplex.com

•   This policy sets a default source of 'self' for all directives.
•   script-src defines its own sources, replacing the default entirely (hence 'self' has to be repeated)


•   In effect, scripts, stylesheets, images, flash animations, Java applets etc. can only be loaded from the same origin as the
    page
•   Scripts can also be loaded from scripts.nwebsec.codeplex.com
•   This policy also denies inline scripts and inline styles, since neither source list contains 'unsafe-inline'!
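The policy above, run through a small CSP 1.0 evaluator. This is an added example written for this page, not code from the talk or from the NWebsec library; the page origin https://www.nwebsec.com/ and the URLs checked are assumptions. It applies the default-src fallback described on this slide, the source matching rules from the previous slide ('self', 'none', *, scheme-only, wildcard host, explicit port, absolute URI), and answers the inline and eval() questions separately.

```python
"""Minimal CSP 1.0 policy evaluator: parse a header value, apply the default-src
fallback and decide whether a given load would be allowed. Added example, not
part of the talk or of NWebsec; matching follows the CSP 1.0 rules."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": "80", "https": "443"}

# The policy from the slide and an assumed page origin for the examples.
EXAMPLE_POLICY = "default-src 'self'; script-src 'self' scripts.nwebsec.codeplex.com"
PAGE_ORIGIN = "https://www.nwebsec.com/"


def parse_policy(header_value):
    """'default-src a; script-src b c' -> {'default-src': ['a'], 'script-src': ['b', 'c']}."""
    policy = {}
    for directive in header_value.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])  # first occurrence wins
    return policy


def effective_sources(policy, directive):
    """An absent fetch directive inherits default-src; a present one replaces it entirely."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", ["*"])  # no default-src either: unrestricted


def _origin(url):
    """(scheme, host, port) with the default port filled in, so 'self' compares cleanly."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = str(parts.port) if parts.port else DEFAULT_PORTS.get(scheme, "")
    return scheme, (parts.hostname or "").lower(), port


def _parse_host_source(expr):
    """[scheme://]host[:port][/ignored-path] -> (scheme or None, host, port or None)."""
    scheme = None
    if "://" in expr:
        scheme, _, expr = expr.partition("://")
        scheme = scheme.lower()
    host, _, port = expr.lower().split("/")[0].partition(":")
    return scheme, host, (port or None)


def source_matches(expr, page_origin, url):
    """Does one source expression permit loading `url` into a page at `page_origin`?"""
    page, target = _origin(page_origin), _origin(url)
    if expr in ("'none'", "'unsafe-inline'", "'unsafe-eval'"):
        return False  # keywords never match a URL
    if expr == "'self'":
        return page == target
    if expr == "*":
        return True
    if expr.endswith(":"):  # scheme-source such as https:
        return target[0] == expr[:-1].lower()
    scheme, host, port = _parse_host_source(expr)
    if (scheme or page[0]) != target[0]:  # CSP 1.0: no scheme means the page's scheme
        return False
    if host.startswith("*."):
        if not target[1].endswith(host[1:]):  # any sub-domain, never the bare domain
            return False
    elif host != target[1]:
        return False
    if port is None:  # no port given: only the scheme's default port matches
        return target[2] == DEFAULT_PORTS.get(target[0])
    return port == "*" or port == target[2]


def allows_load(header_value, page_origin, directive, url):
    """Would a browser enforcing `header_value` let the page fetch `url` for `directive`?"""
    sources = effective_sources(parse_policy(header_value), directive)
    return any(source_matches(s, page_origin, url) for s in sources)


def allows_inline(header_value, directive):
    """Inline script/style only runs when the effective list contains 'unsafe-inline'."""
    return "'unsafe-inline'" in effective_sources(parse_policy(header_value), directive)


def allows_eval(header_value):
    """eval() and friends only work when script-src contains 'unsafe-eval'."""
    return "'unsafe-eval'" in effective_sources(parse_policy(header_value), "script-src")


if __name__ == "__main__":
    for directive, url in [
        ("script-src", "https://scripts.nwebsec.codeplex.com/jquery.js"),
        ("script-src", "https://evil.example/steal.js"),
        ("img-src", "https://www.nwebsec.com/logo.png"),
        ("img-src", "https://cdn.nwebsec.com/logo.png"),
    ]:
        verdict = "allowed" if allows_load(EXAMPLE_POLICY, PAGE_ORIGIN, directive, url) else "BLOCKED"
        print(directive, url, "->", verdict)
    print("inline script allowed:", allows_inline(EXAMPLE_POLICY, "script-src"))
```

Note that img-src is not mentioned in the policy, so the image checks go through default-src, while script-src has its own list and never consults default-src; that is why a script from a sub-domain of the page's own site is blocked unless it is listed explicitly.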

THE "SPECIAL" SOURCES
•   'unsafe-inline' can allow inline scripts (script-src) and styles (style-src)
•   'unsafe-eval' allows JavaScript functions considered high risk (eval(), new Function(), string arguments to setTimeout()/setInterval())
•   Use these special sources with care: 'unsafe-inline' in script-src re-enables exactly the injected inline script most XSS payloads rely on, so it gives up most of what CSP buys you

CSP REPORTING
•   You can specify a "report-uri" in the CSP header
•   Must be a relative URI
•   The browser will POST violation reports as JSON back to the web application


•   Content-Security-Policy-Report-Only
     • Will not block scripts or resources violating the policy
     • Will report them to the web application
     • Lets you roll out a policy and collect violations before switching to enforcement
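What the report-uri endpoint on the receiving side should do with those JSON reports, as an added example (not code from the talk or from NWebsec). The field names follow the CSP 1.0 "csp-report" object; the sample report body is constructed, not captured from a browser, and the size limits are assumptions. The point a practitioner tends to forget is that the endpoint is public and unauthenticated, so every byte it receives is untrusted input.

```python
"""Receive and sanity-check a CSP violation report POSTed to the report-uri.
Added example, not code from the talk or from NWebsec. The JSON shape
("csp-report" object with document-uri, blocked-uri, violated-directive,
original-policy) is the one the CSP 1.0 spec defines."""
import json

MAX_REPORT_BYTES = 8 * 1024     # assumption: real reports are a few hundred bytes
MAX_FIELD_CHARS = 2048          # assumption: cap what we keep per field before logging
REQUIRED_FIELDS = ("document-uri", "blocked-uri", "violated-directive", "original-policy")
ACCEPTED_TYPES = ("application/csp-report", "application/json")  # newer and older browsers

# Constructed sample of a browser's POST body for the policy on the slides (not a captured report).
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://www.nwebsec.com/account",
    "referrer": "",
    "blocked-uri": "https://evil.example/steal.js",
    "violated-directive": "script-src 'self' scripts.nwebsec.codeplex.com",
    "original-policy": "default-src 'self'; script-src 'self' scripts.nwebsec.codeplex.com; report-uri /csp-report",
}}).encode("utf-8")


class BadReport(ValueError):
    """Anything that is not a well-formed CSP report. The endpoint is reachable by anyone,
    so malformed or oversized bodies are expected, not exceptional."""


def parse_csp_report(body, content_type="application/csp-report"):
    """Validate one report body and return only the fields we intend to keep."""
    if content_type.split(";")[0].strip().lower() not in ACCEPTED_TYPES:
        raise BadReport("unexpected content type: %s" % content_type)
    if len(body) > MAX_REPORT_BYTES:
        raise BadReport("report larger than %d bytes" % MAX_REPORT_BYTES)
    try:
        document = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise BadReport("body is not JSON: %s" % exc)
    report = document.get("csp-report") if isinstance(document, dict) else None
    if not isinstance(report, dict):
        raise BadReport("no csp-report object")
    missing = [k for k in REQUIRED_FIELDS if not isinstance(report.get(k), str)]
    if missing:
        raise BadReport("missing fields: %s" % ", ".join(missing))
    # Every value came from a browser, or from whoever else POSTed to us: truncate it here
    # and treat it as untrusted when it is later stored or rendered in a dashboard.
    return {k: report[k][:MAX_FIELD_CHARS] for k in REQUIRED_FIELDS}


def is_well_formed(body, content_type="application/csp-report"):
    """True if parse_csp_report would accept the body."""
    try:
        parse_csp_report(body, content_type)
        return True
    except BadReport:
        return False


def summarize(report):
    """One log line per violation: the directive that fired, what was blocked, and where."""
    directive = (report["violated-directive"].split() or ["?"])[0]
    return "%s blocked %s on %s" % (directive, report["blocked-uri"], report["document-uri"])


if __name__ == "__main__":
    print(summarize(parse_csp_report(SAMPLE_REPORT)))
```

With Content-Security-Policy-Report-Only in place, the same endpoint receives what the policy would have blocked, which is the list of inline scripts and third-party resources you have to clean up before enforcing it.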

XSS SUMMARIZED
•   Make sure you validate your inputs
•   Make sure you encode everything you output, for the context it ends up in (HTML, attribute, JavaScript, URL)
     • Input to the web application
     • Data from backend systems
     • EVERYTHING!
•   Use CSP as an extra layer of defense, it's not the cure!

X-Frame-Options

CLICKJACKING

CLICKJACKING
•   A malicious site loads the vulnerable site in an iframe
•   The iframe is invisible, and positioned in front of something the user is likely to click on
•   The user clicks on what appears to be an element on the malicious site
     • The user really clicks in the iframe, triggering some operation on the vulnerable site

CLICKJACKING DEMO

[Figure: two panels, "Vulnerable site" with a "Delete something!" button and "Evil site" with a "Click me!" button; the vulnerable site is framed invisibly on top of the evil site so that a click on "Click me!" lands on "Delete something!"]
FRAMESNIFFING
•   You can load an iframe with a URL that carries a fragment (#some-id)
•   Browsers would scroll the frame to the anchor tag, or to the HTML element with that id attribute
•   This scrolling can be detected with JavaScript from the framing page, which leaks whether the id exists in the framed page
•   Note: the vulnerability has been fixed in the latest versions of browsers

X-FRAME-OPTIONS
•   X-Frame-Options: DENY | SAMEORIGIN
•   Instructs the browser not to display the page in a frame (SAMEORIGIN: only in frames from the same origin)
     • When the page isn't displayed, there's nothing to click on!
•   Browser support: Opera 10.5, Chrome 4.1, IE 8, Firefox 3.6.9, Safari 4


•   Remember: the request is still sent to, and processed by, the web server! The header only stops the response from being rendered

X-FRAME-OPTIONS SEQUENCE DIAGRAM

[Sequence diagram with two participants, Attacker and Target: the attacker's page frames the target, the browser sends the request to the target, the target processes it and answers with the X-Frame-Options header, and only then does the browser refuse to render the framed response]
Strict-Transport-Security

HTTPS STRIPPING

HTTPS STRIPPING EXPLAINED
•   "Secure" websites use SSL/TLS to preserve the confidentiality and integrity of the communication with a browser
•   For usability, "secure" websites are still accessible through insecure channels (HTTP on port 80)
     • They'll redirect the user to HTTPS
     • User enters www.onlinebank.com, and is redirected to https://www.onlinebank.com
     • The very first request is insecure, and open to attack!
•   SSL stripping is a man-in-the-middle attack
     • Attacker keeps the victim on HTTP, but passes requests on over HTTPS to the target website, so the bank sees a normal HTTPS session
     • Practical attack demoed at Black Hat in 2009 (sslstrip)

http://www.thoughtcrime.org/software/sslstrip/
HOW "SECURE BROWSING" USUALLY WORKS

[Diagram, browser to online bank:]
•   Browser -> Online bank: www.onlinebank.com (unprotected)
•   Online bank -> Browser: Redirect to https://www.onlinebank.com (unprotected)
•   Browser -> Online bank: https://www.onlinebank.com (protected)
HTTPS STRIPPING

[Diagram, browser to attacker to online bank:]
•   Browser -> Attacker: www.onlinebank.com (unprotected)
•   Attacker -> Online bank: https://www.onlinebank.com (protected)
•   Online bank -> Attacker: Response (protected)
•   Attacker -> Browser: Response (unprotected)
•   Browser -> Attacker: http://www.onlinebank.com (unprotected), the victim never leaves plain HTTP
•   Attacker -> Online bank: https://www.onlinebank.com (protected), and so on for every request
DEMO

HTTP STRICT TRANSPORT SECURITY
•   Strict-Transport-Security: max-age=31536000; includeSubDomains
     • max-age specifies for how many seconds the policy stays in effect (31536000 = one year), counted from the last response that carried the header
     • includeSubDomains is optional and extends the policy to all sub-domains of the host
•   Instructs the browser to only communicate with that hostname over SSL/TLS: plain http:// URLs are rewritten to https:// before any request is sent
•   Fails hard on certificate errors
     • The user does not have the option to click through certificate warnings
•   The header is only honoured when it arrives over HTTPS; browsers ignore it in plain HTTP responses, so the very first visit is still unprotected


•   Browser support: Chrome 4+, Firefox 4+, Opera 12
Securing cookies

SESSION HIJACKING

SESSION HIJACKING EXPLAINED
•   Means getting access to a user's privileged session -> steal the session token
•   On the web, session tokens live in cookies
•   Protect the cookies!


•   Cookies can be marked with the "HttpOnly" flag -> makes them inaccessible to JavaScript (document.cookie); they won't be included in requests from
    applets either
•   Cookies can be marked with the "Secure" flag -> instructs the browser to only send them with HTTPS requests
•   HttpOnly stops script from reading the cookie, not from making requests that carry it, so it limits what an XSS can do rather than neutralising it

DEMO

X-Content-Type-Options: nosniff

IE MIME SNIFFING

IE MIME SNIFFING
•   HTTP responses include a header stating what type of content is included
     • E.g. Content-Type: text/html; charset=utf-8
•   To compensate for misconfigured servers and bad programming, IE introduced MIME sniffing back in the days (IE4): it inspects the body and may override the declared type
•   Some undesired side effects when IE guesses wrong: a file served as text or as an image can end up being rendered as HTML, with any script in it running in your origin
•   IE8 introduced the "X-Content-Type-Options: nosniff" header to disable the behaviour


•   Always serve your content with the correct content type, and the "X-Content-Type-Options: nosniff" header
•   Demo!
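A check that ties the header slides together (version headers, X-Frame-Options, Strict-Transport-Security, cookie flags, X-Content-Type-Options): it audits a raw response header block and lists what is missing or weak. This is an added example, not code from the talk or from NWebsec; the two sample responses are constructed, and the 30-day minimum for max-age is an assumption rather than a spec requirement.

```python
"""Audit the security headers of one HTTP response. Added example, not code from the
talk or from NWebsec; header names and values are the ones covered in the slides.
Both sample responses are constructed for the example."""
import re

FINGERPRINT_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")
MIN_HSTS_MAX_AGE = 30 * 24 * 3600   # assumption: anything shorter than 30 days is worth flagging

# Constructed: a typical default IIS/ASP.NET response before any hardening.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Content-Type: text/html; charset=utf-8
Set-Cookie: ASP.NET_SessionId=abc123; path=/
"""

# Constructed: the same response with the version headers removed and the talk's headers added.
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
Set-Cookie: ASP.NET_SessionId=abc123; path=/; Secure; HttpOnly
"""


def parse_headers(raw):
    """Raw header block -> list of (lowercased name, value). Duplicates are kept because
    Set-Cookie legitimately appears more than once."""
    pairs = []
    for line in raw.splitlines():
        if not line.strip() or line.startswith("HTTP/"):
            continue
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit(raw, over_https=True):
    """Return a list of findings; an empty list means every header from the talk is in place."""
    headers = parse_headers(raw)

    def values(name):
        return [v for n, v in headers if n == name]

    findings = []

    # Hygiene: version/fingerprint headers should not be there at all
    for name in FINGERPRINT_HEADERS:
        for value in values(name):
            findings.append("%s: %s fingerprints the server stack" % (name, value))

    # Clickjacking: X-Frame-Options (ALLOW-FROM also exists, in IE8+ and Firefox, for one origin)
    xfo = values("x-frame-options")
    if not xfo:
        findings.append("X-Frame-Options missing, page can be framed")
    elif xfo[0].upper() not in ("DENY", "SAMEORIGIN") and not xfo[0].upper().startswith("ALLOW-FROM "):
        findings.append("X-Frame-Options has an unrecognised value: %s" % xfo[0])

    # SSL stripping: HSTS only counts when it arrives over HTTPS
    hsts = values("strict-transport-security")
    if not over_https:
        if hsts:
            findings.append("Strict-Transport-Security sent over plain HTTP, browsers ignore it")
    elif not hsts:
        findings.append("Strict-Transport-Security missing")
    else:
        match = re.search(r"max-age\s*=\s*(\d+)", hsts[0], re.I)
        if not match:
            findings.append("Strict-Transport-Security without max-age is invalid")
        elif int(match.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append("Strict-Transport-Security max-age is only %s seconds" % match.group(1))

    # MIME sniffing
    if not any(v.lower() == "nosniff" for v in values("x-content-type-options")):
        findings.append("X-Content-Type-Options: nosniff missing")

    # Session hijacking: cookie flags
    for cookie in values("set-cookie"):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if "httponly" not in attrs:
            findings.append("cookie %s is readable from script (no HttpOnly)" % name)
        if over_https and "secure" not in attrs:
            findings.append("cookie %s will also be sent over HTTP (no Secure)" % name)
    return findings


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label + ":")
        for finding in audit(raw) or ["no findings"]:
            print("  -", finding)
```

Feed it the header block from a real response (for example the output of curl -sI) to see what a site actually sends; the over_https flag matters because a perfect-looking Strict-Transport-Security header on the HTTP side of the redirect does nothing.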

COST/BENEFIT OF SECURITY HEADERS

ADDING HEADERS IS EASY
•   Benefits
     • Usually a single line of code in any "webpage"
     • Can often be added through config (web server or framework), without touching application code
     • Prevents well known attacks


•   Cost
     • Low
     • CSP is the exception: getting rid of inline scripts and styles can require rewriting parts of existing applications

SOME REFERENCES
•   Blog: Security through HTTP response headers
     • http://www.dotnetnoob.com/2012/09/security-through-http-response-headers.html
•   The NWebsec security library for ASP.NET
     • http://nwebsec.codeplex.com/
•   The NWebsec demo site
     • http://www.nwebsec.com/
•   The application used for demo here
     • https://github.com/klings/Booster2013
@klingsen

THANK YOU!
Full-RAG: A modern architecture for hyper-personalization
Zilliz
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
Pixlogix Infotech
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
danishmna97
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Malak Abu Hammad
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
Alpen-Adria-Universität
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
tolgahangng
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
kumardaparthi1024
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
SOFTTECHHUB
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
Neo4j
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
KAMESHS29
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
shyamraj55
 

Recently uploaded (20)

Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
 

Securing your web application through HTTP headers

  • 1. SECURING YOUR WEB APPLICATION THROUGH HTTP HEADERS
    Booster — 14. March 2013
    André N. Klingsheim (@klingsen), AppSec AS
  • 2. OUTLINE
    • HTTP headers
    • Attacks and security headers
      • Cross site scripting (XSS) — Content Security Policy
      • Clickjacking — X-Frame-options
      • SSL stripping++ — HTTP Strict Transport Security
      • Session hijacking — Cookie security settings
      • MIME type attacks — X-Download-Options, X-Content-Type-options
  • 3. DEMO
  • 4. HYGIENE: VERSION HEADERS
    • Web servers and web application frameworks tend to include version headers in the HTTP responses
    • There really is no reason to leak this information to an attacker
    • Get rid of them and save the bandwidth!
    • Demo
  • 5. Cross site scripting (XSS): CONTENT SECURITY POLICY
  • 6. CROSS SITE SCRIPTING (XSS)
    • Reflected
      • User controlled data from the request is included in the response
    • Persistent
      • Attacker is able to store the attack server side, the stored attack is later included in response(s)
    • DOM based
      • Does not involve the server, happens on the client side
    - XSS (Cross Site Scripting) Prevention Cheat Sheet
    - OWASP Top 10 for JavaScript – A2: Cross Site Scripting – XSS
  • 7. DEMO
  • 8. CONTENT SECURITY POLICY (CSP)
    • Lets you specify a policy for where content in your webpages can be loaded from
    • Lets you put restrictions on script execution
    • Headers
      • Content-Security-Policy – Chrome 25
      • X-Content-Security-Policy – Firefox 4+
      • X-WebKit-Csp – WebKit browsers (Chrome/Safari)
    • W3C Candidate recommendation
      • Will end up being a proper standard!
  • 9. CSP DIRECTIVES
    • default-src — Specifies the default for other sources
    • script-src
    • style-src
    • object-src — plugins
    • img-src
    • media-src — video/audio
    • frame-src
    • font-src
    • connect-src
    • report-uri — Specifies where CSP violations can be reported
  • 10. CSP SOURCES (FOR THE DIRECTIVES)
    • 'none' — No content of this type is allowed (All directives)
    • 'self' — Content of this type can only be loaded from the same origin (no content from other sites) (All directives)
    • 'unsafe-inline' — Allows unsafe inline content.
      • Supported by style-src (inline css) and script-src (inline script)
    • 'unsafe-eval' — Allows script functions considered unsafe (such as eval())
      • Supported by script-src
    • And you can specify custom sources:
      • * — Allow content from anywhere
      • https: — Scheme only, load only content served over https
      • *.nwebsec.com — Wildcard host, allow content from any nwebsec.com sub-domain.
      • www.nwebsec.com:81 — You can specify a port number
      • https://www.nwebsec.com — You can also specify an absolute URI for a host (path has no effect though)
  • 11. AND THEN IT ALL COMES TOGETHER
    • Content-Security-Policy: default-src 'self'; script-src 'self' scripts.nwebsec.codeplex.com
    • This policy sets a default source of 'self' for all directives.
    • script-src defines its own sources, replacing the default (hence the inclusion of 'self')
    • In effect, scripts, stylesheets, images, flash animations, Java applets etc. can only be loaded from the same origin as the page
    • Scripts can also be loaded from scripts.nwebsec.codeplex.com
    • This policy denies inline scripts and CSS!
  • 12. THE "SPECIAL" SOURCES
    • 'unsafe-inline' can allow inline scripts (script-src) and styles (style-src)
    • 'unsafe-eval' allows certain JavaScript functions considered high risk (eval())
    • Use these special sources with care
  • 13. CSP REPORTING
    • You can specify a "report-uri" in the CSP header
      • Must be a relative URI
      • Will post violation reports as JSON back to the web application
    • Content-Security-Policy-Report-Only
      • Will not block scripts or resources violating the policy
      • Will report them to the web application
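As an added example (not code from the talk or from NWebsec), a small Python matcher that applies the directive fallback of slide 11 and the source expressions of slide 10, so a policy can be checked offline before it ships. It ignores paths (slide 10) and, as in CSP 1.0, a host source without a scheme only matches the page's own scheme; the nwebsec.com hosts in the tests are taken from the slides.

```python
# Added example (not from the slides or NWebsec): a CSP 1.0-style matcher for the
# directives and source expressions on slides 9-12, to test a policy offline.
# Simplified: paths are ignored (slide 10) and a host source without a scheme
# only matches the page's own scheme.
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def parse_csp(header):
    """'default-src 'self'; script-src a b' -> {'default-src': ["'self'"], ...}"""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def _origin(url):
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme)

def source_matches(source, resource_url, page_url):
    """Does one source expression from slide 10 permit loading resource_url?"""
    r_scheme, r_host, r_port = _origin(resource_url)
    if source == "'self'":
        return _origin(page_url) == (r_scheme, r_host, r_port)
    if source.startswith("'"):  # 'none', 'unsafe-inline', 'unsafe-eval' never match a URL
        return False
    if source == "*":
        return True
    if source.endswith(":") and "://" not in source:  # scheme only, e.g. "https:"
        return r_scheme == source[:-1].lower()
    scheme, _, rest = source.rpartition("://")  # [scheme://]host[:port][/path]
    if scheme:
        if scheme.lower() != r_scheme:
            return False
    elif r_scheme != _origin(page_url)[0]:
        return False
    host, _, port = rest.split("/", 1)[0].lower().partition(":")
    if (int(port) if port else DEFAULT_PORTS.get(r_scheme)) != r_port:
        return False
    if host.startswith("*."):  # any sub-domain of the domain, not the bare domain
        return r_host.endswith(host[1:])
    return r_host == host

def allowed(policy, directive, resource_url, page_url):
    """Slide 11 rule: a directive that is present replaces default-src entirely."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:  # neither set: CSP imposes no restriction on this type
        return True
    return any(source_matches(s, resource_url, page_url) for s in sources)

def inline_allowed(policy, directive):
    """Inline script/style (slide 12) needs 'unsafe-inline' in the effective sources."""
    sources = policy.get(directive, policy.get("default-src"))
    return sources is None or "'unsafe-inline'" in sources
```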
  • 14. XSS SUMMARIZED
    • Make sure you validate your inputs
    • Make sure you encode everything you output
      • Input to the web application
      • Data from backend systems
      • EVERYTHING!
    • Use CSP as an extra level of defense, it's not the cure!
  • 16. CLICKJACKING
    • A malicious site loads the vulnerable site in an iframe
    • The iframe is invisible, and positioned in front of something the user is likely to click on
    • The user clicks on what appears to be an element on the malicious site
    • The user really clicks in the iframe, triggering some operation on the vulnerable site
  • 17. CLICKJACKING DEMO (diagram labels: Vulnerable site, Evil site, "Delete something!", "Click me!")
  • 18. FRAMESNIFFING
    • You can specify a URL with an anchor when loading an iFrame
    • Browsers would scroll to the anchor tag, or the html element with the relevant id attribute
    • This scrolling can be detected with JavaScript
    • Note: Vulnerability has been fixed in latest versions of browsers
  • 19. X-FRAME-OPTIONS
    • X-Frame-Options: Deny | SameOrigin
    • Instructs the browser to not display the page in a frame
    • When the page isn’t displayed, there’s nothing to click on!
    • Browser support: Opera 10.5, Chrome 4.1, IE 8, Firefox 3.6.9, Safari 4
    • Remember: The request is still sent to — and processed by — the web server!
  • 20. X-FRAME-OPTIONS SEQUENCE DIAGRAM (participants: Attacker, Target)
  • 22. HTTPS STRIPPING EXPLAINED
    • "Secure" websites use SSL/TLS to preserve the confidentiality and integrity of the communication with a browser
    • For usability, "secure" websites are still accessible through insecure channels (HTTP on port 80)
      • They’ll redirect the user to HTTPS
      • User enters www.onlinebank.com — and is redirected to https://www.onlinebank.com
    • The very first request is insecure, and open to attack!
    • SSL stripping is a middleperson attack
      • Attacker keeps the victim on HTTP, but passes requests on over HTTPS to the target website
    • Practical attack demoed at Black Hat in 2009 (sslstrip) http://www.thoughtcrime.org/software/sslstrip/
  • 23. HOW "SECURE BROWSING" USUALLY WORKS (sequence diagram: browser requests www.onlinebank.com (unprotected); Online bank answers with Redirect: https://www.onlinebank.com (unprotected); browser then requests https://www.onlinebank.com (protected))
  • 24. HTTPS STRIPPING (sequence diagram: browser and Attacker exchange http://www.onlinebank.com requests and responses (unprotected); Attacker and Online bank exchange https://www.onlinebank.com requests and responses (protected))
  • 25. DEMO
  • 26. HTTP STRICT TRANSPORT SECURITY
    • Strict-Transport-Security: max-age=31536000; includeSubDomains
      • Max-age specifies for how many seconds the policy should be in effect
      • includeSubDomains — optional
    • Instructs the browser to only communicate to that hostname over SSL/TLS
    • Fails hard on certificate errors
      • The user does not have the option to click through certificate warnings
    • Browser support: Chrome 4+, Firefox 4+, Opera 12
  • 28. SESSION HIJACKING EXPLAINED
    • Means getting access to a user's privileged session -> steal session tokens
    • On the web, session tokens mean cookies
    • Protect the cookies!
    • Cookies can be marked with the "httpOnly" flag -> makes them inaccessible to JS, they won't be included in requests from applets.
    • Cookies can be marked with the "secure" flag -> instructs the browser to only send them with HTTPS requests
  • 29. DEMO
  • 31. IE MIME SNIFFING
    • HTTP responses include a header stating what type of content is included
      • E.g. Content-Type: text/html; charset=utf-8
    • To compensate for misconfigured servers and bad programming, IE introduced MIME sniffing back in the day (IE4)
    • Some undesired side effects when IE guesses wrong
    • They introduced the "X-Content-Type-Options: nosniff" header in IE9 to disable the behaviour
    • Always serve your content with the correct content type, and the "X-Content-Type-Options" header
    • Demo!
  • 33. ADDING HEADERS IS EASY
    • Benefits
      • Usually a single line of code in any "webpage"
      • Can often be added through config
      • Prevents well known attacks
    • Cost
      • Low
      • CSP can be expensive, might require rewrite of existing applications
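As an added example (not code from the talk or from NWebsec), a Python audit of a raw HTTP response head that checks the hygiene and protections from slides 4, 19, 26, 28 and 31 in one pass: version headers, X-Frame-Options, HSTS max-age, cookie flags and X-Content-Type-Options. The SAMPLE response is constructed for the example and not captured from any real site.

```python
# Added example (not part of the slides or NWebsec): audits a raw HTTP response
# head for the leaks and missing protections from slides 4, 19, 26, 28 and 31.
# SAMPLE below is a constructed response, not captured from any real site.
import re

# Slide 4: headers that only serve to announce the server stack
VERSION_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")

def parse_head(raw):
    """Split a raw response head into (status_line, [(name_lower, value), ...])."""
    status, _, rest = raw.partition("\r\n")
    headers = []
    for line in rest.split("\r\n"):
        if not line:  # the blank line ends the head; anything after is body
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers

def audit(raw):
    """Return the findings for one response; an empty list means all checks passed."""
    _, headers = parse_head(raw)
    first = {}
    for name, value in headers:  # keep the first value of each header
        first.setdefault(name, value)
    findings = []
    for name in VERSION_HEADERS:  # a bare product name in Server is tolerated
        if name in first and (name != "server" or re.search(r"\d", first[name])):
            findings.append(f"version leak: {name}: {first[name]}")
    # Slide 19: framing denied or restricted to the same origin
    if first.get("x-frame-options", "").lower() not in ("deny", "sameorigin"):
        findings.append("X-Frame-Options is not Deny or SameOrigin")
    # Slide 26: HSTS needs max-age; includeSubDomains is optional
    m = re.search(r"max-age=(\d+)", first.get("strict-transport-security", ""), re.I)
    if not m:
        findings.append("missing Strict-Transport-Security max-age")
    elif int(m.group(1)) == 0:
        findings.append("Strict-Transport-Security max-age=0 clears the policy")
    # Slide 31: stop IE from sniffing the content type
    if first.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    # Slide 28: every cookie should carry both httpOnly and secure
    for name, value in headers:
        if name == "set-cookie":
            cookie = value.split("=", 1)[0].strip()
            attrs = {a.strip().lower() for a in value.split(";")[1:]}
            for flag in ("httponly", "secure"):
                if flag not in attrs:
                    findings.append(f"cookie {cookie} lacks {flag}")
    return findings

SAMPLE = (  # constructed for this example
    "HTTP/1.1 200 OK\r\n"
    "Server: ExampleServer/1.2\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "X-Frame-Options: SameOrigin\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: ASP.NET_SessionId=abc123; path=/; HttpOnly\r\n"
    "Content-Type: text/html; charset=utf-8\r\n\r\n<html>..."
)
```

Running `audit(SAMPLE)` reports both version headers, the missing nosniff header and the session cookie lacking the secure flag.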
  • 34. SOME REFERENCES
    • Blog: Security through HTTP response headers
      • http://www.dotnetnoob.com/2012/09/security-through-http-response-headers.html
    • The NWebsec security library for ASP.NET
      • http://nwebsec.codeplex.com/
    • The NWebsec demo site
      • http://www.nwebsec.com/
    • The application used for demo here
      • https://github.com/klings/Booster2013