Web Application Security Headers (Part 2)
Marek Puchalski
marek.puchalski@capgemini.com
marek.puchalski@owasp.org
https://marek.puchal.ski
Table of Contents
• HTTP Headers
• Transport Layer Security (TLS/SSL)
• HTTP Strict Transport Security
• HTTP Public Key Pinning
HTTP HEADERS
HTTP Headers
GET http://oasp-ci.cloudapp.net/oasp4j-sample/services/rest/offermanagement/v1/offer HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:37.0) Gecko/20100101 Firefox/37.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
X-CSRF-TOKEN: fcbfc729-15d2-4f04-8e50-082f20cb2dfb
Referer: http://oasp-ci.cloudapp.net/oasp4j-sample/jsclient/
Cookie: JSESSIONID=F340544E6AE9078812ECF61139D03C7B
Connection: keep-alive
Host: oasp-ci.cloudapp.net
HTTP request
HTTP/1.1 200 OK
Date: Sat, 11 Jul 2015 20:28:36 GMT
Server: Apache-Coyote/1.1
Content-Type: application/json;charset=UTF-8
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
[{"id":1,"modificationCounter":1,"revision":null,"name":null,"description":"Schnitzel-Menü","number":null,"mealId":1,"drinkId":10,"sideDishId":5,"state":"NORMAL","price":"6.99"},{"id":2,"modificationCounter":1, (…)
HTTP response
Facts about HTTP Headers
• Headers can be used to steer browser (and application) behaviour
• You can define your own headers
• If the browser does not know or support a header, it ignores that header
• Response headers are client-side controls that are implemented on the server side
Security-relevant Headers (after OWASP ASVS v3.0)
• V9.4 Level 1: Cache-Control
• V10.11 Level 1: HTTP Strict Transport Security (HSTS)
• V11.4 Level 2 and V11.7 Level 1: Content Security Policy (CSP)
• V11.6 Level 1: X-Content-Type-Options, Content-Disposition
• V11.8 Level 1: X-XSS-Protection
• V10.10 Level 3: HTTP Public Key Pinning
• V11.10 Level 2: X-Frame-Options (deprecated)
TRANSPORT LAYER SECURITY (TLS/SSL)
TLS/SSL
• TLS is the S in HTTPS ;)
• It gives us the following things:
– Confidentiality - an adversary can't see unencrypted data
– Integrity - an adversary can't change data undetected
– Authentication - we know which server we are connected to
Why TLS?
• Because the world is cruel
„Any unencrypted traffic, visible to an adversary, is not just an information leak, but an attack vector they can use to exploit your systems.”
Nick Weaver
• Current state of the art: encrypt everything
Need to know more?
• Advanced HTTPS Defense Strategies (Jim Manico)
• YouTube: https://www.youtube.com/watch?v=uix4f45VndQ
• Presentation: http://www.slideshare.net/proidea_conferences/jim-manico-advanced-https-defense-strategies
HTTP STRICT TRANSPORT SECURITY (HSTS)
Threats addressed by HSTS
• Passive network attackers - eavesdropping on unencrypted communication. Even more dangerous when the environment allows non-secure cookies.
• Active network attackers - TLS stripping, or an invisible proxy relying on the user to accept the flawed certificate.
• Web site development and deployment bugs - the page loads additional resources over an insecure connection (mixed content).
Without HSTS: mixed content example
Without HSTS: insecure redirect
With HSTS: secure redirect
Without HSTS: insecure choice
With HSTS: secure… lack of other choices
HSTS Header
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
• max-age - how long insecure requests are forbidden (in seconds)
• includeSubdomains - whether subdomains should also be included (optional)
• preload - allows HSTS to be hardcoded in the browsers. Solves the "trust on first use" (TOFU) problem: without it, the very first request to the site can still go out over plain HTTP. HSTS for a domain can be registered on hstspreload.appspot.com (optional)
What can go wrong?
• Want to go back to HTTP? No way...
• Your subdomains do not support HTTPS and you turned includeSubdomains on.
HSTS and Security Standards
• OWASP ASVS v3.0 V10.11: Verify that HTTP Strict Transport Security headers are included on all requests and for all subdomains, such as Strict-Transport-Security: max-age=15724800; includeSubdomains
• OWASP ASVS v3.0 V10.12: Verify that the production website URL has been submitted to the preloaded list of Strict Transport Security domains maintained by web browser vendors.
How many sites use HSTS?
(chart: HSTS present vs. HSTS missing)
Source: https://scotthelme.co.uk/alexa-top-1-million-crawl-aug-2016/ (August 2016)
Browser support for HSTS
(chart: browser support)
Source: http://caniuse.com/#feat=stricttransportsecurity
Enforce HSTS (and HPKP) in Chrome
chrome://net-internals/#hsts
HTTP PUBLIC KEY PINNING
PKI in a nutshell (you and the RA/CA)
• You create a public/private key pair
• You fill in some data
• You create a CSR and send it to the RA (CA)
• The CA sends back the signed certificate
• Profit
Question: Which CA should you buy certificates from?
• Let’s Encrypt – because it’s free, automated and open :)
• But honestly, it does not matter. Any CA recognized by your browser can give you technically the same thing – a signed certificate.
Question: What can happen if a CA gets hacked?
• One could fabricate certificates for EVERY domain on the internet. (Security of the WHOLE INTERNET is in danger)
„If a company can ‚put the entire Internet at risk’ (…) the system is fundamentally flawed.”
https://news.ycombinator.com/item?id=9253676
Question: How often did CAs fail in the past?
• 2011, Comodo got hacked
• 2011, DigiNotar got hacked, the certificates were used to attack Iranian Google users, the company went bankrupt...
• 2013, This time: the French government...
• 2013, Trustwave selling an intermediate CA cert to a private company
• 2015, MCS Holdings...
HPKP Header
Public-Key-Pins: pin-sha256=<hash1>; pin-sha256=<hash2>; max-age=2592000; report-uri=<uri>; includeSubdomains
• pin-sha256 - base64-encoded SHA-256 hash of a public key; it can be taken from your own certificate, any certificate in the chain or even a CSR.
• max-age - how long the pinned keys must be served (in seconds).
• report-uri - report violations to this URI. Usually not the same URI as the target system.
• includeSubdomains - all subdomains must use the same pins.
Generate hashes
• For the certificate:
openssl rsa -pubout -in pub.key -outform der | openssl dgst -sha256 -binary | base64
• For the CSR:
openssl req -noout -in my.csr -pubkey | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | base64
☠ DANGER ☠
It is very easy to get HPKP wrong. And if you do get it wrong, you will run a DoS against your own system: browsers that cached the old pins refuse every connection until max-age expires.
Good practice:
• Pin at least your certificate, CSR and a backup CSR.
• If you don't pin CSRs, pin at least two certificates (one backup) and don't forget to order and activate new certificates at least max-age before they expire.
• NOTE: HPKP has the TOFU (trust on first use) problem
Good News
• There is also a Public-Key-Pins-Report-Only header, which has the same syntax as HPKP but only reports. Good for testing purposes.
HPKP and Security Standards
• OWASP ASVS v3.0 V10.10: Verify that TLS certificate public key pinning is implemented with production and backup public keys.
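As an added example (not code from the slides), the Python below reproduces the openssl pipeline from the "Generate hashes" slide (SHA-256 over the DER SubjectPublicKeyInfo, base64-encoded) and checks Strict-Transport-Security and Public-Key-Pins values against the rules on the HSTS and HPKP slides: includeSubdomains, a sensible max-age, a backup pin and a report-uri. The max-age thresholds, the toy moduli and the report URL are assumptions, and the DER encoder is a minimal one for RSA keys only.

```python
import base64
import binascii
import hashlib

# Assumed thresholds: the ASVS v3.0 example uses 15724800; the browser preload list wants a year.
HSTS_MIN_MAX_AGE = 15724800
PRELOAD_MIN_MAX_AGE = 31536000
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1

def der_tlv(tag, body):
    """DER tag, definite length, value."""
    if len(body) < 0x80:
        length = bytes([len(body)])
    else:
        lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def der_integer(n):
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:  # leading zero keeps the INTEGER positive
        body = b"\x00" + body
    return der_tlv(0x02, body)

def rsa_spki_der(modulus, exponent):
    """The SubjectPublicKeyInfo bytes that `openssl rsa -pubout -outform der` emits."""
    rsa_public_key = der_tlv(0x30, der_integer(modulus) + der_integer(exponent))
    algorithm = der_tlv(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")  # rsaEncryption, NULL params
    subject_public_key = der_tlv(0x03, b"\x00" + rsa_public_key)  # 0 unused bits
    return der_tlv(0x30, algorithm + subject_public_key)

def pin_sha256(spki_der):
    """What `openssl dgst -sha256 -binary | base64` prints for the DER SPKI."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def parse_directives(value):
    """'a=1; b; c="x"' -> [('a', '1'), ('b', ''), ('c', 'x')]; repeated names are kept."""
    pairs = []
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            pairs.append((name.strip().lower(), val.strip().strip('"')))
    return pairs

def check_hsts(value):
    """Findings for a Strict-Transport-Security value; an empty list means OK."""
    d = dict(parse_directives(value))
    if not d.get("max-age", "").isdigit():
        return ["max-age missing or not a number"]
    max_age = int(d["max-age"])
    findings = []
    if max_age == 0:
        findings.append("max-age=0 switches HSTS off (only meant for a rollback)")
    elif max_age < HSTS_MIN_MAX_AGE:
        findings.append("max-age below %d seconds" % HSTS_MIN_MAX_AGE)
    if "includesubdomains" not in d:
        findings.append("includeSubdomains not set (ASVS V10.11 expects it)")
    if "preload" in d and ("includesubdomains" not in d or max_age < PRELOAD_MIN_MAX_AGE):
        findings.append("preload needs includeSubdomains and max-age of at least one year")
    return findings

def check_hpkp(value, report_only=False):
    """Findings for Public-Key-Pins (or -Report-Only); an empty list means OK."""
    pairs = parse_directives(value)
    pins = [v for k, v in pairs if k == "pin-sha256"]
    others = dict(pairs)
    findings = []
    for p in pins:
        try:
            valid = len(base64.b64decode(p, validate=True)) == 32
        except binascii.Error:
            valid = False
        if not valid:
            findings.append("pin is not a base64 SHA-256 digest: %r" % p)
    if len(set(pins)) < 2:
        findings.append("fewer than two distinct pins: no backup, losing the key locks clients out")
    if not report_only and not others.get("max-age", "").isdigit():
        findings.append("max-age missing: browsers ignore the header")
    if "report-uri" not in others:
        findings.append("no report-uri: violations are never reported")
    return findings

def build_hpkp_header(pins, max_age, report_uri=None, include_subdomains=False):
    """Assemble the header from the slide: pins first, then max-age and the options."""
    parts = ['pin-sha256="%s"' % p for p in pins] + ["max-age=%d" % max_age]
    if report_uri:
        parts.append('report-uri="%s"' % report_uri)
    if include_subdomains:
        parts.append("includeSubdomains")
    return "; ".join(parts)

# Constructed toy moduli, NOT real RSA keys; the encoder and the hash do not care.
TOY_PROD_N = int.from_bytes(hashlib.sha256(b"production").digest() * 8, "big") | (1 << 2047) | 1
TOY_BACKUP_N = int.from_bytes(hashlib.sha256(b"backup").digest() * 8, "big") | (1 << 2047) | 1
```

Because the pin covers only the public key, a renewed certificate issued for the same key keeps the same pin, which is why pinning a CSR (the key) rather than a certificate survives renewal.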
How many sites use HPKP?
(chart: HPKP present vs. HPKP missing)
Source: https://scotthelme.co.uk/alexa-top-1-million-crawl-aug-2016/ (August 2016)
Browser support for HPKP
Source: http://caniuse.com/#feat=publickeypinning
QUESTIONS?
marek.puchalski@capgemini.com
marek.puchalski@owasp.org
[Wroclaw #4] Web Application Security Headers-2 (HSTS, HPKP)