Care & Feeding of Programmers: Addressing App Sec Gaps using HTTP Headers. Sunny Wear OWASP Tampa Chapter December

Transcription

1 Care & Feeding of Programmers: Addressing App Sec Gaps using HTTP Headers Sunny Wear OWASP Tampa Chapter December 1

2 About the Speaker Security Architect Areas of Network and Data Security Architecture Author Secure Coding Field Manual available on Amazon Educator/Mentor/Coach/Consultant: Secure Coding Code Analysis Manual Security Code Reviews Secure Designs and Architecture Principles Programmer understanding of Tests Results 2

3 2013 celebrity photo hack Apple icloud (hack occurring in 2013) Naked celebrity photos 3

4 What is SOP? Same Origin Policy Web Security Model Policy enforced by browser Constrained to origin: protocol, port, hostname h\ps://developer.mozilla.org/en-us/docs/web/security/same-origin_policy 4

5 SOP Protects foreign requests from in your session as long as the foreign request is coming from a different origin. Example: 1) User logged into h\ps://mybank.com 2) Opens tab to vulnerable site which has planted XSS; The XSS injects malicious iframe into user s session in other tab: h\ps://mybank.com 3) SOP stops this a\empt (different hostname, different protocol) 5

6 SOP Caveat SOP is great however, it will NOT protect you against externally referenced images, styles and scripts! External scripts are allowed by SOP! Why? SOP sees does not view these components (js, img, css) as data so allows access to foreign sites and their 6

7 Bypassing SOP Implement any (e.g., Click bu\ons) on the user s behalf Using JSONp, see BlackHat Europe 2014 Talk by Ben Hayak CallBacks Legi@mately used by Google and others to share data Can become the injec@on points for an a\acker Any page on the domain becomes vulnerable 7

8 Defenses & Countermeasures Content Security Policy Secure HTTP Headers HTML5 8

9 What is Content Security Policy? Content Security Policy (CSP) is a whitelist you can define in your web applica@on to authorize the execu@on of scripts Delivered via HTTP Header (configure web server or programma@cally add) Allows whitelis@ng of approved sources of content that browser may load including JavaScript and Cascading Stylesheets Its like a cheap/poor man s version of a Web Applica@on Firewall (WAF) for injec@on-related a\acks 9

10 Why should I care about Content Security Policy? Effec@ve countermeasure to XSS a\acks, which usually lead to CSRF a\acks Protects the DOM, prevents data leakage, protects against AJAX a\acks Protects against externally referenced images, styles and scripts which Same Origin Policy (SOP) does not do Protects against iframe injec@on (i.e., clickjacking) 10

11 Can I see an example of CSP? Example: This CSP specifics that only content from this website is allowed to execute, including externally referenced images, styles and scripts 11

12 Are there cost-efficiencies to be gained by using CSP? YES! CSP protects your web and all subdomains (so long as you specify). This means it will protect areas of your web inadvertently missed by programmers in their techniques. It will protect areas of your web where may reside that are not detected by your code analyzer (e.g., HP It will protect areas of your web inadvertently not tested by web app pen-testers CSP provides techniques that can save money in the following areas: Pen-test costs, including QA and Deployment costs code analyzer development costs related to a\acks (SQLi, iframe, clickjacking, XSS, etc.) 12

13 How do I implement CSP? Several Op@ons Available including the following: 1. IIS Configura@on 2. Apache Configura@on 3. Programma@cally Any programming language providing the ability to set HTTP Response headers can be used Example shown is Java: Full Java Servlet example here: h\ps:// 13

14 What are available in CSP? 14

15 If I implement CSP, will my web page code break? Any inline JS or inline CSS calls would be broken unless you use direc@ve but I recommend against using the direc@ve since it will allow a\acker-controlled scripts to execute on your website. You can use a nonce or hashed-values for inline JS or CSS excep@ons, if you like. Any exis@ng inline JS or inline CSS needs to be externalized to a JS or CSS file and referenced in your web page by using the explicit <script> tags. For example, if you have a block of JS code for Google Analy@cs, you would have to create an external file and reference it like this: <script src="/assets/js/ga.min.js"></script> Also, any inline event handlers like onclick"domystuff();" have to be removed and replaced with addeventlistener() calls instead. 15

16 What does CSP look like from a client browser perspec@ve? 16

17 Which browsers are with CSP headers? Full table here: h\p://caniuse.com/contentsecuritypolicy 17

18 Can I watch a demo to see how CSP works? Yes! 18

19 Are there other HTTP Response Headers available that can protect my web Yes! In to Content-Security-Policy, you may add these securityrelated HTTP Response Headers: HTTP Strict Transport Security To ensure that users of your site must always use HTTPS, add this header. It will even work on old bookmarks, forcing users to instead use HTTPS. HTTP Public Key Pinning To ensure that only YOUR server s TLS digital cer@ficate is authorized for client browsers to trust, add this header. This prevents a\acker-controlled cer@ficates for your server (should the CA be compromised) from being accepted by clients. X-Frame Op;ons To ensure that no malicious iframes are loaded or executed on your website; protects against clickjacking a\ack. X-XSS Protec;on Ensures the use of built-in browser protec@on against XSS a\acks. Sewngs are 0 (disable) and 1 (enable) with a telling the browser to block the execu@on of a script if it detects an a\ack. X-Content-Type Op;ons Provides the direc@ve the sniffing of the mime-type for an uploaded file. By not allowing this sniff to occur, this mi@gates spoofing of the content-type to circumvent whitelis@ng techniques within the applica@on code. 19

20 X-FRAME Header SAMEORIGIN DENY (Recommended) ALLOW-FROM: <explicit domain> h\ps:// List_of_useful_HTTP_headers Protects against Clickjacking of iframes) 20

21 HTML 5 Whitelis@ng Never allow client-side callback func@ons Whitelist callback domains, redirects always on server-side 21

22 References BlackHat 2014 Talk: Same Origin Method (Ben Hayak): h\ps:// Defcon 21 Talk: How to use CSP to stop XSS (Ken Lee): h\ps:// 22