SlideShare a Scribd company logo

Protecting Java EE Web Apps with Secure HTTP Headers

Frank Kim
Frank Kim
Technology
1 of 46
Download to read offline
Protec'ng  Java  EE  Web  Apps   with  Secure  HTTP  Headers   JavaOne  2012   1  
About   •  Frank  Kim   –  Consultant,  ThinkSec   –  Author,  SANS  Secure  Coding  in  Java   –  SANS  Applica'on  Security  Curriculum  Lead   •  Shout  out   –  Thanks  to  Jason  Lam  who  co-­‐authored  these  slides   2  
JavaOne  Rock  Star   3  
Outline   •  XSS   •  Session  Hijacking   •  Clickjacking   •  Wrap  Up   4  
Cross-­‐Site  Scrip'ng  (XSS)   •  Occurs  when  unvalidated  data  is  rendered  in   the  browser   •  Types  of  XSS   –  Reflected   –  Stored   –  Document  Object  Model  (DOM)  based   5  
    XSS  Demo   6  
HYpOnly  Flag   •  Ensures  that  the  Cookie  cannot  be  accessed   via  client  side  scripts  (e.g.  JavaScript)   –  Set  by  default  for  the  JSESSIONID  in  Tomcat  7   •  Configure  in  web.xml  as  of  Servlet  3.0   <session-config> <cookie-config> <http-only>true</http-only> </cookie-config> </session-config> •  Programma'cally   String cookie = "mycookie=test; Secure; HttpOnly"; response.addHeader("Set-Cookie", cookie); 7  
X-­‐XSS-­‐Protec'on   •  Blocks  common  reflected  XSS   –  Enabled  by  default  in  IE,  Safari,  Chrome   –  Not  supported  by  Firefox   •  Bug  528661  open  to  address   •  X-­‐XSS-­‐Protec'on:  1   –  Browser  modifies  the  response  to  block  XSS   •  X-­‐XSS-­‐Protec'on:  0   –  Disables  the  XSS  filter   •  X-­‐XSS-­‐Protec'on:  1;  mode=block   –  Prevents  rendering  of  the  page  en'rely   8  
Java  Code   •  X-­‐XSS-­‐Protec'on:  1   response.addHeader("X-XSS-Protection", "1"); •  X-­‐XSS-­‐Protec'on:  0   response.addHeader("X-XSS-Protection", "0"); •  X-­‐XSS-­‐Protec'on:  1;  mode=block   response.addHeader("X-XSS-Protection", "1; mode=block"); 9  
    X-­‐XSS-­‐Protec'on  Demo   10  
Content  Security  Policy   •  Helps  mi'gate  reflected  XSS   –  Originally  developed  by  Mozilla   –  Currently  a  W3C  draf   •  hYps://dvcs.w3.org/hg/content-­‐security-­‐policy/raw-­‐ file/'p/csp-­‐specifica'on.dev.html   •  Supported  browsers   –  Firefox  and  IE  10  using  X-­‐Content-­‐Security-­‐Policy   –  Chrome  and  Safari  using  X-­‐WebKit-­‐CSP  header   11  
CSP  Requirements   •  No  inline  scripts   –  Can't  put  code  in  <script>  blocks   –  Can't  do  inline  event  handlers  like            <a onclick="javascript"> •  No  inline  styles   –  Can't  write  styles  inline   12  
CSP  Direc'ves   •  default-­‐src   •  script-­‐src   •  object-­‐src   •  style-­‐src   •  img-­‐src   •  media-­‐src   •  frame-­‐src   •  font-­‐src   •  connect-­‐src   13  
CSP  Examples   1)  Only  load  resources  from  the  same  origin   X-Content-Security-Policy: default-src 'self' 2)  Example  from  mikewest.org   x-content-security-policy: default-src 'none'; style-src https://mikewestdotorg.hasacdn.net; frame-src https://www.youtube.com http://www.slideshare.net; script-src https://mikewestdotorg.hasacdn.net https://ssl.google-analytics.com; img-src 'self' https://mikewestdotorg.hasacdn.net https://ssl.google-analytics.com data:; font-src https://mikewestdotorg.hasacdn.net 14  
Report  Only   •  Facebook  Example   x-content-security-policy-report-only: allow *; script-src https://*.facebook.com http://*.facebook.com https://*.fbcdn.net http://*.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:*; options inline-script eval-script; report-uri https://www.facebook.com/csp.php 15  
    Content  Security  Policy  Demo   16  
Outline   •  XSS   •  Session  Hijacking   •  Clickjacking   •  Wrap  Up   17  
Session  Hijacking   mybank.com   Vic'm   Internet" Public WiFi " Network" 1)  Vic'm  goes  to  mybank.com  via  HTTP   AYacker   18  
Session  Hijacking   mybank.com   Vic'm   Internet" Public WiFi " Network" 2)  A:acker  sniffs  the  public  wifi  network  and   AYacker   steals  the  JSESSIONID   19  
Session  Hijacking   mybank.com   Vic'm   Internet" Public WiFi " Network" 3)  A:acker  uses  the  stolen  JSESSIONID   AYacker   to  access  the  vic'm's  session   20  
Secure  Flag   •  Ensures  that  the  Cookie  is  only  sent  via  SSL   •  Configure  in  web.xml  as  of  Servlet  3.0   <session-config> <cookie-config> <secure>true</secure> </cookie-config> </session-config> •  Programma'cally   Cookie cookie = new Cookie("mycookie", "test"); cookie.setSecure(true); 21  
Strict-­‐Transport-­‐Security   •  Tells  browser  to  only  talk  to  the  server  via  HTTPS   –  First  'me  your  site  accessed  via  HTTPS  and  the  header   is  used  the  browser  stores  the  cer'ficate  info   –  Subsequent  requests  to  HTTP  automa'cally  use  HTTPS   •  Supported  browsers   –  Implemented  in  Firefox  and  Chrome   –  Currently  an  IETF  draf     Strict-Transport-Security: max-age=seconds [; includeSubdomains] 22  
Outline   •  XSS   •  Session  Hijacking   •  Clickjacking   •  Wrap  Up   23  
Clickjacking   •  Tricks  the  user  into  clicking  a  hidden  buYon   –  User  has  no  idea  the  buYon  was  clicked   •  Works  by  concealing  the  target  site  site   –  Vic'm  site  placed  in  an  invisible  iframe   –  AYacker  site  overlays  the  vic'm  site   Image  source:  hYp://seclab.stanford.edu/websec/framebus'ng/framebust.pdf    
    Clickjacking  Demo   25  
Clickjacking  Code   •  Put  the  vic'm  in  an  invisible  iframe     <iframe id="attacker" width=1000 height=400 src="http://victim" style="opacity:0.0; position:absolute;left:10;bottom:100"> </iframe>   26  
Adobe  Flash  Example   •  Clickjacking  discovered  by  Jeremiah  Grossman   &  Robert  "Rsnake"  Hansen   •  Showed  how  to  use  Flash  to  spy  on  users   –  Use  Clickjacking  to  trick  users  into  enabling  the   mic  and  camera  via  Flash   27  
Facebook  Example   •  The  "best  passport  applica'on  rejec'on  in   history"  became  popular  on  Facebook   28  
Facebook  Like  Code   <div style="overflow:hidden; width:10px; height:12px; filter:alpha(opacity=0); -moz-opacity:0.0; -khtml-opacity: 0.0; opacity:0.0; position:absolute;" id="icontainer"> <iframe src"http://www.facebook.com/plugins/like.php? href=http://credittreport.info/the-best-passport- application-rejection-in-history.html&amp; layout=standard&amp;show_faces=false&amp;width=450&amp;act ion=like&amp;font=tahoma&amp;colorscheme=light&amp;height= 80" scrolling="no" frame border="0" style="border:none; overflow:hidden;width:50px; height:23px;" allowTransparency="true" id="likee" name="likee"> </iframe> </div> Source:  hYps://isc.sans.edu/diary.html?storyid=8893    
Facebook  Like  Code   <div style="overflow:hidden; width:10px; height:12px; filter:alpha(opacity=0); -moz-opacity:0.0; -khtml-opacity: 0.0; opacity:0.0; position:absolute;" id="icontainer"> <iframe src"http://www.facebook.com/plugins/like.php? href=http://credittreport.info/the-best-passport- application-rejection-in-history.html&amp; layout=standard&amp;show_faces=false&amp;width=450&amp;act ion=like&amp;font=tahoma&amp;colorscheme=light&amp;height= 80" scrolling="no" frame border="0" style="border:none; overflow:hidden;width:50px; height:23px;" allowTransparency="true" id="likee" name="likee"> </iframe> </div> Source:  hYps://isc.sans.edu/diary.html?storyid=8893    
Facebook  Like  Code   <div style="overflow:hidden; width:10px; height:12px; filter:alpha(opacity=0); -moz-opacity:0.0; -khtml-opacity: 0.0; opacity:0.0; position:absolute;" id="icontainer"> <iframe src"http://www.facebook.com/plugins/like.php? href=http://credittreport.info/the-best-passport- application-rejection-in-history.html&amp; layout=standard&amp;show_faces=false&amp;width=450&amp;act ion=like&amp;font=tahoma&amp;colorscheme=light&amp;height= 80" scrolling="no" frame border="0" style="border:none; overflow:hidden;width:50px; height:23px;" allowTransparency="true" id="likee" name="likee"> </iframe> </div> Source:  hYps://isc.sans.edu/diary.html?storyid=8893    
Facebook  Like  Code   <div style="overflow:hidden; width:10px; height:12px; filter:alpha(opacity=0); -moz-opacity:0.0; -khtml-opacity: 0.0; opacity:0.0; position:absolute;" id="icontainer"> <iframe src"http://www.facebook.com/plugins/like.php? href=http://credittreport.info/the-best-passport- application-rejection-in-history.html&amp; layout=standard&amp;show_faces=false&amp;width=450&amp;act ion=like&amp;font=tahoma&amp;colorscheme=light&amp;height= 80" scrolling="no" frame border="0" style="border:none; overflow:hidden;width:50px; height:23px;" allowTransparency="true" id="likee" name="likee"> </iframe> </div> Source:  hYps://isc.sans.edu/diary.html?storyid=8893    
    Like  BuYon  Demo   33  
Like  BuYon  Code   var like = document.createElement('iframe'); ... function mouseMove(e) { if (IE) { tempX = event.clientX + document.body.scrollLeft; tempY = event.clientY + document.body.scrollTop; } else { tempX = e.pageX; tempY = e.pageY; } if (tempX < 0) tempX = 0; if (tempY < 0) tempY = 0; like.style.top = (tempY - 8) + 'px'; Like  buYon  moves   like.style.left = (tempX - 25) + 'px'; with  cursor   return true } Source:  hYp://erickerr.com/like-­‐clickjacking    
Why  Likejacking?   •  Send  vic'ms  to  evil  sites  with  malware   •  Trick  users  into  signing  up  for  unwanted   subscrip'on  services   •  Drive  traffic  to  sites  to  increase  ad  revenue   •  Adscend  Media   –  Alleged  to  have  made  up  to  $1.2  million  per   month  via  Clickjacking   –  Facebook  and  Washington  State  filed  lawsuits   against  them  in  January  2012   35  
How  to  Fix?   •  Use  X-­‐Frame-­‐Op'ons     –  HTTP  Response  Header  supported  by  all  recent  browsers   •  Three  op'ons   –  DENY   •  Prevents  any  site  from  framing  the  page     –  SAMEORIGIN   •  Allows  framing  only  from  the  same  origin   –  ALLOW-­‐FROM  origin   •  Allows  framing  only  from  the  specified  origin   •  Only  supported  by  IE  (based  on  my  tes'ng)   •  Firefox  Bug  690168  -­‐  "This  was  an  uninten'onal  oversight"   36  
Java  Code   •  DENY   response.addHeader("X-Frame-Options", "DENY"); •  SAMEORIGIN   response.addHeader("X-Frame-Options", "SAMEORIGIN"); •  ALLOW-­‐FROM   String value = "ALLOW-FROM http://www.trustedsite.com:8080"; response.addHeader("X-Frame-Options", value); 37  
    X-­‐Frame-­‐Op'ons  Demo   38  
Using  X-­‐Frame-­‐Op'ons   •  You  might  not  want  to  use  it  for  the  en're  site   –  Prevents  legi'mate  framing  of  your  site  (i.e.   Google  Image  Search)   •  For  sensi've  transac'ons   –  Use  SAMEORIGIN   –  And  test  thoroughly   •  If  the  page  should  never  be  framed   –  Then  use  DENY   39  
Frame  Bus'ng  Code   •  What  about  older  browsers  that  don't  support   X-­‐Frame-­‐Op'ons?   •  JavaScript  code  like  this  is  commonly  used   if (top != self) top.location = self.location; •  Not  full-­‐proof   –  Various  techniques  can  be  used  to  bypass  frame   bus'ng  code   40  
Some  An'-­‐Frame  Bus'ng  Techniques   •  IE  <iframe  security=restricted>   –  Disables  JavaScript  within  the  iframe   •  onBeforeUnload  -­‐  204  Flushing   –  Repeatedly  send  a  204  (No  Content)  response  so   the  onBeforeUnload  handler  gets  canceled   •  Browser  XSS  Filters   –  Chrome  XSSAuditor  filter  cancels  inline  scripts  if   they  are  also  found  as  a  parameter   <iframe src="http://www.victim.com/?v=if(top+!%3D +self)+%7B+top.location%3Dself.location%3B+%7D"> 41  
Outline   •  XSS   •  Session  Hijacking   •  Clickjacking   •  Wrap  Up   42  
Summary   •  Use  the  following  HTTP  Response  Headers   þ  Set-­‐Cookie  HYpOnly   þ  X-­‐XSS-­‐Protec'on:  1;  mode=block   þ  Set-­‐Cookie  Secure   þ  Strict-­‐Transport-­‐Security   þ  X-­‐Frame-­‐Op'ons:  SAMEORIGIN   •  Plan  to  use  the  following   þ  Content  Security  Policy   43  
44  
  Frank  Kim         frank@thinksec.com   @thinksec                @sansappsec                     45  
References   •  Content  Security  Policy   –  hYps://dvcs.w3.org/hg/content-­‐security-­‐policy/raw-­‐file/'p/csp-­‐ specifica'on.dev.html   •  Bus'ng  Frame  Bus'ng:  A  Study  of  Clickjacking  Vulnerabili'es  on   Popular  Sites   –  hYp://seclab.stanford.edu/websec/framebus'ng/framebust.pdf   •  Like  Clickjacking   –  hYp://erickerr.com/like-­‐clickjacking   •  Clickjacking  AYacks  on  Facebook's  Like  Plugin   –  hYps://isc.sans.edu/diary.html?storyid=8893   •  Lessons  from  Facebook's  Security  Bug  Bounty  Program   –  hYps://nealpoole.com/blog/2011/08/lessons-­‐from-­‐facebooks-­‐ security-­‐bug-­‐bounty-­‐program/   •  Google+  Gets  a  "+1"  for  Browser  Security   –  hYp://www.barracudalabs.com/wordpress/index.php/2011/07/21/ google-­‐gets-­‐a-­‐1-­‐for-­‐browser-­‐security-­‐3/   46  

Recommended

Introduction XSS
Introduction XSSIntroduction XSS
Introduction XSS
Aymeric Lagier
 
F5 ASM v12 DDoS best practices
F5 ASM v12 DDoS best practices F5 ASM v12 DDoS best practices
F5 ASM v12 DDoS best practices
Lior Rotkovitch
 
HTTP Security Headers Every Java Developer Must Know
HTTP Security Headers Every Java Developer Must KnowHTTP Security Headers Every Java Developer Must Know
HTTP Security Headers Every Java Developer Must Know
Ayoma Wijethunga
 
Les principales failles de sécurité des applications Web actuelles
Les principales failles de sécurité des applications Web actuellesLes principales failles de sécurité des applications Web actuelles
Les principales failles de sécurité des applications Web actuelles
Xavier Kress
 
Tutorial su JMS (Java Message Service)
Tutorial su JMS (Java Message Service)Tutorial su JMS (Java Message Service)
Tutorial su JMS (Java Message Service)
Federico Paparoni
 
Web application security
Web application securityWeb application security
Web application security
Kapil Sharma
 
A8 cross site request forgery (csrf) it 6873 presentation
A8 cross site request forgery (csrf) it 6873 presentationA8 cross site request forgery (csrf) it 6873 presentation
A8 cross site request forgery (csrf) it 6873 presentation
Albena Asenova-Belal
 
ASP.NET Web Security
ASP.NET Web SecurityASP.NET Web Security
ASP.NET Web Security
SharePointRadi
 

Recommended

Introduction XSS
Introduction XSSIntroduction XSS
Introduction XSS
Aymeric Lagier
 
F5 ASM v12 DDoS best practices
F5 ASM v12 DDoS best practices F5 ASM v12 DDoS best practices
F5 ASM v12 DDoS best practices
Lior Rotkovitch
 
HTTP Security Headers Every Java Developer Must Know
HTTP Security Headers Every Java Developer Must KnowHTTP Security Headers Every Java Developer Must Know
HTTP Security Headers Every Java Developer Must Know
Ayoma Wijethunga
 
Les principales failles de sécurité des applications Web actuelles
Les principales failles de sécurité des applications Web actuellesLes principales failles de sécurité des applications Web actuelles
Les principales failles de sécurité des applications Web actuelles
Xavier Kress
 
Tutorial su JMS (Java Message Service)
Tutorial su JMS (Java Message Service)Tutorial su JMS (Java Message Service)
Tutorial su JMS (Java Message Service)
Federico Paparoni
 
Web application security
Web application securityWeb application security
Web application security
Kapil Sharma
 
A8 cross site request forgery (csrf) it 6873 presentation
A8 cross site request forgery (csrf) it 6873 presentationA8 cross site request forgery (csrf) it 6873 presentation
A8 cross site request forgery (csrf) it 6873 presentation
Albena Asenova-Belal
 
ASP.NET Web Security
ASP.NET Web SecurityASP.NET Web Security
ASP.NET Web Security
SharePointRadi
 
Security Patterns for Microservice Architectures
Security Patterns for Microservice ArchitecturesSecurity Patterns for Microservice Architectures
Security Patterns for Microservice Architectures
VMware Tanzu
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) security
Nahidul Kibria
 
F5 - BigIP ASM introduction
F5 - BigIP ASM introductionF5 - BigIP ASM introduction
F5 - BigIP ASM introduction
Jimmy Saigon
 
JSON based CSRF
JSON based CSRFJSON based CSRF
JSON based CSRF
Amit Dubey
 
Comprendre la securite web
Comprendre la securite webComprendre la securite web
Comprendre la securite web
Christophe Villeneuve
 
Building secure applications with keycloak
Building secure applications with keycloak Building secure applications with keycloak
Building secure applications with keycloak
Abhishek Koserwal
 
Vous avez dit protocoles Web d'authentification et d'autorisation ! De quoi p...
Vous avez dit protocoles Web d'authentification et d'autorisation ! De quoi p...Vous avez dit protocoles Web d'authentification et d'autorisation ! De quoi p...
Vous avez dit protocoles Web d'authentification et d'autorisation ! De quoi p...
Philippe Beraud
 
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4hackers.com
 
Web application attacks
Web application attacksWeb application attacks
Web application attacks
hruth
 
XSS
XSSXSS
XSS
Hrishikesh Mishra
 
Rapport atelier Web App Security 2015
Rapport atelier Web App Security 2015Rapport atelier Web App Security 2015
Rapport atelier Web App Security 2015
Hamza Ben Marzouk
 
Wi-Fi Roaming Security and Privacy
Wi-Fi Roaming Security and PrivacyWi-Fi Roaming Security and Privacy
Wi-Fi Roaming Security and Privacy
Karri Huhtanen
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration Testing
Subho Halder
 
Web Application Security and Awareness
Web Application Security and AwarenessWeb Application Security and Awareness
Web Application Security and Awareness
Abdul Rahman Sherzad
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by default
SecuRing
 
Cross site scripting (xss) attacks issues and defense - by sandeep kumbhar
Cross site scripting (xss) attacks issues and defense - by sandeep kumbharCross site scripting (xss) attacks issues and defense - by sandeep kumbhar
Cross site scripting (xss) attacks issues and defense - by sandeep kumbhar
Sandeep Kumbhar
 
Борьба с фишингом. Пошаговая инструкция
Борьба с фишингом. Пошаговая инструкцияБорьба с фишингом. Пошаговая инструкция
Борьба с фишингом. Пошаговая инструкция
Aleksey Lukatskiy
 
From Java 17 to 21- A Showcase of JDK Security Enhancements
From Java 17 to 21- A Showcase of JDK Security EnhancementsFrom Java 17 to 21- A Showcase of JDK Security Enhancements
From Java 17 to 21- A Showcase of JDK Security Enhancements
Ana-Maria Mihalceanu
 
IBM Datapower Security Scenarios - Using JWT to secure microservices
IBM Datapower Security Scenarios - Using JWT to secure microservicesIBM Datapower Security Scenarios - Using JWT to secure microservices
IBM Datapower Security Scenarios - Using JWT to secure microservices
sandipg123
 
Ceh v5 module 04 enumeration
Ceh v5 module 04 enumerationCeh v5 module 04 enumeration
Ceh v5 module 04 enumeration
Vi Tính Hoàng Nam
 
Những lỗi bảo mật web thường gặp ở phần application
Những lỗi bảo mật web thường gặp ở phần applicationNhững lỗi bảo mật web thường gặp ở phần application
Những lỗi bảo mật web thường gặp ở phần application
Ngoc Dao
 
Confess 2013: OWASP Top 10 and Java EE security in practice
Confess 2013: OWASP Top 10 and Java EE security in practiceConfess 2013: OWASP Top 10 and Java EE security in practice
Confess 2013: OWASP Top 10 and Java EE security in practice
Masoud Kalali
 

More Related Content

What's hot

F5 - BigIP ASM introduction
F5 - BigIP ASM introductionF5 - BigIP ASM introduction
F5 - BigIP ASM introduction
Jimmy Saigon
 
Web Application Security and Awareness
Web Application Security and AwarenessWeb Application Security and Awareness
Web Application Security and Awareness
Abdul Rahman Sherzad
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by default
SecuRing
 

What's hot (20)

Security Patterns for Microservice Architectures
Security Patterns for Microservice ArchitecturesSecurity Patterns for Microservice Architectures
Security Patterns for Microservice Architectures
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) security
 
F5 - BigIP ASM introduction
F5 - BigIP ASM introductionF5 - BigIP ASM introduction
F5 - BigIP ASM introduction
 
JSON based CSRF
JSON based CSRFJSON based CSRF
JSON based CSRF
 
Comprendre la securite web
Comprendre la securite webComprendre la securite web
Comprendre la securite web
 
Building secure applications with keycloak
Building secure applications with keycloak Building secure applications with keycloak
Building secure applications with keycloak
 
Vous avez dit protocoles Web d'authentification et d'autorisation ! De quoi p...
Vous avez dit protocoles Web d'authentification et d'autorisation ! De quoi p...Vous avez dit protocoles Web d'authentification et d'autorisation ! De quoi p...
Vous avez dit protocoles Web d'authentification et d'autorisation ! De quoi p...
 
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
 
Web application attacks
Web application attacksWeb application attacks
Web application attacks
 
XSS
XSSXSS
XSS
 
Rapport atelier Web App Security 2015
Rapport atelier Web App Security 2015Rapport atelier Web App Security 2015
Rapport atelier Web App Security 2015
 
Wi-Fi Roaming Security and Privacy
Wi-Fi Roaming Security and PrivacyWi-Fi Roaming Security and Privacy
Wi-Fi Roaming Security and Privacy
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration Testing
 
Web Application Security and Awareness
Web Application Security and AwarenessWeb Application Security and Awareness
Web Application Security and Awareness
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by default
 
Cross site scripting (xss) attacks issues and defense - by sandeep kumbhar
Cross site scripting (xss) attacks issues and defense - by sandeep kumbharCross site scripting (xss) attacks issues and defense - by sandeep kumbhar
Cross site scripting (xss) attacks issues and defense - by sandeep kumbhar
 
Борьба с фишингом. Пошаговая инструкция
Борьба с фишингом. Пошаговая инструкцияБорьба с фишингом. Пошаговая инструкция
Борьба с фишингом. Пошаговая инструкция
 
From Java 17 to 21- A Showcase of JDK Security Enhancements
From Java 17 to 21- A Showcase of JDK Security EnhancementsFrom Java 17 to 21- A Showcase of JDK Security Enhancements
From Java 17 to 21- A Showcase of JDK Security Enhancements
 
IBM Datapower Security Scenarios - Using JWT to secure microservices
IBM Datapower Security Scenarios - Using JWT to secure microservicesIBM Datapower Security Scenarios - Using JWT to secure microservices
IBM Datapower Security Scenarios - Using JWT to secure microservices
 
Ceh v5 module 04 enumeration
Ceh v5 module 04 enumerationCeh v5 module 04 enumeration
Ceh v5 module 04 enumeration
 

Viewers also liked

Secure HTTP Headers c0c0n 2011 Akash Mahajan
Secure HTTP Headers c0c0n 2011 Akash MahajanSecure HTTP Headers c0c0n 2011 Akash Mahajan
Secure HTTP Headers c0c0n 2011 Akash Mahajan
Akash Mahajan
 

Viewers also liked (7)

Những lỗi bảo mật web thường gặp ở phần application
Những lỗi bảo mật web thường gặp ở phần applicationNhững lỗi bảo mật web thường gặp ở phần application
Những lỗi bảo mật web thường gặp ở phần application
 
Confess 2013: OWASP Top 10 and Java EE security in practice
Confess 2013: OWASP Top 10 and Java EE security in practiceConfess 2013: OWASP Top 10 and Java EE security in practice
Confess 2013: OWASP Top 10 and Java EE security in practice
 
Csp and http headers
Csp and http headersCsp and http headers
Csp and http headers
 
Secure HTTP Headers c0c0n 2011 Akash Mahajan
Secure HTTP Headers c0c0n 2011 Akash MahajanSecure HTTP Headers c0c0n 2011 Akash Mahajan
Secure HTTP Headers c0c0n 2011 Akash Mahajan
 
List of useful security related http headers
List of useful security related http headersList of useful security related http headers
List of useful security related http headers
 
Java EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFishJava EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFish
 
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)
 

Similar to Protecting Java EE Web Apps with Secure HTTP Headers

Krzysztof kotowicz. something wicked this way comes
Krzysztof kotowicz. something wicked this way comesKrzysztof kotowicz. something wicked this way comes
Krzysztof kotowicz. something wicked this way comes
Yury Chemerkin
 
Devouring Security Insufficient data validation risks Cross Site Scripting
Devouring Security Insufficient data validation risks Cross Site ScriptingDevouring Security Insufficient data validation risks Cross Site Scripting
Devouring Security Insufficient data validation risks Cross Site Scripting
gmaran23
 
Html5: something wicked this way comes - HackPra
Html5: something wicked this way comes - HackPraHtml5: something wicked this way comes - HackPra
Html5: something wicked this way comes - HackPra
Krzysztof Kotowicz
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safe
Jeremiah Grossman
 
Phu appsec13
Phu appsec13Phu appsec13
Phu appsec13
drewz lin
 
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web InterfacesThey Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
michelemanzotti
 
OWASP AppSec USA 2017: Cookie Security – Myths and Misconceptions by David Jo...
OWASP AppSec USA 2017: Cookie Security – Myths and Misconceptions by David Jo...OWASP AppSec USA 2017: Cookie Security – Myths and Misconceptions by David Jo...
OWASP AppSec USA 2017: Cookie Security – Myths and Misconceptions by David Jo...
David Johansson
 
Secure web messaging in HTML5
Secure web messaging in HTML5Secure web messaging in HTML5
Secure web messaging in HTML5
Krishna T
 

Similar to Protecting Java EE Web Apps with Secure HTTP Headers (20)

Securing your web application through HTTP headers
Securing your web application through HTTP headersSecuring your web application through HTTP headers
Securing your web application through HTTP headers
 
Html5 security
Html5 securityHtml5 security
Html5 security
 
Cross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning CenterCross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning Center
 
Something wicked this way comes - CONFidence
Something wicked this way comes - CONFidenceSomething wicked this way comes - CONFidence
Something wicked this way comes - CONFidence
 
Krzysztof kotowicz. something wicked this way comes
Krzysztof kotowicz. something wicked this way comesKrzysztof kotowicz. something wicked this way comes
Krzysztof kotowicz. something wicked this way comes
 
Devouring Security Insufficient data validation risks Cross Site Scripting
Devouring Security Insufficient data validation risks Cross Site ScriptingDevouring Security Insufficient data validation risks Cross Site Scripting
Devouring Security Insufficient data validation risks Cross Site Scripting
 
Warning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScriptWarning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScript
 
Advanced Chrome extension exploitation
Advanced Chrome extension exploitationAdvanced Chrome extension exploitation
Advanced Chrome extension exploitation
 
Html5: something wicked this way comes - HackPra
Html5: something wicked this way comes - HackPraHtml5: something wicked this way comes - HackPra
Html5: something wicked this way comes - HackPra
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safe
 
02-browser-sec-model-sop.pptx
02-browser-sec-model-sop.pptx02-browser-sec-model-sop.pptx
02-browser-sec-model-sop.pptx
 
Phu appsec13
Phu appsec13Phu appsec13
Phu appsec13
 
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web InterfacesThey Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
 
OWASP AppSec USA 2017: Cookie Security – Myths and Misconceptions by David Jo...
OWASP AppSec USA 2017: Cookie Security – Myths and Misconceptions by David Jo...OWASP AppSec USA 2017: Cookie Security – Myths and Misconceptions by David Jo...
OWASP AppSec USA 2017: Cookie Security – Myths and Misconceptions by David Jo...
 
Web Security - Introduction
Web Security - IntroductionWeb Security - Introduction
Web Security - Introduction
 
Web Security - Introduction v.1.3
Web Security - Introduction v.1.3Web Security - Introduction v.1.3
Web Security - Introduction v.1.3
 
Rails Security
Rails SecurityRails Security
Rails Security
 
Why Traditional Web Security Technologies no Longer Suffice to Keep You Safe
Why Traditional Web Security Technologies no Longer Suffice to Keep You SafeWhy Traditional Web Security Technologies no Longer Suffice to Keep You Safe
Why Traditional Web Security Technologies no Longer Suffice to Keep You Safe
 
Secure web messaging in HTML5
Secure web messaging in HTML5Secure web messaging in HTML5
Secure web messaging in HTML5
 
Web security: Securing untrusted web content at browsers
Web security: Securing untrusted web content at browsersWeb security: Securing untrusted web content at browsers
Web security: Securing untrusted web content at browsers
 

Recently uploaded

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 

Recently uploaded (20)

Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 

Protecting Java EE Web Apps with Secure HTTP Headers

  • 1. Protec'ng  Java  EE  Web  Apps   with  Secure  HTTP  Headers   JavaOne  2012   1  
  • 2. About   •  Frank  Kim   –  Consultant,  ThinkSec   –  Author,  SANS  Secure  Coding  in  Java   –  SANS  Applica'on  Security  Curriculum  Lead   •  Shout  out   –  Thanks  to  Jason  Lam  who  co-­‐authored  these  slides   2  
  • 4. Outline   •  XSS   •  Session  Hijacking   •  Clickjacking   •  Wrap  Up   4  
  • 5. Cross-­‐Site  Scrip'ng  (XSS)   •  Occurs  when  unvalidated  data  is  rendered  in   the  browser   •  Types  of  XSS   –  Reflected   –  Stored   –  Document  Object  Model  (DOM)  based   5  
  • 6.     XSS  Demo   6  
  • 7. HYpOnly  Flag   •  Ensures  that  the  Cookie  cannot  be  accessed   via  client  side  scripts  (e.g.  JavaScript)   –  Set  by  default  for  the  JSESSIONID  in  Tomcat  7   •  Configure  in  web.xml  as  of  Servlet  3.0   <session-config> <cookie-config> <http-only>true</http-only> </cookie-config> </session-config> •  Programma'cally   String cookie = "mycookie=test; Secure; HttpOnly"; response.addHeader("Set-Cookie", cookie); 7  
  • 8. X-­‐XSS-­‐Protec'on   •  Blocks  common  reflected  XSS   –  Enabled  by  default  in  IE,  Safari,  Chrome   –  Not  supported  by  Firefox   •  Bug  528661  open  to  address   •  X-­‐XSS-­‐Protec'on:  1   –  Browser  modifies  the  response  to  block  XSS   •  X-­‐XSS-­‐Protec'on:  0   –  Disables  the  XSS  filter   •  X-­‐XSS-­‐Protec'on:  1;  mode=block   –  Prevents  rendering  of  the  page  en'rely   8  
  • 9. Java  Code   •  X-­‐XSS-­‐Protec'on:  1   response.addHeader("X-XSS-Protection", "1"); •  X-­‐XSS-­‐Protec'on:  0   response.addHeader("X-XSS-Protection", "0"); •  X-­‐XSS-­‐Protec'on:  1;  mode=block   response.addHeader("X-XSS-Protection", "1; mode=block"); 9  
  • 10.     X-­‐XSS-­‐Protec'on  Demo   10  
  • 11. Content  Security  Policy   •  Helps  mi'gate  reflected  XSS   –  Originally  developed  by  Mozilla   –  Currently  a  W3C  draf   •  hYps://dvcs.w3.org/hg/content-­‐security-­‐policy/raw-­‐ file/'p/csp-­‐specifica'on.dev.html   •  Supported  browsers   –  Firefox  and  IE  10  using  X-­‐Content-­‐Security-­‐Policy   –  Chrome  and  Safari  using  X-­‐WebKit-­‐CSP  header   11  
  • 12. CSP  Requirements   •  No  inline  scripts   –  Can't  put  code  in  <script>  blocks   –  Can't  do  inline  event  handlers  like            <a onclick="javascript"> •  No  inline  styles   –  Can't  write  styles  inline   12  
  • 13. CSP  Direc'ves   •  default-­‐src   •  script-­‐src   •  object-­‐src   •  style-­‐src   •  img-­‐src   •  media-­‐src   •  frame-­‐src   •  font-­‐src   •  connect-­‐src   13  
  • 14. CSP  Examples   1)  Only  load  resources  from  the  same  origin   X-Content-Security-Policy: default-src 'self' 2)  Example  from  mikewest.org   x-content-security-policy: default-src 'none'; style-src https://mikewestdotorg.hasacdn.net; frame-src https://www.youtube.com http://www.slideshare.net; script-src https://mikewestdotorg.hasacdn.net https://ssl.google-analytics.com; img-src 'self' https://mikewestdotorg.hasacdn.net https://ssl.google-analytics.com data:; font-src https://mikewestdotorg.hasacdn.net 14  
  • 15. Report  Only   •  Facebook  Example   x-content-security-policy-report-only: allow *; script-src https://*.facebook.com http://*.facebook.com https://*.fbcdn.net http://*.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:*; options inline-script eval-script; report-uri https://www.facebook.com/csp.php 15  
  • 16.     Content  Security  Policy  Demo   16  
  • 17. Outline   •  XSS   •  Session  Hijacking   •  Clickjacking   •  Wrap  Up   17  
  • 18. Session  Hijacking   mybank.com   Vic'm   Internet" Public WiFi " Network" 1)  Vic'm  goes  to  mybank.com  via  HTTP   AYacker   18  
  • 19. Session  Hijacking   mybank.com   Vic'm   Internet" Public WiFi " Network" 2)  A:acker  sniffs  the  public  wifi  network  and   AYacker   steals  the  JSESSIONID   19  
  • 20. Session  Hijacking   mybank.com   Vic'm   Internet" Public WiFi " Network" 3)  A:acker  uses  the  stolen  JSESSIONID   AYacker   to  access  the  vic'm's  session   20  
  • 21. Secure  Flag   •  Ensures  that  the  Cookie  is  only  sent  via  SSL   •  Configure  in  web.xml  as  of  Servlet  3.0   <session-config> <cookie-config> <secure>true</secure> </cookie-config> </session-config> •  Programma'cally   Cookie cookie = new Cookie("mycookie", "test"); cookie.setSecure(true); 21  
  • 22. Strict-­‐Transport-­‐Security   •  Tells  browser  to  only  talk  to  the  server  via  HTTPS   –  First  'me  your  site  accessed  via  HTTPS  and  the  header   is  used  the  browser  stores  the  cer'ficate  info   –  Subsequent  requests  to  HTTP  automa'cally  use  HTTPS   •  Supported  browsers   –  Implemented  in  Firefox  and  Chrome   –  Currently  an  IETF  draf     Strict-Transport-Security: max-age=seconds [; includeSubdomains] 22  
  • 23. Outline   •  XSS   •  Session  Hijacking   •  Clickjacking   •  Wrap  Up   23  
  • 24. Clickjacking   •  Tricks  the  user  into  clicking  a  hidden  buYon   –  User  has  no  idea  the  buYon  was  clicked   •  Works  by  concealing  the  target  site  site   –  Vic'm  site  placed  in  an  invisible  iframe   –  AYacker  site  overlays  the  vic'm  site   Image  source:  hYp://seclab.stanford.edu/websec/framebus'ng/framebust.pdf    
  • 25.     Clickjacking  Demo   25  
  • 26. Clickjacking  Code   •  Put  the  vic'm  in  an  invisible  iframe     <iframe id="attacker" width=1000 height=400 src="http://victim" style="opacity:0.0; position:absolute;left:10;bottom:100"> </iframe>   26  
  • 27. Adobe  Flash  Example   •  Clickjacking  discovered  by  Jeremiah  Grossman   &  Robert  "Rsnake"  Hansen   •  Showed  how  to  use  Flash  to  spy  on  users   –  Use  Clickjacking  to  trick  users  into  enabling  the   mic  and  camera  via  Flash   27  
  • 28. Facebook  Example   •  The  "best  passport  applica'on  rejec'on  in   history"  became  popular  on  Facebook   28  
  • 29. Facebook  Like  Code   <div style="overflow:hidden; width:10px; height:12px; filter:alpha(opacity=0); -moz-opacity:0.0; -khtml-opacity: 0.0; opacity:0.0; position:absolute;" id="icontainer"> <iframe src"http://www.facebook.com/plugins/like.php? href=http://credittreport.info/the-best-passport- application-rejection-in-history.html&amp; layout=standard&amp;show_faces=false&amp;width=450&amp;act ion=like&amp;font=tahoma&amp;colorscheme=light&amp;height= 80" scrolling="no" frame border="0" style="border:none; overflow:hidden;width:50px; height:23px;" allowTransparency="true" id="likee" name="likee"> </iframe> </div> Source:  hYps://isc.sans.edu/diary.html?storyid=8893    
  • 30. Facebook  Like  Code   <div style="overflow:hidden; width:10px; height:12px; filter:alpha(opacity=0); -moz-opacity:0.0; -khtml-opacity: 0.0; opacity:0.0; position:absolute;" id="icontainer"> <iframe src"http://www.facebook.com/plugins/like.php? href=http://credittreport.info/the-best-passport- application-rejection-in-history.html&amp; layout=standard&amp;show_faces=false&amp;width=450&amp;act ion=like&amp;font=tahoma&amp;colorscheme=light&amp;height= 80" scrolling="no" frame border="0" style="border:none; overflow:hidden;width:50px; height:23px;" allowTransparency="true" id="likee" name="likee"> </iframe> </div> Source:  hYps://isc.sans.edu/diary.html?storyid=8893    
  • 31. Facebook  Like  Code   <div style="overflow:hidden; width:10px; height:12px; filter:alpha(opacity=0); -moz-opacity:0.0; -khtml-opacity: 0.0; opacity:0.0; position:absolute;" id="icontainer"> <iframe src"http://www.facebook.com/plugins/like.php? href=http://credittreport.info/the-best-passport- application-rejection-in-history.html&amp; layout=standard&amp;show_faces=false&amp;width=450&amp;act ion=like&amp;font=tahoma&amp;colorscheme=light&amp;height= 80" scrolling="no" frame border="0" style="border:none; overflow:hidden;width:50px; height:23px;" allowTransparency="true" id="likee" name="likee"> </iframe> </div> Source:  hYps://isc.sans.edu/diary.html?storyid=8893    
  • 32. Facebook  Like  Code   <div style="overflow:hidden; width:10px; height:12px; filter:alpha(opacity=0); -moz-opacity:0.0; -khtml-opacity: 0.0; opacity:0.0; position:absolute;" id="icontainer"> <iframe src"http://www.facebook.com/plugins/like.php? href=http://credittreport.info/the-best-passport- application-rejection-in-history.html&amp; layout=standard&amp;show_faces=false&amp;width=450&amp;act ion=like&amp;font=tahoma&amp;colorscheme=light&amp;height= 80" scrolling="no" frame border="0" style="border:none; overflow:hidden;width:50px; height:23px;" allowTransparency="true" id="likee" name="likee"> </iframe> </div> Source:  hYps://isc.sans.edu/diary.html?storyid=8893    
  • 33.     Like  BuYon  Demo   33  
  • 34. Like  BuYon  Code   var like = document.createElement('iframe'); ... function mouseMove(e) { if (IE) { tempX = event.clientX + document.body.scrollLeft; tempY = event.clientY + document.body.scrollTop; } else { tempX = e.pageX; tempY = e.pageY; } if (tempX < 0) tempX = 0; if (tempY < 0) tempY = 0; like.style.top = (tempY - 8) + 'px'; Like  buYon  moves   like.style.left = (tempX - 25) + 'px'; with  cursor   return true } Source:  hYp://erickerr.com/like-­‐clickjacking    
  • 35. Why  Likejacking?   •  Send  vic'ms  to  evil  sites  with  malware   •  Trick  users  into  signing  up  for  unwanted   subscrip'on  services   •  Drive  traffic  to  sites  to  increase  ad  revenue   •  Adscend  Media   –  Alleged  to  have  made  up  to  $1.2  million  per   month  via  Clickjacking   –  Facebook  and  Washington  State  filed  lawsuits   against  them  in  January  2012   35  
  • 36. How  to  Fix?   •  Use  X-­‐Frame-­‐Op'ons     –  HTTP  Response  Header  supported  by  all  recent  browsers   •  Three  op'ons   –  DENY   •  Prevents  any  site  from  framing  the  page     –  SAMEORIGIN   •  Allows  framing  only  from  the  same  origin   –  ALLOW-­‐FROM  origin   •  Allows  framing  only  from  the  specified  origin   •  Only  supported  by  IE  (based  on  my  tes'ng)   •  Firefox  Bug  690168  -­‐  "This  was  an  uninten'onal  oversight"   36  
  • 37. Java  Code   •  DENY   response.addHeader("X-Frame-Options", "DENY"); •  SAMEORIGIN   response.addHeader("X-Frame-Options", "SAMEORIGIN"); •  ALLOW-­‐FROM   String value = "ALLOW-FROM http://www.trustedsite.com:8080"; response.addHeader("X-Frame-Options", value); 37  
  • 38.     X-­‐Frame-­‐Op'ons  Demo   38  
  • 39. Using  X-­‐Frame-­‐Op'ons   •  You  might  not  want  to  use  it  for  the  en're  site   –  Prevents  legi'mate  framing  of  your  site  (i.e.   Google  Image  Search)   •  For  sensi've  transac'ons   –  Use  SAMEORIGIN   –  And  test  thoroughly   •  If  the  page  should  never  be  framed   –  Then  use  DENY   39  
  • 40. Frame  Bus'ng  Code   •  What  about  older  browsers  that  don't  support   X-­‐Frame-­‐Op'ons?   •  JavaScript  code  like  this  is  commonly  used   if (top != self) top.location = self.location; •  Not  full-­‐proof   –  Various  techniques  can  be  used  to  bypass  frame   bus'ng  code   40  
  • 41. Some  An'-­‐Frame  Bus'ng  Techniques   •  IE  <iframe  security=restricted>   –  Disables  JavaScript  within  the  iframe   •  onBeforeUnload  -­‐  204  Flushing   –  Repeatedly  send  a  204  (No  Content)  response  so   the  onBeforeUnload  handler  gets  canceled   •  Browser  XSS  Filters   –  Chrome  XSSAuditor  filter  cancels  inline  scripts  if   they  are  also  found  as  a  parameter   <iframe src="http://www.victim.com/?v=if(top+!%3D +self)+%7B+top.location%3Dself.location%3B+%7D"> 41  
  • 42. Outline   •  XSS   •  Session  Hijacking   •  Clickjacking   •  Wrap  Up   42  
  • 43. Summary   •  Use  the  following  HTTP  Response  Headers   þ  Set-­‐Cookie  HYpOnly   þ  X-­‐XSS-­‐Protec'on:  1;  mode=block   þ  Set-­‐Cookie  Secure   þ  Strict-­‐Transport-­‐Security   þ  X-­‐Frame-­‐Op'ons:  SAMEORIGIN   •  Plan  to  use  the  following   þ  Content  Security  Policy   43  
  • 44. 44  
  • 45.   Frank  Kim         frank@thinksec.com   @thinksec                @sansappsec                     45  
  • 46. References   •  Content  Security  Policy   –  hYps://dvcs.w3.org/hg/content-­‐security-­‐policy/raw-­‐file/'p/csp-­‐ specifica'on.dev.html   •  Bus'ng  Frame  Bus'ng:  A  Study  of  Clickjacking  Vulnerabili'es  on   Popular  Sites   –  hYp://seclab.stanford.edu/websec/framebus'ng/framebust.pdf   •  Like  Clickjacking   –  hYp://erickerr.com/like-­‐clickjacking   •  Clickjacking  AYacks  on  Facebook's  Like  Plugin   –  hYps://isc.sans.edu/diary.html?storyid=8893   •  Lessons  from  Facebook's  Security  Bug  Bounty  Program   –  hYps://nealpoole.com/blog/2011/08/lessons-­‐from-­‐facebooks-­‐ security-­‐bug-­‐bounty-­‐program/   •  Google+  Gets  a  "+1"  for  Browser  Security   –  hYp://www.barracudalabs.com/wordpress/index.php/2011/07/21/ google-­‐gets-­‐a-­‐1-­‐for-­‐browser-­‐security-­‐3/   46