Will new HTTP headers save us?
John Wilander, Omegapoint & OWASP

OWASP
1. HTTP Strict Transport Security (Paypal)
2. X-Frame-Options (Microsoft)
3. Content Security Policy (Mozilla)
4. X-Do-Not-Track (FTC initiative, Stanford proposal)
HTTP Strict Transport Security
http://tools.ietf.org/html/draft-hodges-strict-transport-sec-02
Moxie's SSL Strip
Towards the browser: terminates SSL, changes https to http
Towards the server: normal https, acts as the client
Require SSL, without warnings, for the next X seconds
and
optionally do the same for all my subdomains
Strict-Transport-Security: max-age=86400

Strict-Transport-Security: max-age=86400; includeSubdomains
X-Frame-Options
http://blogs.msdn.com/b/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx
No page may load me in a frame
or
only my own domain may load me in a frame
X-Frame-Options: DENY

X-Frame-Options: SAMEORIGIN
Content Security Policy
https://developer.mozilla.org/en/Introducing_Content_Security_Policy
XSS is not getting any rarer
<img src="javascript:alert('XSS');">

<body onload!#$%&()*~+-_.,:;?@[/|]^`=alert("XSS")>

<body background="javascript:alert('XSS')">

<video poster=javascript:alert(1)//

<form id=test onforminput=alert(1)><input></form><button form=test onformchange=alert(2)>X

D. Crockford considers !XSS more important than HTML5
http://blip.tv/play/g_MngeaxVgI%2Em4v
Allow scripts only from whitelisted domains
and
allow scripts only from files, i.e. no inline scripts
'self' = same URL, protocol and port
'none' = no approved domains

X-Content-Security-Policy: allow 'self' trustedscripts.foo.com
Accept scripts from my own URL+port and from trustedscripts.foo.com

X-Content-Security-Policy: allow 'self'; img-src 'self'
Accept scripts and images from my own URL+port only

https://developer.mozilla.org/en/Security/CSP/CSP_policy_directives
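An added example, not from the talk: a small audit that checks a response's headers against the three mechanisms above, using the header syntax shown on the slides (the `options inline-script` directive is Mozilla's way of re-enabling inline scripts in X-Content-Security-Policy). The sample responses are constructed; the first copies the header values from the response-splitting slides later in the deck.

```python
import re

def _get(headers, name):
    """Case-insensitive header lookup; returns None when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None

def _parse_csp(value):
    """Split "allow 'self' foo.com; img-src 'self'" into {directive: [sources]}."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def audit_security_headers(headers):
    """Return a list of findings for HSTS, X-Frame-Options and X-Content-Security-Policy."""
    findings = []
    hsts = _get(headers, "Strict-Transport-Security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        max_age = re.search(r"max-age\s*=\s*(\d+)", hsts, re.IGNORECASE)
        if max_age is None or int(max_age.group(1)) == 0:
            findings.append("Strict-Transport-Security has no positive max-age")
        if "includesubdomains" not in hsts.lower():
            findings.append("Strict-Transport-Security does not cover subdomains")
    xfo = _get(headers, "X-Frame-Options")
    if xfo is None or xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options is not DENY or SAMEORIGIN")
    csp = _get(headers, "X-Content-Security-Policy")
    if csp is None:
        findings.append("missing X-Content-Security-Policy")
    else:
        policy = _parse_csp(csp)
        if "allow" not in policy:
            findings.append("X-Content-Security-Policy has no allow directive")
        elif "*" in policy["allow"]:
            findings.append("X-Content-Security-Policy allows scripts from any host")
        if "inline-script" in policy.get("options", []):
            findings.append("X-Content-Security-Policy re-enables inline scripts")
    return findings

# Constructed sample: the headers from the deck's example 302 response.
SLIDE_RESPONSE = {"Strict-Transport-Security": "max-age=10000",
                  "X-Content-Security-Policy": "allow 'self'",
                  "X-Frame-Options": "DENY"}
# Constructed sample: a policy that whitelists everything and allows inline scripts.
WEAK_RESPONSE = {"X-Content-Security-Policy": "allow * ; options inline-script"}

if __name__ == "__main__":
    for name, hdrs in (("slide", SLIDE_RESPONSE), ("weak", WEAK_RESPONSE)):
        print(name, audit_security_headers(hdrs))
```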
Can it be hacked?
Response Splitting

<%
  response.sendRedirect("/by_lang.jsp?lang=" + request.getParameter("lang"));
%>
HTTP/1.1 302 Moved Temporarily
Date: Wed, 24 Dec 2010 12:53:28 GMT
Location: http://10.1.1.1/by_lang.jsp?lang=English
Set-Cookie: JSESSIONID=1pMRZOiOQzZiE6Y6iivsREg82pq9Bo1ape7h4YoHZ62RXj
Strict-Transport-Security: max-age=10000
X-Content-Security-Policy: allow 'self'
X-Frame-Options: DENY

<html> ... </html>
HTTP/1.1 302 Moved Temporarily
Date: Wed, 24 Dec 2010 12:53:28 GMT
Location: http://10.1.1.1/by_lang.jsp?lang=English[CRLF]Content-Length=0[CRLF]
HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=sessionFixation
X-Content-Security-Policy: allow attacker.com
Strict-Transport-Security: max-age=1
<html> ... </html>
Set-Cookie: JSESSIONID=1pMRZOiOQzZiE6Y6iivsREg82pq9Bo1ape7h4YoHZ62RXj

<html> ... </html>
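An added example, not from the talk: a Python model of the JSP redirect above, which copies the `lang` parameter straight into the Location header, next to a hardened version that whitelists the language and refuses CR/LF in any header value. The injected parameter is constructed from the split response on the slide; `count_responses` shows why the split matters, since the injected headers (a fixed session id, a weakened policy) land in a second response the browser treats as genuine.

```python
CRLF = "\r\n"

def vulnerable_redirect(lang):
    """Mirrors response.sendRedirect("/by_lang.jsp?lang=" + lang): the
    parameter is written into the Location header without any check."""
    return ("HTTP/1.1 302 Moved Temporarily" + CRLF
            + "Location: http://10.1.1.1/by_lang.jsp?lang=" + lang + CRLF
            + "Set-Cookie: JSESSIONID=1pMRZOiOQzZiE6Y6iivsREg82pq9Bo1ape7h4YoHZ62RXj" + CRLF
            + "Strict-Transport-Security: max-age=10000" + CRLF
            + "X-Content-Security-Policy: allow 'self'" + CRLF
            + "X-Frame-Options: DENY" + CRLF + CRLF
            + "<html> ... </html>")

class HeaderInjection(ValueError):
    """Raised when a value would terminate or split a header line."""

def safe_header_value(value):
    """Reject CR, LF and NUL before the value reaches a header line; this is
    the generic check to apply to any user-controlled header value."""
    if any(ch in value for ch in "\r\n\0"):
        raise HeaderInjection("CR/LF in header value")
    return value

ALLOWED_LANGS = {"English", "Swedish"}  # constructed whitelist for the example

def hardened_redirect(lang):
    """Defense in depth: refuse control characters, then allow only known values."""
    safe_header_value(lang)
    if lang not in ALLOWED_LANGS:
        raise ValueError("language not whitelisted")
    return vulnerable_redirect(lang)

def count_responses(raw):
    """Count status lines: a split response carries more than one."""
    return sum(1 for line in raw.split(CRLF) if line.startswith("HTTP/1.1 "))

def rejection(lang):
    """Why the hardened redirect rejects lang, or None if it is accepted."""
    try:
        hardened_redirect(lang)
    except HeaderInjection:
        return "header injection"
    except ValueError:
        return "not whitelisted"
    return None

# Constructed from the slide: a lang value that ends the redirect early and
# starts a second response with attacker-chosen headers.
INJECTED_LANG = ("English" + CRLF + "Content-Length: 0" + CRLF + CRLF
                 + "HTTP/1.1 200 OK" + CRLF
                 + "Set-Cookie: JSESSIONID=sessionFixation" + CRLF
                 + "X-Content-Security-Policy: allow attacker.com" + CRLF
                 + "Strict-Transport-Security: max-age=1" + CRLF + CRLF
                 + "<html> ... </html>")

if __name__ == "__main__":
    print("responses from vulnerable redirect:", count_responses(vulnerable_redirect(INJECTED_LANG)))
    print("hardened redirect says:", rejection(INJECTED_LANG))
```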
Meta Headers

<META HTTP-EQUIV="X-Content-Security-Policy" CONTENT="allow attacker.com">
From the current specs
• For security reasons, you can't use the <meta> element to configure the X-Content-Security-Policy header.
• The X-Frame-Options directive is ignored if specified in a META tag.
• UAs MUST NOT heed http-equiv="Strict-Transport-Security" attribute settings on <meta> elements in received content.
So, will new HTTP headers save us?

There are challenges!
Challenges

1. Scope (what each mechanism covers)
2. A beta standard that is good enough to ship
3. Convincing developers, and helping them deploy

Different mechanisms for different problems?
1. HTTP Strict Transport Security (Paypal)
2. X-Frame-Options (Microsoft)
3. Content Security Policy (Mozilla)
Different mechanisms for different problems?

1. Site Security Policy (Mozilla+Google+Microsoft+PayPal+Facebook)
What is it we are whitelisting?

X-Content-Security-Policy: allow 'self' foo.com
Whitelisted domains

<!-- Begin XSS zone 9cb3c2fd7ef861d762471c90de0496 -->
<!-- End XSS zone 9cb3c2fd7ef861d762471c90de0496 -->
Whitelisted script zones via comment elements and keys
(http://www.thespanner.co.uk/2010/09/24/xss-zones)

<meta name="script-nonce" content="142342fd7e">
<script nonce=142342fd7e>...</script>
Whitelisted elements, segments of code
(http://www.gerv.net/security/script-keys + http://lists.w3.org/Archives/Public/public-web-security/2011Jan/0004.html)

<script type="text/javascript" src="/acs.js">/*signature here*/</script>
Whitelisted code via signed hashes
(http://secinn.appspot.com/pstzine/read?issue=4&articleid=8)
Header and/or Meta?

HTTP/1.1 200 OK
X-Site-Security-Policy: ...

<html>
 <head>
    <META HTTP-EQUIV="X-Site-Security-Policy" CONTENT="...">
 </head>
 <body>
 </body>
</html>

The header: more global, but who controls the app's headers?
The meta element: more "per page", but at risk of injection.
Both? Hierarchical policies? First one wins?
Or maybe like CSS?

<link href="http://owasp.org/policy.csp" rel="policy" type="text/policy" />

script {
  src:url(https://chart.googleapis.com);
  inline: false;
}

#emailContent {
  javascript:false;
  forms: false;
  img: true;
}
How do we extend it?
• img-src: images
• media-src: <video>, <audio>
• object-src: plugin content
• frame-src: domains that may be loaded in an <iframe>
• font-src: fonts
• xhr-src: domains that may be called via Ajax
• style-src: stylesheets
How do we extend it?
• allow[img] = ..., allow[embed] = ...
Reality

"We were able to get Bugzilla working with CSP and preventing XSS attacks (i.e. inline scripts disabled), but it was not trivial and the performance is not great."
http://www.owasp.org/index.php/Category:Summit_2011_Browser_Security_Track
... and public-web-security@w3.org
7 March: HTML5 security
http://marioheiderich.eventbrite.com

john.wilander@owasp.org
Twitter: @johnwilander
Blog: http://appsandsecurity.blogspot.com
