List of useful security-related HTTP headers
주한익
joohanik@coresec.co.kr
List of useful security-related HTTP headers (slide 2)

Header name / Description / Usage example

HTTP Strict-Transport-Security (HSTS)
HTTP Strict-Transport-Security (HSTS) is a header that forces the browser to use HTTP over SSL/TLS when it connects to the server. It mitigates the impact of session-related vulnerabilities in web applications that abuse cookies or external links (e.g. session hijacking) and defends against downgrade attacks such as SSL Strip.
Example: Strict-Transport-Security: max-age=16070400; includeSubDomains

X-Frame-Options / Frame-Options
A header created to protect against clickjacking attacks. Depending on the directive value, it controls whether a page loaded in a <frame>, <iframe> or <object> is rendered.
Example: X-Frame-Options: deny

X-XSS-Protection
A header that enables the cross-site scripting filter built into the browser. Most browsers that provide the filter enable it by default; the header re-enables it if the user has turned it off.
Example: X-XSS-Protection: 1;mode=block

X-Content-Type-Options
A header that counters cross-site scripting and drive-by download attacks which abuse the browser's MIME-sniffing feature, i.e. the browser ignoring the value of the Content-Type response header. "nosniff" is the only defined directive.
Example: X-Content-Type-Options: nosniff

Content-Security-Policy / X-Content-Security-Policy / X-WebKit-CSP
A header that affects the policy the browser applies when rendering the page (e.g. inline JavaScript is not executed unless explicitly allowed). It can prevent a range of attacks, including cross-site scripting.
Example: Content-Security-Policy: default-src 'self'; script-src 'self'

Content-Security-Policy-Report-Only
A header with the same function as Content-Security-Policy, except that when the policy is violated nothing is actually blocked; instead a report is sent to the specified location. Used together with the Content-Security-Policy header, it gives "restrict and block" and "reporting" at the same time.
Example: Content-Security-Policy-Report-Only: default-src 'self'; report-uri http://loghost.example.com/reports.jsp

https://www.owasp.org/index.php/List_of_useful_HTTP_headers
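As an added example (not part of the original slides), the following Python audit parses a raw HTTP response head and checks each header in the table above the way a reviewer would: HSTS max-age and includeSubDomains, the X-Frame-Options value, nosniff, an explicitly disabled XSS filter, and whether a CSP is enforced or only reported. The two sample responses are constructed; the 16070400-second minimum is the value used in the table.

```python
from __future__ import annotations

MIN_HSTS_AGE = 16070400  # the max-age used in the table above


def parse_headers(raw: str) -> dict[str, str]:
    """Map lower-cased header names to values from a raw HTTP response head."""
    headers: dict[str, str] = {}
    for line in raw.strip().splitlines()[1:]:  # [0] is the status line
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_kv_directives(value: str) -> dict[str, str]:
    """HSTS style: 'max-age=16070400; includeSubDomains' -> {'max-age': '16070400', 'includesubdomains': ''}."""
    out: dict[str, str] = {}
    for part in value.split(";"):
        if part.strip():
            key, _, val = part.strip().partition("=")
            out[key.strip().lower()] = val.strip()
    return out


def parse_csp(value: str) -> dict[str, list[str]]:
    """CSP style: "default-src 'self'; script-src 'self'" -> {'default-src': ["'self'"], ...}."""
    out: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def audit(raw_response: str) -> list[str]:
    """Return findings for the headers in the table; an empty list means every check passed."""
    h = parse_headers(raw_response)
    findings: list[str] = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS: header missing; downgrade attacks such as SSL strip are not mitigated")
    else:
        d = parse_kv_directives(hsts)
        max_age = int(d["max-age"]) if d.get("max-age", "").isdigit() else -1
        if max_age < MIN_HSTS_AGE:
            findings.append(f"HSTS: max-age={max_age} is below {MIN_HSTS_AGE}")
        if "includesubdomains" not in d:
            findings.append("HSTS: includeSubDomains not set")
    xfo = h.get("x-frame-options", "").upper()
    if not xfo:
        findings.append("X-Frame-Options: header missing; clickjacking is not mitigated")
    elif xfo not in ("DENY", "SAMEORIGIN") and not xfo.startswith("ALLOW-FROM "):
        findings.append(f"X-Frame-Options: unrecognised value {xfo!r}; browsers ignore it")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff not set; MIME sniffing is possible")
    if h.get("x-xss-protection", "").startswith("0"):
        findings.append("X-XSS-Protection: the browser's XSS filter is explicitly disabled")
    csp = h.get("content-security-policy")
    if csp is None:
        if "content-security-policy-report-only" in h:
            findings.append("CSP: only a Report-Only policy; violations are reported, not blocked")
        else:
            findings.append("CSP: no policy; injected inline script is not restricted")
    else:
        csp_dirs = parse_csp(csp)
        script_sources = csp_dirs.get("script-src", csp_dirs.get("default-src"))
        if script_sources is None:
            findings.append("CSP: neither script-src nor default-src restricts script sources")
        elif "'unsafe-inline'" in script_sources:
            findings.append("CSP: script sources allow 'unsafe-inline'")
    return findings


# Constructed sample responses (not captured from a real server).
GOOD_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=16070400; includeSubDomains
X-Frame-Options: deny
X-XSS-Protection: 1;mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self'

<html>...</html>"""

WEAK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=300
X-XSS-Protection: 0
Content-Security-Policy-Report-Only: default-src 'self'; report-uri /reports

<html>...</html>"""

if __name__ == "__main__":
    for label, response in (("good", GOOD_RESPONSE), ("weak", WEAK_RESPONSE)):
        print(label, audit(response) or ["all checks passed"])
```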
Strict-Transport-Security (slide 3)
* SSL strip .. How can we stop this attack?
http://courses.oreillyschool.com/webapp2/http_headers.html
Strict-Transport-Security (slide 4)
* HTTP Strict Transport Security (HSTS) overview
. Web security policy mechanism which is necessary to protect secure HTTPS websites against downgrade attacks, and which greatly simplifies protection against cookie hijacking
. It allows web servers to declare that web browsers should only interact with them using secure HTTPS connections, and never via the insecure HTTP protocol
. IETF standards-track protocol, specified in RFC 6797
. Communicated by the server to the user agent via an HTTP response header field named "Strict-Transport-Security"
http://blog.c22.cc/2010/08/27/http-strict-transport-security/
Strict-Transport-Security (slide 5)
http://www.asd.gov.au/publications/protect/protecting_web_apps.htm
Strict-Transport-Security (slide 6)
* Preloading HSTS overview
. When connecting to an HSTS host for the first time, the browser won't know whether or not to use a secure connection, because it has never received an HSTS header from that host
. An active network attacker could therefore prevent the browser from ever connecting securely
. To mitigate this attack, browsers have added a list of hosts that want HSTS enforced by default
. When a user connects to one of these hosts for the first time, the browser will know that it must use a secure connection
. If a network attacker prevents secure connections to the server, the browser will not attempt to connect over an insecure protocol, thus maintaining the user's security
Strict-Transport-Security (slide 7)
* Manually enforcing HSTS in Google Chrome
https://scotthelme.co.uk/manually-enforcing-hsts-chrome/
Strict-Transport-Security (slide 8)
* EFF (Electronic Frontier Foundation)'s "HTTPS Everywhere" extension
Strict-Transport-Security (slide 9)
* Limitations
. Still dependent on browser vendors adding new hosts to the preload list. The only downside of enforcing HSTS manually (slide 7) is that the user must add all of the hosts they wish to have enforced to the list themselves
. The initial request remains unprotected from active attacks if it uses an insecure protocol such as plain HTTP, or if the initial request was obtained over an insecure channel
. Can't prevent advanced attacks against TLS itself, such as the BEAST (Browser Exploit Against SSL/TLS) or CRIME (Compression Ratio Info-leak Made Easy) attacks
X-Frame-Options (slide 10)
* Clickjacking .. How can we stop this attack?
. Tricking users into enabling their webcam and microphone through Flash
. Tricking users into making their social networking profile information public
. Making users follow someone on Twitter
. Sharing links on Facebook
http://khalil-shreateh.com/khalil.shtml/index.php/personal-security/90-spam-and-scams-protect-yourself-from-being-a-victim-of-cyber-fraud.html?showall=1
http://www.anzaq.com/2013/05/what-is-clickjacking.html
X-Frame-Options (slide 11)
* X-Frame-Options overview
. The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe> or <object>
. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites
. There are three possible values for X-Frame-Options (DENY, SAMEORIGIN, ALLOW-FROM uri)
. The frame-ancestors directive from the CSP Level 2 specification officially replaces this non-standard header
http://www.troyhunt.com/2013/05/clickjack-attack-hidden-threat-right-in.html
http://wordpress.stackexchange.com/questions/81607/receiving-this-content-cannot-be-displayed-in-a-frame-error-on-login-page
X-Frame-Options (slide 12)
* Limitations
. Per-page policy specification
. Problems with multi-domain sites
. ALLOW-FROM browser support
. Multiple options not supported
. X-Frame-Options deprecated
. Proxies
. Nested frames don't work with SAMEORIGIN and ALLOW-FROM

Scenario (the .invalid hosts are placeholders):
//friendlysite.invalid (the framing page)
//framed.invalid/parent: ALLOW-FROM http://friendlysite.invalid
//framed.invalid/child: SAMEORIGIN

When a frame on the //friendlysite.invalid page loads //framed.invalid/parent, it renders normally (it was allowed with ALLOW-FROM).
When a frame on the //framed.invalid/parent page loads //framed.invalid/child, which is on the same domain, it is not rendered (the top-level browsing context takes priority).
The problem could of course be solved by also setting ALLOW-FROM http://friendlysite.invalid on //framed.invalid/child, but then //framed.invalid/child fails to load whenever //framed.invalid/parent is itself the top-level page.
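The nested-frame scenario above, as an added example (not from the deck): a small Python model that evaluates X-Frame-Options against the top-level browsing context, as the slide describes, so that the slide's four outcomes can be reproduced. It assumes the slide's placeholder hosts and compares hosts only, ignoring scheme and port.

```python
from __future__ import annotations

from urllib.parse import urlsplit


def host(url: str) -> str:
    """Host part of a URL; '//host/path' parses as a network-path reference.
    Simplification (an assumption of this model): only the host is compared,
    as the slide's scheme-less '//host' notation implies; real origins also
    include scheme and port."""
    return urlsplit(url).netloc.lower()


def may_render(page_xfo: str, page_url: str, ancestors: list[str]) -> bool:
    """Decide whether page_url, served with X-Frame-Options page_xfo, is rendered.
    ancestors runs from the direct parent up to the top-level document, so
    ancestors[-1] is the top-level browsing context, which is the only one the
    slide says SAMEORIGIN and ALLOW-FROM are checked against."""
    if not ancestors:
        return True  # not framed at all: the header does not apply
    top = host(ancestors[-1])
    value = page_xfo.strip()
    upper = value.upper()
    if upper == "DENY":
        return False
    if upper == "SAMEORIGIN":
        return top == host(page_url)
    if upper.startswith("ALLOW-FROM"):
        _, _, allowed = value.partition(" ")
        return top == host(allowed.strip())
    return True  # unrecognised value: browsers ignore the header


# The slide's scenario (hosts are the slide's own placeholder names).
FRIEND = "//friendlysite.invalid"
PARENT = "//framed.invalid/parent"
CHILD = "//framed.invalid/child"
XFO_PARENT = "ALLOW-FROM http://friendlysite.invalid"
XFO_CHILD = "SAMEORIGIN"


def scenario() -> dict[str, bool]:
    """Each case corresponds to one sentence of the slide's explanation."""
    return {
        # friendlysite frames parent: allowed by ALLOW-FROM
        "parent_in_friend": may_render(XFO_PARENT, PARENT, [FRIEND]),
        # friendlysite > parent > child: child is same-origin with its direct
        # parent, but SAMEORIGIN is checked against the top level (friendlysite)
        "child_in_parent_in_friend": may_render(XFO_CHILD, CHILD, [PARENT, FRIEND]),
        # the slide's workaround: child also sends ALLOW-FROM friendlysite ...
        "child_workaround_in_friend": may_render(XFO_PARENT, CHILD, [PARENT, FRIEND]),
        # ... which breaks as soon as parent itself is the top-level page
        "child_workaround_parent_top": may_render(XFO_PARENT, CHILD, [PARENT]),
    }


if __name__ == "__main__":
    for case, rendered in scenario().items():
        print(f"{case}: {'renders' if rendered else 'blocked'}")
```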
X-XSS-Protection (slide 13)
* XSS (Cross-Site Scripting) .. How can we stop this attack?
Stored cross-site scripting
Reflected cross-site scripting
X-XSS-Protection (slide 14)
* X-XSS-Protection overview
. New feature to help prevent reflected cross-site scripting attacks (Internet Explorer 8)
. Detects JavaScript in URL and HTTP POST requests
. If JavaScript is detected, the XSS filter searches for evidence of reflection, i.e. information that would be returned to the attacking website if the attacking request were submitted unchanged
. If reflection is detected, the XSS filter sanitizes the original request so that the additional JavaScript cannot be executed
X-XSS-Protection (slide 15)
* Disabling Internet Explorer's X-XSS-Protection
. https://msdn.microsoft.com/en-us/library/dd565647(VS.85).aspx
. This feature can be disabled by setting an HTTP header (X-XSS-Protection: 0) or through the Internet Explorer options
http://www.staysecureweb.com/get-protected-xss-cross-site-scripting-internet-explorer/
X-Content-Type-Options (slide 16)
* Background of this feature
. Microsoft has a feature in Internet Explorer that attempts to determine the correct content type regardless of what is specified by the web server .. this feature is known as MIME sniffing
. One of the steps of this feature is that it compares the first 256 bytes of a file to a list of known file headers
. While this feature allows users to browse the web more successfully, it also introduces an attack vector

[Figure: the attacker uploads file.jpg whose content is an HTML document (<html> ... </html>); the web browser requests it and the web server answers]
HTTP/1.1 200 OK
...
Content-Type: image/jpeg
Content-Length: 231
<html>
...
</html>
1. The Content-Type and file extension are ignored
2. The type is decided after inspecting the file header (MIME sniffing)
3. The tags are executed (XSS attack)
(IE6, IE7)
X-Content-Type-Options (slide 17)
* X-Content-Type-Options overview
. The only defined value, "nosniff", prevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared content-type
. This reduces exposure to drive-by download attacks and to sites serving user-uploaded content that, by clever naming, could be treated by MSIE as executable or dynamic HTML files
X-Content-Type-Options (slide 18)
* Security recommendations
. Web developers
Familiarize yourself with the risks of file uploads, implement safeguards and add relevant HTTP headers for uploaded files if necessary
. Web server administrators
Add the X-Content-Type-Options: nosniff header to your web server. This also applies to web servers other than Microsoft IIS
. System administrators and end users
Disable MIME sniffing in Internet Explorer and/or set the security level to High. For IE9, MIME sniffing can be disabled at the following location:
Internet Options -> Security level -> Miscellaneous -> Enable MIME Sniffing -> Disable
. Penetration testers
While testing file uploads in web applications, attempt to upload HTML code in files with different extensions, and don't forget to perform these tests using different browsers
. Microsoft
Please change the default MIME sniffing behavior of Internet Explorer and refrain from handling files as HTML when the web server says otherwise. At least prevent this from happening for most 'known file types' and most 'ambiguous file types'.
http://blog.fox-it.com/2012/05/08/mime-sniffing-feature-or-vulnerability/
http://www.h-online.com/security/features/Risky-MIME-sniffing-in-Internet-Explorer-746229.html
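An added example (not from the slides) of the safeguard the "Web developers" recommendation asks for: a Python upload check that verifies the magic number of the claimed image type, refuses files with markup inside the 256-byte window the slides describe, and serves stored files with nosniff. The accepted types, the markup test and the sample files are assumptions of this example, not the deck's.

```python
from __future__ import annotations

import re

# Magic numbers of the image types this hypothetical upload handler accepts.
MAGIC = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}

# The slides say IE compares the first 256 bytes against known file headers.
SNIFF_WINDOW = 256

# Conservative test for markup inside the window: '<' followed by a letter,
# '!' or '/'. Assumption: this is a superset of the tags a sniffer looks for;
# it may reject a few benign files, which is the safer failure mode for uploads.
MARKUP = re.compile(rb"<[!/a-zA-Z]")


class UploadRejected(ValueError):
    """Raised when an upload must not be stored under the claimed type."""


def check_upload(data: bytes, claimed_type: str) -> str:
    """Return the content type to store the file under, or raise UploadRejected."""
    if claimed_type not in MAGIC:
        raise UploadRejected(f"type {claimed_type!r} is not an accepted upload type")
    if not any(data.startswith(magic) for magic in MAGIC[claimed_type]):
        raise UploadRejected(f"leading bytes do not match {claimed_type}")
    if MARKUP.search(data[:SNIFF_WINDOW]):
        raise UploadRejected("markup found inside the sniffing window")
    return claimed_type


def response_headers_for(content_type: str, filename: str) -> dict[str, str]:
    """Headers to serve a stored upload with: the declared type, the slides'
    nosniff directive, and a download disposition so that even a browser that
    ignores nosniff does not render the file as a document."""
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename)
    return {
        "Content-Type": content_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
    }


def classify(data: bytes, claimed_type: str) -> str:
    """Convenience wrapper returning the decision as a string."""
    try:
        return "stored as " + check_upload(data, claimed_type)
    except UploadRejected as err:
        return f"rejected: {err}"


# Constructed sample uploads (not real files).
REAL_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 300
HTML_NAMED_JPG = b"<html><body>not an image</body></html>" + b"\x00" * 300
JPEG_THEN_MARKUP = b"\xff\xd8\xff\xe0" + b"\x00" * 20 + b"<html>" + b"\x00" * 300

if __name__ == "__main__":
    samples = (("real.jpg", REAL_JPEG), ("page.jpg", HTML_NAMED_JPG), ("mixed.jpg", JPEG_THEN_MARKUP))
    for name, blob in samples:
        print(name, classify(blob, "image/jpeg"))
```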
Content-Security-Policy (slide 19)
* Content-Security-Policy overview
. HTTP header that allows you to create a whitelist of sources of trusted content, and instructs the browser to only execute or render resources from those sources
. Even if an attacker can find a hole through which to inject script, the script won't match the whitelist, and therefore won't be executed
Content-Security-Policy (slide 20)
* Resource directives
. script-src
Controls a set of script-related privileges for a specific page
. connect-src
Limits the origins to which you can connect (via XHR, WebSockets, and EventSource)
. font-src
Specifies the origins that can serve web fonts. Google's Web Fonts could be enabled via font-src https://themes.googleusercontent.com
. frame-src
Lists the origins that can be embedded as frames. For example, frame-src https://youtube.com would enable embedding YouTube videos, but no other origins
. img-src
Defines the origins from which images can be loaded
. media-src
Restricts the origins allowed to deliver video and audio
. object-src
Allows control over Flash and other plugins
. style-src
script-src's counterpart for stylesheets
Content-Security-Policy (slide 21)
* Four keywords
. 'none'
As you might expect, matches nothing
. 'self'
Matches the current origin, but not its subdomains
. 'unsafe-inline'
Allows inline JavaScript and CSS
. 'unsafe-eval'
Allows text-to-JavaScript mechanisms like eval
* Examples
. You have an application that loads all of its resources from a content delivery network (https://cdn.example.net), and you know that you don't need framed content or any plugins at all
Content-Security-Policy: default-src https://cdn.example.net; frame-src 'none'; object-src 'none'
Content-Security-Policy (slide 22)
* Reporting
. Instruct the browser to POST JSON-formatted violation reports to a location specified in a report-uri directive
Content-Security-Policy: default-src 'self'; ...; report-uri /my_amazing_csp_report_parser;
. You can ask the browser to monitor a policy, reporting violations but not enforcing the restrictions: instead of sending a Content-Security-Policy header, send a Content-Security-Policy-Report-Only header
Content-Security-Policy-Report-Only: default-src 'self'; ...; report-uri /my_amazing_csp_report_parser;
http://www.html5rocks.com/en/tutorials/security/content-security-policy/?redirect_from_locale=ko
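An added Python example (not from the slides) that ties together the slide-21 policy and the reporting mechanism on slide 22: it parses a policy, applies the default-src fallback when deciding whether a load is allowed, and builds the JSON report body for a blocked load; reporting_mode shows that the header name alone decides enforce versus report-only. Only the source expressions the slides mention ('none', 'self', 'unsafe-inline', host sources) are modelled, and the page and resource URLs are constructed.

```python
from __future__ import annotations

import json
from urllib.parse import urlsplit


def parse_policy(policy: str) -> dict[str, list[str]]:
    """'default-src https://cdn.example.net; frame-src 'none'' -> {name: [source expressions]}."""
    out: dict[str, list[str]] = {}
    for token in policy.split(";"):
        parts = token.split()
        if parts:
            out[parts[0].lower()] = parts[1:]
    return out


def origin(url: str) -> str:
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def source_matches(source: str, resource_url: str, page_url: str) -> bool:
    """Match one source expression; only the forms the slides mention are modelled."""
    if source == "'none'":
        return False
    if source == "'self'":
        return origin(resource_url) == origin(page_url)  # same origin, not subdomains
    if source.startswith("'"):
        return False  # 'unsafe-inline' / 'unsafe-eval' never match a URL
    if "://" in source:
        return origin(resource_url) == origin(source)  # scheme + host source
    return urlsplit(resource_url).netloc.lower() == source.lower()  # bare host


def effective_directive(policy: dict[str, list[str]], directive: str) -> str | None:
    """The directive that governs a fetch: the specific one, else default-src."""
    if directive in policy:
        return directive
    return "default-src" if "default-src" in policy else None


def allowed(policy_str: str, directive: str, resource_url: str, page_url: str) -> bool:
    policy = parse_policy(policy_str)
    governing = effective_directive(policy, directive)
    if governing is None:
        return True  # nothing in the policy restricts this resource type
    return any(source_matches(s, resource_url, page_url) for s in policy[governing])


def violation_report(policy_str: str, directive: str, resource_url: str, page_url: str) -> dict | None:
    """Body a browser POSTs to report-uri for a blocked load (None if the load is allowed).
    Field names follow the CSP violation report format."""
    if allowed(policy_str, directive, resource_url, page_url):
        return None
    governing = effective_directive(parse_policy(policy_str), directive)
    return {"csp-report": {
        "document-uri": page_url,
        "violated-directive": governing,
        "effective-directive": directive,
        "original-policy": policy_str,
        "blocked-uri": resource_url,
    }}


def reporting_mode(headers: dict[str, str]) -> str:
    """Which header carried the policy decides enforce vs. report-only."""
    if "Content-Security-Policy" in headers:
        return "enforce"
    if "Content-Security-Policy-Report-Only" in headers:
        return "report-only"
    return "none"


# The slide-21 policy and a page that serves it; URLs are constructed.
POLICY = "default-src https://cdn.example.net; frame-src 'none'; object-src 'none'"
PAGE = "https://www.example.net/index.html"

if __name__ == "__main__":
    report = violation_report(POLICY, "script-src", "https://other.example.org/x.js", PAGE)
    print(json.dumps(report, indent=2))
```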

Más contenido relacionado

La actualidad más candente

Site Security Policy - Yahoo! Security Week
Site Security Policy - Yahoo! Security WeekSite Security Policy - Yahoo! Security Week
Site Security Policy - Yahoo! Security Week
guest9663eb
 
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Jeremiah Grossman
 
Ruby on Rails Security
Ruby on Rails SecurityRuby on Rails Security
Ruby on Rails Security
amiable_indian
 

La actualidad más candente (20)

Modern Web Application Defense
Modern Web Application DefenseModern Web Application Defense
Modern Web Application Defense
 
Analysis of HTTP Security Headers in Turkey
Analysis of HTTP Security Headers in TurkeyAnalysis of HTTP Security Headers in Turkey
Analysis of HTTP Security Headers in Turkey
 
Inception framework
Inception frameworkInception framework
Inception framework
 
MITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another PerspectiveMITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another Perspective
 
WhiteHat Security "Website Security Statistics Report" (Q1'09)
WhiteHat Security "Website Security Statistics Report" (Q1'09)WhiteHat Security "Website Security Statistics Report" (Q1'09)
WhiteHat Security "Website Security Statistics Report" (Q1'09)
 
Real web-attack-scenario
Real web-attack-scenarioReal web-attack-scenario
Real web-attack-scenario
 
Top Ten Web Hacking Techniques – 2008
Top Ten Web Hacking Techniques – 2008Top Ten Web Hacking Techniques – 2008
Top Ten Web Hacking Techniques – 2008
 
Top 10 Web Hacks 2012
Top 10 Web Hacks 2012Top 10 Web Hacks 2012
Top 10 Web Hacks 2012
 
New web attacks-nethemba
New web attacks-nethembaNew web attacks-nethemba
New web attacks-nethemba
 
Se linux course1
Se linux course1Se linux course1
Se linux course1
 
Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...
Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...
Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...
 
Web browser privacy and security
Web browser privacy and security Web browser privacy and security
Web browser privacy and security
 
Session1-Introduce Http-HTTP Security headers
Session1-Introduce Http-HTTP Security headers Session1-Introduce Http-HTTP Security headers
Session1-Introduce Http-HTTP Security headers
 
Security vulnerabilities - 2018
Security vulnerabilities - 2018Security vulnerabilities - 2018
Security vulnerabilities - 2018
 
Web Hacking
Web HackingWeb Hacking
Web Hacking
 
Site Security Policy - Yahoo! Security Week
Site Security Policy - Yahoo! Security WeekSite Security Policy - Yahoo! Security Week
Site Security Policy - Yahoo! Security Week
 
Sandboxed platform using IFrames, postMessage and localStorage
Sandboxed platform using IFrames, postMessage and localStorageSandboxed platform using IFrames, postMessage and localStorage
Sandboxed platform using IFrames, postMessage and localStorage
 
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
 
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
 
Ruby on Rails Security
Ruby on Rails SecurityRuby on Rails Security
Ruby on Rails Security
 

Destacado

Firefox OS Update (2013)
Firefox OS Update (2013)Firefox OS Update (2013)
Firefox OS Update (2013)
Channy Yun
 
[Wroclaw #2] Web Application Security Headers
[Wroclaw #2] Web Application Security Headers[Wroclaw #2] Web Application Security Headers
[Wroclaw #2] Web Application Security Headers
OWASP
 
Security "for free" through HTTP headers
Security "for free" through HTTP headersSecurity "for free" through HTTP headers
Security "for free" through HTTP headers
Andre N. Klingsheim
 

Destacado (20)

Csp and http headers
Csp and http headersCsp and http headers
Csp and http headers
 
Secure HTTP Headers c0c0n 2011 Akash Mahajan
Secure HTTP Headers c0c0n 2011 Akash MahajanSecure HTTP Headers c0c0n 2011 Akash Mahajan
Secure HTTP Headers c0c0n 2011 Akash Mahajan
 
Firefox OS Update (2013)
Firefox OS Update (2013)Firefox OS Update (2013)
Firefox OS Update (2013)
 
[Wroclaw #2] Web Application Security Headers
[Wroclaw #2] Web Application Security Headers[Wroclaw #2] Web Application Security Headers
[Wroclaw #2] Web Application Security Headers
 
"EL PLAN DE EMPRESA. CLAVES DEL EXITO PARA EMPRENDER"
"EL PLAN DE EMPRESA. CLAVES DEL EXITO PARA EMPRENDER""EL PLAN DE EMPRESA. CLAVES DEL EXITO PARA EMPRENDER"
"EL PLAN DE EMPRESA. CLAVES DEL EXITO PARA EMPRENDER"
 
URBAN OASIS FEATURED ON AEROPORTS DE PARIS
URBAN OASIS FEATURED ON AEROPORTS DE PARIS URBAN OASIS FEATURED ON AEROPORTS DE PARIS
URBAN OASIS FEATURED ON AEROPORTS DE PARIS
 
06 isoyetas 25 años
06 isoyetas 25 años06 isoyetas 25 años
06 isoyetas 25 años
 
HTTP Strict Transport Security (HSTS), English version
HTTP Strict Transport Security (HSTS), English versionHTTP Strict Transport Security (HSTS), English version
HTTP Strict Transport Security (HSTS), English version
 
Tarea upaep
Tarea upaepTarea upaep
Tarea upaep
 
Securing your web application through HTTP headers
Securing your web application through HTTP headersSecuring your web application through HTTP headers
Securing your web application through HTTP headers
 
Security "for free" through HTTP headers
Security "for free" through HTTP headersSecurity "for free" through HTTP headers
Security "for free" through HTTP headers
 
Hertfordshire life deconstruction
Hertfordshire life deconstructionHertfordshire life deconstruction
Hertfordshire life deconstruction
 
Analisis de transformadores
Analisis de transformadoresAnalisis de transformadores
Analisis de transformadores
 
Springcamp 2015 - xss는 네가 맡아라
Springcamp 2015 - xss는 네가 맡아라Springcamp 2015 - xss는 네가 맡아라
Springcamp 2015 - xss는 네가 맡아라
 
Conceptos
ConceptosConceptos
Conceptos
 
How to secure your web applications with NGINX
How to secure your web applications with NGINXHow to secure your web applications with NGINX
How to secure your web applications with NGINX
 
Maquinas III reaccion y conmutacion
Maquinas III reaccion y conmutacionMaquinas III reaccion y conmutacion
Maquinas III reaccion y conmutacion
 
Homebrew Updater
Homebrew UpdaterHomebrew Updater
Homebrew Updater
 
Security HTTP Headers
Security HTTP HeadersSecurity HTTP Headers
Security HTTP Headers
 
Informe rev03
Informe rev03Informe rev03
Informe rev03
 

Similar a List of useful security related http headers

Browser Wars 2019 - Implementing a Content Security Policy
Browser Wars 2019 - Implementing a Content Security PolicyBrowser Wars 2019 - Implementing a Content Security Policy
Browser Wars 2019 - Implementing a Content Security Policy
George Boobyer
 
White paper screen
White paper screenWhite paper screen
White paper screen
eltincho89
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
Brad Hill
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safe
Jeremiah Grossman
 
Best practices of web app security (samvel gevorgyan)
Best practices of web app security (samvel gevorgyan)Best practices of web app security (samvel gevorgyan)
Best practices of web app security (samvel gevorgyan)
ClubHack
 

Similar a List of useful security related http headers (20)

QA Fest 2016. Per Thorsheim. Website security 101
QA Fest 2016. Per Thorsheim. Website security 101QA Fest 2016. Per Thorsheim. Website security 101
QA Fest 2016. Per Thorsheim. Website security 101
 
http security response headers for web security
http security response headers for web securityhttp security response headers for web security
http security response headers for web security
 
Browser Wars 2019 - Implementing a Content Security Policy
Browser Wars 2019 - Implementing a Content Security PolicyBrowser Wars 2019 - Implementing a Content Security Policy
Browser Wars 2019 - Implementing a Content Security Policy
 
Tsc summit #2 - HTTP Header Security
Tsc summit #2  - HTTP Header SecurityTsc summit #2  - HTTP Header Security
Tsc summit #2 - HTTP Header Security
 
White paper screen
White paper screenWhite paper screen
White paper screen
 
HTTP basics in relation to Applicaiton Security - OWASP
HTTP basics in relation to Applicaiton Security  - OWASPHTTP basics in relation to Applicaiton Security  - OWASP
HTTP basics in relation to Applicaiton Security - OWASP
 
Browser security
Browser securityBrowser security
Browser security
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
 
XST - Cross Site Tracing
XST - Cross Site TracingXST - Cross Site Tracing
XST - Cross Site Tracing
 
Xssandcsrf
XssandcsrfXssandcsrf
Xssandcsrf
 
Security In PHP Applications
Security In PHP ApplicationsSecurity In PHP Applications
Security In PHP Applications
 
Protecting Web App users in today’s hostile environment
Protecting Web App users in today’s hostile environmentProtecting Web App users in today’s hostile environment
Protecting Web App users in today’s hostile environment
 
A Practical Guide to Securing Modern Web Applications
A Practical Guide to Securing Modern Web ApplicationsA Practical Guide to Securing Modern Web Applications
A Practical Guide to Securing Modern Web Applications
 
Content security policy
Content security policyContent security policy
Content security policy
 
Attacking Web Proxies
Attacking Web ProxiesAttacking Web Proxies
Attacking Web Proxies
 
Why Traditional Web Security Technologies no Longer Suffice to Keep You Safe
Why Traditional Web Security Technologies no Longer Suffice to Keep You SafeWhy Traditional Web Security Technologies no Longer Suffice to Keep You Safe
Why Traditional Web Security Technologies no Longer Suffice to Keep You Safe
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safe
 
Web Development Security
Web Development SecurityWeb Development Security
Web Development Security
 
Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation
 
Best practices of web app security (samvel gevorgyan)
Best practices of web app security (samvel gevorgyan)Best practices of web app security (samvel gevorgyan)
Best practices of web app security (samvel gevorgyan)
 

Último

EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 

Último (20)

Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 

List of useful security related http headers

  • 1. List of useful security-related HTTP headers 주한익 joohanik@coresec.co.kr
  • 2. List of useful security-related HTTP headers 2 헤더 이름 설명 사용예 HTTP Strict-Transport-Security
 (HSTS) HTTP Strict-Transport-Security(HSTS)는 브라우저가 서버에 연결할 때 SSL/TLS 기반 HTTP 사용을 강제하는 헤더입니다. 헤당 헤더는 쿠키 혹은 외부 링크를 악용한 웹 어플 리케이션의 세션 관련 취약점 (e.g. Session Hijacking) 피해를 완화 하거나 SSL Strip 같은 다운그래이드 공격을 방어할 수 있습니다. Strict-Transport-Security: max- age=16070400; includeSubDomains X-Frame-Options Frame-Options 클릭재킹 공격에 대한 보호를 위해 만들어진 헤더입니다. 헤더의 지시자 값에 따라 <frame>, <iframe>, <object>에 로드된 페이지의 랜더링 조건을 제어할 수 있습니다. X-Frame-Options: deny X-XSS-Protection 브라우저에 내장되어 있는 교차 사이트 스크립팅 필터를 활성화시키는 헤더입니다. 기 능을 제공하는 대부분의 웹 브라우저는 기본적으로 활성화 되어 있으나 사용자에 의해 비활성화 되어있을 경우 다시 활성화 시킬 수 있는 역할을 합니다. X-XSS-Protection: 1;mode=block X-Content-Type Options HTTP 응답 헤더 중 하나인 Content-Type 지시자의 값을 무시하도록 동작하는 브라우 저의 MIME-sniffing 기능을 악용한 교차 사이트 스크립팅 혹은 Drive-By download 공격에 대응하기 위한 헤더입니다. "nosniff" 지시자를 제외하고는 사용할 수 있습니다. X-Content-Type-Options: nosniff Content-Security-Policy X-Content-Security-Policy X-WebKit-CSP 해당 헤더는 브라우저가 페이지에 대한 랜더링을 수행하는 정책에 영향(e.g. 명시적으 로 허용하지 않는한 인라인 자바스크립트를 동작시키지 않음)을 주는 헤더입니다. 교차 사이트 스크립팅 공격을 포함한 다양한 공격을 예방할 수 있습니다. Content-Security-Policy: default-src 'self'; script-src 'self' Content-Security-Policy-Report- Only Content-Security-Policy 헤더와 동일한 기능을 하는 헤더입니다. 다만 제한 정책에 위 반되는 경우 실제 차단을 하지 않고 지정된 경로에 리포팅 정보를 보냅니다. Content-Security-Policy 헤더와 중복으로 사용하여 "제한 및 차단"과 "리포팅"을 동시 에 사용할 수 있습니다. Content-Security-Policy-Report-Only: default-src 'self'; report-uri http:// loghost.example.com/reports.jsp https://www.owasp.org/index.php/List_of_useful_HTTP_headers
  • 3. Strict-Transport-Security 3 * SSL strip .. How can we stop this attack? http://courses.oreillyschool.com/webapp2/http_headers.html
  • 4. Strict-Transport-Security 4 * HTTP Strict Transport Security (HSTS) overview . Web security policy mechanism which is necessary to protect secure HTTPS websites against downgrade attacks, and which greatly simplifies protection against cookie hijacking . It allows web servers to declare that web browser should only interact with it using secure HTTPS connections, and never via the insecure HTTP protocol . IETF standards track protocol and is specified in RFC 6797 . Communicated by the server to the user agent via a HTTP response header field named "Strict-Transport-Security" http://blog.c22.cc/2010/08/27/http-strict-transport-security/http://blog.c22.cc/2010/08/27/http-strict-transport-security/
  • 6. Strict-Transport-Security 6 * Preloading HSTS overview . When connecting to an HSTS host for the first time, the browser won't know whether or not to use a secure connection, because it has never received an HSTS header from that host . Active could prevent the browser from ever connecting securely . To mitigate this attack, Browser have added a list of hosts that want HSTS enforced by default . When a user connects to one of these hosts for the first time, the browser will know that is must use a secure connection . If a network attacker prevents secure connections to the server, the browser will not attempt to connect over an insecure protocol, thus maintaining the user's security
  • 7. Strict-Transport-Security 7 * Manually enforcing HSTS in google chrome https://scotthelme.co.uk/manually-enforcing-hsts-chrome/
  • 8. Strict-Transport-Security 8 * EFF(Electronic Frontier Foundation)'s "HTTPS Everywhere" extension
• 9. Strict-Transport-Security
* Limitations
. Preloading still depends on the browser vendors adding new hosts to the list; manual enforcement has the downside that the user must add every host they want enforced to the list by hand
. The initial request remains unprotected from active attacks if it uses an insecure protocol such as plain HTTP, or if the initial request was obtained over an insecure channel
. Cannot prevent advanced attacks against TLS itself, such as BEAST (Browser Exploit Against SSL/TLS) or CRIME (Compression Ratio Info-leak Made Easy)
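The first-visit problem, the preload fix and the max-age expiry discussed on the last few slides are easiest to see as the state a user agent keeps. The following is an added example, not code from the slides or from any browser: a small Python model of the RFC 6797 header parser and the "Known HSTS Hosts" store, with a constructed preload list (preloaded.example) and constructed host names (bank.example). It shows that a plain-HTTP first visit goes out unprotected, that the header is honoured only after it has been received, that includeSubDomains extends coverage downwards, and that a preloaded host is upgraded even on the first visit.

```python
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into a dict of directives.

    Returns None for a value a conforming user agent must ignore: no
    max-age, a non-numeric max-age, or a directive given twice (RFC 6797 6.1).
    """
    directives = {}
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, _, arg = raw.partition("=")
        name = name.strip().lower()
        if name in directives:
            return None
        directives[name] = arg.strip().strip('"')
    if not directives.get("max-age", "").isdigit():
        return None
    directives["max-age"] = int(directives["max-age"])
    return directives


class HstsCache:
    """The 'Known HSTS Hosts' store a browser keeps, seeded with a preload list.

    preload: iterable of (host, include_subdomains) pairs. Constructed here;
    real browsers compile the Chromium preload list into the binary.
    """

    def __init__(self, preload=()):
        self.known = {host: {"subdomains": sub, "expires": float("inf")}
                      for host, sub in preload}

    def observe(self, host, header_value, now):
        """Record an STS header. The caller must only pass headers that arrived
        over a secure, error-free TLS connection; a UA ignores the header on
        plain HTTP, where an attacker could have injected it."""
        parsed = parse_hsts(header_value)
        if parsed is None:
            return False
        if parsed["max-age"] == 0:
            self.known.pop(host, None)          # max-age=0 tells the UA to forget the host
            return True
        self.known[host] = {"subdomains": "includesubdomains" in parsed,
                            "expires": now + parsed["max-age"]}
        return True

    def is_known(self, host, now):
        """True if host, or a superdomain recorded with includeSubDomains,
        is an unexpired known HSTS host."""
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.known.get(".".join(labels[i:]))
            if entry is None or entry["expires"] <= now:
                continue
            if i == 0 or entry["subdomains"]:
                return True
        return False

    def rewrite(self, url, now):
        """Return the URL the UA actually fetches: http is upgraded to https
        for known hosts (RFC 6797 8.3; an explicit port 80 becomes 443)."""
        p = urlsplit(url)
        if p.scheme != "http" or not self.is_known(p.hostname, now):
            return url
        netloc = p.hostname if p.port in (None, 80) else p.netloc
        return urlunsplit(("https", netloc, p.path, p.query, p.fragment))


def demo():
    """Walk through the first-visit problem and the preload fix."""
    now = 1_700_000_000
    cache = HstsCache(preload=[("preloaded.example", True)])
    results = {}
    # First visit to bank.example over plain HTTP: nothing is known yet, so the
    # request goes out unprotected (this is the window SSL strip exploits).
    results["first_visit"] = cache.rewrite("http://bank.example/login", now)
    # The HTTPS response carries a typical header value (186 days, subdomains too).
    cache.observe("bank.example", "max-age=16070400; includeSubDomains", now)
    results["after_header"] = cache.rewrite("http://bank.example/login", now + 60)
    results["subdomain"] = cache.rewrite("http://www.bank.example/", now + 60)
    results["expired"] = cache.rewrite("http://bank.example/", now + 16070400 + 1)
    # A preloaded host is upgraded even on the very first visit.
    results["preloaded"] = cache.rewrite("http://api.preloaded.example/v1", now)
    # A malformed header (no max-age) is ignored rather than guessed at.
    results["invalid_header"] = parse_hsts("includeSubDomains")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The model deliberately has no way to learn a host from a plain-HTTP response: that is the point of the "initial request" limitation above, and it is why the preload list (or a long max-age on a site the user has already visited over HTTPS) is the only thing that closes the first-visit window.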
• 10. X-Frame-Options
* Clickjacking .. How can we stop this attack?
. Tricking users into enabling their webcam and microphone through Flash
. Tricking users into making their social networking profile information public
. Making users follow someone on Twitter
. Sharing links on Facebook
http://khalil-shreateh.com/khalil.shtml/index.php/personal-security/90-spam-and-scams-protect-yourself-from-being-a-victim-of-cyber-fraud.html?showall=1
http://www.anzaq.com/2013/05/what-is-clickjacking.html
• 11. X-Frame-Options
* X-Frame-Options overview
. The X-Frame-Options HTTP response header indicates whether a browser should be allowed to render a page in a <frame>, <iframe> or <object>
. Sites use it to avoid clickjacking attacks by ensuring their content is not embedded into other sites
. There are three possible values: DENY, SAMEORIGIN, ALLOW-FROM uri
. The frame-ancestors directive from the CSP Level 2 specification officially replaces this non-standard header
http://www.troyhunt.com/2013/05/clickjack-attack-hidden-threat-right-in.html
http://wordpress.stackexchange.com/questions/81607/receiving-this-content-cannot-be-displayed-in-a-frame-error-on-login-page
• 12. X-Frame-Options
* Limitations
. Per-page policy specification
. Problems with multi-domain sites
. ALLOW-FROM browser support
. Multiple options not supported
. X-Frame-Options deprecated (in favour of CSP frame-ancestors)
. Proxies
. Nested frames don't work with SAMEORIGIN and ALLOW-FROM
  //friendlysite.invalid
    //framed.invalid/parent   ALLOW-FROM http://friendlysite.invalid
      //framed.invalid/child  SAMEORIGIN
  When a frame on the //friendlysite.invalid page loads //framed.invalid/parent, it renders normally (allowed by ALLOW-FROM).
  When a frame on //framed.invalid/parent then loads //framed.invalid/child from the same domain, the child is not rendered, because the check is made against the top-level browsing context (//friendlysite.invalid), not the direct parent.
  //framed.invalid/child could also send ALLOW-FROM http://friendlysite.invalid to work around this, but then //framed.invalid/child fails to load whenever //framed.invalid/parent is itself the top-level page.
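The nested-frame case above is worth running rather than reading. The following is an added example, not code from the slides or from any browser: a Python model of the X-Frame-Options decision (compared with the top-level browsing context only, as the slide describes) next to a reduced CSP Level 2 frame-ancestors check (every ancestor must match). It reproduces the friendlysite.invalid / framed.invalid scenario from the slide, using http:// URLs in place of the slide's scheme-relative ones, and shows why frame-ancestors handles the nested case with a single policy; host matching is simplified to what the scenario needs.

```python
from urllib.parse import urlsplit


def origin(url):
    """(scheme, host, port); the default port is filled in so that
    http://a.example and http://a.example:80 compare equal."""
    p = urlsplit(url)
    return p.scheme, p.hostname, p.port or (443 if p.scheme == "https" else 80)


def xfo_allows(header, page_url, ancestors):
    """Decide whether page_url may render given its X-Frame-Options header.

    ancestors: URLs from the top-level document down to the direct parent
    (empty when the page is not framed). SAMEORIGIN and ALLOW-FROM are
    compared with the top-level browsing context only, the behaviour the
    slide describes; that is what breaks nested same-site frames.
    """
    if not ancestors:
        return True
    top = origin(ancestors[0])
    value = header.strip()
    upper = value.upper()
    if upper == "DENY":
        return False
    if upper == "SAMEORIGIN":
        return top == origin(page_url)
    if upper.startswith("ALLOW-FROM"):
        return top == origin(value[len("ALLOW-FROM"):].strip())
    return True                         # unrecognised value: browsers ignore the header


def source_matches(src, page_url, ancestor_url):
    """Reduced CSP host-source matching: 'self', a scheme ('https:'),
    a host, or a wildcard host ('*.example')."""
    if src == "'self'":
        return origin(ancestor_url) == origin(page_url)
    a = urlsplit(ancestor_url)
    if src.endswith(":"):
        return a.scheme == src[:-1]
    host = src.split("://")[-1].split("/")[0].split(":")[0].lower()
    if host.startswith("*."):
        return a.hostname.endswith(host[1:])
    return a.hostname == host


def frame_ancestors_allows(source_list, page_url, ancestors):
    """CSP2 frame-ancestors: every ancestor must match some source expression."""
    sources = source_list.split()
    if sources == ["'none'"]:
        return not ancestors
    return all(any(source_matches(src, page_url, anc) for src in sources)
               for anc in ancestors)


def demo():
    friendly = "http://friendlysite.invalid/"
    parent = "http://framed.invalid/parent"
    child = "http://framed.invalid/child"
    allow_friendly = "ALLOW-FROM http://friendlysite.invalid"
    r = {}
    # friendlysite frames parent: allowed by ALLOW-FROM
    r["parent_in_friendly"] = xfo_allows(allow_friendly, parent, [friendly])
    # parent (itself inside friendlysite) frames child: SAMEORIGIN is checked
    # against the top-level origin, friendlysite.invalid, so the same-site child is refused
    r["child_nested"] = xfo_allows("SAMEORIGIN", child, [friendly, parent])
    # the workaround from the slide (child also sends ALLOW-FROM friendlysite)
    # fixes that case but breaks the one where parent is the top-level page
    r["child_workaround_nested"] = xfo_allows(allow_friendly, child, [friendly, parent])
    r["child_workaround_top"] = xfo_allows(allow_friendly, child, [parent])
    # frame-ancestors checks each ancestor, so one policy covers both layouts
    policy = "'self' http://friendlysite.invalid"
    r["csp_nested"] = frame_ancestors_allows(policy, child, [friendly, parent])
    r["csp_top"] = frame_ancestors_allows(policy, child, [parent])
    r["csp_evil"] = frame_ancestors_allows(policy, child, ["http://evil.invalid/"])
    r["deny_unframed"] = xfo_allows("DENY", child, [])
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

When both headers are present, browsers that understand frame-ancestors ignore X-Frame-Options, so the usual migration is to send `Content-Security-Policy: frame-ancestors 'self' https://friendlysite.invalid` and keep `X-Frame-Options: SAMEORIGIN` only for browsers that predate CSP2.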
• 13. X-XSS-Protection
* XSS (Cross-Site Scripting) .. How can we stop this attack?
. Stored Cross-Site Scripting
. Reflected Cross-Site Scripting
• 14. X-XSS-Protection
* X-XSS-Protection overview
. A feature introduced in Internet Explorer 8 to help prevent reflected cross-site scripting attacks
. Detects JavaScript in URLs and HTTP POST requests
. If JavaScript is detected, the XSS filter searches for evidence of reflection: information that would be returned to the attacking website if the attacking request were submitted unchanged
. If reflection is detected, the XSS filter sanitizes the original request so that the injected JavaScript cannot be executed
. The header only steers a browser-side heuristic; it does not fix the missing output encoding in the application, and current Firefox and Chromium-based browsers no longer ship such a filter, so treat it as a legacy defence-in-depth setting rather than an XSS fix
• 15. X-XSS-Protection
* Disabling the Internet Explorer XSS filter
. https://msdn.microsoft.com/en-us/library/dd565647(VS.85).aspx
. The feature can be disabled by sending the HTTP header X-XSS-Protection: 0 or through the Internet Explorer options
http://www.staysecureweb.com/get-protected-xss-cross-site-scripting-internet-explorer/
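The three steps on the overview slide (detect script in the request, look for it reflected unchanged in the response, neuter it or refuse to render) and the header values on this slide can be modelled in a few lines. The following is an added example, not Microsoft's filter or code from the slides: a toy Python reflected-XSS filter with a constructed signature list, a simplified "insert a #" neutering rule, and constructed request and response data. It shows what the header changes (0 disables, 1 neuters, 1; mode=block blanks the page) and, in the last case, why correct output encoding makes the filter irrelevant: an HTML-escaped reflection never matches.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Patterns a reflected-XSS filter flags in request parameters. Constructed
# subset; the real IE8 filter used a much larger, regularly tuned signature list.
SUSPICIOUS = [re.compile(p, re.I) for p in (r"<script\b", r"javascript:", r"\bon\w+\s*=")]


def neuter(fragment):
    """IE-style neutering, simplified: break the first suspicious token by
    inserting '#' so the browser no longer parses it as script."""
    for pattern in SUSPICIOUS:
        m = pattern.search(fragment)
        if m:
            return fragment[:m.start() + 1] + "#" + fragment[m.start() + 1:]
    return fragment


def xss_filter(request_url, response_body, header=None):
    """Apply the filter to one response.

    header: the X-XSS-Protection value the server sent ('0', '1',
    '1; mode=block') or None for the browser default (filter on, neuter).
    Returns (body_the_browser_renders, filter_triggered).
    """
    mode = (header or "1").replace(" ", "").lower()
    if mode == "0":
        return response_body, False                 # site opted out
    params = parse_qs(urlsplit(request_url).query, keep_blank_values=True)
    for values in params.values():
        for value in values:
            # step 1: does the request carry script?
            if not any(p.search(value) for p in SUSPICIOUS):
                continue
            # step 2: is it reflected unchanged into the response?
            if value not in response_body:
                continue
            # step 3: sanitize, or refuse to render the page with mode=block
            if mode.startswith("1;mode=block"):
                return "", True
            return response_body.replace(value, neuter(value)), True
    return response_body, False


def demo():
    url = "http://site.example/search?q=%3Cscript%3Ealert(1)%3C/script%3E"
    payload = "<script>alert(1)</script>"
    # Constructed responses: one reflects the parameter raw, one HTML-encodes it.
    reflected = "<html><body>Results for " + payload + "</body></html>"
    escaped = "<html><body>Results for &lt;script&gt;alert(1)&lt;/script&gt;</body></html>"
    return {
        "default": xss_filter(url, reflected),
        "block": xss_filter(url, reflected, "1; mode=block"),
        "disabled": xss_filter(url, reflected, "0"),
        "escaped_output": xss_filter(url, escaped),
    }


if __name__ == "__main__":
    for name, (body, triggered) in demo().items():
        print(f"{name}: triggered={triggered} body={body!r}")
```

The neutering mode is the one to avoid in practice: because the filter rewrites the page based on request content, an attacker who can choose the request can also choose which legitimate script on the page gets neutered, which is why mode=block was recommended whenever the header was sent at all.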
• 16. X-Content-Type-Options
* Background of this feature
. Microsoft added a feature to Internet Explorer that attempts to determine the correct content type of a response regardless of what the web server specifies; this feature is known as MIME sniffing
. One of its steps compares the first 256 bytes of a file against a list of known file headers
. While this feature lets users browse the web more successfully, it also introduces an attack vector
[Diagram: the attacker uploads file.jpg that actually contains <html> ... </html>; the web server answers the browser's request with HTTP/1.1 200 OK, Content-Type: image/jpeg, Content-Length: 231 and the HTML body; the browser (IE6, IE7) then 1. ignores the Content-Type and the extension, 2. decides the type from the file header (MIME sniffing), 3. executes the tags (XSS attack)]
• 17. X-Content-Type-Options
* X-Content-Type-Options overview
. The only defined value, "nosniff", prevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared content type
. This reduces exposure to drive-by download attacks, and to sites serving user-uploaded content that, by clever naming, could be treated by MSIE as executable or dynamic HTML files
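The diagram on the previous slide and the nosniff description above describe one decision: which type the browser renders a response as. The following is an added example, not browser code or code from the slides: a toy Python sniffer with a constructed signature table (a handful of magic numbers and HTML tag prefixes, standing in for IE's 256-byte check) and constructed response bodies. It reproduces the file.jpg case, shows nosniff pinning the type to the declaration, and shows that a genuine JPEG is unaffected.

```python
SNIFF_WINDOW = 256          # IE compares the first 256 bytes with known file headers

# Constructed subset of a browser's signature table: (magic prefix, type)
SIGNATURES = [
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"%PDF-", "application/pdf"),
]
# Tag prefixes whose presence at the start of the window marks the body as HTML
HTML_TAGS = (b"<!doctype html", b"<html", b"<head", b"<script", b"<iframe",
             b"<body", b"<title", b"<h1", b"<div", b"<table")


def sniff(body):
    """Type a sniffing browser assigns from the content alone, or None."""
    window = body[:SNIFF_WINDOW]
    for magic, mime in SIGNATURES:
        if window.startswith(magic):
            return mime
    lowered = window.lstrip().lower()
    if any(lowered.startswith(tag) for tag in HTML_TAGS):
        return "text/html"
    return None


def effective_type(headers, body):
    """Type the browser actually renders the response as."""
    lower = {k.lower(): v for k, v in headers.items()}
    declared = lower.get("content-type", "").split(";")[0].strip().lower()
    if lower.get("x-content-type-options", "").strip().lower() == "nosniff":
        # nosniff: honour the declaration; with no declaration nothing is
        # guessed and the body is treated as an opaque download
        return declared or "application/octet-stream"
    # sniffing browser: the content wins over the declaration (the file.jpg case)
    return sniff(body) or declared or "application/octet-stream"


def demo():
    # file.jpg from the diagram: HTML uploaded under an image name (constructed)
    html_payload = b"<html><body><script>alert(document.cookie)</script></body></html>"
    real_jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 28
    cases = {
        "sniffed": ({"Content-Type": "image/jpeg"}, html_payload),
        "nosniff": ({"Content-Type": "image/jpeg",
                     "X-Content-Type-Options": "nosniff"}, html_payload),
        "genuine_jpeg": ({"Content-Type": "image/jpeg",
                          "X-Content-Type-Options": "nosniff"}, real_jpeg),
        "no_declared_type": ({}, html_payload),
        "octet_stream_download": ({"Content-Type": "application/octet-stream",
                                   "X-Content-Type-Options": "nosniff"}, html_payload),
    }
    return {name: effective_type(h, b) for name, (h, b) in cases.items()}


if __name__ == "__main__":
    for name, mime in demo().items():
        print(f"{name}: {mime}")
```

A useful pentest check follows from the last two cases: an upload endpoint that serves user files without an explicit Content-Type, or with one but without nosniff, is the configuration the attack on the previous slide needs. Note also that nosniff only helps when the declared type is right; a server that labels everything text/html gains nothing from it.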
• 18. X-Content-Type-Options
* Security recommendations
. Web developers: familiarize yourself with the risks of file uploads, implement safeguards and add the relevant HTTP headers for uploaded files where necessary
. Web server administrators: add the X-Content-Type-Options: nosniff header to your web server; this also applies to web servers other than Microsoft IIS
. System administrators and end users: disable MIME sniffing in Internet Explorer and/or set the security level to High. In IE9 MIME sniffing can be disabled at Internet Options -> Security level -> Miscellaneous -> Enable MIME Sniffing -> Disable
. Penetration testers: while testing file uploads in web applications, attempt to upload HTML code in files with different extensions, and perform these tests with different browsers
. Microsoft: please change the default MIME sniffing behaviour of Internet Explorer and refrain from handling files as HTML when the web server says otherwise; at least prevent this for most 'known file types' and most 'ambiguous file types'
http://blog.fox-it.com/2012/05/08/mime-sniffing-feature-or-vulnerability/
http://www.h-online.com/security/features/Risky-MIME-sniffing-in-Internet-Explorer-746229.html
• 19. Content-Security-Policy
* Content-Security-Policy overview
. An HTTP header that lets you create a whitelist of sources of trusted content and instructs the browser to only execute or render resources from those sources
. Even if an attacker finds a hole through which to inject script, the script won't match the whitelist and therefore won't be executed
• 20. Content-Security-Policy
* Resource directives
. script-src Controls a set of script-related privileges for a specific page
. connect-src Limits the origins to which you can connect (via XHR, WebSockets and EventSource)
. font-src Specifies the origins that can serve web fonts. Google's Web Fonts could be enabled via font-src https://themes.googleusercontent.com
. frame-src Lists the origins that can be embedded as frames. For example frame-src https://youtube.com would enable embedding YouTube videos, but no other origins
. img-src Defines the origins from which images can be loaded
. media-src Restricts the origins allowed to deliver video and audio
. object-src Allows control over Flash and other plugins
. style-src script-src's counterpart for stylesheets
• 21. Content-Security-Policy
* Four keywords
. 'none' As you might expect, matches nothing
. 'self' Matches the current origin, but not its subdomains
. 'unsafe-inline' Allows inline JavaScript and CSS
. 'unsafe-eval' Allows text-to-JavaScript mechanisms like eval
* Example
. You have an application that loads all of its resources from a content delivery network (https://cdn.example.net), and you know that you don't need framed content or any plugins at all
Content-Security-Policy: default-src https://cdn.example.net; frame-src 'none'; object-src 'none'
• 22. Content-Security-Policy
* Reporting
. Instruct the browser to POST JSON-formatted violation reports to the location specified in a report-uri directive
Content-Security-Policy: default-src 'self'; ...; report-uri /my_amazing_csp_report_parser;
. You can also ask the browser to monitor a policy, reporting violations but not enforcing the restrictions: instead of sending a Content-Security-Policy header, send a Content-Security-Policy-Report-Only header
Content-Security-Policy-Report-Only: default-src 'self'; ...; report-uri /my_amazing_csp_report_parser;
http://www.html5rocks.com/en/tutorials/security/content-security-policy/?redirect_from_locale=ko
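The directive list, the four keywords, the CDN example policy and the reporting modes on the last three slides all come together in how a browser evaluates one request against one policy. The following is an added example, not browser code or code from the slides: a reduced Python CSP Level 2 evaluator that parses a policy, applies the default-src fallback, matches 'self', 'none', 'unsafe-inline', scheme and host sources, and produces the JSON report body a user agent would POST to report-uri, with report-only mode reporting but never blocking. The page and resource hosts (app.example.com, evil.invalid) are constructed; port matching, nonces and hashes are left out.

```python
import json
from urllib.parse import urlsplit


def parse_policy(header):
    """'default-src a b; script-src c' -> {'default-src': ['a', 'b'], 'script-src': ['c']}"""
    policy = {}
    for token in header.split(";"):
        parts = token.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def origin_of(url):
    p = urlsplit(url)
    return p.scheme, p.hostname, p.port


def source_matches(src, resource_url, page_url):
    """Match one source expression against a fetched URL (CSP2 host-source
    matching, reduced: 'self', keywords, '*', scheme-source, host, *.host)."""
    src = src.lower()
    if src == "'self'":
        return origin_of(resource_url) == origin_of(page_url)
    if src.startswith("'"):                  # 'none', 'unsafe-inline', 'unsafe-eval'
        return False                         # never match a fetched URL
    if src == "*":
        return True
    r = urlsplit(resource_url)
    if src.endswith(":"):                    # scheme-source such as https:
        return r.scheme == src[:-1]
    scheme, _, rest = src.rpartition("://")
    host = rest.split("/")[0].split(":")[0]
    if scheme and r.scheme != scheme:        # https://cdn.example.net does not cover http://
        return False
    if host.startswith("*."):
        return r.hostname.endswith(host[1:])
    return r.hostname == host


class Policy:
    """One CSP header applied to one document, in enforce or report-only mode."""

    def __init__(self, header, page_url, report_only=False):
        self.header = header
        self.directives = parse_policy(header)
        self.page_url = page_url
        self.report_only = report_only
        self.reports = []                    # what the UA would POST to report-uri

    def sources_for(self, directive):
        """Fetch directives fall back to default-src; no policy at all means allow."""
        if directive in self.directives:
            return self.directives[directive]
        return self.directives.get("default-src", ["*"])

    def allows(self, directive, resource_url=None):
        """resource_url=None stands for an inline <script> or <style> block."""
        sources = self.sources_for(directive)
        if resource_url is None:
            ok = "'unsafe-inline'" in (s.lower() for s in sources)
        else:
            ok = any(source_matches(s, resource_url, self.page_url) for s in sources)
        if ok:
            return True
        self.reports.append({"csp-report": {
            "document-uri": self.page_url,
            "violated-directive": directive,
            "blocked-uri": resource_url or "inline",
            "original-policy": self.header,
        }})
        return self.report_only              # report-only reports but never blocks

    def report_uri(self):
        return self.directives.get("report-uri", [None])[0]


def demo():
    page = "https://app.example.com/index.html"
    # The CDN policy from the example slide plus a report-uri
    header = ("default-src https://cdn.example.net; frame-src 'none'; "
              "object-src 'none'; report-uri /my_amazing_csp_report_parser")
    enforced = Policy(header, page)
    results = {
        "cdn_script": enforced.allows("script-src", "https://cdn.example.net/app.js"),
        "injected_script": enforced.allows("script-src", "https://evil.invalid/x.js"),
        "inline_script": enforced.allows("script-src"),            # XSS payload in the page
        "youtube_frame": enforced.allows("frame-src", "https://youtube.com/embed/1"),
        "http_cdn_image": enforced.allows("img-src", "http://cdn.example.net/logo.png"),
        "enforced_reports": len(enforced.reports),
        "report_uri": enforced.report_uri(),
    }
    # The same injection under a report-only policy: allowed, but a report is generated
    monitor = Policy("default-src 'self'; report-uri /my_amazing_csp_report_parser",
                     page, report_only=True)
    results["report_only_allows"] = monitor.allows("script-src", "https://evil.invalid/x.js")
    results["report_json"] = json.dumps(monitor.reports[0], sort_keys=True)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two things the run makes visible that the slides only state: the inline script is refused even though no directive names it, because script-src inherits default-src and that list has no 'unsafe-inline'; and the http:// image from the same CDN is refused, because a host-source with an explicit scheme matches that scheme only. The report body uses the same top-level "csp-report" key and field names real browsers send, so a parser written against this sample will accept live reports, but the newer report-to mechanism from CSP Level 3 uses a different envelope.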