Embed Size (px)
Citation preview
Care&FeedingofProgrammers:AddressingAppSecGapsusingHTTPHeaders
SunnyWear
1
©SunshineSolu@ons,LLCDecember2015
OWASPTampaChapterDecemberMee@ng
AbouttheSpeaker
December2015 ©SunshineSolu@ons,LLC 2
• Informa@onSecurityArchitect• Areasofexper@se:Applica@on,NetworkandDataSecurityArchitecture
• Author–SecureCodingFieldManualavailableonAmazon• Educator/Mentor/Coach/Consultant:
• SecureCoding• Sta@cCodeAnalysis• ManualSecurityCodeReviews• SecureDesignsandArchitecturePrinciples• ProgrammerunderstandingofPenetra@onTestsResults
• Contact:@SunnyWear
2013celebrityphotohack
• AppleiCloud(hackoccurringin2013)• Nakedcelebrityphotos
December2015 ©SunshineSolu@ons,LLC 3
SameOriginPolicy• WhatisSOP?– WebApplica@onSecurityModel– Policyenforcedbybrowser– Constrainedtoorigin:protocol,port,hostname
December2015 ©SunshineSolu@ons,LLC 4
h\ps://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy
SOPProtec@on• Protectsforeignrequestsfromexecu@nginyourauthen@catedsessionaslongastheforeignrequestiscomingfromadifferentorigin.
• Example:– 1)Userloggedintoh\ps://mybank.com– 2)OpenstabtovulnerablesitewhichhasplantedXSS;TheXSSinjectsmaliciousiFrameintouser’ssessioninothertab:h\ps://mybank.com
– 3)SOPstopsthisa\empt(differenthostname,differentprotocol)
December2015 ©SunshineSolu@ons,LLC 5
SOPCaveat
• SOPisgreathowever,itwillNOTprotectyouagainstexternallyreferencedimages,stylesandscripts!
• ExternalscriptsareallowedbySOP!• Why?SOPseesdoesnotviewthesecomponents(js,img,css)as“data”soallowsaccesstoforeignsitesandtheirexecu@on
December2015 ©SunshineSolu@ons,LLC 6
BypassingSOP• Implementanyopera@on(e.g.,Clickbu\ons)ontheuser’sbehalf– UsingJSONp,seeBlackHatEurope2014TalkbyBenHayak
– CallBacks• Legi@matelyusedbyGoogleandotherstosharedata• Canbecometheinjec@onpointsforana\acker• Anypageonthedomainbecomesvulnerable
December2015 ©SunshineSolu@ons,LLC 7
Defenses&Countermeasures
• ContentSecurityPolicy• SecureHTTPHeaders• HTML5Whitelis@ng
December2015 ©SunshineSolu@ons,LLC 8
WhatisContentSecurityPolicy?• ContentSecurityPolicy(CSP)isawhitelistyoucandefinein
yourwebapplica@ontoauthorizetheexecu@onofscripts– DeliveredviaHTTPHeader(configurewebserverorprogramma@callyadd)
– Allowswhitelis@ngofapprovedsourcesofcontentthatbrowsermayloadincludingJavaScriptandCascadingStylesheets
– Itslikeacheap/poorman’sversionofaWebApplica@onFirewall(WAF)forinjec@on-relateda\acks
9
©SunshineSolu@ons,LLCDecember2015
WhyshouldIcareaboutContentSecurityPolicy?
• Effec@vecountermeasuretoXSSa\acks,whichusuallyleadtoCSRFa\acks
• ProtectstheDOM,preventsdataleakage,protectsagainst
AJAXa\acks• Protectsagainstexternallyreferencedimages,stylesand
scriptswhichSameOriginPolicy(SOP)doesnotdo• ProtectsagainstiFrameinjec@on(i.e.,clickjacking)
10
©SunshineSolu@ons,LLCDecember2015
CanIseeanexampleofCSP?– Example:
– ThisCSPspecificsthatonlycontentfromthiswebsiteisallowedtoexecute,includingexternallyreferencedimages,stylesandscripts
11
©SunshineSolu@ons,LLCDecember2015
Aretherecost-efficienciestobegainedbyusingCSP?
• YES!• CSPprotectsyouren@rewebapplica@onandallsubdomains(so
longasyouspecify).– Thismeansitwillprotectareasofyourwebapplica@oninadvertently
missedbyprogrammersintheirwhitelis@ngtechniques.– Itwillprotectareasofyourwebapplica@onwherevulnerabili@esmay
residethatarenotdetectedbyyoursta@ccodeanalyzer(e.g.,HPFor@fy).
– Itwillprotectareasofyourwebapplica@oninadvertentlynottestedbywebapppen-testers
• CSPprovidesmi@ga@ontechniquesthatcansavemoneyinthe
followingareas:– Pen-testremedia@oncosts,includingQAandDeploymentcosts– Sta@ccodeanalyzermi@ga@ondevelopmentcostsrelatedtoinjec@on-
typea\acks(SQLi,iFrame,clickjacking,XSS,etc.)
12
©SunshineSolu@ons,LLCDecember2015
HowdoIimplementCSP?SeveralOp@onsAvailableincludingthefollowing:1. IISConfigura@on2. ApacheConfigura@on
3. Programma@cally– AnyprogramminglanguageprovidingtheabilitytosetHTTPResponseheaderscanbeused– ExampleshownisJava:
– FullJavaServletexamplehere:h\ps://www.owasp.org/index.php/Content_Security_Policy
13
©SunshineSolu@ons,LLCDecember2015
Whatdirec@vesareavailableinCSP?
14
©SunshineSolu@ons,LLCDecember2015
IfIimplementCSP,willmywebpagecodebreak?
• AnyinlineJSorinlineCSScallswouldbebrokenunlessyouusedirec@vebutIrecommendagainstusingthedirec@vesinceitwillallowa\acker-controlledscriptstoexecuteonyourwebsite.Youcanuseanonceorhashed-valuesforinlineJSorCSSexcep@ons,ifyoulike.• Anyexis@nginlineJSorinlineCSSneedstobeexternalizedtoaJSorCSSfile
andreferencedinyourwebpagebyusingtheexplicit<script>tags.• Forexample,ifyouhaveablockofJScodeforGoogleAnaly@cs,youwould
havetocreateanexternalfileandreferenceitlikethis:– <scriptsrc="/assets/js/ga.min.js"></script>
• Also,anyinlineeventhandlerslikeonClick"doMyStuff();"havetobe
removedandreplacedwithaddEventListener()callsinstead.15
©SunshineSolu@ons,LLCDecember2015
WhatdoesCSPlooklikefromaclientbrowserperspec@ve?
16
©SunshineSolu@ons,LLCDecember2015
Whichbrowsersarecompa@blewithCSPheaders?
• Fullcompa@bilitytablehere:h\p://caniuse.com/contentsecuritypolicy
17
©SunshineSolu@ons,LLCDecember2015
CanIwatchademotoseehowCSPworks?
18
©SunshineSolu@ons,LLCDecember2015
Yes!
ArethereotherHTTPResponseHeadersavailablethatcanprotectmy
webapplica@on?• Yes!• Inaddi@ontoContent-Security-Policy,youmayaddtheseaddi@onalsecurity-
relatedHTTPResponseHeaders:– HTTPStrictTransportSecurity
• ToensurethatusersofyoursitemustalwaysuseHTTPS,addthisheader.Itwillevenworkonoldbookmarks,forcinguserstoinsteaduseHTTPS.
– HTTPPublicKeyPinning• ToensurethatonlyYOURserver’sTLSdigitalcer@ficateisauthorizedforclientbrowserstotrust,add
thisheader.Thispreventsa\acker-controlledcer@ficatesforyourserver(shouldtheCAbecompromised)frombeingacceptedbyclients.
– X-FrameOp;ons• ToensurethatnomaliciousiFramesareloadedorexecutedonyourwebsite;protectsagainst
clickjackinga\ack.– X-XSSProtec;on
• Ensurestheuseofbuilt-inbrowserprotec@onagainstXSSa\acks.Sewngsare0(disable)and1(enable)withatellingthebrowsertoblocktheexecu@onofascriptifitdetectsana\ack.
– X-Content-TypeOp;ons• Providesthedirec@vethesniffingofthemime-typeforanuploadedfile.Bynot
allowingthissnifftooccur,thismi@gatesspoofingofthecontent-typetocircumventwhitelis@ngtechniqueswithintheapplica@oncode.
19
©SunshineSolu@ons,LLCDecember2015
X-FRAMEHeaderOp@ons
• SAMEORIGIN• DENY(Recommended)• ALLOW-FROM:<explicitdomain>• h\ps://www.owasp.org/index.php/List_of_useful_HTTP_headers
• ProtectsagainstClickjacking(injec@onofiFrames)
December2015 ©SunshineSolu@ons,LLC 20
HTML5Whitelis@ng
• Neverallowclient-sidecallbackfunc@ons
• Whitelistcallbackdomains,redirectsalwaysonserver-side
December2015 ©SunshineSolu@ons,LLC 21
References• BlackHat2014Talk:SameOriginMethodExecu@on(Ben
Hayak):h\ps://www.youtube.com/watch?v=UfYfID_r7-U• Defcon21Talk:HowtouseCSPtostopXSS(KenLee):
h\ps://www.youtube.com/watch?v=BEsEIV8v2fQ
December2015 ©SunshineSolu@ons,LLC 22
