Care & Feeding of Programmers: Addressing App Sec Gaps using HTTP Headers
Sunny Wear
© Sunshine Solutions, LLC, December 2015
OWASP Tampa Chapter December Meeting
About the Speaker
• Information Security Architect
• Areas of expertise: Application, Network and Data Security Architecture
• Author – Secure Coding Field Manual, available on Amazon
• Educator / Mentor / Coach / Consultant:
  – Secure Coding
  – Static Code Analysis
  – Manual Security Code Reviews
  – Secure Designs and Architecture Principles
  – Programmer understanding of Penetration Test Results
• Contact: @SunnyWear
2013 celebrity photo hack
• Apple iCloud (hack occurring in 2013)
• Naked celebrity photos
Same Origin Policy
• What is SOP?
  – Web Application Security Model
  – Policy enforced by the browser
  – Constrained to origin: protocol, port, hostname
https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy
SOP Protection
• Protects your authenticated session from foreign requests: a page served from a different origin cannot read responses from, or script into, your origin.
• Example:
  – 1) User is logged in to https://mybank.com
  – 2) User opens a tab to a vulnerable site which has planted XSS; the XSS tries to reach into the user's https://mybank.com session in the other tab (for example by loading it in a malicious iFrame and scripting its DOM)
  – 3) SOP stops this attempt (different hostname, different protocol)
SOP Caveat
• SOP is great; however, it will NOT protect you against externally referenced images, styles and scripts!
• External scripts are allowed by SOP!
• Why? SOP only restricts reading a cross-origin response as "data". Embedded resources (js, img, css) are not treated that way, so the browser fetches them from foreign sites and a foreign script executes with the full privileges of the page that included it.
Bypassing SOP
• Implement any operation (e.g., click buttons) on the user's behalf
  – Using JSONP; see the BlackHat Europe 2014 talk by Ben Hayak
  – Callbacks
    • Legitimately used by Google and others to share data
    • Can become the injection points for an attacker
    • Any page on the domain becomes vulnerable
Defenses & Countermeasures
• Content Security Policy
• Secure HTTP Headers
• HTML5 Whitelisting
What is Content Security Policy?
• Content Security Policy (CSP) is a whitelist you can define in your web application to authorize the execution of scripts
  – Delivered via HTTP header (configure the web server, or add it programmatically)
  – Allows whitelisting of approved sources of content that the browser may load, including JavaScript and Cascading Style Sheets
  – Think of it as a cheap, poor man's Web Application Firewall (WAF) for injection-related attacks, enforced by the browser rather than in front of the server
Why should I care about Content Security Policy?
• Effective countermeasure to XSS attacks, which are frequently chained into CSRF-style actions in the victim's session
• Protects the DOM, prevents data leakage, and restricts where scripts may connect (AJAX attacks)
• Protects against externally referenced images, styles and scripts, which Same Origin Policy (SOP) does not do
• Protects against iFrame injection (i.e., clickjacking)
Can I see an example of CSP?
• Example:
  – This CSP specifies that only content from this website is allowed to load and execute; externally referenced images, styles and scripts are blocked
Are there cost-efficiencies to be gained by using CSP?
• YES!
• CSP protects your entire web application and all subdomains (so long as you specify).
  – This means it will protect areas of your web application inadvertently missed by programmers in their whitelisting techniques.
  – It will protect areas of your web application where vulnerabilities may reside that are not detected by your static code analyzer (e.g., HP Fortify).
  – It will protect areas of your web application inadvertently not tested by web app pen-testers.
• CSP provides mitigation techniques that can save money in the following areas:
  – Pen-test remediation costs, including QA and deployment costs
  – Static code analyzer mitigation development costs related to browser-side injection attacks (XSS, iFrame injection, clickjacking, etc.). Note that CSP does nothing for server-side injection such as SQLi, which still has to be fixed in code.
How do I implement CSP?
Several options available, including the following:
1. IIS Configuration
2. Apache Configuration
3. Programmatically
  – Any programming language providing the ability to set HTTP response headers can be used
  – Example shown is Java:
  – Full Java Servlet example here: https://www.owasp.org/index.php/Content_Security_Policy
What directives are available in CSP?
If I implement CSP, will my web page code break?
• Any inline JS or inline CSS would be broken unless you use the source keyword that re-enables inline code, but I recommend against using it, since it will allow attacker-controlled scripts to execute on your website. You can use a nonce or hashed values for inline JS or CSS exceptions, if you like.
• Any existing inline JS or inline CSS needs to be externalized to a JS or CSS file and referenced in your web page by using explicit <script> (or <link>) tags.
• For example, if you have a block of JS code for Google Analytics, you would have to create an external file and reference it like this:
  – <script src="/assets/js/ga.min.js"></script>
• Also, any inline event handlers like onClick="doMyStuff();" have to be removed and replaced with addEventListener() calls instead.
What does CSP look like from a client browser perspective?
Which browsers are compatible with CSP headers?
• Full compatibility table here: http://caniuse.com/contentsecuritypolicy
Can I watch a demo to see how CSP works?
• Yes!
Are there other HTTP Response Headers available that can protect my web application?
• Yes!
• In addition to Content-Security-Policy, you may add these additional security-related HTTP Response Headers:
  – HTTP Strict Transport Security
    • To ensure that users of your site must always use HTTPS, add this header. It will even work on old bookmarks, forcing users to instead use HTTPS. (The browser has to have seen the header once over HTTPS, or the site must be on the browser preload list, before it is enforced.)
  – HTTP Public Key Pinning
    • To ensure that only YOUR server's TLS digital certificate is authorized for client browsers to trust, add this header. This prevents attacker-controlled certificates for your server (should the CA be compromised) from being accepted by clients. (Browsers have since removed HPKP support, and a bad pin locks your own users out, so it is no longer recommended for new deployments.)
  – X-Frame-Options
    • To ensure that your pages cannot be loaded inside a malicious iFrame on another site; protects against the clickjacking attack.
  – X-XSS-Protection
    • Ensures the use of the built-in browser protection against reflected XSS attacks. Settings are 0 (disable) and 1 (enable), with an optional block mode telling the browser to block the page rather than just sanitize the script if it detects an attack. (Modern browsers have since dropped this filter; CSP is the replacement.)
  – X-Content-Type-Options
    • Provides a directive that disables browser sniffing of the MIME type of a served (e.g., uploaded) file. By not allowing this sniff to occur, this mitigates spoofing of the content-type to circumvent whitelisting techniques within the application code.
X-Frame-Options Header Values
• SAMEORIGIN
• DENY (Recommended)
• ALLOW-FROM <explicit domain> (not supported by all browsers; use the CSP frame-ancestors directive to allow specific framing origins)
• https://www.owasp.org/index.php/List_of_useful_HTTP_headers
• Protects against Clickjacking (injection of iFrames)
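The checks a practitioner would run against a response carrying the headers from the two preceding slides, as an added example in Node.js rather than anything from the slides: recommendedHeaders() is the set to emit, auditHeaders() reports what is missing or weak. HPKP is deliberately left out of the recommended set because browsers have since removed it; the 180-day HSTS threshold, the sample weak response and the wording of the findings are my choices.

```javascript
'use strict';
// Added example: audit of the security response headers the slides recommend.
// recommendedHeaders() is the set to emit; auditHeaders() lists what is missing
// or weak. Thresholds, wording and the sample weak response are my choices.

// HPKP is intentionally absent: browsers have since removed it and a bad pin
// locks your own users out.
function recommendedHeaders() {
  return {
    'Content-Security-Policy': "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
    'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
    'X-Frame-Options': 'DENY',
    'X-Content-Type-Options': 'nosniff',
    'X-XSS-Protection': '1; mode=block',
  };
}

// Header names are case-insensitive, so compare on a lower-cased copy.
function normalise(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

// The source list that governs <script>: script-src if present, else default-src.
function effectiveScriptSrc(csp) {
  const pick = (directive) => {
    const m = new RegExp(`(?:^|;)\\s*${directive}([^;]*)`).exec(csp);
    return m ? m[1] : null;
  };
  const explicit = pick('script-src');
  return explicit !== null ? explicit : (pick('default-src') || '');
}

// Returns a list of findings; an empty list means the response passes.
function auditHeaders(rawHeaders) {
  const h = normalise(rawHeaders);
  const findings = [];

  const csp = h['content-security-policy'];
  if (!csp) {
    findings.push('CSP missing');
  } else {
    if (!/default-src/.test(csp)) findings.push('CSP has no default-src fallback');
    const src = effectiveScriptSrc(csp);
    if (/'unsafe-inline'/.test(src)) findings.push("CSP allows inline script ('unsafe-inline')");
    if (/(^|\s)\*(\s|$)/.test(src)) findings.push('CSP allows script from any origin (*)');
  }

  const hsts = h['strict-transport-security'];
  const maxAge = hsts ? /max-age=(\d+)/i.exec(hsts) : null;
  if (!hsts) findings.push('HSTS missing');
  else if (!maxAge || Number(maxAge[1]) < 15552000) findings.push('HSTS max-age under 180 days');
  else if (!/includeSubDomains/i.test(hsts)) findings.push('HSTS does not cover subdomains');

  const xfo = (h['x-frame-options'] || '').toUpperCase();
  if (!xfo) findings.push('X-Frame-Options missing (clickjacking)');
  else if (xfo !== 'DENY' && xfo !== 'SAMEORIGIN') {
    findings.push(`X-Frame-Options value not enforced by all browsers: ${xfo}`);
  }

  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') {
    findings.push('X-Content-Type-Options is not nosniff');
  }

  const xxp = h['x-xss-protection'];
  if (!xxp) findings.push('X-XSS-Protection missing');
  else if (!/^1;\s*mode=block$/i.test(xxp)) findings.push('X-XSS-Protection is not "1; mode=block"');

  return findings;
}

// Constructed sample: the kind of response a pen-tester typically finds.
const WEAK_RESPONSE_HEADERS = {
  'Content-Type': 'text/html',
  'X-Frame-Options': 'ALLOW-FROM https://partner.example',
  'Strict-Transport-Security': 'max-age=300',
  'X-XSS-Protection': '0',
};
```

Feed auditHeaders() the header object from an http response (for example res.headers from Node's http.get) to turn the slide's checklist into a regression test that runs in CI.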
HTML5 Whitelisting
• Never allow client-side callback functions
• Whitelist callback domains; perform redirects always on the server side
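The two rules on this slide, together with the JSONP callback injection point from the "Bypassing SOP" slide, as an added example in Node.js (not code from the slides): a JSONP endpoint that reflects the callback name unchecked beside one that whitelists it, and a server-side redirect check that allows only https targets on a fixed list of hosts. The host allowlist, the base URL, the function names and the sample inputs are constructed for illustration.

```javascript
'use strict';
// Added example: server-side whitelisting for a JSONP callback name and for
// redirect targets. The host allowlist, SITE_BASE and sample data are constructed.

const SITE_BASE = 'https://mybank.com/';
const ALLOWED_REDIRECT_HOSTS = new Set(['mybank.com', 'www.mybank.com']);

// Vulnerable: ?callback= is written straight into a JavaScript response. A request
// such as ?callback=alert(document.cookie)// turns the endpoint into XSS that runs
// in the origin of mybank.com on every page that embeds it.
function jsonpVulnerable(callback, data) {
  return `${callback}(${JSON.stringify(data)});`;
}

// Hardened: the callback must be a plain (optionally dotted) identifier; anything
// else is rejected rather than "cleaned". The regex is the whitelist.
const CALLBACK_RE = /^[A-Za-z_$][\w$]{0,63}(\.[A-Za-z_$][\w$]{0,63}){0,3}$/;

function jsonpSafe(callback, data) {
  if (typeof callback !== 'string' || !CALLBACK_RE.test(callback)) {
    throw new Error('invalid callback name');
  }
  // U+2028/U+2029 are legal inside a JSON string but terminate a line in
  // JavaScript, so they are escaped before the JSON is placed in script context.
  const json = JSON.stringify(data)
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  // The leading comment keeps caller-controlled bytes off the start of the body.
  return `/**/${callback}(${json});`;
}

// Headers to send with any JSONP response (see the slide on other response
// headers): do not let the browser guess the type, and do not let it be framed.
function jsonpHeaders() {
  return {
    'Content-Type': 'application/javascript; charset=utf-8',
    'X-Content-Type-Options': 'nosniff',
    'X-Frame-Options': 'DENY',
  };
}

// Redirect whitelisting on the server: resolve the target against the site's own
// base URL, then accept only https URLs whose host is on the allowlist. Returns
// the normalised absolute URL, or null so the caller can send the user to a fixed
// landing page instead.
function safeRedirect(target) {
  let u;
  try {
    u = new URL(String(target), SITE_BASE);
  } catch (e) {
    return null; // unparseable input
  }
  if (u.protocol !== 'https:') return null;                // rejects http:, javascript:, data:
  if (!ALLOWED_REDIRECT_HOSTS.has(u.hostname)) return null; // rejects evil.com, mybank.com.evil.com
  if (u.username || u.password) return null;                // belt and braces for user@host forms
  return u.href;
}
```

Resolving against SITE_BASE is what defeats the scheme-relative form //evil.com/ that a plain string prefix check on "/" would let through; the allowlist is matched on the parsed hostname, so a suffix trick like mybank.com.evil.com fails as well.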
References
• Black Hat 2014 Talk: Same Origin Method Execution (Ben Hayak): https://www.youtube.com/watch?v=UfYfID_r7-U
• DEF CON 21 Talk: How to use CSP to stop XSS (Ken Lee): https://www.youtube.com/watch?v=BEsEIV8v2fQ