Agenda
• Who I am
• HTTP Security Headers
• HTTP Strict Transport Security (HSTS)
• HTTP Public Key Pins (HPKP)
• X-Frame-Options
• X-XSS-Protection
• Content Security Policy (CSP)
• Set-Cookie Options
• X-Content-Type-Options
• Referrer-Policy
• Conclusion
• References
Who I am
• Senior Security Consultant
• 10 years of work focused on application security
• OWASP contributor (Brasília chapter, Top Ten Cheatsheet, OWASP Testing Guide)
• Practitioner of responsible vulnerability disclosure (!)
• ISC2 volunteer for CISSP questions
• Independent researcher
HTTP Security Headers
• Evolution of the security model
• Protecting the communication channel
• Client-side security
• Enforcing security policies in the browser
Typical HTTP request
GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.110 Mobile Safari/537.36
Host: www.exemplo.com
Accept: */*
HTTP/1.1 200 OK
Date: Fri, 17 Mar 2017 07:45:30 GMT
Server: Apache/2.2.8 (Ubuntu) DAV/2
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 891
Content-Type: text/html
Typical HTTP request (with security headers added)
GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.110 Mobile Safari/537.36
Host: www.exemplo.com
Accept: */*
HTTP/1.1 200 OK
Date: Fri, 17 Mar 2017 07:45:30 GMT
Server: Apache/2.2.8 (Ubuntu) DAV/2
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 891
Content-Type: text/html
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
HTTP Strict Transport Security (HSTS)
Strict-Transport-Security: max-age=<expire-time>
Strict-Transport-Security: max-age=<expire-time>; includeSubDomains
Strict-Transport-Security: max-age=<expire-time>; preload
Typical traffic for a site with HTTP/HTTPS
http://www.exemplo.com
GET / HTTP/1.0
Host: www.exemplo.com
301 Moved Permanently
Content-Length: 0
Location: https://www.exemplo.com
https://www.exemplo.com
GET / HTTP/1.0
Host: www.exemplo.com
SSLStrip (diagram)
Browser -> SSLStrip proxy: GET http://www.exemplo.com
SSLStrip proxy -> server: GET https://www.exemplo.com
Server -> proxy: HTML response
Proxy -> browser: modified HTML response, in clear text
HSTS support
http://caniuse.com/#feat=stricttransportsecurity
HSTS - Considerations
- Applicable to sites that serve all of their content over HTTPS
- Deployment difficulty with L7 routing
- The preload list ALWAYS includes subdomains
- Removal from the preload list can take months, since it ships via browser updates
- Mitigates SSLStrip attacks and, potentially, SSLStrip2 with preload + includeSubDomains
- Protection against MITM attacks using invalid certificates
HTTP Public Key Pins (HPKP)
Public-Key-Pins: pin-sha256=<base64==>; max-age=<expireTime>;
Public-Key-Pins: pin-sha256=<base64==>; max-age=<expireTime>; includeSubDomains
Public-Key-Pins: pin-sha256=<base64==>; max-age=<expireTime>; report-uri=<reportURI>
Valid response with HPKP headers
HTTP/1.1 200 OK
Server: GitHub.com
Status: 200 OK
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
Public-Key-Pins: max-age=5184000; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="RRM1dGqnDFsCJXBTHky16vi1obOlCgFFn/yOhI/y+ho="; pin-sha256="k2v657xBsOVe1PQRwOsHsw3bsGT2VzIqz5K+59sNQws="; pin-sha256="K87oWBWM9UZfyddvDfoxL+8lpNyoUB2ptGtn0fv6G2Q="; pin-sha256="IQBnNBEiFuhj+8x6X8XLgh01V9Ic5/V3IRQLNFFc7v4="; pin-sha256="iie1VXtL7HzAMF+/PVPR9xzT80kQxdZeJ+zduCB3uj0="; pin-sha256="LvRiGEjRqfzurezaWuj8Wie2gyHMrW5Q06LspMnox7A="; includeSubDomains
Vary: Accept-Encoding
X-Served-By: d41662224d8c44f09604b862e979767a
X-GitHub-Request-Id: B36F2320:987D:E88A2AC:5741D913
Public Key Pins support
http://caniuse.com/#feat=publickeypinning
HTTP Public Key Pins - Considerations
- Requires maturity
- Report-only mode (Public-Key-Pins-Report-Only)?
- Mitigates MITM?
- Internal CA?
- Supported by Chrome/Firefox (so far)
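Added example (not from the talk): a small checker for the two directive-style headers above. It tests a Strict-Transport-Security value against the preload-list requirements listed in the considerations (one-year max-age, includeSubDomains, preload) and a Public-Key-Pins value against RFC 7469's rule that at least two distinct pins (one backup) and a max-age are present. Header values in the tests are constructed.

```python
# Parse a ';'-separated directive header (Strict-Transport-Security,
# Public-Key-Pins) into (name, value) pairs. Names are lower-cased,
# values keep their case and lose surrounding quotes; a bare token
# such as "preload" gets an empty value.
def parse_directives(header):
    out = []
    for part in header.split(';'):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition('=')
        out.append((name.strip().lower(), value.strip().strip('"')))
    return out

ONE_YEAR = 31536000  # seconds: the minimum max-age the HSTS preload list accepts

# Problems that keep a header off the preload list; empty list means it
# looks preload-ready (the site must still serve everything over HTTPS).
def hsts_preload_issues(header):
    d = dict(parse_directives(header))
    issues = []
    if 'max-age' not in d or not d['max-age'].isdigit():
        issues.append('max-age missing or not an integer')
    elif int(d['max-age']) < ONE_YEAR:
        issues.append('max-age shorter than one year')
    if 'includesubdomains' not in d:
        issues.append('includeSubDomains missing (the preload list always covers subdomains)')
    if 'preload' not in d:
        issues.append('preload token missing')
    return issues

# RFC 7469 requires at least two distinct pins (one must be a backup key
# that is not in the served chain) plus a max-age; report what is missing.
def hpkp_issues(header):
    directives = parse_directives(header)
    pins = {value for name, value in directives if name == 'pin-sha256'}
    d = dict(directives)
    issues = []
    if len(pins) < 2:
        issues.append('fewer than two distinct pin-sha256 values (no backup pin)')
    if 'max-age' not in d or not d['max-age'].isdigit():
        issues.append('max-age missing or not an integer')
    return issues
```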
Trivia (HSTS, HPKP, static pinning)
- Static pinning (Chromium.org) - https://cs.chromium.org/chromium/src/net/http/transport_security_state_static.json
- Google, Facebook, Twitter, Dropbox, Yahoo, Tor
- 23k+ domains using HSTS preload
- 180 .br domains
X-Frame-Options
X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
X-Frame-Options: ALLOW-FROM https://example.com/
Clickjacking attack
https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009)
X-Frame-Options support
http://caniuse.com/#feat=x-frame-options
X-Frame-Options - Considerations
- Does your site need to be opened by another site inside a frame?
- Does not support more than one domain in ALLOW-FROM
- CSP 2 frame-ancestors
- Mitigates clickjacking
X-XSS-Protection support
https://developer.mozilla.org/pt-BR/docs/Web/HTTP/Headers/X-XSS-Protection
X-XSS-Protection - Considerations
- Protection against reflected XSS only
- Not supported by Firefox
- Problems with the XSS filter
Content Security Policy (CSP)
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
CSP example: response from https://twitter.com/
Content-Security-Policy: script-src 'nonce-7tS2MKRWrGdmy1/R72jiDQ==' https://connect.facebook.net https://cm.g.doubleclick.net https://ssl.google-analytics.com https://graph.facebook.com https://twitter.com 'unsafe-eval' https://*.twimg.com https://api.twitter.com https://analytics.twitter.com https://publish.twitter.com https://ton.twitter.com https://syndication.twitter.com https://www.google.com https://t.tellapart.com https://platform.twitter.com https://www.google-analytics.com 'self'; frame-ancestors 'self'; font-src https://twitter.com https://*.twimg.com data: https://ton.twitter.com https://fonts.gstatic.com https://maxcdn.bootstrapcdn.com https://netdna.bootstrapcdn.com 'self'; media-src https://twitter.com https://*.twimg.com https://ton.twitter.com blob: 'self'; connect-src https://graph.facebook.com https://*.giphy.com https://*.twimg.com https://api.twitter.com https://pay.twitter.com https://analytics.twitter.com https://*.twprobe.net https://media.riffsy.com https://embed.periscope.tv https://upload.twitter.com 'self'; style-src https://fonts.googleapis.com https://twitter.com https://*.twimg.com https://translate.googleapis.com https://ton.twitter.com 'unsafe-inline' https://platform.twitter.com https://maxcdn.bootstrapcdn.com https://netdna.bootstrapcdn.com 'self'; object-src https://twitter.com https://pbs.twimg.com; default-src 'self'; frame-src https://staticxx.facebook.com https://twitter.com https://*.twimg.com https://5415703.fls.doubleclick.net https://player.vimeo.com https://pay.twitter.com https://www.facebook.com https://ton.twitter.com https://syndication.twitter.com https://vine.co twitter: https://www.youtube.com https://platform.twitter.com https://upload.twitter.com https://s-static.ak.facebook.com https://4337974.fls.doubleclick.net 'self' https://donate.twitter.com; img-src https://graph.facebook.com https://*.giphy.com https://twitter.com https://*.twimg.com https://ad.doubleclick.net data: https://lumiere-a.akamaihd.net 
https://fbcdn-profile-a.akamaihd.net https://www.facebook.com https://ton.twitter.com https://*.fbcdn.net https://syndication.twitter.com https://media.riffsy.com https://www.google.com https://stats.g.doubleclick.net https://api.mapbox.com https://www.google-analytics.com blob: 'self'; report-uri https://twitter.com/i/csp_report?a=NVQWGYLXFVZXO2LGOQ%3D%3D%3D%3D%3D%3D&ro=false;
Set-Cookie: fm=0; Expires=Tue, 28 Mar 2017 11:35:01 UTC; Path=/; Domain=.twitter.com; Secure; HTTPOnly
Strict-Transport-Security: max-age=631138519
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content Security Policy (CSP) support
http://caniuse.com/#feat=contentsecuritypolicy2
Content Security Policy (CSP) - considerations
- Implementation difficulty: inline scripts have to be removed, e.g.
<html>
<head>
<script>var msg = 'javascript inline'; alert(msg);</script>
</head>
<body>Ola!</body></html>
- 'unsafe-inline' and 'unsafe-eval' can undermine the effort
- Protection against XSS (reflected/stored), but is it definitive?
- Protection against clickjacking
- Not supported by all browsers
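Added example (not from the talk): a CSP parser that applies the points above to a policy. It resolves which source list governs scripts (script-src, else default-src), applies the CSP Level 2 rule that a nonce or hash in that list makes 'unsafe-inline' ineffective, and flags 'unsafe-eval', a missing object-src and a missing frame-ancestors. TWITTER_LIKE is a constructed, abridged version of the Twitter policy on the previous slide.

```python
# Parse a Content-Security-Policy header into {directive: [source expressions]}.
def parse_csp(header):
    policy = {}
    for part in header.split(';'):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

# The source list that governs <script>: script-src, falling back to default-src.
def script_sources(policy):
    return policy.get('script-src', policy.get('default-src', []))

# CSP Level 2: when script-src carries a nonce or hash, 'unsafe-inline' is
# ignored, so an inline script runs only if it carries a matching nonce.
def inline_script_allowed(policy, nonce=None):
    srcs = script_sources(policy)
    if nonce and f"'nonce-{nonce}'" in srcs:
        return True
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                            for s in srcs)
    return "'unsafe-inline'" in srcs and not has_nonce_or_hash

# Findings a reviewer would raise on the policy (empty list = nothing to report).
def csp_findings(policy):
    srcs = script_sources(policy)
    findings = []
    if 'script-src' not in policy and 'default-src' not in policy:
        findings.append('no script-src or default-src: scripts from anywhere are allowed')
    if "'unsafe-eval'" in srcs:
        findings.append("'unsafe-eval' in script-src allows eval() and Function() on arbitrary strings")
    if inline_script_allowed(policy):
        findings.append("'unsafe-inline' is effective: injected inline scripts run")
    if 'object-src' not in policy and 'default-src' not in policy:
        findings.append('object-src missing: plugin content is not restricted')
    if 'frame-ancestors' not in policy:
        findings.append('frame-ancestors missing: clickjacking protection relies on X-Frame-Options alone')
    return findings

# Constructed, abridged form of the Twitter policy shown on the slide.
TWITTER_LIKE = ("script-src 'nonce-7tS2MKRWrGdmy1/R72jiDQ==' https://twitter.com 'unsafe-eval' 'self'; "
                "frame-ancestors 'self'; object-src https://twitter.com; default-src 'self'; "
                "style-src 'unsafe-inline' 'self'")
```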
Set-Cookie (cookie options)
Set-Cookie: <key>=<value>; Expires=<expiryDate>; Secure; HttpOnly; SameSite=<strict/lax>
Set-Cookie (cookie options)
HttpOnly – cookie not accessible via JavaScript
Secure – prevents the cookie from being sent over an unencrypted channel
SameSite – prevents the cookie from being sent on cross-site requests
Set-Cookie (cookie options) - considerations
- Secure and HttpOnly
- Protection against capture of cookies in clear text
- Possible reduction of XSS impact – session theft
- SameSite – supported only by Chrome
- Still a draft
- Provides good protection against CSRF/XSSI
- Lax – used with "safe" HTTP methods
- Could it hurt navigation?
X-Content-Type-Options - considerations
- Supported by all popular browsers except Safari
- Mitigates MIME confusion attacks
- The web server must return correct MIME types for the header to be useful
Referrer-Policy
Referrer-Policy: <directive>
Referrer-Policy: no-referrer
Referrer-Policy: no-referrer-when-downgrade
Referrer-Policy: origin
Referrer-Policy: origin-when-cross-origin
Referrer-Policy: same-origin
Referrer-Policy: strict-origin
Referrer-Policy: strict-origin-when-cross-origin
Referrer-Policy: unsafe-url
Referrer-Policy
Policy | Document | Navigation to | Referrer
no-referrer | https://example.com/page.html | any domain or path | no referrer
no-referrer-when-downgrade | https://example.com/page.html | https://example.com/otherpage.html | https://example.com/page.html
no-referrer-when-downgrade | https://example.com/page.html | https://mozilla.org | https://example.com/page.html
no-referrer-when-downgrade | https://example.com/page.html | http://example.org | no referrer
origin | https://example.com/page.html | any domain or path | https://example.com/
origin-when-cross-origin | https://example.com/page.html | https://example.com/otherpage.html | https://example.com/page.html
origin-when-cross-origin | https://example.com/page.html | https://mozilla.org | https://example.com/
origin-when-cross-origin | https://example.com/page.html | http://example.com/page.html | https://example.com/
same-origin | https://example.com/page.html | https://example.com/otherpage.html | https://example.com/page.html
same-origin | https://example.com/page.html | https://mozilla.org | no referrer
strict-origin | https://example.com/page.html | https://mozilla.org | https://example.com/
strict-origin | https://example.com/page.html | http://example.org | no referrer
strict-origin | http://example.com/page.html | any domain or path | http://example.com/
strict-origin-when-cross-origin | https://example.com/page.html | https://example.com/otherpage.html | https://example.com/page.html
strict-origin-when-cross-origin | https://example.com/page.html | https://mozilla.org | https://example.com/
strict-origin-when-cross-origin | https://example.com/page.html | http://example.org | no referrer
unsafe-url | https://example.com/page.html | any domain or path | https://example.com/page.html
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
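Added example (not from the talk): the table above expressed as a function, so a policy can be evaluated for any document/destination pair before it is deployed. It implements the three underlying decisions (same origin? downgrade from HTTPS? origin only or full URL?) and is checked against the table rows; fragment and userinfo stripping, which browsers also do, is left out.

```python
from urllib.parse import urlsplit

# Origin with trailing slash, as browsers send it ("https://example.com/").
def origin_of(url):
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}/"

# A downgrade is an HTTPS document navigating to a non-HTTPS destination.
def is_downgrade(doc, dest):
    return urlsplit(doc).scheme == 'https' and urlsplit(dest).scheme != 'https'

# Same origin means same scheme and host:port, so https -> http is cross-origin.
def same_origin(doc, dest):
    a, b = urlsplit(doc), urlsplit(dest)
    return (a.scheme, a.netloc) == (b.scheme, b.netloc)

# Referer value the browser sends (None = no Referer header) when the page at
# `doc` navigates to `dest` under `policy`, following the MDN table.
def referrer_for(policy, doc, dest):
    if policy == 'no-referrer':
        return None
    if policy == 'unsafe-url':
        return doc
    if policy == 'no-referrer-when-downgrade':
        return None if is_downgrade(doc, dest) else doc
    if policy == 'origin':
        return origin_of(doc)
    if policy == 'origin-when-cross-origin':
        return doc if same_origin(doc, dest) else origin_of(doc)
    if policy == 'same-origin':
        return doc if same_origin(doc, dest) else None
    if policy == 'strict-origin':
        return None if is_downgrade(doc, dest) else origin_of(doc)
    if policy == 'strict-origin-when-cross-origin':
        if is_downgrade(doc, dest):
            return None
        return doc if same_origin(doc, dest) else origin_of(doc)
    raise ValueError(f'unknown Referrer-Policy {policy!r}')
```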
Referrer-Policy support
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
Referrer-Policy - considerations
- Still under development
- Support still limited (Firefox and some Chrome functionality)
- Deals with privacy issues (e.g. a leaked Referer: https://github.com/irgoncalves/jwtbf)
Tools for testing the headers
https://observatory.mozilla.org/
https://securityheaders.io
https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#tab=Technical_Resources
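Added example (not from the talk, and not the code behind the tools linked above): an offline check in the spirit of those tools, run over a captured response's headers. It reports the headers from the talk that are missing or carry a non-standard value, and checks every Set-Cookie for Secure, HttpOnly and SameSite. SAMPLE_HEADERS and HARDENED_HEADERS are constructed from the first slide's Apache response.

```python
# Constructed sample: the bare Apache/PHP response from the first slide, plus a
# cookie with no attributes and a non-standard X-Frame-Options value.
SAMPLE_HEADERS = [
    ('Server', 'Apache/2.2.8 (Ubuntu) DAV/2'),
    ('Content-Type', 'text/html'),
    ('Set-Cookie', 'session=abc123; Path=/'),
    ('X-Frame-Options', 'ALLOWALL'),
]

COOKIE_FLAGS = ('secure', 'httponly', 'samesite')

def audit_headers(headers):
    """Return findings for a list of (name, value) response headers."""
    h = {}
    for name, value in headers:          # header names are case-insensitive
        h.setdefault(name.lower(), []).append(value)
    findings = []
    if 'strict-transport-security' not in h:
        findings.append('Strict-Transport-Security missing')
    csp = ' '.join(h.get('content-security-policy', []))
    xfo = h.get('x-frame-options', [''])[0].upper()
    if 'frame-ancestors' not in csp and xfo not in ('DENY', 'SAMEORIGIN') \
            and not xfo.startswith('ALLOW-FROM '):
        findings.append('X-Frame-Options missing or invalid, and no CSP frame-ancestors')
    if h.get('x-content-type-options', [''])[0].lower() != 'nosniff':
        findings.append('X-Content-Type-Options: nosniff missing')
    if h.get('x-xss-protection', [''])[0].replace(' ', '') != '1;mode=block':
        findings.append('X-XSS-Protection: 1; mode=block missing')
    if 'referrer-policy' not in h:
        findings.append('Referrer-Policy missing')
    # Each Set-Cookie is checked on its own; attribute names are case-insensitive.
    for cookie in h.get('set-cookie', []):
        name = cookie.split('=', 1)[0].strip()
        attrs = {a.strip().split('=', 1)[0].lower() for a in cookie.split(';')[1:]}
        for flag in COOKIE_FLAGS:
            if flag not in attrs:
                findings.append(f'cookie {name}: {flag} attribute missing')
    return findings

# The same response with the headers the talk recommends added.
HARDENED_HEADERS = SAMPLE_HEADERS[:2] + [
    ('Strict-Transport-Security', 'max-age=31536000; includeSubDomains; preload'),
    ('X-Frame-Options', 'DENY'),
    ('X-Content-Type-Options', 'nosniff'),
    ('X-XSS-Protection', '1; mode=block'),
    ('Referrer-Policy', 'strict-origin-when-cross-origin'),
    ('Set-Cookie', 'session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax'),
]
```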
Conclusions
- Security headers can improve the security and privacy of your users
- They are part of a defense-in-depth strategy
- Some have pitfalls and require maturity
- They require additional controls
- Support levels differ between browsers
References
- https://tools.ietf.org/html/rfc6797
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers
- https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
- https://www.owasp.org/index.php/Clickjacking
- https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
- https://scotthelme.co.uk/
- https://www.wired.com/2016/03/https-adoption-google-report/
- http://www.html5rocks.com/en/tutorials/security/content-security-policy/
- https://www.bettercap.org/blog/sslstripping-and-hsts-bypass/
- https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/45542.pdf
- https://technet.microsoft.com/library/security/2524375
- https://csp.withgoogle.com/docs/index.html
- The Tangled Web: A Guide to Securing Modern Web Applications, Michal Zalewski