© Zühlke 2016

Harness the power of HTTP headers to secure your web Apps

Drag picture to placeholder or click icon to add

Slide 1

© Zühlke 2016

whoami

Daniel GartmannSenior Software Engineer @ Zuhlke Engineering LtdMy job: Software Engineering ∩ SecurityTwitter: @daniel_gartmann Email: daniel.gartmann@zuhlke.com

Slide 2

© Zühlke 2016

Agenda

• What’s wrong with the Web?• HTTP Strict Transport Security (HSTS) • HTTP Public Key Pinning (HPKP) • Content Security Policy (CSP)• Conclusion

Slide 3

© Zühlke 2016

What’s wrong with the Web?

• It’s the most popular app-delivery platform we ever had• Core communication protocols are insecure• Web security is often misunderstood

Slide 4

© Zühlke 2016

What’s wrong with the Web?

Slide 5

1) Request some resources

2) Deliver some code3) Code is executed on the fly by the browser!

Browsers Remote Code Execution engines

© Zühlke 2016

What’s wrong with the Web?

Slide 6

© Zühlke 2016

Origin matters…

What are HTTPS security guarantees?• Authenticity verifying identities• Confidentiality keeping secret• Integrity safe transport

Slide 7

© Zühlke 2016

How to get certs for free?

Slide 8https://letsencrypt.org/

© Zühlke 2016

How to automate?

Slide 9

https://certbot.eff.org/

© Zühlke 2016

How to test/debug your config?

Slide 10

https://www.ssllabs.com/ssltest/

© Zühlke 2016

HTTP Strict Transport Security (HSTS)

Mitigate following UA TLS implementation weaknesses:• [no scheme]foo.com defaults to http://foo.com and not https://foo.com

( SSL Stripping)• Possibility to click through certificate errors

(expired, wrong host, self-signed, untrusted root,…, MITM)• Allow mixed content (to some extent – active vs passive)• Cookies not subject to SOP (redirect attacks – no secure flag)

HSTS Rewrite all HTTP requests to HTTPSHSTS All certificate errors are considered fatal

Slide 11

© Zühlke 2016

Without HSTS

Slide 12

© Zühlke 2016Slide 13

© Zühlke 2016

With HSTS

Slide 14

© Zühlke 2016

How does HSTS work?

Slide 15

1) Request a resource over HTTP

2) Redirect (302) to HTTPS

5) Cached by UA

6) Subsequent requests are all secure!

3) Execute redirect to HTTPS

4) Sets HSTS header: Strict-Transport-Security: max-age=31536000

© Zühlke 2016

HTTP request on HSTS enabled website

Slide 16

2) HTTP request

4) HTTPS request

3) Local redirect (307)

5) Response

1) HSTS cached by UA

© Zühlke 2016

Secure all your subdomains (if you can!)

Slide 17

a.foo.com

foo.com

b.foo.com

Strict-Transport-Security: max-age=31536000; includeSubDomains

© Zühlke 2016

How to (partially) revoke HSTS?

Slide 18

Strict-Transport-Security: max-age=0

chrome://net-internals/#hsts

© Zühlke 2016

Trust On First Use (TOFU)

• First request is at risk• Mitigation hardcode HSTS into UAs

• https://hstspreload.appspot.com/

Slide 19

Strict-Transport-Security: max-age=10886400; includeSubDomains; preload

© Zühlke 2016

HSTS deployment best practices

Low risk approach:• Configure redirection of all HTTP traffic to HTTPS • Add HSTS header with a low max-age (e.g. 1min) value• Extend policy with includeSubDomains (if possible!) • Ensure that all works fine and increase progressively the max-age (e.g.

to 12 months?)• Submit domain to be preloaded into UAs

Slide 20

© Zühlke 2016

HTTP Strict Transport Security (HSTS)

http://caniuse.com/#search=HSTS

Slide 21

© Zühlke 2016

HTTP Public Key Pinning (HPKP)

Protect against:• Rogue Certificate Authorities (CA) – Put everyone at risk• Compromised CAs – Put everyone at risk• MITM attacks

HPKP Limit your circle your trust!

Slide 22

© Zühlke 2016

How is trust established on the Web?

Slide 23

Certificate Authority

1) Identification “Alice”

2) PublicKeyAlice

3) thumbprintAlice = Sign(Alice || PublicKeyAlice, PrivateKeyCA)

4) CertificateAlice = [Alice, PublicKeyAlice, thumbprintAlice]

[PrivateKeyAlice, PublicKeyAlice]

[PrivateKeyCA, PublicKeyCA]

Verify(Alice || PublicKeyAlice, thumbprintAlice, PublicKeyCA)

1) CertificateAlice

© Zühlke 2016

Do you trust them all?

Slide 24

© Zühlke 2016

How bulletproof is the web trust model?

• Millions of certs are issued every year• Commercial Security (CAs profit, UAs vendors marketshare) • Any CA can issue certs for any domain (without asking permission)• The security is as good as the weakest link

Slide 25

© Zühlke 2016

How does HPKP work?

Slide 26

1) HTTPS request

3) Pins cached by UA

2) Sets HPKP header

Public-Key-Pins: max-age=5184000;pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18=";pin-sha256="K87oWBWM9UZfyddvDfoxL+8lpNyoUB2ptGtn0fv6G2Q=";includeSubDomains

Next connection/handshake – UA validates the certs using the cached pins!

© Zühlke 2016

What to pin? pin = base64(sha256(SPKI))

Slide 27

© Zühlke 2016

How to pin?

Slide 28

© Zühlke 2016

Where to pin?

Slide 29

No pinning accept all certs signed by all CAs present in the trust store

Pin the root cert accept all certs signed by a given CA

Pin the intermediary cert accept all certs signed by the given intermediate cert

Pin the leaf cert accept only a single cert – your cert!

© Zühlke 2016

Report pin-validation failures

Public-Key-Pins: max-age=2592000;pin-sha256="E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g="; pin-sha256="LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ="; report-uri="http://example.com/pkp-report"

Slide 30

© Zühlke 2016

Deployment without enforcement

Public-Key-Pins-Report-Only: max-age=2592000;pin-sha256="E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g="; pin-sha256="LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ="; report-uri="http://example.com/pkp-report"

Slide 31

© Zühlke 2016

Awesome tools out there – use them!https://report-uri.io/

Slide 32

© Zühlke 2016

HPKP deployment best practices

Low risk approach:• Define your pins (at least 2 – pin of current cert + backup cert), max-age,

report-uri, includeSubDomains …• Deploy HPKP using report only• Ensure that all works fine and remove the “-Report-Only”

Slide 33

© Zühlke 2016

HTTP Public Key Pinning (HPKP)

http://caniuse.com/#search=HPKP Slide 34

© Zühlke 2016

Content Security Policy (CSP)

CSP gives you the power to define a policy that restricts how your web apps get executed.

Protects against:• Code injection attacks - XSS• Clickjacking• Malicious content sources• More…

Slide 35

© Zühlke 2016

How does CSP work?

Slide 36

1) Request

2) Response with CSP header Content-Security-

Policy: policy3) CSP compliant

UAenforces policy on the fly

© Zühlke 2016

How does a CSP policy look like?

Content-Security-Policy: default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src render.githubusercontent.com; connect-src 'self' uploads.github.com status.github.com api.github.com www.google-analytics.com github-cloud.s3.amazonaws.com wss://live.github.com; font-src assets-cdn.github.com; form-action 'self' github.com gist.github.com; frame-ancestors 'none'; frame-src render.githubusercontent.com; img-src 'self' data: assets-cdn.github.com identicons.github.com collector.githubapp.com github-cloud.s3.amazonaws.com *.githubusercontent.com; media-src 'none'; object-src assets-cdn.github.com; plugin-types application/x-shockwave-flash; script-src assets-cdn.github.com; style-src 'unsafe-inline' assets-cdn.github.com Slide 37

© Zühlke 2016

Whitelist trusted sources

default-src directive defines the default list of trusted sources / schemes for the app being executed by the UA.

Slide 38

Content-Security-Policy: default-src 'self' ; Same origin policyContent-Security-Policy: default-src 'none' ;Content-Security-Policy: default-src http://foo.com;Content-Security-Policy: default-src http://foo.com http://boo.com ;Content-Security-Policy: default-src * ; Please don’t do that!

© Zühlke 2016

Whitelist trusted sources

default-src applies the defined policy to following directives (that can be overwritten for more specific behaviour):• script-src <script> • connect-src XMLHttpRequest, WebSocket and

EventSource• child-src <frame> and <iframe>. • font-src @font-face• img-src images and favicons• media-src <audio> and <video> • object-src <object>, <embed> and <applet> • style-src Stylesheets

Slide 39

© Zühlke 2016

Example 1/2

Slide 40

© Zühlke 2016

Example 2/2

Slide 41

© Zühlke 2016

Why is XSS so scary?

XSS enables an attacker to execute malicious code in victims browser’s context in order to:

• Steal users credentials• Hijack user session• Steal, modify or delete user’s data• Arbitrary code execution

Slide 42

1) Link with XSS payload

2) Click the link

3) Request with XSS payload

4) XSS payload “Reflected”

5) XSS payload is executed

© Zühlke 2016

What can CSP do against XSS?Examples of malicious injected payloads:

Primary defence against XSS is to always output encode untrusted data.

Consider CSP only as an additional layer of defence against XSS Think about no/partially CSP compliant UAs.

Once CSP is enabled it prevents execution of:• Inline scripts• Inline event handlers• Inline styles• Functions that generate code out of strings

Slide 43

© Zühlke 2016

CSP prevents inline JS / Event handlers

Slide 44

Injected payload

© Zühlke 2016

CSP prevents unsafe JS functions (string code)

Slide 45

Injected payload

© Zühlke 2016

Lax CSP

Slide 46

Avoid if possible!

© Zühlke 2016

What if you badly need an inline script?

Slide 47

1) hash = base64(sha256(alert(1);))2) add it to the script-src directive

Or use: https://report-uri.io/home/hash/

© Zühlke 2016

What if you badly need an inline style?

Slide 48

1) hash = base64(sha256(body {…}))2) add it to the style-src directive

Or use: https://report-uri.io/home/hash/

© Zühlke 2016

What can CSP do against XSS?

The reflected-xss directive configures the UA built in XSS filter against reflected attacks.Possible values:• Allow - Allows reflected XSS attacks• Filter - Filter the reflected XSS attack• Block - Block reflected XSS attacks Maximum security

Does not deprecate: X-XSS-Protection: 1; mode=block headerSlide 49

Content-Security-Policy: default-src 'self' ; reflected-xss block;

© Zühlke 2016

What can CSP do against Clickjacking?

Slide 50

© Zühlke 2016

What can CSP do against Clickjacking?

Mitigation Prevent malicious websites to frame your web app

Slide 51

Content-Security-Policy: default-src 'self' ; frame-ancestors * ;Content-Security-Policy: default-src 'self' ; frame-ancestors 'self' ;Content-Security-Policy: default-src 'self' ; frame-ancestors http://foo.com;Content-Security-Policy: default-src 'self' ; frame-ancestors 'none' ; Does not deprecate: X-Frame-Options: DENY | SAMEORIGIN |

ALLOW-FROM

© Zühlke 2016

CSP Reporting

Slide 52

Content-Security-Policy: default-src 'self' ; report-uri http://foo.com ;

© Zühlke 2016

Deploying CSP without breaking things

1) Define your policy e.g default-src 'self'2) Define your monitoring endpoint e.g report-uri http://foo.com3) Deploy in report only mode

Content-Security-Policy-Report-Only: default-src 'self' ; report-uri http://foo.com;

4) Ensure that all works fine5) Deploy without “-Report-Only”

Content-Security-Policy: default-src 'self' ; report-uri http://foo.com;6) Monitor when you get attacked

Content-Security-Policy:

Slide 53

© Zühlke 2016

Content Security Policy (CSP 1.0)

Slide 54

http://caniuse.com/#search=csp

© Zühlke 2016

Content Security Policy (CSP 2.0)

Slide 55http://caniuse.com/#search=csp

© Zühlke 2016

Content Security Policy (CSP 3.0)

Slide 56https://www.w3.org/TR/CSP3/

© Zühlke 2016

Specifications

Slide 57

© Zühlke 2016

Web platform is maturing towards a secure Web Platform

• HSTS, HPKP, CSP significantly reduce the attack surface• Use them with caution – don’t DoS yourself!• CSP is less risky than HSTS, HPKP• Security for FREE!• Start using them today!

Slide 58