W3C Content Security Policy and HTTP Headers for Security
David Epler, Security Architect, [email protected]


Page 1: CSP and HTTP Headers - NCDevConncdevcon.com/.../2015/CSP_and_HTTP_Headers-NCDevCon... · • OWASP Zed Attack Proxy (ZAP) Evangelist • Security Certifications - CEH, GWAPT. About

W3C Content Security Policy and HTTP Headers for Security

David Epler Security Architect

[email protected]

Page 2:

About Me

• Application Developer originally
• Contributor to Learn CF In a Week
• OWASP Individual Member
• OWASP Zed Attack Proxy (ZAP) Evangelist
• Security Certifications - CEH, GWAPT

Page 3:

About the Session

• What will be covered
  • HTTP Header Basics
  • HTTP Headers for Security
    • X-Content-Type-Options
    • X-XSS-Protection
    • X-Frame-Options
    • Cookies
  • HTTP Strict Transport Security (HSTS)
  • W3C Content Security Policy (CSP)

Page 4:

HTTP Basics

HTTP Request:
GET / HTTP/1.1
Host: www.aboutweb.com

HTTP Response:
HTTP/1.1 200 OK
Date: Tue, 7 Apr 2015 20:21:22 GMT
Server: Apache
Content-Type: text/html

Page 5:

HTTP Response Headers

• Can be set by the web server, the web application, or anything else that interacts with the HTTP response

Apache (requires mod_headers):
Header always set X-Mork KO

ColdFusion:
<cfheader name="X-Mork" value="nanu-nanu">

PHP:
<?php header("X-Mork: shazbot") ?>

Page 6:

HTTP Response
HTTP/1.1 200 OK
Date: Tue, 7 Apr 2015 21:22:23 GMT
Server: Apache
X-Mork: nanu-nanu
Content-Type: text/html

<html> … </html>

Page 7:

X-Content-Type-Options

• Protect against MIME type confusion attacks
• Internet Explorer 9+, Chrome, & Safari

Internet Explorer           Chrome
text/css                    text/css
text/ecmascript             text/ecmascript
text/javascript             text/javascript
text/jscript                text/jscript
application/ecmascript      application/ecmascript
application/javascript      application/javascript
application/x-javascript    application/x-javascript
text/vbs                    text/javascript1.1
text/vbscript               text/javascript1.2
text/x-javascript           text/javascript1.3
                            text/livescript

X-Content-Type-Options: nosniff

Page 8:

X-XSS-Protection

• Configures the user-agent's built-in reflective XSS protection
• Internet Explorer 8+ and Chrome

Value            Meaning
0                Disable XSS protection
1                Enable XSS protection
1; mode=block    Enable XSS protection & block content
1; report=URL    Report potential XSS to URL (Chrome/WebKit only)

X-XSS-Protection: 1; mode=block

Page 9:

X-Frame-Options

• Indicates if the browser should be allowed to render content in <frame> or <iframe>
• Clickjack/UI Redress attack

Value             Meaning
DENY              Prevents any domain from framing the content
SAMEORIGIN        Only allows sites on the same domain to frame the content
ALLOW-FROM URL    Whitelist of URLs that are allowed to frame the content

Page 10:

X-Frame-Options

• Browser support varies based on value

Browser             DENY/SAMEORIGIN    ALLOW-FROM
Chrome              4.1                not supported
Firefox             3.6.9              18.0
Internet Explorer   8                  9
Opera               10.50
Safari              4                  not supported

X-Frame-Options: SAMEORIGIN

Page 11:

Cookies

• Important directives on cookies
  • HttpOnly - cookie is not accessible to JavaScript
  • Secure - cookie is only sent over HTTPS

Set-Cookie: JSESSIONID=4B4BE61DB23C8858560A7BC35804507F; Path=/; Secure; HttpOnly
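As an added example (not part of the slides), a Python audit that parses a raw HTTP response like the one on slide 6 and checks it against the values recommended for the four headers above; the sample responses, host names and cookie value are constructed:

```python
# Added example (not from the slides): audit the response headers covered on
# slides 7-11 in a raw HTTP response. The response text below is constructed.
from email.parser import Parser

# Constructed sample response, modelled on the deck's Apache response
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 7 Apr 2015 21:22:23 GMT\r\n"
    "Server: Apache\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1\r\n"
    "X-Frame-Options: ALLOW-FROM https://partner.example.com\r\n"
    "Set-Cookie: JSESSIONID=4B4BE61DB23C8858560A7BC35804507F; Path=/; HttpOnly\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)
# The same response with the values the deck recommends
HARDENED_RESPONSE = (
    WEAK_RESPONSE
    .replace("X-XSS-Protection: 1\r\n", "X-XSS-Protection: 1; mode=block\r\n")
    .replace("ALLOW-FROM https://partner.example.com", "SAMEORIGIN")
    .replace("Path=/; HttpOnly", "Path=/; Secure; HttpOnly")
)

def parse_response(raw):
    """Split a raw response into (status line, header Message); the body is ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, _, header_block = head.partition("\r\n")
    return status_line, Parser().parsestr(header_block, headersonly=True)

def audit_headers(headers):
    """Return one finding per weak or missing header, in slide order."""
    findings = []
    if (headers.get("X-Content-Type-Options") or "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: missing or not 'nosniff'")
    xss = (headers.get("X-XSS-Protection") or "").replace(" ", "").lower()
    if xss != "1;mode=block":
        findings.append("X-XSS-Protection: expected '1; mode=block'")
    xfo = (headers.get("X-Frame-Options") or "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options: expected DENY or SAMEORIGIN (ALLOW-FROM support varies)")
    for cookie in headers.get_all("Set-Cookie") or []:
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        for flag in ("Secure", "HttpOnly"):
            if flag.lower() not in attrs:
                findings.append(f"Set-Cookie {name}: missing {flag}")
    return findings
```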

Page 12:

DEMO

Page 13:

HTTP Strict Transport Security (HSTS)

• Instructs the browser to always use the HTTPS protocol instead of HTTP
• Helps prevent
  • Network Attacks
  • Mixed Content Vulnerabilities
• HSTS does not allow a user to override the invalid certificate message

Page 14:

Certificate Error w/o HSTS

Page 15:

Certificate Error w/ HSTS

Page 16:

HSTS Directives

• max-age tells the user-agent how long to cache the STS setting, in seconds
• includeSubDomains tells the user-agent to include any subdomains

Page 17:

HSTS Examples

Require HTTPS for 60 seconds on domain:
Strict-Transport-Security: max-age=60

Require HTTPS for 365 days on domain and all subdomains:
Strict-Transport-Security: max-age=31536000; includeSubDomains

Remove HSTS Policy (including subdomains):
Strict-Transport-Security: max-age=0

Page 18:

Handling Requests

• HTTP Requests
  • Should respond with HTTP Status Code 301 and redirect to HTTPS
  • Strict-Transport-Security header must not be included on HTTP
• HTTPS Requests
  • Should always respond with Strict-Transport-Security header
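As an added example (not part of the slides), a Python model of how a user agent caches and applies the Strict-Transport-Security policies from the previous three slides: max-age expiry, includeSubDomains matching, removal via max-age=0, and ignoring the header when it arrives over plain HTTP; host names and timestamps are constructed:

```python
# Added example (not from the slides): a user-agent side HSTS cache covering
# max-age, includeSubDomains and max-age=0 (slides 16-18). Hosts are constructed.
import re

class HstsCache:
    def __init__(self):
        self.policies = {}  # host -> (expires_at, include_subdomains)

    @staticmethod
    def parse(header_value):
        """Return (max_age, include_subdomains), or None when max-age is absent."""
        max_age, include_sub = None, False
        for token in header_value.split(";"):
            token = token.strip()
            m = re.fullmatch(r'max-age\s*=\s*"?(\d+)"?', token, re.IGNORECASE)
            if m:
                max_age = int(m.group(1))
            elif token.lower() == "includesubdomains":
                include_sub = True
        return None if max_age is None else (max_age, include_sub)

    def observe(self, host, scheme, header_value, now):
        """Process a Strict-Transport-Security header seen on a response at time now."""
        if scheme != "https":
            return False          # the header only counts over HTTPS (slide 18)
        parsed = self.parse(header_value)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        if max_age == 0:
            self.policies.pop(host, None)   # max-age=0 removes the policy (slide 17)
        else:
            self.policies[host] = (now + max_age, include_sub)
        return True

    def must_use_https(self, host, now):
        """True when an unexpired policy for host, or for a parent with
        includeSubDomains, is cached."""
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            policy = self.policies.get(candidate)
            if policy is None or policy[0] <= now:
                continue          # no policy, or max-age has elapsed
            if i == 0 or policy[1]:
                return True
        return False
```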

Page 19:

HSTS Preloading

• Not part of official specification
• Chrome maintains a list of sites that always use HTTPS
• Used by Firefox and Safari as well
• Need to submit site to be included in preload list
• https://hstspreload.appspot.com/

Strict-Transport-Security: max-age=10886400; includeSubDomains; preload

Page 20:

HSTS Browser Support

http://caniuse.com/#feat=stricttransportsecurity

Page 21:

Page 22:

DEMO

Page 23:

W3C Content Security Policy (CSP)

• Provides a whitelist to the browser for loading resources
• Developed by Mozilla and 1st implemented in Firefox 4
• Experimental Headers
  • X-Content-Security-Policy
  • X-WebKit-CSP
• Content Security Policy 1.0, W3C Candidate Recommendation, November 15, 2012
• HTTP Header:
  Content-Security-Policy
  Content-Security-Policy-Report-Only

Page 24:

CSP 1.0 Directives

Value          Meaning
default-src    default source, used for any directives that are not defined
script-src     sources for JavaScript
object-src     sources for <object>, <embed>, and <applet>
style-src      sources for CSS stylesheets
img-src        sources for images
media-src      sources for HTML5 <video>, <audio>, <source>, and <track>
frame-src      sources for <frame> and <iframe>
font-src       sources for web fonts
connect-src    sources for XMLHttpRequest, WebSockets, and EventSource
report-uri     location to send violation reports
sandbox        specifies sandbox policy

Page 25:

CSP Source Expressions

Value                      Meaning
*                          wildcard, allows all origins
'self'                     allow same origin
'none'                     deny all access
www.example.com            allow specific domain
*.example.com              allow all subdomains on a domain
https://www.example.com    specific URL
https:                     require https
data:                      allow data URI schemes (base64)

Page 26:

Special Sources

• 'unsafe-inline'
  • Allows inline content for script-src and style-src
• 'unsafe-eval'
  • Allows unsafe dynamic evaluation of code, such as JavaScript eval(), in script-src

Page 27:

CSP Examples

Allow everything from same origin:
Content-Security-Policy: default-src 'self'

Relatively secure:
Content-Security-Policy: default-src 'self'; object-src 'none'; script-src 'self' https://cdn.com; style-src 'self' https://cdn.com

Page 28:

CSP Examples

Unsafe:
Content-Security-Policy: default-src *; script-src * 'unsafe-inline' 'unsafe-eval'; style-src * 'unsafe-inline'
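As an added example (not part of the slides), a Python evaluator for the CSP 1.0 policies on these example slides: it parses the header, applies the default-src fallback from the directives table, and matches a load against the source expressions from the source-expressions table; the page origin and resource URLs are constructed, and the nonce/hash sources of CSP 1.1 are not handled:

```python
# Added example (not from the slides): evaluate a CSP 1.0 policy against a
# resource load. Page origin and URLs used with it are constructed, not real sites.
from urllib.parse import urlsplit

# Directives that fall back to default-src when they are not set (slide 24)
FALLBACK_TO_DEFAULT = {"script-src", "object-src", "style-src", "img-src",
                       "media-src", "frame-src", "font-src", "connect-src"}

def parse_policy(header_value):
    """'default-src 'self'; script-src https://cdn.com' -> {directive: [sources]}"""
    policy = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def matches(source, url, page_origin):
    """Does one source expression (slide 25) allow url when loaded by page_origin?"""
    u, p = urlsplit(url), urlsplit(page_origin)
    if source == "*":                      # wildcard: any origin (CSP 1.0 semantics)
        return True
    if source == "'self'":
        return (u.scheme, u.netloc) == (p.scheme, p.netloc)
    if source.startswith("'"):             # 'none', 'unsafe-inline', ... match no URL
        return False
    if source.endswith(":"):               # scheme source such as https: or data:
        return u.scheme == source[:-1]
    # host source; a bare host inherits the page's scheme
    s = urlsplit(source if "://" in source else f"{p.scheme}://{source}")
    if s.scheme != u.scheme or not s.hostname or not u.hostname:
        return False
    if s.hostname.startswith("*."):        # *.example.com: subdomains only
        return u.hostname.endswith(s.hostname[1:])
    return s.hostname == u.hostname

def allows(policy, directive, page_origin, url=None, inline=False):
    """Apply directive, or default-src when it is absent; inline needs 'unsafe-inline'."""
    sources = policy.get(directive)
    if sources is None and directive in FALLBACK_TO_DEFAULT:
        sources = policy.get("default-src")
    if sources is None:
        return True                        # nothing in the policy restricts this load
    if inline:
        return "'unsafe-inline'" in sources
    if "'none'" in sources:
        return False
    return any(matches(s, url, page_origin) for s in sources)
```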

Page 29:

CSP Examples

Twitter:
Content-Security-Policy: default-src https:; connect-src https:; font-src https: data:; frame-src https: twitter:; img-src https: data:; media-src https:; object-src https:; script-src 'unsafe-inline' 'nonce-hz5M+L2F+QfMRn8NOtP4jQ==' 'unsafe-eval' https:; style-src 'unsafe-inline' https:; report-uri https://twitter.com/i/csp_report?a=NVQWGYLXFVZXO2LGOQ%3D%3D%3D%3D%3D%3D&ro=false;

Page 30:

CSP 1.0 Browser Support

http://caniuse.com/#feat=contentsecuritypolicy

Page 31:

DEMO

Page 32:

CSP 1.1 and beyond

• CSP 1.1 (Level 2), W3C Candidate Recommendation, February 19, 2015
• added nonce and hash to script-src and style-src
• added new directives
  • base-uri, child-src, form-action, frame-ancestors, plugin-types
• additional fields added to violation report
• limited browser support

Page 33:

Q&A - Thanks

• Blog: http://www.dcepler.net
• Email: [email protected]
• Twitter: @dcepler

Page 34:

Resources

• HTTP Headers
  • MIME-Handling Changes in Internet Explorer
    • http://blogs.msdn.com/b/ie/archive/2010/10/26/mime-handling-changes-in-internet-explorer.aspx
  • Controlling the XSS Filter
    • http://blogs.msdn.com/b/ieinternals/archive/2011/01/31/controlling-the-internet-explorer-xss-filter-with-the-x-xss-protection-http-header.aspx
  • OWASP: Clickjacking Defense Cheat Sheet
    • https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
  • OWASP: Cookie HTTPOnly
    • https://www.owasp.org/index.php/HttpOnly
  • OWASP: Cookie Secure
    • https://www.owasp.org/index.php/SecureFlag
  • Veracode: Guidelines for Security Headers
    • https://www.veracode.com/blog/2014/03/guidelines-for-setting-security-headers

Page 35:

Resources

• HTTP Strict Transport Security
  • Specification
    • https://tools.ietf.org/html/rfc6797
  • OWASP HTTP Strict Transport Security
    • https://www.owasp.org/index.php/HTTP_Strict_Transport_Security
  • Mozilla Developer Network
    • https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security
  • HSTS Preload
    • https://hstspreload.appspot.com/
  • IIS Module
    • http://hstsiis.codeplex.com/
  • HTTP Strict Transport Security comes to Internet Explorer 11 on Windows 8.1 and Windows 7
    • http://blogs.windows.com/msedgedev/2015/06/09/http-strict-transport-security-comes-to-internet-explorer-11-on-windows-8-1-and-windows-7/

Page 36:

Resources

• Content Security Policy
  • CSP 1.0 Candidate Recommendation
    • http://www.w3.org/TR/2012/CR-CSP-20121115/
  • CSP 1.1 Candidate Recommendation
    • http://www.w3.org/TR/2015/CR-CSP2-20150219/
  • OWASP Content Security Policy
    • https://www.owasp.org/index.php/Content_Security_Policy
  • An Introduction to Content Security Policy
    • http://www.html5rocks.com/en/tutorials/security/content-security-policy/
  • Content Security Policy Reference
    • http://content-security-policy.com/
  • CSP Playground
    • http://www.cspplayground.com/