This Talk Was Brought To You By
The Etsy Security Team
Hosted by OWASP & the NYC Chapter
Wednesday, November 20, 13

What’s an Etsy?

Security Headers?
Why Security Headers?

Security Headers
Fundamentally, a user security issue
Changes are browser-impacting
Unfortunately, browsers != users
Often requires non-trivial changes

Security Headers
Strategies for deployment
Lessons learned from our bug bounty

Overview
HTTP Strict Transport Security (HSTS)
Content Security Policy (CSP)
X-Frame-Options (XFO)
Miscellaneous

HSTS -- What is it?
A guarantee to visit the URL using HTTPS
You have to have seen the site before

What’s the Attack?
The Classic Man-in-the-Middle Attack
Let’s just turn on TLS/SSL for everything
Make HTTPS canonical for your site

HTTP/HTTPS Traffic

HSTS Background
Infrastructure changes needed for SSL
Bundle HSTS as part of an SSL preference for users

The Old Ways
Split Architecture
Most pages HTTP, “secure” ones HTTPS
Load balancers constrained rollout

On Load Balancers
HTTP -> HTTPS logic handled by the LB
Difficult and slow to change
Broke HTTPS plugins

Refactoring
HTTP -> HTTPS logic handled by the app
Make it easy to add new secure pages
Transparency for developers

How Do I HTTPS
Ramp it up!
Enabled HSTS if SSL preference “on”
Bail-out Mechanism:

The HSTS Header
Enabled header when full-site SSL “on”
Strict-Transport-Security: max-age=631138520; includeSubDomains

HSTS Part 2
Strict-Transport-Security: max-age=631138520; includeSubDomains
All subdomains get HSTS that match the host

HSTS Part 3
Note the difference: HSTS on ‘www.etsy.com’

HSTS Part 2
Check out Chrome’s HSTS settings
chrome://net-internals/#hsts

HSTS Rollout
Implement HTTPS management on app level
Rolled out to admins -> sellers -> buyers
Code-based “SSL wrangler” in repo

SSL Wranglin’
Controller to handle SSL transition
Skipped for users with full-site SSL pref on
On sign-out, set HSTS max-age=0

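The HSTS header, the per-user SSL preference and the sign-out bail-out from the last few slides, as an added Python example (not Etsy's wrangler code). SECURE_PATHS, the function names and the hosts used are constructed for illustration.

```python
# Added example (not Etsy's code): app-level HTTPS management as the slides
# describe it. SECURE_PATHS and the function names are assumptions.
from urllib.parse import urlsplit, urlunsplit

HSTS_ON = "max-age=631138520; includeSubDomains"   # header value from the slides
HSTS_OFF = "max-age=0"                              # sign-out bail-out: drops the entry

# Pages that were HTTPS-only under the old split architecture (constructed list)
SECURE_PATHS = ("/signin", "/checkout", "/your/account")


def ssl_wrangler(url, full_site_ssl, signing_out=False):
    """Decide one request: returns (redirect_to_or_None, response_headers).

    full_site_ssl: the user's SSL preference. With it on, every request is
    forced to HTTPS and carries HSTS; the wrangler's old split logic is skipped.
    """
    parts = urlsplit(url)
    headers = {}
    if full_site_ssl:
        if parts.scheme == "http":
            # Browsers ignore HSTS over plain HTTP, so redirect first and
            # send the header on the HTTPS response.
            return urlunsplit(("https",) + parts[1:]), headers
        # Signing out sets max-age=0 so a shared browser is not left pinned
        # to HTTPS for a user who never opted in.
        headers["Strict-Transport-Security"] = HSTS_OFF if signing_out else HSTS_ON
        return None, headers
    # Preference off: legacy split architecture, only "secure" pages redirect
    # and HSTS is never sent, since it would apply to pages still on HTTP.
    if parts.scheme == "http" and parts.path in SECURE_PATHS:
        return urlunsplit(("https",) + parts[1:]), headers
    return None, headers


def hsts_applies(policy_host, request_host, include_subdomains=True):
    """Would an HSTS entry learned from policy_host cover request_host?

    includeSubDomains only reaches hosts *below* the one that sent the header:
    a policy learned on www.etsy.com covers a.www.etsy.com, but not etsy.com
    or img.etsy.com (the "note the difference" slide).
    """
    if request_host == policy_host:
        return True
    return include_subdomains and request_host.endswith("." + policy_host)
```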
Wins
Fixes on-domain mixed content
Browser transparently 302 redirects

SSL Concerns
Do your CDNs support it?
What about 3rd party content providers?
Can your servers/LBs handle it?

Kill Mixed Content
You still need to fix off-domain HTTP
Browser mixed content warnings

Mobile
HSTS supported on mobile browsers
Notably absent from others

HSTS: Be Ready
Not a crutch for fixing routing problems!
There will be outliers
SSL/TLS errors confuse users
Have a process for managing HSTS

X-Frame-Options
Problem: Clickjacking
Framing sucks, get rid of framing!

X-Frame-Options
How do you prevent this type of attack?
<script>
if (top!=self) top.location.href=self.location.href
</script>
Not really a defense at all

How Do I Use XFO?
Figure out when you’re being framed
Log the framing attempts
Whitelist specific framing sites (search engines)
Only allow whitelisted sites to frame

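The four XFO steps above as an added Python example (not Etsy's code): the page's own `top != self` check is kept, but used to post a beacon that the server logs, and the response header is chosen from a vetted whitelist. The whitelist entries, the beacon's JSON fields and the function names are assumptions.

```python
# Added example (not Etsy's code): server side of an XFO whitelist rollout as the
# slides outline it. Whitelist entries, beacon fields and names are assumptions.
import json
from urllib.parse import urlsplit

# Sites vetted to frame us (constructed; the slides mention search engines).
FRAME_WHITELIST = {"https://www.google.com", "https://www.bing.com"}


def origin_of(url):
    """scheme://host of a URL, or None when it is not an http(s) URL."""
    p = urlsplit(url or "")
    if p.scheme not in ("http", "https") or not p.hostname:
        return None
    return f"{p.scheme}://{p.hostname.lower()}"


def framing_report(body, log):
    """Handle a beacon sent by the page's `top != self` check.

    `body` is the JSON the client posts: {"page": location.href,
    "framer": document.referrer}. Every attempt is logged; the entries that
    are not whitelisted are the ones you will break when you enforce.
    Returns True when the framer is on the whitelist.
    """
    rep = json.loads(body)
    framer = origin_of(rep.get("framer"))
    allowed = framer in FRAME_WHITELIST
    log.append({"page": rep.get("page"), "framer": framer, "allowed": allowed})
    return allowed


def x_frame_options(referer):
    """X-Frame-Options value for one response.

    ALLOW-FROM takes exactly one origin, so it is picked per response from the
    Referer; anything else gets SAMEORIGIN, which needs no referer to be right.
    Caveat for the "read about XFO's options" slide: browsers that never
    implemented ALLOW-FROM (Chrome, Safari) ignore the whole header when they
    see it, so the whitelisted case must be tested per browser.
    """
    origin = origin_of(referer)
    if origin in FRAME_WHITELIST:
        return "ALLOW-FROM " + origin
    return "SAMEORIGIN"
```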
Be Careful
Thoroughly vet your whitelist
Read about XFO’s options
Test thoroughly

Non-Whitelisted sites

Don’t Forget...
If you’re taking away framing, warn your users
Whitelisting will break everyone else

Let’s Talk CSP
Policies can grow fairly large
Doesn’t like inline JavaScript by default
Where do I start?

CSP 1.0
Most websites have inline JS
Removing/refactoring some of it just isn’t possible
FF & Chrome use unprefixed ‘Content-Security-Policy’

CSP 1.1
Will have browser JavaScript API support
Support for inline CSP in a <meta> tag
CSP 1.1 will allow for script-nonce and script-hash

CSP Lessons
CSP introduced the idea of a reporting mechanism
Identify pages with inline scripts => smaller policy size
Log, aggregate reports to find mixed content
Some interesting results

How Do I Deploy CSP?
Organize and assess your existing JavaScript
Have specific template logic for handling JavaScript
Give devs an ‘opt-out’ mechanism for inline JS
Deploy to specific parts/subdomains of your site

CSP Compliance
Actively monitor the # of inline scripts you have left

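The deploy steps and the compliance slide above, as an added Python example (not Etsy's tooling): a scan over templates that counts the inline scripts and inline event handlers still present, honouring a per-block opt-out marker. The marker attribute, template names and template contents are constructed.

```python
# Added example (not Etsy's code): a compliance check that counts the inline
# JavaScript left in templates, honouring an opt-out marker. The marker name,
# template names and contents are constructed; the regexes are deliberately simple.
import re
from collections import Counter

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
HANDLER_ATTR = re.compile(r"\son[a-z]+\s*=", re.IGNORECASE)   # onclick=, onload=, ...
OPT_OUT = "data-csp-inline-ok"   # devs mark a reviewed block: <script data-csp-inline-ok>


def inline_script_report(templates):
    """templates: {name: html}. Returns (Counter of inline scripts per template,
    number of blocks explicitly opted out).

    Scripts with a src= are fine under CSP; inline bodies and on*= handlers
    are what CSP 1.0 blocks without 'unsafe-inline', so those are the debt.
    """
    counts, opted_out = Counter(), 0
    for name, html in templates.items():
        for m in SCRIPT_TAG.finditer(html):
            attrs = m.group(1)
            if re.search(r"\bsrc\s*=", attrs, re.IGNORECASE):
                continue                      # external script: allowed by policy
            if OPT_OUT in attrs:
                opted_out += 1                # reviewed, deliberately kept inline
            else:
                counts[name] += 1
        counts[name] += len(HANDLER_ATTR.findall(html))
    return counts, opted_out


def remaining(counts):
    """The one number for the dashboard: inline scripts still to fix."""
    return sum(counts.values())


# Constructed templates standing in for a real repo
TEMPLATES = {
    "listing.tpl": '<script src="/js/a.js"></script><script>var x=1;</script>'
                   '<a onclick="go()">buy</a>',
    "checkout.tpl": '<script data-csp-inline-ok>init();</script>',
}
```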
Some CSP Tools
Some tools for CSP Generation
http://cspisawesome.com/
https://github.com/Kennysan/CSPTools

CSP Tools
Browser proxy, automated browser, and CSP parser
Lets you create/test a CSP for your prod environment
https://github.com/Kennysan/CSPTools

X-XSS-Protection
Originally IE XSS blocking mechanism
Looks for parameter arguments in response
Side effect: Clients can break your JavaScript

X-XSS-Protection
X-XSS-Protection: 1; mode=block
Reflected XSS protection, but now...
Chrome lets you specify a report URL
Client-side protection; server-side reporting

XSS Logging
X-XSS-Protection: 1; mode=block; report-uri=/log.php
Allows Chrome reflected XSS logging, CSP-style
Other browsers: Implement server-side XSS-Auditor
Look for this functionality in CSP 1.1

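One report endpoint behind both the CSP report-uri from the CSP Lessons slides and the X-XSS-Protection report-uri above, as an added Python example (not Etsy's log.php). The JSON field names are those that Chrome and Firefox of that era posted; the class name, the bucket names and the sample reports are constructed.

```python
# Added example (not Etsy's code): one report endpoint that ingests both CSP 1.0
# violation reports and Chrome's X-XSS-Protection reports and aggregates them as
# the CSP Lessons and XSS Logging slides suggest. Field names follow what
# browsers of that era POSTed; sample reports and class/bucket names are constructed.
import json
from collections import Counter
from urllib.parse import urlsplit


def page_of(uri):
    """Drop query and fragment so reports aggregate per page, not per visit."""
    p = urlsplit(uri or "")
    return f"{p.scheme}://{p.netloc}{p.path}"


class ReportStats:
    def __init__(self):
        self.inline_per_page = Counter()   # pages still carrying inline JS
        self.mixed_content = Counter()     # (https page, http:// resource)
        self.xss_per_page = Counter()      # reflected XSS blocked by Chrome
        self.other = 0                     # anything not classified above

    def ingest(self, body):
        """Handle one POSTed report body; returns the bucket it landed in."""
        try:
            rep = json.loads(body)
        except ValueError:
            self.other += 1                # garbage on a public endpoint is normal
            return "other"
        if "csp-report" in rep:
            return self._csp(rep["csp-report"])
        if "xss-report" in rep:            # Chrome: {"xss-report": {"request-url": ...}}
            self.xss_per_page[page_of(rep["xss-report"].get("request-url"))] += 1
            return "xss"
        self.other += 1
        return "other"

    def _csp(self, r):
        page = page_of(r.get("document-uri"))
        blocked = r.get("blocked-uri") or ""
        directive = r.get("violated-directive") or ""
        # CSP 1.0 browsers reported a blocked inline script with an empty,
        # "self" or "inline" blocked-uri against the script-src directive.
        if directive.startswith("script-src") and blocked in ("", "self", "inline"):
            self.inline_per_page[page] += 1
            return "inline"
        # An http:// resource blocked on an https page is mixed content.
        if blocked.startswith("http://") and page.startswith("https://"):
            self.mixed_content[(page, page_of(blocked))] += 1
            return "mixed"
        self.other += 1
        return "other"
```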
X-Content-Type-Options
X-Content-Type-Options: nosniff
Older versions of IE will guess response content-type
Ignores Content-Type specified!
Example: query parameter lets you specify .html
IE will consider the content to be text/html!

Final Thoughts
Treat header deployment like any other code
Be agile with header development
Can’t deploy everywhere? Have a plan--deploy in part
Starting with security is easier than baking it in later
Log early and often--you learn a lot

Thanks for Listening!
@kennysan
github.com/kennysan