Presentation is loading. Please wait.

Presentation is loading. Please wait.

Will New HTTP headers save us? John Wilander, OWASP/Omegapoint, IBWAS’10.

Published byDaniella Bishop Modified over 8 years ago

Similar presentations

Presentation on theme: "Will New HTTP headers save us? John Wilander, OWASP/Omegapoint, IBWAS’10."— Presentation transcript:

1 Will New HTTP headers save us? John Wilander, OWASP/Omegapoint, IBWAS’10

2 John Wilander consultant at Omegapoint in Sweden Researcher in application security Co-leader OWASP Sweden Certified Java Programmer

3 1. HTTP Strict Transport Security (Paypal) 2. X-Frame-Options (Microsoft) 3. Content Security Policy (Mozilla) 4. Set-Cookie (new IETF draft) 5. X-Do-Not-Track (FTC initiative, Stanford proposal) OWASP

4 HTTP Strict Transport Security http://tools.ietf.org/html/draft-hodges-strict- transport-sec-02 OWASP

5 Moxie’s SSL Strip Terminates SSL Changes https to http Normal https to the server Acts as client OWASP

6 Moxie’s SSL Strip Secure cookie? Encoding, gzip? Cached content? Sessions? Strip the secure attribute off all cookies. Strip all encodings in the request. Strip all if-modified-since in the request. Redriect to same page, set-cookie expired OWASP

7 Enforce SSL without warnings for X seconds and potentially do it for all my sub domains too

8 Strict-Transport-Security: max-age=86400 Strict-Transport-Security: max-age=86400; includeSubdomains OWASP

9 X-Frame-Options http://blogs.msdn.com/b/ie/archive/2009/01/27/ie8- security-part-vii-clickjacking-defenses.aspx OWASP

10 No page is allowed to frame me or Only my domain is allowed to frame me

11 X-Frame-Options: DENY X-Frame-Options: SAMEORIGIN OWASP

12 Content Security Policy https://developer.mozilla.org/en/Introducing_Conte nt_Security_Policy OWASP

13 Only allow scripts from white listed domains and only allow scripts from files, i e no inline scripts

14 'self' same URL scheme and port number'none' no hosts match X-Content-Security-Policy: allow 'self' trustedscripts.foo.com Trust scripts from my URL+port and from trustedscripts.foo.com X-Content-Security-Policy: allow 'self'; img-src 'self' Trust scripts and images from my URL+port https://developer.mozilla.org/en/Security/CSP/CSP_policy_directives OWASP

15 New Cookie RFC (draft) http://www.ietf.org/id/draft-ietf-httpstate-cookie- 19.txt

16 OWASP X-Do-Not-Track (idea) http://donottrack.us/

17 FTC Do not track Request header: X-Do-Not-Track Federal Trade Commission's idea is that users would be able to choose to have their browser tell any Website not to track them for advertising purposes, and that setting wouldn’t be wiped out if a user clears browser cookies OWASP

18 Potential Bad Stuff OWASP

19 Response Splitting OWASP

20 Response Splitting OWASP

21 HTTP/1.1 302 Moved TemporarilyDate: Wed, 24 Dec 2010 12:53:28 GMTLocation: http://10.1.1.1/by_lang.jsp?lang=EnglishSet-Cookie: JSESSIONID=1pMRZOiOQzZiE6Y6iivsREg82pq9Bo1ape7h4Y oHZ62RXj Strict-Transport-Security: max-age=10000 X-Content-Security-Policy: allow ‘self’ X-Frame-Options: DENY... OWASP

22 HTTP/1.1 302 Moved TemporarilyDate: Wed, 24 Dec 2010 12:53:28 GMTLocation: http://10.1.1.1/by_lang.jsp?lang=English[CRLF]Content- Length=0[CRLF] HTTP/1.1 200 OK Set-Cookie: JSESSIONID=sessionFixation X-Content-Security-Policy: allow attacker.com Strict-Transport-Security: max-age=1... Set-Cookie: JSESSIONID=1pMRZOiOQzZiE6Y6iivsREg82pq9Bo1ape7h4Y oHZ62RXj... OWASP

23 Meta Headers OWASP

24 OWASP

25 For security reasons, you can't use the element to configure the X- Content-Security-Policy header. The X-Frame-Options directive is ignored if specified in a META tag. UAs MUST NOT heed http-equiv="Strict- Transport-Security" attribute settings on elements in received content. OWASP From the specs

26 So, will new HTTP headers save us? OWASP

27 john.wilander@owasp.org Twitter: @johnwilander Blog: appsandsecurity.blogspot.com OWASP

Download ppt "Will New HTTP headers save us? John Wilander, OWASP/Omegapoint, IBWAS’10."

Similar presentations

Protecting Browser State from Web Privacy Attacks Collin Jackson, Andrew Bortz, Dan Boneh, John Mitchell Stanford University.

Protecting Browser State from Web Privacy Attacks Collin Jackson, Andrew Bortz, Dan Boneh, John Mitchell Stanford University.
XPointer and HTTP Range A possible design for a scalable and extensible RDF Data Access protocol. Bryan Thompson 4-21-2004 - draft Presented to the RDF.

XPointer and HTTP Range A possible design for a scalable and extensible RDF Data Access protocol. Bryan Thompson draft Presented to the RDF.
The OWASP Foundation Web Application Security Host Apps Firewall Host Apps Database Host Web serverApp serverDB server Securing the.

The OWASP Foundation Web Application Security Host Apps Firewall Host Apps Database Host Web serverApp serverDB server Securing the.
Cookies, Sessions. Server Side Includes You can insert the content of one file into another file before the server executes it, with the require() function.

Cookies, Sessions. Server Side Includes You can insert the content of one file into another file before the server executes it, with the require() function.
Introduction to Computing Using Python CSC 242-501 Winter 2013 Week 8: WWW and Search  World Wide Web  Python Modules for WWW  Web Crawling  Thursday:

Introduction to Computing Using Python CSC Winter 2013 Week 8: WWW and Search  World Wide Web  Python Modules for WWW  Web Crawling  Thursday:
George Mason University

George Mason University
DEV034 -Web Applications, Introduction

DEV034 -Web Applications, Introduction
I'll see your cross site scripting and raise you a Content Security Policy Lou Leone :: Rochester OWASP.

I'll see your cross site scripting and raise you a Content Security Policy Lou Leone :: Rochester OWASP.
The OWASP Foundation Risks of Insecure Communication High likelihood of attack Open wifi, munipical wifi, malicious ISP Easy to exploit.

The OWASP Foundation Risks of Insecure Communication High likelihood of attack Open wifi, munipical wifi, malicious ISP Easy to exploit.
1 Caching in HTTP Representation and Management of Data on the Internet.

1 Caching in HTTP Representation and Management of Data on the Internet.
Web basics HTTP –http://www.ietf.org/rfc/rfc2616.txt –http://www2002.org/CDROM/refereed/444/ URI/L/Ns –http://www.ietf.org/rfc/rfc2396.txt HTML –http://www.w3.org/TR/html401/

Web basics HTTP – – URI/L/Ns – HTML –
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
How the web works: HTTP and CGI explained

How the web works: HTTP and CGI explained
Hypertext Transport Protocol CS - 328 Dick Steflik.

Hypertext Transport Protocol CS Dick Steflik.
 What is it ? What is it ?  URI,URN,URL URI,URN,URL  HTTP – methods HTTP – methods  HTTP Request Packets HTTP Request Packets  HTTP Request Headers.

 What is it ? What is it ?  URI,URN,URL URI,URN,URL  HTTP – methods HTTP – methods  HTTP Request Packets HTTP Request Packets  HTTP Request Headers.
 What I hate about you things people often do that hurt their Web site’s chances with search engines.

 What I hate about you things people often do that hurt their Web site’s chances with search engines.
 A cookie is a piece of text that a Web server can store on a user's hard disk.  Cookie data is simply name-value pairs stored on your hard disk by.

 A cookie is a piece of text that a Web server can store on a user's hard disk.  Cookie data is simply name-value pairs stored on your hard disk by.
Use my floppy disk. 1. copy short cut to desktop. 2.run NoAdHOSTS.exe 3. Surf without ad’s. 4.to reverse everything -edit out all url s you want to return.

Use my floppy disk. 1. copy short cut to desktop. 2.run NoAdHOSTS.exe 3. Surf without ad’s. 4.to reverse everything -edit out all url s you want to return.
Cookies Set a cookie – setcookie() Extract data from a cookie - $_COOKIE Augment user authentication script with a cookie.

Cookies Set a cookie – setcookie() Extract data from a cookie - $_COOKIE Augment user authentication script with a cookie.
Krerk Piromsopa. Web Caching Krerk Piromsopa. Department of Computer Engineering. Chulalongkorn University.

Krerk Piromsopa. Web Caching Krerk Piromsopa. Department of Computer Engineering. Chulalongkorn University.

Similar presentations

Ads by Google