Will New HTTP headers save us? John Wilander, OWASP/Omegapoint, IBWAS’10.

Slides:



Advertisements
Similar presentations
Protecting Browser State from Web Privacy Attacks Collin Jackson, Andrew Bortz, Dan Boneh, John Mitchell Stanford University.
Advertisements

XPointer and HTTP Range A possible design for a scalable and extensible RDF Data Access protocol. Bryan Thompson draft Presented to the RDF.
The OWASP Foundation Web Application Security Host Apps Firewall Host Apps Database Host Web serverApp serverDB server Securing the.
Cookies, Sessions. Server Side Includes You can insert the content of one file into another file before the server executes it, with the require() function.
Introduction to Computing Using Python CSC Winter 2013 Week 8: WWW and Search  World Wide Web  Python Modules for WWW  Web Crawling  Thursday:
George Mason University
DEV034 -Web Applications, Introduction
I'll see your cross site scripting and raise you a Content Security Policy Lou Leone :: Rochester OWASP.
The OWASP Foundation Risks of Insecure Communication High likelihood of attack Open wifi, munipical wifi, malicious ISP Easy to exploit.
1 Caching in HTTP Representation and Management of Data on the Internet.
Web basics HTTP – – URI/L/Ns – HTML –
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
How the web works: HTTP and CGI explained
Hypertext Transport Protocol CS Dick Steflik.
 What is it ? What is it ?  URI,URN,URL URI,URN,URL  HTTP – methods HTTP – methods  HTTP Request Packets HTTP Request Packets  HTTP Request Headers.
 What I hate about you things people often do that hurt their Web site’s chances with search engines.
 A cookie is a piece of text that a Web server can store on a user's hard disk.  Cookie data is simply name-value pairs stored on your hard disk by.
Use my floppy disk. 1. copy short cut to desktop. 2.run NoAdHOSTS.exe 3. Surf without ad’s. 4.to reverse everything -edit out all url s you want to return.
Cookies Set a cookie – setcookie() Extract data from a cookie - $_COOKIE Augment user authentication script with a cookie.
Krerk Piromsopa. Web Caching Krerk Piromsopa. Department of Computer Engineering. Chulalongkorn University.
Origins, Cookies and Security – Oh My! John Kemp, Nokia Mobile Solutions.
_______________________________________________________________________________________________________________ E-Commerce: Fundamentals and Applications1.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
CP476 Internet Computing Lecture 5 : HTTP, WWW and URL 1 Lecture 5. WWW, HTTP and URL Objective: to review the concepts of WWW to understand how HTTP works.
CSE 154 LECTURE 12: COOKIES. Including files: include include("filename"); PHP include("header.html"); include("shared-code.php"); PHP inserts the entire.
Krishna Mohan Koyya Glarimy Technology Services
CSE 190: Internet E-Commerce Lecture 5. Exam Material Lectures 1-4 (Presentation Tier) –3-tier architecture –HTML –Style sheets –Javascript –DOM –HTTP.
Chapter 8 Cookies And Security JavaScript, Third Edition.
OWASP Top 10 from a developer’s perspective John Wilander, OWASP/Omegapoint, IBWAS’10.
1 Chapter 9 – Cookies, Sessions, FTP, and More spring into PHP 5 by Steven Holzner Slides were developed by Jack Davis College of Information Science.
1 Caching in HTTP Representation and Management of Data on the Internet.
COOKIES and SESSIONS. COOKIES A cookie is often used to identify a user. A cookie is a small file that the server embeds on the user's computer. Each.
Web Database Programming Week 7 Session Management & Authentication.
Cookies and Sessions IDIA 618 Fall 2014 Bridget M. Blodgett.
A Little Bit About Cookies Fort Collins, CO Copyright © XTR Systems, LLC A Little Bit About Cookies Instructor: Joseph DiVerdi, Ph.D., M.B.A.
Web Cache Consistency. “Requirements of performance, availability, and disconnected operation require us to relax the goal of semantic transparency.”
PHP Cookies. Cookies are small files that are stored in the visitor's browser. Cookies can be used to identify return visitors, keep a user logged into.
ASP. What is ASP? ASP stands for Active Server Pages ASP is a Microsoft Technology ASP is a program that runs inside IIS IIS stands for Internet Information.
1 WWW. 2 World Wide Web Major application protocol used on the Internet Simple interface Two concepts –Point –Click.
University of Central Florida The Postman Always Rings Twice: Attacking & Defending postMessage in HTML5 Websites Ankur Verma University of Central Florida,
Operating Systems Lesson 12. HTTP vs HTML HTML: hypertext markup language ◦ Definitions of tags that are added to Web documents to control their appearance.
Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®
Chapter 1 Web Page Building Blocks. Elements, Attributes & Values ElementAttr 1Value 1Attr 2Value 2.
Internet and Intranet Protocols and Applications Lecture 13: Web Beyond HTTP 4/25/2000 Arthur P. Goldberg Computer Science Department New York University.
 A cookie is often used to identify a user. A cookie is a small file that the server embeds on the user's computer. Each time the same computer requests.
1 PHP HTTP After this lecture, you should be able to know: How to create and process web forms with HTML and PHP. How to create and process web forms with.
COEN 350: Network Security E-Commerce Issues. Table of Content HTTP Authentication Cookies.
Secure Socket Layer SSL and TLS. SSL Protocol Peer negotiation for algorithm support Public key encryptionPublic key encryption -based key exchange and.
The OWASP Foundation OWASP Education Computer based training The Basics Nishi Kumar IT Architect Specialist, FIS Chair, Software Security.
Cookies and Sessions in PHP. Arguments for the setcookie() Function There are several arguments you can use i.e. setcookie(‘name’, ‘value’, expiration,
Persistence Maintaining state: Queries. State is the Problem What is state? facebook status logins (which user are you?) conversations talking about what?
Session 11: Cookies, Sessions ans Security iNET Academy Open Source Web Development.
Fiddler and Your Website Robert Boedigheimer. About Me Web developer since 1995 Columnist for aspalliance.com Pluralsight Author 3 rd Degree Black Belt,
Programming for the Web Cookies & Sessions Dónal Mulligan BSc MA
CSP STS PKP ETC OMG WTF | scotthelme.co.uk Scott Helme.
CSP STS PKP SRI ETC OMG WTF | scotthelme.co.uk Scott Helme Security Researcher.
Implementing Secure HTTP Headers
Cookies Tutorial Cavisson Systems Inc..
Dr. Michael B. Jones Identity Standards Architect at Microsoft
Setting and Upload Products
Hypertext Transport Protocol
Web Caching? Web Caching:.
Cookies and Sessions in PHP
The Need For a Coherent Web Security Policy Framework
How to Check if a site's connection is secure ?
14-мавзу. Cookie, сеанс, FTP и технологиялари
What is Cookie? Cookie is small information stored in text file on user’s hard drive by web server. This information is later used by web browser to retrieve.
SEO Hand Book.
CS3220 Web and Internet Programming Cookies and Session Tracking
Cookies and Sessions.
Presentation transcript:

Will New HTTP headers save us? John Wilander, OWASP/Omegapoint, IBWAS’10

John Wilander consultant at Omegapoint in Sweden Researcher in application security Co-leader OWASP Sweden Certified Java Programmer

1. HTTP Strict Transport Security (Paypal) 2. X-Frame-Options (Microsoft) 3. Content Security Policy (Mozilla) 4. Set-Cookie (new IETF draft) 5. X-Do-Not-Track (FTC initiative, Stanford proposal) OWASP

HTTP Strict Transport Security transport-sec-02 OWASP

Moxie’s SSL Strip Terminates SSL Changes https to http Normal https to the server Acts as client OWASP

Moxie’s SSL Strip Secure cookie? Encoding, gzip? Cached content? Sessions? Strip the secure attribute off all cookies. Strip all encodings in the request. Strip all if-modified-since in the request. Redriect to same page, set-cookie expired OWASP

Enforce SSL without warnings for X seconds and potentially do it for all my sub domains too

Strict-Transport-Security: max-age=86400 Strict-Transport-Security: max-age=86400; includeSubdomains OWASP

X-Frame-Options security-part-vii-clickjacking-defenses.aspx OWASP

No page is allowed to frame me or Only my domain is allowed to frame me

X-Frame-Options: DENY X-Frame-Options: SAMEORIGIN OWASP

Content Security Policy nt_Security_Policy OWASP

Only allow scripts from white listed domains and only allow scripts from files, i e no inline scripts

'self' same URL scheme and port number'none' no hosts match X-Content-Security-Policy: allow 'self' trustedscripts.foo.com Trust scripts from my URL+port and from trustedscripts.foo.com X-Content-Security-Policy: allow 'self'; img-src 'self' Trust scripts and images from my URL+port OWASP

New Cookie RFC (draft) 19.txt

OWASP X-Do-Not-Track (idea)

FTC Do not track Request header: X-Do-Not-Track Federal Trade Commission's idea is that users would be able to choose to have their browser tell any Website not to track them for advertising purposes, and that setting wouldn’t be wiped out if a user clears browser cookies OWASP

Potential Bad Stuff OWASP

Response Splitting OWASP

Response Splitting OWASP

HTTP/ Moved TemporarilyDate: Wed, 24 Dec :53:28 GMTLocation: JSESSIONID=1pMRZOiOQzZiE6Y6iivsREg82pq9Bo1ape7h4Y oHZ62RXj Strict-Transport-Security: max-age=10000 X-Content-Security-Policy: allow ‘self’ X-Frame-Options: DENY... OWASP

HTTP/ Moved TemporarilyDate: Wed, 24 Dec :53:28 GMTLocation: Length=0[CRLF] HTTP/ OK Set-Cookie: JSESSIONID=sessionFixation X-Content-Security-Policy: allow attacker.com Strict-Transport-Security: max-age=1... Set-Cookie: JSESSIONID=1pMRZOiOQzZiE6Y6iivsREg82pq9Bo1ape7h4Y oHZ62RXj... OWASP

Meta Headers OWASP

OWASP

For security reasons, you can't use the element to configure the X- Content-Security-Policy header. The X-Frame-Options directive is ignored if specified in a META tag. UAs MUST NOT heed http-equiv="Strict- Transport-Security" attribute settings on elements in received content. OWASP From the specs

So, will new HTTP headers save us? OWASP

Blog: appsandsecurity.blogspot.com OWASP

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.