Implementing Secure HTTP Headers

Presentation on theme: "Implementing Secure HTTP Headers"— Presentation transcript:

1 Implementing Secure HTTP Headers
Serge Borso

2 Welcome!
How is SANS going so far?
-bash-4.3# whoami
Serge Borso – SpyderSec CEO/Consultant
Penetration Tester
SANS Community Instructor
CISSP, GPEN, GWAPT, GCFA...
Denver OWASP Board Member

3 Agenda
Overview of HTTP Headers
Focus on security related headers
How they work
What they do
Why someone would want to use/enable them
Header Implementation
Risks as well as pros and cons
Real world scenarios

4 Goals for tonight
#1 HAVE FUN!
Learn something new
Understand the risk associated with the lack of some HTTP headers
Learn how to implement secure headers
Appreciate the situation users face
Expect technical discussion
Expect examples
Expect context and relevance

5 HTTP Headers

6 HTTP Headers

7 HTTP Headers
Response Header | Purpose/Explanation
HTTP/1.1 200 OK | Protocol and response code
Cache-Control: max-age=604800 | Communicate how long to cache
Content-Type: text/html | Convey type of content
Date: Thu, 14 Jul 2016 | The date according to the server
Etag: " gzip" | Tag for cache validation
Expires: Thu, 21 Jul 2016 | Time when resource is stale
Last-Modified: Fri, 09 Aug 2013 | When the resource last changed
Server: ECS (rhv/818F) | Product tokens (type of server)
X-Cache: HIT | CDN served the resource
x-ec-custom-error: 1 | Custom and undocumented
Content-Length: 1270 | Size of the response body
Connection: close | Teardown TCP connection

8 Anything missing?

9 Let’s talk security headers
Strict-Transport-Security (HSTS)
X-Frame-Options
X-XSS-Protection
X-Content-Type-Options
Public-Key-Pins (HPKP)
Content-Security-Policy (CSP)
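The "Anything missing?" question on slide 8 is the check a reviewer runs against every response. The following Python is an added example (not code from the slides or the presenter): it parses a raw response modelled on the slide 7 table (the Etag and full date strings are constructed) and lists which of the six headers named above are absent, plus the product tokens the Server header leaks.

```python
# Added example (not part of the slides): parse a raw HTTP response and
# report which of the security headers listed on slide 9 are absent.
from typing import Dict, List

SECURITY_HEADERS = [
    "Strict-Transport-Security",
    "X-Frame-Options",
    "X-XSS-Protection",
    "X-Content-Type-Options",
    "Public-Key-Pins",
    "Content-Security-Policy",
]

# Constructed sample response, modelled on the header table from slide 7
# (the Etag value and the full Date/Expires/Last-Modified strings are made up).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Cache-Control: max-age=604800\r\n"
    "Content-Type: text/html\r\n"
    "Date: Thu, 14 Jul 2016 12:00:00 GMT\r\n"
    'Etag: "359670651+gzip"\r\n'
    "Expires: Thu, 21 Jul 2016 12:00:00 GMT\r\n"
    "Last-Modified: Fri, 09 Aug 2013 23:54:35 GMT\r\n"
    "Server: ECS (rhv/818F)\r\n"
    "X-Cache: HIT\r\n"
    "x-ec-custom-error: 1\r\n"
    "Content-Length: 1270\r\n"
    "Connection: close\r\n"
    "\r\n"
    "<!doctype html>...\r\n"
)


def parse_response_headers(raw: str) -> Dict[str, List[str]]:
    """Split a raw HTTP response into a header map.

    Header names are case-insensitive (RFC 7230), so they are lower-cased;
    a header that appears more than once keeps every value, in order.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    if not lines[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response: %r" % lines[0])
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if ":" not in line:
            raise ValueError("malformed header line: %r" % line)
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def missing_security_headers(headers: Dict[str, List[str]]) -> List[str]:
    """Return the slide-9 headers the response does not set, in slide order."""
    return [name for name in SECURITY_HEADERS if name.lower() not in headers]


def product_tokens(headers: Dict[str, List[str]]) -> List[str]:
    """Values of headers that disclose product/version tokens (Server, X-Powered-By).

    These are the "type of server" disclosures from the slide-7 table; an
    auditor notes them alongside the missing protections.
    """
    found: List[str] = []
    for name in ("server", "x-powered-by"):
        found.extend(headers.get(name, []))
    return found


if __name__ == "__main__":
    hdrs = parse_response_headers(SAMPLE_RESPONSE)
    print("Missing:", ", ".join(missing_security_headers(hdrs)))
    print("Product tokens:", product_tokens(hdrs))
```

Run against the sample, every one of the six headers comes back as missing, which is exactly the situation the rest of the talk addresses.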

10 Strict-Transport-Security (HSTS)
RFC 6797 (2012)
Two directives: max-age & includeSubDomains
max-age: (required) defines, in seconds, how long the client should regard the host as an HSTS host
includeSubDomains: (optional) apply the policy to subdomains
There is a preload list for browser makers (and no click-through)

11 Strict-Transport-Security (HSTS)
Server perspective: (Apache)
Client perspective:
Break it down… Set the header, set the age, include subdomains and preload
Why would we want this?
What is the risk of implementing it?
Becoming more and more common: 10,000ish sites support this
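The server side is one header line; the interesting part is what the client does with it. The following Python is an added example (not from the slides or the presenter) that parses the header per RFC 6797 and models the browser's HSTS store: how a superdomain entry with includeSubDomains covers subdomains, how max-age expiry and max-age=0 work, how a header seen over plain HTTP is ignored, and the http-to-https rewrite. The preload-list threshold (one year) is an assumption, not a figure from the slide.

```python
# Added example (not from the slides): parse a Strict-Transport-Security
# header and model the client-side cache that makes the header work.
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(value: str) -> Tuple[int, bool, bool]:
    """Parse an HSTS value into (max_age, include_subdomains, preload).

    Per RFC 6797 section 6.1, max-age is required, directive names are
    case-insensitive and unknown directives are ignored.  A missing,
    repeated or non-numeric max-age makes the header invalid, so it raises.
    """
    max_age: Optional[int] = None
    include_subdomains = preload = False
    for directive in value.split(";"):
        name, _, raw = directive.strip().partition("=")
        name = name.strip().lower()
        raw = raw.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not raw.isdigit():
                raise ValueError("invalid or repeated max-age in %r" % value)
            max_age = int(raw)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        raise ValueError("max-age is required: %r" % value)
    return max_age, include_subdomains, preload


# Assumption: the hstspreload.org submission requirements (not stated on the
# slide) are max-age of at least one year, includeSubDomains and preload.
PRELOAD_MIN_AGE = 31536000


def preload_ready(value: str) -> bool:
    """Does the header satisfy the preload-list requirements assumed above?"""
    max_age, include_subdomains, preload = parse_hsts(value)
    return max_age >= PRELOAD_MIN_AGE and include_subdomains and preload


class HstsCache:
    """Minimal model of a browser's HSTS host store (RFC 6797 sections 8.1 to 8.3)."""

    def __init__(self) -> None:
        # host -> (expiry timestamp, include_subdomains)
        self._hosts: Dict[str, Tuple[float, bool]] = {}

    def note_response(self, host: str, header_value: str, now: float, over_tls: bool = True) -> None:
        """Record the policy a host sent; a header received over plain HTTP is ignored."""
        if not over_tls:
            return
        max_age, include_subdomains, _ = parse_hsts(header_value)
        host = host.lower()
        if max_age == 0:
            self._hosts.pop(host, None)        # max-age=0 tells the client to forget the host
        else:
            self._hosts[host] = (now + max_age, include_subdomains)

    def is_known(self, host: str, now: float) -> bool:
        """True if host, or a superdomain with includeSubDomains, has an unexpired entry."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_subdomains = entry
            if now < expiry and (i == 0 or include_subdomains):
                return True
        return False

    def rewrite(self, url: str, now: float) -> str:
        """Upgrade an http:// URL to https:// for a known host (port 80 becomes 443)."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname or "", now):
            return url
        netloc = parts.hostname or ""
        if parts.port not in (None, 80):
            netloc += ":%d" % parts.port
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```

The risk question on the slide falls out of the model: once a client has stored a long max-age, any hostname covered by the entry that cannot serve valid TLS is unreachable from that client until the entry expires, which is why a short max-age is the usual first deployment step.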

12 X-Frame-Options
Very common header (Standard, obsolete, “X” status)
2008; RFC 7034 (2013)
Three values: DENY, SAMEORIGIN, ALLOW-FROM
DENY: Page can’t be rendered in a frame
SAMEORIGIN: Allows framing if page and parent have the same origin
ALLOW-FROM: Specify what sites can frame a given page
Clickjacking, UI redress attack, XFS (Cross frame scripting)
CVSS score of 4.3 – PCI impacting*

13 X-Frame-Options
Server perspective (IIS)
Client perspective
Break it down… Set the header and choose the appropriate value (global or per page)
About .03% of sites are using this header
Why would we want to implement this? Well…

14 X-Frame-Options - DEMO
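Where the demo shows the browser's behaviour, the following Python is an added example (not from the slides or the presenter) that writes out the decision a browser makes from each of the three values, so DENY, SAMEORIGIN and ALLOW-FROM can be exercised on an origin basis without a browser. The URLs are constructed; the treatment of unrecognised values as an error is this example's choice, since browsers differ on them.

```python
# Added example (not from the slides): the decision a browser makes from an
# X-Frame-Options value, written out so DENY, SAMEORIGIN and ALLOW-FROM can
# be exercised without a browser.
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str) -> Tuple[str, str, Optional[int]]:
    """(scheme, host, port) triple; default ports are filled in so
    https://a.example and https://a.example:443 compare equal."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme)


def framing_allowed(header_value: Optional[str], page_url: str, ancestor_urls: List[str]) -> bool:
    """May page_url be rendered inside frames whose ancestors are ancestor_urls?

    ancestor_urls runs from the immediate parent to the top-level document.
    An empty list means the page is the top-level document itself.
    """
    if not ancestor_urls:
        return True                      # not framed at all; the header is irrelevant
    if header_value is None:
        return True                      # no header: any site may frame the page (clickjacking exposure)
    value = header_value.strip()
    token = value.upper()
    if token == "DENY":
        return False
    if token == "SAMEORIGIN":
        # Every ancestor must share the page's origin.  Checking only the
        # top-level document (as some older browsers did) leaves a gap when
        # a same-origin page is itself framed by a third party.
        page = origin_of(page_url)
        return all(origin_of(a) == page for a in ancestor_urls)
    if token.startswith("ALLOW-FROM"):
        allowed = value[len("ALLOW-FROM"):].strip()
        if not allowed:
            raise ValueError("ALLOW-FROM needs a URI: %r" % header_value)
        # ALLOW-FROM names a single origin and is compared with the top-level document.
        return origin_of(allowed) == origin_of(ancestor_urls[-1])
    # Browsers disagree on unrecognised values (several ignore the header),
    # so treat them as a configuration error rather than guessing.
    raise ValueError("unrecognised X-Frame-Options value: %r" % header_value)
```

Note that a scheme change is an origin change: SAMEORIGIN does not let an http:// parent frame the https:// page, which matters when a site is reachable over both.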

15 X-XSS-Protection
Instructs browsers to turn on built-in XSS filters
Non-standard but often used (introduced in IE 8)
Possible values: 0, 1, 1; mode=block, 1; report
0: disabled (do nothing, as if it were not even set)
1: enabled (sanitize the page – this is the default if not set)
1; mode=block: enabled, but block the page from loading if XSS is detected
1; report: sanitize the page and report the violation
Works by output encoding* (replacing characters with safer ones)
Caveats – browser support

16 X-XSS-Protection
Early versions in IE basically mangled the scripts it thought were malicious; this led to attacks on the actual filter logic
WebKit uses XSSAuditor – sits between the HTML parser and JavaScript engine – replaces harmful attributes with a benign value
Firefox doesn’t support this*
Server view:
Client view:
Why would we want to use this and what are the risks?

17 X-XSS-Protection – In Practice
IE:
Chrome:
NoScript

18 X-Content-Type-Options
IE and WebKit again – non-standard header
Prevents MIME-sniffing (MIME type = content type) (think image, text)
Used to prevent the browser from interpreting files as anything other than what the Content-Type header states
Comes into play when a site is hosting untrusted content
Example: a user uploads a specially crafted JPEG to a website; the uploaded file contains script
With MIME-sniffing, this script executes in the context of the website and can then steal cookies, for example
This happens because the browser sees the JPEG as script even though the MIME type was set to image/*

19 X-Content-Type-Options
Server view:
Client view:
Not implemented too often
Useful for some situations
Easy to set and low risk other than for compatibility
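To make the slide 18 upload scenario concrete, the following Python is an added example (not from the slides or the presenter) with a deliberately simplified model of content sniffing: it shows the type a browser ends up acting on for a served upload with and without nosniff, and the second effect of nosniff, refusing to run a <script src> whose declared type is not a script type. The sniffing rules and the list of script MIME types are assumptions for illustration, not the real browser algorithm; the sample bodies are constructed.

```python
# Added example (not from the slides): a simplified model of content sniffing
# that shows what X-Content-Type-Options: nosniff changes for the slide-18
# upload scenario.  The sniffing rules here are an assumption for illustration,
# not the real browser algorithm.
from typing import Tuple

JPEG_MAGIC = b"\xff\xd8\xff"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
HTML_MARKERS = (b"<!doctype html", b"<html", b"<head", b"<body", b"<script", b"<iframe", b"<svg")
# Types a browser accepts for <script src=...> when nosniff is set (partial list, assumption).
SCRIPT_TYPES = {"text/javascript", "application/javascript", "application/x-javascript", "application/ecmascript"}

# Constructed sample bodies: a real-looking JPEG header, and an "image" that
# is really markup, as in the slide's upload example.
REAL_JPEG = JPEG_MAGIC + b"\xe0\x00\x10JFIF" + b"\x00" * 32
CRAFTED_UPLOAD = b"<html><script>/* untrusted markup inside the upload */</script></html>"


def sniff(body: bytes) -> str:
    """Guess a type from the first bytes, the way a sniffer would (simplified)."""
    if body.startswith(JPEG_MAGIC):
        return "image/jpeg"
    if body.startswith(PNG_MAGIC):
        return "image/png"
    head = body[:512].lstrip().lower()
    if any(head.startswith(marker) for marker in HTML_MARKERS):
        return "text/html"
    return "application/octet-stream"       # nothing recognisable: keep the declared type


def effective_content_type(declared: str, body: bytes, nosniff: bool) -> str:
    """Type the browser will act on.

    With nosniff the declared Content-Type is authoritative; without it the
    sniffed type wins whenever the sniffer recognises something.
    """
    declared = declared.split(";", 1)[0].strip().lower()
    if nosniff:
        return declared
    sniffed = sniff(body)
    return declared if sniffed == "application/octet-stream" else sniffed


def upload_outcome(declared: str, body: bytes, nosniff: bool) -> Tuple[str, bool]:
    """(effective type, renders as HTML in the site's origin?) for a served upload."""
    effective = effective_content_type(declared, body, nosniff)
    return effective, effective == "text/html"


def script_src_allowed(declared: str, nosniff: bool) -> bool:
    """Would a <script src> referencing a resource with this Content-Type run?

    nosniff also makes browsers refuse script (and stylesheet) resources whose
    declared type is not a script type, so a file served as image/* cannot be
    pulled in as JavaScript even by a page that tries to include it.
    """
    declared = declared.split(";", 1)[0].strip().lower()
    return declared in SCRIPT_TYPES or not nosniff
```

The compatibility caveat on the slide shows up in the same model: with nosniff, a legitimate script served with a wrong Content-Type (text/plain is the common mistake) stops loading, so the header is best deployed together with a check of what types the origin actually serves.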

20

21 Public Key Pinning Extension for HTTP (HPKP)
Provides a means for browsers to remember a server’s cryptographic identity
Addresses the issue of a CA becoming compromised and maliciously issuing certificates for legitimate websites
Basically allows admins/security professionals to limit how many CAs can vouch for the server’s identity
RFC 7496 (2015)
TOFU (Trust On First Use – like SSH)
Quite risky if not implemented properly (DoS)

22 Public Key Pinning
Several directives:
pin: Includes cryptographic hash algorithm (SHA256 only as of today)
max-age: Time in seconds the browser should consider the host “known”
includeSubDomains: “Setting the includeSubDomains directive is OPTIONAL”
report-uri: where to send failure reports
Looks like this (facebook):
public-key-pins-report-only: max-age=500; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E="; pin-sha256="q4PO2G2cbkZhZ82+JgmRUyGMoAeozA+BSXVXQWB8XWQ="; report-uri="

23 Public Key Pinning
Let’s talk about the reporting feature…
HTTP POST to the resource specified in the header using JSON:
{
  "date-time": date-time,
  "hostname": hostname,
  "port": port,
  "effective-expiration-date": expiration-date,
  "include-subdomains": include-subdomains,
  "noted-hostname": noted-hostname,
  "served-certificate-chain": [ pem1, ... pemN ],
  "validated-certificate-chain": [ pem1, ... pemN ],
  "known-pins": [ known-pin1, ... known-pinN ]
}
Write your own or use something like:

24 Public Key Pinning – Caveats
Takes a fair amount of planning
When reissuing your certificate, you need to make sure the pin is added in advance
Not actually pinning the server certificate: use root CAs or an intermediate CA instead
Backup pin(s) required to help reduce negative impact
Pentesting becomes challenging
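The following Python is an added example (not from the slides or the presenter) covering slides 22 to 24 together: it computes a pin-sha256 value the way the header defines it (base64 of the SHA-256 of the SubjectPublicKeyInfo, which is why the key and not the certificate is what gets pinned), parses a Public-Key-Pins header, checks the planning rules the caveats slide lists (a pin that matches the served chain, a backup pin that does not, a report-uri) and validates a report of the slide 23 shape. The SPKI bytes, the report-uri and the report contents are constructed placeholders, not real keys or endpoints.

```python
# Added example (not from the slides): compute pin-sha256 values as the
# header defines them, parse a Public-Key-Pins header, check the planning
# rules from slides 22-24 and validate a report of the slide-23 shape.
# SPKI bytes used with this code are constructed placeholders, not real keys.
import base64
import hashlib
import json
from typing import Dict, List, Optional


def pin_from_spki_der(spki_der: bytes) -> str:
    """pin-sha256 = base64(SHA-256(SubjectPublicKeyInfo in DER)).

    The digest covers the public key, so any certificate issued for that
    key matches the pin; this is why reissuing with a new key needs the
    new pin published in advance.
    """
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_hpkp(value: str) -> Dict[str, object]:
    """Parse the directives of a Public-Key-Pins(-Report-Only) value."""
    pins: List[str] = []
    max_age: Optional[int] = None
    include_subdomains = False
    report_uri: Optional[str] = None
    for directive in value.split(";"):
        name, _, raw = directive.strip().partition("=")
        name, raw = name.strip().lower(), raw.strip().strip('"')
        if name == "pin-sha256":
            if len(base64.b64decode(raw, validate=True)) != 32:
                raise ValueError("pin is not a SHA-256 digest: %r" % raw)
            pins.append(raw)
        elif name == "max-age":
            if not raw.isdigit():
                raise ValueError("max-age must be a number of seconds")
            max_age = int(raw)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "report-uri":
            report_uri = raw
    return {"pins": pins, "max_age": max_age,
            "include_subdomains": include_subdomains, "report_uri": report_uri}


def check_policy(policy: Dict[str, object], chain_spki_ders: List[bytes],
                 report_only: bool = False) -> List[str]:
    """Deployment problems a reviewer would flag before the header goes live.

    chain_spki_ders are the SPKIs (DER) of the certificate chain actually served.
    """
    problems: List[str] = []
    pins = set(policy["pins"])  # type: ignore[arg-type]
    if policy["max_age"] is None and not report_only:
        problems.append("max-age is required for Public-Key-Pins")
    chain_pins = {pin_from_spki_der(der) for der in chain_spki_ders}
    if not chain_pins & pins:
        problems.append("no pin matches the served chain: every client would be locked out")
    if not pins - chain_pins:
        problems.append("no backup pin: a key rotation would lock out pinned clients")
    if policy["report_uri"] is None:
        problems.append("no report-uri: validation failures would go unnoticed")
    return problems


REQUIRED_REPORT_FIELDS = ("date-time", "hostname", "port", "effective-expiration-date",
                          "include-subdomains", "noted-hostname", "served-certificate-chain",
                          "validated-certificate-chain", "known-pins")


def validate_report(body: str) -> List[str]:
    """Problems with a JSON report POSTed to the report-uri (slide-23 layout)."""
    try:
        report = json.loads(body)
    except json.JSONDecodeError as exc:
        return ["body is not JSON: %s" % exc]
    if not isinstance(report, dict):
        return ["report must be a JSON object"]
    problems = ["missing %s" % f for f in REQUIRED_REPORT_FIELDS if f not in report]
    for field in ("served-certificate-chain", "validated-certificate-chain", "known-pins"):
        if field in report and not isinstance(report[field], list):
            problems.append("%s must be a list" % field)
    if "port" in report and not isinstance(report["port"], int):
        problems.append("port must be an integer")
    return problems
```

A report-only header (as in the facebook example on slide 22) is the low-risk way to find out whether the chain you serve and the pins you publish agree before a max-age can lock anyone out; the report endpoint should treat the POSTed certificate chains as untrusted input and size-limit them.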

25 Content-Security-Policy (CSP)
Provides a way for us to convey approved origins of content
Started in 2004 (2012 as W3C candidate)
Very flexible and granular
Creates a whitelist of approved content (where it is loaded from)
Supports reporting when a policy violation occurs
Dozens of directives (well, about two dozen)
Scripts, objects, CSS, images, fonts, forms, plugins, XSS, etc.
And frames (remember X-Frame-Options?)

26 Content-Security-Policy (CSP)
Looks like this:
Can be much more robust:
Good support on modern browsers
Example: Allow Google Analytics, Google AJAX CDN
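The following Python is an added example (not from the slides or the presenter) built around a policy constructed for the slide's "Allow Google Analytics, Google AJAX CDN" case: it parses a Content-Security-Policy header and decides whether a given load is allowed, including the fallback from script-src and friends to default-src, wildcard hosts, ports and path prefixes, and the frame-ancestors directive that takes over the job of X-Frame-Options. The host and path matching is a simplification of the CSP specification, and the policy, URLs and report endpoint are constructed.

```python
# Added example (not from the slides): parse a Content-Security-Policy header
# and decide whether a given load is allowed.  The policy is constructed for
# the slide-26 example (Google Analytics plus the Google AJAX CDN); matching
# is simplified from the CSP specification.
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

EXAMPLE_POLICY = (
    "default-src 'self'; "
    "script-src 'self' https://www.google-analytics.com https://ajax.googleapis.com; "
    "img-src 'self' https://www.google-analytics.com; "
    "object-src 'none'; "
    "frame-ancestors 'none'; "
    "report-uri /csp-report"
)

FALLS_BACK_TO_DEFAULT = {"script-src", "style-src", "img-src", "font-src", "connect-src",
                         "media-src", "object-src", "frame-src", "child-src"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """directive name -> source list; a repeated directive keeps its first value."""
    directives: Dict[str, List[str]] = {}
    for token in policy.split(";"):
        parts = token.split()
        if parts:
            directives.setdefault(parts[0].lower(), parts[1:])
    return directives


def _origin(url: str) -> Tuple[str, str, Optional[int]]:
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme)


def _source_matches(expr: str, url: str, page_url: str) -> bool:
    """Does one source expression match url, loaded from a page at page_url?"""
    e = expr.lower()
    if e == "'none'":
        return False
    if e == "'self'":
        return _origin(url) == _origin(page_url)
    if e.startswith("'"):                       # 'unsafe-inline', nonces, hashes: govern inline code, not URLs
        return False
    u = urlsplit(url)
    uscheme = u.scheme.lower()
    page_scheme = urlsplit(page_url).scheme.lower()
    if e == "*":
        return uscheme in ("http", "https")
    if e.endswith(":") and "/" not in e:        # scheme-source, e.g. https:
        return uscheme == e[:-1]
    scheme, rest = (e.split("://", 1) if "://" in e else (None, e))
    hostport, _, path = rest.partition("/")
    host, _, port = hostport.partition(":")
    if scheme:
        if uscheme != scheme:
            return False
    elif uscheme != page_scheme and not (page_scheme == "http" and uscheme == "https"):
        return False                            # no scheme given: inherit the page's (http may upgrade to https)
    uhost = (u.hostname or "").lower()
    if host.startswith("*."):
        if not uhost.endswith(host[1:]):        # *.example.com matches a.example.com, not example.com
            return False
    elif host != uhost:
        return False
    uport = u.port or DEFAULT_PORTS.get(uscheme)
    if port and port != "*" and str(uport) != port:
        return False
    if path:
        path = "/" + path
        return u.path.startswith(path) if path.endswith("/") else u.path == path
    return True


def is_allowed(directives: Dict[str, List[str]], directive: str, url: str, page_url: str) -> bool:
    """Would the policy permit fetching url for this directive (e.g. script-src)?"""
    sources = directives.get(directive)
    if sources is None and directive in FALLS_BACK_TO_DEFAULT:
        sources = directives.get("default-src")
    if sources is None:
        return True                             # nothing governs this load
    return any(_source_matches(s, url, page_url) for s in sources)


def framing_allowed(directives: Dict[str, List[str]], page_url: str, ancestor_urls: List[str]) -> bool:
    """frame-ancestors: every ancestor must match; without the directive CSP does not restrict framing."""
    sources = directives.get("frame-ancestors")
    if sources is None or not ancestor_urls:
        return True
    return all(any(_source_matches(s, a, page_url) for s in sources) for a in ancestor_urls)
```

Two things the example makes visible: connect-src is not listed in the policy, so an XMLHttpRequest to ajax.googleapis.com falls back to default-src 'self' and is refused even though scripts from that host are allowed; and frame-ancestors 'none' is the CSP equivalent of X-Frame-Options: DENY, with the advantage that it can list several allowed framers where ALLOW-FROM takes one.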

27 What do all of these have in common?
End user security!
Can be a challenge to get management on board
I have even struggled with getting developers on board
Possible reputation damage to the company
Possible user impact if not implemented properly
Scanners now incorporate some of these checks
I put these findings in my pen test reports for sure (users are important too!)
Great tool dedicated to help show risk, or at least grade…

28 SSL looks great!

29 Headers…not so much

30 Thank you! Any questions?
Stay in touch: Serge Borso
LinkedIn, twitter (not so much)
Enjoy day 5 and day 6!
