François Marier @fmarier
Getting Browsers to Improve the Security of Your Webapp
external resources
user content
cookies
encryption

external resources
Subresource integrity
mechanism for preventing tampering of static assets

https://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js

what would happen if that server were compromised?
Bad Things™
● steal sessions
● leak confidential data
● redirect to phishing sites
● enlist DDoS zombies
simple solution

instead of this:
<script src="https://ajax.googleapis.com..."></script>

do this:
<script src="https://ajax.googleapis.com..."
        integrity="sha256-1z4uG/+cVbhShP..."
        crossorigin="anonymous"></script>

guarantee: the script won't change, or it'll be blocked
(the browser hashes the bytes it fetched and compares them with the integrity value; crossorigin="anonymous" is needed for cross-origin scripts so that CORS lets the browser read those bytes)
rel="noopener"
mechanism for disabling the window.opener object

My Account
● Change my address
● Change my billing card
● Reset my password
● Delete my account
● Watch some cute kittens!

the kittens link opens in a new tab:

<a href="..." target="_blank">

but the new tab ("kittens!!!!!!!!") gets a reference back to our tab through window.opener, and even though it is cross-origin it is allowed to navigate it:

window.opener.location = 'http://stealmypasswd.org';

while the user is looking at kittens, the My Account tab quietly turns into a phishing page:

Session Expired
Username:
Password:
Log back in!

the user comes back, sees "Session Expired" on what looks like their account tab, types esnowden / ********** and lands back on My Account; the credentials went to stealmypasswd.org

solutions

instead of this:
<a href="..." target="_blank">

do this:
<a href="..." target="_blank" rel="noopener">

and in the new tab:
window.opener == null
Referrer Policy
mechanism for trimming the Referer header

http://example.com/search?q=serious+medical+condition

on that results page, among the results, an ad:
Click here for the cheapest insurance around!

clicking the ad sends the full URL, query string included, to the advertiser in the Referer header

three places to set a policy:

Referrer-Policy: no-referrer                                (HTTP header, whole site)
<meta name="referrer" content="no-referrer">               (one document)
<a href="http://example.com" referrerpolicy="no-referrer">  (one element)

(the older per-element referrer="origin" attribute shown in earlier versions of these slides was replaced by referrerpolicy; the DOM property is referrerPolicy)

the values that matter most:
no-referrer
no-referrer-when-downgrade
same-origin
strict-origin
strict-origin-when-cross-origin

(the spec also defines origin, origin-when-cross-origin and unsafe-url; strict-origin-when-cross-origin is now the browser default)

https://developer.mozilla.org/docs/Web/HTTP/Headers/Referrer-Policy
user content

Sandboxed iframes
mechanism for restricting embedded documents

<iframe src="resume.html">

a document framed like this can run scripts, open popups, submit forms, and navigate our page through window.parent

first line of defence: serve user content from a separate origin
  seriousapp.com embeds resume.html from seriousappusercontent.com

second line of defence: sandbox it
<iframe src="resume.html" sandbox="">

with an empty sandbox attribute all of these are disabled:
scripts
popups
forms
(and the document is treated as a unique origin, so it can't touch our cookies or DOM even if it came from the same host)

re-enable only what you need with allow-scripts, allow-popups, allow-forms; never combine allow-scripts with allow-same-origin on content you don't trust, because a script in the frame could then remove the sandbox attribute itself

https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#attr-sandbox
X-Content-Type-Options
mechanism for disabling content type sniffing

Review Papers
● Witty-Title.pdf
● Serious-Sounding-Topic.pdf
● Series-of-buzzwords.pdf
● Celebrity-Paper.pdf
● Half-Ass-Paper.pdf

reviewers download PDFs that other users uploaded; one of them is really this:

%PDF-1.5<html><body> <script> ... </script></body></html>

a browser that sniffs content types sees the HTML tags, ignores the application/pdf the server declared, and renders the file as a page on our origin; the script then submits a form as the logged-in reviewer:

<form action="review.cgi">
  <input type="hidden" name="paper-id" value="42">
  <input type="hidden" name="score" value="100">
</form>

X-Content-Type-Options: nosniff
Content Security Policy aka CSP
mechanism for preventing XSS
telling the browser the content that is allowed to load

What's on your mind?   Hi y'all<script>alert('p0wned');</script>!   [Tweet!]

without CSP:
Hi y'all!  John Doe - just moments ago
  p0wned  [Ok]          (the injected script ran)

with CSP:
Hi y'all!  John Doe - just moments ago
                        (the inline script is blocked; nothing pops up)

Content-Security-Policy: script-src 'self' https://cdn.example.com

other directives control the other kinds of content:
script-src, object-src, style-src, img-src, media-src, font-src, connect-src, ...

https://developer.mozilla.org/docs/Web/HTTP/CSP
cookies

Set-Cookie: sessionid=1234

the browser stores 1234 and sends it back with every request to the site; any script running in the page can also read it through document.cookie

Cookie options
mechanism for restricting the scope of cookies

Set-Cookie: sessionid=1234; HttpOnly
document.cookie no longer contains it (scripts, injected ones included, can't read the session)

Set-Cookie: sessionid=1234; Secure
sent only over HTTPS

good, but not great

the Secure cookie is never sent over HTTP, but a cookie with the same name can still be set from HTTP: an attacker who gets the browser to load http://example.com can answer with

Set-Cookie: sessionid=666

and the browser keeps 666 and sends it over HTTPS too, so the attacker has chosen the victim's session id (session fixation)

Cookie prefixes
mechanism for enforcing cookie restrictions

Set-Cookie: __Secure-sessionid=1234; Secure
a cookie whose name starts with __Secure- is only accepted if it carries the Secure attribute and was set from a secure origin, so

__Secure-sessionid=666

set from the HTTP response is thrown away (the stricter __Host- prefix additionally requires Path=/ and no Domain, pinning the cookie to one host)
encryption

HTTPS
mechanism for securing information in transit
if you're not using it, now is the time to start :)

HTTPS is not enough, you need to do it properly. Things that were once acceptable and are not any more:
● RC4
● SHA-1
● 1024-bit certificates
● weak DH parameters

https://mozilla.github.io/server-side-tls/ssl-config-generator/
Strict Transport Security aka HSTS
mechanism for preventing HTTPS to HTTP downgrades
telling the browser that your site should never be reached over HTTP

no HSTS, no sslstrip:
GET http://bank.com → 301
GET https://bank.com → 200

no HSTS, with sslstrip (an attacker on the network answers the HTTP request with the page's content and talks HTTPS to the bank themselves; the user never leaves HTTP):
GET http://bank.com → 200

what does HSTS look like?
Strict-Transport-Security: max-age=31536000

with HSTS, with sslstrip:
GET https://bank.com → 200
the browser rewrites the URL to https:// before the request leaves the machine; no HTTP traffic for sslstrip to tamper with
referrer policy, subresource integrity, noopener
cookie prefixes, cookie options
sandboxed iframes, x-content-type-options, content security policy
https, strict transport security

Questions?

feedback: [email protected] / @fmarier / mozilla.dev.security

© 2017 François Marier <[email protected]>
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.

photo credits:
explosion: https://www.flickr.com/photos/-cavin-/2313239884/
kittens: https://www.flickr.com/photos/londonlooks/5693093073
cookie: https://www.flickr.com/photos/amagill/34754258/