Table of Contents
• HTTP Headers
• Transport Layer Security (TLS/SSL)
• HTTP Strict Transport Security
• HTTP Public Key Pinning
HTTP HEADERS
HTTP Headers
GET http://oasp-ci.cloudapp.net/oasp4j-sample/services/rest/offermanagement/v1/offer HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:37.0) Gecko/20100101 Firefox/37.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
X-CSRF-TOKEN: fcbfc729-15d2-4f04-8e50-082f20cb2dfb
Referer: http://oasp-ci.cloudapp.net/oasp4j-sample/jsclient/
Cookie: JSESSIONID=F340544E6AE9078812ECF61139D03C7B
Connection: keep-alive
Host: oasp-ci.cloudapp.net
HTTP request
HTTP/1.1 200 OK
Date: Sat, 11 Jul 2015 20:28:36 GMT
Server: Apache-Coyote/1.1
Content-Type: application/json;charset=UTF-8
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
[{"id":1,"modificationCounter":1,"revision":null,"name":null,"description":"Schnitzel-Menü","number":null,"mealId":1,"drinkId":10,"sideDishId":5,"state":"NORMAL","price":"6.99"},{"id":2,"modificationCounter":1, (…)
HTTP response
Facts about HTTP Headers
• Headers can be used to steer browsers (and applications) behaviour
• You can define your own headers
• If the browser does not know or support the header, it will ignore the header
• Response headers are client-side controls: the server sets them, but it is the browser that enforces them (and only if it knows the header)
Security-relevant Headers (after OWASP ASVS v3.0)
• V9.4 Level 1: Cache-Control
• V10.11 Level 1: HTTP Strict Transport Security (HSTS)
• V11.4 Level 2 and V11.7 Level 1: Content Security Policy (CSP)
• V11.6 Level 1: X-Content-Type-Options, Content-Disposition
• V11.8 Level 1: X-XSS-Protection
• V10.10 Level 3: HTTP Public Key Pinning
• V11.10 Level 2: X-Frame-Options (deprecated)
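As an added example (not part of the original slides), here is a small audit that parses a raw HTTP/1.1 response and reports which of the ASVS v3.0 headers listed above are absent or switched off. The first sample response is a constructed copy of the oasp4j-sample response shown at the start of the deck, which carries none of these headers; the second is a constructed hardened variant. The Cache-Control rule (require no-store) is an assumption made for an authenticated JSON API like the one in the screenshot, not something ASVS dictates for every response.

```python
# Added example (not from the original slides): parse a raw HTTP/1.1 response
# and audit it for the ASVS v3.0 headers listed on this page. Both responses
# below are constructed for the example.

SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Sat, 11 Jul 2015 20:28:36 GMT\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Content-Type: application/json;charset=UTF-8\r\n"
    "Keep-Alive: timeout=5, max=100\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
    '[{"id":1,"description":"Schnitzel-Men\u00fc","price":"6.99"}]'
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json;charset=UTF-8\r\n"
    "Cache-Control: no-store\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'none'; frame-ancestors 'none'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Frame-Options: DENY\r\n"
    "\r\n"
    "[]"
)

# (header, ASVS v3.0 requirement, level) as listed on this page; CSP is taken
# at its Level 1 entry (V11.7).
REQUIRED_HEADERS = [
    ("Cache-Control", "V9.4", 1),
    ("Strict-Transport-Security", "V10.11", 1),
    ("Content-Security-Policy", "V11.7", 1),
    ("X-Content-Type-Options", "V11.6", 1),
    ("X-XSS-Protection", "V11.8", 1),
    ("X-Frame-Options", "V11.10", 2),
    ("Public-Key-Pins", "V10.10", 3),
]


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status_code, headers, body).

    Header names are lowercased because they are case-insensitive; a header
    that repeats is joined with ', ' (RFC 7230 list semantics).
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = value if name not in headers else headers[name] + ", " + value
    return status, headers, body


def audit_headers(raw, level=1):
    """Return (asvs_ref, header, finding) for every requirement up to `level`
    that the response fails: the header is absent, or it is present with a
    value that switches the protection off."""
    _, headers, _ = parse_response(raw)
    findings = []
    for name, ref, lvl in REQUIRED_HEADERS:
        if lvl > level:
            continue
        value = headers.get(name.lower())
        if value is None:
            findings.append((ref, name, "missing"))
        elif name == "X-Content-Type-Options" and value.lower() != "nosniff":
            findings.append((ref, name, "value must be nosniff, got " + value))
        elif name == "X-XSS-Protection" and value.startswith("0"):
            findings.append((ref, name, "filter explicitly disabled"))
        elif name == "Cache-Control" and "no-store" not in value.lower():
            # Assumption for this API: responses are authenticated, so they
            # must not end up in any cache.
            findings.append((ref, name, "no-store missing: " + value))
    return findings
```

Run `audit_headers(SAMPLE_RESPONSE)` and all five Level 1 headers come back as missing; the hardened response passes Level 2 and only lacks Public-Key-Pins at Level 3.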
TRANSPORT LAYER SECURITY (TLS/SSL)
TLS/SSL
• TLS is the S in HTTPS ;)
• It gives us the following things:
– Confidentiality - adversary can't see unencrypted data
– Integrity - adversary can't change data undetected
– Authentication - to know which server we are connected to
Why TLS?
• Because the world is cruel
"Any unencrypted traffic, visible to an adversary, is not just an information leak, but an attack vector they can use to exploit your systems."
Nick Weaver
• Current state of the art: encrypt everything
Need to know more?
• Advanced HTTPS Defense Strategies (Jim Manico)
• Youtube: https://www.youtube.com/watch?v=uix4f45VndQ
• Presentation: http://www.slideshare.net/proidea_conferences/jim-manico-advanced-https-defense-strategies
HTTP STRICT TRANSPORT SECURITY (HSTS)
Threats addressed by HSTS
• Passive network attackers - eavesdropping on unencrypted communication. Even more dangerous when the environment allows cookies without the Secure flag, because those are sent along with the plain HTTP request.
• Active network attackers - TLS stripping (the attacker keeps the victim on HTTP while talking HTTPS to the server) or a transparent proxy that relies on the user clicking through the certificate warning.
• Web site development and deployment bugs - a page loading additional resources over an insecure connection (mixed content).
[Screenshot] Without HSTS: mixed content example
[Screenshot] Without HSTS: insecure redirect
[Screenshot] With HSTS: secure redirect
[Screenshot] Without HSTS: insecure choice (the user can click through the certificate warning)
[Screenshot] With HSTS: secure... lack of other choices (the warning cannot be clicked through)
HSTS Header
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
• max-age - how long (in seconds) the browser rewrites every http:// request for the host to https:// and refuses connections with certificate errors
• includeSubDomains - apply the policy to all subdomains as well (optional)
• preload - allow the policy to be hardcoded into browsers. Solves the "trust on first use" (TOFU) problem: without preload the very first visit can still happen over plain HTTP. A domain can be submitted at hstspreload.appspot.com (now hstspreload.org) (optional)
What can go wrong?
• Want to go back to HTTP? No way... The only exit is serving max-age=0 over HTTPS and waiting until the longest max-age you ever sent has expired in every browser; a preloaded domain additionally has to be removed from the preload list, which takes browser release cycles.
• Your subdomains do not support HTTPS and you turned includeSubDomains on: every such subdomain becomes unreachable for the whole max-age.
HSTS and Security Standards
• OWASP ASVS v3.0 V10.11: Verify that HTTP Strict Transport Security headers are included on all requests and for all subdomains, such as Strict-Transport-Security: max-age=15724800; includeSubDomains
• OWASP ASVS v3.0 V10.12: Verify that production website URL has been submitted to preloaded list of Strict Transport Security domains maintained by web browser vendors.
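As an added example (not part of the original slides), a check of a Strict-Transport-Security value against the two ASVS requirements above and the preload prerequisites. The 15724800 minimum is V10.11's own value; the preload threshold (max-age of at least 31536000 together with includeSubDomains and preload) is the hstspreload submission rule and is assumed here rather than stated on the slide. Directive handling follows RFC 6797.

```python
# Added example, not from the original slides: validate an HSTS header value.
# ASVS_MIN_MAX_AGE is the 15724800 from V10.11; PRELOAD_MIN_MAX_AGE (one year,
# with includeSubDomains and preload) is the hstspreload submission rule,
# assumed here rather than stated on the slide.
ASVS_MIN_MAX_AGE = 15724800
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(value):
    """Parse the directive list of a Strict-Transport-Security value.

    Returns {name: value_or_None}; names are lowercased (RFC 6797 makes them
    case-insensitive) and a quoted max-age is unquoted. Returns None when a
    directive repeats, because the RFC says the browser must then ignore the
    whole header, i.e. no policy at all is applied.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            return None
        directives[name] = val.strip().strip('"') if sep else None
    return directives


def check_hsts(value):
    """Return (problems, preload_ready).

    problems is empty when the header satisfies ASVS V10.11; preload_ready
    says whether the header also meets the preload-list prerequisites (V10.12).
    """
    d = parse_hsts(value)
    if d is None:
        return ["malformed: a directive appears twice, browsers ignore the header"], False
    raw_age = d.get("max-age")
    if raw_age is None or not raw_age.isdigit():
        return ["max-age missing or not an integer, browsers ignore the header"], False
    max_age = int(raw_age)
    problems = []
    if max_age == 0:
        problems.append("max-age=0 deletes the policy (this is how you go back to HTTP)")
    elif max_age < ASVS_MIN_MAX_AGE:
        problems.append("max-age %d is below the ASVS minimum of %d" % (max_age, ASVS_MIN_MAX_AGE))
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing, V10.11 wants the policy on all subdomains")
    preload_ready = (
        "preload" in d
        and "includesubdomains" in d
        and max_age >= PRELOAD_MIN_MAX_AGE
    )
    return problems, preload_ready
```

The header from the HSTS slide, `max-age=31536000; includeSubDomains; preload`, passes with preload_ready set; the ASVS example value passes V10.11 but is not preload-ready because it lacks the preload directive and is shorter than a year.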
How many sites use HSTS?
[Chart: share of the Alexa top 1 million sites with HSTS present vs. HSTS missing]
Source: https://scotthelme.co.uk/alexa-top-1-million-crawl-aug-2016/ (August 2016)
Browser support for HSTS
[Table: browser support for HSTS]
Source: http://caniuse.com/#feat=stricttransportsecurity
HTTP PUBLIC KEY PINNING
PKI in a nutshell (you <-> RA/CA)
• Create a public/private key pair
• Fill in some data (the subject you want certified)
• Create a CSR and send it to the RA (CA)
• The CA sends back the signed certificate
• Profit
Question: Which CA should you buy certificates from?
• Let's Encrypt - because it's free, automated and open :)
• But honestly, it does not matter. Any CA recognized by your browser can give you technically the same thing: a signed certificate. Which also means any of them can issue one for your domain.
Question: What can happen if a CA gets hacked?
• One could fabricate certificates for EVERY domain on the Internet, because browsers trust every root equally. (Security of the WHOLE INTERNET is in danger)
"If a company can 'put the entire Internet at risk' (…) the system is fundamentally flawed."
https://news.ycombinator.com/item?id=9253676
Question: How often did CAs fail in the past?
• 2011, Comodo got hacked
• 2011, DigiNotar got hacked, the forged certificates were used to attack Iranian Google users, DigiNotar went bankrupt...
• 2012, Trustwave sold an intermediate CA certificate to a private company (for intercepting its own employees' TLS traffic)
• 2013, This time: the French government...
• 2015, MCS Holdings...
HPKP Header
Public-Key-Pins: pin-sha256="<hash1>"; pin-sha256="<hash2>"; max-age=2592000; report-uri="<uri>"; includeSubDomains
• pin-sha256 - base64-encoded SHA-256 of the SubjectPublicKeyInfo (the public key, not the whole certificate); it can be your own key, the key of any certificate in the chain (intermediate or root CA), or the key of a CSR that has not been signed yet.
• max-age - how long (in seconds) the browser keeps the pins and rejects any chain that does not contain a pinned key.
• report-uri - report pin validation failures to this URI. Usually not on the pinned host itself, otherwise the report cannot be delivered exactly when the pin fails.
• includeSubDomains - all subdomains must use the same pins (optional).
Generate hashes
• From the key (openssl rsa reads the private key file; -pubout writes the public key as DER SubjectPublicKeyInfo, which is what gets hashed):
openssl rsa -pubout -in pub.key -outform der | openssl dgst -sha256 -binary | base64
• From the CSR (the pin of a key that no certificate uses yet, e.g. your backup):
openssl req -noout -in my.csr -pubkey | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | base64
☠ DANGER ☠
It is very easy to get HPKP wrong. And if you do it wrong, you have run a denial of service against your own site: every browser that noted the pins refuses to connect until max-age expires, and nothing you serve can undo that, because the browser never gets to read it.
Good practice:
• Pin at least the key of your current certificate plus the keys of a pending CSR and a backup CSR (keys you hold but that no certificate uses yet).
• If you don't pin CSRs, pin at least two certificates (one as backup) and don't forget to order and activate new certificates at least max-age before the pinned ones expire.
• NOTE: HPKP has the TOFU (trust on first use) problem: the pins are only learned from a response the browser already trusted, so the first visit is unprotected.
Good News
• There is also a Public-Key-Pins-Report-Only header with the same syntax as Public-Key-Pins; it only reports violations to report-uri and never blocks. Use it first to test your pin set.
HPKP and Security Standards
• OWASP ASVS v3.0 V10.10: Verify that TLS certificate public key pinning is implemented with production and backup public keys.
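As an added example (not part of the original slides), the pin computation from the openssl pipelines above done in Python, plus a builder and a checker for the Public-Key-Pins header that encode the production + backup rule of ASVS V10.10. The pin is base64 of SHA-256 over the DER SubjectPublicKeyInfo; with the standard library alone this reads a PEM public key (the output of `openssl rsa -pubout` or `openssl req -pubkey`) and does not extract the key from a certificate, so use openssl for that step. The two PEM blobs are constructed placeholders with the real PEM armor but no real key inside, and the pins derived from them are meaningless; `fake_spki_pem` exists only to build them.

```python
# Added example, not part of the original slides. It computes HPKP pins the
# way the openssl pipelines above do (base64 of SHA-256 over the DER
# SubjectPublicKeyInfo) and builds/checks the Public-Key-Pins header.
# Standard library only: it reads a PEM public key and does not dig the key
# out of a certificate. The two PEM blobs below are constructed placeholders
# with the real PEM armor but no real key inside; their pins are meaningless.
import base64
import hashlib
import re


def fake_spki_pem(label):
    """Placeholder PEM for the example (armor format as openssl writes it)."""
    b64 = base64.b64encode(label.encode("ascii")).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN PUBLIC KEY-----\n%s\n-----END PUBLIC KEY-----\n" % body


PRODUCTION_KEY_PEM = fake_spki_pem("constructed placeholder: production SubjectPublicKeyInfo")
BACKUP_KEY_PEM = fake_spki_pem("constructed placeholder: backup CSR SubjectPublicKeyInfo")


def pem_to_der(pem):
    """Strip the PEM armor lines and base64-decode the body to DER bytes."""
    body = re.sub(r"-----(BEGIN|END) [A-Z ]+-----", "", pem)
    return base64.b64decode("".join(body.split()))


def spki_pin(public_key_pem):
    """base64(SHA-256(DER SubjectPublicKeyInfo)): the value of pin-sha256."""
    digest = hashlib.sha256(pem_to_der(public_key_pem)).digest()
    return base64.b64encode(digest).decode("ascii")


def build_hpkp_header(pins, max_age, report_uri=None, include_subdomains=False, report_only=False):
    """Return (header_name, header_value).

    Refuses fewer than two distinct pins: RFC 7469 and ASVS V10.10 both
    require a backup pin, and a single pin locks your users out the moment
    the key has to be replaced.
    """
    if len(set(pins)) < 2:
        raise ValueError("HPKP needs a production pin and at least one backup pin")
    parts = ['pin-sha256="%s"' % p for p in pins]
    parts.append("max-age=%d" % max_age)
    if include_subdomains:
        parts.append("includeSubDomains")
    if report_uri:
        parts.append('report-uri="%s"' % report_uri)
    name = "Public-Key-Pins-Report-Only" if report_only else "Public-Key-Pins"
    return name, "; ".join(parts)


def check_hpkp_header(value, served_chain_pins):
    """Problems with a Public-Key-Pins value, given the pins of every key in
    the chain the server really serves (leaf, intermediates, root).

    RFC 7469 lets the browser note the pins only if at least one pin matches
    the served chain, and requires at least one pin that does NOT match (the
    backup); ASVS V10.10 asks for the same production + backup pair.
    """
    pins, max_age = [], None
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "pin-sha256":
            pins.append(val)
        elif name == "max-age":
            max_age = int(val) if val.isdigit() else None
    problems = []
    if max_age is None:
        problems.append("max-age missing or invalid")
    if len(set(pins)) < 2:
        problems.append("fewer than two distinct pins (ASVS V10.10: production + backup)")
    if not set(pins) & set(served_chain_pins):
        problems.append("no pin matches the served chain: browsers ignore the header")
    if not set(pins) - set(served_chain_pins):
        problems.append("no backup pin outside the served chain: key rollover would lock users out")
    return problems
```

Feed `check_hpkp_header` the pins of the chain you actually serve: a header whose every pin is in the chain (a common mistake is pinning the leaf and the intermediate and calling the intermediate the "backup") is flagged, and so is a header with no matching pin, which browsers silently ignore. Build the header with `report_only=True` first and watch the report-uri before switching to the enforcing header.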
How many sites use HPKP?
[Chart: share of the Alexa top 1 million sites with HPKP present vs. HPKP missing]
Source: https://scotthelme.co.uk/alexa-top-1-million-crawl-aug-2016/ (August 2016)
Browser support for HPKP
[Table: browser support for HPKP]
Source: http://caniuse.com/#feat=publickeypinning