Upload
philippe-de-ryck
View
41
Download
3
Embed Size (px)
Citation preview
Why Traditional Web Security Technologies no Longer Suffice to Keep You SafePhilippe De Ryck
@PhilippeDeRyck https://www.websec.be
Which Scenario Would You Trust?
(a)Visit website, browse public pages
Login with username and password
Consult private information
Visit website, browse public pages
Login with username and password
Consult private information
Visit website, browse public pages
Login with username and password
Consult private information
(b)
(c)
About Me – Philippe De Ryck
3
§ Postdoctoral Researcher @ DistriNet (KU Leuven)§ PhD on client-side Web security§ Expert in the broad field of Web security§ Main author of the Primer on Client-Side Web Security
§ Running the Web Security training program§ Dissemination of knowledge and research results§ Public training courses and targeted in-house training§ Target audiences include industry and researchers
§ Part of the organizing committee of SecAppDev.org§ Week-long course focused on practical security
https://www.websec.be@PhilippeDeRyck
The Web Used to Be Server-Centric
5
With a lot of Server-Side Problems
6http://arstechnica.com/security/2015/12/hackers-actively-exploit-critical-vulnerability-in-sites-running-joomla/
With a lot of Server-Side Problems
7http://motherboard.vice.com/read/one-of-the-largest-hacks-yet-exposes-data-on-hundreds-of-thousands-of-kids
8
9
10
The Web has Become Client-Centric
11
The Network Can no Longer Be Trusted
12
Networks Are Everywhere
13
§ We happily connect to any wifi network we can find§ Without knowing who has control over the network
§ Upstream networks are easily intercepted nowadays§ Intercepting proxies at the network perimeter§ ISPs inspecting and manipulating traffic§ State agencies tapping the backbone
The Communication Channel Is Insecure
14
§ People are mainly concerned about eavesdropping attacks§ Sniffing usernames, passwords, session identifiers, …§ Demonstrated in 2010 by the Firesheep add-on
http://codebutler.com/firesheep/
The Communication Channel Is Insecure
15
§ People are mainly concerned about eavesdropping attacks§ Sniffing usernames, passwords, session identifiers, …§ Demonstrated in 2010 by the Firesheep add-on§ Generally prevented by using HTTPS for sensitive data
§ But today, active network attacks are just as easy to execute§ Man on the side attacks inject traffic into the network§ Man in the middle attacks intercept and manipulate traffic
§ Simply using HTTPS for sensitive data no longer suffices
Care to Reconsider your Previous Answer?
(a)Visit website, browse public pages
Login with username and password
Consult private information
Visit website, browse public pages
Login with username and password
Consult private information
Visit website, browse public pages
Login with username and password
Consult private information
(b)
(c)
Averting the Use of HTTPS
17
Stripping HTTPS from Login Forms
18
some-shop.com
Visit http://some-shop.com
Welcome, please log in
Login as Philippe
Welcome Philippe
Visit http://some-shop.com
Welcome, please log in
Login as Philippe
Welcome Philippe
Rewrite HTTPS
to HTTP
HTTPS Prevents Man in the Middle Attacks
19
some-shop.com
Visit https://some-shop.com
Welcome, please log in
Login as Philippe
Welcome Philippe
Visit https://some-shop.com
Welcome, please log in
Login as Philippe
Welcome Philippe
HTTPS Prevents Man in the Middle Attacks?
20http://news.netcraft.com/archives/2016/03/17/95-of-https-servers-vulnerable-to-trivial-mitm-attacks.html
Bootstrapping the HTTPS Site
21
GET http://some-shop.com
200 OK
Response page
POST http://some-shop.com
GET http://…
301 Moved
GET https://…
200 OK
Rewrite HTTPS URLs
User: philippe & pass: pazzw0rdPOST https://…
some-shop.com
SSL Stripping Is a Sneaky Attack
22
HTTP Strict Transport Security (HSTS)
23
§ Instruct the browser to only visit a site over HTTPS§ Once-enabled no HTTP requests will be sent anymore§ Prevents SSL stripping attacks§ Prevents cookie stealing over HTTP
GET https://websec.be
websec.be
200 OK
Response page
HTTP Strict Transport Security (HSTS)
24
§ HSTS is a server-driven browser-enforced security policy§ Server sends the Strict-Transport-Security response header
§ The protection is only applied for the duration of max-age§ Make sure this value covers non-frequent visitors§ The value 0 disables the HSTS policy for this particular host
• Only if received over an error-free channel
Strict-Transport-Security: max-age=31536000; includeSubdomains
4 4 7 11From version … 4.4.4 7.1
HSTS in Action
25
GET https://websec.be
websec.be
200 OK
Response pageStrict-Transport-Security: max-age=31536000;
includeSubdomains
GET https://websec.be
200 OK
Response pageStrict-Transport-Security: max-age=31536000;
includeSubdomains
www.websec.beGET https://www.websec.be
200 OK
Response pageStrict-Transport-Security: max-age=31536000;
includeSubdomains
The Bootstrapping Problem … Again
26
GET https://websec.be
websec.be
200 OK
Response pageStrict-Transport-Security: max-age=31536000;
includeSubdomains
GET https://websec.be
200 OK
Response pageStrict-Transport-Security: max-age=31536000;
includeSubdomains
www.websec.beGET https://www.websec.be
200 OK
Response pageStrict-Transport-Security: max-age=31536000;
includeSubdomains
Preloading HSTS
27
§ The bootstrapping problem is solved by a preloaded list§ Contains all sites that have explicitly subscribed to HSTS§ Distributed along with the browsers§ Available on https://hstspreload.appspot.com/
HTTPS Should Be Enabled by Default
28
§ Browser vendors are strongly pushing towards HTTPS§ Firefox marks HTTP pages with password fields as insecure§ Google uses HTTPS as a ranking signal in its search engine§ Active mixed content is blocked in modern browsers
§ Chrome and Firefox will support Secure Contexts§ A Secure Context is delivered over HTTPS, including its parents§ Powerful features will only be exposed to a Secure Context
• E.g. Geolocation, microphone and camera access, …
Hardening your HTTPS Deployment
29
§ Finetune the supported protocols and ciphers§ Disable the old and obsolete SSLv2 and SSLv3§ Avoid the use of old and weak ciphers
§ Move all your traffic to HTTPS§ Immediately redirect all HTTP traffic to HTTPS§ Prevent SSL Stripping by enabling Strict Transport Security (HSTS)
§ If you want to go all out, enable Public Key Pinning (HPKP)§ Prevents impersonation attacks with rogue but valid certificates
https://www.ssllabs.com/ssltest/
Insecure Third-Party Content Can Be Disastrous
30
Browsers Do More than Rendering HTML
31
§ Modern browsers are full-fledged application platforms§ Plenty of system features are exposed to Web applications
• Battery status, Vibration, Geolocation, Microphone & Camera, …§ ChromeOS and FirefoxOS run all applications inside a browser
§ The key enabler for all of this functionality is JavaScript§ Since its introduction in 1995, JS has finally taken over the Web§ Plugins like Flash and Silverlight are slowly fading away
§ So, how about security?§ We have the same-origin policy, but it’s 20 years old …
The Same-Origin Policy
32
http://example.com
http://example.comhttp://example.com
http://private.example.com
http://forum.example.com
http://private.example.com
SAME-ORIGIN POLICYContent retrieved from one origin can freely interact with other content from that origin, but interactions with content from other origins are restricted
ORIGINThe triple <scheme, host, port> derived from the document’s URL. For http://example.org/forum/, the origin is <http, example.org, 80>
Origins, Frames and Scripts
33
§ The browser enforces origin-based separation§ Frames have a context, a document URL and an associated context§ Scripts are loaded into the context of the including page
§ Classical trade-off between isolation and flexibility
http://example.com
http://malvertisements.com
http://example.com
Script code from http://malvertisements.com
<iframe src=“http://malvertisements.com/pwnme.html” >
<script src=“http://malvertisements.com/pwnme.js” >
The Same-Origin Policy in Practice
34
§ Most content integration is script-based§ Included directly into the application’s context§ Which makes sense for libraries, such as JQuery§ But not for standalone third-party components
§ Every included script is a security risk§ Because it has full access to your context§ So you have to trust the supplier§ And the security of their systems
https://medium.com/@FredericJacobs/the-reuters-compromise-by-the-syrian-electronic-army-6bf570e1a85b
Responsibly Including Third-Party Content
36
§ Isolate the content in a context with a different origin§ Let the Same-Origin Policy protect you§ Enable interaction by exchanging messages between contexts
§ Further restrict isolated context using the HTML5 Sandbox§ Allows you to disable certain features in a framed context§ Allows you to place your own content in a unique origin
§ Verify the integrity of content loaded from a CDN§ Enabled by the brand new Subresource Integrity specification§ Prevents malware distribution by compromising a CDN
https://blogs.dropbox.com/tech/2015/09/csp-third-party-integrations-and-privilege-separation/
With XSS, the Attacker Includes the Code for You
37
Add review
Thanks for the review!
reviews
I can really recommend product X. It is awesome!<script>alert(‘Never gonna let you down!’)</script>
Show Reviews
Reviews page
<html><body>… …</body></html>
38http://blog.detectify.com/post/39209711597/how-i-got-a-3500-usd-facebook-bug-bounty
39http://www.zdnet.com/article/ubuntu-forums-hacked-1-82m-logins-email-addresses-stolen/
Traditional XSS Defenses
40
§ The server compiles data and code into a single HTML page§ XSS causes the browser to mistake data for code§ The proper defense is context-sensitive output encoding
§ Encode for the context where the data will be used§ HTML body <h1>DATA</h1>§ HTML attributes <div id=‘DATA’>§ Stylesheet context body { background-color: DATA;}§ Script context alert(“DATA”);§ URL context <a href=“http://…?arg=DATA”>
Content Security Policy against XSS
41
<h1>You searched for<script>alert(‘XSS’);</script></h1>
XSS WITH INLINE SCRIPTS
<h1>You searched for<script src=“https://evil.com/hackme.js”></script></h1>
XSS WITH REMOTE SCRIPTS
eval('alert("Your query string was ' + unescape(document.location.search) //hello%22);alert(1+%22 + '");');
XSS WITH EVAL
The Essence of CSP
42
§ CSP reduces the harm of content injection vulnerabilities§ By telling the client where resources should be loaded from§ By disabling “dangerous features” by default§ CSP is intended as a second line of defense
§ CSP will become more important in the future§ Supporting CSP in your application may be non-trivial§ Use of inline script blocks is disallowed§ Use of eval is disallowed
Introducing CSP by Example
43
Content-Security-Policy:default-src 'self';script-src ‘self’
https://cdnjs.cloudflare.com;style-src ‘self’
https://cdnjs.cloudflare.com/…/bootstrap.min.css;
EXAMPLE POLICY
§ A policy consists of a set of directives§ Each directive controls a different kind of resource§ Policy is delivered as an HTTP header by the server
• Alternatively, the meta tag can also be used§ Compatible browsers will enforce the policy on the response
CSP is the Security Policy of the Future
44
§ CSP has been well received, and evolved quickly§ Addition of plugin types, sandbox, child contexts, form destinations§ Re-enabling inline script with support for nonces and hashes§ Deprecates X-FRAME-OPTIONS header§ Supports blocking of mixed content / upgrading insecure requests
§ CSP level 1 is widely supported by browsers§ Support for level 2 is less widespread, but improving rapidly
§ Chrome makes CSP mandatory for its components§ Browser extensions and packaged apps
CSP Violation Reports
45
§ CSP can report violations back to the resource server§ Allows for fine-tuning of the CSP policy§ Gives insights in actual attacks
§ Enabled by using the report-uri directive§ Points to a handler on the server that can process reports
Content-Security-Policy:default-src 'self'; report-uri http://some-shop.com/csp-report.cgi
EXAMPLE POLICY
The Web has Become Client-Centric
46
Progressive Web Security
47
§ Take a progressive stance towards Web security§ The Web has become client-centric, and so has Web security§ Fully protecting your applications requires the latest technologies
§ All of these security technologies require explicit action§ Training is essential to keep up to date with the latest technologies
§ Share your experiences, help others advance as well§ Set an example on how to do it right
48
I hope you learned something tonight …Now it’s up to you
Grab a copy of the slides and share with anyone you can find
Read my blog or follow me on Twitter to stay informed about web security
Level up with Web security training!
All information on https://www.websec.be
Why Traditional Web Security Technologies no Longer Suffice to Keep You SafeAcknowledgements
Icons by Visual Pharm (https://icons8.com)
Images by Unsplash (https://unsplash.com/)
Why Traditional Web Security Technologies no Longer Suffice to Keep You SafePhilippe De Ryck
/in/philippederyck
https://www.websec.be
@PhilippeDeRyck