will new http headers save us john wilander owasp omegapoint ibwas 10
Download
Skip this Video
Download Presentation
Will New HTTP headers save us? John Wilander, OWASP/Omegapoint, IBWAS’10

Loading in 2 Seconds...

play fullscreen
1 / 27

Will New HTTP headers save us? John Wilander, OWASP/Omegapoint, IBWAS’10 - PowerPoint PPT Presentation


  • 159 Views
  • Uploaded on

Will New HTTP headers save us? John Wilander, OWASP/Omegapoint, IBWAS’10. John Wilander consultant at Omegapoint in Sweden Researcher in application security Co-leader OWASP Sweden Certified Java Programmer. HTTP Strict Transport Security (Paypal) X-Frame-Options (Microsoft)

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Will New HTTP headers save us? John Wilander, OWASP/Omegapoint, IBWAS’10' - ata


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
slide2
John Wilanderconsultant at Omegapointin Sweden

Researcher in application security

Co-leader OWASP Sweden

Certified Java Programmer

slide3
HTTP Strict Transport Security (Paypal)
  • X-Frame-Options (Microsoft)
  • Content Security Policy (Mozilla)
  • Set-Cookie(new IETF draft)
  • X-Do-Not-Track(FTC initiative, Stanford proposal)

OWASP

http strict transport security http tools ietf org html draft hodges strict transport sec 02
HTTP Strict Transport Securityhttp://tools.ietf.org/html/draft-hodges-strict-transport-sec-02

OWASP

moxie s ssl strip
Moxie’s SSL Strip

Terminates SSL

Changes https to http

Normal https to the server

Acts as client

OWASP

moxie s ssl strip6
Moxie’s SSL Strip

Secure cookie?

Encoding, gzip?

Cached content?

Sessions?

Strip the secure attribute off all cookies.

Strip all encodings in the request.

Strip all if-modified-since in the request.

Redriect to same page, set-cookie expired

OWASP

slide7
Enforce SSL without warnings for X seconds

and

potentially do it for all my sub domains too

slide8
Strict-Transport-Security: max-age=86400

Strict-Transport-Security: max-age=86400; includeSubdomains

OWASP

slide9
X-Frame-Optionshttp://blogs.msdn.com/b/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx

OWASP

slide10
No page is allowed to frame me

or

Only my domain is allowed to frame me

slide11
X-Frame-Options: DENY

X-Frame-Options: SAMEORIGIN

OWASP

content security policy https developer mozilla org en introducing content security policy
Content Security Policyhttps://developer.mozilla.org/en/Introducing_Content_Security_Policy

OWASP

slide13
Only allow scripts from white listed domains

and

only allow scripts from files, i e no inline scripts

slide14
'self'same URL scheme and port number'none' no hosts match

X-Content-Security-Policy: allow 'self' trustedscripts.foo.com

Trust scripts from my URL+port and from trustedscripts.foo.com

X-Content-Security-Policy: allow 'self'; img-src 'self'

Trust scripts and images from my URL+port

https://developer.mozilla.org/en/Security/CSP/CSP_policy_directives

OWASP

new cookie rfc draft http www ietf org id draft ietf httpstate cookie 19 txt
New Cookie RFC (draft)http://www.ietf.org/id/draft-ietf-httpstate-cookie-19.txt

OWASP

ftc do not track
FTC Do not track

Federal Trade Commission's idea is that users would be able to choose to have their browser tell any Website not to track them for advertising purposes, and that setting wouldn’t be wiped out if a user clears browser cookies

Request header: X-Do-Not-Track

OWASP

response splitting
Response Splitting

<% response.sendRedirect("/by_lang.jsp?lang="+ request.getParameter("lang"));%>

OWASP

response splitting20
Response Splitting

<% response.sendRedirect("/by_lang.jsp?lang="+ request.getParameter("lang"));%>

OWASP

slide21
HTTP/1.1 302 Moved TemporarilyDate: Wed, 24 Dec 2010 12:53:28 GMTLocation: http://10.1.1.1/by_lang.jsp?lang=EnglishSet-Cookie: JSESSIONID=1pMRZOiOQzZiE6Y6iivsREg82pq9Bo1ape7h4YoHZ62RXj

Strict-Transport-Security: max-age=10000

X-Content-Security-Policy: allow ‘self’

X-Frame-Options: DENY ...

OWASP

slide22
HTTP/1.1 302 Moved TemporarilyDate: Wed, 24 Dec 2010 12:53:28 GMTLocation: http://10.1.1.1/by_lang.jsp?lang=English[CRLF]Content-Length=0[CRLF]HTTP/1.1 200 OK

Set-Cookie: JSESSIONID=sessionFixation

X-Content-Security-Policy: allow attacker.com

Strict-Transport-Security: max-age=1

...

Set-Cookie: JSESSIONID=1pMRZOiOQzZiE6Y6iivsREg82pq9Bo1ape7h4YoHZ62RXj ...

OWASP

from the specs
From the specs
  • For security reasons, you can't use the element to configure the X-Content-Security-Policy header.
  • The X-Frame-Options directive is ignored if specified in a META tag.
  • UAs MUST NOT heed http-equiv="Strict-Transport-Security" attribute settings on elements in received content.

OWASP

slide27
[email protected]: @johnwilander
  • Blog: appsandsecurity.blogspot.com

OWASP

ad