1 / 27

Will New HTTP headers save us? John Wilander, OWASP/Omegapoint, IBWAS’10

Will New HTTP headers save us? John Wilander, OWASP/Omegapoint, IBWAS’10. John Wilander consultant at Omegapoint in Sweden Researcher in application security Co-leader OWASP Sweden Certified Java Programmer. HTTP Strict Transport Security (Paypal) X-Frame-Options (Microsoft)

ata
Download Presentation

Will New HTTP headers save us? John Wilander, OWASP/Omegapoint, IBWAS’10

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Will New HTTP headers save us?John Wilander, OWASP/Omegapoint, IBWAS’10

  2. John Wilanderconsultant at Omegapointin Sweden Researcher in application security Co-leader OWASP Sweden Certified Java Programmer

  3. HTTP Strict Transport Security (Paypal) • X-Frame-Options (Microsoft) • Content Security Policy (Mozilla) • Set-Cookie(new IETF draft) • X-Do-Not-Track(FTC initiative, Stanford proposal) OWASP

  4. HTTP Strict Transport Securityhttp://tools.ietf.org/html/draft-hodges-strict-transport-sec-02 OWASP

  5. Moxie’s SSL Strip Terminates SSL Changes https to http Normal https to the server Acts as client OWASP

  6. Moxie’s SSL Strip Secure cookie? Encoding, gzip? Cached content? Sessions? Strip the secure attribute off all cookies. Strip all encodings in the request. Strip all if-modified-since in the request. Redriect to same page, set-cookie expired OWASP

  7. Enforce SSL without warnings for X seconds and potentially do it for all my sub domains too

  8. Strict-Transport-Security: max-age=86400 Strict-Transport-Security: max-age=86400; includeSubdomains OWASP

  9. X-Frame-Optionshttp://blogs.msdn.com/b/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspxX-Frame-Optionshttp://blogs.msdn.com/b/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx OWASP

  10. No page is allowed to frame me or Only my domain is allowed to frame me

  11. X-Frame-Options: DENY X-Frame-Options: SAMEORIGIN OWASP

  12. Content Security Policyhttps://developer.mozilla.org/en/Introducing_Content_Security_Policy OWASP

  13. Only allow scripts from white listed domains and only allow scripts from files, i e no inline scripts

  14. 'self'same URL scheme and port number'none' no hosts match X-Content-Security-Policy: allow 'self' trustedscripts.foo.com Trust scripts from my URL+port and from trustedscripts.foo.com X-Content-Security-Policy: allow 'self'; img-src 'self' Trust scripts and images from my URL+port https://developer.mozilla.org/en/Security/CSP/CSP_policy_directives OWASP

  15. New Cookie RFC (draft)http://www.ietf.org/id/draft-ietf-httpstate-cookie-19.txt OWASP

  16. X-Do-Not-Track (idea)http://donottrack.us/ OWASP

  17. FTC Do not track Federal Trade Commission's idea is that users would be able to choose to have their browser tell any Website not to track them for advertising purposes, and that setting wouldn’t be wiped out if a user clears browser cookies Request header: X-Do-Not-Track OWASP

  18. Potential Bad Stuff OWASP

  19. Response Splitting <% response.sendRedirect("/by_lang.jsp?lang="+ request.getParameter("lang"));%> OWASP

  20. Response Splitting <% response.sendRedirect("/by_lang.jsp?lang="+ request.getParameter("lang"));%> OWASP

  21. HTTP/1.1 302 Moved TemporarilyDate: Wed, 24 Dec 2010 12:53:28 GMTLocation: http://10.1.1.1/by_lang.jsp?lang=EnglishSet-Cookie: JSESSIONID=1pMRZOiOQzZiE6Y6iivsREg82pq9Bo1ape7h4YoHZ62RXj Strict-Transport-Security: max-age=10000 X-Content-Security-Policy: allow ‘self’ X-Frame-Options: DENY <html> ... </html> OWASP

  22. HTTP/1.1 302 Moved TemporarilyDate: Wed, 24 Dec 2010 12:53:28 GMTLocation: http://10.1.1.1/by_lang.jsp?lang=English[CRLF]Content-Length=0[CRLF]HTTP/1.1 200 OK Set-Cookie: JSESSIONID=sessionFixation X-Content-Security-Policy: allow attacker.com Strict-Transport-Security: max-age=1 <html> ... </html> Set-Cookie: JSESSIONID=1pMRZOiOQzZiE6Y6iivsREg82pq9Bo1ape7h4YoHZ62RXj <html> ... </html> OWASP

  23. Meta Headers OWASP

  24. <META HTTP-EQUIV="X-Content-Security-Policy" CONTENT="allow attacker.com"> OWASP

  25. From the specs • For security reasons, you can't use the <meta> element to configure the X-Content-Security-Policy header. • The X-Frame-Options directive is ignored if specified in a META tag. • UAs MUST NOT heed http-equiv="Strict-Transport-Security" attribute settings on <meta> elements in received content. OWASP

  26. So, will new HTTP headers save us? OWASP

  27. john.wilander@owasp.orgTwitter: @johnwilander • Blog: appsandsecurity.blogspot.com OWASP

More Related