AppSec USA 2014 Denver, Colorado Security Header Injection Module (SHIM)

Transcription

1 AppSec USA 2014 Denver, Colorado Security Header Injection Module (SHIM) Inspired By: The OWASP Secure Headers Project

2 Introduction Eric Johnson Cypress Data Defense Security Consultant SANS Ins6tute Instructor DEV544: Secure Coding in.net Author Applica6on Security Product Curriculum Manager 2

3 Introduction Aaron Cure Cypress Data Defense Senior Security Consultant Security Tools Development Secure Coding Instructor Crash Test Dummy 3

4 Agenda OWASP Secure Headers Project SHIM (Security Header Injec6on Module) 4

5 OWASP Secure Headers Project GOALS Raise awareness of client- side header protec6ons Easy to add and configure Scan and report on header usage Centralized documenta6on 5

6 Current Platforms Supported SourceClear HeadLines Java hvps://github.com/sourceclear/headlines TwiVer SecureHeaders Ruby hvps://github.com/twiver/secureheaders 6

7 Demo The Problem? 7

8 SHIM Overview HTTP Module ASP.NET 4.5 Web Forms MVC Web.config op6ons 8

9 Web.config Registration Configura6on Sec6on <configsections> <section name="shim" type="cypressdefense.security.shim.configuration.shimconfiguration, CypressDefense.Security.Shim" /> </configsections> Default Configura6on <shim enabled="true"></shim> Module Registra6on <modules> <add name="shimmodule" type="cypressdefense.security.shim.module, CypressDefense.Security.Shim" /> </modules> 9

10 HTTP Headers Supported Caching Strict- Transport- Security X- XSS- Protec6on X- Frame- Op6ons X- Content- Type- Op6ons Content- Security- Policy 10

11 Caching Headers Risks A6 Sensi6ve Data Exposure Response Headers Cache-Control: no-cache, no-store, must-revalidate Expires: -1 Pragma: no-cache Instructs browsers, proxies, and servers how to handle caching and expiring cached items Image: hvp:// Caching- in- ASP- NET 11

12 Cache-Control Options Supported by HTTP/1.1 Op6ons Supported No- cache Prevents using cached documents without revalida6on No- store Prevents caching a request or response Must- revalidate Requires re- valida6on of expira6on and max- age values before using a cached item hvp:// sec14.html#sec

13 Expires Options Op6ons Supported Value DateTime a request or response expires Invalid date format (e.g. - 1) means already expired Enabled Set to false disable the header hvp:// sec14.html#sec

14 Pragma Options Similar to cache- control, HTTP/1.0 backward compa6bility Op6ons Supported No- cache Prevents using cached documents without revalida6on Enabled Set to false disable the header hvp:// sec14.html#sec

15 Caching Configuration Default Configura6on <shim> <caching enabled="true"> <cachecontrol enabled="true"> <add value="nocache"></add> <add value="nostore"></add> <add value="mustrevalidate"></add> </cachecontrol> <expires enabled="true" value="- 1"></expires> <pragma enabled="true"> <add value="nocache"></add> </pragma> </caching> </shim> 15

16 X-FRAME-OPTIONS Header Risks Clickjacking / UI Redress AVack Response Header X-Frame-Options: DENY Instructs browser to deny avempts to frame the web site Image: hvp:// content/uploads/2013/02/expired.jpg 16

17 X-FRAME-OPTIONS Options Op6ons Supported DENY Page is not allowed to be framed SAMEORIGIN Page is allowed to be framed in the same origin (e.g. same host, port, and protocol) ALLOW- FROM URI Page is allowed from be framed by the specific URI Limited browser support hvps://developer.mozilla.org/en- US/docs/Web/HTTP/X- Frame- Op6ons 17

18 X-FRAME-OPTIONS Support Browser Support Header Firefox Chrome Safari Opera IE X- FRAME- OPTIONS ALLOW- FROM URI hvps:// 18

19 X-FRAME-OPTIONS Configuration Default Configura6on <shim> <xframeoptions enabled="true" value="deny" allowfromuri=""> </xframeoptions> </shim> 19

20 Strict-Transport-Security Header 20

21 Strict-Transport-Security Header Risks A6 Sensi6ve Data Exposure Man- in- the- middle Response Header Strict-Transport-Security: max-age= Instructs browser to communicate with the web site over HTTPS HTTP requests are automa6cally redirected to HTTPS Image: hvp://sslbuddy.com/images/lock1.png 21

22 Strict-Transport-Security Options Op6ons Supported max- age Number of seconds the domain is required to use SSL 3,1536,000 = 1 year includesubdomains Op6onal parameter that requires HSTS for all subdomains Be careful with this op6on if you have a subdomain for HTTP hvps:// 22

23 Strict-Transport-Security Support Browser Support Header Firefox Chrome Safari Opera IE Strict- Transport- Security v v Internet Explorer 12 expected to support HSTS hvp://caniuse.com/#feat=stricvransportsecurity 23

24 Strict-Transport-Security Configuration Default Configura6on <shim> <stricttransportsecurity enabled="true" maxage=" " includesubdomains="true"> </stricttransportsecurity> </shim> 24

25 X-Content-Type-Options Header Risks MIME- Type Handling Vulnerabili6es Response Header X-Content-Type-Options: nosniff Instructs the browser to listen to the Content- Type header hvps:// 25

26 X-Content-Type-Options Options Op6ons Supported nosniff Prevents sniffing the response content to determine the content- type IE9 Enhancement Blocks content- type & mime- type mismatches hvp://ie.microsok.com/testdrive/ieblog/2010/oct/26_mimehandlingchangesininternetexplorer_1.png 26

27 X-Content-Type-Options Support Browser Support Header Firefox Chrome Safari Opera IE X- Content- Type- Op6ons - v v Chrome added support for this header, but it is unclear what version. hvp://blogs.msdn.com/b/ie/archive/2008/09/02/ie8- security- part- vi- beta- 2- update.aspx hvps://developer.chrome.com/extensions/hos6ng 27

28 X-Content-Type-Options Configuration Default Configura6on <shim> <xcontenttypeoptions enabled="true" value="nosniff"> </xcontenttypeoptions> </shim> 28

29 X-XSS-Protection Header 29

30 X-XSS-Protection Header Risks A3 Cross- Site Scrip6ng Response Header X-XSS-Protection: 1; mode=block Instructs the browser to filter avack or prevent page from rendering Image: hvp://blogs.msdn.com/cfs- filesystemfile.ashx/ key/communityserver- blogs- components- weblogfiles/ metablogapi/1346.image_5f00_0ed4aa71.png 30

31 X-XSS-Protection Options Op6ons Supported 0 1 Disable the XSS filter Filter XSS payload from the response mode=block Prevent page from rendering hvp://blogs.msdn.com/b/ie/archive/2008/07/02/ie8- security- part- iv- the- xss- filter.aspx 31

32 X-XSS-Protection Support Browser Support Header Firefox Chrome Safari Opera IE X- XSS- Protec6on - v v Chrome added an an6- XSS filter in v4, but it is unclear when the header support was added. hvps:// 32

33 X-XSS-Protection Configuration Default Configura6on <shim> <xxssprotection enabled="true" value="1" block="true"> </xxssprotection> </shim> 33

34 Content-Security-Policy 34

35 Content-Security-Policy Header Risks A3 Cross- Site Scrip6ng Dynamic code execu6on Loading untrusted resources Response Header Content-Security-Policy: default-src 'self'; Whitelist of external resources permived to be used by the web page 35

36 Content-Security-Policy Keywords Keywords Supported self Allow resources from the same origin none Deny all resources unsafe- inline Allow inline resources unsafe- eval Allow dynamic code execu6on data: Allows data URIs hvp:// 36

37 Content-Security-Policy Directives default- src script- src object- src style- src img- src media- src frame- src font- src connect- src report- uri 37

38 Content-Security-Policy Example Example from hvps://mobile.twiver.com Content-Security-Policy-Report-Only: default-src 'self ; font-src 'self'; frame-src img-src data:; script-src 'unsafe-inline' 'unsafe-eval'; style-src report-uri 'unsafe-inline'; 38

39 Content-Security-Policy Support Browser Support Header Firefox Chrome Safari Opera IE Content- Security- Policy v v Internet Explorer support for CSP is under development. hvp://caniuse.com/#feat=contentsecuritypolicy 39

40 Content-Security-Policy Configuration Example ASP.NET Web Forms Configura6on <shim> <contentsecuritypolicy enabled="true" reportonly="false"> <defaultsource enabled="true"> <add value="self"></add> </defaultsource> <scriptsource enabled="true" unsafeinline= true" unsafeeval="false"> <add value="self"></add> </scriptsource> <stylesource unsafeinline="true"> <add value="self"/> </stylesource> </contentsecuritypolicy> </shim> 40

41 Exclusion Lists Prevent a header from being emived on any directory or web page Supported by Caching Content- Security- Policy X- Content- Type- Op6ons X- Frame- Op6ons X- XSS- Protec6on 41

42 Exclude Lists Configuration Configura6on <shim> <caching enabled="true"> <cachecontrol enabled="true" /> <exclude> <location path="page.aspx"></location> <location path="path/page.aspx"></location> <location path="path"></location> </exclude> </caching> </shim> 42

43 Demo The SoluZon! 43

44 Future Enhancements Test/support for.net 3.5, 4.0 Support for addi6onal headers Access- Control- Allow- Origin Origin Headers Implement CSP 2.0 improvements 44

45 Project Location Source Code: h\ps://shim.codeplex.com PresentaZon & CSP Webcast h\p:// 45

46 QuesZons? 46