AppSec USA 2014 Denver, Colorado Security Header Injection Module (SHIM)




Inspired by: The OWASP Secure Headers Project

Introduction: Eric Johnson (@emjohn20)
Cypress Data Defense: Security Consultant
SANS Institute: Instructor; DEV544: Secure Coding in .NET author; Application Security Product Curriculum Manager

Introduction: Aaron Cure (@curea)
Cypress Data Defense: Senior Security Consultant; Security Tools Development; Secure Coding Instructor; Crash Test Dummy

Agenda
- OWASP Secure Headers Project
- SHIM (Security Header Injection Module)

OWASP Secure Headers Project
Goals:
- Raise awareness of client-side header protections
- Easy to add and configure
- Scan and report on header usage
- Centralized documentation
www.owasp.org/index.php/owasp_secure_headers_project

Current Platforms Supported
- SourceClear HeadLines (Java): https://github.com/sourceclear/headlines
- Twitter SecureHeaders (Ruby): https://github.com/twitter/secureheaders

Demo: The Problem?

SHIM Overview
- HTTP Module
- ASP.NET 4.5
- Web Forms
- MVC
- Web.config options

Web.config Registration

Configuration Section:
  <configSections>
    <section name="shim" type="CypressDefense.Security.Shim.Configuration.ShimConfiguration, CypressDefense.Security.Shim" />
  </configSections>

Default Configuration:
  <shim enabled="true"></shim>

Module Registration:
  <modules>
    <add name="shimmodule" type="CypressDefense.Security.Shim.Module, CypressDefense.Security.Shim" />
  </modules>

HTTP Headers Supported
- Caching
- Strict-Transport-Security
- X-XSS-Protection
- X-Frame-Options
- X-Content-Type-Options
- Content-Security-Policy

Caching Headers
Risks: A6 Sensitive Data Exposure
Response Headers:
  Cache-Control: no-cache, no-store, must-revalidate
  Expires: -1
  Pragma: no-cache
Instructs browsers, proxies, and servers how to handle caching and expiring cached items.
Image: http://www.codeproject.com/articles/29899/exploring-Caching-in-ASP-NET

Cache-Control Options
Supported by HTTP/1.1
Options supported:
- no-cache: Prevents using cached documents without revalidation
- no-store: Prevents caching a request or response
- must-revalidate: Requires re-validation of expiration and max-age values before using a cached item
http://www.w3.org/protocols/rfc2616/rfc2616-sec14.html#sec14.9

Expires Options
Options supported:
- value: DateTime at which a request or response expires; an invalid date format (e.g. -1) means already expired
- enabled: Set to false to disable the header
http://www.w3.org/protocols/rfc2616/rfc2616-sec14.html#sec14.21

Pragma Options
Similar to Cache-Control; kept for HTTP/1.0 backward compatibility
Options supported:
- no-cache: Prevents using cached documents without revalidation
- enabled: Set to false to disable the header
http://www.w3.org/protocols/rfc2616/rfc2616-sec14.html#sec14.32

Caching Configuration
Default Configuration:
  <shim>
    <caching enabled="true">
      <cachecontrol enabled="true">
        <add value="nocache"></add>
        <add value="nostore"></add>
        <add value="mustrevalidate"></add>
      </cachecontrol>
      <expires enabled="true" value="-1"></expires>
      <pragma enabled="true">
        <add value="nocache"></add>
      </pragma>
    </caching>
  </shim>
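The following is an added example, not SHIM's own code (SHIM is an ASP.NET HttpModule written in C#; Python is used here so the logic runs stand-alone). It renders the three anti-caching headers from a dict shaped like the default caching block above, and audits a response's headers the way the project's "scan and report" goal implies, treating an unparseable Expires value such as -1 as already expired. The dict keys mirror the configuration element names; the sample "cacheable" response in the main block is constructed.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Config token (as written in <add value="..."/>) -> Cache-Control directive.
CACHE_CONTROL_TOKENS = {
    "nocache": "no-cache",
    "nostore": "no-store",
    "mustrevalidate": "must-revalidate",
}

# Constructed dict mirror of the default <caching> block on the slide.
DEFAULT_CACHING_CONFIG = {
    "enabled": True,
    "cachecontrol": {"enabled": True, "values": ["nocache", "nostore", "mustrevalidate"]},
    "expires": {"enabled": True, "value": "-1"},
    "pragma": {"enabled": True, "values": ["nocache"]},
}


def build_caching_headers(config):
    """Return {header-name: value} for every enabled caching header."""
    headers = {}
    if not config.get("enabled"):
        return headers
    cache_control = config.get("cachecontrol", {})
    if cache_control.get("enabled"):
        directives = []
        for token in cache_control.get("values", []):
            if token not in CACHE_CONTROL_TOKENS:
                raise ValueError("unknown cache-control token: %r" % token)
            directives.append(CACHE_CONTROL_TOKENS[token])
        if directives:
            headers["Cache-Control"] = ", ".join(directives)
    expires = config.get("expires", {})
    if expires.get("enabled"):
        # Anything that is not a valid HTTP date (the slide uses -1) is
        # treated by clients as "already expired".
        headers["Expires"] = str(expires.get("value", "-1"))
    pragma = config.get("pragma", {})
    if pragma.get("enabled") and "nocache" in pragma.get("values", []):
        headers["Pragma"] = "no-cache"
    return headers


def audit_caching_headers(response_headers, now=None):
    """Return findings for a response that must never be cached.

    Header-name lookup is case-insensitive, as HTTP requires."""
    now = now or datetime.now(timezone.utc)
    lower = {name.lower(): value for name, value in response_headers.items()}
    findings = []

    directives = {d.strip().lower() for d in lower.get("cache-control", "").split(",") if d.strip()}
    for required in ("no-cache", "no-store", "must-revalidate"):
        if required not in directives:
            findings.append("Cache-Control lacks %s" % required)

    expires = lower.get("expires")
    if expires is None:
        findings.append("Expires header absent")
    else:
        try:
            when = parsedate_to_datetime(expires)
            if when.tzinfo is None:
                when = when.replace(tzinfo=timezone.utc)
            if when > now:
                findings.append("Expires lies in the future: %s" % expires)
        except (TypeError, ValueError):
            pass  # unparseable date (e.g. -1) already means expired

    if "no-cache" not in lower.get("pragma", "").lower():
        findings.append("Pragma: no-cache absent (HTTP/1.0 caches)")
    return findings


if __name__ == "__main__":
    print(build_caching_headers(DEFAULT_CACHING_CONFIG))
    # Constructed sample of a response that a shared proxy would cache.
    print(audit_caching_headers({"Cache-Control": "public, max-age=3600",
                                 "Expires": "Thu, 01 Jan 2099 00:00:00 GMT"}))
```

The audit deliberately checks all three Cache-Control directives plus Pragma: no-store is what stops the copy being written at all, while no-cache and must-revalidate only govern reuse, and Pragma is the only signal an HTTP/1.0 intermediary understands.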

X-Frame-Options Header
Risks: Clickjacking / UI Redress Attack
Response Header: X-Frame-Options: DENY
Instructs the browser to deny attempts to frame the web site.
Image: http://www.macpas.com/wp-content/uploads/2013/02/expired.jpg

X-Frame-Options Options
Options supported:
- DENY: Page is not allowed to be framed
- SAMEORIGIN: Page is allowed to be framed only from the same origin (e.g. same host, port, and protocol)
- ALLOW-FROM URI: Page is allowed to be framed by the specific URI (limited browser support)
https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options

X-Frame-Options Support
Browser support:
  Header           Firefox  Chrome  Safari  Opera  IE
  X-Frame-Options  3.6.9    4.1     4.0     10.50  8.0
  ALLOW-FROM URI   18.0     -       -       -      9.0
https://www.owasp.org/index.php/clickjacking_defense_cheat_sheet

X-Frame-Options Configuration
Default Configuration:
  <shim>
    <xframeoptions enabled="true" value="deny" allowfromuri="">
    </xframeoptions>
  </shim>

Strict-Transport-Security Header

Strict-Transport-Security Header
Risks: A6 Sensitive Data Exposure; Man-in-the-middle
Response Header: Strict-Transport-Security: max-age=31536000
Instructs the browser to communicate with the web site over HTTPS; HTTP requests are automatically redirected to HTTPS.
Image: http://sslbuddy.com/images/lock1.png

Strict-Transport-Security Options
Options supported:
- max-age: Number of seconds the domain is required to use SSL (31,536,000 = 1 year)
- includeSubDomains: Optional parameter that requires HSTS for all subdomains; be careful with this option if you have a subdomain served over plain HTTP
https://www.owasp.org/index.php/http_strict_transport_security

Strict-Transport-Security Support
Browser support:
  Header                     Firefox  Chrome  Safari  Opera  IE
  Strict-Transport-Security  31       36      7       23     -
Internet Explorer 12 is expected to support HSTS.
http://caniuse.com/#feat=stricttransportsecurity

Strict-Transport-Security Configuration
Default Configuration:
  <shim>
    <stricttransportsecurity enabled="true" maxage="31536000" includesubdomains="true">
    </stricttransportsecurity>
  </shim>

X-Content-Type-Options Header
Risks: MIME-type handling vulnerabilities
Response Header: X-Content-Type-Options: nosniff
Instructs the browser to respect the Content-Type header rather than guessing the type from the content.
https://www.owasp.org/index.php/list_of_useful_http_headers

X-Content-Type-Options Options
Options supported:
- nosniff: Prevents sniffing the response content to determine the content-type
IE9 enhancement: blocks content-type and MIME-type mismatches
http://ie.microsoft.com/testdrive/ieblog/2010/oct/26_mimehandlingchangesininternetexplorer_1.png

X-Content-Type-Options Support
Browser support:
  Header                  Firefox  Chrome  Safari  Opera  IE
  X-Content-Type-Options  -        yes     -       -      8
Chrome added support for this header, but it is unclear in which version.
http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
https://developer.chrome.com/extensions/hosting

X-Content-Type-Options Configuration
Default Configuration:
  <shim>
    <xcontenttypeoptions enabled="true" value="nosniff">
    </xcontenttypeoptions>
  </shim>

X-XSS-Protection Header

X-XSS-Protection Header
Risks: A3 Cross-Site Scripting
Response Header: X-XSS-Protection: 1; mode=block
Instructs the browser to filter the attack or prevent the page from rendering.
Image: http://blogs.msdn.com/cfs-filesystemfile.ashx/ key/communityserver-blogs-components-weblogfiles/00-00-00-47-13-metablogapi/1346.image_5f00_0ed4aa71.png

X-XSS-Protection Options
Options supported:
- 0: Disable the XSS filter
- 1: Filter the XSS payload from the response
- mode=block: Prevent the page from rendering
http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx

X-XSS-Protection Support
Browser support:
  Header            Firefox  Chrome  Safari  Opera  IE
  X-XSS-Protection  -        yes     -       -      8
Chrome added an anti-XSS filter in v4, but it is unclear when the header support was added.
https://www.owasp.org/index.php/list_of_useful_http_headers

X-XSS-Protection Configuration
Default Configuration:
  <shim>
    <xxssprotection enabled="true" value="1" block="true">
    </xxssprotection>
  </shim>
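One added example (not SHIM's own code) covering the four single-value headers configured above: X-Frame-Options, Strict-Transport-Security, X-Content-Type-Options and X-XSS-Protection. It renders each header from a dict whose keys mirror the configuration elements and attributes on the slides, and audits a received header set for the weaknesses the slides call out (ALLOW-FROM's limited support, a short HSTS max-age, includeSubDomains with an HTTP-only subdomain, missing nosniff, a disabled XSS filter). The dict layout and the one-year threshold are assumptions taken from the slide defaults; all sample header sets are constructed.

```python
import re

ONE_YEAR = 31536000  # seconds; the max-age the slides use for HSTS

# Constructed dict mirror of the four default configuration elements.
DEFAULT_HEADER_CONFIG = {
    "xframeoptions": {"enabled": True, "value": "deny", "allowfromuri": ""},
    "stricttransportsecurity": {"enabled": True, "maxage": ONE_YEAR, "includesubdomains": True},
    "xcontenttypeoptions": {"enabled": True, "value": "nosniff"},
    "xxssprotection": {"enabled": True, "value": "1", "block": True},
}


def build_security_headers(config):
    """Render the enabled headers as {header-name: value}."""
    headers = {}

    xfo = config.get("xframeoptions", {})
    if xfo.get("enabled"):
        value = xfo.get("value", "deny").upper()
        if value == "ALLOW-FROM":
            uri = xfo.get("allowfromuri", "")
            if not uri:
                raise ValueError("ALLOW-FROM needs allowfromuri")
            value = "ALLOW-FROM " + uri
        elif value not in ("DENY", "SAMEORIGIN"):
            raise ValueError("unsupported X-Frame-Options value: %r" % value)
        headers["X-Frame-Options"] = value

    hsts = config.get("stricttransportsecurity", {})
    if hsts.get("enabled"):
        parts = ["max-age=%d" % int(hsts.get("maxage", ONE_YEAR))]
        if hsts.get("includesubdomains"):
            parts.append("includeSubDomains")
        headers["Strict-Transport-Security"] = "; ".join(parts)

    xcto = config.get("xcontenttypeoptions", {})
    if xcto.get("enabled"):
        headers["X-Content-Type-Options"] = xcto.get("value", "nosniff")

    xss = config.get("xxssprotection", {})
    if xss.get("enabled"):
        value = str(xss.get("value", "1"))
        if value == "1" and xss.get("block"):
            value = "1; mode=block"
        headers["X-XSS-Protection"] = value

    return headers


def audit_security_headers(response_headers, has_http_subdomain=False):
    """Return findings for a response, based on the weaknesses the slides name."""
    lower = {name.lower(): value.strip() for name, value in response_headers.items()}
    findings = []

    xfo = lower.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options absent: page can be framed (clickjacking)")
    elif xfo.upper().startswith("ALLOW-FROM"):
        findings.append("X-Frame-Options ALLOW-FROM has limited browser support")
    elif xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options value not recognised: %r" % xfo)

    hsts = lower.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security absent: HTTP downgrade possible")
    else:
        match = re.search(r"max-age\s*=\s*(\d+)", hsts, re.IGNORECASE)
        if not match:
            findings.append("Strict-Transport-Security without max-age is ignored")
        elif int(match.group(1)) < ONE_YEAR:
            findings.append("Strict-Transport-Security max-age shorter than one year")
        if "includesubdomains" in hsts.lower() and has_http_subdomain:
            findings.append("includeSubDomains set although a subdomain is served over plain HTTP")

    if lower.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff absent: MIME sniffing allowed")

    xss = lower.get("x-xss-protection")
    if xss is None or xss.startswith("0"):
        findings.append("X-XSS-Protection absent or disabled")
    elif "mode=block" not in xss.replace(" ", "").lower():
        findings.append("X-XSS-Protection lacks mode=block")

    return findings


if __name__ == "__main__":
    print(build_security_headers(DEFAULT_HEADER_CONFIG))
    # Constructed weak header set: framing allowed from one URI, HSTS for five
    # minutes, no nosniff, XSS filter switched off.
    print(audit_security_headers({"X-Frame-Options": "ALLOW-FROM https://example.test",
                                  "Strict-Transport-Security": "max-age=300",
                                  "X-XSS-Protection": "0"}))
```

The builder refuses an ALLOW-FROM without a URI and any X-Frame-Options token it does not know, because an unrecognised value is silently ignored by browsers and the page ends up frameable; failing at startup is cheaper than discovering that in an assessment report.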

Content-Security-Policy

Content-Security-Policy Header
Risks: A3 Cross-Site Scripting; Dynamic code execution; Loading untrusted resources
Response Header: Content-Security-Policy: default-src 'self';
Whitelist of external resources permitted to be used by the web page.

Content-Security-Policy Keywords
Keywords supported:
- 'self': Allow resources from the same origin
- 'none': Deny all resources
- 'unsafe-inline': Allow inline resources
- 'unsafe-eval': Allow dynamic code execution
- data: scheme: Allows data URIs
http://www.w3.org/tr/csp/

Content-Security-Policy Directives
default-src, script-src, object-src, style-src, img-src, media-src, frame-src, font-src, connect-src, report-uri

Content-Security-Policy Example
Example from https://mobile.twitter.com:
  Content-Security-Policy-Report-Only: default-src 'self'; font-src 'self'; frame-src https://*.twitter.com; img-src https://*.twitter.com https://*.twimg.com https://maps.google.com data:; script-src https://*.twitter.com https://*.twimg.com https://api-secure.recaptcha.net 'unsafe-inline' 'unsafe-eval'; style-src https://*.twitter.com https://*.twimg.com https://api-secure.recaptcha.net 'unsafe-inline'; report-uri https://twitter.com/scribes/csp_report;

Content-Security-Policy Support
Browser support:
  Header                   Firefox  Chrome  Safari  Opera  IE
  Content-Security-Policy  23.0+    25+     7.0+    18.0+  -
Internet Explorer support for CSP is under development.
http://caniuse.com/#feat=contentsecuritypolicy

Content-Security-Policy Configuration
Example ASP.NET Web Forms Configuration:
  <shim>
    <contentsecuritypolicy enabled="true" reportonly="false">
      <defaultsource enabled="true">
        <add value="self"></add>
      </defaultsource>
      <scriptsource enabled="true" unsafeinline="true" unsafeeval="false">
        <add value="self"></add>
      </scriptsource>
      <stylesource unsafeinline="true">
        <add value="self"></add>
      </stylesource>
    </contentsecuritypolicy>
  </shim>
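An added example (not SHIM's or Twitter's code) that serves the keyword, directive, Twitter example and configuration slides above: it renders a Content-Security-Policy (or the Report-Only variant) from a dict shaped like the Web Forms configuration, quoting the keywords the way the header requires, and parses a received policy back into directives so that 'unsafe-inline' and 'unsafe-eval' in script-src, as in the mobile.twitter.com report-only policy, can be flagged. Only defaultsource, scriptsource and stylesource appear on the slide; the other element names in the mapping and the "reporturi" attribute are assumptions.

```python
# Keywords the slide lists; on the wire these are single-quoted, while host
# sources and the data: scheme are not.
QUOTED_KEYWORDS = {"self", "none", "unsafe-inline", "unsafe-eval"}

# Config element name -> CSP directive. Only the first three appear on the
# slide; the rest follow the same naming pattern and are assumptions.
DIRECTIVE_FOR_ELEMENT = {
    "defaultsource": "default-src",
    "scriptsource": "script-src",
    "stylesource": "style-src",
    "objectsource": "object-src",
    "imagesource": "img-src",
    "mediasource": "media-src",
    "framesource": "frame-src",
    "fontsource": "font-src",
    "connectsource": "connect-src",
}

# Constructed dict mirror of the Web Forms example above. "reporturi" is an
# assumed attribute name; the slide only lists report-uri as a directive.
EXAMPLE_CSP_CONFIG = {
    "enabled": True,
    "reportonly": False,
    "reporturi": "",
    "sources": {
        "defaultsource": {"enabled": True, "values": ["self"]},
        "scriptsource": {"enabled": True, "unsafeinline": True, "unsafeeval": False, "values": ["self"]},
        "stylesource": {"enabled": True, "unsafeinline": True, "values": ["self"]},
    },
}

# The mobile.twitter.com policy quoted on the slide, as one string.
TWITTER_REPORT_ONLY = (
    "default-src 'self'; font-src 'self'; frame-src https://*.twitter.com; "
    "img-src https://*.twitter.com https://*.twimg.com https://maps.google.com data:; "
    "script-src https://*.twitter.com https://*.twimg.com https://api-secure.recaptcha.net "
    "'unsafe-inline' 'unsafe-eval'; "
    "style-src https://*.twitter.com https://*.twimg.com https://api-secure.recaptcha.net 'unsafe-inline'; "
    "report-uri https://twitter.com/scribes/csp_report;"
)


def format_source(value):
    """Quote CSP keywords; leave hosts, schemes and data: as written."""
    return "'%s'" % value if value in QUOTED_KEYWORDS else value


def build_csp_header(config):
    """Return (header-name, value), or None when CSP is disabled."""
    if not config.get("enabled"):
        return None
    directives = []
    for element, settings in config.get("sources", {}).items():
        if not settings.get("enabled", True):
            continue
        sources = [format_source(v) for v in settings.get("values", [])]
        if settings.get("unsafeinline"):
            sources.append("'unsafe-inline'")
        if settings.get("unsafeeval"):
            sources.append("'unsafe-eval'")
        if sources:
            directives.append("%s %s" % (DIRECTIVE_FOR_ELEMENT[element], " ".join(sources)))
    if config.get("reporturi"):
        directives.append("report-uri " + config["reporturi"])
    name = "Content-Security-Policy-Report-Only" if config.get("reportonly") else "Content-Security-Policy"
    return name, "; ".join(directives)


def parse_csp(value):
    """Split a policy string into {directive: [source, ...]}."""
    policy = {}
    for chunk in value.split(";"):
        tokens = chunk.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def find_csp_weaknesses(value):
    """Flag the settings the slides treat as risky; script-src inherits from
    default-src when it is not set, exactly as browsers resolve it."""
    policy = parse_csp(value)
    findings = []
    if "default-src" not in policy:
        findings.append("no default-src fallback: unlisted resource types are unrestricted")
    scripts = policy.get("script-src", policy.get("default-src", []))
    if "'unsafe-inline'" in scripts:
        findings.append("script-src allows 'unsafe-inline': injected inline script still runs")
    if "'unsafe-eval'" in scripts:
        findings.append("script-src allows 'unsafe-eval': dynamic code execution permitted")
    if "*" in scripts:
        findings.append("script-src allows any host (*)")
    return findings


if __name__ == "__main__":
    print(build_csp_header(EXAMPLE_CSP_CONFIG))
    print(find_csp_weaknesses(TWITTER_REPORT_ONLY))
```

Note that the slide's own example configuration sets unsafeinline="true" on scriptsource, so the rendered policy is flagged just like Twitter's: 'unsafe-inline' in script-src gives up most of the XSS protection CSP exists to provide, which is why the report-only header is the usual first step while inline scripts are moved out of the page.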

Exclusion Lists
Prevent a header from being emitted on any directory or web page.
Supported by: Caching; Content-Security-Policy; X-Content-Type-Options; X-Frame-Options; X-XSS-Protection

Exclude Lists Configuration
Configuration:
  <shim>
    <caching enabled="true">
      <cachecontrol enabled="true" />
      <exclude>
        <location path="page.aspx"></location>
        <location path="path/page.aspx"></location>
        <location path="path"></location>
      </exclude>
    </caching>
  </shim>
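An added example (not SHIM's own code) of how an exclusion list like the one above can be applied per request: a location entry that names a page matches that page exactly, one that names a directory matches everything beneath it, and the comparison is done on a canonicalised path so that query strings, mixed case and ./.. segments do not slip a sensitive page past the list. Case-insensitive matching is an assumption carried over from IIS; the header groups, the exclusion dict and the request paths are constructed.

```python
from posixpath import normpath

# Constructed mirror of the <exclude> block above, keyed by the configuration
# section that owns it (only caching carries exclusions on the slide).
EXCLUSIONS = {
    "caching": ["page.aspx", "path/page.aspx", "path"],
}

# Constructed header sets for two sections, to show that an exclusion affects
# only the section it is configured under.
HEADER_GROUPS = {
    "caching": {"Cache-Control": "no-cache, no-store, must-revalidate", "Expires": "-1", "Pragma": "no-cache"},
    "xframeoptions": {"X-Frame-Options": "DENY"},
}


def canonical_path(path):
    """Strip query/fragment, collapse ./.. segments and lower-case, so that
    /Path/../path/Page.aspx?x=1 compares equal to /path/page.aspx.
    Lower-casing assumes the IIS convention of case-insensitive paths."""
    path = path.split("?", 1)[0].split("#", 1)[0]
    return normpath("/" + path.lstrip("/")).lower()


def is_excluded(request_path, exclusions):
    """True when the request is an excluded page or sits under an excluded
    directory; the trailing slash check keeps /pathology outside /path."""
    request = canonical_path(request_path)
    for entry in exclusions:
        excluded = canonical_path(entry)
        if request == excluded or request.startswith(excluded + "/"):
            return True
    return False


def headers_for_request(request_path, groups=HEADER_GROUPS, exclusions=EXCLUSIONS):
    """Merge the header sets of every section not excluded for this path."""
    emitted = {}
    for group, headers in groups.items():
        if is_excluded(request_path, exclusions.get(group, [])):
            continue
        emitted.update(headers)
    return emitted


if __name__ == "__main__":
    for path in ("/login.aspx", "/page.aspx", "/Path/Sub/Report.aspx?id=7", "/pathology/page.aspx"):
        print(path, "->", sorted(headers_for_request(path)))
```

Excluding a directory is the setting to review most carefully: a single `<location path="path">` silently removes the caching protection from every page later added under it, so exclusions are best kept to individual pages and revisited whenever the site layout changes.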

Demo: The Solution!

Future Enhancements
- Test/support for .NET 3.5, 4.0
- Support for additional headers: Access-Control-Allow-Origin; Origin headers
- Implement CSP 2.0 improvements

Project Location
Source Code: https://shim.codeplex.com
Presentation & CSP Webcast: http://www.cypressdefense.com

Questions?
Contact Info: @emjohn20, @curea