The slides from an overview presentation of how the Web, and Web security, have changed in the last few years. This talk has been given at various public and private venues. Get in touch if you want to invite me to your company or tech group!
Why Traditional Web Security Technologies no Longer Suffice to Keep You Safe
1. Why Traditional Web Security Technologies no Longer Suffice to Keep You Safe
Philippe De Ryck
@PhilippeDeRyck https://www.websec.be
2. Which Scenario Would You Trust?
(a), (b), (c): three variants of the same flow, shown side by side: visit website, browse public pages; login with username and password; consult private information
3. About Me – Philippe De Ryck
§ Postdoctoral Researcher @ DistriNet (KU Leuven)
§ PhD on client-side Web security
§ Expert in the broad field of Web security
§ Main author of the Primer on Client-Side Web Security
§ Running the Web Security training program
§ Dissemination of knowledge and research results
§ Public training courses and targeted in-house training
§ Target audiences include industry and researchers
§ Part of the organizing committee of SecAppDev.org
§ Week-long course focused on practical security
6. With a lot of Server-Side Problems
http://arstechnica.com/security/2015/12/hackers-actively-exploit-critical-vulnerability-in-sites-running-joomla/
7. With a lot of Server-Side Problems
http://motherboard.vice.com/read/one-of-the-largest-hacks-yet-exposes-data-on-hundreds-of-thousands-of-kids
13. Networks Are Everywhere
§ We happily connect to any wifi network we can find
§ Without knowing who has control over the network
§ Upstream networks are easily intercepted nowadays
§ Intercepting proxies at the network perimeter
§ ISPs inspecting and manipulating traffic
§ State agencies tapping the backbone
14. The Communication Channel Is Insecure
§ People are mainly concerned about eavesdropping attacks
§ Sniffing usernames, passwords, session identifiers, …
§ Demonstrated in 2010 by the Firesheep add-on
http://codebutler.com/firesheep/
15. The Communication Channel Is Insecure
§ Eavesdropping is generally prevented by using HTTPS for sensitive data
§ But today, active network attacks are just as easy to execute
§ Man on the side attacks inject traffic into the network
§ Man in the middle attacks intercept and manipulate traffic
§ Simply using HTTPS for sensitive data no longer suffices
16. Care to Reconsider your Previous Answer?
(a), (b), (c): the same three scenarios as on slide 2: visit website, browse public pages; login with username and password; consult private information
18. Stripping HTTPS from Login Forms
Diagram: user ↔ attacker ↔ some-shop.com
Visit http://some-shop.com / Welcome, please log in / Login as Philippe / Welcome Philippe
The attacker relays every step between the user and some-shop.com and rewrites the HTTPS links in the responses to HTTP, so the login form is submitted in the clear.
19. HTTPS Prevents Man in the Middle Attacks
Diagram: user ↔ some-shop.com, entirely over HTTPS
Visit https://some-shop.com / Welcome, please log in / Login as Philippe / Welcome Philippe
20. HTTPS Prevents Man in the Middle Attacks?
http://news.netcraft.com/archives/2016/03/17/95-of-https-servers-vulnerable-to-trivial-mitm-attacks.html
21. Bootstrapping the HTTPS Site
Diagram: user ↔ attacker ↔ some-shop.com
§ User: GET http://some-shop.com
§ Attacker: GET http://… to some-shop.com, which answers 301 Moved (to HTTPS)
§ Attacker: GET https://… to some-shop.com, which answers 200 OK
§ Attacker rewrites the HTTPS URLs in the page and returns 200 OK, response page, to the user over HTTP
§ User: POST http://some-shop.com with user: philippe & pass: pazzw0rd, in the clear
§ Attacker: POST https://… to some-shop.com
23. HTTP Strict Transport Security (HSTS)
§ Instruct the browser to only visit a site over HTTPS
§ Once enabled, no HTTP requests will be sent to that host anymore
§ Prevents SSL stripping attacks
§ Prevents cookie stealing over HTTP
Diagram: GET https://websec.be → websec.be answers 200 OK, response page
24. HTTP Strict Transport Security (HSTS)
§ HSTS is a server-driven, browser-enforced security policy
§ Server sends the Strict-Transport-Security response header
§ The protection is only applied for the duration of max-age
§ Make sure this value covers non-frequent visitors
§ The value 0 disables the HSTS policy for this particular host
• Only if received over an error-free HTTPS channel
Strict-Transport-Security: max-age=31536000; includeSubDomains
25. HSTS in Action
Diagram: browser ↔ websec.be and www.websec.be
§ GET https://websec.be → 200 OK, response page, Strict-Transport-Security: max-age=31536000; includeSubDomains
§ GET https://websec.be → 200 OK, response page, same header
§ GET https://www.websec.be → 200 OK, response page, same header (the subdomain is covered by includeSubDomains)
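The following is an added example, not from the slides: a small model of how a browser stores and applies an HSTS policy as described on slides 24 and 25 (header only honoured over error-free HTTPS, max-age expiry, max-age=0 clearing the entry, includeSubDomains covering child hosts, and the internal http→https rewrite before any request leaves the browser). Hostnames are the slide's own; the clock is injectable so that expiry can be exercised offline.

```javascript
// Added example, not from the slides: a model of the browser side of HSTS
// (RFC 6797), using the hostnames from the slide.

// Parse a Strict-Transport-Security header value into its directives.
// Returns null for a header the browser would ignore (no or malformed max-age).
function parseHsts(headerValue) {
  const policy = { maxAge: null, includeSubDomains: false };
  for (const part of headerValue.split(';')) {
    const [rawName, rawValue] = part.split('=').map((s) => s.trim());
    const name = rawName.toLowerCase(); // directive names are case-insensitive
    if (name === 'max-age') {
      if (rawValue === undefined) return null;
      const seconds = Number(rawValue.replace(/^"|"$/g, ''));
      if (!Number.isInteger(seconds) || seconds < 0) return null;
      policy.maxAge = seconds;
    } else if (name === 'includesubdomains') {
      policy.includeSubDomains = true;
    }
  }
  return policy.maxAge === null ? null : policy;
}

// The browser's store of known HSTS hosts: hostname -> { expires, includeSubDomains }.
class HstsStore {
  constructor(now = () => Date.now()) {
    this.hosts = new Map();
    this.now = now;
  }

  // Called for every response. Only an error-free HTTPS response may change the
  // store: a header seen over plain HTTP, or over a TLS connection with a
  // certificate error, is ignored, because an attacker could have inserted it.
  processResponse({ host, overHttps, tlsErrorFree, hstsHeader }) {
    if (!overHttps || !tlsErrorFree || hstsHeader === undefined) return;
    const policy = parseHsts(hstsHeader);
    if (policy === null) return;
    if (policy.maxAge === 0) { // max-age=0 removes the host from the store
      this.hosts.delete(host);
      return;
    }
    this.hosts.set(host, {
      expires: this.now() + policy.maxAge * 1000,
      includeSubDomains: policy.includeSubDomains,
    });
  }

  // Is this host covered, either by its own entry or by a parent domain whose
  // policy carries includeSubDomains? Expired entries are dropped on the way.
  isKnown(host) {
    const labels = host.toLowerCase().split('.');
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join('.');
      const entry = this.hosts.get(candidate);
      if (!entry) continue;
      if (entry.expires <= this.now()) {
        this.hosts.delete(candidate);
        continue;
      }
      if (i === 0 || entry.includeSubDomains) return true;
    }
    return false;
  }

  // Applied before any request leaves the browser: an http:// URL for a known
  // host is upgraded to https:// internally, so no plaintext request is ever
  // sent and there is nothing for an SSL-stripping attacker to rewrite.
  rewrite(url) {
    const u = new URL(url);
    if (u.protocol === 'http:' && this.isKnown(u.hostname)) {
      u.protocol = 'https:';
    }
    return u.toString();
  }
}
```

Note that the very first request to a host is still sent as typed: nothing in this store protects a visitor who has never received the header over HTTPS, which is the bootstrapping problem the next slide returns to.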
26. The Bootstrapping Problem … Again
Same exchange as on slide 25, but the policy only exists in the browser after the first HTTPS response carrying the header has been seen: a first visit that starts over plain HTTP is still exposed to SSL stripping.
§ GET https://websec.be → 200 OK, response page, Strict-Transport-Security: max-age=31536000; includeSubDomains
§ GET https://websec.be → 200 OK, response page, same header
§ GET https://www.websec.be → 200 OK, response page, same header
27. Preloading HSTS
§ The bootstrapping problem is solved by a preloaded list
§ Contains all sites that have explicitly subscribed to HSTS
§ Distributed along with the browsers
§ Available on https://hstspreload.appspot.com/
28. HTTPS Should Be Enabled by Default
§ Browser vendors are strongly pushing towards HTTPS
§ Firefox marks HTTP pages with password fields as insecure
§ Google uses HTTPS as a ranking signal in its search engine
§ Active mixed content is blocked in modern browsers
§ Chrome and Firefox will support Secure Contexts
§ A Secure Context is delivered over HTTPS, including its parents
§ Powerful features will only be exposed to a Secure Context
• E.g. Geolocation, microphone and camera access, …
29. Hardening your HTTPS Deployment
§ Fine-tune the supported protocols and ciphers
§ Disable the old and obsolete SSLv2 and SSLv3
§ Avoid the use of old and weak ciphers
§ Move all your traffic to HTTPS
§ Immediately redirect all HTTP traffic to HTTPS
§ Prevent SSL Stripping by enabling Strict Transport Security (HSTS)
§ If you want to go all out, enable Public Key Pinning (HPKP)
§ Prevents impersonation attacks with rogue but valid certificates
§ Caveat: HPKP has since been deprecated and removed from Chrome and Firefox; a wrong pin locks your own users out
https://www.ssllabs.com/ssltest/
31. Browsers Do More than Rendering HTML
§ Modern browsers are full-fledged application platforms
§ Plenty of system features are exposed to Web applications
• Battery status, Vibration, Geolocation, Microphone & Camera, …
§ ChromeOS and FirefoxOS run all applications inside a browser
§ The key enabler for all of this functionality is JavaScript
§ Since its introduction in 1995, JS has finally taken over the Web
§ Plugins like Flash and Silverlight are slowly fading away
§ So, how about security?
§ We have the same-origin policy, but it’s 20 years old …
33. Origins, Frames and Scripts
§ The browser enforces origin-based separation
§ Frames have a context, a document URL and an associated origin
§ Scripts are loaded into the context of the including page
§ Classical trade-off between isolation and flexibility
Diagram: a page at http://example.com framing http://malvertisements.com (a separate origin) versus including script code from http://malvertisements.com, which runs in the http://example.com context:
<iframe src="http://malvertisements.com/pwnme.html">
<script src="http://malvertisements.com/pwnme.js">
34. The Same-Origin Policy in Practice
§ Most content integration is script-based
§ Included directly into the application’s context
§ Which makes sense for libraries, such as jQuery
§ But not for standalone third-party components
§ Every included script is a security risk
§ Because it has full access to your context
§ So you have to trust the supplier
§ And the security of their systems
36. Responsibly Including Third-Party Content
§ Isolate the content in a context with a different origin
§ Let the Same-Origin Policy protect you
§ Enable interaction by exchanging messages between contexts
§ Further restrict isolated context using the HTML5 Sandbox
§ Allows you to disable certain features in a framed context
§ Allows you to place your own content in a unique origin
§ Verify the integrity of content loaded from a CDN
§ Enabled by the brand new Subresource Integrity specification
§ Prevents malware distribution through a compromised CDN
https://blogs.dropbox.com/tech/2015/09/csp-third-party-integrations-and-privilege-separation/
37. With XSS, the Attacker Includes the Code for You
Diagram: the attacker submits a review ("Add review" → "Thanks for the review!"), which is stored alongside the other reviews:
I can really recommend product X. It is awesome!
<script>alert('Never gonna let you down!')</script>
When a victim requests "Show Reviews", the reviews page (<html><body>… …</body></html>) is served with the script embedded, and it runs in the victim's browser.
40. Traditional XSS Defenses
§ The server compiles data and code into a single HTML page
§ XSS causes the browser to mistake data for code
§ The proper defense is context-sensitive output encoding
§ Encode for the context where the data will be used
§ HTML body: <h1>DATA</h1>
§ HTML attributes: <div id='DATA'>
§ Stylesheet context: body { background-color: DATA; }
§ Script context: alert("DATA");
§ URL context: <a href="http://…?arg=DATA">
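An added example of context-sensitive output encoding for the five contexts listed above (not code from the slides): one encoder per context, and a template that places untrusted review text into each context through the matching encoder. The review text is the payload from slide 37; the template strings are constructed for the example.

```javascript
// Added example, not from the slides: one encoder per output context. Each is
// only safe in the context it is named for; the HTML encoder inside a <script>
// block, for instance, still lets "); break out of the string literal.

// HTML body: the five characters that can start or end markup.
function encodeHtml(data) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(data).replace(/[&<>"']/g, (c) => map[c]);
}

// HTML attribute value: encode everything but alphanumerics as &#xHH;, so the
// value cannot close a single-quoted, double-quoted or unquoted attribute.
function encodeHtmlAttr(data) {
  return String(data).replace(/[^A-Za-z0-9]/g, (c) => `&#x${c.charCodeAt(0).toString(16)};`);
}

// JavaScript string literal: \xHH or \uHHHH escapes, so quotes, backslashes,
// line terminators and "</script>" cannot end the literal or the script block.
function encodeJs(data) {
  return String(data).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? `\\x${code.toString(16).padStart(2, '0')}`
      : `\\u${code.toString(16).padStart(4, '0')}`;
  });
}

// CSS value: \HH<space> escapes; the trailing space terminates the escape.
function encodeCss(data) {
  return String(data).replace(/[^A-Za-z0-9]/g, (c) => `\\${c.charCodeAt(0).toString(16)} `);
}

// URL query parameter: percent-encoding. This only protects the DATA slot;
// the scheme and host come from the template, never from the user.
function encodeUrlParam(data) {
  return encodeURIComponent(String(data));
}

// The five contexts of the slide, each fed through its own encoder.
function renderReview(review) {
  return [
    `<h1>${encodeHtml(review)}</h1>`,
    `<div id='${encodeHtmlAttr(review)}'></div>`,
    `<style>body { background-color: ${encodeCss(review)}; }</style>`,
    `<script>alert("${encodeJs(review)}");</script>`,
    `<a href="http://some-shop.com/search?arg=${encodeUrlParam(review)}">link</a>`,
  ].join('\n');
}
```

The template decides the context, so the encoder choice is a property of the template slot, not of the data; that is what makes the approach auditable, and why a single "escape everything" function is not enough.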
41. Content Security Policy against XSS
<h1>You searched for<script>alert('XSS');</script></h1>
XSS WITH INLINE SCRIPTS
<h1>You searched for<script src="https://evil.com/hackme.js"></script></h1>
XSS WITH REMOTE SCRIPTS
eval('alert("Your query string was '
  + unescape(document.location.search) // hello%22);alert(1+%22
  + '");');
XSS WITH EVAL
42. The Essence of CSP
§ CSP reduces the harm of content injection vulnerabilities
§ By telling the client where resources should be loaded from
§ By disabling “dangerous features” by default
§ CSP is intended as a second line of defense
§ CSP will become more important in the future
§ Supporting CSP in your application may be non-trivial
§ Use of inline script blocks is disallowed
§ Use of eval is disallowed
43. Introducing CSP by Example
Content-Security-Policy:
default-src 'self';
script-src 'self' https://cdnjs.cloudflare.com;
style-src 'self' https://cdnjs.cloudflare.com/…/bootstrap.min.css;
EXAMPLE POLICY
§ A policy consists of a set of directives
§ Each directive controls a different kind of resource
§ Policy is delivered as an HTTP header by the server
• Alternatively, the meta tag can also be used
§ Compatible browsers will enforce the policy on the response
44. CSP is the Security Policy of the Future
§ CSP has been well received, and evolved quickly
§ Addition of plugin types, sandbox, child contexts, form destinations
§ Re-enabling inline script with support for nonces and hashes
§ The frame-ancestors directive deprecates the X-Frame-Options header
§ Supports blocking of mixed content / upgrading insecure requests
§ CSP level 1 is widely supported by browsers
§ Support for level 2 is less widespread, but improving rapidly
§ Chrome makes CSP mandatory for its components
§ Browser extensions and packaged apps
45. CSP Violation Reports
§ CSP can report violations back to the resource server
§ Allows for fine-tuning of the CSP policy
§ Gives insights into actual attacks
§ Enabled by using the report-uri directive
§ Points to a handler on the server that can process reports
Content-Security-Policy:
default-src 'self';
report-uri http://some-shop.com/csp-report.cgi
EXAMPLE POLICY
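An added example of the handler behind report-uri (not code from the slides): the browser POSTs a JSON body with Content-Type application/csp-report; this parses it, validates the fields it relies on, and separates probable injection attempts from the noise every report endpoint receives (browser extensions injecting into pages, the browser's own about: URLs). The sample reports are constructed; the endpoint name is the slide's.

```javascript
// Added example, not from the slides: processing CSP violation reports.

const NOISE_SCHEMES = new Set(['chrome-extension', 'moz-extension', 'safari-extension', 'safari-web-extension', 'about']);

function schemeOf(uri) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(uri);
  return m ? m[1].toLowerCase() : '';
}

// Returns a normalised report, or null if the body is not a CSP report.
function parseCspReport(body) {
  let parsed;
  try {
    parsed = JSON.parse(body);
  } catch (e) {
    return null;
  }
  const r = parsed && parsed['csp-report'];
  if (!r || typeof r !== 'object') return null;
  const str = (key) => (typeof r[key] === 'string' ? r[key] : '');
  const violated = str('violated-directive');
  return {
    documentUri: str('document-uri'),
    violatedDirective: violated,
    // CSP level 1 reports lack effective-directive; derive it from the directive name.
    effectiveDirective: str('effective-directive') || violated.split(/\s+/)[0],
    blockedUri: str('blocked-uri'),
    sourceFile: str('source-file'),
    lineNumber: Number.isInteger(r['line-number']) ? r['line-number'] : null,
  };
}

function classify(report) {
  const { blockedUri, effectiveDirective, sourceFile } = report;
  if (NOISE_SCHEMES.has(schemeOf(blockedUri)) || NOISE_SCHEMES.has(schemeOf(sourceFile))) return 'noise';
  if (effectiveDirective === 'script-src') {
    // 'inline' / 'eval' (empty in older browsers): an inline script or eval was blocked,
    // either an injection as on slide 41 or a page script not yet moved to hashes/nonces.
    if (blockedUri === '' || blockedUri === 'inline' || blockedUri === 'eval') return 'inline-script';
    if (['http', 'https'].includes(schemeOf(blockedUri))) return 'remote-script';
  }
  return 'policy-tuning';
}

// Handler for http://some-shop.com/csp-report.cgi: 204 on a well-formed report,
// 400 otherwise. What would be logged is returned so it can be inspected.
function handleCspReport(body) {
  const report = parseCspReport(body);
  if (report === null) return { status: 400, logged: null };
  return { status: 204, logged: { ...report, category: classify(report) } };
}
```

Reports are sent by the client and are therefore attacker-controllable: treat them as untrusted input, rate-limit the endpoint, and never render report fields unencoded in a dashboard.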
47. Progressive Web Security
§ Take a progressive stance towards Web security
§ The Web has become client-centric, and so has Web security
§ Fully protecting your applications requires the latest technologies
§ All of these security technologies require explicit action
§ Training is essential to keep up to date with the latest technologies
§ Share your experiences, help others advance as well
§ Set an example on how to do it right
48. I hope you learned something tonight …
Now it’s up to you
Grab a copy of the slides and share with anyone you can find
Read my blog or follow me on Twitter to stay informed about web security
Level up with Web security training!
All information on
https://www.websec.be
49. Why Traditional Web Security Technologies
no Longer Suffice to Keep You Safe
Acknowledgements
Icons by Visual Pharm (https://icons8.com)
Images by Unsplash (https://unsplash.com/)
50. Why Traditional Web Security Technologies
no Longer Suffice to Keep You Safe
Philippe De Ryck
philippe.deryck@cs.kuleuven.be
/in/philippederyck
https://www.websec.be
@PhilippeDeRyck