SlideShare uma empresa Scribd logo

Story of http headers

V
Vandana Verma

Story of http headers

Tecnologia
1 de 28
Story of Headers : The First Layer of Security Anupriya Srivastava (53R3N1TY)
About 53r3n1ty ● Full-stack Blockchain developer @ ● Prev. Front-end developer @ ● Lifetime security enthusiast
Find me on ● twitter.com/_53R3N1TY ● hackerone.com/53r3n1ty ● github.com/53R3N1TY ● linkedin.com/in/anupriya-srivastava-336a0871/
Why security headers are important ? To secure your client’s DOM from malicious vectors. OR To start preventing your web apps from client side.
Like a patch burger 1. Application code 2. Application configuration 3. Web server configuration 4. Application firewall 5. Dependent hosts 6. Client-side security controls 7. Logging, monitoring & alerting 8. Deceptive defence
Analysing security vectors in Single HTTP request
HTTP Response Anatomy
Status Codes : Allocated Text Status-Code defines the class of response. 1xx : Informational 2xx : Success 3xx : Redirection 4xx : Client Error 5xx : Server Error
HTTP Response ● Header ● Body
HTTP Header ● Uses browsers security features ● First Layer of defence
Header’s Coverage 1. HSTS 2. CSP 3. X-XSS-Protection 4. SOP & CORS 5. X-Frame-Option 6. HTTP Key Pinning 7. Referrer Policy 8. Feature Policy
HTTP Secure Transport Policy (HSTS) ● Strict-Transport-Security: ○ max-age=<expire-time> ○ includeSubDomain(problems) ○ Preload ● Drawback: ○ If subdomain included then your internal apps also won’t support HTTP
Content Security Policy (CSP) Content-Security-Policy: default-src 'self'; script-src (x-xss-protection) 'unsafe-inline' 'strict-dynamic' http: https: 'sha256- uxzi2OgpNXaSA/8wT6X4JDqw8Y+ODCxCwB+WsuWagBY=' ; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com/ https://platform.twitter.com https://*.twimg.com https://*.disquscdn.com; img-src 'self' data: https://www.google-analytics.com/ https://syndication.twitter.com https://*.twimg.com; frame-src https://platform.twitter.com https://disqus.com/ https://player.vimeo.com https://www.youtube.com; object-src 'self'; font-src 'self' https://fonts.gstatic.com; connect-src https://links.services.disqus.com; report-uri https://websec.report-uri.io/r/default/csp/enforce
“IF CSP applied then this isn’t required. Otherwise X-XSS-Protection gives exception on inline scripts.” ● X-XSS-Protection: 0 ● X-XSS-Protection: 1 ● X-XSS-Protection: 1; mode=block ● X-XSS-Protection: 1; report=<reporting-uri> X-XSS-Protection SOP & CORS
X-Frame-Option X-Frame-Options: deny X-Frame-Options: sameorigin X-Frame-Options: allow-from https://example.com/ The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe>, <embed>or <object> . Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.
HTTP Key Pinning ● Public-Key-Pins: ○ pin-sha256="base64+primary=="; ○ pin-sha256="base64+backup=="; ○ max-age=5184000; ○ includeSubDomains ○ Always; ● Drawback: ○ Likely to be deprecated. ○ If a hacker gets the access of your webapp, deployed his own certs and asks ransom?
Referrer Policy ● Referrer Policy: ○ "" ○ "No-referrer" ○ "No-referrer-when-downgrade" ○ "Same-origin" ○ "Origin" ○ "Strict-origin" ○ "Origin-when-cross-origin" ○ "Strict-origin-when-cross-origin" ○ "unsafe-url”
Feature Policy ● Feature-Policy: <directive> <allowlist> ● Directives: ○ Autoplay ○ Camera ○ Fullscreen ○ Geolocation ○ Musical instrument digital interface(MIDI) ○ Microphone ○ Payment ○ VR ... ● Allowlist: ○ ‘*’ ○ ‘self’ ○ ‘Src’ ○ ‘None’ ○ ‘origin(s)’
Body ● Custom code ● Custom security features
Evolution: 5 Years ago Web Layer Business Logic Data Instance
Evolution: Web Layer Business Logic Data Instance Client Logic Web | Hybrid Apps
Javascript XSS-cross site scripting CSRF-cross site request forgery SSTI-server side template injection SQLI-SQL Injection Major p1,p2 bounty is because of deprecated javascript code or unauthorized code
Cookies? ● Directives ○ Secure : Only go through TLS ○ HttpOnly : Document.cookie can’t access it (xss-protection) ○ SameSite : only available for origin domain(csrf-protection) ● Prefix: ○ __Secure- : TLS required ○ __Host- : TLS + ‘/’ path required
Recap? ● Header? ● Body? ● Cookie? ● HTTP Request-Response Cycle
Toolings Header vulnerability https://securityheaders.com Javascript Parser https://github.com/nahamsec/JSParser
Don’t Ignore Security Conclusion?
@53r3n1ty Anupriya Srivastava
Thank you

Recomendados

Tsc summit #2 - HTTP Header Security
Tsc summit #2 - HTTP Header SecurityTsc summit #2 - HTTP Header Security
Tsc summit #2 - HTTP Header SecurityMikal Villa
 
Xss and sql injection
Xss and sql injectionXss and sql injection
Xss and sql injectionBhuridech Sudsee
 
Xss what the heck-!
Xss what the heck-!Xss what the heck-!
Xss what the heck-!VodqaBLR
 
Secure coding | XSS Attacks on current Web Applications
Secure coding | XSS Attacks on current Web ApplicationsSecure coding | XSS Attacks on current Web Applications
Secure coding | XSS Attacks on current Web Applicationsn|u - The Open Security Community
 
XSS Injection Vulnerabilities
XSS Injection VulnerabilitiesXSS Injection Vulnerabilities
XSS Injection VulnerabilitiesMindfire Solutions
 
Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)
Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)
Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)Krzysztof Kotowicz
 
웹 개발을 위해 꼭 알아야하는 보안 공격
웹 개발을 위해 꼭 알아야하는 보안 공격웹 개발을 위해 꼭 알아야하는 보안 공격
웹 개발을 위해 꼭 알아야하는 보안 공격선협 이
 
Http security response headers
Http security response headers Http security response headers
Http security response headers mohammadhosseinrouha
 

Recomendados

Tsc summit #2 - HTTP Header Security
Tsc summit #2 - HTTP Header SecurityTsc summit #2 - HTTP Header Security
Tsc summit #2 - HTTP Header SecurityMikal Villa
 
Xss and sql injection
Xss and sql injectionXss and sql injection
Xss and sql injectionBhuridech Sudsee
 
Xss what the heck-!
Xss what the heck-!Xss what the heck-!
Xss what the heck-!VodqaBLR
 
Secure coding | XSS Attacks on current Web Applications
Secure coding | XSS Attacks on current Web ApplicationsSecure coding | XSS Attacks on current Web Applications
Secure coding | XSS Attacks on current Web Applicationsn|u - The Open Security Community
 
XSS Injection Vulnerabilities
XSS Injection VulnerabilitiesXSS Injection Vulnerabilities
XSS Injection VulnerabilitiesMindfire Solutions
 
Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)
Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)
Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)Krzysztof Kotowicz
 
웹 개발을 위해 꼭 알아야하는 보안 공격
웹 개발을 위해 꼭 알아야하는 보안 공격웹 개발을 위해 꼭 알아야하는 보안 공격
웹 개발을 위해 꼭 알아야하는 보안 공격선협 이
 
Http security response headers
Http security response headers Http security response headers
Http security response headers mohammadhosseinrouha
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scriptingashutosh rai
 
Xss
XssXss
XssRajendra Dangwal
 
Cross Site Scripting(XSS)
Cross Site Scripting(XSS)Cross Site Scripting(XSS)
Cross Site Scripting(XSS)Nabin Dutta
 
XSS- an application security vulnerability
XSS- an application security vulnerabilityXSS- an application security vulnerability
XSS- an application security vulnerabilitySoumyasanto Sen
 
Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation Ikhade Maro Igbape
 
The Cross Site Scripting Guide
The Cross Site Scripting GuideThe Cross Site Scripting Guide
The Cross Site Scripting GuideDaisuke_Dan
 
Identifying Cross Site Scripting Vulnerabilities in Web Applications
Identifying Cross Site Scripting Vulnerabilities in Web ApplicationsIdentifying Cross Site Scripting Vulnerabilities in Web Applications
Identifying Cross Site Scripting Vulnerabilities in Web ApplicationsPorfirio Tramontana
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scriptingkinish kumar
 
Sf startup-security
Sf startup-securitySf startup-security
Sf startup-securityMichael Coates
 
Cross site scripting attacks and defenses
Cross site scripting attacks and defensesCross site scripting attacks and defenses
Cross site scripting attacks and defensesMohammed A. Imran
 
Web Security.pdf
Web Security.pdfWeb Security.pdf
Web Security.pdfAdityaKumar1548
 
Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)Daniel Tumser
 
Security fundamentals
Security fundamentals Security fundamentals
Security fundamentals ABDEL RAHMAN KARIM
 
Browser Security by pratimesh Pathak ( Buldhana)
Browser Security by pratimesh Pathak ( Buldhana) Browser Security by pratimesh Pathak ( Buldhana)
Browser Security by pratimesh Pathak ( Buldhana) Pratimesh Pathak
 
XSS-Alert-Pentration testing tool
XSS-Alert-Pentration testing toolXSS-Alert-Pentration testing tool
XSS-Alert-Pentration testing toolArjun Jain
 
Cross site scripting
Cross site scripting Cross site scripting
Cross site scripting Bilal Mazhar MS(IS)Cyber Security II Privacy Professional
 
Xss (cross site scripting)
Xss (cross site scripting)Xss (cross site scripting)
Xss (cross site scripting)vinayh.vaghamshi _
 
Cross site scripting (xss)
Cross site scripting (xss)Cross site scripting (xss)
Cross site scripting (xss)Ritesh Gupta
 
Cross Site Scripting
Cross Site ScriptingCross Site Scripting
Cross Site ScriptingAli Mattash
 
Understanding dom based xss
Understanding dom based xssUnderstanding dom based xss
Understanding dom based xssPotato
 
Content Security Policy - Lessons learned at Yahoo
Content Security Policy - Lessons learned at YahooContent Security Policy - Lessons learned at Yahoo
Content Security Policy - Lessons learned at YahooBinu Ramakrishnan
 
A Practical Guide to Securing Modern Web Applications
A Practical Guide to Securing Modern Web ApplicationsA Practical Guide to Securing Modern Web Applications
A Practical Guide to Securing Modern Web ApplicationsManish Shekhawat
 

Mais conteúdo relacionado

Mais procurados

Cross site scripting
Cross site scriptingCross site scripting
Cross site scriptingashutosh rai
 
Cross Site Scripting(XSS)
Cross Site Scripting(XSS)Cross Site Scripting(XSS)
Cross Site Scripting(XSS)Nabin Dutta
 
XSS- an application security vulnerability
XSS- an application security vulnerabilityXSS- an application security vulnerability
XSS- an application security vulnerabilitySoumyasanto Sen
 
Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation Ikhade Maro Igbape
 
The Cross Site Scripting Guide
The Cross Site Scripting GuideThe Cross Site Scripting Guide
The Cross Site Scripting GuideDaisuke_Dan
 
Identifying Cross Site Scripting Vulnerabilities in Web Applications
Identifying Cross Site Scripting Vulnerabilities in Web ApplicationsIdentifying Cross Site Scripting Vulnerabilities in Web Applications
Identifying Cross Site Scripting Vulnerabilities in Web ApplicationsPorfirio Tramontana
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scriptingkinish kumar
 
Cross site scripting attacks and defenses
Cross site scripting attacks and defensesCross site scripting attacks and defenses
Cross site scripting attacks and defensesMohammed A. Imran
 
Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)Daniel Tumser
 
Browser Security by pratimesh Pathak ( Buldhana)
Browser Security by pratimesh Pathak ( Buldhana) Browser Security by pratimesh Pathak ( Buldhana)
Browser Security by pratimesh Pathak ( Buldhana) Pratimesh Pathak
 
XSS-Alert-Pentration testing tool
XSS-Alert-Pentration testing toolXSS-Alert-Pentration testing tool
XSS-Alert-Pentration testing toolArjun Jain
 
Cross site scripting (xss)
Cross site scripting (xss)Cross site scripting (xss)
Cross site scripting (xss)Ritesh Gupta
 
Cross Site Scripting
Cross Site ScriptingCross Site Scripting
Cross Site ScriptingAli Mattash
 
Understanding dom based xss
Understanding dom based xssUnderstanding dom based xss
Understanding dom based xssPotato
 

Mais procurados (20)

Cross site scripting
Cross site scriptingCross site scripting
Cross site scripting
 
Xss
XssXss
Xss
 
Cross Site Scripting(XSS)
Cross Site Scripting(XSS)Cross Site Scripting(XSS)
Cross Site Scripting(XSS)
 
XSS- an application security vulnerability
XSS- an application security vulnerabilityXSS- an application security vulnerability
XSS- an application security vulnerability
 
Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation
 
The Cross Site Scripting Guide
The Cross Site Scripting GuideThe Cross Site Scripting Guide
The Cross Site Scripting Guide
 
Identifying Cross Site Scripting Vulnerabilities in Web Applications
Identifying Cross Site Scripting Vulnerabilities in Web ApplicationsIdentifying Cross Site Scripting Vulnerabilities in Web Applications
Identifying Cross Site Scripting Vulnerabilities in Web Applications
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scripting
 
Sf startup-security
Sf startup-securitySf startup-security
Sf startup-security
 
Cross site scripting attacks and defenses
Cross site scripting attacks and defensesCross site scripting attacks and defenses
Cross site scripting attacks and defenses
 
Web Security.pdf
Web Security.pdfWeb Security.pdf
Web Security.pdf
 
Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)
 
Security fundamentals
Security fundamentals Security fundamentals
Security fundamentals
 
Browser Security by pratimesh Pathak ( Buldhana)
Browser Security by pratimesh Pathak ( Buldhana) Browser Security by pratimesh Pathak ( Buldhana)
Browser Security by pratimesh Pathak ( Buldhana)
 
XSS-Alert-Pentration testing tool
XSS-Alert-Pentration testing toolXSS-Alert-Pentration testing tool
XSS-Alert-Pentration testing tool
 
Cross site scripting
Cross site scripting Cross site scripting
Cross site scripting
 
Xss (cross site scripting)
Xss (cross site scripting)Xss (cross site scripting)
Xss (cross site scripting)
 
Cross site scripting (xss)
Cross site scripting (xss)Cross site scripting (xss)
Cross site scripting (xss)
 
Cross Site Scripting
Cross Site ScriptingCross Site Scripting
Cross Site Scripting
 
Understanding dom based xss
Understanding dom based xssUnderstanding dom based xss
Understanding dom based xss
 

Semelhante a Story of http headers

Content Security Policy - Lessons learned at Yahoo
Content Security Policy - Lessons learned at YahooContent Security Policy - Lessons learned at Yahoo
Content Security Policy - Lessons learned at YahooBinu Ramakrishnan
 
A Practical Guide to Securing Modern Web Applications
A Practical Guide to Securing Modern Web ApplicationsA Practical Guide to Securing Modern Web Applications
A Practical Guide to Securing Modern Web ApplicationsManish Shekhawat
 
Neoito — Secure coding practices
Neoito — Secure coding practicesNeoito — Secure coding practices
Neoito — Secure coding practicesNeoito
 
Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...
Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...
Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...LogeekNightUkraine
 
Introduction to Web Application Security - Blackhoodie US 2018
Introduction to Web Application Security - Blackhoodie US 2018Introduction to Web Application Security - Blackhoodie US 2018
Introduction to Web Application Security - Blackhoodie US 2018Niranjanaa Ragupathy
 
Securing TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography APISecuring TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography APIKevin Hakanson
 
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...nooralmousa
 
RIA Cross Domain Policy
RIA Cross Domain PolicyRIA Cross Domain Policy
RIA Cross Domain PolicyNSConclave
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultMohammed ALDOUB
 
Django (Web Applications that are Secure by Default)
Django �(Web Applications that are Secure by Default�)Django �(Web Applications that are Secure by Default�)
Django (Web Applications that are Secure by Default)Kishor Kumar
 
BSides Cleveland: Active Defense - Helping threat actors hack themselves!
BSides Cleveland: Active Defense - Helping threat actors hack themselves!BSides Cleveland: Active Defense - Helping threat actors hack themselves!
BSides Cleveland: Active Defense - Helping threat actors hack themselves!CiNPA Security SIG
 
Web security: Securing untrusted web content at browsers
Web security: Securing untrusted web content at browsersWeb security: Securing untrusted web content at browsers
Web security: Securing untrusted web content at browsersPhú Phùng
 
Tips on Securing Drupal Sites - DrupalCamp Atlanta (DCA)
Tips on Securing Drupal Sites - DrupalCamp Atlanta (DCA)Tips on Securing Drupal Sites - DrupalCamp Atlanta (DCA)
Tips on Securing Drupal Sites - DrupalCamp Atlanta (DCA)cgmonroe
 
Android Penetration Testing - Day 3
Android Penetration Testing - Day 3Android Penetration Testing - Day 3
Android Penetration Testing - Day 3Mohammed Adam
 
Securing the client side web
Securing the client side webSecuring the client side web
Securing the client side webSC5.io
 
Tuenti: Web Application Security
Tuenti: Web Application SecurityTuenti: Web Application Security
Tuenti: Web Application SecurityTuenti
 
Tuenti: Web Application Security
Tuenti: Web Application SecurityTuenti: Web Application Security
Tuenti: Web Application SecurityGuille -bisho-
 
Insecurity-In-Security version.1 (2010)
Insecurity-In-Security version.1 (2010)Insecurity-In-Security version.1 (2010)
Insecurity-In-Security version.1 (2010)Abhishek Kumar
 

Semelhante a Story of http headers (20)

Content Security Policy - Lessons learned at Yahoo
Content Security Policy - Lessons learned at YahooContent Security Policy - Lessons learned at Yahoo
Content Security Policy - Lessons learned at Yahoo
 
A Practical Guide to Securing Modern Web Applications
A Practical Guide to Securing Modern Web ApplicationsA Practical Guide to Securing Modern Web Applications
A Practical Guide to Securing Modern Web Applications
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013
 
Neoito — Secure coding practices
Neoito — Secure coding practicesNeoito — Secure coding practices
Neoito — Secure coding practices
 
Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...
Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...
Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...
 
Introduction to Web Application Security - Blackhoodie US 2018
Introduction to Web Application Security - Blackhoodie US 2018Introduction to Web Application Security - Blackhoodie US 2018
Introduction to Web Application Security - Blackhoodie US 2018
 
Securing TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography APISecuring TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography API
 
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
 
RIA Cross Domain Policy
RIA Cross Domain PolicyRIA Cross Domain Policy
RIA Cross Domain Policy
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by Default
 
Django (Web Applications that are Secure by Default)
Django �(Web Applications that are Secure by Default�)Django �(Web Applications that are Secure by Default�)
Django (Web Applications that are Secure by Default)
 
BSides Cleveland: Active Defense - Helping threat actors hack themselves!
BSides Cleveland: Active Defense - Helping threat actors hack themselves!BSides Cleveland: Active Defense - Helping threat actors hack themselves!
BSides Cleveland: Active Defense - Helping threat actors hack themselves!
 
Web security: Securing untrusted web content at browsers
Web security: Securing untrusted web content at browsersWeb security: Securing untrusted web content at browsers
Web security: Securing untrusted web content at browsers
 
Web Apps Security
Web Apps SecurityWeb Apps Security
Web Apps Security
 
Tips on Securing Drupal Sites - DrupalCamp Atlanta (DCA)
Tips on Securing Drupal Sites - DrupalCamp Atlanta (DCA)Tips on Securing Drupal Sites - DrupalCamp Atlanta (DCA)
Tips on Securing Drupal Sites - DrupalCamp Atlanta (DCA)
 
Android Penetration Testing - Day 3
Android Penetration Testing - Day 3Android Penetration Testing - Day 3
Android Penetration Testing - Day 3
 
Securing the client side web
Securing the client side webSecuring the client side web
Securing the client side web
 
Tuenti: Web Application Security
Tuenti: Web Application SecurityTuenti: Web Application Security
Tuenti: Web Application Security
 
Tuenti: Web Application Security
Tuenti: Web Application SecurityTuenti: Web Application Security
Tuenti: Web Application Security
 
Insecurity-In-Security version.1 (2010)
Insecurity-In-Security version.1 (2010)Insecurity-In-Security version.1 (2010)
Insecurity-In-Security version.1 (2010)
 

Mais de Vandana Verma

Building security into the pipelines
Building security into the pipelinesBuilding security into the pipelines
Building security into the pipelinesVandana Verma
 
Applying OWASP web security testing guide (OWSTG)
Applying OWASP web security testing guide (OWSTG)Applying OWASP web security testing guide (OWSTG)
Applying OWASP web security testing guide (OWSTG)Vandana Verma
 
Running an app sec program with OWASP projects_ Defcon AppSec Village
Running an app sec program with OWASP projects_ Defcon AppSec VillageRunning an app sec program with OWASP projects_ Defcon AppSec Village
Running an app sec program with OWASP projects_ Defcon AppSec VillageVandana Verma
 
SARCON Talk - Vandana Verma Sehgal
SARCON Talk - Vandana Verma SehgalSARCON Talk - Vandana Verma Sehgal
SARCON Talk - Vandana Verma SehgalVandana Verma
 
Sacon 2020 living in the world of zero trust v1.0
Sacon 2020 living in the world of zero trust v1.0Sacon 2020 living in the world of zero trust v1.0
Sacon 2020 living in the world of zero trust v1.0Vandana Verma
 
Addo 2019 vandana_dev_secops_culturalchange
Addo 2019 vandana_dev_secops_culturalchangeAddo 2019 vandana_dev_secops_culturalchange
Addo 2019 vandana_dev_secops_culturalchangeVandana Verma
 
App Sec village DevSecOps as a culture
App Sec village DevSecOps as a cultureApp Sec village DevSecOps as a culture
App Sec village DevSecOps as a cultureVandana Verma
 
Web sockets - Pentesting
Web sockets - Pentesting Web sockets - Pentesting
Web sockets - Pentesting Vandana Verma
 
Security audits & compliance
Security audits & complianceSecurity audits & compliance
Security audits & complianceVandana Verma
 
Basics of Server Side Template Injection
Basics of Server Side Template InjectionBasics of Server Side Template Injection
Basics of Server Side Template InjectionVandana Verma
 
SIEM Vendor Neutrality
SIEM Vendor NeutralitySIEM Vendor Neutrality
SIEM Vendor NeutralityVandana Verma
 
Getting started with android
Getting started with androidGetting started with android
Getting started with androidVandana Verma
 
Importance of Penetration Testing
Importance of Penetration TestingImportance of Penetration Testing
Importance of Penetration TestingVandana Verma
 
Identity & access management
Identity & access managementIdentity & access management
Identity & access managementVandana Verma
 
Chariot generic presentation owaspwia_Infosecgirls
Chariot generic presentation owaspwia_InfosecgirlsChariot generic presentation owaspwia_Infosecgirls
Chariot generic presentation owaspwia_InfosecgirlsVandana Verma
 
OWASP - Dependency Check
OWASP - Dependency CheckOWASP - Dependency Check
OWASP - Dependency CheckVandana Verma
 
Incident response in Cloud
Incident response in CloudIncident response in Cloud
Incident response in CloudVandana Verma
 

Mais de Vandana Verma (18)

Building security into the pipelines
Building security into the pipelinesBuilding security into the pipelines
Building security into the pipelines
 
Applying OWASP web security testing guide (OWSTG)
Applying OWASP web security testing guide (OWSTG)Applying OWASP web security testing guide (OWSTG)
Applying OWASP web security testing guide (OWSTG)
 
Running an app sec program with OWASP projects_ Defcon AppSec Village
Running an app sec program with OWASP projects_ Defcon AppSec VillageRunning an app sec program with OWASP projects_ Defcon AppSec Village
Running an app sec program with OWASP projects_ Defcon AppSec Village
 
SARCON Talk - Vandana Verma Sehgal
SARCON Talk - Vandana Verma SehgalSARCON Talk - Vandana Verma Sehgal
SARCON Talk - Vandana Verma Sehgal
 
Sacon 2020 living in the world of zero trust v1.0
Sacon 2020 living in the world of zero trust v1.0Sacon 2020 living in the world of zero trust v1.0
Sacon 2020 living in the world of zero trust v1.0
 
Addo 2019 vandana_dev_secops_culturalchange
Addo 2019 vandana_dev_secops_culturalchangeAddo 2019 vandana_dev_secops_culturalchange
Addo 2019 vandana_dev_secops_culturalchange
 
App Sec village DevSecOps as a culture
App Sec village DevSecOps as a cultureApp Sec village DevSecOps as a culture
App Sec village DevSecOps as a culture
 
Oscp - Journey
Oscp - JourneyOscp - Journey
Oscp - Journey
 
Web sockets - Pentesting
Web sockets - Pentesting Web sockets - Pentesting
Web sockets - Pentesting
 
Security audits & compliance
Security audits & complianceSecurity audits & compliance
Security audits & compliance
 
Basics of Server Side Template Injection
Basics of Server Side Template InjectionBasics of Server Side Template Injection
Basics of Server Side Template Injection
 
SIEM Vendor Neutrality
SIEM Vendor NeutralitySIEM Vendor Neutrality
SIEM Vendor Neutrality
 
Getting started with android
Getting started with androidGetting started with android
Getting started with android
 
Importance of Penetration Testing
Importance of Penetration TestingImportance of Penetration Testing
Importance of Penetration Testing
 
Identity & access management
Identity & access managementIdentity & access management
Identity & access management
 
Chariot generic presentation owaspwia_Infosecgirls
Chariot generic presentation owaspwia_InfosecgirlsChariot generic presentation owaspwia_Infosecgirls
Chariot generic presentation owaspwia_Infosecgirls
 
OWASP - Dependency Check
OWASP - Dependency CheckOWASP - Dependency Check
OWASP - Dependency Check
 
Incident response in Cloud
Incident response in CloudIncident response in Cloud
Incident response in Cloud
 

Último

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 

Último (20)

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 

Story of http headers

  • 1. Story of Headers : The First Layer of Security Anupriya Srivastava (53R3N1TY)
  • 2. About 53r3n1ty ● Full-stack Blockchain developer @ ● Prev. Front-end developer @ ● Lifetime security enthusiast
  • 3. Find me on ● twitter.com/_53R3N1TY ● hackerone.com/53r3n1ty ● github.com/53R3N1TY ● linkedin.com/in/anupriya-srivastava-336a0871/
  • 4. Why security headers are important ? To secure your client’s DOM from malicious vectors. OR To start preventing your web apps from client side.
  • 5. Like a patch burger 1. Application code 2. Application configuration 3. Web server configuration 4. Application firewall 5. Dependent hosts 6. Client-side security controls 7. Logging, monitoring & alerting 8. Deceptive defence
  • 6. Analysing security vectors in Single HTTP request
  • 8. Status Codes : Allocated Text Status-Code defines the class of response. 1xx : Informational 2xx : Success 3xx : Redirection 4xx : Client Error 5xx : Server Error
  • 10. HTTP Header ● Uses browsers security features ● First Layer of defence
  • 11. Header’s Coverage 1. HSTS 2. CSP 3. X-XSS-Protection 4. SOP & CORS 5. X-Frame-Option 6. HTTP Key Pinning 7. Referrer Policy 8. Feature Policy
  • 12. HTTP Secure Transport Policy (HSTS) ● Strict-Transport-Security: ○ max-age=<expire-time> ○ includeSubDomain(problems) ○ Preload ● Drawback: ○ If subdomain included then your internal apps also won’t support HTTP
  • 13. Content Security Policy (CSP) Content-Security-Policy: default-src 'self'; script-src (x-xss-protection) 'unsafe-inline' 'strict-dynamic' http: https: 'sha256- uxzi2OgpNXaSA/8wT6X4JDqw8Y+ODCxCwB+WsuWagBY=' ; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com/ https://platform.twitter.com https://*.twimg.com https://*.disquscdn.com; img-src 'self' data: https://www.google-analytics.com/ https://syndication.twitter.com https://*.twimg.com; frame-src https://platform.twitter.com https://disqus.com/ https://player.vimeo.com https://www.youtube.com; object-src 'self'; font-src 'self' https://fonts.gstatic.com; connect-src https://links.services.disqus.com; report-uri https://websec.report-uri.io/r/default/csp/enforce
  • 14. “IF CSP applied then this isn’t required. Otherwise X-XSS-Protection gives exception on inline scripts.” ● X-XSS-Protection: 0 ● X-XSS-Protection: 1 ● X-XSS-Protection: 1; mode=block ● X-XSS-Protection: 1; report=<reporting-uri> X-XSS-Protection SOP & CORS
  • 15. X-Frame-Option X-Frame-Options: deny X-Frame-Options: sameorigin X-Frame-Options: allow-from https://example.com/ The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe>, <embed>or <object> . Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.
  • 16. HTTP Key Pinning ● Public-Key-Pins: ○ pin-sha256="base64+primary=="; ○ pin-sha256="base64+backup=="; ○ max-age=5184000; ○ includeSubDomains ○ Always; ● Drawback: ○ Likely to be deprecated. ○ If a hacker gets the access of your webapp, deployed his own certs and asks ransom?
  • 17. Referrer Policy ● Referrer Policy: ○ "" ○ "No-referrer" ○ "No-referrer-when-downgrade" ○ "Same-origin" ○ "Origin" ○ "Strict-origin" ○ "Origin-when-cross-origin" ○ "Strict-origin-when-cross-origin" ○ "unsafe-url”
  • 18. Feature Policy ● Feature-Policy: <directive> <allowlist> ● Directives: ○ Autoplay ○ Camera ○ Fullscreen ○ Geolocation ○ Musical instrument digital interface(MIDI) ○ Microphone ○ Payment ○ VR ... ● Allowlist: ○ ‘*’ ○ ‘self’ ○ ‘Src’ ○ ‘None’ ○ ‘origin(s)’
  • 19. Body ● Custom code ● Custom security features
  • 20. Evolution: 5 Years ago Web Layer Business Logic Data Instance
  • 21. Evolution: Web Layer Business Logic Data Instance Client Logic Web | Hybrid Apps
  • 22. Javascript XSS-cross site scripting CSRF-cross site request forgery SSTI-server side template injection SQLI-SQL Injection Major p1,p2 bounty is because of deprecated javascript code or unauthorized code
  • 23. Cookies? ● Directives ○ Secure : Only go through TLS ○ HttpOnly : Document.cookie can’t access it (xss-protection) ○ SameSite : only available for origin domain(csrf-protection) ● Prefix: ○ __Secure- : TLS required ○ __Host- : TLS + ‘/’ path required
  • 24. Recap? ● Header? ● Body? ● Cookie? ● HTTP Request-Response Cycle