[Wroclaw #4] Web Application Security Headers-2 (HSTS, HPKP)

Web Application Security Headers (Part 2) Marek Puchalski [email protected] [email protected] https://marek.puchal.ski


Page 1:

Web Application Security Headers (Part 2)

Marek Puchalski

[email protected]

[email protected]

https://marek.puchal.ski

Page 2:

Table of Contents

• HTTP Headers

• Transport Layer Security (TLS/SSL)

• HTTP Strict Transport Security

• HTTP Public Key Pinning

Page 3:

HTTP HEADERS

Page 4:

HTTP Headers

HTTP request:

GET http://oasp-ci.cloudapp.net/oasp4j-sample/services/rest/offermanagement/v1/offer HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:37.0) Gecko/20100101 Firefox/37.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
X-CSRF-TOKEN: fcbfc729-15d2-4f04-8e50-082f20cb2dfb
Referer: http://oasp-ci.cloudapp.net/oasp4j-sample/jsclient/
Cookie: JSESSIONID=F340544E6AE9078812ECF61139D03C7B
Connection: keep-alive
Host: oasp-ci.cloudapp.net

HTTP response:

HTTP/1.1 200 OK
Date: Sat, 11 Jul 2015 20:28:36 GMT
Server: Apache-Coyote/1.1
Content-Type: application/json;charset=UTF-8
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive

[{"id":1,"modificationCounter":1,"revision":null,"name":null,"description":"Schnitzel-Menü","number":null,"mealId":1,"drinkId":10,"sideDishId":5,"state":"NORMAL","price":"6.99"},{"id":2,"modificationCounter":1, (…)

Page 5:

Facts about HTTP Headers

• Headers can be used to steer browser (and application) behaviour

• You can define your own headers

• If the browser does not know or support a header, it ignores it

• Response headers are client-side controls that are set on the server side

Page 6:

Security-relevant Headers (after OWASP ASVS v3.0)

• V9.4 Level 1: Cache-Control

• V10.11 Level 1: HTTP Strict Transport Security (HSTS)

• V11.4 Level 2 and V11.7 Level 1: Content Security Policy (CSP)

• V11.6 Level 1: X-Content-Type-Options, Content-Disposition

• V11.8 Level 1: X-XSS-Protection

• V10.10 Level 3: HTTP Public Key Pinning

• V11.10 Level 2: X-Frame-Options (deprecated)

Page 7:

TRANSPORT LAYER SECURITY (TLS/SSL)

Page 8:

TLS/SSL

• TLS is the S in HTTPS ;)

• It gives us the following:

– Confidentiality - the adversary can't see the data in the clear

– Integrity - the adversary can't change data undetected

– Authentication - we know which server we are connected to

Page 9:

Why TLS?

• Because the world is cruel

„Any unencrypted traffic, visible to an adversary, is not just an information leak, but an attack vector they can use to exploit your systems.”

Nick Weaver

• Current state of the art: encrypt everything

Page 10:

Need to know more?

• Advanced HTTPS Defense Strategies (Jim Manico)

• Youtube: https://www.youtube.com/watch?v=uix4f45VndQ

• Presentation: http://www.slideshare.net/proidea_conferences/jim-manico-advanced-https-defense-strategies

Page 11:

HTTP STRICT TRANSPORT SECURITY (HSTS)

Page 12:

Threats addressed by HSTS

• Passive network attackers - eavesdropping on unencrypted communication. Even more dangerous when the environment allows non-secure cookies (a cookie without the Secure flag is also sent over plain HTTP).

• Active network attackers - TLS stripping, or an invisible proxy that relies on the user accepting the flawed certificate.

• Web site development and deployment bugs - the page loads additional resources over an insecure connection (mixed content).

Page 13:

Without HSTS: Mixed content example

Page 14:

Without HSTS: Insecure redirect

Page 15:

With HSTS: Secure redirect

Page 16:

Without HSTS: Insecure choice

Page 17:

With HSTS: Secure… lack of other choices

Page 18:

HSTS Header

Strict-Transport-Security: max-age=31536000; includeSubdomains; preload

• max-age - how long insecure requests are forbidden (in seconds)

• includeSubdomains - whether subdomains are also covered (optional)

• preload - allows HSTS to be hardcoded in the browsers. Solves the "trust on first use" (TOFU) problem: without it, the very first request to a site the browser has never seen still goes out over plain HTTP. A domain can be registered for preloading at hstspreload.appspot.com (optional)

Page 19:

What can go wrong?

• Want to go back to HTTP? No way...

• Your subdomains do not support HTTPS and you turned includeSubdomains on.

Page 20:

HSTS and Security Standards

• OWASP ASVS v3.0 V10.11: Verify that HTTP Strict Transport Security headers are included on all requests and for all subdomains, such as Strict-Transport-Security: max-age=15724800; includeSubdomains

• OWASP ASVS v3.0 V10.12: Verify that the production website URL has been submitted to the preloaded list of Strict Transport Security domains maintained by web browser vendors.

Page 21:

How many sites use HSTS?

[Chart: share of the Alexa top 1 million sites with HSTS present vs. HSTS missing]

Source: https://scotthelme.co.uk/alexa-top-1-million-crawl-aug-2016/ (August 2016)

Page 22:

Browser support for HSTS

[Chart: browser support table]

Source: http://caniuse.com/#feat=stricttransportsecurity

Page 23:

Enforce HSTS (and HPKP) in Chrome

chrome://net-internals/#hsts

Page 24:

HTTP PUBLIC KEY PINNING

Page 25:

PKI in a nutshell

Exchange between you and the RA (CA):

• You: create a public/private key pair

• You: fill in some data (the subject details)

• You → RA (CA): create and send a CSR

• RA (CA) → you: send the signed certificate

• Profit

Page 26:

Question: Which CA should you buy certificates from?

• Let's Encrypt – because it's free, automated and open :)

• But honestly, it does not matter. Any CA recognized by your browser can give you technically the same thing – a signed certificate.

Page 27:

Question: What can happen if a CA gets hacked?

• One could fabricate certificates for EVERY domain on the internet. (The security of the WHOLE INTERNET is in danger.)

„If a company can ‚put the entire Internet at risk’ (…) the system is fundamentally flawed.”

https://news.ycombinator.com/item?id=9253676

Page 28:

Question: How often did CAs fail in the past?

• 2011, Comodo got hacked

• 2011, DigiNotar got hacked, got used to attack Iranian Google users, went bankrupt...

• 2013, This time: French government...

• 2013, Trustwave selling an intermediate CA cert to a private company

• 2015, MCS Holdings...

Page 29:

HPKP Header

Public-Key-Pins: pin-sha256=<hash1>; pin-sha256=<hash2>; max-age=2592000; report-uri=<uri>; includeSubdomains

• pin-sha256 - base64-encoded SHA-256 of a public key (the certificate's Subject Public Key Info, not the whole certificate). It can be the key of your own certificate, of any certificate in the chain, or even the key from a CSR. At least two pins are required.

• max-age - how long the browser remembers the pins, i.e. how long one of the pinned keys must keep being served (in seconds).

• report-uri - violations are reported to this URI. Usually not on the same host as the target system (a pin failure on that host would block the report as well).

• includeSubdomains - all subdomains must use the same pins.

Page 30:

Generate hashes

• For the certificate, from its key file (-pubout expects the private key as input; use -pubin instead if the file holds only the public key):

openssl rsa -pubout -in pub.key -outform der | openssl dgst -sha256 -binary | base64

• For the CSR:

openssl req -noout -in my.csr -pubkey | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | base64

Page 31:

☠ DANGER ☠

It is very easy to get HPKP wrong, and if you do, you run a DoS against your own system: browsers that remember the pins refuse to connect until max-age has expired.

Good practice:

• Pin at least your certificate, CSR and a backup CSR.

• If you don't pin CSRs, pin at least two certificates (one backup) and don't forget to order and activate new certificates at least max-age before they expire.

• NOTE: HPKP has the TOFU (trust on first use) problem
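The pin computation from the "Generate hashes" slide, the header layout from the HPKP Header slide and the good-practice rules above fit together in one pre-deployment check. The Python below is an added example for this transcript, not code from the deck or its author. `pin_sha256` does in code what the deck's openssl pipeline does on the command line (SHA-256 over the DER SubjectPublicKeyInfo, base64-encoded), `build_hpkp`/`parse_hpkp` produce and read a header line (quoting the pin values as RFC 7469 does, where the deck's `<hash>` placeholders omit the quotes), and `check_hpkp` flags a header that would DoS the site: fewer than two pins, no pin matching the served chain, no backup pin outside the chain, or a leaf certificate that expires before max-age runs out. The SPKI byte strings used in the test are constructed stand-ins for real DER keys, and the hostnames are placeholders.

```python
"""pin-sha256 computation, Public-Key-Pins header construction and a check
of the deck's HPKP good-practice rules.  Added example, not the deck's code.
SPKI inputs are raw DER bytes; the test feeds constructed stand-in bytes."""
import base64
import hashlib
from typing import Dict, List, Optional, Sequence


def pin_sha256(spki_der: bytes) -> str:
    """Equivalent of: ... -outform der | openssl dgst -sha256 -binary | base64
    The input is the DER SubjectPublicKeyInfo, which is why a pin can come from
    a certificate, a CSR or the key file alike: they all carry the same SPKI."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def build_hpkp(pins: Sequence[str], max_age: int, report_uri: Optional[str] = None,
               include_subdomains: bool = False, report_only: bool = False) -> str:
    """Full header line.  RFC 7469 quotes the pin and report-uri values."""
    parts = [f'pin-sha256="{p}"' for p in pins] + [f"max-age={max_age}"]
    if include_subdomains:
        parts.append("includeSubDomains")
    if report_uri:
        parts.append(f'report-uri="{report_uri}"')
    name = "Public-Key-Pins-Report-Only" if report_only else "Public-Key-Pins"
    return f"{name}: " + "; ".join(parts)


def parse_hpkp(header_line: str) -> Dict[str, object]:
    """Inverse of build_hpkp for a 'Name: value' line."""
    name, _, value = header_line.partition(":")
    out: Dict[str, object] = {
        "pins": [], "max_age": None, "report_uri": None, "include_subdomains": False,
        "report_only": name.strip().lower() == "public-key-pins-report-only"}
    for raw in value.split(";"):
        key, _, val = raw.strip().partition("=")
        key, val = key.strip().lower(), val.strip().strip('"')
        if key == "pin-sha256":
            out["pins"].append(val)          # type: ignore[union-attr]
        elif key == "max-age":
            out["max_age"] = int(val)
        elif key == "report-uri":
            out["report_uri"] = val
        elif key == "includesubdomains":
            out["include_subdomains"] = True
    return out


def check_hpkp(pins: Sequence[str], served_chain_spkis: Sequence[bytes],
               max_age: int, leaf_expires_in: int) -> List[str]:
    """Apply the deck's good-practice rules (and RFC 7469 section 2.5) before
    deploying.  served_chain_spkis: SPKI DER of every certificate the server
    sends.  leaf_expires_in: seconds until the current leaf certificate expires.
    An empty list means the header is safe to turn on."""
    findings = []
    chain_pins = {pin_sha256(s) for s in served_chain_spkis}
    in_chain = [p for p in pins if p in chain_pins]
    backups = [p for p in pins if p not in chain_pins]
    if len(pins) < 2:
        findings.append("fewer than two pins: RFC 7469 requires a backup pin")
    if not in_chain:
        findings.append("no pin matches the served chain: browsers ignore such a header")
    if not backups:
        findings.append("no backup pin outside the served chain: losing this key "
                        f"locks returning users out for max-age ({max_age} s)")
    if leaf_expires_in < max_age:
        findings.append("leaf certificate expires within max-age: renew now, with "
                        "a key whose pin is already being served")
    return findings
```

Run `check_hpkp` first with `report_only=True` in `build_hpkp` (the header from the "Good News" slide) and only switch to the enforcing header once the report-uri stays quiet and the check returns no findings.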

Page 32:

Good News

• There is also a Public-Key-Pins-Report-Only header with the same syntax as HPKP; it only reports violations and never blocks. Good for testing.

Page 33:

HPKP and Security Standards

• OWASP ASVS v3.0 V10.10: Verify that TLS certificate public key pinning is implemented with production and backup public keys.

Page 34:

How many sites use HPKP?

[Chart: share of the Alexa top 1 million sites with HPKP present vs. HPKP missing]

Source: https://scotthelme.co.uk/alexa-top-1-million-crawl-aug-2016/ (August 2016)

Page 35:

Browser support for HPKP

Source: http://caniuse.com/#feat=publickeypinning