Experiential Learning Workshop on Web Security Basics · • SSL certificate management • HTTPS...
Experiential Learning Workshop on
Web Security Basics
July 18, 2018
Dr. Ram P Rustagi Professor, CSE Dept
KSIT, Bangalore [email protected]
+91-8970000559
Experiential Learning ; Web Security Basics RPR
Resources & Acknowledgements
• Resources – https://rprustagi.com/ELNT/Experiential-Learning.html
– Articles in ACCS Journal: https://acc.digital/experiential-learning-of-networking-technologies-4/
– Programs: www.github.com/rprustagi
• Slides – https://www.rprustagi.com/workshops/ieee/nita
• Example web pages, and programs – https://www.rprustagi.com/workshops/programs
!2Experiential Learning - Basics of Web Security RPR
Day 2: Understanding Web Security
• Overview of HTTP/HTTPS
• SSL certificate management
• HTTPS deployment challenges
• HO1: Deploying SSL, click-thru browser warnings
• HTTP mixed content, lock icons
• HO2: Using mixed content
• MITM challenges, and ARP spoofing
• MITM with browser and information stealing
• HO3: Implementing MITM with sslstrip
• Understanding HSTS protocol, CSP
• HO4: Implementing CSP and HSTS
• Summary
Experimental Setup-1 (figure): switch S1 connecting hosts Ha (10.1.1.1/24) and Hb (10.1.1.2/24), with an uplink to the Internet.
Experimental Setup-2 (figure): switch S1 connecting hosts Ha (10.1.1.1/24), Hb (10.1.1.2/24) and Hc (10.1.1.3/24), with an uplink to the Internet.
Day 1: Understanding Network Layer
• Overview
• Networking tools: wireshark, nc, wget, ssh
• Review of IP and TCP headers
• HO1: wireshark, IP and TCP headers
• Routing & Forwarding, Subnetting, Unicast/BCast
• HO2: Routing, subnetting, traceroute analysis
• IP fragmentation, PMTU discovery
• Understanding ICMP, NAT
• HO3: ICMP errors: Fragmentation, TTL expiry
• Understanding ARP, Proxy ARP, DHCP, GARP
• HO4: Static ARP, Proxy ARP, GARP
• Summary
HTTPS Protocol
• Secure web communication requirements
– Authentication
– Confidentiality
– Data integrity
• Authentication
– Client authentication by the server, by many means
• Credentials, biometrics, OTP (SMS), …
• Certificate based (not prevalent)
– Server authentication by the client
• Clients are not tech savvy
• The browser should do it automatically and seamlessly
Web Communication Security
• Confidentiality
– Communication free from snooping
– Responsibility assumed to lie with the web application
– Client takes it for granted
• Integrity
– Communication safe from alteration
– Responsibility with the web application
• Security
– Must be intrinsic to the browser and the web application
– Practically impossible to educate all end users
HTTPS Authentication
• Server provides the website certificate, containing
– Website name, e.g. mywww.com
– Certificate validity period (typically 1 year)
– Public key of the website, signed by the certificate issuing authority (CA)
• Authentication mechanism
– Browser checks all 3 pieces of information: the name matches the host in the URL, the current date lies within the validity period, and the signature chains to a CA in the browser's trust store
– Any violation flags a warning
• User has to click-thru to proceed
• Examples:
– https://172.217.166.100 # google: name mismatch (certificate is for the Google host names, not the IP)
– https://myweb.com # google IP in /etc/hosts: name mismatch
– https://mywww.com # self-signed certificate: issuer not trusted
HTTPS Communication
• Data confidentiality
– Using the SSL/TLS protocol, the browser sets up a shared encryption key with the web server
– This key is used to encrypt/decrypt the data exchanged between browser and web server
• Certificate authorities
– The browser is configured with a large number of certificate authorities (its root store)
– Accepts a certificate only if it chains to one of these, e.g. Amazon, Entrust, GeoTrust, GoDaddy, Thawte, Verisign
HTTPS Communication
• The SSL protocol supports client certificates
– Rarely seen in practice
– When used, may not require a credentials-based mechanism
• Wireshark supports session decryption
– Provided the session key is known (e.g. exported by the browser via SSLKEYLOGFILE), or
– The server's private key is known (only works for RSA key exchange, not for forward-secret (EC)DHE cipher suites)
• Possible for self-signed certificates, where you hold the private key
SSL Certificates
• General Process
– Create a private and public key pair for the owned website
– Generate a Certificate Signing Request (CSR)
– Send the CSR to a certificate issuing authority (CA)
– Pay for the certificate
– The CA verifies the request, website ownership details etc.
– The CA issues the certificate
– Install the certificate (together with the private key) on the web server
SSL Certificates
• Certificate types
– DV (Domain Validation) - the basic type
• Proves control of the domain only; web server authentication and encryption
– OV (Organization Validation) certificate
• Verifies the actual business that is requesting the certificate
• Organization name is listed in the certificate
– Extended Validation (EV)
• Historically shown as a green address bar in the browser (major browsers have since dropped this indicator)
• Requires a stronger vetting process to confirm the identity of the business
• All three types give the same cryptographic protection; they differ only in how the subject was vetted
HTTPS and Proxy Setup
• HTTPS deployment challenges with a proxy, or a network that requires authentication (captive portal)
– The network site hijacks the URL, e.g. public hotspots, colleges
– Redirects to an authentication URL
– On successful authentication, the user is permitted access
– This setup does not work with HTTPS
– On hijack of HTTPS traffic, the browser throws a warning: the portal cannot present a valid certificate for the site the user asked for
HTTPS Deployment
• Can a single (same) certificate be installed on multiple servers?
• Deploy a wildcard certificate for subdomains vs individual subdomain certificates?
• Can the server be forced to use only HTTPS and disable HTTP?
• How does caching work with HTTPS, especially for a public cache?
• Reverse proxy (load balancer) and web servers: where does TLS terminate?
• L7 load balancing
• Migrating the entire content to HTTPS
Hands On 1: SSL Enabled Website
• Generate an SSL certificate valid for 1 day
• Install the SSL certificate on the web server
• Access the web pages using HTTPS and analyze the warning
• Accept the certificate exception in the browser
• Re-access the web page with HTTPS
• Change the system date by a few days (e.g. to before the start of the certificate's validity period)
• Access the web page with HTTPS and analyze
• Access with a different name (or IP address) and analyze
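Worked example for the three certificate checks on the HTTPS Authentication slide and for Hands-On 1. This is an added example, not code from the workshop or its resources: the certificate records, the trust store, the host names and the dates are constructed to reproduce the three URL cases (IP in the URL, /etc/hosts alias, self-signed) and the changed-clock step of the hands-on. Issuer trust is modelled by name only; a real browser also verifies the signature chain.

```python
# Added example (not from the workshop slides): the three checks a browser makes
# on a server certificate, run against constructed certificate records.
# The records use the dict shape that Python's ssl.SSLSocket.getpeercert()
# returns; every name, date and issuer below is made up for illustration, and
# issuer trust is modelled by name only (a real browser verifies the signature chain).
from datetime import datetime, timezone

# Constructed trust store standing in for the browser's root store (assumption).
TRUSTED_ISSUERS = {"Example Root CA"}

SITE_CERT = {
    "subject": ((("commonName", "mywww.com"),),),
    "issuer": ((("commonName", "Example Root CA"),),),
    "subjectAltName": (("DNS", "mywww.com"), ("DNS", "*.mywww.com")),
    "notBefore": "Jul 18 00:00:00 2018 GMT",
    "notAfter": "Jul 19 00:00:00 2018 GMT",   # the 1-day certificate of Hands-On 1
}
# The same certificate signed by itself: issuer equals subject.
SELF_SIGNED_CERT = dict(SITE_CERT, issuer=SITE_CERT["subject"])


def cert_time(value: str) -> datetime:
    """Parse the 'Mon DD HH:MM:SS YYYY GMT' form used in getpeercert() output."""
    return datetime.strptime(value, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def hostname_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style match: case-insensitive, and a leading '*.' matches exactly
    one DNS label (so *.mywww.com matches a.mywww.com but not mywww.com)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host


def common_names(rdn_sequence) -> list:
    return [value for rdn in rdn_sequence for key, value in rdn if key == "commonName"]


def check_certificate(cert: dict, requested_host: str, now: datetime) -> list:
    """Return the warnings a browser would raise for this certificate ([] = accepted)."""
    warnings = []
    # 1. Name: the host in the URL must match a DNS subjectAltName (fallback: subject CN).
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = common_names(cert["subject"])
    if not any(hostname_matches(name, requested_host) for name in names):
        warnings.append(f"name mismatch: certificate is for {names}, URL host is {requested_host}")
    # 2. Validity period, judged by the client's clock (Hands-On 1 moves the system date).
    if now < cert_time(cert["notBefore"]):
        warnings.append("certificate not yet valid")
    elif now > cert_time(cert["notAfter"]):
        warnings.append("certificate expired")
    # 3. Issuer: the signer must be in the trust store; a self-signed certificate never is.
    if cert["issuer"] == cert["subject"]:
        warnings.append("self-signed certificate: issuer not trusted")
    elif not set(common_names(cert["issuer"])) & TRUSTED_ISSUERS:
        warnings.append(f"unknown issuer: {common_names(cert['issuer'])}")
    return warnings


if __name__ == "__main__":
    during = cert_time("Jul 18 12:00:00 2018 GMT")
    scenarios = [
        ("mywww.com", SITE_CERT, during),                                  # accepted
        ("172.217.166.100", SITE_CERT, during),                            # IP in the URL: name mismatch
        ("myweb.com", SITE_CERT, during),                                  # alias via /etc/hosts: name mismatch
        ("mywww.com", SELF_SIGNED_CERT, during),                           # self-signed
        ("mywww.com", SITE_CERT, cert_time("Jul 15 12:00:00 2018 GMT")),  # clock moved back
    ]
    for host, cert, when in scenarios:
        print(f"{host:18} {when.date()} -> {check_certificate(cert, host, when) or 'OK'}")
```

Each scenario maps onto one browser warning: the IP and the /etc/hosts alias fail the name check even though the certificate is otherwise fine, the self-signed copy fails only the issuer check, and moving the clock back produces "not yet valid" without touching the certificate at all.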
Example Resources
• Create your own content or download from the following URLs
– https://rprustagi.com/workshops/web/pure.html
– https://rprustagi.com/workshops/web/mixed.html
– https://rprustagi.com/workshops/web/mixed-active.html
– https://rprustagi.com/js/mywww.js
Mixed Content Webpage (browser screenshots)
• Secure, No Mixed Content
• Potentially Unsecure, Passive Content is not blocked
• Potentially Unsecure, Active Content is not blocked
Pure Content
<body>
  <h2>Img01 with inherited security</h2>
  <h2>Img02 with insecure access.</h2>
  <img src="//rprustagi.com/img/img-01.jpg" alt="Img 01">
  <img src="//rprustagi.com/img/img-02.jpg" alt="Img 02">
</body>
Mixed Content
<body>
  <h2>Img01 with inherited security</h2>
  <h2>Img02 with insecure access.</h2>
  <img src="//rprustagi.com/img/img-01.jpg" alt="Img 01">
  <img src="http://rprustagi.com/img/img-02.jpg" alt="Img 02">
</body>
Active Mixed Content
<body>
  <script src="http://rprustagi.com/js/mywww.js"></script>
  <h2>Mixed Content Demonstration</h2>
  <button type="button" onclick="hello()">insecure access</button>
  <h2>Image 02 with insecure security access.</h2>
  <img src="//rprustagi.com/img/img-02.jpg" alt="Img 02">
</body>
Active Mixed Content - javascript (http://rprustagi.com/js/mywww.js)
function hello() { alert("Hello"); }
Insecure Password Field in Form
• Quite often, web developers use a form with <input type="password" …> in it.
• When this form is served or submitted over HTTP, the password travels in plaintext: insecure access.
• Browsers are by default configured to warn when a password field is present on, or submitted over, HTTP.
Screenshots: AICTE Insecure Access in Firefox; AICTE Insecure Access in Chrome; AICTE Web Portal: No HTTPS
Setup Requirement
Hands-On 2
• Create two web pages
– one with mixed passive content
– the other with mixed active content
• Deploy these web pages on your web server deployed with an SSL certificate (self-signed)
• Import the certificate into the browser's certificate store
• Access (Firefox) these URLs with HTTP
• Access (Firefox) these URLs with HTTPS
– Analyze the difference
• Create a simple web form with a password field
• Access the web form using HTTP, i.e. no HTTPS
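Worked example for the mixed-content pages and the insecure password form of Hands-On 2. This is an added example, not part of the workshop material: it resolves each subresource the way the browser does, so the protocol-relative //rprustagi.com references inherit the page's scheme, and it classifies whatever is still loaded over plain HTTP as passive or active. The HTML is the markup from the slides; the page URLs under mywww.com and the login form are constructed.

```python
# Added example (not from the workshop slides): a small audit of what the browser
# sees when it loads the pages from the slides over http:// vs https://.
# It resolves each subresource reference against the page URL, so protocol-relative
# "//host/..." references inherit the page's scheme, and it classifies insecure
# loads as passive (display only) or active (can run code or restyle the page).
# The HTML strings are taken from the slides; the page URLs (mywww.com) and the
# login form are constructed for illustration.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# tag -> (attribute that loads a subresource, finding kind when it is http on an https page)
RESOURCE_ATTRS = {
    "script": ("src", "mixed-active"), "iframe": ("src", "mixed-active"),
    "link": ("href", "mixed-active"), "object": ("data", "mixed-active"),
    "img": ("src", "mixed-passive"), "audio": ("src", "mixed-passive"),
    "video": ("src", "mixed-passive"), "source": ("src", "mixed-passive"),
}

PURE_HTML = """<body>
<img src="//rprustagi.com/img/img-01.jpg" alt="Img 01">
<img src="//rprustagi.com/img/img-02.jpg" alt="Img 02">
</body>"""
MIXED_HTML = """<body>
<img src="//rprustagi.com/img/img-01.jpg" alt="Img 01">
<img src="http://rprustagi.com/img/img-02.jpg" alt="Img 02">
</body>"""
ACTIVE_MIXED_HTML = """<body>
<script src="http://rprustagi.com/js/mywww.js"></script>
<button type="button" onclick="hello()">insecure access</button>
<img src="//rprustagi.com/img/img-02.jpg" alt="Img 02">
</body>"""
LOGIN_HTML = """<form action="/login" method="post">
<input type="text" name="user"><input type="password" name="pass">
</form>"""   # constructed for the password-field check


class PageAuditor(HTMLParser):
    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.page_scheme = urlsplit(page_url).scheme
        self.form_action = None
        self.findings = []          # (kind, absolute URL)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.form_action = urljoin(self.page_url, a.get("action", ""))
        elif tag == "input" and a.get("type", "").lower() == "password":
            # The password goes wherever the form posts; without a form, to the page itself.
            target = self.form_action or self.page_url
            if urlsplit(target).scheme != "https":
                self.findings.append(("insecure-password-field", target))
        elif tag in RESOURCE_ATTRS:
            attr, kind = RESOURCE_ATTRS[tag]
            if attr in a:
                url = urljoin(self.page_url, a[attr])   # "//host/x" inherits page_scheme here
                if self.page_scheme == "https" and urlsplit(url).scheme == "http":
                    self.findings.append((kind, url))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_action = None


def audit(page_url: str, html: str):
    """Return (lock-icon verdict, findings) for a page served at page_url."""
    parser = PageAuditor(page_url)
    parser.feed(html)
    kinds = {kind for kind, _ in parser.findings}
    if urlsplit(page_url).scheme != "https":
        verdict = "insecure: plain HTTP, no lock"
    elif "mixed-active" in kinds:
        verdict = "mixed active content: blocked by default, lock shows a warning"
    elif "mixed-passive" in kinds:
        verdict = "mixed passive content: loaded, lock shows a warning"
    else:
        verdict = "secure: no mixed content"
    return verdict, parser.findings


if __name__ == "__main__":
    for url, html in [("https://mywww.com/pure.html", PURE_HTML),
                      ("https://mywww.com/mixed.html", MIXED_HTML),
                      ("https://mywww.com/mixed-active.html", ACTIVE_MIXED_HTML),
                      ("http://mywww.com/mixed.html", MIXED_HTML),
                      ("http://mywww.com/login.html", LOGIN_HTML)]:
        verdict, findings = audit(url, html)
        print(url, "->", verdict, findings)
```

Note that the same mixed.html produces no mixed-content finding when fetched over HTTP: nothing is "mixed" when the page itself is insecure, which is why the hands-on asks you to compare the two schemes side by side.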
ARP - Address Resolution Protocol
• Packet delivery to a host on a LAN requires two addresses
– Logical address - IP address
– Physical address - MAC address
• Need to find the mapping from logical to physical address
• ARP is used - RFC 826
Fig Src: Forouzan - Data Communication and Networking, SIE
ARP - 4 cases (figure; Src: Forouzan)
ARP
• ARP Request and Reply
– ARP Request is broadcast
– ARP Reply is unicast
• Other forms of ARP
– Proxy ARP (RFC 1027)
– Reverse ARP (RFC 903)
– Gratuitous ARP
Proxy ARP
• A router (Proxy ARP server) replies to ARP requests on behalf of hosts that are not on the requester's segment
• Used when
– splitting a network without changing the hosts' netmask
– taking care of statically configured machines
– Mobile IP
Src: Forouzan
Reverse ARP
• Reverse ARP (RARP)
– RFC 903
– Used by diskless stations to learn their IP address from their MAC address
– Useful when the organization does not have enough IP addresses to assign statically
– The request is a MAC-layer broadcast, which does not cross a router
– Needs one RARP server for each subnet
• BOOTP
– Improvement over RARP
– Has a relay agent to forward across networks
– Has a static mapping of MAC to IP
• manageability issues
• DHCP - replaces BOOTP
Gratuitous ARP
• Ref: http://wiki.wireshark.org/Gratuitous_ARP
• Gratuitous ARP Request
– both src and dst IP are set to that of the sending machine
– dst MAC is broadcast, i.e. ff:ff:ff:ff:ff:ff
– Ordinarily no reply occurs
• if another machine already has that IP, it may respond
• Gratuitous ARP Reply
– a reply for which no request has occurred
Gratuitous ARP
• Why Gratuitous ARP
– helps detect IP conflicts
• if a machine receives a G-ARP request for its own IP from another MAC, this implies an IP conflict
– helps in updating other machines' ARP tables
• used in clustering solutions, when an IP is moved between nodes
– helps inform the switch to update its port (MAC) table
– each time an interface comes up (after down), it sends a G-ARP
• Practice: use send_arp or arpspoof (dsniff package) to perform gratuitous ARP
DHCP: Dynamic Host Configuration Protocol
• goal: allow a host to dynamically obtain its IP address from a network server when it joins the network
• renew its lease before lease expiry
• preferably gets the same address (not guaranteed)
• client can reuse its address
• support for mobile users who want to join
• guarantee that an address is assigned to only one client at a time
• retain DHCP client address across reboots (not guaranteed)
• retain DHCP client configs across server reboots
• must coexist with statically assigned addresses
• interoperate with BOOTP relay agents
DHCP: Dynamic Host Configuration Protocol
• DHCP overview:
– an extension of the BOOTP mechanism
– host broadcasts a "DHCP discover" msg
– DHCP server responds with a "DHCP offer"
• more than one server can make an offer
• client can choose which server to use
– host requests the IP address: "DHCP request" msg
– DHCP server confirms the address: "DHCP ack" msg
– Renewal happens with DHCP request/ack
– On completion, client sends DHCP release
• practically not seen
DHCP: more than IP addresses
• DHCP can return more than just the allocated IP address on the subnet:
• address of the first-hop router for the client
• name and IP address of the DNS server
• network mask (indicating network versus host portion of the address)
What is a MITM Attack
• An attack where the attacker secretly captures, and possibly alters, the communication between two parties
• While the parties believe that they are directly communicating with each other
Typical E-commerce Traffic (figure)
• Typical usage: User enters ecomm.site, gets the web page displayed, proceeds with the transaction
Typical E-commerce Traffic Setup (figure: User-A and User-X behind an AP/Router, reaching ecomm.site)
1. http://ecomm.site
2. 302 Redirect to https://ecomm.site
3. New request to https://ecomm.site
4. Setup of HTTPS session
5. Secure data exchange
Typical E-commerce Traffic with MITM
• Typical usage: User enters ecomm.site
• MITM attacker hijacks the URLs and changes the network settings (ARP tables) of the victim
• All the back and forth traffic goes via the attacker
• User gets the web page displayed and proceeds with the transaction, unaware
MITM with ARP Spoofing
• Objective: when A & C communicate, B can snoop
– Use ARP spoofing to fool A & C into sending their traffic via B
– Attacker machine (B)
• Becomes a router to forward traffic
• Runs tcpdump to capture traffic
– Why does ARP spoofing work? ARP has no authentication: a host accepts any reply, even an unsolicited one, and overwrites its cache entry
(figure: A at 172.25.4.x, B at 172.25.4.y, C at 172.25.4.z on one LAN)
MITM Attack
– Convert B into a router
• sudo sysctl -w net.ipv4.ip_forward=1
– Install the ARP spoofing tool on B
• sudo apt install dsniff
– Issue the ARP spoof command on B for A & C (poisons both directions)
• arpspoof -i <i/f> -t <Address of A> -r <Address of C>
– Run wireshark on B for the IP addresses of A & C
• capture filter: host <A> or host <C>
– Let A & C chat (nc)
– Observe the chat in wireshark on B (between A and C)
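Worked example for the ARP spoofing setup above (and for Hands-On 3 later). This is an added example, not the dsniff/arpspoof code: it builds the same unsolicited ARP replies arpspoof sends, decodes them, and feeds them to a model of the victim's ARP cache to show why the entry flips, what a gratuitous ARP request for an already-used address looks like from the host's side, and what a static entry (Sol 5 later in the deck) changes. All addresses are constructed stand-ins for A, B and C; nothing is transmitted.

```python
# Added example (not from the workshop slides): the ARP frames behind the
# arpspoof command above, built byte by byte from RFC 826, plus a model of the
# victim's ARP cache to show why the poisoning works, how a gratuitous ARP request
# reveals an IP conflict, and what a static entry changes.
# Addresses (172.25.4.10/20/30, 02:00:00:00:00:xx) are constructed for the A/B/C
# roles of the slide; nothing is sent on a real interface.
import struct
from ipaddress import IPv4Address

ARP_REQUEST, ARP_REPLY = 1, 2
ETHERTYPE_ARP = 0x0806
BROADCAST = "ff:ff:ff:ff:ff:ff"

A_IP, A_MAC = "172.25.4.10", "02:00:00:00:00:0a"   # victim A
B_IP, B_MAC = "172.25.4.20", "02:00:00:00:00:0b"   # attacker B
C_IP, C_MAC = "172.25.4.30", "02:00:00:00:00:0c"   # peer C


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op: int, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Ethernet II frame carrying one ARP packet. Requests go to the broadcast MAC,
    replies straight to the target's MAC (the unicast reply of the slide)."""
    dst = BROADCAST if op == ARP_REQUEST else target_mac
    ethernet = mac_bytes(dst) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)       # Ethernet, IPv4, hlen 6, plen 4, opcode
           + mac_bytes(sender_mac) + IPv4Address(sender_ip).packed
           + mac_bytes(target_mac) + IPv4Address(target_ip).packed)
    return ethernet + arp


def parse_arp(frame: bytes) -> dict:
    """Decode the ARP fields of a frame built by build_arp (or captured off the wire)."""
    _, _, _, _, op = struct.unpack("!HHBBH", frame[14:22])
    return {"op": op,
            "sha": mac_str(frame[22:28]), "spa": str(IPv4Address(frame[28:32])),
            "tha": mac_str(frame[32:38]), "tpa": str(IPv4Address(frame[38:42]))}


class ArpCache:
    """A host's ARP table. Like a real stack it overwrites an entry on any reply
    it receives, which is all that ARP spoofing needs; unlike most stacks it also
    records the events a monitor such as arpwatch would alert on."""

    def __init__(self, my_mac: str, my_ip: str):
        self.my_mac, self.my_ip = my_mac, my_ip
        self.table = {}        # ip -> mac
        self.static = set()    # ips pinned by hand (Sol 5 in the slides)
        self.alerts = []

    def add_static(self, ip: str, mac: str):
        self.table[ip] = mac
        self.static.add(ip)

    def receive(self, frame: bytes):
        p = parse_arp(frame)
        gratuitous = p["spa"] == p["tpa"]
        if p["op"] == ARP_REQUEST and gratuitous and p["spa"] == self.my_ip and p["sha"] != self.my_mac:
            self.alerts.append(f"IP conflict: {p['sha']} also claims {self.my_ip}")
            return
        if p["op"] == ARP_REQUEST and not (gratuitous or p["tpa"] == self.my_ip):
            return                                  # somebody else's lookup: nothing to learn
        ip, mac = p["spa"], p["sha"]
        if ip in self.static:
            if self.table[ip] != mac:
                self.alerts.append(f"ignored: static entry {ip} is {self.table[ip]}, frame says {mac}")
            return
        old = self.table.get(ip)
        if old is not None and old != mac:
            self.alerts.append(f"changed: {ip} moved from {old} to {mac}")
        self.table[ip] = mac


def poison_scenario(static_entry: bool) -> ArpCache:
    """A learns C's address, then B sends what `arpspoof -t A -r C` sends to A:
    an unsolicited reply claiming C_IP is at B_MAC."""
    a = ArpCache(A_MAC, A_IP)
    if static_entry:
        a.add_static(C_IP, C_MAC)
    else:
        a.receive(build_arp(ARP_REPLY, C_MAC, C_IP, A_MAC, A_IP))   # genuine reply from C
    a.receive(build_arp(ARP_REPLY, B_MAC, C_IP, A_MAC, A_IP))       # the poison
    return a


def garp_conflict_scenario() -> list:
    """B brings up an interface with A's IP and announces it with a gratuitous
    ARP request; A recognises its own address coming from a foreign MAC."""
    a = ArpCache(A_MAC, A_IP)
    a.receive(build_arp(ARP_REQUEST, B_MAC, A_IP, "00:00:00:00:00:00", A_IP))
    return a.alerts


if __name__ == "__main__":
    for static in (False, True):
        cache = poison_scenario(static)
        print(f"static={static}: A thinks {C_IP} is at {cache.table[C_IP]}; alerts={cache.alerts}")
    print(garp_conflict_scenario())
```

The "changed" alert is the signal an IT department would watch for (Sol 3 later in the deck): a gateway or peer IP that suddenly moves to a different MAC on a network where nothing was reconfigured.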
Typical E-commerce Traffic w/ MITM (figure: User-A, User-X (MITM Attacker), AP/Router, ecomm.site)
1. User-A: http://ecomm.site
2. User-X relays http://ecomm.site to ecomm.site
3. 302 Redirect to https://ecomm.site (reaches User-X)
4. New request to https://ecomm.site (from User-X)
5. Setup of HTTPS session between User-X and ecomm.site
6a. HTTP response & data exchange between User-A and User-X
6b. Secure data exchange between User-X and ecomm.site, with eavesdropping
Traffic Flow with MITM Attacker
• Step 0: Attacker sets up the hostile environment
– Using ARP spoofing
• Open source package dsniff
• Makes silent ARP changes on the victim machine
• Makes silent ARP changes on the local router
• All traffic between user and router goes via the attacker
– Using sslstrip
• sudo apt install sslstrip
• Open source package sslstrip
• Rewrites HTTPS URLs in server responses to HTTP for the victim, and upgrades the victim's HTTP requests back to HTTPS towards the server
Traffic Flow with MITM Attacker
• Step 1: User types ecomm.site in the browser
• Step 2: HTTP packets, instead of going to the local router, are delivered to the attacker's system
– Packet still has src IP of victim, and dst IP of ecomm
• Step 3: Attacker forwards the request via the local router to ecomm.site (becomes the initiator)
• Step 4: ecomm server sends a redirect to https
• Step 5: Local router sends the HTTP response (IP packet) to the attacker instead of the victim
– Packet has src IP of ecomm, and dst IP of victim
• Step 6: Attacker initiates the HTTPS request to ecomm
• Step 7: ecomm site responds with the web page
Traffic Flow with MITM Attacker
• Step 8: Attacker manipulates the web page
– Replaces all references to HTTPS with HTTP
– sslstrip does it automatically
• Step 9: Victim sees the same look and feel as before
– Does not notice that it is not HTTPS
• Step 10: Victim enters credentials and sends them
• Step 11: The HTTP packet with credentials is delivered to the attacker
– Attacker records the information (e.g. tcpdump)
– Forwards the request over HTTPS to ecomm
• Summary: ecomm site believes everything is HTTPS, which is true on its side. Victim is unaware of the data theft.
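Worked example for steps 0 to 11 above. This is an added example, a model of the behaviour the slides describe and not sslstrip's own code: the downstream side talks plain HTTP to the victim, the upstream side HTTPS to the server, and the proxy rewrites https:// to http:// on the way down and upgrades the victim's http:// requests on the way up. Host names, headers and the credential POST are constructed. The cookie handling is an addition of this model: it removes the Secure attribute because the victim's connection is plain HTTP.

```python
# Added example (not sslstrip's own code): a model of the rewriting proxy the
# attacker runs in steps 2-11 of the slides. Downstream = plain HTTP to the victim,
# upstream = HTTPS to the real server. Host names (ecomm.site), headers and the
# credential POST are constructed.
import re
from urllib.parse import parse_qs, urlsplit

HTTPS_URL = re.compile(r"https://([A-Za-z0-9.-]+)")


class StripProxy:
    def __init__(self):
        self.stripped_hosts = set()   # shown to the victim as http://, served upstream over https://
        self.captured = []            # plaintext form bodies seen on the downstream side

    def _downgrade(self, text: str) -> str:
        """Replace every https://host with http://host, remembering the host."""
        def swap(match):
            self.stripped_hosts.add(match.group(1).lower())
            return "http://" + match.group(1)
        return HTTPS_URL.sub(swap, text)

    def rewrite_response(self, status: int, headers: dict, body: str):
        """Step 8: rewrite a server response before relaying it to the victim over HTTP."""
        out = {}
        for name, value in headers.items():
            lname = name.lower()
            if lname == "strict-transport-security":
                continue                      # the victim's browser must never learn the HSTS policy
            if lname == "location":           # step 4: the 302 to https:// becomes a 302 to http://
                value = self._downgrade(value)
            if lname == "set-cookie":         # a Secure cookie would never come back over plain HTTP
                value = re.sub(r";\s*secure", "", value, flags=re.IGNORECASE)
            out[name] = value
        return status, out, self._downgrade(body)

    def handle_victim_request(self, method: str, url: str, body: str = "") -> str:
        """Steps 10-11: record what the victim sends in clear, then pick the upstream URL."""
        parts = urlsplit(url)
        if method.upper() == "POST" and body:
            self.captured.append(parse_qs(body))
        if parts.scheme == "http" and parts.hostname in self.stripped_hosts:
            return "https://" + url[len("http://"):]   # upgrade towards the real server
        return url


def login_exchange() -> StripProxy:
    """The whole flow of the slides against a constructed ecomm.site."""
    proxy = StripProxy()
    # 1-3: the victim's http://ecomm.site goes upstream unchanged (nothing stripped yet)
    proxy.handle_victim_request("GET", "http://ecomm.site/")
    # 4-5: the server answers with a redirect to https and an HSTS header; both are neutralised
    proxy.rewrite_response(302, {"Location": "https://ecomm.site/login",
                                 "Strict-Transport-Security": "max-age=31536000"}, "")
    # 6-7: the victim follows http://ecomm.site/login; the proxy fetches it over https
    proxy.handle_victim_request("GET", "http://ecomm.site/login")
    # 8-9: the login page's https form action is downgraded before the victim sees it
    proxy.rewrite_response(200, {"Set-Cookie": "sid=abc123; Secure; HttpOnly"},
                           '<form method="post" action="https://ecomm.site/do_login">')
    # 10-11: the victim posts credentials in clear; the proxy logs them and relays over https
    proxy.handle_victim_request("POST", "http://ecomm.site/do_login", "user=alice&pass=s3cret")
    return proxy


if __name__ == "__main__":
    p = login_exchange()
    print("stripped hosts:", p.stripped_hosts)
    print("captured:", p.captured)
```

The two things that make this work are visible in the code: the victim only ever sees http:// URLs, and the HSTS header that would have told the browser to refuse plain HTTP next time never reaches it.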
Why MITM Works?
• The user does not enter https:// with the URL; it just types ecomm.site
• A typical user is not aware that credentials should be entered only when there is a lock symbol before the URL
• The user has no knowledge of how L3 and L2 of networking work
– Has no means of verifying that the data is going to an attacker rather than to the local router
• The IT department (of an organization) is typically short-staffed and believes that no attacks are happening internally
Web Scenarios for MITM
• Plaintext HTTP mechanism
– Simple ARP spoofing is good enough
• HTTPS access reached via a redirection from HTTP
– sslstrip is helpful for the attacker
• Using HSTS
– The first visit (before the browser has cached the policy) is still attackable
Avoiding MITM Attacks?
• Sol 1: Educate the user
– User must enter https:// before the URL
– Practically not possible to educate a billion users
• Sol 2: Have the browser vendors initiate all traffic with HTTPS
– Proxies won't work
– URL hijack for authentication (captive portals) won't work
– Note: Chrome marks HTTP sites as "Not secure"
• Sol 3: Empowering IT
– IT dept runs MITM detection tools
– Detects any MITM activity (e.g. ARP entries changing)
– Challenge: Typical IT is not capable
Avoiding MITM Attacks?
• Sol 4: A responsible website responds only to HTTPS
– Does not respond to HTTP
– Challenge: The user still enters HTTP
– It will lose business when the user does not see a response
– The entity does not want to lose business
• Sol 5: Make ARP entries static in the router and the victim machine
– Challenge: Practically impossible at scale
– User needs to understand how ARP works
Hands-On 3
• Implement ARP spoofing
– Run the ARP spoofing command on X (attacker)
• Spoof MAC address MACA on B to MACX (B now sends A's traffic to X)
• Spoof MAC address MACB on A to MACX (A now sends B's traffic to X)
– Convert X into a router
– Initiate a chat between A and B
– Snoop on the chat communication between A and B and see the data of the chat communication on X
HTTP Strict Transport Security
• HSTS: https://tools.ietf.org/html/rfc6797
• A mechanism incorporated by the web server
• Instructs the browser to always initiate requests with HTTPS
– Even if the user enters http://<website>
• Once a browser receives the HSTS header over a valid HTTPS connection
Strict-Transport-Security: max-age=31536000; includeSubDomains
(max-age is in seconds; 31536000 = 1 year)
• The browser initiates HTTPS always, for that host, until max-age expires
• Most useful in public places
– Airports, cafes, malls, railway stations etc.
HSTS Deployment
• Prominent sites that use HSTS (as observed for this workshop, July 2018)
– Facebook, Amazon, Twitter
– Google ??
– Airtel (with max-age=0, which removes rather than sets the policy)
• Sites that were yet to implement HSTS (as of July 2018)
– Ecommerce sites: Flipkart
– Banks e.g. SBI, ICICI Bank, HDFC
– Academic institutes: VTU Karnataka, IISc
Inadequacies of HSTS Mechanism
• When the user visits a website for the first time, and the website responds with the HSTS header
– The MITM attacker can still manipulate the response and remove the HSTS header
– The user is subject to attack on first-time access (and again once max-age has expired)
– Mitigation outside the header mechanism: the HSTS preload list (hstspreload.org) ships the policy inside the browser, so preloaded domains never have a first visit over HTTP
HTTP Headers for Secure Web
• Avoiding XSS and cookie theft
– use Secure; HttpOnly in Set-Cookie
– X-XSS-Protection: 1 (legacy browser filter; since deprecated and removed from current browsers, with CSP as the replacement)
• Avoid content-type guessing by the browser
– X-Content-Type-Options: nosniff
– The browser uses the content only as the declared Content-Type
• Use Content-Security-Policy
– https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
Content Security Policy (CSP)
• Common form of attack on websites
– Interaction with the user where some input is taken
• e.g. blog comments, social media sites, forms etc.
– User input injects malicious content (cross-site scripting)
• results in website hacking, stealing of user info etc.
• CSP: An approach to limit the damage of such attacks
– Implemented via HTTP headers
– Tells the browser which origins each type of content may be loaded from; anything else is blocked
• e.g. scripts, CSS, images etc.
CSP Examples
• Header set Content-Security-Policy "default-src 'none'; script-src 'self'; img-src 'self'; style-src 'self'"
– Blocks scripts, images and styles from any site other than self, and every other content type entirely (default-src 'none'); inline scripts are blocked too unless 'unsafe-inline' is added
• script-src 'self' https://code.jquery.com
– Allows scripts from self and one more website, and no other
• upgrade-insecure-requests
– A CSP directive: the browser fetches the page's http:// subresources as https:// (distinct from the Upgrade-Insecure-Requests: 1 request header that browsers send)
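Worked example for the CSP headers above. This is an added example, not from the slides or from MDN: it parses a header into directives and decides whether a given resource load would be allowed, falling back to default-src when the specific directive is absent. The page origin mywww.com and the resource URLs are constructed; nonces, hashes and report-only mode are not modelled.

```python
# Added example (not from the workshop slides): a small evaluator for the CSP
# headers quoted above. Page and resource URLs (mywww.com) are constructed;
# nonces, hashes and report-only mode are not modelled.
from urllib.parse import urlsplit

# resource type -> the fetch directive that governs it
DIRECTIVE_FOR = {"script": "script-src", "style": "style-src", "img": "img-src",
                 "frame": "frame-src", "font": "font-src", "connect": "connect-src"}
DEFAULT_PORT = {"http": 80, "https": 443}


def parse_csp(header: str) -> dict:
    """'name src src; name2 src' -> {name: [sources]}; a repeated directive is ignored (first wins)."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def host_source_matches(source: str, url: str) -> bool:
    """Host-source forms: host, *.host, scheme://host, scheme://host:port (path ignored)."""
    scheme, _, rest = source.partition("://") if "://" in source else ("", "", source)
    host, _, port = rest.split("/")[0].partition(":")
    u = urlsplit(url)
    if scheme and u.scheme != scheme:
        return False
    if port and (u.port or DEFAULT_PORT.get(u.scheme)) != int(port):
        return False
    uhost = (u.hostname or "").lower()
    if host.startswith("*."):
        return uhost.endswith(host[1:]) and uhost != host[2:]
    return uhost == host.lower()


def source_matches(source: str, page_origin: str, url: str, inline: bool) -> bool:
    s = source.lower()
    if inline:                                   # injected <script>...</script> or onclick=...
        return s == "'unsafe-inline'"
    if s in ("'none'", "'unsafe-inline'", "'unsafe-eval'"):
        return False
    if s == "'self'":
        u = urlsplit(url)
        return f"{u.scheme}://{u.netloc}".lower() == page_origin.lower()
    if s == "*":
        return True
    if s.endswith(":"):                          # scheme source such as https:
        return urlsplit(url).scheme + ":" == s
    return host_source_matches(s, url)


def is_allowed(policy: dict, kind: str, page_origin: str, url: str = "", inline: bool = False) -> bool:
    """Would the browser load (or run) this resource under the policy?"""
    sources = policy.get(DIRECTIVE_FOR[kind], policy.get("default-src"))
    if sources is None:
        return True                              # no directive and no default-src: unrestricted
    return any(source_matches(src, page_origin, url, inline) for src in sources)


def upgrade(policy: dict, url: str) -> str:
    """upgrade-insecure-requests: the browser rewrites http:// subresource loads to https://."""
    if "upgrade-insecure-requests" in policy and url.startswith("http://"):
        return "https://" + url[len("http://"):]
    return url


STRICT = parse_csp("default-src 'none'; script-src 'self'; img-src 'self'; style-src 'self'")
JQUERY = parse_csp("script-src 'self' https://code.jquery.com")
PAGE = "https://mywww.com"

if __name__ == "__main__":
    checks = [
        ("STRICT own script", is_allowed(STRICT, "script", PAGE, "https://mywww.com/js/app.js")),
        ("STRICT mixed-content script", is_allowed(STRICT, "script", PAGE, "http://rprustagi.com/js/mywww.js")),
        ("STRICT injected inline script", is_allowed(STRICT, "script", PAGE, inline=True)),
        ("STRICT iframe (no frame-src)", is_allowed(STRICT, "frame", PAGE, "https://mywww.com/embed")),
        ("JQUERY cdn script", is_allowed(JQUERY, "script", PAGE, "https://code.jquery.com/jquery.js")),
        ("JQUERY image from anywhere", is_allowed(JQUERY, "img", PAGE, "http://rprustagi.com/img/img-02.jpg")),
    ]
    for label, ok in checks:
        print(f"{label:32} {'allowed' if ok else 'blocked'}")
```

Two results worth noticing: the injected inline script is blocked by the strict policy without any other change to the page, which is the XSS point of the CSP slide, and the jQuery-only policy still allows images from anywhere because it sets neither img-src nor default-src.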
Hands-On 4
• Implement HSTS
– Configure a web server to support HSTS
– When done for a site with a self-signed certificate, the browser ignores the header: RFC 6797 only honours HSTS received over an error-free TLS connection, so import the certificate as trusted first
– Use browser developer tools (or wget -S / curl -I) to verify that the HSTS header comes in the response
– Identify websites that have implemented HSTS, e.g. amazon.com
• Access these websites with HTTP and verify that the access is made with HTTPS and not with HTTP
Exploration Exercises
• Implement sslstrip and see if you can capture your team mate's credentials when s/he accesses http://flipkart.com, or any other e-commerce website
• Implement CSP for the following types of content
– images
– scripts
– stylesheets (css)
• Implement ICMP errors: ICMP Redirect, PMTU Discovery, TTL Expired, Fragmentation
• Implement Proxy ARP and Gratuitous ARP
Summary
• HTTPS overview
• SSL certificates
• Mixed content
• MITM attack
• ARP spoofing
• MITM for browsers with sslstrip
• HSTS protocol
• CSP
• Secure HTTP headers
Thank You