Securing The Client Side WebHTTPS, CSP, and Sandboxes 15.1.2015

Hello World!

Niklas LindgrenSpecialist

Email: niklas@sc5.io

Twitter: @nikcorg

Psst! Not a security specialist

Do you trust me?

● can I be sure I know who I’m talking to?● can I be sure no one is eavesdropping?● can I be sure messages aren’t tampered with during

transit?

Man in the Middle

WWW

Switch Gateway

Normal traffic flow

WWW

Switch Gateway

Traffic Flow in a Man-in-the-Middle Attack

HTTPS (HTTP + SSL/TLS)

● ensures you know who you are talking to● ensures delivered content is unmodified in transit● eliminates man-in-the-middle attacks● use HTTP only for redirecting to HTTPS● enables using secure cookies● Google rewards SSL protected websites

○ http://googlewebmastercentral.blogspot.fi/2014/08/https-as-ranking-signal.html

● performance hit is negligible○ https://IsTLSFastYet.com/

Certificate Shopping

● https://www.startssl.com/○ from 0 USD and up

● https://sslmate.com/○ from ~15 USD / year○ buy and renew from the command line

● https://letsencrypt.org/○ free service○ coming summer 2015

● HTTP to HTTPS redirect is done client side● ensures no network connection is unencrypted HTTP● if a secure connection cannot be established, the

connection is blocked● fixes SSL stripping man-in-the-middle

HTTP Strict Transport Security (HSTS)

WWW

SSL Stripping Man in the Middle Attack

Plain text HTTP Encrypted HTTPS

Browser Support

Strict-Transport-Security:

max-age=123456789;

includeSubDomains

● max-age defines the expiry time in seconds● includeSubDomains declares the policy should be

enforced on the declaring host and all its subdomains

Howto

Caveats

● first ever connection could still be over HTTP, leaving a window for a SSL stripping man-in-the-middle attack

HTTP Public Key Pinning (HPKP)

● prevents certificate forgery

Browser Support

Public-Key-Pins: pin-sha256="<hash>="; max-age=<secs>; includeSubDomains

● pin-sha256 is the key hash (can have multiple) ● max-age defines the expiry time in seconds● includeSubDomains declares the policy should be

enforced on the declaring host and all its subdomains

Howto

● unless you have a backup certificate and you have to revoke your primary certificate, your site will be unreachable

● first ever connection could still be over HTTP, leaving a window for a SSL stripping man-in-the-middle attack

Caveats

● sites can be added to HSTS Preload lists included in the browser application

● solves the initial non-HTTPS connection problem● doesn’t scale● in Chrome you can verify, add and delete sites

manually via chrome://net-internals/#hsts

HSTS Preloading

Howto

Strict-Transport-Security:

max-age=123456789;

includeSubDomains;

preload

● add preload to your existing HSTS policy and submit your site via https://hstspreload.appspot.com/

● NB! Only for Chrome, but Firefox & Safari supposedly include Chrome’s preload list at least partially

Recap

● use HTTPS● use HSTS● consider HPKP● consider including your app on a HSTS preload list

Content Security Policy (CSP)

● mitigates XSS attacks○ If script is inject into your application, it’s no longer your

application -- Brad Hill, PayPal● white list origins that are considered good sources● separate lists for different media● provides policy violation reports● not a replacement for other counter measures, but a

great supplement

Browser Support

● no inline Styles● no inline JavaScript, including inline event handlers ● no eval● setTimeout/setInterval won’t accept strings as first

param, only functions

Caveats

● media-src○ video/audio

● object-src○ plugins

● sandbox○ sandboxes the document

● style-src○ stylesheets

● script-src○ javascript

● report-uri○ violation reports

Directives

● default-src○ catch all

● connect-src○ XHR / WebSocket /

EventSource● font-src

○ fonts● frame-src

○ iframes● img-src

○ images

Origins

● ‘none’ (nothing matches)● ‘self’ (matches own origin, not subdomains)● ‘unsafe-inline’ (allow inline script and style)● ‘unsafe-eval’ (allow eval’ed script)● data:, blob:● scheme://host:port/path● *, *.mycdn.com (wildcards)

Howto

● transmitted as a HTTP header● semicolon delimited list of directives● directive has space delimited list of origins

Content-Security-Policy(-Report-Only):

default-src ‘self’;

script-src ‘none’;

default-src

● default-src ‘none’○ disallow any non-whitelisted sources

● default-src ‘self’○ allow all connections to the host documents origin

● default-src https○ allow any connections, as long they’re HTTPS

● default-src *○ allow everything that doesn’t have its own directive

● script-src ‘self’○ only scripts from own origin is allowed (excludes subdomains)

● script-src ‘unsafe-inline’○ allow inline scripts

● script-src ‘unsafe-eval’○ allow eval’ed scripts

● script-src blob:○ allow blobs as script source, useful for inlined web workers

● script-src www.google-analytics.com○ allow scripts coming from www.google-analytics.com

script-src

report-uri

{

"csp-report": {

"document-uri": "http://example.org/page.html",

"referrer": "http://evil.example.com/haxor.html",

"blocked-uri": "http://evil.example.com/image.png",

"violated-directive": "default-src 'self'",

"original-policy":

"default-src 'self';

report-uri http://example.org/csp-report.cgi"

}

}

● level 2 (formerly 1.1) is a work in progress○ Last Call Working Draft since 3.7.2014○ http://www.w3.org/TR/CSP2/

● available in Chrome behind flags

CSP Level 2

script-srcContent-Security-Policy: script-src ‘nonce-12345’;

<script nonce=”12345”>alert(“Hello”)</script>

Content-Security-Policy: script-src

‘sha256-<base64 encoded hash>’;

<script>alert(“Hello”);</script>

child-src

● allowed sources for worker contexts● allowed sources for child browsing contexts● deprecates frame-src

form-action

● limit where forms can be submitted to using the form’s action attribute

● does not fall back to default-src must be explicitly defined

referrer

● allows fine grained control on the referrer header sent when leaving the site

● available settings are: ○ none (never send referrer)○ none-when-downgrade (never send when https -> http)○ origin (send origin only)○ origin-when-cross-origin (origin only to cross origin

destinations)○ unsafe-url (business as usual)

plugin-types

● list of allowed mime types handles by plugins ● deprecates object-src

Sandboxes

<iframe sandbox />

● unique origin ● will never match any origin, including its own● secure by default (least privilege)● switch features on as needed● messaging can be used for transport between host

and sandbox● Chrome, Firefox, Safari, Opera, IE10

Browser Support

Capabilities you can enable

● allow-forms● allow-popups● allow-pointer-lock● allow-same-origin● allow-scripts● allow-top-navigation

● object is not allowed in sandboxed iframes, i.e. no flash, so applicability for e.g. ads is limited

● iframes within sandboxed iframes cannot be seamless

● sandboxed iframes with allow-same-origin, who share the origin with host document, can remove the sandbox attribute

Caveats

Use Cases

● load 3rd party widgets in sandboxes

<iframe src=”http://twitter.com/widget”sandbox=”allow-same-origin allow-popups allow-scripts”

/>

● sandbox your own code that would violate your CSP○ message passing via postMessage is still possible○ see HTML5Rocks introduction for demo○ http://www.html5rocks.com/en/tutorials/security/sandboxed-

iframes/#safely-sandboxing-eval

● the whole document is treated as though it was loaded inside a sandboxed iframe

● no plugins● no seamless iframes

Sandbox directive in CSP

X-XSS-Protection

● from our friends at Microsoft● XSS protection through heuristics● first appeared in IE8

○ very buggy implementation○ awarded a PWNIE award in 2010

X-XSS-Protection: 0 // OFF

X-XSS-Protection: 1 // ON

// Block connection if filter matches

X-XSS-Protection: 1; mode=block

X-Frame-Options

● prevents clickjacking and framesniffing

X-Frame-Options: DENY

X-Frame-Options: SAMEORIGIN

X-Frame-Options: ALLOW-FROM origin

X-Content-Type-Options

● forbids the browser to perform mime type sniffing● prevents evaluating scripts and stylesheets delivered

with incorrect mime type headers● must be sent with the resource being downloaded● IE >= 9

X-Content-Type-Options: noSniff

X-Download-Options

● prevents the browser displaying downloaded content, i.e. force save

● must be sent with the resource being downloaded● IE only

X-Download-Options: noOpen

Tools

● CSP Builder https://cspbuilder.info○ compiles a CSP policy based on violation reports

● Helmet (Express/Connect)○ CSP (1.0 only) and some other

● Zend Framework 2.3 has built in CSP support● Nelmio Security Bundle (Symfony)● Content-Security-Policy plugin for WordPress (sadly

outdated)

Thank you@nikcorg

Links● https://hstspreload.appspot.com/● https://wiki.mozilla.org/Privacy/Features/HSTS_Preload_List● https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning● http://caniuse.com/#feat=contentsecuritypolicy● http://caniuse.com/#feat=iframe-sandbox● http://caniuse.com/#feat=stricttransportsecurity● https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning#Browser_compatibility● http://www.html5rocks.com/en/tutorials/security/transport-layer-security/● http://www.html5rocks.com/en/tutorials/security/content-security-policy/● http://www.html5rocks.com/en/tutorials/security/sandboxed-iframes/● http://content-security-policy.com/● https://blog.twitter.com/2011/improving-browser-security-csp● https://docs.angularjs.org/api/ng/directive/ngCsp● http://www.dotnetnoob.com/2012/09/security-through-http-response-headers.html● http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx● https://w3c.github.io/webappsec/specs/content-security-policy/#changes-from-level-1● https://wiki.mozilla.org/Security/Server_Side_TLS● https://scotthelme.co.uk/hsts-the-missing-link-in-tls/● https://www.chromium.org/hsts● http://www.cspplayground.com/