HTTP Security Headers - Confraria...


HTTP Security Headers

Ismael Gonçalves

Mar/2017

https://sharingsec.blogspot.com

Agenda

• Who I am

• HTTP Security Headers

• HTTP Strict Transport Security (HSTS)

• HTTP Public Key Pins (HPKP)

• X-Frame-Options

• X-XSS-Protection

• Content Security Policy (CSP)

• Set-Cookie Options

• X-Content-Type-Options

• Referrer-Policy

• Conclusion

• References

Who I am

• Senior Security Consultant

• 10 years of work focused on application security

• OWASP contributor (Brasília chapter, Top Ten Cheat Sheet, OWASP Testing Guide)

• Practitioner of responsible vulnerability disclosure (!)

• ISC2 volunteer for CISSP exam questions

• Independent researcher

HTTP Security Headers

• Evolution of the security model

• Protection of the communication channel

• Client-side security

• Enforcement of security policies in the browser

Typical HTTP request

GET / HTTP/1.1

User-Agent: Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.110 Mobile Safari/537.36

Host: www.exemplo.com

Accept: */*

HTTP/1.1 200 OK

Date: Fri, 17 Mar 2017 07:45:30 GMT

Server: Apache/2.2.8 (Ubuntu) DAV/2

X-Powered-By: PHP/5.2.4-2ubuntu5.10

Content-Length: 891

Content-Type: text/html

Typical HTTP request

GET / HTTP/1.1

User-Agent: Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.110 Mobile Safari/537.36

Host: www.exemplo.com

Accept: */*

HTTP/1.1 200 OK

Date: Fri, 17 Mar 2017 07:45:30 GMT

Server: Apache/2.2.8 (Ubuntu) DAV/2

X-Powered-By: PHP/5.2.4-2ubuntu5.10

Content-Length: 891

Content-Type: text/html

X-Frame-Options: DENY

Strict-Transport-Security: max-age=31536000; includeSubdomains; preload

HTTP Strict Transport Security (HSTS)

Strict-Transport-Security: max-age=<expire-time>

Strict-Transport-Security: max-age=<expire-time>; includeSubDomains

Strict-Transport-Security: max-age=<expire-time>; preload

Typical traffic for a site with HTTP/HTTPS

http://www.exemplo.com

GET / HTTP/1.0

Host: www.exemplo.com

301 Moved Permanently

Content-Length: 0

Location: https://www.exemplo.com

https://www.exemplo.com

GET / HTTP/1.0

Host: www.exemplo.com

SSLStrip

GET https://www.exemplo.com (attacker to server)    |    GET http://www.exemplo.com (victim to attacker)

HTML response (server to attacker)    |    Modified HTML response, in clear text (attacker to victim)

HSTS support

http://caniuse.com/#feat=stricttransportsecurity

HSTS – under the hood

HSTS - Considerations

- Applicable to sites that serve all of their content over HTTPS

- Deployment difficulty with L7 routing

- The preload list ALWAYS includes subdomains

- Removal can take months, via a browser update

- Mitigates SSLStrip attacks and, potentially, SSLStrip2 with preload + includeSubDomains

- Protection against MITM attacks using invalid certificates
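To make "under the hood" concrete, here is an added example (not from the slides, not the author's code) that models the HSTS cache a browser keeps and the http:// to https:// rewrite it performs before any request leaves the machine, which is what removes the plaintext request SSLStrip depends on. It also checks the three preload-submission requirements (max-age of at least one year, includeSubDomains, preload). Host names are constructed; the header value is the one from the slide's example response.

```python
# Added example (not part of the original slides): a minimal model of the HSTS
# cache a browser keeps and of the http:// -> https:// rewrite it performs
# before any request leaves the machine. Host names are constructed.
import time
from urllib.parse import urlsplit, urlunsplit

# Minimum max-age the Chromium preload submission form requires (one year).
ONE_YEAR = 31536000


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into a policy dict.

    Returns None if max-age is missing or not an integer; a browser then
    ignores the whole header rather than applying it partially.
    """
    directives = {}
    for part in header_value.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = value.strip().strip('"')
    if not directives.get("max-age", "").isdigit():
        return None
    return {
        "max_age": int(directives["max-age"]),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


def preload_ready(policy):
    """Preload-list submission requirements: max-age >= 1 year,
    includeSubDomains and the preload token all present."""
    return (bool(policy) and policy["max_age"] >= ONE_YEAR
            and policy["include_subdomains"] and policy["preload"])


class HstsStore:
    """In-memory model of the browser's 'known HSTS hosts' cache."""

    def __init__(self, now=time.time):
        self.now = now
        self.entries = {}  # host -> (expires_at, include_subdomains)

    def note(self, host, header_value):
        """Record the policy for a host; max-age=0 deletes it.

        A real browser only honours the header on an error-free HTTPS
        response, so a plaintext response can never populate the cache.
        """
        policy = parse_hsts(header_value)
        if policy is None:
            return False
        if policy["max_age"] == 0:
            self.entries.pop(host.lower(), None)
        else:
            self.entries[host.lower()] = (self.now() + policy["max_age"],
                                          policy["include_subdomains"])
        return True

    def is_known(self, host):
        """True if the host, or a parent domain noted with includeSubDomains,
        has an unexpired policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires_at, include_subdomains = entry
            if expires_at > self.now() and (i == 0 or include_subdomains):
                return True
        return False

    def rewrite(self, url):
        """Upgrade http:// URLs of known hosts (RFC 6797 section 8.3: an
        explicit port 80 becomes 443, any other port is kept)."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname or ""):
            return url
        netloc = parts.hostname
        if parts.port not in (None, 80):
            netloc = "%s:%d" % (parts.hostname, parts.port)
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    store = HstsStore()
    # Header value from the slide's example response, noted for a constructed host
    store.note("www.exemplo.com", "max-age=31536000; includeSubdomains; preload")
    print(store.rewrite("http://www.exemplo.com/login"))
    print(store.rewrite("http://app.www.exemplo.com/"))
```

The store is keyed by host and walks up the label chain, so includeSubDomains covers every label below the noted host but never its parents; the first plaintext request the slide's 301 redirect would otherwise handle is never sent once the host is known.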

HTTP Public Key Pins (HPKP)

Public-Key-Pins: pin-sha256=<base64==>; max-age=<expireTime>;

Public-Key-Pins: pin-sha256=<base64==>; max-age=<expireTime>; includeSubDomains

Public-Key-Pins: pin-sha256=<base64==>; max-age=<expireTime>; report-uri=<reportURI>

Valid response with HPKP headers

HTTP/1.1 200 OK

Server: GitHub.com

Status: 200 OK

Strict-Transport-Security: max-age=31536000; includeSubdomains; preload

Public-Key-Pins: max-age=5184000; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="RRM1dGqnDFsCJXBTHky16vi1obOlCgFFn/yOhI/y+ho="; pin-sha256="k2v657xBsOVe1PQRwOsHsw3bsGT2VzIqz5K+59sNQws="; pin-sha256="K87oWBWM9UZfyddvDfoxL+8lpNyoUB2ptGtn0fv6G2Q="; pin-sha256="IQBnNBEiFuhj+8x6X8XLgh01V9Ic5/V3IRQLNFFc7v4="; pin-sha256="iie1VXtL7HzAMF+/PVPR9xzT80kQxdZeJ+zduCB3uj0="; pin-sha256="LvRiGEjRqfzurezaWuj8Wie2gyHMrW5Q06LspMnox7A="; includeSubDomains

Vary: Accept-Encoding

X-Served-By: d41662224d8c44f09604b862e979767a

X-GitHub-Request-Id: B36F2320:987D:E88A2AC:5741D913

Public Key Pins support

http://caniuse.com/#feat=publickeypinning

HTTP Public Key Pins - Considerations

- Requires maturity

- Report-only mode (Public-Key-Pins-Report-Only)?

- Mitigates MITM?

- Internal CA?

- Chrome/Firefox support (so far)
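The "requires maturity" point comes from the rules a browser applies before it trusts a Public-Key-Pins header at all. The following added example (not from the slides, not the author's code) implements those checks from RFC 7469 section 2.5: a pin is base64(SHA-256(SPKI)), at least one pin must match the served chain, and at least one pin must match nothing in the chain (the backup pin that keeps a key rotation from locking visitors out). The SPKI values are constructed byte strings standing in for DER-encoded keys; Public-Key-Pins-Report-Only has the same syntax and differs only in that failures are reported instead of enforced.

```python
# Added example (not part of the original slides): the checks RFC 7469 asks a
# user agent to make before "noting" a Public-Key-Pins header. SPKI values
# are constructed byte strings standing in for real DER-encoded keys.
import base64
import binascii
import hashlib


def spki_pin(spki_der):
    """A pin-sha256 value is base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_hpkp(header_value):
    """Parse Public-Key-Pins (same syntax for Public-Key-Pins-Report-Only).

    Returns None when max-age is missing or a pin is not a 32-byte digest.
    """
    policy = {"pins": [], "max_age": None, "include_subdomains": False, "report_uri": None}
    for part in header_value.split(";"):
        name, _, value = part.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "pin-sha256":
            try:
                digest = base64.b64decode(value, validate=True)
            except binascii.Error:
                return None
            if len(digest) != 32:
                return None
            policy["pins"].append(value)
        elif name == "max-age":
            if not value.isdigit():
                return None
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "report-uri":
            policy["report_uri"] = value
    return policy if policy["max_age"] is not None else None


def evaluate_hpkp(header_value, chain_spki_ders):
    """Decide what a browser does with the header, given the SPKIs of the
    validated certificate chain the response arrived over.

    RFC 7469 section 2.5: at least one pin must match an SPKI in the chain,
    and at least one pin must match none of them (the backup pin that lets
    the site rotate keys without locking visitors out).
    """
    policy = parse_hpkp(header_value)
    if policy is None:
        return "ignored: malformed header"
    chain_pins = {spki_pin(der) for der in chain_spki_ders}
    matching = [p for p in policy["pins"] if p in chain_pins]
    backup = [p for p in policy["pins"] if p not in chain_pins]
    if not matching:
        return "ignored: no pin matches the served chain"
    if not backup:
        return "ignored: no backup pin"
    if policy["max_age"] == 0:
        return "deleted: max-age=0"
    return "noted: %d pin(s) for %d seconds" % (len(policy["pins"]), policy["max_age"])


if __name__ == "__main__":
    leaf = b"constructed SPKI of the leaf certificate"
    backup = b"constructed SPKI of the not-yet-deployed backup key"
    header = 'pin-sha256="%s"; pin-sha256="%s"; max-age=5184000' % (spki_pin(leaf), spki_pin(backup))
    print(evaluate_hpkp(header, [leaf]))
```

The backup-pin rule is why an internal CA or an unplanned certificate change is dangerous: if the header is noted with a max-age of 60 days and the served chain later matches none of the pins, the browser refuses the connection for the rest of that period.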

Trivia (HSTS, HPKP, static pinning)

- Static pins (Chromium.org) - https://cs.chromium.org/chromium/src/net/http/transport_security_state_static.json

- Google, Facebook, Twitter, Dropbox, Yahoo, Tor

- 23k+ domains using HSTS preload

- 180 .br domains

X-Frame-Options

X-Frame-Options: DENY

X-Frame-Options: SAMEORIGIN

X-Frame-Options: ALLOW-FROM https://example.com/

Clickjacking Attack

https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009)

X-Frame-Options support

http://caniuse.com/#feat=publickeypinning

X-Frame-Options - Considerations

- Does your site need to be opened by another site inside a frame?

- Does not support more than one domain in ALLOW-FROM

- CSP 2 frame-ancestors

- Mitigates clickjacking
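The single-origin limit of ALLOW-FROM and the CSP 2 alternative are easiest to see side by side. This added example (not from the slides, not the author's code) models the browser's framing decision: when a frame-ancestors directive is present it wins over X-Frame-Options, it can list several origins and wildcards, and every ancestor in the frame chain must match, whereas ALLOW-FROM accepts exactly one origin. All URLs and the "partner" names are constructed.

```python
# Added example (not part of the original slides): a model of how a browser
# decides whether a page may be shown inside a frame, from X-Frame-Options
# and the CSP frame-ancestors directive. All URLs are constructed.
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """scheme://host[:port] with the default port omitted."""
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    if p.port is None or p.port == DEFAULT_PORTS.get(p.scheme):
        return "%s://%s" % (p.scheme, host)
    return "%s://%s:%d" % (p.scheme, host, p.port)


def _source_matches(source, ancestor_origin, document_origin):
    """Match one frame-ancestors source expression ('none', 'self', '*',
    scheme:, host or *.host with optional scheme) against one ancestor origin."""
    if source == "'none'":
        return False
    if source == "'self'":
        return ancestor_origin == document_origin
    if source == "*":
        return True
    a_scheme, _, a_hostport = ancestor_origin.partition("://")
    a_host = a_hostport.split(":")[0]
    if "://" not in source and source.endswith(":"):
        return a_scheme == source[:-1]            # scheme-source, e.g. "https:"
    s_scheme, _, s_host = source.rpartition("://")
    if s_scheme and s_scheme != a_scheme:
        return False
    s_host = s_host.split(":")[0].lower()
    if s_host.startswith("*."):
        return a_host.endswith(s_host[1:])         # *.example.com: subdomains only
    return a_host == s_host


def frame_ancestors(csp):
    """Return the frame-ancestors source list, or None if the policy lacks it."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def may_be_framed(document_url, ancestor_urls, x_frame_options=None, csp=None):
    """Return (allowed, reason). ancestor_urls runs from the immediate parent
    to the top-level page. A frame-ancestors directive takes precedence over
    X-Frame-Options (CSP Level 2), may name several origins, and every
    ancestor in the chain must match one of its sources."""
    doc_origin = origin_of(document_url)
    ancestors = [origin_of(u) for u in ancestor_urls]
    if not ancestors:
        return True, "not framed"
    sources = frame_ancestors(csp) if csp else None
    if sources is not None:
        ok = all(any(_source_matches(s, a, doc_origin) for s in sources) for a in ancestors)
        return ok, "frame-ancestors %s" % " ".join(sources)
    if x_frame_options:
        value = x_frame_options.strip()
        if value.upper() == "DENY":
            return False, "X-Frame-Options: DENY"
        if value.upper() == "SAMEORIGIN":
            return all(a == doc_origin for a in ancestors), "X-Frame-Options: SAMEORIGIN"
        parts = value.split(None, 1)
        if parts[0].upper() == "ALLOW-FROM" and len(parts) == 2:
            allowed = origin_of(parts[1])          # exactly one origin, checked on the top-level page
            return ancestors[-1] == allowed, "X-Frame-Options: ALLOW-FROM " + allowed
        return True, "X-Frame-Options: unrecognised value, ignored"
    return True, "no framing restriction"


if __name__ == "__main__":
    page = "https://www.exemplo.com/page"
    print(may_be_framed(page, ["https://evil.example/"], x_frame_options="DENY"))
    print(may_be_framed(page, ["https://app.partner.example/"],
                        csp="frame-ancestors 'self' https://*.partner.example"))
```

Sending both headers is the usual deployment: browsers that understand frame-ancestors ignore X-Frame-Options, older ones fall back to it.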

X-XSS-Protection

X-XSS-Protection: 0

X-XSS-Protection: 1

X-XSS-Protection: 1; mode=block

Cross-Site Scripting (XSS) Attack

X-XSS-Protection support

https://developer.mozilla.org/pt-BR/docs/Web/HTTP/Headers/X-XSS-Protection

X-XSS-Protection - Considerations

- Protection only against reflected XSS

- Not supported by Firefox

- Problems with the XSS filter

Content Security Policy (CSP)

Content-Security-Policy: <policy>; <policy>

Content Security Policy (CSP)

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy

CSP example - response from https://twitter.com/

Content-Security-Policy: script-src 'nonce-7tS2MKRWrGdmy1/R72jiDQ==' https://connect.facebook.net https://cm.g.doubleclick.net https://ssl.google-analytics.com https://graph.facebook.com https://twitter.com 'unsafe-eval' https://*.twimg.com https://api.twitter.com https://analytics.twitter.com https://publish.twitter.com https://ton.twitter.com https://syndication.twitter.com https://www.google.com https://t.tellapart.com https://platform.twitter.com https://www.google-analytics.com 'self'; frame-ancestors 'self'; font-src https://twitter.com https://*.twimg.com data: https://ton.twitter.com https://fonts.gstatic.com https://maxcdn.bootstrapcdn.com https://netdna.bootstrapcdn.com 'self'; media-src https://twitter.com https://*.twimg.com https://ton.twitter.com blob: 'self'; connect-src https://graph.facebook.com https://*.giphy.com https://*.twimg.com https://api.twitter.com https://pay.twitter.com https://analytics.twitter.com https://*.twprobe.net https://media.riffsy.com https://embed.periscope.tv https://upload.twitter.com 'self'; style-src https://fonts.googleapis.com https://twitter.com https://*.twimg.com https://translate.googleapis.com https://ton.twitter.com 'unsafe-inline' https://platform.twitter.com https://maxcdn.bootstrapcdn.com https://netdna.bootstrapcdn.com 'self'; object-src https://twitter.com https://pbs.twimg.com; default-src 'self'; frame-src https://staticxx.facebook.com https://twitter.com https://*.twimg.com https://5415703.fls.doubleclick.net https://player.vimeo.com https://pay.twitter.com https://www.facebook.com https://ton.twitter.com https://syndication.twitter.com https://vine.co twitter: https://www.youtube.com https://platform.twitter.com https://upload.twitter.com https://s-static.ak.facebook.com https://4337974.fls.doubleclick.net 'self' https://donate.twitter.com; img-src https://graph.facebook.com https://*.giphy.com https://twitter.com https://*.twimg.com https://ad.doubleclick.net data: https://lumiere-a.akamaihd.net https://fbcdn-profile-a.akamaihd.net https://www.facebook.com https://ton.twitter.com https://*.fbcdn.net https://syndication.twitter.com https://media.riffsy.com https://www.google.com https://stats.g.doubleclick.net https://api.mapbox.com https://www.google-analytics.com blob: 'self'; report-uri https://twitter.com/i/csp_report?a=NVQWGYLXFVZXO2LGOQ%3D%3D%3D%3D%3D%3D&ro=false;

Set-Cookie: fm=0; Expires=Tue, 28 Mar 2017 11:35:01 UTC; Path=/; Domain=.twitter.com; Secure; HTTPOnly

Strict-Transport-Security: max-age=631138519

X-Frame-Options: SAMEORIGIN

X-XSS-Protection: 1; mode=block

Content Security Policy (CSP) support

http://caniuse.com/#feat=contentsecuritypolicy2

Content Security Policy (CSP) - Considerations

- Implementation difficulty: removal of inline scripts

<html>
<head>
<script>var msg = 'javascript inline'; alert(msg);</script>
</head>
<body>Ola!</body></html>

- 'unsafe-inline' and 'unsafe-eval' can undermine the effort

- Protection against XSS (reflected/stored), but is it definitive?

- Protection against clickjacking

- Not supported by all browsers
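To show what "can undermine the effort" means in practice, here is an added example (not from the slides, not the author's or Twitter's code): a small linter that flags 'unsafe-inline' and 'unsafe-eval', a missing default-src, object-src or frame-ancestors, and a missing report-uri, plus the nonce pattern that lets the slide's inline script run under a strict policy. The policy it lints is a constructed shortening of the twitter.com response shown above; the "weak" policy in the test is constructed.

```python
# Added example (not part of the original slides): a small linter for a
# Content-Security-Policy value, flagging the weaknesses the slides warn about,
# plus the nonce pattern that lets one inline script through without
# 'unsafe-inline'. The sample policy is trimmed from the twitter.com response
# on the slide; everything else is constructed.
import base64
import secrets


def parse_csp(policy):
    """'script-src a b; img-src c' -> {'script-src': ['a', 'b'], 'img-src': ['c']}.
    Browsers honour only the first occurrence of a duplicated directive."""
    directives = {}
    for item in policy.split(";"):
        tokens = item.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def effective_sources(directives, name):
    """Fetch directives fall back to default-src when not set explicitly."""
    return directives[name] if name in directives else directives.get("default-src", [])


def lint_csp(policy):
    """Return a list of human-readable findings (empty means nothing flagged)."""
    d = parse_csp(policy)
    findings = []
    if "default-src" not in d:
        findings.append("no default-src: every unlisted fetch directive is unrestricted")
    scripts = effective_sources(d, "script-src")
    has_nonce_or_hash = any(s.startswith("'nonce-") or s.startswith("'sha") for s in scripts)
    if "'unsafe-inline'" in scripts and not has_nonce_or_hash:
        # With a nonce or hash present, CSP2 browsers ignore 'unsafe-inline' (kept for CSP1 fallback)
        findings.append("script-src 'unsafe-inline' without nonce/hash: injected inline scripts run")
    if "'unsafe-eval'" in scripts:
        findings.append("script-src 'unsafe-eval': eval()/new Function() on attacker strings still run")
    if "*" in scripts or "https:" in scripts or "http:" in scripts:
        findings.append("script-src allows any host: scripts can be loaded from anywhere")
    if "'unsafe-inline'" in effective_sources(d, "style-src"):
        findings.append("style-src 'unsafe-inline': injected inline styles are allowed")
    if effective_sources(d, "object-src") != ["'none'"]:
        findings.append("object-src is not 'none': plugin content (Flash, Java) can still load")
    if "frame-ancestors" not in d:
        findings.append("no frame-ancestors: clickjacking defence rests on X-Frame-Options alone")
    if "report-uri" not in d and "report-to" not in d:
        findings.append("no report-uri: policy violations are never reported")
    return findings


def make_nonce():
    """A fresh, unguessable nonce per response (128 bits, base64)."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def policy_for(nonce):
    """A strict policy: only same-origin scripts and inline scripts carrying the nonce."""
    return ("default-src 'self'; script-src 'self' 'nonce-%s'; object-src 'none'; "
            "frame-ancestors 'self'; report-uri /csp-report" % nonce)


def inline_script(nonce, js):
    """Render the slide's inline script so that it passes policy_for(nonce).
    js must be server-authored, never user input, and must not contain '</script'."""
    if "</script" in js.lower():
        raise ValueError("script body would terminate the element")
    return '<script nonce="%s">%s</script>' % (nonce, js)


# Trimmed from the twitter.com response shown on the slide (constructed shortening)
TWITTER_POLICY = (
    "script-src 'nonce-7tS2MKRWrGdmy1/R72jiDQ==' https://connect.facebook.net 'unsafe-eval' "
    "https://*.twimg.com 'self'; frame-ancestors 'self'; style-src https://fonts.googleapis.com "
    "'unsafe-inline' 'self'; object-src https://twitter.com https://pbs.twimg.com; "
    "default-src 'self'; report-uri https://twitter.com/i/csp_report?a=NVQWGYLXFVZXO2LGOQ%3D%3D%3D%3D%3D%3D&ro=false;"
)

if __name__ == "__main__":
    for finding in lint_csp(TWITTER_POLICY):
        print("-", finding)
    nonce = make_nonce()
    print(policy_for(nonce))
    print(inline_script(nonce, "var msg = 'javascript inline'; alert(msg);"))
```

Run against the trimmed Twitter policy the linter reports three things: 'unsafe-eval' in script-src, 'unsafe-inline' in style-src, and an object-src that is not 'none'. The nonce must be generated per response and never reused, otherwise an attacker who has seen one page can use it in injected markup.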

Set-Cookie (cookie options)

Set-Cookie: <key>=<value>; Expires=<expiryDate>; Secure; HttpOnly; SameSite=<strict/lax>

Set-Cookie (cookie options)

HttpOnly – Cookie not accessible via JavaScript

Secure – Prevents sending the cookie over an unencrypted channel

SameSite – Prevents sending the cookie on cross-site requests

CSRF

Set-Cookie (cookie options) - Considerations

- Secure and HttpOnly

- Protection against capturing cookies in clear text

- Possible reduction of XSS impact – session theft

- SameSite – Supported only by Chrome

- Still a draft

- Provides good protection against CSRF/XSSI

- Lax – used with "safe" HTTP methods

- Could it harm navigation?
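The "Lax with safe methods" and "could it harm navigation?" points are about when the browser attaches the cookie. This added example (not from the slides, not the author's code) parses a Set-Cookie header, audits it for the three attributes the slide lists, and models the SameSite decision for a cross-site request: without SameSite the cookie travels with a cross-site POST (the classic CSRF case), Strict never crosses sites (so a link from another site arrives logged out), and Lax crosses only on top-level navigations with a safe method. The twitter.com cookie is the one on the slide; bank.example and evil.example are constructed, and the registrable-domain check is simplified to the last two labels rather than the Public Suffix List.

```python
# Added example (not part of the original slides): parse a Set-Cookie header,
# audit the attributes the slide lists, and model whether the browser
# attaches the cookie to a request under SameSite=Strict / Lax / absent.
# Hosts and cookies are constructed; the twitter.com cookie is the slide's.
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def parse_set_cookie(header_value):
    """'k=v; Attr; Attr=val' -> (name, value, {attr_lowercase: val_or_True})."""
    first, *rest = [p.strip() for p in header_value.split(";")]
    name, _, value = first.partition("=")
    attributes = {}
    for item in rest:
        if item:
            k, _, v = item.partition("=")
            attributes[k.strip().lower()] = v.strip() if v else True
    return name.strip(), value, attributes


def audit_cookie(header_value):
    """Findings for a session cookie missing Secure, HttpOnly or SameSite."""
    name, _, attrs = parse_set_cookie(header_value)
    findings = []
    if "secure" not in attrs:
        findings.append("%s: missing Secure, can be sent over plaintext HTTP" % name)
    if "httponly" not in attrs:
        findings.append("%s: missing HttpOnly, readable by script after XSS" % name)
    if str(attrs.get("samesite", "")).lower() not in ("strict", "lax"):
        findings.append("%s: no SameSite=Strict/Lax, attached to cross-site requests (CSRF)" % name)
    return findings


def site_of(host):
    """Registrable domain, simplified to the last two labels (browsers use the
    Public Suffix List, which this model does not include)."""
    return ".".join(host.lower().split(".")[-2:])


def cookie_sent(attrs, request_url, initiator_url, method="GET", top_level_navigation=False):
    """Would the browser attach a cookie with these attributes?

    Same-site = same registrable domain. Without SameSite the cookie goes
    with every cross-site request, which is what CSRF exploits; Strict never
    crosses sites; Lax crosses only on top-level navigations with a "safe"
    method, so a link click keeps the session but a cross-site POST does not.
    """
    target, initiator = urlsplit(request_url), urlsplit(initiator_url)
    if "secure" in attrs and target.scheme != "https":
        return False
    if site_of(target.hostname or "") == site_of(initiator.hostname or ""):
        return True
    mode = str(attrs.get("samesite", "")).lower()
    if mode == "strict":
        return False
    if mode == "lax":
        return top_level_navigation and method.upper() in SAFE_METHODS
    return True  # no SameSite: 2017 draft semantics, no restriction


if __name__ == "__main__":
    slide_cookie = "fm=0; Expires=Tue, 28 Mar 2017 11:35:01 UTC; Path=/; Domain=.twitter.com; Secure; HTTPOnly"
    print(audit_cookie(slide_cookie))
    lax = parse_set_cookie("sid=abc; Secure; HttpOnly; SameSite=Lax")[2]
    print(cookie_sent(lax, "https://bank.example/transfer", "https://evil.example/", "POST", True))
```

The Expires value contains a comma, which is why the parser splits on ";" only; the same parser run over the slide's twitter.com cookie reports only the missing SameSite attribute.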

X-Content-Type-Options

X-Content-Type-Options: nosniff

X-Content-Type-Options - Considerations

- Supported by all popular browsers except Safari

- Mitigates MIME confusion attacks

- The web server must return correct MIME types for the header to be usable

Referrer-Policy

Referrer-Policy: <diretiva>

Referrer-Policy: no-referrer

Referrer-Policy: no-referrer-when-downgrade

Referrer-Policy: origin

Referrer-Policy: origin-when-cross-origin

Referrer-Policy: same-origin

Referrer-Policy: strict-origin

Referrer-Policy: strict-origin-when-cross-origin

Referrer-Policy: unsafe-url

Referrer-Policy                   Document                        Navigation to                        Referrer

no-referrer                       https://example.com/page.html   any domain or path                   no referrer

no-referrer-when-downgrade        https://example.com/page.html   https://example.com/otherpage.html   https://example.com/page.html

no-referrer-when-downgrade        https://example.com/page.html   https://mozilla.org                  https://example.com/page.html

no-referrer-when-downgrade        https://example.com/page.html   http://example.org                   no referrer

origin                            https://example.com/page.html   any domain or path                   https://example.com/

origin-when-cross-origin          https://example.com/page.html   https://example.com/otherpage.html   https://example.com/page.html

origin-when-cross-origin          https://example.com/page.html   https://mozilla.org                  https://example.com/

origin-when-cross-origin          https://example.com/page.html   http://example.com/page.html         https://example.com/

same-origin                       https://example.com/page.html   https://example.com/otherpage.html   https://example.com/page.html

same-origin                       https://example.com/page.html   https://mozilla.org                  no referrer

strict-origin                     https://example.com/page.html   https://mozilla.org                  https://example.com/

strict-origin                     https://example.com/page.html   http://example.org                   no referrer

strict-origin                     http://example.com/page.html    any domain or path                   http://example.com/

strict-origin-when-cross-origin   https://example.com/page.html   https://example.com/otherpage.html   https://example.com/page.html

strict-origin-when-cross-origin   https://example.com/page.html   https://mozilla.org                  https://example.com/

strict-origin-when-cross-origin   https://example.com/page.html   http://example.org                   no referrer

unsafe-url                        https://example.com/page.html   any domain or path                   https://example.com/page.html

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy

Referrer-Policy support

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy

Referrer-Policy - Considerations

- Still under development

- Still limited support (Firefox and some Chrome features)

- Deals with privacy issues

Referer: https://github.com/irgoncalves/jwtbf
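The policy table above can be turned into a function, which is what this added example (not from the slides, not the author's code) does: given a policy, the document URL and the navigation target, it returns the Referer value the browser sends, or None for "no referrer". The two inputs that decide every row are whether the target is same-origin and whether the navigation is a downgrade from HTTPS to plaintext; credentials and the fragment are always stripped. The example URLs are the table's own; the privacy point on the slide is the unsafe-url and no-referrer-when-downgrade cases, where the full path (such as a repository URL) leaves the site.

```python
# Added example (not part of the original slides): the Referer value a browser
# sends for each Referrer-Policy value, reproducing the MDN table on the slide.
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _hostport(parts):
    """host[:port], lower-cased, with the default port omitted."""
    host = (parts.hostname or "").lower()
    if parts.port is not None and parts.port != DEFAULT_PORTS.get(parts.scheme):
        host = "%s:%d" % (host, parts.port)
    return host


def origin_of(url):
    """'https://example.com/page.html' -> 'https://example.com/' (as in the table)."""
    p = urlsplit(url)
    return "%s://%s/" % (p.scheme, _hostport(p))


def strip_for_referrer(url):
    """Full URL minus credentials and fragment, as the Referer header carries it."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, _hostport(p), p.path, p.query, ""))


def referrer_for(policy, document_url, target_url):
    """Referer sent when document_url navigates to (or fetches from) target_url
    under the given policy; None means no Referer header at all."""
    doc, target = urlsplit(document_url), urlsplit(target_url)
    full, origin = strip_for_referrer(document_url), origin_of(document_url)
    same_origin = origin == origin_of(target_url)
    downgrade = doc.scheme == "https" and target.scheme != "https"  # TLS -> plaintext
    policy = policy.lower()
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "origin":
        return origin
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return full
        return None if downgrade else origin
    raise ValueError("unknown Referrer-Policy: %s" % policy)


if __name__ == "__main__":
    page = "https://example.com/page.html"
    for name in ("no-referrer-when-downgrade", "strict-origin-when-cross-origin", "no-referrer"):
        print(name, "->", referrer_for(name, page, "https://mozilla.org"))
```

no-referrer-when-downgrade is the historical browser default, which is why a path-bearing URL reaches every HTTPS third party unless a stricter policy is set; strict-origin-when-cross-origin keeps the full URL for same-origin requests and sends only the origin elsewhere.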

Tools for testing the headers

https://observatory.mozilla.org/

https://securityheaders.io

https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#tab=Technical_Resources

Conclusions

- Security headers can improve the security and privacy of your users

- They are part of a defense-in-depth strategy

- Some have pitfalls and require maturity

- They require additional controls

- Different levels of support across browsers

References

- https://tools.ietf.org/html/rfc6797

- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers

- https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

- https://www.owasp.org/index.php/Clickjacking

- https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

- https://scotthelme.co.uk/

- https://www.wired.com/2016/03/https-adoption-google-report/

- http://www.html5rocks.com/en/tutorials/security/content-security-policy/

- https://www.bettercap.org/blog/sslstripping-and-hsts-bypass/

- https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/45542.pdf

- https://technet.microsoft.com/library/security/2524375

- https://csp.withgoogle.com/docs/index.html

- The Tangled Web: A Guide to Securing Modern Web Applications, Michał Zalewski