HTTP Security Headers
- 2. Agenda
• Who am I
• HTTP Security Headers
• HTTP Strict Transport Security (HSTS)
• HTTP Public Key Pins (HPKP)
• X-Frame-Options
• X-XSS-Protection
• Content Security Policy (CSP)
• Set-Cookie Options
• X-Content-Type-Options
• Referrer-Policy
• Conclusion
• References
- 3. Who am I
• Senior Security Consultant
• 10 years of application security work (coding, defense, attack)
• OWASP contributor (Brasília chapter, Top Ten Cheatsheet, OWASP Testing Guide)
• Practitioner of responsible vulnerability disclosure
• ISC2 volunteer for CISSP questions
• Independent researcher
- 4. HTTP Security Headers
• Evolution of the security model
• Protection of the communication channel
• Client-side security
• Enforcement of security policies in the browser
- 5. Typical HTTP request
GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.110 Mobile Safari/537.36
Host: www.exemplo.com
Accept: */*
HTTP/1.1 200 OK
Date: Fri, 17 Mar 2017 07:45:30 GMT
Server: Apache/2.2.8 (Ubuntu) DAV/2
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 891
Content-Type: text/html
- 6. Typical HTTP request
GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.110 Mobile Safari/537.36
Host: www.exemplo.com
Accept: */*
HTTP/1.1 200 OK
Date: Fri, 17 Mar 2017 07:45:30 GMT
Server: Apache/2.2.8 (Ubuntu) DAV/2
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 891
Content-Type: text/html
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
- 7. HTTP Strict Transport Security (HSTS)
Strict-Transport-Security: max-age=<expire-time>
Strict-Transport-Security: max-age=<expire-time>; includeSubDomains
Strict-Transport-Security: max-age=<expire-time>; preload
- 8. Typical traffic for a site with HTTP/HTTPS
http://www.exemplo.com
GET / HTTP/1.0
Host: www.exemplo.com
301 Moved Permanently
Content-Length: 0
Location: https://www.exemplo.com
https://www.exemplo.com
GET / HTTP/1.0
Host: www.exemplo.com
- 12. HSTS - Considerations
- Applicable to sites that serve all of their content over HTTPS
- Deployment difficulties with L7 routing
- The preload list ALWAYS includes subdomains
- Removal can take months, since it depends on browser updates
- Mitigates SSLStrip attacks and, potentially, SSLStrip2 with preload + includeSubDomains
- Protection against MITM attacks using invalid certificates
- 13. HTTP Public Key Pins (HPKP)
Public-Key-Pins: pin-sha256=<base64==>; max-age=<expireTime>;
Public-Key-Pins: pin-sha256=<base64==>; max-age=<expireTime>; includeSubDomains
Public-Key-Pins: pin-sha256=<base64==>; max-age=<expireTime>; report-uri=<reportURI>
- 14. Valid response with HPKP headers
HTTP/1.1 200 OK
Server: GitHub.com
Status: 200 OK
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
Public-Key-Pins: max-age=5184000;
  pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18=";
  pin-sha256="RRM1dGqnDFsCJXBTHky16vi1obOlCgFFn/yOhI/y+ho=";
  pin-sha256="k2v657xBsOVe1PQRwOsHsw3bsGT2VzIqz5K+59sNQws=";
  pin-sha256="K87oWBWM9UZfyddvDfoxL+8lpNyoUB2ptGtn0fv6G2Q=";
  pin-sha256="IQBnNBEiFuhj+8x6X8XLgh01V9Ic5/V3IRQLNFFc7v4=";
  pin-sha256="iie1VXtL7HzAMF+/PVPR9xzT80kQxdZeJ+zduCB3uj0=";
  pin-sha256="LvRiGEjRqfzurezaWuj8Wie2gyHMrW5Q06LspMnox7A="; includeSubDomains
Vary: Accept-Encoding
X-Served-By: d41662224d8c44f09604b862e979767a
X-GitHub-Request-Id: B36F2320:987D:E88A2AC:5741D913
- 16. HTTP Public Key Pins - Considerations
- Requires maturity
- Report-only mode (Public-Key-Pins-Report-Only)?
- Mitigates MITM?
- Internal CA?
- Chrome/Firefox support (so far)
- 17. Trivia (HSTS, HPKP, static pinning)
- Static pins (Chromium.org)
- https://cs.chromium.org/chromium/src/net/http/transport_security_state_static.json
- Google, Facebook, Twitter, Dropbox, Yahoo, Tor
- 23k+ domains using HSTS preload
- 180 .br domains
- 21. X-Frame-Options - Considerations
- Does your site need to be opened by another site inside a frame?
- Does not support more than one domain in allow-from
- CSP 2 frame-ancestors
- Mitigates clickjacking
- 27. Content Security Policy (CSP)
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
- 28. CSP example
Response from https://twitter.com/
Content-Security-Policy: script-src 'nonce-7tS2MKRWrGdmy1/R72jiDQ==' https://connect.facebook.net https://cm.g.doubleclick.net
https://ssl.google-analytics.com https://graph.facebook.com https://twitter.com 'unsafe-eval' https://*.twimg.com
https://api.twitter.com https://analytics.twitter.com https://publish.twitter.com https://ton.twitter.com
https://syndication.twitter.com https://www.google.com https://t.tellapart.com https://platform.twitter.com
https://www.google-analytics.com 'self'; frame-ancestors 'self'; font-src https://twitter.com https://*.twimg.com data: https://ton.twitter.com
https://fonts.gstatic.com https://maxcdn.bootstrapcdn.com https://netdna.bootstrapcdn.com 'self'; media-src https://twitter.com
https://*.twimg.com https://ton.twitter.com blob: 'self'; connect-src https://graph.facebook.com https://*.giphy.com
https://*.twimg.com https://api.twitter.com https://pay.twitter.com https://analytics.twitter.com https://*.twprobe.net
https://media.riffsy.com https://embed.periscope.tv https://upload.twitter.com 'self'; style-src https://fonts.googleapis.com
https://twitter.com https://*.twimg.com https://translate.googleapis.com https://ton.twitter.com 'unsafe-inline'
https://platform.twitter.com https://maxcdn.bootstrapcdn.com https://netdna.bootstrapcdn.com 'self'; object-src https://twitter.com
https://pbs.twimg.com; default-src 'self'; frame-src https://staticxx.facebook.com https://twitter.com https://*.twimg.com
https://5415703.fls.doubleclick.net https://player.vimeo.com https://pay.twitter.com https://www.facebook.com
https://ton.twitter.com https://syndication.twitter.com https://vine.co twitter: https://www.youtube.com
https://platform.twitter.com https://upload.twitter.com https://s-static.ak.facebook.com https://4337974.fls.doubleclick.net 'self'
https://donate.twitter.com; img-src https://graph.facebook.com https://*.giphy.com https://twitter.com https://*.twimg.com
https://ad.doubleclick.net data: https://lumiere-a.akamaihd.net https://fbcdn-profile-a.akamaihd.net https://www.facebook.com
https://ton.twitter.com https://*.fbcdn.net https://syndication.twitter.com https://media.riffsy.com https://www.google.com
https://stats.g.doubleclick.net https://api.mapbox.com https://www.google-analytics.com blob: 'self'; report-uri
https://twitter.com/i/csp_report?a=NVQWGYLXFVZXO2LGOQ%3D%3D%3D%3D%3D%3D&ro=false;
Set-Cookie: fm=0; Expires=Tue, 28 Mar 2017 11:35:01 UTC; Path=/; Domain=.twitter.com; Secure; HTTPOnly
Strict-Transport-Security: max-age=631138519
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
- 30. Content Security Policy (CSP) - considerations
- Implementation difficulty: inline scripts have to be removed
<html>
<head>
<script>var msg = 'javascript inline'; alert(msg);</script>
</head>
<body>Ola!</body></html>
- 'unsafe-inline' and 'unsafe-eval' can undermine the effort
- Protection against XSS (reflected/stored), but is it definitive?
- Protection against clickjacking
- Not supported by all browsers
- 32. Set-Cookie (cookie options)
HttpOnly – cookie not accessible via JavaScript
Secure – prevents the cookie from being sent over an unencrypted channel
SameSite – prevents the cookie from being sent in cross-site requests
- 34. Set-Cookie (cookie options) - considerations
- Secure and HttpOnly
- Protection against cookie capture in clear text
- Possible reduction of XSS impact – session theft
- SameSite – supported only by Chrome
- Still a draft
- Provides good protection against CSRF/XSSI
- Lax – used with "safe" HTTP methods
- Could it hurt navigation?
- 36. X-Content-Type-Options - considerations
- Supported by all popular browsers except Safari
- Mitigates MIME confusion attacks
- The web server must return correct MIME types for the header to be useful
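The checks behind the testing tools on slide 41 can be reproduced offline. The following added example (not part of the deck) audits a raw HTTP response for the HSTS, CSP, clickjacking, X-Content-Type-Options and Set-Cookie points raised above; the two sample responses are constructed after slides 5 and 6, and the six-month HSTS threshold and the host cdn.example.com are assumptions.

```python
import re

# Constructed sample responses, modelled on slides 5 and 6 of the deck.
PLAIN = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: sessionid=abc123; Path=/
"""
HARDENED = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example.com; frame-ancestors 'none'
Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax
"""

def parse_headers(raw):
    headers = {}  # lower-cased name -> list of values (Set-Cookie may repeat)
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit(raw, min_max_age=15552000):
    # Returns the list of findings; an empty list means every check passed.
    h, findings = parse_headers(raw), []
    hsts = h.get("strict-transport-security", [""])[0].lower()
    age = re.search(r"max-age=(\d+)", hsts)
    if not age:
        findings.append("HSTS missing")
    else:
        if int(age.group(1)) < min_max_age:
            findings.append("HSTS max-age shorter than six months")
        if "includesubdomains" not in hsts:
            findings.append("HSTS without includeSubDomains")
    csp = h.get("content-security-policy", [""])[0].lower()
    if not csp:
        findings.append("CSP missing")
    else:  # script-src falls back to default-src when absent
        dirs = {d.split()[0]: d.split()[1:] for d in csp.split(";") if d.strip()}
        script = dirs.get("script-src", dirs.get("default-src", []))
        if "'unsafe-inline'" in script or "'unsafe-eval'" in script:
            findings.append("CSP allows unsafe-inline/unsafe-eval for scripts")
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append("no clickjacking protection (X-Frame-Options / frame-ancestors)")
    if "nosniff" not in h.get("x-content-type-options", [""])[0].lower():
        findings.append("X-Content-Type-Options: nosniff missing")
    for cookie in h.get("set-cookie", []):  # every cookie needs Secure, HttpOnly, SameSite
        name, attrs = cookie.split("=", 1)[0], {a.strip().split("=")[0].lower() for a in cookie.split(";")[1:]}
        findings += [f"cookie {name} lacks {flag}" for flag in ("secure", "httponly", "samesite") if flag not in attrs]
    return findings
```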
- 38. Referrer-Policy
Policy                           Document                       Navigation to                       Referrer
no-referrer                      https://example.com/page.html  any domain or path                  no referrer
no-referrer-when-downgrade       https://example.com/page.html  https://example.com/otherpage.html  https://example.com/page.html
no-referrer-when-downgrade       https://example.com/page.html  https://mozilla.org                 https://example.com/page.html
no-referrer-when-downgrade       https://example.com/page.html  http://example.org                  no referrer
origin                           https://example.com/page.html  any domain or path                  https://example.com/
origin-when-cross-origin         https://example.com/page.html  https://example.com/otherpage.html  https://example.com/page.html
origin-when-cross-origin         https://example.com/page.html  https://mozilla.org                 https://example.com/
origin-when-cross-origin         https://example.com/page.html  http://example.com/page.html        https://example.com/
same-origin                      https://example.com/page.html  https://example.com/otherpage.html  https://example.com/page.html
same-origin                      https://example.com/page.html  https://mozilla.org                 no referrer
strict-origin                    https://example.com/page.html  https://mozilla.org                 https://example.com/
strict-origin                    https://example.com/page.html  http://example.org                  no referrer
strict-origin                    http://example.com/page.html   any domain or path                  http://example.com/
strict-origin-when-cross-origin  https://example.com/page.html  https://example.com/otherpage.html  https://example.com/page.html
strict-origin-when-cross-origin  https://example.com/page.html  https://mozilla.org                 https://example.com/
strict-origin-when-cross-origin  https://example.com/page.html  http://example.org                  no referrer
unsafe-url                       https://example.com/page.html  any domain or path                  https://example.com/page.html
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
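The table above is one instance of a small decision rule: whether the target is same-origin and whether the navigation downgrades from HTTPS. The added example below (not from the deck or MDN) implements that rule for all eight policies and checks it against rows of the table; it assumes the fragment is always stripped and that only the scheme, host and port make up the origin.

```python
from urllib.parse import urlsplit

def origin(url):
    # Origin serialised the way browsers send it: scheme://host[:port]/
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}/"

def referrer(policy, document, target):
    """Referer value sent when `document` navigates to `target` (None = no header)."""
    same_origin = origin(document) == origin(target)
    # A downgrade is a navigation from an https document to a non-https target.
    downgrade = urlsplit(document).scheme == "https" and urlsplit(target).scheme != "https"
    full = document.split("#", 1)[0]  # the fragment is never sent
    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "origin":
        return origin(document)
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin(document)
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "strict-origin":
        return None if downgrade else origin(document)
    if policy == "strict-origin-when-cross-origin":
        return full if same_origin else (None if downgrade else origin(document))
    if policy == "unsafe-url":
        return full
    raise ValueError(f"unknown policy {policy!r}")

# Rows copied from the table above, as (policy, document, target, expected referrer).
TABLE = [
    ("no-referrer", "https://example.com/page.html", "https://mozilla.org", None),
    ("no-referrer-when-downgrade", "https://example.com/page.html", "http://example.org", None),
    ("origin-when-cross-origin", "https://example.com/page.html", "http://example.com/page.html", "https://example.com/"),
    ("strict-origin", "http://example.com/page.html", "https://mozilla.org", "http://example.com/"),
    ("strict-origin-when-cross-origin", "https://example.com/page.html", "http://example.org", None),
    ("unsafe-url", "https://example.com/page.html", "http://example.org", "https://example.com/page.html"),
]

def check_table(rows=TABLE):
    """Return the rows whose computed referrer disagrees with the table (empty if all match)."""
    return [r for r in rows if referrer(*r[:3]) != r[3]]
```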
- 40. Referrer-Policy - considerations
- Still under development
- Support still limited (Firefox and some Chrome features)
- Addresses privacy concerns
Referer: https://github.com/irgoncalves/jwtbf
- 41. Tools for testing the headers
https://observatory.mozilla.org/
https://securityheaders.io
https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#tab=Technical_Resources
- 42. Conclusions
- Security headers can improve the security and privacy of your users
- They are part of a defense-in-depth strategy
- Some have pitfalls and require maturity
- They require additional controls
- Support levels differ between browsers
- 43. References
- https://tools.ietf.org/html/rfc6797
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers
- https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
- https://www.owasp.org/index.php/Clickjacking
- https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
- https://scotthelme.co.uk/
- https://www.wired.com/2016/03/https-adoption-google-report/
- http://www.html5rocks.com/en/tutorials/security/content-security-policy/
- https://www.bettercap.org/blog/sslstripping-and-hsts-bypass/
- https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/45542.pdf
- https://technet.microsoft.com/library/security/2524375
- https://csp.withgoogle.com/docs/index.html
- The Tangled Web: A Guide to Securing Modern Web Applications, Michal Zalewski