HTTP Security Headers
Ismael Gonçalves
Mar/2017
https://sharingsec.blogspot.com
Agenda
• Who am I
• HTTP Security Headers
• HTTP Strict Transport Security (HSTS)
• HTTP Public Key Pins (HPKP)
• X-Frame-Options
• X-XSS-Protection
• Content Security Policy (CSP)
• Set-Cookie options
• X-Content-Type-Options
• Referrer-Policy
• Conclusion
• References
Who am I
• Senior Security Consultant
• 10 years of application security work (coding, defence, offence)
• OWASP contributor (Brasília chapter, Top Ten Cheatsheet, OWASP Testing Guide)
• Practitioner of responsible vulnerability disclosure
• ISC2 volunteer for CISSP exam questions
• Independent researcher
HTTP Security Headers
• Evolution of the security model
• Protection of the communication channel
• Client-side security
• Enforcement of security policies in the browser
Typical HTTP request
GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.110 Mobile Safari/537.36
Host: www.exemplo.com
Accept: */*
HTTP/1.1 200 OK
Date: Fri, 17 Mar 2017 07:45:30 GMT
Server: Apache/2.2.8 (Ubuntu) DAV/2
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 891
Content-Type: text/html
Typical HTTP request
GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.110 Mobile Safari/537.36
Host: www.exemplo.com
Accept: */*
HTTP/1.1 200 OK
Date: Fri, 17 Mar 2017 07:45:30 GMT
Server: Apache/2.2.8 (Ubuntu) DAV/2
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 891
Content-Type: text/html
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
HTTP Strict Transport Security (HSTS)
Strict-Transport-Security: max-age=<expire-time>
Strict-Transport-Security: max-age=<expire-time>; includeSubDomains
Strict-Transport-Security: max-age=<expire-time>; preload
Typical traffic for a site with HTTP/HTTPS
http://www.exemplo.com
GET / HTTP/1.0
Host: www.exemplo.com
301 Moved Permanently
Content-Length: 0
Location: https://www.exemplo.com
https://www.exemplo.com
GET / HTTP/1.0
Host: www.exemplo.com
SSLStrip
[Diagram: the attacker sits on the path between the victim and the site]
victim -> attacker: GET http://www.exemplo.com
attacker -> site: GET https://www.exemplo.com
site -> attacker: HTML response
attacker -> victim: modified HTML response, in clear text
HSTS support
http://caniuse.com/#feat=stricttransportsecurity
HSTS under the hood
HSTS - Considerations
- Applicable to sites that serve all of their content over HTTPS
- Deployment difficulty with L7 routing
- The preload list ALWAYS includes subdomains
- Removal can take months, since it happens via browser updates
- Mitigates SSLStrip attacks and, potentially, SSLStrip2 with preload + includeSubDomains
- Protection against MITM attacks using invalid certificates
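The HSTS slides above describe the header syntax, the SSLStrip downgrade it closes, and the fact that a noted policy expires only after max-age. The following Python is an added example, not code from the deck: it parses a Strict-Transport-Security value and models the client side of RFC 6797 (the HSTS cache with expiry, includeSubDomains matching on parent domains, the "only note it over TLS" rule, and the http-to-https URI rewrite). The class and function names are this example's own; www.exemplo.com is the placeholder host used on the slides.

```python
"""HSTS: parse the header and model how a browser stores and applies it (RFC 6797)."""
import time
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value; None if it is unusable (no valid max-age)."""
    max_age = None
    include_subdomains = False
    preload = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


class HstsStore:
    """Minimal model of a browser's HSTS cache. `now` is injectable so expiry can be tested."""

    def __init__(self, now=time.time):
        self._now = now
        self._hosts = {}  # host -> (expires_at, include_subdomains)

    def remember(self, host: str, policy: HstsPolicy, over_tls: bool) -> None:
        # RFC 6797 section 8.1: the header is honoured only on an error-free TLS
        # connection, so an on-path attacker speaking plain HTTP cannot set or clear it.
        if not over_tls:
            return
        host = host.lower()
        if policy.max_age == 0:            # max-age=0 asks the client to forget the host
            self._hosts.pop(host, None)
            return
        self._hosts[host] = (self._now() + policy.max_age, policy.include_subdomains)

    def is_known(self, host: str) -> bool:
        """True if host, or a parent noted with includeSubDomains, is still within max-age."""
        labels = host.lower().split(".")
        now = self._now()
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires_at, include_subdomains = entry
            if expires_at > now and (i == 0 or include_subdomains):
                return True
        return False

    def rewrite(self, url: str) -> str:
        """URI rewriting step: http:// becomes https:// for known hosts (port 80 -> default 443)."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname or ""):
            return url
        netloc = parts.hostname
        if parts.port and parts.port != 80:
            netloc = f"{netloc}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    store = HstsStore()
    policy = parse_hsts("max-age=31536000; includeSubdomains; preload")
    store.remember("www.exemplo.com", policy, over_tls=True)
    print(store.rewrite("http://www.exemplo.com/login"))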
HTTP Public Key Pins (HPKP)
Public-Key-Pins: pin-sha256=<base64==>; max-age=<expireTime>;
Public-Key-Pins: pin-sha256=<base64==>; max-age=<expireTime>; includeSubDomains
Public-Key-Pins: pin-sha256=<base64==>; max-age=<expireTime>; report-uri=<reportURI>
Valid response with HPKP headers
HTTP/1.1 200 OK
Server: GitHub.com
Status: 200 OK
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
Public-Key-Pins: max-age=5184000; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="RRM1dGqnDFsCJXBTHky16vi1obOlCgFFn/yOhI/y+ho="; pin-sha256="k2v657xBsOVe1PQRwOsHsw3bsGT2VzIqz5K+59sNQws="; pin-sha256="K87oWBWM9UZfyddvDfoxL+8lpNyoUB2ptGtn0fv6G2Q="; pin-sha256="IQBnNBEiFuhj+8x6X8XLgh01V9Ic5/V3IRQLNFFc7v4="; pin-sha256="iie1VXtL7HzAMF+/PVPR9xzT80kQxdZeJ+zduCB3uj0="; pin-sha256="LvRiGEjRqfzurezaWuj8Wie2gyHMrW5Q06LspMnox7A="; includeSubDomains
Vary: Accept-Encoding
X-Served-By: d41662224d8c44f09604b862e979767a
X-GitHub-Request-Id: B36F2320:987D:E88A2AC:5741D913
Public Key Pins support
http://caniuse.com/#feat=publickeypinning
HTTP Public Key Pins - Considerations
- Requires maturity
- Report-only mode (Public-Key-Pins-Report-Only)?
- Mitigates MITM?
- Internal CA?
- Chrome/Firefox support (so far)
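The "requires maturity" point is concrete: a pin value is base64(SHA-256(SubjectPublicKeyInfo DER)), and RFC 7469 section 2.5 makes a client ignore the header unless at least one pin matches the served chain and at least one does not (the backup pin), because a site that pins only its live key locks every client out at the first key rotation. The following Python is an added example, not from the deck or GitHub's configuration: it computes pin values, parses a Public-Key-Pins header such as the GitHub one above, and applies that acceptance rule plus the later pin-validation check. The SPKI byte strings are constructed stand-ins; with a real certificate the same hashing is applied to the DER-encoded SPKI.

```python
"""HPKP: compute pin-sha256 values, parse the header and apply RFC 7469 acceptance rules."""
import base64
import hashlib
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PinPolicy:
    pins: List[bytes]               # raw 32-byte SHA-256 SPKI fingerprints
    max_age: int
    include_subdomains: bool = False
    report_uri: Optional[str] = None


def spki_pin(spki_der: bytes) -> str:
    """The value that goes into pin-sha256: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_hpkp(header: str) -> PinPolicy:
    """Parse a Public-Key-Pins value; raises ValueError on malformed pins or missing max-age."""
    pins, max_age, inc, report = [], None, False, None
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "pin-sha256":
            raw = base64.b64decode(value, validate=True)
            if len(raw) != 32:
                raise ValueError("pin-sha256 must decode to a 32-byte digest")
            pins.append(raw)
        elif name == "max-age":
            max_age = int(value)
        elif name == "includesubdomains":
            inc = True
        elif name == "report-uri":
            report = value
    if max_age is None:
        raise ValueError("max-age is required")
    return PinPolicy(pins, max_age, inc, report)


def _chain_fingerprints(chain_spki_der: List[bytes]) -> set:
    return {hashlib.sha256(der).digest() for der in chain_spki_der}


def policy_is_acceptable(policy: PinPolicy, chain_spki_der: List[bytes]) -> List[str]:
    """Checks a client performs before *noting* a pinned host (RFC 7469 section 2.5):
    one pin must match the served chain and one must not (the backup pin).
    Returns the list of reasons the header would be ignored; empty means accepted."""
    served = _chain_fingerprints(chain_spki_der)
    problems = []
    if not any(p in served for p in policy.pins):
        problems.append("no pin matches the served chain")
    if not any(p not in served for p in policy.pins):
        problems.append("no backup pin: a key rotation would lock out every client")
    return problems


def pins_validate(policy: PinPolicy, chain_spki_der: List[bytes]) -> bool:
    """Pin validation on a later connection: succeed if any pinned SPKI appears in the chain."""
    served = _chain_fingerprints(chain_spki_der)
    return any(p in served for p in policy.pins)


if __name__ == "__main__":
    # Constructed stand-ins for DER-encoded SubjectPublicKeyInfo structures.
    current_key = b"constructed SPKI DER of the current leaf key"
    backup_key = b"constructed SPKI DER of an offline backup key"
    header = (f'pin-sha256="{spki_pin(current_key)}"; '
              f'pin-sha256="{spki_pin(backup_key)}"; max-age=5184000; includeSubDomains')
    print(policy_is_acceptable(parse_hpkp(header), [current_key]))
```

Running the block prints an empty list, meaning the constructed header would be accepted; dropping the second pin-sha256 makes the backup-pin check fail, which is the outage scenario the "requires maturity" bullet warns about.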
Trivia (HSTS, HPKP, static pinning)
- Static pins (Chromium.org)
- https://cs.chromium.org/chromium/src/net/http/transport_security_state_static.json
- Google, Facebook, Twitter, Dropbox, Yahoo, Tor
- 23k+ domains using HSTS preload
- 180 .br domains
X-Frame-Options
X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
X-Frame-Options: ALLOW-FROM https://example.com/
Clickjacking Attack
https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009)
X-Frame-Options support
http://caniuse.com/#feat=publickeypinning
X-Frame-Options - Considerations
- Does your site need to be opened by another site inside a frame?
- Does not support more than one domain in ALLOW-FROM
- CSP 2 frame-ancestors
- Mitigates clickjacking
X-XSS-Protection
X-XSS-Protection: 0
X-XSS-Protection: 1
X-XSS-Protection: 1; mode=block
Cross-Site Scripting (XSS) Attack
X-XSS-Protection support
https://developer.mozilla.org/pt-BR/docs/Web/HTTP/Headers/X-XSS-Protection
X-XSS-Protection - Considerations
- Protection only against reflected XSS
- Not supported by Firefox
- Problems with the XSS filter
Content Security Policy (CSP)
Content-Security-Policy: <policy>; <policy>
Content Security Policy (CSP)
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
CSP example
Response from https://twitter.com/
Content-Security-Policy:
  script-src 'nonce-7tS2MKRWrGdmy1/R72jiDQ==' https://connect.facebook.net https://cm.g.doubleclick.net https://ssl.google-analytics.com https://graph.facebook.com https://twitter.com 'unsafe-eval' https://*.twimg.com https://api.twitter.com https://analytics.twitter.com https://publish.twitter.com https://ton.twitter.com https://syndication.twitter.com https://www.google.com https://t.tellapart.com https://platform.twitter.com https://www.google-analytics.com 'self';
  frame-ancestors 'self';
  font-src https://twitter.com https://*.twimg.com data: https://ton.twitter.com https://fonts.gstatic.com https://maxcdn.bootstrapcdn.com https://netdna.bootstrapcdn.com 'self';
  media-src https://twitter.com https://*.twimg.com https://ton.twitter.com blob: 'self';
  connect-src https://graph.facebook.com https://*.giphy.com https://*.twimg.com https://api.twitter.com https://pay.twitter.com https://analytics.twitter.com https://*.twprobe.net https://media.riffsy.com https://embed.periscope.tv https://upload.twitter.com 'self';
  style-src https://fonts.googleapis.com https://twitter.com https://*.twimg.com https://translate.googleapis.com https://ton.twitter.com 'unsafe-inline' https://platform.twitter.com https://maxcdn.bootstrapcdn.com https://netdna.bootstrapcdn.com 'self';
  object-src https://twitter.com https://pbs.twimg.com;
  default-src 'self';
  frame-src https://staticxx.facebook.com https://twitter.com https://*.twimg.com https://5415703.fls.doubleclick.net https://player.vimeo.com https://pay.twitter.com https://www.facebook.com https://ton.twitter.com https://syndication.twitter.com https://vine.co twitter: https://www.youtube.com https://platform.twitter.com https://upload.twitter.com https://s-static.ak.facebook.com https://4337974.fls.doubleclick.net 'self' https://donate.twitter.com;
  img-src https://graph.facebook.com https://*.giphy.com https://twitter.com https://*.twimg.com https://ad.doubleclick.net data: https://lumiere-a.akamaihd.net https://fbcdn-profile-a.akamaihd.net https://www.facebook.com https://ton.twitter.com https://*.fbcdn.net https://syndication.twitter.com https://media.riffsy.com https://www.google.com https://stats.g.doubleclick.net https://api.mapbox.com https://www.google-analytics.com blob: 'self';
  report-uri https://twitter.com/i/csp_report?a=NVQWGYLXFVZXO2LGOQ%3D%3D%3D%3D%3D%3D&ro=false;
Set-Cookie: fm=0; Expires=Tue, 28 Mar 2017 11:35:01 UTC; Path=/; Domain=.twitter.com; Secure; HTTPOnly
Strict-Transport-Security: max-age=631138519
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content Security Policy (CSP) support
http://caniuse.com/#feat=contentsecuritypolicy2
Content Security Policy (CSP) - considerations
- Implementation difficulty: inline scripts have to be removed
<html>
<head>
<script>var msg = 'javascript inline'; alert(msg);</script>
</head>
<body>Ola!</body></html>
- 'unsafe-inline' and 'unsafe-eval' can undermine the effort
- Protection against XSS (reflected/stored), but is it definitive?
- Protection against clickjacking
- Not supported by all browsers
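The considerations above (inline scripts, 'unsafe-inline'/'unsafe-eval' undermining the policy, frame-ancestors for clickjacking) can be checked mechanically. The following Python is an added example, not code from the deck: it parses a Content-Security-Policy value into directives, applies the default-src fallback rules, audits a policy for the weaknesses the slides name, and decides whether an inline script (like the one in the HTML snippet above) would run. TWITTER_LIKE is a shortened version of the Twitter policy shown earlier and NAIVE is a constructed weak policy; function names are this example's own.

```python
"""CSP: parse, audit for weak directives, and decide whether an inline script may run."""
from typing import Dict, List, Optional

# Directives that do NOT fall back to default-src when absent.
NO_FALLBACK = {"frame-ancestors", "base-uri", "form-action", "sandbox", "report-uri",
               "report-to", "upgrade-insecure-requests", "block-all-mixed-content"}

# Constructed sample policies: a shortened form of the Twitter header and a weak one.
TWITTER_LIKE = ("script-src 'nonce-7tS2MKRWrGdmy1/R72jiDQ==' https://twitter.com 'unsafe-eval' 'self'; "
                "frame-ancestors 'self'; object-src https://twitter.com; default-src 'self'")
NAIVE = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'"


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a policy into {directive: [source expressions]}. Names are case-insensitive and,
    as the spec requires, the first occurrence of a directive wins over later duplicates."""
    directives: Dict[str, List[str]] = {}
    for raw in policy.split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in directives:
            directives[name] = tokens[1:]
    return directives


def effective_sources(directives: Dict[str, List[str]], name: str) -> Optional[List[str]]:
    """Source list that governs `name`; None means nothing restricts it."""
    if name in directives:
        return directives[name]
    if name in NO_FALLBACK:
        return None
    return directives.get("default-src")


def audit_csp(policy: str) -> List[str]:
    """Report the weaknesses the slides warn about. Empty list means none found."""
    d = parse_csp(policy)
    findings = []
    script = effective_sources(d, "script-src")
    if script is None:
        findings.append("script-src (and default-src) missing: any script source is allowed")
    else:
        has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                                for s in script)
        # With a nonce or hash present, CSP2+ browsers ignore 'unsafe-inline'.
        if "'unsafe-inline'" in script and not has_nonce_or_hash:
            findings.append("script-src allows 'unsafe-inline': injected inline script is not blocked")
        if "'unsafe-eval'" in script:
            findings.append("script-src allows 'unsafe-eval': eval()/Function() remain usable")
        if any(s in ("*", "http:", "https:") for s in script):
            findings.append("script-src allows a wildcard or whole scheme: effectively any host")
    if effective_sources(d, "object-src") is None:
        findings.append("object-src (and default-src) missing: plugin content can carry script")
    if "frame-ancestors" not in d:
        findings.append("frame-ancestors missing: this CSP gives no clickjacking protection")
    return findings


def inline_script_allowed(policy: str, element_nonce: Optional[str] = None) -> bool:
    """Would an inline <script> (with an optional nonce attribute) execute under this policy?"""
    script = effective_sources(parse_csp(policy), "script-src")
    if script is None:
        return True
    nonces = {s[len("'nonce-"):-1] for s in script if s.startswith("'nonce-")}
    hashes = any(s.startswith(("'sha256-", "'sha384-", "'sha512-")) for s in script)
    if element_nonce is not None and element_nonce in nonces:
        return True
    return "'unsafe-inline'" in script and not nonces and not hashes


if __name__ == "__main__":
    for name, pol in (("twitter-like", TWITTER_LIKE), ("naive", NAIVE)):
        print(name, audit_csp(pol), "inline without nonce runs:", inline_script_allowed(pol))
```

Under the Twitter-like policy the slide's `<script>var msg = ...</script>` does not run unless the server stamps it with the per-response nonce, which is exactly the migration work the "implementation difficulty" bullet refers to.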
Set-Cookie (cookie options)
Set-Cookie: <key>=<value>; Expires=<expiryDate>; Secure; HttpOnly; SameSite=<strict/lax>
Set-Cookie (cookie options)
HttpOnly – cookie not accessible via JavaScript
Secure – prevents the cookie from being sent over an unencrypted channel
SameSite – prevents the cookie from being sent on cross-site requests
CSRF
Set-Cookie (cookie options) - considerations
- Secure and HttpOnly
- Protection against capture of cookies in clear text
- Possible reduction of XSS impact – session theft
- SameSite – supported only by Chrome
- Still a draft
- Provides good protection against CSRF/XSSI
- Lax – used with "safe" HTTP methods
- Can it hurt navigation?
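The cookie slides above list three attributes and the trade-off behind Lax (cookies still travel on "safe" cross-site navigations, so normal links keep working while a cross-site POST carries no session). The following Python is an added example, not from the deck: it parses a Set-Cookie header such as the Twitter one shown in the CSP example, audits it for the missing attributes the slides discuss, and models whether a browser attaches the cookie to a request under Strict, Lax, or no SameSite attribute. The absent-attribute case is modelled as the 2017 draft behaviour the slides describe (cookie sent); current Chrome treats a missing SameSite as Lax by default. Function names are this example's own.

```python
"""Set-Cookie: parse attributes, audit Secure/HttpOnly/SameSite, and model SameSite sending rules."""
from dataclasses import dataclass
from typing import List, Optional

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}   # RFC 7231 "safe" methods


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False
    http_only: bool = False
    same_site: Optional[str] = None    # "Strict", "Lax", "None", or None when absent
    domain: Optional[str] = None
    path: str = "/"


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie value; attribute names are case-insensitive (HTTPOnly == HttpOnly)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name.strip(), value.strip())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.http_only = True
        elif key == "samesite":
            cookie.same_site = val.capitalize()
        elif key == "domain":
            cookie.domain = val.lstrip(".").lower()
        elif key == "path" and val:
            cookie.path = val
    return cookie


def audit_cookie(cookie: Cookie, session_cookie: bool = True) -> List[str]:
    """Findings a reviewer would raise for a session cookie. Empty list means none."""
    findings = []
    if not cookie.secure:
        findings.append("missing Secure: cookie is sent over plain HTTP and can be captured in clear text")
    if session_cookie and not cookie.http_only:
        findings.append("missing HttpOnly: script can read the cookie, so XSS becomes session theft")
    if cookie.same_site is None:
        findings.append("missing SameSite: cookie is attached to cross-site requests (CSRF surface)")
    elif cookie.same_site == "None" and not cookie.secure:
        findings.append("SameSite=None requires Secure, otherwise browsers reject the cookie")
    return findings


def sent_on_request(cookie: Cookie, *, https: bool, cross_site: bool,
                    method: str, top_level_navigation: bool) -> bool:
    """Model of whether a browser attaches the cookie to a request."""
    if cookie.secure and not https:
        return False                       # Secure: never on an unencrypted channel
    if not cross_site:
        return True
    if cookie.same_site == "Strict":
        return False                       # Strict: nothing cross-site, not even a link click
    if cookie.same_site == "Lax":
        # Lax: only cross-site top-level navigations using a safe method carry the cookie,
        # so a cross-site form POST (the classic CSRF vector) arrives without a session.
        return top_level_navigation and method.upper() in SAFE_METHODS
    return True   # SameSite=None, or attribute absent under the draft-era behaviour the deck describes


if __name__ == "__main__":
    twitter = parse_set_cookie("fm=0; Expires=Tue, 28 Mar 2017 11:35:01 UTC; Path=/; "
                               "Domain=.twitter.com; Secure; HTTPOnly")
    print(audit_cookie(twitter))
    lax = parse_set_cookie("session=abc; Secure; HttpOnly; SameSite=Lax")
    print(sent_on_request(lax, https=True, cross_site=True, method="POST", top_level_navigation=True))
```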
X-Content-Type-Options
X-Content-Type-Options: nosniff;
X-Content-Type-Options - considerations
- Supported by all popular browsers except Safari
- Mitigates MIME confusion attacks
- The web server must return correct MIME types for the header to be useful
Referrer-Policy
Referrer-Policy: <directive>
Referrer-Policy: no-referrer
Referrer-Policy: no-referrer-when-downgrade
Referrer-Policy: origin
Referrer-Policy: origin-when-cross-origin
Referrer-Policy: same-origin
Referrer-Policy: strict-origin
Referrer-Policy: strict-origin-when-cross-origin
Referrer-Policy: unsafe-url
Referrer-Policy
| Policy | Document | Navigation to | Referrer |
|---|---|---|---|
| no-referrer | https://example.com/page.html | any domain or path | no referrer |
| no-referrer-when-downgrade | https://example.com/page.html | https://example.com/otherpage.html | https://example.com/page.html |
| no-referrer-when-downgrade | https://example.com/page.html | https://mozilla.org | https://example.com/page.html |
| no-referrer-when-downgrade | https://example.com/page.html | http://example.org | no referrer |
| origin | https://example.com/page.html | any domain or path | https://example.com/ |
| origin-when-cross-origin | https://example.com/page.html | https://example.com/otherpage.html | https://example.com/page.html |
| origin-when-cross-origin | https://example.com/page.html | https://mozilla.org | https://example.com/ |
| origin-when-cross-origin | https://example.com/page.html | http://example.com/page.html | https://example.com/ |
| same-origin | https://example.com/page.html | https://example.com/otherpage.html | https://example.com/page.html |
| same-origin | https://example.com/page.html | https://mozilla.org | no referrer |
| strict-origin | https://example.com/page.html | https://mozilla.org | https://example.com/ |
| strict-origin | https://example.com/page.html | http://example.org | no referrer |
| strict-origin | http://example.com/page.html | any domain or path | http://example.com/ |
| strict-origin-when-cross-origin | https://example.com/page.html | https://example.com/otherpage.html | https://example.com/page.html |
| strict-origin-when-cross-origin | https://example.com/page.html | https://mozilla.org | https://example.com/ |
| strict-origin-when-cross-origin | https://example.com/page.html | http://example.org | no referrer |
| unsafe-url | https://example.com/page.html | any domain or path | https://example.com/page.html |
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
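The table above enumerates what each Referrer-Policy directive sends for a given document and destination. The following Python is an added example, not from the deck or MDN: it implements the decision for every directive in the table (same-origin test, HTTPS-to-HTTP downgrade test, origin-only versus full URL, and the stripping of credentials and fragments that every referrer undergoes) and replays the table's rows against it. The rows that say "any domain or path" use a constructed destination; function names are this example's own.

```python
"""Referrer-Policy: compute the Referer value per directive and replay the slide's table."""
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


def _host_port(url: str) -> str:
    p = urlsplit(url)
    return (p.hostname or "") + (f":{p.port}" if p.port else "")


def _origin(url: str) -> str:
    """Origin form of a URL: scheme://host[:port]/ with no path."""
    return f"{urlsplit(url).scheme}://{_host_port(url)}/"


def _strip(url: str) -> str:
    """'Strip URL for use as a referrer': drop credentials and fragment, keep path and query."""
    p = urlsplit(url)
    result = f"{p.scheme}://{_host_port(url)}{p.path or '/'}"
    return result + (f"?{p.query}" if p.query else "")


def _downgrade(src: str, dst: str) -> bool:
    """TLS-protected document navigating to a plain-HTTP destination."""
    return urlsplit(src).scheme == "https" and urlsplit(dst).scheme == "http"


def referrer_for(policy: str, document: str, destination: str) -> Optional[str]:
    """Referer value sent from `document` to `destination` under `policy`; None = no referrer."""
    full, origin = _strip(document), _origin(document)
    same = _origin(document) == _origin(destination)
    down = _downgrade(document, destination)
    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":
        return None if down else full
    if policy == "origin":
        return origin
    if policy == "origin-when-cross-origin":
        return full if same else origin
    if policy == "same-origin":
        return full if same else None
    if policy == "strict-origin":
        return None if down else origin
    if policy == "strict-origin-when-cross-origin":
        return full if same else (None if down else origin)
    if policy == "unsafe-url":
        return full
    raise ValueError(f"unknown Referrer-Policy directive: {policy!r}")


ANY = "https://mozilla.org/any/path"   # constructed stand-in for "any domain or path"
DOC = "https://example.com/page.html"
TABLE: List[Tuple[str, str, str, Optional[str]]] = [
    ("no-referrer", DOC, ANY, None),
    ("no-referrer-when-downgrade", DOC, "https://example.com/otherpage.html", DOC),
    ("no-referrer-when-downgrade", DOC, "https://mozilla.org", DOC),
    ("no-referrer-when-downgrade", DOC, "http://example.org", None),
    ("origin", DOC, ANY, "https://example.com/"),
    ("origin-when-cross-origin", DOC, "https://example.com/otherpage.html", DOC),
    ("origin-when-cross-origin", DOC, "https://mozilla.org", "https://example.com/"),
    ("origin-when-cross-origin", DOC, "http://example.com/page.html", "https://example.com/"),
    ("same-origin", DOC, "https://example.com/otherpage.html", DOC),
    ("same-origin", DOC, "https://mozilla.org", None),
    ("strict-origin", DOC, "https://mozilla.org", "https://example.com/"),
    ("strict-origin", DOC, "http://example.org", None),
    ("strict-origin", "http://example.com/page.html", ANY, "http://example.com/"),
    ("strict-origin-when-cross-origin", DOC, "https://example.com/otherpage.html", DOC),
    ("strict-origin-when-cross-origin", DOC, "https://mozilla.org", "https://example.com/"),
    ("strict-origin-when-cross-origin", DOC, "http://example.org", None),
    ("unsafe-url", DOC, ANY, DOC),
]


def check_table(rows=TABLE) -> list:
    """Rows of the slide's table that the implementation disagrees with (expected: none)."""
    mismatches = []
    for policy, document, destination, expected in rows:
        got = referrer_for(policy, document, destination)
        if got != expected:
            mismatches.append((policy, document, destination, got, expected))
    return mismatches


if __name__ == "__main__":
    print("mismatches:", check_table())
    print(referrer_for("unsafe-url", "https://user:pw@example.com/a?q=1#frag", ANY))
```

The privacy consideration on the next slide is visible in the last line: even unsafe-url never leaks credentials or the fragment, but it does leak the path and query to third parties, which is why strict-origin-when-cross-origin is the usual recommendation for sites that carry identifiers in URLs.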
Referrer-Policy support
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
Referrer-Policy - considerations
- Still under development
- Support still limited (Firefox and some Chrome functionality)
- Addresses privacy concerns
Referer: https://github.com/irgoncalves/jwtbf
Tools for testing the headers
https://observatory.mozilla.org/
https://securityheaders.io
https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#tab=Technical_Resources
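The online tools listed above fetch a site and grade its response headers. The following Python is an added example, not code from the deck or from any of those services: it parses a raw HTTP response head and runs the checks this deck covers (HSTS present, framing restricted by X-Frame-Options or CSP frame-ancestors, nosniff, a CSP, X-XSS-Protection with mode=block, Referrer-Policy, and version disclosure in Server/X-Powered-By). SAMPLE_RESPONSE is the response from the "Typical HTTP request" slide; HARDENED_RESPONSE is a constructed counterpart. The version-disclosure check is a simple heuristic (any digit in the value); function names are this example's own.

```python
"""Offline audit of an HTTP response head for the security headers covered in this deck."""
from typing import Dict, List, Optional, Tuple

# Response from the "Typical HTTP request" slide (headers from the slide, body omitted).
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Date: Fri, 17 Mar 2017 07:45:30 GMT
Server: Apache/2.2.8 (Ubuntu) DAV/2
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 891
Content-Type: text/html
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload

<html>...</html>"""

# Constructed hardened counterpart: no XFO, but CSP frame-ancestors covers framing.
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Referrer-Policy: strict-origin-when-cross-origin
"""


def parse_response(raw: str) -> Tuple[str, Dict[str, List[str]]]:
    """Return (status line, {lowercased header name: [values]}) from a raw response."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.splitlines()
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def audit_headers(headers: Dict[str, List[str]]) -> List[str]:
    """Findings in the order the deck presents the headers. Empty list means none."""
    def first(name: str) -> Optional[str]:
        values = headers.get(name)
        return values[0] if values else None

    findings = []
    if first("strict-transport-security") is None:
        findings.append("Strict-Transport-Security missing: SSLStrip-style downgrade stays possible")
    xfo = first("x-frame-options")
    csp = first("content-security-policy") or ""
    if xfo is None and "frame-ancestors" not in csp.lower():
        findings.append("no X-Frame-Options and no CSP frame-ancestors: page can be framed (clickjacking)")
    elif xfo is not None and xfo.upper().split()[0] not in ("DENY", "SAMEORIGIN", "ALLOW-FROM"):
        findings.append(f"X-Frame-Options has an unrecognised value: {xfo}")
    nosniff = first("x-content-type-options")
    if nosniff is None or not nosniff.lower().startswith("nosniff"):
        findings.append("X-Content-Type-Options: nosniff missing: MIME sniffing allowed")
    if not csp:
        findings.append("Content-Security-Policy missing")
    xss = first("x-xss-protection")
    if xss is not None and xss.startswith("1") and "mode=block" not in xss.replace(" ", "").lower():
        findings.append("X-XSS-Protection enabled without mode=block: filter rewrites the page instead of blocking")
    if first("referrer-policy") is None:
        findings.append("Referrer-Policy missing: browser default sends the full URL to other HTTPS sites")
    for name in ("server", "x-powered-by"):
        value = first(name)
        if value and any(ch.isdigit() for ch in value):   # heuristic: a digit usually means a version
            findings.append(f"{name} discloses a version: {value}")
    return findings


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        status, hdrs = parse_response(raw)
        print(label, status)
        for finding in audit_headers(hdrs) or ["no findings"]:
            print("  -", finding)
```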
Conclusions
- Security headers can improve the security and privacy of your users
- They are part of a defence-in-depth strategy
- Some have pitfalls and require maturity
- They require additional controls
- Support levels differ between browsers
References
- https://tools.ietf.org/html/rfc6797
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers
- https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
- https://www.owasp.org/index.php/Clickjacking
- https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
- https://scotthelme.co.uk/
- https://www.wired.com/2016/03/https-adoption-google-report/
- http://www.html5rocks.com/en/tutorials/security/content-security-policy/
- https://www.bettercap.org/blog/sslstripping-and-hsts-bypass/
- https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/45542.pdf
- https://technet.microsoft.com/library/security/2524375
- https://csp.withgoogle.com/docs/index.html
- The Tangled Web: A Guide to Securing Modern Web Applications, Michal Zalewski
