Web Security "Course"

- XSS, Clickjacking, Phising, MITM

Risks

XSS

Clickjacking

Phising

Man in the Middle Attack

Text

Defenses

  • Sanitation, Escaping
  • Security Headers:
    • Content-Security Policy (CSP)
    • HTTP Strict Transport Security (HSTS)

    • HTTP Public Key Pinning (HPKP)

    • X-Content-Type-Options

    • X-Frame-Options

    • X-XSS-Protection

    • Referrer Policy

  • Subresource Integrity (SRI)

Sanitation, Escaping

Escaping must be context sensitive!

Security Headers

Content-Security-Policy:
    default-src 'none';
    base-uri 'self';
    block-all-mixed-content;
    child-src render.githubusercontent.com;
    connect-src 'self' uploads.github.com status.github.com;
    font-src assets-cdn.github.com;
    form-action 'self' github.com gist.github.com;
    frame-ancestors 'none';
    img-src 'self' data: assets-cdn.github.com *.githubusercontent.com;
    media-src 'none';
    script-src assets-cdn.github.com;
    style-src 'unsafe-inline' assets-cdn.github.com
Content-Security-Policy:
    object-src 'none';
    script-src 'nonce-$random' 'strict-dynamic'
               'unsafe-inline' 'unsafe-eval' https: http:;
    report-uri https://yourreportingendpoint;

Content-Security Policy

Strict-Transport-Security: max-age=31536000; includeSubdomains; preload

HTTP Strict Transport Security

  • Serve a valid certificate.
  • Redirect from HTTP to HTTPS on the same host, if you are listening on port 80.
  • Serve all subdomains over HTTPS.
    • In particular, you must support HTTPS for the www subdomain if a DNS record for that subdomain exists.
  • Serve an HSTS header on the base domain for HTTPS requests:
    • The max-age must be at least eighteen weeks (10886400 seconds).
    • The includeSubDomains directive must be specified.
    • The preload directive must be specified.
    • If you are serving an additional redirect from your HTTPS site, that redirect must still have the HSTS header (rather than the page it redirects to).
Public-Key-Pins:
    pin-sha256='X3pGTSOuJeEVw989IJ/cEtXUEmy52zs1TZQrU06KUKg=';
    pin-sha256='MHJYVThihUrJcxW6wcqyOISTXIsInsdj3xK8QrZbHec=';
    pin-sha256='isi41AizREkLvvft0IRW4u3XMFR2Yg7bvrF7padyCJg=';
    includeSubdomains;
    max-age=2592000

HTTP Public Key Pinning

X-Content-Type-Options: nosniff

X-Content-Type-Options

X-Frame-Options: SAMEORIGIN

X-Frame-Options

X-Xss-Protection: 1; mode=block

X-XSS-Protection

Referrer-Policy: Referrer-Policy: origin-when-cross-origin

Referrer Policy

SRI

References

  • https://www.owasp.org/index.php/Top_10_2013-Top_10
  • https://securityheaders.com
  • https://report-uri.io/home/tools/
  • https://www.troyhunt.com/owasp-top-10-for-net-developers-part-2/
  • https://robinlinus.github.io/socialmedia-leak/
  • https://www.troyhunt.com/clickjack-attack-hidden-threat-right-in/
  • http://twig.sensiolabs.org/doc/2.x/filters/escape.html
  • https://www.websec.be/blog/cspstrictdynamic/
  • https://www.troyhunt.com/introducing-you-to-browser-security/
  • https://scotthelme.co.uk/hardening-your-http-response-headers/
  • https://scotthelme.co.uk/hsts-preloading/
  • https://scotthelme.co.uk/hpkp-http-public-key-pinning/
  • https://scotthelme.co.uk/a-new-security-header-referrer-policy/
  • https://www.troyhunt.com/protecting-your-embedded-content-with-subresource-integrity-sri/
  • https://githubengineering.com/githubs-post-csp-journey/

Web Security "Course" I.

By Máté Kocsis

Web Security "Course" I.

  • 841