Securing Web Applications. Eric Lawrence, Program Manager, Microsoft Corporation


Post on 16-Jan-2015


DESCRIPTION

Learn how to take advantage of browser security improvements to help protect your Web applications and visitors.

TRANSCRIPT

Page 1: Securing Web Applications

Securing Web Applications

Eric Lawrence, Program Manager, Microsoft Corporation

Page 2: Securing Web Applications

Are we finished yet?

Page 3: Securing Web Applications

IE 7 significantly reduced attack surface against the browser and local machine…

Page 4: Securing Web Applications

…but Social Engineering and exploitation of add-ons continue to grow.

WebApp attacks (CSRF, XSS, ClickJacking, splitting) may be the next big vector.

And the next generation of attackers is coming out of grade school.

Page 5: Securing Web Applications

Worst of all, it turns out that crime does pay after all.

Page 6: Securing Web Applications

Why is browser security so elusive?

Page 7: Securing Web Applications
Page 8: Securing Web Applications

The security architecture of the current web platform was largely an afterthought.

Page 9: Securing Web Applications

Maybe there’s a shortcut?

Page 10: Securing Web Applications

We could block nearly 100% of exploits by removing one component from the system…

Page 11: Securing Web Applications
Page 12: Securing Web Applications

Or, we could block a majority of exploits by removing a different component from the system…

Page 13: Securing Web Applications
Page 14: Securing Web Applications

So, if we re-architect everything, or get rid of the users, or get rid of the network, then security might be easy.

FAIL

Page 15: Securing Web Applications

Making the correct tradeoffs is hard.

Page 16: Securing Web Applications

IE8 Security Vision

IE8 is the most secure browser by default.

Security Feature Improvements: Create security features that address the top vulnerabilities today and in the future.

Secure Features: Reduce the attack surface of existing code by closing legacy holes. Apply security-focused rigors against new code.

Provide Security and Compatibility: Users understand that improved security is a reason to upgrade.

Page 17: Securing Web Applications

IE8 Security Investments

Address the evolving threat landscape:

• Social Engineering
• Web App Vulnerabilities
• Browser & Add-on Vulnerabilities

Page 18: Securing Web Applications

Question: What’s the best way to develop secure, performant, and reliable C/C++ code?

Page 19: Securing Web Applications

Answer

Don’t.

Page 20: Securing Web Applications

Non-Binary Extensibility

Page 21: Securing Web Applications

Accelerators

Non-Binary Extensibility

Page 22: Securing Web Applications

WebSlices

Non-Binary Extensibility

Page 23: Securing Web Applications

Visual Search Suggestions

Non-Binary Extensibility

Page 24: Securing Web Applications

Lots of other investments

• DOM Storage
• Connectivity Events
• Per-site ActiveX
• Application protocol prompting
• Protected Mode
• DEP/NX on-by-default
• ASLR, SAFESEH, GS, etc.

Page 25: Securing Web Applications

The Weakest Link

Page 26: Securing Web Applications

Sometimes, threats are obvious…

Page 27: Securing Web Applications

…but bad guys are getting smarter…

Page 28: Securing Web Applications

Fake codecs and add-ons

Page 29: Securing Web Applications

Fake antivirus scanners & utilities

Page 30: Securing Web Applications
Page 31: Securing Web Applications
Page 32: Securing Web Applications

A more effective warning?

Page 33: Securing Web Applications

SmartScreen Download Block

Page 34: Securing Web Applications

SmartScreen Block Page

Page 35: Securing Web Applications

Domain Highlighting

Page 36: Securing Web Applications

HTTPS - Extended Validation

• Supported by all major browsers: IE7, Firefox, Opera, Chrome, and Safari.
• Over 10,000 sites with extended validation certificates.

Page 37: Securing Web Applications

HTTPS Mistakes

Page 38: Securing Web Applications

Insecure Login Form

Page 39: Securing Web Applications

Certificate Mismatch

Page 40: Securing Web Applications

Mixed Content - Prompt

Page 41: Securing Web Applications

Mixed Content Blocked

Page 42: Securing Web Applications

Mixed Content shown – No lock

Page 43: Securing Web Applications

Mixed Content - Troubleshooting

Page 44: Securing Web Applications

Preventing XSS

Page 45: Securing Web Applications

XSS Threats

• Steal cookies
• Log keystrokes
• Deface sites
• Misuse credentials
• Port-scan the Intranet
• Launch CSRF
• Steal browser history
• Abuse browser/AX vulnerabilities
• Evade phishing filters
• Circumvent HTTPS
• etc…

Researcher Bryan Sullivan: “XSS is the new buffer overflow.”

Page 46: Securing Web Applications

XSS Statistics

XSS: 70%
Info Leakage: 4%
Content Spoofing: 6%
SQL Leakage: 5%
Predictable Resource Location: 5%
HTTP Response Splitting: 5%
Other: 6%

Source: WhiteHat Security, August 2008

Page 47: Securing Web Applications

IE8 XSS Filter

Demo

Page 48: Securing Web Applications

Comprehensive XSS Protection

• Disable US-ASCII codepage
• Disable sniffing of UTF-7 codepage
• Fix other codepage-related bugs
• Disable CSS expression() in IE8 Standards mode
• Offer script-sanitization functions for sites building mashups

Page 49: Securing Web Applications

Securing Mashups

Page 50: Securing Web Applications

How are mashups built today?

• Cross-domain script inclusion
• IFRAMEs

Page 51: Securing Web Applications

XDomainRequest

• Enables web developers to communicate between domains more securely
• Provides a mechanism to establish trust between domains through an explicit acknowledgement of cross-domain access
• Access-Control-Allow-Origin syntax standardized

Page 52: Securing Web Applications

HTML5 postMessage()

• Enables two domains to establish a trust relationship to exchange object messages
• Provides a web developer a more secure mechanism to build cross-domain communication
• Part of the HTML5 specification; supported by all latest-version browsers.

Page 53: Securing Web Applications

postMessage – Sending

// Find target frame
var oFrame = document.getElementsByTagName('iframe')[0];

// postMessage will only deliver the 'Hello'
// message if the frame is currently
// at the expected target site
oFrame.contentWindow.postMessage('Hello', 'http://recipient.example.com');

Page 54: Securing Web Applications

postMessage – Listening

// Listen for the event. For non-IE, use
// addEventListener instead.
document.attachEvent('onmessage', function(e) {
  // Check who sent the message before touching e.data
  if (e.domain == 'expected.com') {
    // e.data contains the string
    // We can use it here. But how?
  }
});

Page 55: Securing Web Applications

JavaScript Object Notation

{
  "Weather": {
    "City": "Seattle",
    "Zip": 98052,
    "Forecast": {
      "Today": "Sunny",
      "Tonight": "Dark",
      "Tomorrow": "Sunny"
    }
  }
}

Page 56: Securing Web Applications

Native JSON Support

JSON.stringify()
JSON.parse()

Based on ECMAScript 3.1; natively supported by Firefox 3.5 and IE8.


Page 58: Securing Web Applications

window.toStaticHTML(): Client-side string sanitization, based on the Microsoft Anti-XSS Library.

window.toStaticHTML("This is some <b>HTML</b> with embedded script following... <script> alert('bang!'); </script>!");

returns:

This is some <b>HTML</b> with embedded script following... !

Page 59: Securing Web Applications

Putting it all together…

if (window.XDomainRequest) {
  var xdr = new XDomainRequest();

  xdr.onload = function() {
    var objWeather = JSON.parse(xdr.responseText);

    var oSpan = window.document.getElementById("spnWeather");
    oSpan.innerHTML = window.toStaticHTML("Tonight it will be <b>" +
      objWeather.Weather.Forecast.Tonight + "</b> in <u>" +
      objWeather.Weather.City + "</u>.");
  };

  xdr.open("POST", "http://evil.example.com/getweather.aspx");
  xdr.send("98052");
}
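The receiving end of the postMessage, JSON.parse and sanitize pattern from pages 54, 55 and 59, as an added example that is not part of the slides. It uses the standard MessageEvent origin property rather than the IE8 domain property, and an HTML-escaping helper in place of the IE-only toStaticHTML(); the trusted origin, the message shape and the element id are assumptions.

```javascript
var TRUSTED_ORIGIN = 'http://recipient.example.com';   // assumed origin of the frame allowed to send

// Validate a message event and return the parsed Weather object, or null if
// the message must not be trusted. Pure function, so it runs without a browser.
function acceptWeatherMessage(event, trustedOrigin) {
  // 1. Only the exact origin we expect may talk to us; a substring or suffix
  //    test ("ends with example.com") would be bypassable.
  if (event.origin !== trustedOrigin) {
    return null;
  }
  // 2. Treat the payload as data, never as code: JSON.parse, not eval().
  if (typeof event.data !== 'string') {
    return null;
  }
  var obj;
  try {
    obj = JSON.parse(event.data);
  } catch (err) {
    return null;   // malformed JSON from a trusted frame is still rejected
  }
  // 3. Check the shape before dereferencing nested fields.
  if (!obj || !obj.Weather || !obj.Weather.Forecast ||
      typeof obj.Weather.City !== 'string' ||
      typeof obj.Weather.Forecast.Tonight !== 'string') {
    return null;
  }
  return obj.Weather;
}
// Escape text before it is concatenated into innerHTML. This stands in for
// toStaticHTML(), which only IE8 provides.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, function (c) {
    return { '&': '&amp;', '<': '&lt;', '>': '&gt;',
             '"': '&quot;', "'": '&#39;' }[c];
  });
}
// Same sentence as the page 59 slide, with the untrusted fields escaped.
function renderForecast(weather) {
  return 'Tonight it will be <b>' + escapeHtml(weather.Forecast.Tonight) +
         '</b> in <u>' + escapeHtml(weather.City) + '</u>.';
}
// Browser wiring, using addEventListener as the slide recommends for non-IE.
if (typeof window !== 'undefined' && window.addEventListener) {
  window.addEventListener('message', function (e) {
    var weather = acceptWeatherMessage(e, TRUSTED_ORIGIN);
    if (weather) {
      document.getElementById('spnWeather').innerHTML = renderForecast(weather);
    }
  }, false);
}
```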

Page 60: Securing Web Applications

Best Practices

• Filter content using the Microsoft Anti-Cross Site Scripting Library.
• Use JSON and toStaticHTML for local content sanitization.
• Specify the encoding in the Content-Type header:
  Content-Type: text/html; charset=UTF-8
• Use XDomainRequest and postMessage() rather than <SCRIPT SRC=>.
• Use HTTPOnly cookies:
  Set-Cookie: secret=value; httponly

Page 61: Securing Web Applications

ClickJacking

Demo

Page 62: Securing Web Applications

Hosting unsafe files

Page 63: Securing Web Applications

MIME-Sniffing

• No upsniff from image/*
• X-Content-Type-Options: nosniff
• Option to force file save:
  Content-Disposition: attachment; filename="file.htm"
  X-Download-Options: NoOpen
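The response headers recommended on pages 60 and 63, applied in a small Node.js server as an added example that is not from the slides; the upload path, file name and cookie value are constructed, and the filename cleaning is an assumption about how to keep the Content-Disposition parameter well-formed.

```javascript
// Strip characters that could break out of the quoted filename parameter
// (quotes, backslashes, CR/LF and other control characters) or add headers.
function safeFilename(name) {
  var base = String(name).split(/[\\/]/).pop();   // drop any path component
  base = base.replace(/[\x00-\x1f"\\]/g, '');
  return base.length ? base : 'download';
}

// Headers for a user-supplied file that must never be rendered in the
// hosting site's browser context (page 63: force save, no sniffing, no Open).
function unsafeFileHeaders(filename) {
  return {
    'Content-Type': 'application/octet-stream',
    'X-Content-Type-Options': 'nosniff',
    'Content-Disposition': 'attachment; filename="' + safeFilename(filename) + '"',
    'X-Download-Options': 'noopen'
  };
}

// Headers for an HTML page (page 60): declare the charset explicitly so the
// browser cannot sniff it as UTF-7, and keep the session cookie out of script.
function htmlPageHeaders(cookieValue) {
  return {
    'Content-Type': 'text/html; charset=UTF-8',
    'X-Content-Type-Options': 'nosniff',
    'Set-Cookie': 'secret=' + encodeURIComponent(cookieValue) + '; HttpOnly'
  };
}

// Minimal server showing both (run with Node.js, then browse to port 8080).
if (typeof require !== 'undefined' && require.main === module) {
  var http = require('http');
  http.createServer(function (req, res) {
    if (req.url === '/uploads/report.htm') {            // constructed upload path
      res.writeHead(200, unsafeFileHeaders('report.htm'));
      res.end('<html><script>alert(1)</script></html>');  // saved to disk, not rendered
    } else {
      res.writeHead(200, htmlPageHeaders('constructed-session-value'));
      res.end('<p>Hello</p>');
    }
  }).listen(8080);
}
```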

Page 64: Securing Web Applications

Privacy

Page 65: Securing Web Applications

File Upload Control

Text input control now read-only

Server no longer gets full filename:

Content-Disposition: form-data; name="file1"; filename="File.zip"

Local JavaScript sees a fixed path for compatibility:

file1.value == "C:\fakepath\File.zip"

Page 66: Securing Web Applications

Enhanced Cleanup

Page 67: Securing Web Applications

InPrivate™

InPrivate™ Browsing: Shared PC privacy
Browsing leaves no tracks locally (cookies, DOMStorage, cache, history, etc.)

InPrivate™ Filtering: Awareness and control of web profile aggregation
Assesses, on an ongoing basis, user exposure to third-party content. Helps to prevent information disclosure by automatically blocking high-frequency third-party content from sites users visit.

Page 68: Securing Web Applications

InPrivate™ Browsing

Bonus: Helps mitigate CSS “Visited Links” History theft vector

Page 69: Securing Web Applications

Background on 3rd Party Aggregation

Over time, users’ history and profiles can be surreptitiously aggregated

• Any third-party content can be used like a tracking cookie
• There is little end-user notification or control today
• Syndicated photos, weather, stocks, news articles; local analytics, etc.

Unclear accountability with third party security & privacy policies

[Diagram: a user visits eight unique sites (Contoso.com, Tailspin.com, Woodgrovebank.com, Example.com, Farbrican.com, Southridge1-1.com, Litware-final.com, adventureworks.com); each embeds content from the same third-party syndicator web server (Prosware-sol.com), which therefore observes every visit.]

Page 70: Securing Web Applications

Announcing Watcher: Passive Security Auditor

http://websecuritytool.codeplex.com/

Page 71: Securing Web Applications

Upcoming IE8 talks

• Creating a great experience on Digg with IE8 (C22F): coming up next, in this room
• IE8 in the real world (C23F): Today @ 4:15 PM-5:30 PM, San Polo 3501 (this room)
• Building high performance web applications and sites (T53F): Tomorrow @ 2:00 PM-3:15 PM, San Polo 3504

Page 72: Securing Web Applications

IE8 Compat Lab

Open today until 9:00pm; open tomorrow 9:00am – 3:15pm

Located upstairs in Marcello 4406

Page 73: Securing Web Applications

[email protected]

I’ll be in the IE8 Compat Lab until 6pm (Marcello 4406)

Please fill out your evaluation forms! T54F

Questions?

Page 74: Securing Web Applications

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Page 75: Securing Web Applications