The following notes cover the Play by Play course Modern Web Security Patterns, given by Troy Hunt and Lars Klint.
Free crypto mining anyone?
The course begins by showing an attack in which a crypto-mining script was injected into the Browsealoud service and so ran on every site that embedded it. Browsealoud delivers its accessibility features as a script that you embed in your site. The company was not aware of the compromise, and every client that used the service had its users' browsers mining cryptocurrency.
Subresource Integrity (SRI)
One way to protect your users when you load scripts from a third party is Subresource Integrity. SRI uses the integrity attribute on the script (or link) tag, whose value is the hash algorithm and base64-encoded hash of the exact file you expect, of the form sha384-<base64 digest>. If the bytes the browser downloads do not hash to that value, the browser refuses to execute the file, so a modified copy of the script never runs on the user's machine. For cross-origin resources the tag also needs crossorigin="anonymous", otherwise the browser cannot read the response in order to check it.
If your site depends on scripts from an external provider, you should use SRI for those resources.
Some things to look out for:
- If the external provider (or your own script) is not versioned, a hash is not practical: the file can change under you, the hash will stop matching, and the script will be blocked for your users.
- Recommend that you version your scripts and publish the hash to your clients so they can protect their customers/users.
- Not all browsers support it; as of this writing it looks like IE, Edge and Safari are the only ones that do not. (Edge and Safari have since added SRI support; IE never did. A browser that does not support the attribute simply ignores it and loads the script unchecked.)
You can test this with Fiddler: use it as a proxy, modify the script file in transit, and verify that the browser refuses to load the tampered copy.
Cross-Origin Protection of XSS
The Content-Security-Policy (CSP) response header defines where the browser is allowed to load content from when rendering your site. The policy can also be delivered in a <meta http-equiv="Content-Security-Policy"> tag, but the header form is preferred, and some directives (report-uri and frame-ancestors among them) only work in the header. Be specific and list only the sources you actually load from; do not add a wildcard that allows everything.
Where you cannot get a hash for a script you use, you can instead allow-list the host that serves it.
Example of HTTP header with policy:
Content-Security-Policy: default-src 'self'; img-src *; media-src media1.com media2.com; script-src userscripts.example.com
Reporting Content Security Policy
You want to be notified when your site has a violation so that you can resolve it. To do this, add a report-uri directive to the policy; the browser will POST a JSON violation report to that URI. (report-uri is being superseded by report-to and the Reporting API, but it remains the widely supported option, and sending both is common.)
Example of HTTP header with reporting enabled:
Content-Security-Policy: default-src 'self'; report-uri http://reportcollector.example.com/collector.cgi
Not all browsers treat a CSP identically, and an enforced policy that is wrong breaks your site. If you do not want to take that risk yet, use report-only mode: the site loads normally and the browser sends you a report of anything that would have been blocked. To do this, use the Content-Security-Policy-Report-Only header instead.
Example of Content-Security-Policy-Report-Only
Content-Security-Policy-Report-Only: default-src https:; report-uri /csp-violation-report-endpoint/
Troy mentioned a script he has that lets him set these values in meta tags, after which it sends reports to the URI in your configuration. I have not found this script and will need to search his site for it so that I can use it.
The good news is that all major browsers support report-only CSP.
A tool that can help model which sites you need to allow-list is Microsoft's Threat Modeling Tool. You can diagram where you expect content to come from and update the diagram as reports arrive, giving you a visual guide to your site's external dependencies.
Browser Defense for Cross-Site Scripting
Browsers also had another defensive measure, the X-XSS-Protection response header, which told the browser's built-in XSS filter how to react when it detected reflected script in a page. This header is now legacy: Firefox never implemented it, and Chromium-based browsers (Chrome, Edge) have since removed the filter, so treat CSP plus server-side output encoding as the real defence.
Configuration
X-XSS-Protection: 0 (filter disabled)
X-XSS-Protection: 1 (filter enabled; the browser sanitises the page)
X-XSS-Protection: 1; mode=block (filter enabled; the browser blocks rendering instead of sanitising)
X-XSS-Protection: 1; report= (Chromium only; followed by the URI the violation report is sent to)
This header is not supported in Firefox and is interpreted differently between browsers. (Ironically, the site I reference for details on this does support it.)
Don't rely on the browser side only: define your protection on the server as well, by validating input and encoding output in the content you send to the client's browser. (Need to search out any specific server-side resources to help protect users.)
Improving and Testing HTTPS
We have a responsibility to protect our users from malicious interference with our web site/app. To do this, at a minimum every page that accepts data from the user should be served over HTTPS; securing the whole site with HTTPS is better. Examples of pages to protect with HTTPS:
- Login Pages
- Any page the user would supply data
Chrome enforces its security notifications more aggressively in incognito mode and will mark your site as "Not secure" if it has any form input and is not using HTTPS.
badssl.com gives live examples of broken TLS configurations that you can test a browser or client against.
The Content-Security-Policy directive upgrade-insecure-requests tells the browser to rewrite http:// requests for your page's own subresources (scripts, images, fetches) to https:// before sending them. It does not block anything; it makes mixed-content warnings disappear once the assets are actually available over HTTPS. Active mixed content such as scripts and frames is already blocked by modern browsers regardless.
Pairing a policy with Content-Security-Policy-Report-Only (for example default-src https: in report-only mode, as above) blocks nothing but sends you a report for every asset that is not served securely. Use it to find insecure assets and then secure them.
HPKP Public Key Pinning
HPKP (HTTP Public Key Pinning) was designed to stop man-in-the-middle attacks that use fraudulently issued certificates: the server sends hashes of public keys that must appear in its certificate chain, and the browser refuses later connections whose chain does not contain a pinned key. It proved very hard to operate and easy to break. The pins live in the client's browser for the max-age you set, so if you rotate to a key you did not pin, or lose the backup key, those users cannot reach your site at all until the pins expire. Chrome and Firefox have since removed HPKP support entirely, so it should be treated as historical.
Pinning is only worth considering for sites that are high-value targets, and even then it is very hard to get right.
CAA
A CAA (Certification Authority Authorization) record is a DNS entry that lists which certificate authorities are allowed to issue certificates for your domain; CAs are required to check it before issuing. It is far easier to deploy than HPKP (one record in DNS, updated in one central place) and carries none of the lock-out risk, because it acts at issuance time rather than in the user's browser. It is not a full replacement: CAA restrains who may issue, but it cannot stop a listed CA from being abused or a rogue CA from ignoring it, so pair it with Certificate Transparency monitoring.
You can use DNSSpy (dnsspy.io) to inspect your DNS entries.
Use SSL Labs to test your site's TLS configuration and review the report for changes that would make it more secure.
Not every measure listed here is needed for content you host yourself, but for externally hosted sources they are the minimum.
Security Headers (securityheaders.com) gives you a report of your site's security headers.
Observatory.mozilla.org is another tool that gives you a report of your site's security.
Troy Hunt has an article on how he secured his site with CSP: My Blog Now Has a Content Security Policy – Here’s How I’ve Done It
Improving Communication
An issue with the web is that there is no clear way to notify a site owner of a problem you have discovered with their site. The course points to the proposed security.txt standard (since published as RFC 9116), a text file served at /.well-known/security.txt.
The file contains, at a minimum:
Contact: an email address (mailto:), URL (for example a Twitter profile or reporting form) or phone number; RFC 9116 also requires an Expires line.
Encryption: URL of the public key to use for encrypted reports (optional).
You can build a security text file quickly via securitytxt.org
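A complete file of the kind securitytxt.org generates, as an added example for these notes (the example.com addresses and dates are hypothetical). Contact and Expires are the two fields RFC 9116 requires; Expires is the one most often forgotten, and an expired file is treated as stale by tooling that reads it.

```text
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2026-12-31T23:59:59.000Z
Encryption: https://example.com/pgp-key.txt
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
```

Serve it as text/plain over HTTPS at the canonical path; the RFC also allows signing the file with the key named in Encryption so a reporter can trust the contact details.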