![How to manage cross-origin access?
APACHE example:
Restrict access to certain URIs - Apache examples
RewriteRule ^/api(.*).json$ /api$1.json [CORS=True]
Header set Access-Control-Allow-Origin "*" env=CORS
Header set Access-Control-Allow-Methods "GET" env=CORS
PHP example:
<?php // We'll be granting access to only the arunranga.com domain
// which we think is safe to access this resource as application/xml
if($_SERVER['HTTP_ORIGIN'] == "http://arunranga.com")
{
header('Access-Control-Allow-Origin: http://arunranga.com');
header('Content-type: application/xml');
readfile('arunerDotNetResource.xml'); }
[…]
//ELSE ERROR](https://image.slidesharecdn.com/cm2securecodetraining1daydataprotection-180716092420/85/Cm2-secure-code_training_1day_data_protection-19-320.jpg)
Cm2 secure code_training_1day_data_protection
- 1. SECURE CODE TRAINING DATA PROTECTION DAVID CERVIGNI IT SECURITY CONSULTANT AND PCI CODE REVIEWER
- 2. What? Data Classification: • Non sensitive/Public • Personally identifiable information (PII), or sensitive personal information (SPI) • Secret: financial statements, CC, passwords… • Technical: java stack-traces, source code, component versions… When? How? Data at rest: • Encryption (full device vs data encryption) Data in transit: • Encrypted protocols • HTTP Headers configurations
- 3. What benefits do HTTPS provide? • Confidentiality: Spy cannot view your data • Integrity: Spy cannot change your data • Authenticity: Server you are visiting is the right one • High performance! HTTPS configuration best practices https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet https://www.ssllabs.com/projects/best-practices/ Encrypting data in Transit
- 4. • HSTS (Strict Transport Security) http://www.youtube.com/watch?v=zEV3HOuM_Vw • Forward Secrecy https://whispersystems.org/blog/asynchronous-security/ • Certificate Creation Transparency http://certificate-transparency.org • Certificate Pinning https://www.owasp.org/index.php/Pinning_Cheat_Sheet • Browser Certificate Pruning Encrypting data in Transit
- 5. Encrypting data in Transit : HSTS (Strict Transport Security) • Forces browser to only make HTTPS connection to server • Must be initially delivered over a HTTPS connection • Current HSTS Chrome preload list http://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_static.json • If you own a site that you would like to see included in the preloaded Chromium HSTS list, start sending the HSTS header and then contact: https://hstspreload.appspot.com/ • A site is included in the Firefox preload list if the following hold: It is in the Chromium list (with force-https). It sends an HSTS header. The max-age sent is at least 10886400 (18 weeks). http://dev.chromium.org/sts
- 6. • What is Pinning ? Pinning is a key continuity scheme Detect when an imposter with a fake but CA validated certificate attempts to act like the real server • 2 Types of pinning Carry around a copy of the server's public key; Great if you are distributing a dedicated client-server application since you know the server's certificate or public key in advance • Note of the server's public key on first use Trust-on-First-Use (TOFU) pinning Useful when no a priori knowledge exists, such as SSH or a Browser Encrypting data in Transit : Certificate Pinning https://www.owasp.org/index.php/Pinning_Cheat_Sheet
- 7. Encrypting data in Transit : Browser-Based TOFU Pinning https://www.owasp.org/index.php/Pinning_Cheat_Sheet • Browser-Based TOFU Pinning : Trust on First Use • HTTP Public Key Pinning IETF Draft http://tools.ietf.org/html/draft-ietf-websec-key-pinning-11 • Freezes the certificate by pushing a fingerprint of (parts of) the certificate chain to the browser • Example: Public-Key-Pins: pin-sha1="4n972HfV354KP560yw4uqe/baXc="; pin-sha1="qvTGHdzF6KLavt4PO0gs2a6pQ00="; pin-sha256="LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ="; max-age=10000; includeSubDomains
- 8. Encrypting data in Transit : Pinning in Play (Chrome) https://www.owasp.org/index.php/Pinning_Cheat_Sheet
- 9. Encrypting data in Transit : Forward Secrecy • If you use older SSL ciphers, every time anyone makes a SSL connection to your server, that message is encrypted with (basically) the same private server key • Perfect forward secrecy: Peers in a conversation instead negotiate secrets through an ephemeral (temporary) key exchange • With PFS, recording ciphertext traffic doesn't help an attacker even if the private server key is stolen! https://whispersystems.org/blog/asynchronous-security/
- 10. In information security, computer science, and other fields, the principle of least privilege (also known as the principle of minimal privilege or the principle of least authority) requires that in a particular abstraction layer of a computing environment, every module (such as a process, a user, or a program, depending on the subject) must be able to access only the information and resources that are necessary for its legitimate purpose. Principle: Least Privilege For example: • OS users (technical) • Directory permissions • restrict users to only the functionality, data and system information that is required to perform their tasks
- 11. Encrypt highly sensitive stored information, like authentication verification data, even on the server side. Always use well vetted algorithms, follow the company approved "Cryptographic Practices”. Do not store passwords, connection strings or other sensitive information in clear text or in any non-cryptographically secure manner on the client side. This includes embedding in insecure formats like: MS viewstate, Adobe flash, serialized java classes or compiled code. Encryption of data at rest
- 12. You do not store passwords Evolution of password “non-storage”: I. Hashes password II. Salted Hashed passwords III. Adaptive one-way function (bcrypt, Argon2…) …how to store passwords?
- 13. ...and technical information. • Protect server-side source-code from being downloaded by a user • Remove comments in user accessible production code that may reveal backend system or other sensitive information • Remove unnecessary application and system documentation as this can reveal useful information to attackers NOTE: this is not security by obscurity antipattern Protect source-code…
- 14. • Do not include sensitive information in HTTP GET request parameters. This includes jsessoinId parameters and others: In web.xml (Tomcat 7): <session-config> <tracking-mode>COOKIE</tracking-mode> </session-config> Or programmatically, you can use: servletContext.setSessionTrackingModes (EnumSet.of(SessionTrackingMode.COOKIE)); Avoid data leakage - 1
- 15. • Disable auto complete features on forms expected to contain sensitive information, including authentication. <INPUT TYPE="password" AUTOCOMPLETE="off"> • Disable client side caching on pages containing sensitive information. Cache- Control: no-store, may be used in conjunction with the HTTP header control "Pragma: no-cache", which is less effective, but is HTTP/1.0 backward compatible. Cache-Control: no-cache, no-store and Pragma: no-cache, Expires: 0 • Disable unnecessary iframe support with header: X-Frame-Options: SAMEORIGIN Avoid data leakage - 2
- 16. • The application should support the removal of sensitive data when that data is no longer required. (e.g. personal information or certain financial data). • Implement appropriate access controls for sensitive data stored on the server. This includes cached data, temporary files and data that should be accessible only by specific system users. Avoid data leakage - 3
- 17. Enforcing (and avoiding) Same-Origin Policy * More info: https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy
- 18. How to manage cross-origin access? 1. To prevent cross-origin access, check for an unguessable token in the request, known as a Cross- Site Request Forgery (CSRF) token. You must prevent cross-origin reads of pages that know this token. 1. To prevent cross-origin reads of a resource, ensure that it is not embeddable (X-Frame-Options: SAMEORIGIN). It is often necessary to prevent embedding, because embedding a resource always leaks some information about it. 2. To prevent cross-origin embedding, ensure that your resource can not be interpreted as one of the embeddable formats(<script src="..."></script>, CSS with <link rel="stylesheet”, <img Plug-ins with <object>, <embed> and <applet>). BUT The browser does not respect the Content-Type in most cases. For example if you point a <script> tag at an HTML document, the browser will try to parse the HTML as JavaScript.
- 19. How to manage cross-origin access? APACHE example: Restrict access to certain URIs - Apache examples RewriteRule ^/api(.*).json$ /api$1.json [CORS=True] Header set Access-Control-Allow-Origin "*" env=CORS Header set Access-Control-Allow-Methods "GET" env=CORS PHP example: <?php // We'll be granting access to only the arunranga.com domain // which we think is safe to access this resource as application/xml if($_SERVER['HTTP_ORIGIN'] == "http://arunranga.com") { header('Access-Control-Allow-Origin: http://arunranga.com'); header('Content-type: application/xml'); readfile('arunerDotNetResource.xml'); } […] //ELSE ERROR
- 20. SECURE CODE TRAINING INTENSIVE COURSE DAVID CERVIGNI IT SECURITY CONSULTANT AND PCI CODE REVIEWER