The banking industry is grappling with the problem of malware infections in
clients. The exploitation of web vulnerabilities in a bank’s website can expose
online monetary transactions to fraud. Vulnerabilities such as Cross-Site
Scripting (XSS), clickjacking, MIME sniffing and Cross-Site Request Forgery
(CSRF) allow information in one session to be stolen from another. However,
browser security can play a critical role in preventing successful exploitation.
The state of HTTP declarative security in online banking websites

Aditya Sood and Richard Enbody, Michigan State University
To this end, new and flexible protection features have been introduced in the form of declarative security in HTTP response headers. These protection mechanisms are based on the concept of providing explicit security parameters that can be used to compel browsers to perform specific security functions. Declarative security obliges a developer to specially configure the application that sends HTTP response headers so that, on receiving them, browsers trigger security protections. These declarative security parameters can also be specified in the web server configuration file. The result is that declarative security can be considered as a portable and flexible defence. No protection method is foolproof, but for implementing generic protection, HTTP declarative response headers yield promising results. In addition, this concept is gaining traction as it has been adopted by Microsoft and Mozilla in order to strengthen the security of their browsers.

Declarative HTTP response headers are not a part of the HTTP 1.0/1.1 specification. However, they are compatible with HTTP and work efficiently. The initial HTTP declarative response headers are X-XSS-Protection, X-Frame-Options, X-Content-Type-Options, X-Download-Options and X-Content-Security-Policy. Strict-Transport-Security can also be considered in this category, but it has a different naming convention. Declarative security in HTTP response headers has been introduced to make the browsers more proactive and intelligent in dealing with the manipulative content that is a result of the exploitation of web vulnerabilities.

This research is based on an analysis of the traffic flow of major bank websites in order to understand how declarative security is being deployed in online banking. Banking websites were selected from a list of the world's top 40-plus safest banks of 2010 as provided by Global Finance.1 The ranking is based on the long-term credit and the total assets of the banks. Basically, it determines the solvency and the relative credit-worthiness of the bank. We start with the assumption that the efficacy of security practices is directly proportional to the bank's assets. Banks with greater assets tend to have more rigorous security mechanisms in order to provide a safe and trusted environment for transactions. The aim of this study is to gauge the deployment of declarative security in the real world, and in banking in particular. Since declarative security is relatively new, one would not expect widespread adoption. This study reflects the current state of security in online banking with respect to declarative security.

Declarative security and threat model

The HTTP header protections target specific attack vectors. These types of protection are a set of opt-in security mechanisms addressing a specific threat landscape. These attacks include clickjacking, MIME sniffing, manipulating file downloads, CSRF and XSS variants that have proven to be difficult to handle in real time. Each technique includes an HTTP header that has to be declared by the developer on the web server as well as the security actions that the browser triggers on the client side. Once a specific HTTP header is detected, the browser is supposed to execute the required security mechanisms. Of course, this protection strategy fails if the HTTP headers are not defined. As a result, control lies in the ability and expertise of the developers and administrators to use these protection headers as a part of their applications. Let us take a look at specific headers and how they work.
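As an added example that is not part of the article (the study used Perl enumeration scripts, not this code), the following Python checker parses a raw HTTP response and reports, for each declarative header named above, whether it is absent (marked NH, the label the study's results use for "no header received"), present with a value that engages the browser-side protection, or present with a weak value. Both sample responses are constructed, not captured from any bank.

```python
# Added example, not the article's Perl scripts; the sample responses are constructed.

# The headers the article lists; Strict-Transport-Security has a different naming
# convention but belongs to the same opt-in family.
DECLARATIVE_HEADERS = (
    "X-Frame-Options", "X-XSS-Protection", "X-Content-Type-Options",
    "X-Download-Options", "X-Content-Security-Policy", "Strict-Transport-Security",
)

# Values that actually switch on the browser-side protection the text describes.
ENGAGES_PROTECTION = {
    "X-Frame-Options": lambda v: v.upper() in ("DENY", "SAMEORIGIN"),
    "X-XSS-Protection": lambda v: v.split(";")[0].strip() == "1",
    "X-Content-Type-Options": lambda v: v.lower() == "nosniff",
    "X-Download-Options": lambda v: v.lower() == "noopen",
    "X-Content-Security-Policy": lambda v: v != "",
    "Strict-Transport-Security": lambda v: "max-age=" in v.replace(" ", "").lower(),
}

NH = "NH"  # the label the study uses when no such header is received


def parse_headers(raw):
    """Return {lower-cased name: value} from the head of a raw HTTP/1.x response."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # [0] is the status line
        if ":" not in line:
            continue  # skip a malformed line rather than abort the audit
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), value.strip())  # first value wins
    return headers


def audit(raw):
    """Map each declarative header to NH, 'ok: <value>' or 'weak: <value>';
    the 'server:' header is reported too, as the study records its disclosure."""
    headers = parse_headers(raw)
    report = {}
    for name in DECLARATIVE_HEADERS:
        value = headers.get(name.lower())
        if value is None:
            report[name] = NH
        elif ENGAGES_PROTECTION[name](value):
            report[name] = "ok: " + value
        else:
            report[name] = "weak: " + value
    report["Server"] = headers.get("server", NH)
    return report


def deployed(report):
    """Names of the declarative headers present with a value that engages protection."""
    return [n for n in DECLARATIVE_HEADERS if report[n].startswith("ok:")]


# Constructed sample: a login-page response carrying none of the headers.
BARE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: SESSION=constructed; Path=/; Secure; HttpOnly\r\n"
    "\r\n<html>constructed body</html>"
)
# Constructed sample: the same response with the headers declared by the server.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: constructed-example\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Download-Options: noopen\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "\r\n"
)
```

Running `audit()` over the responses of each page of a site and tallying `deployed()` reproduces the kind of per-bank table the study presents, with NH marking every header the server never sent.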
July 2011 Computer Fraud & Security
X-Frame-Options

The X-Frame-Options HTTP response header is used to control the framing of a web page by a third-party website or a malicious domain.2,3 Generally, clickjacking and auto-framing techniques are used to conduct stealth attacks by concealing part of the user interface in the browser.4,5,6 The framing of a website plays a critical role in a successful clickjacking attack in conjunction with CSRF attacks.7 Users believe that they are clicking on a legitimate link, but are actually clicking on a hidden link. This HTTP response header can prevent the malicious framing of a legitimate website. The DENY parameter compels browsers to prevent rendering of the website in a frame (irrespective of the parent frame), whereas the SAMEORIGIN parameter allows the framing of web pages on the same domain but restricts the framing of a website from third-party parent frames. The header also requires secure frame communication to preserve integrity.8 In a real-time environment, it is not feasible to apply this option for a full domain because it can deny frames that load legitimate websites. However, it is a good practice to implement X-Frame-Options in application code to apply an extra layer of security in the critical web pages. A website might use frame-busting or frame-killing code such as:

<script type="text/javascript">if(top != self) top.location.replace(location);</script>

…or…

<script>if(top.location != location) top.location = self.location;</script>
X-XSS-Protection

The X-XSS-Protection HTTP response header has been implemented by Microsoft to sanitise reflective XSS attacks.9,10 Once a browser such as Internet Explorer receives this header it enables the XSS filter which prevents the rendering of content explicitly. Further, another HTTP response header has been released by Mozilla, named X-Content-Security-Policy, that works in a similar fashion to avoid rendering of malicious content in the Mozilla browser.11 These HTTP declarative security headers are used to lower the risk of XSS attacks. However, some problems have been witnessed in the X-XSS-Protection header.12

Figure 1: Applied declarative security as HTTP response headers in the world's top 43 popular banks.

X-Content-Type-Options

An attacker can inject code based on the content type set by the server. Browsers follow the content-type parameter in order to render the content of the page correctly. They have to ensure that content is rendered according to the data type set by the server. Browsers should not sniff out any other content type that is not specified by the server. Hence, the browser has to avoid sniffing MIME content that is not appropriate. Basically, the X-Content-Type-Options header can be used to prevent malicious rendering of content inside files by only allowing the parameter specified in the content-type HTTP response header.13,14

X-Download-Options

As we know, browsers such as Internet Explorer provide an inbuilt functionality to open files directly on the domain when a download dialogue box is initiated. The X-Download-Options parameter is provided by Microsoft in order to combat attacks that occur from the direct opening of files in the domain.15 This HTTP response header forces IE to modify the user interface download dialog box, removing the open button (specifying a no-open value in the header). This prevents the user from opening malicious files that might run content directly on the domain.

Figure 2: An iframe injected into a vulnerable bank website.

Strict-Transport-Security

Strict-Transport-Security is a declarative header that is used by websites to force browsers to send all types of data over HTTPS.15,16 A number of websites use both HTTP and HTTPS interfaces to set sessions. It is considered as a risk because an attacker can inject malicious traffic to trick browsers in order to steal cookies if this parameter is deployed in all the communication processes under HTTPS. This should not be confused with the 'secure' parameter because it is only defined for exchanging cookies over HTTPS, whereas Strict-Transport-Security applies to the overall communication. In general, X-Frame-Options and X-XSS-Protection have been used collaboratively to reduce the intensity of attacks. However, other response headers are used in specific applications and web servers.

Figure 3: XSS exploited in a bank's website in spite of Internet Explorer XSS filter.

Testing

The motivation behind this experiment was to test the acceptability of new protection features in an industry most susceptible to exploitation on the web. During the course of the experiment, it's possible to judge how well the top banks are deploying this HTTP declarative security. In general, a robust security solution is comprised of a collaborative implementation of client and server security. HTTP declarative security provides an efficient way to provide some control of browsers in order to avoid a number of attacks. The objective of this testing is to check whether the critical web pages (configuration pages and web pages with authentication) in the banks' websites are implementing declarative security.

Methodology

In order to perform analytical tests, a list of the top banks of 2010, as defined by Global Finance, was selected. The banks were chosen from around the world based on their financial ratings. This choice was made as the security of those banks that attract the top ratings is critical for safe
monetary transactions. The largest banks tend to be the preferred choice of the attackers.

The testing involved Perl-based HTTP response enumeration scripts which sent a crafted HTTP request to the web server and detected required HTTP declarative security response headers. In addition to this, the tests used the Firefox add-on HttpFox, which is an HTTP traffic analyser for scrutinising the state of different HTTP headers.17 Other standard traffic monitoring tools such as Wireshark and Netmon by Microsoft were used for packet dissection analysis. The tests were conducted in Internet Explorer, Firefox and Google Chrome.

Figure 4: XSS exploited in a bank's website in spite of Google Chrome XSS Auditor.

The outcome of this experiment is entirely based on the detection of different HTTP declarative security response headers. The research also covered all the sub-domains that are the subset of the main bank domains. The tests didn't take into consideration different types of attacks such as HTTP response splitting, which alters the state of HTTP response headers. Something close to 7,786 web pages were analysed, including supporting resources that are present in the different bank domains. Overall, the experiment was conducted on close to 200 bank websites, although this article only covers the results of the top banks.

Results

Some interesting results arose during the course of this study. At the time of running these tests, not a single bank website out of the top 50 banks is using declarative security in HTTP response headers. It seems that the declarative security model has not been accepted by the online banking industry. Figure 1 shows the results of this experiment. The NH parameter suggests that no server header was received in the response. Some of the banks did not send a 'server:' header in the responses and one of them used explicit names. The CDC, BBVA, OCBC and DB banks did not disclose the 'server:' header in HTTP responses. Barclays bank alternatively changed the server header with 'Red', 'Blue', 'Green' and 'Black' values on consecutive requests. During the research, a number of vulnerabilities were spotted in this set of banks. These were reported to the administrators of the banks' websites.

Figure 5: XSS – Content-Rendering scripting attack.

For completeness, the research included some tests to show that attacks are indeed possible. Figure 2 shows an iframe injection attack in one bank website that does not use X-Frame-Options. Since most of the browsers implement protection mechanisms based on declarative security, almost all browsers were tested in order to execute XSS. Apart from this, a lot of XSS injections were
evident in the banks' websites. Most of the reflective XSS attacks were rendered successfully by the browsers having XSS filters. Figure 3 shows a successful XSS attack in Internet Explorer conducted in one of the vulnerable bank websites. Figure 4 shows the successful XSS bypass in Google Chrome version 10.0.648.127. The examples discussed in this section show the ineffectiveness of client-side XSS filters in a number of browsers. However, continuous research and development is resulting in more secure client-side XSS filtering. For generic XSS vulnerabilities, these filters provide appropriate protections by default, as well as offering some security with declarative security in HTTP response headers.

XSS attacks are versatile in nature. Even with the presence of filters, it is often easy to bypass them. However, in certain cases the declarative security headers used to control XSS fail. In addition to this, it's also notable that it was possible to manipulate the content-type of the required page to conduct the attack. In this attack, it was possible to render a malicious PDF in one of the vulnerable bank domains which executed the script. On testing, it was found that the domain was not configured to send X-Content-Type-Options. Figure 5 shows a successful content-type manipulation attack by exploiting the RFI vulnerability in one of the bank websites. This experiment shows the state of declarative security in bank websites.

Conclusion

This was a survey of the deployment of HTTP declarative security in the world's top banks. After analysing domains and sub-domains, it was found that, at the time of conducting these tests, not a single bank website shows the use of declarative security in the HTTP response headers. Hence, the results show that exploitation of security flaws can be reduced to some extent using declarative security because it forces the browser to enforce protection. Declarative security in HTTP response headers can be considered as an additional defence, even if proprietary web security solutions are deployed, because it triggers the security element in browsers. The online banking industry should implement these protections as opt-in security to thwart generic targeted attacks.

About the authors

Aditya K Sood is a security researcher, consultant and PhD candidate at Michigan State University. He has worked in the security domain for Armorize, COSEINC and KPMG and founded SecNiche Security. He has been an active speaker at conferences such as RSA, Toorcon, Hacker Halted, TRISC, EuSecwest, XCON, OWASP AppSec, CERT-IN and has written content for HITB Ezine, ISSA, ISACA, Elsevier, Hakin9 and Usenix Login.

Dr Richard Enbody is an Associate Professor in the Department of Computer Science and Engineering, Michigan State University. He joined the faculty in 1987 after earning his PhD in Computer Science from the University of Minnesota. His research interests are in computer security, computer architecture, web-based distance education and parallel processing. He has two patents pending on hardware buffer-overflow protection, which will prevent most computer worms and viruses. He recently co-authored a CS1 Python book, The Practice of Computing using Python.

References

1. 'World's 50 Safest Banks 2010'. Global Finance, 2 Sep 2010. Accessed June 2011. <http://www.gfmag.com/tools/best-banks/10533-worlds-50-safest-banks-2010.html>.
2. Lam, Jason. 'Adoption of x-frame-options header'. SANS AppSec Blog, 15 Oct 2009. Accessed June 2011. <http://blogs.sans.org/appsecstreetfighter/2009/10/15/adoption-of-x-frame-options-header/>.
3. 'Preventing Framebusting and Clickjacking'. Coderrr, 13 Feb 2009. Accessed 2011. <http://coderrr.wordpress.com/2009/02/13/preventing-frame-busting-and-click-jacking-ui-redressing>.
4. Hansen, R; Grossman, J. 'Clickjacking'. Ha.ckers, 15 Sep 2009. Accessed June 2011. <http://ha.ckers.org/blog/20080915/clickjacking>.
5. Stone, Paul. 'Next Generation Clickjacking Attacks'. BlackHat Conference, 14 Apr 2010. Accessed June 2011. <https://media.blackhat.com/bh-eu-10/presentations/Stone/BlackHat-EU-2010-Stone-Next-Generation-Clickjacking-slides.pdf>.
6. Balduzzi, M; Egele, M; Kirda, E; Balzarotti, D; Kruegel, C. 'A solution for the automated detection of clickjacking attacks'. In ASI-ACCS'10, 2010.
7. Barth, A; Jackson, C; Mitchell, JC. 'Robust defenses for cross-site request forgery'. In proceedings of the 15th ACM Conference on Computer and Communications Security (CCS 2008), 2008.
8. Barth, A; Jackson, C; Mitchell. 'Securing frame communication in browsers'. Communications of the ACM (CACM 2009), 2009.
9. 'Event 1046 – Cross-Site Scripting Filter'. MSDN. <http://msdn.microsoft.com/en-us/library/dd565647%28v=vs.85%29.aspx>.
10. 'IE8 Security Part IV: The XSS Filter'. IEBlog, 2 Jul 2008. Accessed June 2011. <http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx>.
11. Secure Content Policy. Mozilla Developer Network, 21 May 2010. Accessed June 2011. <https://wiki.mozilla.org/Security/CSP/Spec>.
12. Coates, Michael. 'IE8 XSS Filter Bug'. 20 Nov 2009. Accessed June 2011. <http://michael-coates.blogspot.com/2009/11/ie8-xss-filter-bug.html>.
13. 'HOWTO protect against malicious images and other non-HTML content'. Google Code. Restricted access. <http://code.google.com/p/doctype/wiki/ArticleContentSniffing>.
14. 'IE8 Security Part VI: Beta 2 Update'. IEBlog, 3 Sep 2008. Accessed June 2011. <http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx>.
15. Jackson, C; Barth, A. 'ForceHTTPS: Protecting High-Security Web Sites from Network Attacks'. In proceedings of the 17th International World Wide Web Conference (WWW 2008).
16. 'Strict Transport Security'. W3C Open Specification, 18 Dec 2009. Accessed June 2011. <http://lists.w3.org/Archives/Public/www-archive/2009Dec/att-0048/draft-hodges-strict-transport-sec-06.plain.html>.
17. HttpFox browser add-on. Mozilla. Accessed June 2011. <https://addons.mozilla.org/en-us/firefox/addon/httpfox/>.

Resources

• 'IE8 Security Part V: Comprehensive Protection'. IEBlog, 2 Jul 2008. Accessed June 2011. <http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx>.
Security in the value chain

Simon Walker, Quantainia

Stephen Bonner, Barclay's Bank's CISO, recently likened technology controls to the railings around a balcony – they allow you to get closer to the edge without falling off. Indeed, risk analysis of information assets is not wholly unlike buying and selling houses. It is a complex process, there are lots of hoops to jump through, and there is a number of pitfalls.

One of the most common errors is to base actions on superficially attractive but practically inadequate information – for example, overestimating the value of the property you're trying to sell, or underestimating how painful a big mortgage might become. Skimping on research will almost certainly result in pain later on. You might be tempted to base decisions on a convenient pipedream – 'my small house is worth at least £1m. Buyers will be queuing up. Never mind the leaking roof. Or the illegal extension. And I won't spend money on a lick of paint, or the railings on the balcony.' But this fantasy will rarely survive contact with reality.

So it is with the risk assessment of information assets. Just like property deals, the security assessor is likely to be part of a chain. A common pitfall is for senior leadership to skip over security risk assessment activity because the results are difficult to interpret, or merely politically inconvenient. A classic example here is penetration testing. Effective security risk assessment, on the other hand, makes sense on a number of levels: it helps to ensure that products and services deliver on their promised value; it prevents nasty, expensive surprises; and it is the basis for sound decision-making. Perhaps most importantly, it may be what stops your chief executive having to make embarrassing public statements about subjects he doesn't really understand.

The PlayStation Network

The recent high-profile hacking of the Sony PlayStation Network (PSN) has provided some invaluable lessons for us all. The PSN service has a clear customer proposition. Its prime attractions rest in the open architecture and ready supply of downloadable games to purchase. Ease of access to services tends to mean quick authentication and seamless payment, which also means that user details, including card details, are stored somewhere easily accessible. Where you have such data stored, you have a cluster of information assets and hence you have something worth stealing. Also, if you're releasing a product for the young and technology-literate that needs to be globally accessible, you're mapping quite neatly onto the demographic that is often keenest to attempt breaking technology.

Neither of these are particularly abstruse facts, so what can have gone wrong?

Sony's value chain

Initial suggestions from Sony that the incident was orchestrated by 'hacktivist' group Anonymous have since been dismissed by the group itself. Anonymous was quick to issue a denial of this accusation. This seems to have been an attempt by Sony to excuse the incident and is in any case an irrelevance: the root causes of the incident were endemic, not a result of the actions of external influences.

The 'value chain' is a model that describes the activities of a firm within a specific industry, and consists of both primary and support activities. In Sony's case the former would include research, development, manufacture, marketing and sales, and after-sales service. Support activities would traditionally include organisational infrastructure elements – the internal IT, HR and other functions that span the primary productive ones. Each element has costs, and adds (or subtracts) value from the end result.