5. Facts about HTTP Headers
• Headers can be used to steer browser (and application) behaviour
• You can define your own headers
• If the browser does not know or support a header, it simply ignores it
• Response headers are client-side controls that are implemented on the server side
8. Clickjacking
• Tricking the user into clicking something different from what the user perceives
• Demo time (source code: https://github.com/marpuch/Java-Sec-Examples )
9. X-Frame-Options
• Steers whether or not the browser is allowed to render the page in a <frame> or <iframe> tag
• Mitigates the clickjacking threat
• Example: X-Frame-Options: DENY
10. X-Frame-Options - Parameters
• DENY - The page can never be displayed in a frame
• SAMEORIGIN - The page can only be framed by pages with the same origin
• ALLOW-FROM <uri> - The page can only be framed by the following URIs
11. X-Frame-Options - Compatibility
• Parameters DENY and SAMEORIGIN are supported by all major browsers
• Some major browsers (e.g. Chrome v47) do not support ALLOW-FROM <uri>
• Browser compatibility can be checked here: http://erlend.oftedal.no/blog/tools/xframeoptions/
12. X-Frame-Options - Implementation
• Tomcat users - activate the httpHeaderSecurity filter in the file TOMCAT_HOME/conf/web.xml
• Spring MVC users - look here
• ...
14. How many sites use X-Frame-Options?
Source: scotthelme.co.uk
15. Content Security Policy (CSP)
• CSP defines the sources (of images, scripts, styles, media, fonts, …) the site is allowed to load content from
• Quite big and powerful
• Current version 2.0, version 3.0 in progress
• Addresses not only clickjacking, but also cross-site vulnerabilities
• Enforces coding rules on developers (yes, this can be painful for the dev team)
16. Using CSP
• Header syntax:
  Content-Security-Policy: <directive1> <source1.1> <source1.2> <source1.3>; <directive2> <source2.1> <source2.2>; …
• You can also define CSP with a meta tag in the HTML page, like this:
  <meta http-equiv="Content-Security-Policy" content="directive source1 source2">
19. Clickjacking mitigation with CSP
• Does the same as X-Frame-Options:
  Content-Security-Policy: frame-ancestors 'none'; …
• Defines allowed sources for frame and iframe:
  Content-Security-Policy: child-src 'none'; …
20. CSP 2.0 browser support
• NOTE: Clickjacking protection (frame-ancestors) is part of the CSP 2.0 specification (see caniuse.com)
22. Cross-Site Scripting (XSS)
• XSS happens when you let users inject their own code into the page content
• But really, how dangerous can this be? :>
23. Types of XSS
• Stored - the injected content is saved by the server and served back later (flow: Browser, Server, DB):
  out.println("Stored XSS: " + note.getContent());
• Reflected - the injected content comes straight back from the current request (flow: Browser, Server):
  out.println("Reflected XSS: " + request.getParameter("hacked"));
24. Types of XSS
• DOM-Based - the injection is performed by the page's own client-side script (flow: Browser):
  <script>
  var pos=document.URL.indexOf("name=")+5;
  document.write(document.URL.substring(pos,document.URL.length));
  </script>
  http://www.vulnerable.site/welcome.html?name=<script>alert(1)</script>
25. X-XSS-Protection
• Header designed for IE8 and later, supported by Chrome and Safari
• Offers reflected XSS protection
• Turned on by default
• Syntax:
X-XSS-Protection: 0 // turn off
X-XSS-Protection: 1 // turn on, sanitize
X-XSS-Protection: 1; mode=block // turn on, block
27. CSP vs XSS
• How to prevent exploitation even when the website is vulnerable
• Demo time (source code: https://github.com/marpuch/Java-Sec-Examples )
30. CSP - Implementation
• You want your developer team to be aware of CSP, to detect problems early
• It is better to turn this feature on in your software stack (rather than, e.g., in the web server), but be aware that it is still a fairly new feature:
“Spring Security does not provide support for this [CSP] as the specification is not released and it is quite a bit more complicated. However, you could use the static headers feature to implement this. To stay up to date with this issue and to see how you can implement it with Spring Security refer to SEC-2342”
32. Better CSP utilization, CSP testing
• Be aware that you can run CSP in report-only mode by setting the –Report-only flag or by using the Content-Security-Policy-Report-Only header
• You can use both the Content-Security-Policy and the Content-Security-Policy-Report-Only header at the same time, to enforce the current CSP rules while testing stricter ones
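As an added example (not from the slides or the Java-Sec-Examples project), the Python helper below audits the clickjacking-related headers from slides 10, 19 and 32: it parses a CSP value into directives and decides whether an X-Frame-Options value or an enforced frame-ancestors directive protects the page, treating a Report-Only policy as reported but not enforced. The header values in the usage are constructed.

```python
# Added example, not code from the slides or the Java-Sec-Examples repository:
# audit the response headers a server returned and decide whether the page
# can still be framed (clickjacking). Header values in the usage are constructed.

OPEN_SOURCES = {"*", "http:", "https:"}  # frame-ancestors sources that allow any site

def parse_csp(value):
    """Split a CSP header into {directive: [sources]} (';' separates directives)."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]  # directive names are case-insensitive
    return policy

def assess_framing(headers):
    """Return (protected, notes) for a dict of HTTP response headers."""
    h = {k.lower(): v for k, v in headers.items()}
    notes, protected = [], False
    # An enforced frame-ancestors directive is the CSP 2.0 replacement for
    # X-Frame-Options; a Report-Only policy only reports and never blocks.
    if "content-security-policy" in h:
        sources = parse_csp(h["content-security-policy"]).get("frame-ancestors")
        if sources is not None:
            if OPEN_SOURCES & set(sources):
                notes.append("frame-ancestors allows any origin: " + " ".join(sources))
            else:
                protected = True
                notes.append("frame-ancestors enforced: " + (" ".join(sources) or "'none'"))
    if "frame-ancestors" in parse_csp(h.get("content-security-policy-report-only", "")):
        notes.append("frame-ancestors only in Report-Only policy: reported, not enforced")
    # X-Frame-Options: DENY and SAMEORIGIN are widely supported, ALLOW-FROM is
    # not; a browser ignores a header value it does not understand.
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        protected = True
        notes.append("X-Frame-Options: " + xfo)
    elif xfo.startswith("ALLOW-FROM"):
        notes.append("X-Frame-Options ALLOW-FROM is not supported by all browsers")
    elif xfo:
        notes.append("X-Frame-Options value %r is invalid and will be ignored" % xfo)
    if not notes:
        notes.append("no clickjacking protection header found")
    return protected, notes

if __name__ == "__main__":
    # Constructed headers: CSP is only in report-only mode, so the page stays framable.
    sample = {"Content-Security-Policy-Report-Only": "frame-ancestors 'none'"}
    print(assess_framing(sample))
```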
33. Read more about CSP
• https://scotthelme.co.uk/csp-cheat-sheet/
• https://report-uri.io/home/generate
• https://cspbuilder.info/static/#/main/
34. Read even more about CSP 2.0 in Sekurak offline 2
http://sekurak.pl/sekurak-offline-2/