A guide to HTTP security headers for better web browser security – 10 minute mail

Happy Safer Internet Day! We teamed up with anti-malware company Malwarebytes to provide web browser security tips for both workplace Internet users and web developers. If you’re an employee looking for best practices for web browsing at work, visit the Malwarebytes blog for their post on How to browse the Internet safely at work. If you’re looking for HTTP-header tips, let’s get to it.

As a website owner or web developer you control which HTTP headers your web server sends. The purpose of this article is to shine some light on the different HTTP response headers that a web server can include in a response, and what impact they have on the security of the web browser. Web developers can implement the following to make the user experience more secure:

X-Content-Type-Options

The X-Content-Type-Options header can only have one directive, nosniff. It tells the web browser that the MIME type indicated by the Content-Type header must be followed rather than guessed from the content.

In the above image, we see a request to /uploads/not-an-image.png. Because the server did not provide a Content-Type header indicating the MIME type of the document, the web browser tried to guess it based on the content. The content is HTML with JavaScript in it, and the browser therefore interpreted it as such.

In the above image, we see the same request, but the server included an X-Content-Type-Options header that told the web browser not to MIME-sniff the document. In this case, the web browser user is protected from an XSS attack.

X-XSS-Protection

This header tells the web browser that its built-in XSS protection should be enabled. In most modern web browsers the XSS filter is enabled by default, but because the header can disable the filter, enable it, or enable it and block the whole request, it is still important to set it, depending on the website’s use case. The recommended value is 1; mode=block, which means that the XSS filter is enabled and the whole request will be blocked. Note that this is the default behaviour in Google Chrome even if the header is not explicitly set.

In the above image, we see a request where malicious content reflected in the document is blocked by Chrome.

If the server, for some reason, sets the X-XSS-Protection header to 0, the XSS Auditor is disabled. As a result, we see that the reflected malicious content was rendered.

If the server sets the X-XSS-Protection header to 1, the document will be loaded but the malicious content will just be removed and blocked (the red part). Other “non-malicious” content will not be blocked.

Note that the XSS Auditor is not a bulletproof XSS protection as there have been several bypasses, so it’s not recommended to rely on it.

Set-Cookie

The Set-Cookie header does exactly what it says; it sets a cookie. The header has a few attributes to keep in mind if the web application uses HTTP cookies for authentication.

HttpOnly: The HttpOnly attribute tells the web browser that the cookie should only be sent in the HTTP request header, which means that it cannot be accessed via JavaScript. This attribute is very important to include, because otherwise an XSS vulnerability can be exploited to read the cookie and send it to the attacker, who can then take over the session completely.

Secure: This attribute tells the web browser that the cookie should only be transmitted over a secure connection (usually valid HTTPS). This protects a user if an attacker is listening in on the network to steal cookies.

SameSite: The SameSite attribute is rather new and provides excellent protection against CSRF attacks. If a cookie uses the SameSite attribute, the web browser will make sure that a request made with the cookie came from the origin that set the cookie.

__Host- and __Secure- cookie name prefixes – These are not attributes but prefixes for the cookie name. The reason it is a prefix and not an attribute is that if you change the cookie name, you have to change the backend to accept the new name. The benefit is that an attacker can’t add or remove attributes such as Secure or Path, as they are required with a __Host- or __Secure- prefix.

To conclude: a perfect cookie should look something like:

Set-Cookie: __Host-user=admin; SameSite=Lax; Secure; Path=/; HttpOnly
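As an added example (not code from the original article), the following parses a Set-Cookie header and checks it against the attributes described above, including the rules a browser enforces before accepting a cookie whose name carries the __Host- or __Secure- prefix. The finding texts are this example's own wording.

```javascript
// Added example: audit a Set-Cookie header against the attributes recommended
// in the article (HttpOnly, Secure, SameSite, __Host-/__Secure- prefixes).

// Parse "name=value; Attr; Attr=val" into { name, value, attrs }.
// Attribute names are lower-cased because browsers match them case-insensitively.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq).trim();
  const value = eq === -1 ? '' : parts[0].slice(eq + 1).trim();
  const attrs = {};
  for (const part of parts.slice(1)) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// Findings for a cookie that carries a session; an empty list means the header
// has the shape of the "perfect cookie" shown in the article.
function auditSetCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  if (!('httponly' in attrs)) findings.push('missing HttpOnly: readable through document.cookie after an XSS');
  if (!('secure' in attrs)) findings.push('missing Secure: may be sent over plain HTTP');
  if (!('samesite' in attrs)) findings.push('missing SameSite: no CSRF protection from the browser');
  else if (String(attrs.samesite).toLowerCase() === 'none') findings.push('SameSite=None: sent on cross-site requests');

  // Prefix rules: a browser rejects a prefixed cookie that violates them, which is
  // what stops an attacker from stripping Secure or changing Path.
  if (name.startsWith('__Secure-') && !('secure' in attrs)) findings.push('__Secure- prefix requires Secure');
  if (name.startsWith('__Host-')) {
    if (!('secure' in attrs)) findings.push('__Host- prefix requires Secure');
    if (attrs.path !== '/') findings.push('__Host- prefix requires Path=/');
    if ('domain' in attrs) findings.push('__Host- prefix forbids Domain');
  } else {
    findings.push('no __Host- prefix: Secure and Path=/ are not enforced by the browser');
  }
  return findings;
}
```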

Clear-Site-Data

Clear-Site-Data is a new header with limited browser support, but it can be useful on many web applications. It tells the web browser that the cache, storage and cookies for the origin that sent the header should be deleted. One use case is when a user logs out.

Referrer-Policy

Web servers previously defined the referrer policy via Content-Security-Policy, but this has now been moved to a separate header. This header simply tells the web browser what the Referer header should include depending on the context. Web applications have a tendency to rely on the information in the Referer header, for example to store it or to validate that the request came from a specific URL or origin. Because of this, it is not uncommon for the URL that the web browser sends in the Referer header to include sensitive data.

The header is also a way to protect the privacy of the website’s users. For example, if a user reads a news article about cats and the article links to a cat shelter website, that website will see that the web browser came from that article.

Note for onion domains: a strict Referrer-Policy should be used so that data is not shared between the “dark web” and the “clear net”.

Different directives can be used, read more about them on MDN.

Content-Security-Policy (CSP)

Content-Security-Policy is the most complex of these headers; it makes it possible to fine-tune how different resources should be handled by the web browser. If configured correctly it can limit the attack surface greatly. It requires a deeper understanding of the web application in order to write a policy that is both strict and does not block resources that it should not.

Google has a tool, CSP Evaluator, which makes it possible to evaluate a CSP in order to determine whether it can be considered safe or not.
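As an added example (not code from the original article or from any scanner it mentions), the function below audits a set of HTTP response headers against the recommendations in this guide: nosniff, X-XSS-Protection, Referrer-Policy, a CSP that actually restricts scripts, and Clear-Site-Data on a logout response. The finding texts and the `logout` option are this example's own.

```javascript
// Added example: audit response headers against the guide's recommendations.
// Header names are compared case-insensitively, as HTTP requires.

// Split a CSP value into { directiveName: [sourceExpressions] }.
function parseCsp(value) {
  const directives = {};
  for (const chunk of value.split(';')) {
    const tokens = chunk.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// opts.logout marks a logout response, where Clear-Site-Data is expected.
function auditSecurityHeaders(headers, opts = {}) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();
  const findings = [];

  // X-Content-Type-Options has exactly one valid directive: nosniff.
  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') {
    findings.push('X-Content-Type-Options: nosniff missing; the browser may sniff uploads into HTML');
  }

  // X-XSS-Protection: 0 turns the filter off; "1; mode=block" is the recommended value.
  const xss = (h['x-xss-protection'] || '').replace(/\s+/g, '').toLowerCase();
  if (xss === '0') findings.push('X-XSS-Protection: 0 explicitly disables the XSS filter');
  else if (xss !== '1;mode=block') findings.push('X-XSS-Protection should be "1; mode=block"');

  // Referrer-Policy: absent, or a policy that sends the full URL to other origins.
  const rp = (h['referrer-policy'] || '').toLowerCase();
  if (!rp) findings.push('Referrer-Policy missing; the browser default decides what the Referer carries');
  else if (rp === 'unsafe-url' || rp === 'no-referrer-when-downgrade') {
    findings.push(`Referrer-Policy ${rp} sends the full URL, query string included, to other origins`);
  }

  // Content-Security-Policy: present, and without settings that neuter script restrictions.
  const csp = h['content-security-policy'];
  if (!csp) {
    findings.push('Content-Security-Policy missing');
  } else {
    const d = parseCsp(csp);
    const script = d['script-src'] || d['default-src'];
    if (!script) {
      findings.push('CSP has neither script-src nor default-src, so scripts are unrestricted');
    } else {
      // 'unsafe-inline' is ignored by the browser once a nonce or hash source is present.
      const hasNonceOrHash = script.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
      if (script.includes("'unsafe-inline'") && !hasNonceOrHash) {
        findings.push("CSP allows 'unsafe-inline' scripts without a nonce or hash");
      }
      if (script.includes('*')) findings.push('CSP allows scripts from any origin (*)');
    }
  }

  // Clear-Site-Data: on logout, wipe cache, storage and cookies for this origin.
  if (opts.logout && !h['clear-site-data']) {
    findings.push('logout response lacks Clear-Site-Data: "cache", "cookies", "storage"');
  }
  return findings;
}
```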

What about regular browser users?

As a browser user, there are steps you can take to make sure your web browsing at home and at work is a secure experience. Our friends at Malwarebytes have gathered their recommendations for the second part of this web browser blog series called, How to browse the internet safely at work.

How can Disposable mail help:

As a web developer you can follow this guide to add secure headers, and if you like automation, you can use an automated scanner like Disposable mail to check your web applications for vulnerabilities and missing HTTP headers. Implementing these headers can prevent XSS attacks and lessen the opportunities for black hat hackers to listen in on user traffic. Why not give it a try? Get your free scan here and see whether your web server is missing any HTTP headers.

Disposable mail is an automated web application scanner checking for 1000+ known vulnerabilities, including the OWASP Top 10 and SSRF. Start your Disposable mail free trial today to see whether your applications are missing HTTP headers and more.

Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

Karim Rahal: Security Features of Firefox – 10 minute mail

Karim Rahal, Disposable mail Crowdsource hacker, is a 17-year-old web hacker who has been hacking for the greater part of his teenage years. At age 13, he started to responsibly disclose vulnerabilities—and he even blogged about one he found in Spotify! Karim still makes time for bug bounty programs, despite school.

We asked Karim to tell us why Firefox is the best choice from a white hat hacker’s point-of-view. In this blog he looks at a containers extension, research on tracker protection, and breach alert system. Here are the 3 browser features that are important to anyone concerned about privacy and security:

Karim tells us why he chose Firefox


Browsers, being in the background—or foreground, actually—of every Internet activity, ought to be secure. They carry every piece of information we transmit over the web. And, in the market of desktop browsers, one security-driven transmitter dominates: Mozilla Firefox. Still, how can Firefox be helpful to those cautious of security and privacy issues? To determine that, we must look at which of its security features can be useful.

A containers extension that minimizes exploits

The Firefox Multi-Account Containers extension lets you carve out a separate box for each of your online lives. In other words, you can create containers and assign tabs to them. The containers can’t communicate browser data to each other and are isolated.

The extension gives some much-needed privacy. Identity-based tracking (mostly done by social media companies) is restricted. With a container that isn’t logged into Google, the company has a harder time linking your searches to your Google account. In addition, advertisers are limited in their ability to follow you around. Your cookies don’t translate from one container to another. 

To illustrate, here is the same website in two different containers:

But Firefox Multi-Account Containers doesn’t only cage containers to keep them from tracking you. It also adds a layer of security over them. 

To understand how it does that, we must consider default browser behavior. Normally, browsers deal with cookie transmission in a straight-forward manner. When a website is requested, its cookies are sent in the HTTP request.

However, with the extension, there’s a catch: Firefox can’t forward cookies between containers. Each container is like its own browser, only seeing the cookies it has. Thus, some attack vectors are minimized or invalidated: CSRF, CORS misconfiguration, clickjacking, and many more [2].

CSRF (cross-site request forgery) is a vulnerability that exploits default cookie transmission. Precisely, it is where an attacker sends HTTP requests on your behalf through a crafted webpage. Websites protect against this by checking for a unique token in the submitted request (one that isn’t just in the browser cookies). Yet, in many cases, websites don’t implement the check, or don’t have it for all necessary endpoints. 

Still, Firefox Multi-Account Containers allows you to disconnect the components necessary for this attack. The vulnerable website can be authenticated in a container different from the attacker’s webpage. With that set-up, the malicious actor can only send requests to an unauthenticated version of the targeted site.

Like CSRF, a misconfigured Access-Control-Allow-Origin header exploit also depends on cookie transfer. In short, the CORS (cross-origin resource sharing) response header tells the browser which origin should have access to a resource. In some cases, it can be poorly implemented, enabling an unintended and potentially malicious origin to view the resource. 

However, provided that the authenticated website instance and the attack website are in separate containers, the exploit is ineffective (in the same way as CSRF).

Please keep in mind that some edge-cases do exist to this container-dependent security. In particular, the defense is ineffective if the malicious site appears in the same container as the website it targets. The scenario is plausible since redirects inherit the container of the referrer site. 

The extension is available on Firefox’s add-on store. Upon configuration, it is recommended to have something similar to the following:

Be careful of enabling the “Always open in X” feature. It automatically forces the website to open in a single container. In attacks like GET-based CSRF, this behavior can redirect the exploit to the sensitive container.

Even in the unlikely event that the “Always open in X” feature does add some security benefit, it can be bypassed. Its URL matching is very conservative. If you enable the option for https://example.com, it will not be on for the subdomains, including https://www.example.com.

It is worth noting that, if you don’t specify a container, a default one spawns. Whenever you go to visit a website, hold the “new tab” button ( + ) to choose the appropriate container:

Enhanced Tracking Protection – does it work?

The browser also has a solution against trackers: Firefox Enhanced Tracking Protection.

According to Disconnect (the company which provides Firefox with a trackers blacklist), a tracker is a service that logs and stores data on a user’s activity [3].

Generally, advertisers and social media organizations embed cookies into websites to track your behavior online. In addition, they can use necessary information shared by your browser (such as your user-agent) to create a digital fingerprint of you.

To combat that, Firefox has implemented built-in protection. By default, it blocks known trackers (and ads) in private windows and third-party tracking cookies along with crypto-miners in all windows. In addition, to shield your normal browsing, Firefox allows you to set your content blocking to strict, stopping trackers, third-party cookies, crypto-miners, and finger-printers.

In 2017, a Mozilla study tested the feature against Alexa’s top 200 news sites. It found that “Tracking Protection blocks at least one unsafe element on 99% of the sites tested … 11 tracking elements in 50% of the sites and, in an extreme case, 150 tracking elements”[4]. However, these numbers don’t represent the actual number of trackers on the websites. Tracking scripts, when not blocked, usually unfold their own set of scripts, just like Russian dolls.

Testing tracking protection with my own study

To measure the true amount of tracking activity on Alexa’s top 200 news sites, I ran my own study[5]. First, I collected requests from each website for 2 minutes. Then, I ran the collected links against Firefox’s block-list. The following results were obtained:

  • 95% of the sites sent at least 10 tracker requests
  • 50% sent at least 242 (206 unique)
  • 30% sent at least 477 (408 unique)
  • The biggest offender was an American daily newspaper with 6539 (2884 unique) requests!

I also tested for finger-printers and crypto-miners. Fortunately, none of the sites contained crypto-miners.

  • of the sites sent at least 8 (7 unique) finger-printer requests
  • 30% sent at least 27 (26 unique)
  • Again, the same American newspaper took the lead with 446 (197 unique) requests.

Could I get pwned?

By sheer numbers, though, trackers aren’t the worst threat. On Have I Been Pwned, 8.2 billion records of breached accounts exist[6]. That is, companies were hacked, and your data got leaked.

Nevertheless, Firefox is trying to minimize the issue. Using the Have I Been Pwned API, the browser has made a breach alert system: Firefox Monitor. When you visit a previously compromised website, it informs you:

The feature can also notify you of any future breaches. By giving Firefox Monitor your email, you can be sure to know when your information gets exposed. Also, Firefox is planning to check the credentials in its password manager, Firefox Lockwise.

Such features are of great benefit to those who re-use passwords. However, it is highly recommended to use a password manager and not to re-use passwords. Playing cat-and-mouse with hackers isn’t ideal.

Conclusion

Undoubtedly, Mozilla Firefox boasts an impressive set of features. Firefox Multi-Account Containers separates your online life. The Enhanced Tracking Protection helps you against trackers. And, finally, Firefox Monitor keeps your credentials in check. Firefox can be a valuable addition to your security hygiene.

While these features are helpful, you have to take part in ensuring your security.

Regardless of what browser you use, some security practices should be followed:

  • Always update your services.
  • Use a password manager.
  • Enable two-factor authentication (2FA).
  • Be vigilant (don’t click random links, watch out for phishing attempts, etc.).

Notable Firefox Add-ons

  • To dynamically block trackers (on top of Firefox’s list): Privacy Badger
  • To force HTTPS on all websites: HTTPS Everywhere
  • To block JavaScript and shield from XSS (cross-site scripting): NoScript

References

[1]: https://github.com/mozilla/multi-account-containers/blob/master/README.md
[2]: https://wiki.mozilla.org/Security/Contextual_Identity_Project/Containers
[3]: https://disconnect.me/trackerprotection
[4]: https://blog.mozilla.org/firefox/files/2017/09/tracking-protection-test.pdf
[6]: https://haveibeenpwned.com

Notes [5]:

I ran the study using the Puppeteer library. 

The static 2 minute wait started after the website was ready and sent no requests for 500 ms—requests made before the wait were still collected.

To verify that the websites didn’t block my experiment, I took screenshots. Two websites did consistently block my attempts and were thus excluded from the study: www.bloomberg.com and www.fark.com.

I made sure to account for the Firefox whitelist. In addition, I filtered out requests sent to the same origin.

A few false-positives may exist because the Firefox blacklist contains the tracker hosts without specific directories.

For those interested, my list of collected URLs (from the first step) can be found here. To get the Firefox blacklists and whitelists, run shavar-list-creation with the production configuration and then parse the log files. Trackers are found in the following lists: social-track-digest256, ads-track-digest256, content-track-digest256, analytics-track-digest256, and base-track-digest256. The whitelisted tracker entities are in mozstd-trackwhite-digest256, finger-printers are in base-fingerprinting-track-digest256, and cryptominers are in base-cryptomining-track-digest256.
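The second step of the methodology described in these notes, as an added example that is not Karim's own study code: matching collected request URLs against a block-list, discarding same-origin and whitelisted hosts, and computing the "X% of sites sent at least N" figures. The block-list entries, the whitelist and the request logs are constructed here; the matching rule (a request counts when its host equals a listed host or is a subdomain of one) is an assumption.

```javascript
// Added example: classify collected request URLs against a tracker block-list
// and summarize per-site counts the way the study's bullet points do.

const TRACKER_LIST = ['tracker.example', 'ads.example', 'analytics.example']; // constructed
const WHITELIST = ['cdn.analytics.example']; // constructed: a whitelisted entity

// Host-only matching: this is also why a block-list "without specific
// directories" can produce the false positives the notes mention.
function hostMatches(host, list) {
  return list.some((h) => host === h || host.endsWith('.' + h));
}

// A request counts as a tracker unless it is same-origin or whitelisted.
function isTrackerRequest(siteOrigin, url) {
  const u = new URL(url);
  if (u.origin === siteOrigin) return false;
  if (hostMatches(u.hostname, WHITELIST)) return false;
  return hostMatches(u.hostname, TRACKER_LIST);
}

// Total and unique tracker requests for one site.
function countTrackers(siteOrigin, requestUrls) {
  const hits = requestUrls.filter((u) => isTrackerRequest(siteOrigin, u));
  return { total: hits.length, unique: new Set(hits).size };
}

// "p of the sites sent at least N": the largest N reached by at least p of the sites.
function atLeastFor(counts, p) {
  const sorted = [...counts].sort((a, b) => b - a);
  const idx = Math.ceil(p * sorted.length) - 1;
  return sorted[Math.max(idx, 0)];
}

const SAMPLE_LOG = { // constructed stand-in for what Puppeteer captured
  'https://news-a.example': [
    'https://news-a.example/article',
    'https://tracker.example/px?id=1',
    'https://tracker.example/px?id=1',
    'https://cdn.analytics.example/lib.js',
    'https://img.ads.example/b.gif',
  ],
  'https://news-b.example': ['https://news-b.example/', 'https://analytics.example/c'],
  'https://news-c.example': ['https://news-c.example/', 'https://static.example/x.js'],
  'https://news-d.example': [
    'https://ads.example/1', 'https://ads.example/2', 'https://ads.example/3', 'https://tracker.example/',
  ],
};

function summarize(log) {
  const perSite = Object.entries(log).map(([origin, urls]) => countTrackers(origin, urls));
  const totals = perSite.map((c) => c.total);
  return {
    perSite,
    median: atLeastFor(totals, 0.5),  // "50% sent at least ..."
    p95: atLeastFor(totals, 0.95),    // "95% sent at least ..."
    worst: Math.max(...totals),       // "the biggest offender"
  };
}
```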


Written by:

Karim Rahal
Bug Bounty Hunter

Twitter: @karimpwnz
Blog: https://karimrahal.com/


At Disposable mail we collaborate with white hat hackers like Karim to crowdsource security research from the forefront of the industry, so you can check for the latest common vulnerabilities and exploits. Our testbed has 1500+ security modules including the OWASP Top 10, CORS misconfigurations and even stateless tests submitted by the Disposable mail Crowdsource community. Sign up today for a 14-day free trial.



Cybersecurity Awareness Month – 5 tips for safe browsing – 10 minute mail

October is Cyber Security Awareness Month, and a good time for organizations and anyone who uses the Internet (yes, that means everyone) to review security best practices for a safer user experience. Based on the current state of the Internet, here are our best tips for a better online browsing experience, for website guardians and end users.


1. Trust only HTTPS

While a few years back it was still widely debated whether HTTPS was really needed, encryption certificates and HTTPS are more widely adopted today since they can now be obtained for free by providers like Let’s Encrypt. Even Google has gotten involved with HTTPS-advocacy by flagging sites still on HTTP only as “Not Secure”, which can impact the user experience and even affect your Google SEO ranking. 

And we agree with Google for flagging unencrypted (HTTP) websites as insecure. Why? Without the “S”, everything that goes back and forth between the website backend and the client is trivially readable by anyone sitting conveniently in between the traffic, which means that HTTP can expose users of a website to a variety of attacks. This includes an attacker listening to the traffic on the same network, or the user visiting a website that has been tampered with. For example, if the user connects to a WiFi hotspot controlled by a malicious attacker, the attacker has the opportunity to insert malicious code or modify the content that the user sees on the website.

However, HTTPS is not a silver bullet for determining whether a website is secure or not. As mentioned in the beginning, HTTPS certificates are easy to obtain for any kind of website, whether it hosts a legitimate e-commerce platform or a phishing website. And encryption won’t protect your users from JavaScript-related vulnerabilities such as Cross-site Scripting (XSS).

2. Double check the sender

Have you ever received an unusual email that’s made your blood pressure rise? Have you noticed weird transactions or activity on a personal account that’s prompted you to quickly log in to verify that everything is okay? These are some of the tactics that attackers use to get your attention and coerce you into clicking a convenient, yet cryptic looking, link, which leads you to fake login pages that are actually controlled by the attacker.

Phishing emails may look quite realistic, but there’s something off with them. For example, Apple would never send you an email from a domain called tepindaupmi[.]com.


Image: Example of a phishing e-mail

Another tactic is email spoofing, made possible by misconfigured email servers in the wild. This means that attackers can spoof the sender address, giving the phishing email even more legitimacy by making it appear that it actually came from a trusted domain or a trusted person.

If you are the administrator of an organization, you are highly encouraged to configure SPF, along with DKIM and DMARC, to prevent your domain from being used as camouflage for phishing campaigns. We have previously covered this with some internal research on misconfigured email servers of top domains, and it is still a relevant issue today.
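As an added example (not part of the original post), the two functions below check the DNS TXT records an administrator publishes for SPF and DMARC for the weak settings that leave a domain usable for spoofing. The records are constructed inline; in practice they would come from a DNS lookup of the domain and of _dmarc.<domain>.

```javascript
// Added example: audit published SPF and DMARC TXT records for weak settings.

// SPF: exactly one record, ending in a mechanism that actually rejects forged senders.
function auditSpf(txtRecords) {
  const spf = txtRecords.filter((r) => /^v=spf1(\s|$)/i.test(r));
  if (spf.length === 0) return ['no SPF record: any server can claim to send for this domain'];
  if (spf.length > 1) return ['multiple SPF records: receivers treat this as a permanent error'];
  // Strip the optional qualifier (+ - ~ ?) so mechanisms can be compared by name.
  const terms = spf[0].trim().split(/\s+/).slice(1);
  const findings = [];
  const all = terms.find((t) => /^[+\-~?]?all$/i.test(t));
  if (!all) findings.push('no "all" mechanism: unmatched senders get a neutral result');
  else if (/^\+?all$/i.test(all)) findings.push('"+all" authorizes every sender');
  else if (/^\?all$/i.test(all)) findings.push('"?all" is neutral and provides no protection');
  else if (/^~all$/i.test(all)) findings.push('"~all" only softfails forged mail; prefer "-all"');
  // Mechanisms that cost a DNS lookup are capped at 10 by the SPF specification.
  const lookups = terms
    .map((t) => t.replace(/^[+\-~?]/, '').toLowerCase())
    .filter((t) => /^(include:|exists:|redirect=|a(?=[:/]|$)|mx(?=[:/]|$))/.test(t)).length;
  if (lookups > 10) findings.push(`${lookups} DNS-lookup terms exceed the limit of 10`);
  return findings;
}

// DMARC: a record exists, enforces a policy, and asks for aggregate reports.
function auditDmarc(txtRecords) {
  const rec = txtRecords.find((r) => /^v=DMARC1\s*;/i.test(r));
  if (!rec) return ['no DMARC record: SPF/DKIM failures are not acted on'];
  const tags = {};
  for (const part of rec.split(';')) {
    const [k, ...v] = part.split('=');
    if (k && v.length) tags[k.trim().toLowerCase()] = v.join('=').trim();
  }
  const findings = [];
  if (!tags.p) findings.push('DMARC record has no p= policy');
  else if (tags.p.toLowerCase() === 'none') findings.push('p=none only monitors; forged mail is still delivered');
  if (!tags.rua) findings.push('no rua= address: you will not receive aggregate reports');
  return findings;
}
```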

Also, it should be noted that the attackers have discovered that in addition to phishing emails, people tend to be more susceptible to attacks delivered over unconventional mediums, such as text messages, according to Verizon’s Data Breach Investigations

3. Disable Javascript

JavaScript is a widely used interpreted programming language that allows the creation of dynamic web pages and interactive functionality. Interpreted simply means that it does not have to be compiled before execution, so the web browser can interpret it directly. This also comes with a lot of security issues, because JavaScript can access the HTML building-block elements that make up the structure of the website, the Document Object Model (DOM). In the case of a JavaScript-related vulnerability, an attacker can therefore supply scripts that are executed within the user’s browser.

JavaScript-related issues include Cross-site Scripting (XSS) vulnerabilities. You can read more about the different kinds of XSS vulnerabilities.

Because JavaScript runs on the client side, you can disable or limit its execution in your browser. In Google Chrome you can block specific sites, and for Firefox you can download, for example, this browser plugin. It should be noted that blocking all JavaScript will most likely limit your browsing experience, because some websites offer only partial support for a JavaScript-free HTML version. This means that some websites may not let you log in, or the layout can look odd.

Go ahead and try it: disable JavaScript in your browser and see what happens when you browse the Internet.


Image: Google Chrome settings to blacklist or whitelist domains where JavaScript can be loaded

Again, this is not a one-size-fits-all solution, and any JavaScript-related vulnerabilities should be remediated by the website’s owner. Even black/white-listing specific domains will do you no good when the malicious JavaScript is persistent on a website you have not blocked, because it then executes within that domain’s context.

4. Keep passwords and secrets, secret

Passwords. No matter who you are, if you’re an internet-goer, a developer or an administrator, storage and handling of passwords has been an issue ever since they were first introduced as a method of authentication. 

So just to recap, a good password is one that is only known by you, is unique to each service, and is long enough to withstand a guessing or brute-forcing attack. Also, Multi-Factor Authentication (MFA) should be enabled whenever a service supports it. 

For secrets such as API keys and tokens, the secure storage becomes a little bit trickier as they need to be available to services and systems that use them. However, one definite no-go is storing them in the source code, as the source code is often copied to less secure locations and can be compromised. Secrets should always be kept clear of your version control.

5. Always ask yourself – why?

Whenever you are online, it is always good to take a breather and analyse the website you are using and the message you received, and if something seems off, to log in to the service in question by typing its URL manually into your browser and change your password there.

Also, messages and content that make you feel like you need to act fast can be a sign that something is wrong. Attackers want to make you feel like you are in a hurry, because that is when you are more prone to accidentally click on links you should not open. So next time you are about to click a link in an email, hover over it first to see where it leads, and then type it manually or find it via search. It is a bit more work, but it can save you from giving up your credentials.

And to continue in the spirit of Cybersecurity Awareness Month, share these tips with your colleagues, to encourage best security practices in the workplace and across the Internet in general.


Written by:
Laura Kankaala
Security Researcher, Disposable mail

Disposable mail is an automated web application scanner that checks your web apps for 1500+ known vulnerabilities. By collaborating with our community of ethical hackers, we have developed a test bed with vulnerabilities beyond the OWASP Top 10, including misconfigured SPF records and HTTPS implementation. Check the security status of your web apps with Disposable mail today. Start your 14-day free trial.
