This HTTP Header is a feature added by MSIE8 to force it to restrict some XSS vectors that can be disabled by the user. Generally you can add it into your webserver configuration.
X-XSS-Protection: 1; mode=block
REFERENCES:
Tag: security
crossdomain.xml
Adobe FlashPlayer 7 added several security features. I first became aware of this one as I saw a large number of HTTP 404 errors for a file named ‘crossdomain.xml’ in my webserver logs. (see also clientaccesspolicy.xml)
If you use flash on your website, I’d suggest adding an appropriate copy of this file to limit your exposure to some potential security issues.
Restricted domains
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.example.com" />
<allow-access-from domain="example.com" />
</cross-domain-policy>
Open to all domains (not recommended, but fully backward compatible)
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-only"/>
<allow-access-from domain="*"/>
<allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>
REFERENCES:
Cloudflare CDN (Content Delivery Network)
Best practices for web applications often call for the use of a CDN. Those of you that have worked with YSlow! are likely very accustomed to seeing warnings for this reason. I’ve found that CloudFlare is very easy to setup, and for basic services costs absolutely nothing. In addition to the obvious performance advantages of using a CDN to offload much of your network traffic, it also has the advantage of improved security.
CDN’s work by caching a copy of your static content at several locations around the world, making it closer and faster for your users.
Implementation takes only minutes as it requires that you:
- create a (free) account,
- retrieve your existing DNS values from your current provider,
- determine direct vs. CDN “cloud” routing for each subdomain,
- change your DNS records to point to the CloudFlare DNS servers
Some additional advantages I’ve seen since implementing:
- Site remains available in limited capability to users during server outages or upgrades.
- Simplified network configuration as all requests can be sent outside of the LAN for users local to the servers
- IPv6 dual-stack support
REFERENCES:
X-Content-Type-Options: nosniff
To prevent XSS/CSRF exploits in MSIE8 and newer, it’s often best to close as many attack vectors as possible. An easy one to implement is an HTTP Header to prevent MSIE from “sniffing” the content to change it when incorrect.
Example: we would not want an HTML page intentionally served with ‘text/plain’ to be rendered as HTML.
X-Content-Type-Options: nosniff
Content-Type: text/plain
This could be added programatically to pages in your application, via a servlet or servlet filter or added to the httpd.conf file.
Apache2 example: httpd.conf
<IfModule headers_module>
Header set X-Content-Type-Options nosniff
</IfModule>
REFERENCES:
- http://htaccess.wordpress.com/2009/09/22/x-content-type-options-nosniff-header/
- http://blog.fox-it.com/2012/05/08/mime-sniffing-feature-or-vulnerability/
- http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx
- http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx
- http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
Cross-browser Copy To Clipboard Functionality
Due to various security models, it can be difficult to create a simple way to copy data from a browser application into the OS’es “clipboard” with simple javascript. There are several libraries out there to assist in making this work across various platforms, most utilize Flash.
Here are a few notable methods:
Linux/Windows file cleanup
If you make heavy (or even typical) use of your computer, you’ll often notice that it just doesn’t seem as fast as it once was. For a slight increase in performance, disk space and to generally remove some of the ‘temporary’ files/cruft that are routinely written to disk you have a few options.
Here are a few of my current favorites for doing ‘Spring Cleaning’ on my computers… BleachBit and CCleaner
BleachBit is available on all major platforms (Windows, OS/X, Linux).
HTTP Session Hijacking (Firesheep)
This topic, and Firefox add-on have received a lot of press lately, as such I figured that I’d capture some comments on the topic. HTTP Session hijacking is nothing new, anyone with the ability to monitor your non-secured network traffic can do this with little effort… what’s happened here is that there are now some really simple to use tools to do the job.
In the past, someone would have to passively monitor your network traffic with a tool like WireShark, and all they’d really have to do is wait for you to access a website to watch the ‘HTTP Cookies’ (or even a URL that contains a ‘session id’). With that information, they simply need to use the same value that you do to essentially take over your session and your current state. Banks are particularly at risk for this, but in most cases they use HTTPS/SSL for all secure data including logins. Social websites such as Facebook and even GMail, often default to non-secure logins to maximize their server and network performance.
Best defense here… never use non-secure login forms, especially when using a public wireless (or wired) network.
Interesting enough, there’s now a Firefox add-on that monitors for usage of Firesheep on the network, unfortunately neither of these currently work in Linux… links below!
Flash Cookies / Website Storage
If you’ve been online at all in the last decade, you’ve heard of the “dangers” of HTTP Cookies. More nefarious and harder to remove are Flash Cookies as they are handled by a plugin/extension/addon to the browser and exist outside of the normal security settings.
To see or delete Flash data, you’ve got to visit the following URL:
http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager07.html
You will probably be suprised to see many of the sites listed, as Flash is often being used to present you with ads in addition to the interactive elements that you might expect.
REFERENCES:
Hard drive forensics
This one is quite eye-opening. I recently suffered a hard-drive failure and was unable to boot either operating system in a multi-boot environment. The only item not backed up was a large number of photos and movies that I had accumulated and intended to burn to a CD/DVD. Using a ‘Live’ Ubuntu CD, I was able to use the Foremost program to analyze the drive media and locate all JPG and MPG files and copy them to a ‘safe’ location.
What’s frightening here is that these files are not located by their filenames, but by their contents… largely the first few bytes of the file itself when stored on disk. In my experience, Foremost was easily able to parse NTFS and EXT4 partitions.
Word to the wise… this is only possible if you do not use encryption to obscure the data on the drive itself. I’d personally recommend enabling the options provided by your operating system itself if you store sensitive data. Alternately, software like TrueCrypt can be used to hide specific assets.
Happy Recovery!
Linux kernel updates without reboot
Here’s another great reason to use Linux over Windows. Ksplice Uptrack provides for runtime patching of the Linux kernel without rebooting of the machine. This has great advantages where you need to maintain the security of a server but have limited opportunites to reboot due to SLA’s (Service Level Agreements). Ubuntu Linux was the first supported operating system, other variants are now available too, though often for a fee.