Stuart Blackler

.Net Software Engineer

© Stuart Blackler 2013

Enabling HTTP Strict Transport Security (HSTS) via ASP.Net MVC ActionFilters

After reading Troy Hunt's free ebook on the OWASP Top 10 for .Net Developers, I discovered an additional mechanism to help developers secure their websites. That mechanism is HTTP Strict Transport Security.

HTTP Strict Transport Security (HSTS) is an opt-in security enhancement that a web application specifies through a special response header. Once a supported browser receives this header, that browser will refuse to send any communication to the specified domain over HTTP and will instead send it all over HTTPS. It also prevents the browser's HTTPS click-through prompts (for example, on an invalid certificate). The specification was published at the end of 2012 as RFC 6797.

There are three main categories of attacks that are addressed in this specification: Passive Network Attacks, Active Network Attacks and Web Site Development & Deployment Bugs. These are described in RFC 6797, Section 2.3.1, and are reproduced here.

Passive Network Attacks

When a user browses the web on a local wireless network (e.g., an 802.11-based wireless local area network) a nearby attacker can possibly eavesdrop on the user's unencrypted Internet Protocol-based connections, such as HTTP, regardless of whether or not the local wireless network itself is secured [BeckTews09]. Freely available wireless sniffing toolkits (e.g., [Aircrack-ng]) enable such passive eavesdropping attacks, even if the local wireless network is operating in a secure fashion. A passive network attacker using such tools can steal session identifiers/cookies and hijack the user's web session(s) by obtaining cookies containing authentication credentials [ForceHTTPS]. For example, there exist widely available tools, such as Firesheep (a web browser extension) [Firesheep], that enable their wielder to obtain other local users' session cookies for various web applications.

To mitigate such threats, some web sites support, but usually do not force, access using end-to-end secure transport -- e.g., signaled through URIs constructed with the "https" scheme [RFC2818]. This can lead users to believe that accessing such services using secure transport protects them from passive network attackers. Unfortunately, this is often not the case in real-world deployments, as session identifiers are often stored in non-Secure cookies to permit interoperability with versions of the service offered over insecure transport ("Secure cookies" are those cookies containing the "Secure" attribute [RFC6265]). For example, if the session identifier for a web site (an email service, say) is stored in a non-Secure cookie, it permits an attacker to hijack the user's session if the user's UA makes a single insecure HTTP request to the site.

Active Network Attacks

A determined attacker can mount an active attack, either by impersonating a user's DNS server or, in a wireless network, by spoofing network frames or offering a similarly named evil twin access point. If the user is behind a wireless home router, an attacker can attempt to reconfigure the router using default passwords and other vulnerabilities. Some sites, such as banks, rely on end-to-end secure transport to protect themselves and their users from such active attackers. Unfortunately, browsers allow their users to easily opt out of these protections in order to be usable for sites that incorrectly deploy secure transport, for example by generating and self-signing their own certificates (without also distributing their certification authority (CA) certificate to their users' browsers).

Website Development & Deployment Bugs

The security of an otherwise uniformly secure site (i.e., all of its content is materialized via "https" URIs) can be compromised completely by an active attacker exploiting a simple mistake, such as the loading of a cascading style sheet or a SWF (Shockwave Flash) movie over an insecure connection (both cascading style sheets and SWF movies can script the embedding page, to the surprise of many web developers, plus some browsers do not issue so-called "mixed content warnings" when SWF files are embedded via insecure connections). Even if the site's developers carefully scrutinize their login page for "mixed content", a single insecure embedding anywhere on the overall site compromises the security of their login page because an attacker can script (i.e., control) the login page by injecting code (e.g., a script) into another, insecurely loaded, site page.

NOTE: "Mixed content" as used above (see also Section 5.3 in [W3C.REC-wsc-ui-20100812]) refers to the notion termed "mixed security context" in this specification and should not be confused with the same "mixed content" term used in the context of markup languages such as XML and HTML.

Implementation Details

Implementing HSTS on the web server is simply a case of having the site running over HTTPS and appending a single header to the response. The header required is:

Strict-Transport-Security: max-age=300

Alternatively, if you wish the security to cover all sub-domains of your site, then the header is:

Strict-Transport-Security: max-age=300; includeSubDomains

Replace 300 with the number of seconds for which the browser should remember the policy.

Implementing HSTS as an action filter

The implementation that I provide below SHOULD be used alongside the RequireHttpsAttribute in order to have the specification fully implemented. The reason is that the filter only sends the header over a secure connection, and only if it is not already present; RFC 6797 requires browsers to ignore the header when it arrives over plain HTTP, so there is no point in emitting it there. Furthermore, the RequireHttpsAttribute already takes care of the redirection to a secure connection, so this is not something that I have to worry about implementing correctly.
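An action filter that emits the header described in the Implementation Details section and follows the two rules above (secure connection only, never duplicated). This is an added example, not the original post's code; the class and property names are my own.

```csharp
using System;
using System.Web.Mvc;

// Usage (assumed): [RequireHttps, Hsts(MaxAgeSeconds = 31536000, IncludeSubDomains = true)]
// on a controller or action, or GlobalFilters.Filters.Add(new HstsAttribute(300)) for the whole site.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false, Inherited = true)]
public sealed class HstsAttribute : ActionFilterAttribute
{
    private const string HeaderName = "Strict-Transport-Security";

    // Policy lifetime in seconds. The post's value of 300 is handy while testing; a mistake
    // in the policy is forgotten after five minutes. Production sites use much longer values.
    public int MaxAgeSeconds { get; set; }

    // Adds "; includeSubDomains" so the policy also covers every sub-domain of the site.
    public bool IncludeSubDomains { get; set; }

    public HstsAttribute() : this(300) { }

    public HstsAttribute(int maxAgeSeconds)
    {
        if (maxAgeSeconds < 0) throw new ArgumentOutOfRangeException("maxAgeSeconds");
        MaxAgeSeconds = maxAgeSeconds;
    }

    // Runs after the action and before the result writes the response, so the header is
    // still settable here. HTTP-to-HTTPS redirection is deliberately left to [RequireHttps].
    public override void OnActionExecuted(ActionExecutedContext filterContext)
    {
        var request = filterContext.HttpContext.Request;
        var response = filterContext.HttpContext.Response;

        // RFC 6797 section 8.1: browsers must ignore the header on plain HTTP, so do not send it.
        if (!request.IsSecureConnection)
            return;

        // Do not duplicate a header the server (e.g. IIS custom headers) has already added.
        // Note: Response.Headers is only readable under the IIS integrated pipeline.
        if (!string.IsNullOrEmpty(response.Headers[HeaderName]))
            return;

        response.AppendHeader(HeaderName, BuildHeaderValue(MaxAgeSeconds, IncludeSubDomains));
        base.OnActionExecuted(filterContext);
    }

    // Produces "max-age=300" or "max-age=300; includeSubDomains", exactly as shown above.
    internal static string BuildHeaderValue(int maxAgeSeconds, bool includeSubDomains)
    {
        var value = "max-age=" + maxAgeSeconds;
        return includeSubDomains ? value + "; includeSubDomains" : value;
    }
}
```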

Browser support

  • Chromium and Google Chrome since version 4.0.211.0
  • Firefox since version 4; with Firefox 17, Mozilla integrates a list of websites supporting HSTS
  • Opera since version 12
  • Safari as of OS X Mavericks
  • Internet Explorer does not support HSTS, but is expected to support it in the next major release after IE 11

SAP Business One V9 Version Strings

Today I had to figure out what the current version of SAP Business One is. In order to do this, I looked at the table SFMD inside of SBO-Common and found the following results:

Version |   Patch Level
-----------------------
900046  |   00
900052  |   01
900053  |   01 Hotfix 1
900055  |   03
900056  |   04
900058  |   06
900059  |   07
900060  |   08
902000  |   09
902001  |   09 Hotfix 1
902002  |   10

Note: I added the "Hotfix 1" entries to clarify. I believe these are correct, but I can't find a definitive source to verify them.

Then, in order to check the target database's version, I ran the following against the target database:

SELECT [Version] FROM [CINF]

There might be a better way of doing this. This article proposes a single solution. If you have an alternative solution, please notify me through social media or the comments below.


Developer Links (Feb 2014)

Here are the things that I have found most interesting during the last month (it's late, as I've been on holiday).

