CheatSheetSeries
Update: HTTP_Headers_Cheat_Sheet
What is missing or needs to be updated?
My colleague Polčák and I have been conducting research on Network Error Logging (NEL) and its (in)security aspects. Please refer to https://arxiv.org/pdf/2305.05343.pdf (accepted for publication at SECRYPT'23).
For a quick introduction to NEL, please visit https://dcreager.net/nel/intro/.
From an OWASP perspective, only the part of the article addressing the installation of a long-term tracker by an attacker in a MitM position, or with the ability to influence content on a portion of a server, is relevant. An example from our university: I have the ability to manipulate the content of https://www.fit.vutbr.cz/~ijerabek/, including HTTP headers. If I correctly send NEL-related headers, I will receive information about all visitors' movements on my website section, as well as on all other pages within the domain www.fit.vutbr.cz, potentially including subdomains.
In the article, we propose a simple prevention measure: if a web server does not send its own NEL headers, sending an NEL policy with a zero validity period will remove any previously installed policies (if they have reached the browser). In my example, this would mean that during the first visit to https://www.fit.vutbr.cz outside of /~ijerabek/, the attacker-inserted policy would be deleted, and the attacker would not receive reports of the user's further activity on this website.
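The following is an added example, not code from the issue author or the cited paper: a small Python model of the browser's NEL policy cache that walks through the scenario above. A response from a path the attacker controls installs a long-lived policy for the origin; the server's other responses either carry nothing (policy stays) or carry the proposed default policy with a zero validity period (policy is removed). The origin, collector URL and header values are constructed for the demonstration, and subdomain scoping (`include_subdomains`) is not modelled.

```python
import json
from typing import Dict, Optional

# Constructed model of the browser's NEL policy cache, keyed by origin.
PolicyStore = Dict[str, dict]


def parse_nel_header(value: str) -> Optional[dict]:
    """Parse the JSON value of an NEL response header.

    Returns None when the value is not a JSON object or lacks a valid
    non-negative integer max_age; browsers ignore such headers.
    """
    try:
        policy = json.loads(value)
    except ValueError:
        return None
    if not isinstance(policy, dict):
        return None
    max_age = policy.get("max_age")
    if isinstance(max_age, bool) or not isinstance(max_age, int) or max_age < 0:
        return None
    return policy


def apply_response(store: PolicyStore, origin: str, headers: Dict[str, str]) -> PolicyStore:
    """Update the policy store the way a browser does on a response from `origin`.

    No NEL header: the existing policy (if any) stays installed.
    max_age == 0: any policy for this origin is removed.
    max_age  > 0: the policy is installed/replaced.
    """
    raw = headers.get("NEL")
    if raw is None:
        return store
    policy = parse_nel_header(raw)
    if policy is None:
        return store
    if policy["max_age"] == 0:
        store.pop(origin, None)
    else:
        store[origin] = policy
    return store


def default_nel_headers() -> Dict[str, str]:
    """Headers a server that does not use NEL itself can send on every response:
    a zero-lifetime policy that clears anything installed earlier."""
    return {"NEL": json.dumps({"report_to": "default", "max_age": 0})}


def simulate(server_sends_default_zero_policy: bool) -> bool:
    """Replay the scenario: an attacker-influenced path installs a long-lived
    policy, then the user visits another path on the same origin.

    Returns True if a policy is still installed for the origin afterwards.
    """
    origin = "https://www.example.test"  # constructed origin
    store: PolicyStore = {}

    # Response from the path whose headers the attacker can influence (constructed).
    injected = {
        "Report-To": json.dumps({
            "group": "default",
            "max_age": 2592000,
            "endpoints": [{"url": "https://collector.example.test/"}],
        }),
        "NEL": json.dumps({"report_to": "default", "max_age": 2592000,
                           "include_subdomains": True}),
    }
    apply_response(store, origin, injected)

    # Next response from elsewhere on the same origin.
    normal = default_nel_headers() if server_sends_default_zero_policy else {}
    apply_response(store, origin, normal)
    return origin in store


if __name__ == "__main__":
    print("policy survives without default header:", simulate(False))
    print("policy survives with zero-validity default:", simulate(True))
```

The check a defender wants from this model is the second call: once the server emits the zero-validity policy on its ordinary responses, the first visit outside the attacker-influenced path clears the injected policy, so no further reports about the user's activity on that origin leave the browser.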
We believe that it would be beneficial to add a short description of the NEL header to the HTTP Headers cheat sheet, together with the recommendation of a default zero-validity policy that we came up with.
How should this be resolved?
update: cheatsheets/HTTP_Headers_Cheat_Sheet.md
Add a short description of the NEL header, and add the recommendation to prevent the described attack by setting a default policy with a validity period of 0.