Monday, February 20, 2017

Australian Banks Security (HTTP headers edition) - Feb 2017

Back in 2015 I wrote 2 blog posts examining the security posture of the major Australian banks. I focused on only two aspects: HTTP security headers (the presence or absence of particular headers) and the login forms (password lengths, autocomplete, etc.). On one hand, this is not in-depth research, and it is certainly not a vulnerability assessment of the kind I am sure all these banks regularly go through. On the other hand, it is a good indication of whether a bank's development and security teams follow modern security practices and put enough effort into their online security, and so an indirect indication of the overall state of security in the organisation.

I was curious to see whether anything had changed (for better or for worse) over the last 2 years. HTTP security headers have really gone mainstream, and I expected the adoption rates to be higher.


Scott Helme has continued to evolve his great Security Headers web site, which I used during my previous analysis. Similar to the Qualys SSL Server Test tool, he has added an overall rating, which I will add as a new column. Another nice addition is a new check for the Referrer-Policy header. If you haven't done it yet, make sure you go to Scott's site to check the HTTP headers emitted by your web site. Let me know if you need any help understanding or addressing any of the highlighted issues.

Let's see what Australian banks do with regard to HTTP security headers in February 2017.


| Bank | Score | SecurityHeaders rating | Strict-Transport-Security | Content-Security-Policy | Public-Key-Pins | X-Frame-Options | X-XSS-Protection | X-Content-Type-Options | Server | X-Powered-By | X-AspNet-Version |
|---|---|---|---|---|---|---|---|---|---|---|---|
| IMB | | C | Yes | No | No | Yes, DENY | Yes | Yes | No | No | No |
| Bank West | 4 | C | Yes | Yes | No | Yes, SAMEORIGIN | Yes | No | No | Yes | No |
| Beyond | 3 | E | Yes | No | No | Yes, SAMEORIGIN | No | No | No | No | No |
| ING Direct | 3 | E | Yes | No | No | Yes, SAMEORIGIN | No | No | No | No | No |
| St George | 3 | E | Yes | No | No | Yes, SAMEORIGIN | No | No | No | No | No |
| Bendigo Bank | 2 | E | No | No | No | Yes, SAMEORIGIN | No | Yes | No | No | No |
| Teachers Mutual | 2 | E | Yes | No | No | No | No | No | No | No | No |
| CUA | 1.5 | E | Yes | No | No | No | No | No | Yes, CUA Server | No | No |
| Commonwealth Bank | 1 | E | Yes | No | No | Present but incorrect syntax ALLOW-FROM | No | No | Yes, Apache/2.4.6 (Red Hat) OpenSSL 1.0.1e-fips | No | No |
| Newcastle Permanent | 1 | F | No | No | No | Yes, SAMEORIGIN | No | No | No | No | No |
| People's Choice Credit Union | 1 | F | No | No | No | Yes, SAMEORIGIN | No | No | No | No | No |
| P&N | 1 | F | No | No | No | Yes, SAMEORIGIN | No | No | No | No | No |
| Suncorp | 1 | F | No | No | No | Yes, SAMEORIGIN | No | No | No | No | No |
| Westpac | 1 | F | No | No | No | Yes, SAMEORIGIN | No | No | No | No | No |
| AMP | 0.5 | F | No | No | No | Yes, SAMEORIGIN | No | No | Yes, IBM_HTTP_Server | No | No |
| ANZ | 0.5 | F | No | No | No | Yes, SAMEORIGIN | No | No | Yes, Apache | No | No |
| Bankmecu -> BankAust | 0 | F | No | No | No | No | No | No | No | No | No |
| Greater | 0 | F | No | No | No | No | No | No | No | No | No |
| Heritage | 0 | F | No | No | No | No | No | No | No | No | No |
| Macquarie | 0 | F | No | No | No | No | No | No | No | No | No |
| Bank of Queensland | -2 | F | No | No | No | No | No | No | No | Yes, ASP.NET | Yes, 2.0.50727 |

Key findings

  • Significant improvements over the last 2 years
    • Only 1 bank is in the negative territory (previously 7)
    • 7 banks have a score of 2 or above (previously only 1)
  • Better adoption of security headers (group 1) by the banks.
    • X-Frame-Options is the most popular header. 13 out of 21 banks (62%) have adopted it (previously only 4). I guess more security professionals recognise clickjacking as a real weakness.
    • Great to see 8 banks out of 21 (38%) using HSTS (previously only 2)
    • But not everyone who emits the HSTS header includes subdomains (includeSubDomains)
    • And even fewer banks use the "preload" directive (which is a required step for HSTS preloading) - only CBA
  • Content-Security-Policy is still not getting any traction. Only one bank - Bank West - has implemented CSP. CSP is a powerful defence-in-depth measure against cross-site scripting, clickjacking and some other types of attacks.
  • The situation with the group 2 headers is even better. Many banks that were in the second half of the table lifted their game and removed these unnecessary headers. Only 6 banks out of 21 still need to fix this issue (previously 12).
  • There is still a long way to go.
    • No one uses public-key-pins
    • Only 2 banks serve the X-Xss-Protection header. This is the simplest and essentially zero-risk header to implement!
    • Only 2 banks use the X-Content-Type-Options header (previously none). This is another extremely simple header to implement.
    • Understandably no one uses the Referrer Policy headers yet.
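The checks behind the table (group 1 headers present, group 2 headers absent, HSTS directives, and the X-Frame-Options syntax mistake noted in the comments below) can be scripted against any captured response. The following is an added example, not the author's script or the Security Headers site's scoring engine; the point weights (+1 per group 1 header, -1 per group 2 header) and the sample headers are assumptions.

```python
# Added example (not the author's script nor the securityheaders.io engine):
# per-response header audit; +1 per group 1 header, -1 per group 2 header is assumed.
from typing import Dict, List, Tuple

# Group 1: headers whose presence hardens the site (post's key findings).
GROUP1 = ("strict-transport-security", "content-security-policy",
          "public-key-pins", "x-frame-options", "x-xss-protection",
          "x-content-type-options", "referrer-policy")
# Group 2: headers that only disclose server/framework details.
GROUP2 = ("server", "x-powered-by", "x-aspnet-version")

def xfo_valid(value: str) -> bool:
    """X-Frame-Options allows DENY, SAMEORIGIN or 'ALLOW-FROM <uri>'.
    'ALLOW-FROM=<uri>' (the CBA mistake the post notes) is rejected."""
    v = value.strip()
    if v.upper() in ("DENY", "SAMEORIGIN"):
        return True
    parts = v.split(None, 1)
    return len(parts) == 2 and parts[0].upper() == "ALLOW-FROM"

def audit(headers: Dict[str, str]) -> Tuple[int, List[str]]:
    """Return (score, findings) for one response; header names are case-insensitive."""
    h = {k.lower(): v for k, v in headers.items()}
    score, notes = 0, []
    for name in GROUP1:
        value = h.get(name)
        if value is None:
            notes.append(f"missing {name}")
        elif name == "x-frame-options" and not xfo_valid(value):
            notes.append(f"x-frame-options present but invalid: {value!r}")
        else:
            score += 1
    hsts = h.get("strict-transport-security", "").lower()
    if hsts and "includesubdomains" not in hsts:
        notes.append("hsts lacks includeSubDomains")
    if hsts and "preload" not in hsts:
        notes.append("hsts lacks preload")
    for name in GROUP2:  # information-disclosure headers cost a point each
        if name in h:
            score -= 1
            notes.append(f"leaks {name}: {h[name]}")
    return score, notes

# Constructed sample modelled on the CBA row of the table (not a live capture).
SAMPLE = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Frame-Options": "ALLOW-FROM=https://example.com",
    "Server": "Apache/2.4.6 (Red Hat) OpenSSL 1.0.1e-fips",
}
```

Calling audit(SAMPLE) scores 0 under these weights: HSTS earns a point, the malformed X-Frame-Options earns nothing, and the Server header takes a point away.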

Additional comments

BankAust redirects from its home page to a non-secure page. Why? Please fix this.

CBA made a mistake in X-Frame-Options ALLOW-FROM syntax. There is no need for the equal sign there.

Previous winner Bank West was the only bank that has managed to get a lower score. One point was deducted for the presence of the X-Powered-By header. It's a simple mistake to make. It usually "returns" after a .Net patch installation.

We have a new leader. Congratulations to the IMB bank. They made a massive jump (+5.5 points) fixing all of the issues and introducing many of the recommended HTTP security headers. Well done!
