Saturday, May 9, 2015

Aussie banks security (HTTP headers edition)

Introduction

Troy Hunt has recently published a blog post in which he analysed the current state of affairs with regards to SSL/TLS support and (in)secure configurations in the Australian banking industry. It is an interesting overview and a great mechanism for raising awareness, which (judging by the updates) has already prompted some banks to make changes and improve their ratings.

I was curious how the SSL situation would correlate with another publicly available piece of information: HTTP headers, and especially the security-related subset of them. These headers can provide some valuable insights (although in my view the impact of an SSL misconfiguration is generally bigger than the presence or absence of a particular header).

So I performed a mini research project, focusing on the same set of Australian banks. I used https://securityheaders.io to simplify the collection of all headers. The headers I was interested in were (group 1):
  • Strict-Transport-Security
  • Content-Security-Policy
  • Public-Key-Pins
  • X-Frame-Options
  • X-Xss-Protection
  • X-Content-Type-Options

When I started analysing captured results I decided to add the following headers into the mix (group 2):
  • Server
  • X-Powered-By
  • X-AspNet-Version

Surprisingly, I haven't observed the third "usual suspect", x-aspnetmvc-version. Perhaps banks haven't upgraded their web applications to the MVC versions yet?
It is also worth mentioning that X-AspNet-Version is only emitted by ASP.NET-powered applications, i.e. this header is not relevant for other platforms.
All results were collected in early May 2015; the situation may have changed since then. It will be interesting to perform periodic checks to observe the dynamics.

Methodology

Once the raw data were captured in a table I started thinking about how I could rank these findings. Here is the set of rules I came up with (I'd be very keen to hear suggestions for improvement):

  • Initial state: every bank starts with 0 (zero) points (neutral)
  • If Strict-Transport-Security is present, add 2 points. HSTS is too good to be ranked equally with the other headers
  • If any other header from group 1 is present, add 1 point for each header
  • If the "Server" header is present
    • Deduct 1 point if a full/non-obfuscated name is found (marked red in the table below)
    • Otherwise deduct 0.5 points (e.g. "CUA Server" doesn't disclose much and is much more benign compared to "Microsoft-IIS/7.5"; marked as orange)
  • If the "X-Powered-By" header is present
    • Deduct 1 point if a well-known framework is disclosed
    • Otherwise deduct 0.5 points (marked as orange)
  • If the "X-AspNet-Version" header is present, deduct 1 point
  • The sum for each bank is listed as its "Score"
  • Each bank is then assigned to a group based on that score
    • Green: greater than 0
    • Yellow: 0
    • Orange: -0.5
    • Red: less than -0.5
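As an added worked example (not code from the original post or from the securityheaders.io service), the scoring rules above implemented as a Python function and applied to constructed header sets modelled on rows of the results table. The version-number test for the Server header and the list of "well-known frameworks" for X-Powered-By are this example's own interpretation of the rules; the post applied them by hand.

```python
"""Score a site's response headers with the rules from the post.

The heuristics for "full/non-obfuscated" Server names and for
"well-known" frameworks are this example's assumptions, not the post's.
"""
import re

HSTS = "strict-transport-security"
GROUP1_OTHER = (
    "content-security-policy",
    "public-key-pins",
    "x-frame-options",
    "x-xss-protection",
    "x-content-type-options",
)
# Frameworks whose disclosure in X-Powered-By costs the full point.
# Only ASP.NET comes from the post; PHP and Express are this example's assumption.
WELL_KNOWN_FRAMEWORKS = ("asp.net", "php", "express")

# A product string carrying a version number, e.g. "Microsoft-IIS/7.5",
# is treated as a full/non-obfuscated Server value (assumption).
VERSION_RE = re.compile(r"\d+\.\d+")


def score_headers(headers):
    """Return (score, band, notes) for a dict of response headers.

    Header names are matched case-insensitively; for group 1 only presence
    matters, for group 2 the value decides the size of the deduction.
    """
    h = {k.lower(): v for k, v in headers.items()}
    score = 0.0
    notes = []

    if HSTS in h:
        score += 2
        notes.append("+2 HSTS present")
    for name in GROUP1_OTHER:
        if name in h:
            score += 1
            notes.append(f"+1 {name} present")

    server = h.get("server")
    if server is not None:
        if VERSION_RE.search(server):
            score -= 1
            notes.append(f"-1 Server discloses product and version: {server}")
        else:
            score -= 0.5
            notes.append(f"-0.5 Server present but vague: {server}")

    powered = h.get("x-powered-by")
    if powered is not None:
        if any(fw in powered.lower() for fw in WELL_KNOWN_FRAMEWORKS):
            score -= 1
            notes.append(f"-1 X-Powered-By discloses framework: {powered}")
        else:
            score -= 0.5
            notes.append(f"-0.5 X-Powered-By present: {powered}")

    if "x-aspnet-version" in h:
        score -= 1
        notes.append(f"-1 X-AspNet-Version present: {h['x-aspnet-version']}")

    return score, band_for(score), notes


def band_for(score):
    """Map a score to the post's colour bands."""
    if score > 0:
        return "green"
    if score == 0:
        return "yellow"
    if score == -0.5:
        return "orange"
    return "red"


# Constructed header sets mirroring rows of the post's table (values are made up).
SAMPLE_SITES = {
    "Bank West-like": {
        "Strict-Transport-Security": "max-age=31536000",
        "Content-Security-Policy": "default-src 'self'",
        "X-Frame-Options": "SAMEORIGIN",
        "X-Xss-Protection": "1; mode=block",
    },
    "CUA-like": {"Strict-Transport-Security": "max-age=31536000", "Server": "CUA Server"},
    "Westpac-like": {"X-Powered-By": "Servlet/3.0"},
    "Teachers Mutual-like": {
        "Server": "Microsoft-IIS/8.0",
        "X-Powered-By": "ASP.NET",
        "X-AspNet-Version": "4.0.30319",
    },
}


def rank_sites(sites):
    """Return [(name, score, band)] sorted from best to worst."""
    rows = [(name, *score_headers(hdrs)[:2]) for name, hdrs in sites.items()]
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for name, score, band in rank_sites(SAMPLE_SITES):
        print(f"{name:22} {score:5} {band}")
```

Feeding the function a header dict captured from your own site (for example `dict(response.headers)` from the `requests` library) reproduces the leaderboard calculation locally; the notes list explains every point gained or lost.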

Results


| Bank | Score | Strict-Transport-Security | Content-Security-Policy | Public-Key-Pins | X-Frame-Options | X-Xss-Protection | X-Content-Type-Options | Server | X-Powered-By | X-AspNet-Version |
|---|---|---|---|---|---|---|---|---|---|---|
| Bank West | 5 | Yes | Yes | No | Yes, SAMEORIGIN | Yes | No | No | No | No |
| CUA | 1.5 | Yes | No | No | No | No | No | Yes, CUA Server | No | No |
| Commonwealth Bank | 1 | Yes | No | No | No | No | No | Yes, Apache/2.2.3 (Red Hat) | No | No |
| ING Direct | 1 | No | No | No | Yes, SAMEORIGIN | No | No | No | No | No |
| AMP | 0.5 | No | No | No | Yes, SAMEORIGIN | No | No | Yes, IBM_HTTP_Server | No | No |
| St George | 0.5 | No | No | No | Yes, SAMEORIGIN | No | No | Yes, Apache | No | No |
| Bankmecu | 0 | No | No | No | No | No | No | No | No | No |
| Bendigo Bank | 0 | No | No | No | No | No | No | No | No | No |
| Beyond | 0 | No | No | No | No | No | No | No | No | No |
| Greater | 0 | No | No | No | No | No | No | No | No | No |
| Heritage | 0 | No | No | No | No | No | No | No | No | No |
| Macquarie | 0 | No | No | No | No | No | No | No | No | No |
| People's Choice Credit Union | 0 | No | No | No | No | No | No | No | No | No |
| Suncorp | 0 | No | No | No | Yes, SAMEORIGIN | No | No | No | Yes, ASP.NET | No |
| IMB | -0.5 | No | No | No | No | No | No | Yes, Sandstone Framework | No | No |
| Westpac | -0.5 | No | No | No | No | No | No | No | Yes, Servlet/3.0 | No |
| Newcastle Permanent | -1 | No | No | No | No | No | No | No | Yes, ASP.NET | No |
| ANZ | -2 | No | No | No | No | No | No | Yes, Microsoft-IIS/6.0 | Yes, ASP.NET | No |
| Bank of Queensland | -2 | No | No | No | No | No | No | No | Yes, ASP.NET | Yes, 2.0.50727 |
| P&N | -2 | No | No | No | No | No | No | Yes, Microsoft-IIS/7.5 | Yes, ASP.NET | No |
| Teachers Mutual | -3 | No | No | No | No | No | No | Yes, Microsoft-IIS/8.0 | Yes, ASP.NET | Yes, 4.0.30319 |

Update 1 - 14 June 2015: Bank West has addressed a few issues and contacted me to update the results. A quick check revealed a massive improvement, going from a "-2" score all the way to the top of the leaderboard! Congratulations to the team, and thank you for taking the time to improve your ranking.
This also gave me an opportunity to review the situation with the other banks on this list. Newcastle Permanent dropped 1 point for the presence of the X-Powered-By header. ANZ did the same for the Server header (IIS 6, really???). Heritage went up 1 point (removed the Server header).

Key findings

  • Only the Strict-Transport-Security and X-Frame-Options security headers have been observed in the wild
  • Surprisingly, there is a clear lack of wider adoption of security headers (group 1) by the banks.
    • Only 2 banks out of 21 use HSTS - kudos to CUA and Commonwealth Bank
    • Only 4 banks use X-Frame-Options
  • The situation with the group 2 headers was better: most of the banks had none of them. Some banks had several ASP.NET-related headers (which took them to the bottom of the list). This is especially surprising given how easy it is to remove these headers.
  • Weak correlation between the SSL and HTTP header results
    • ING Direct is the only bank that has managed to reach the top (green) category in both tests
And the last point I would like to make: some headers which are not directly related to security per se might still leak information that is useful to attackers. This includes:
  • Set-Cookie: f5_cspm=[skipped]; - indicates the presence of an F5 appliance
  • Set-Cookie: citrix_ns_id=[skipped] - indicates the presence of a Citrix NetScaler appliance
  • Set-Cookie: ASP.NET_SessionId=[skipped]; path=/; HttpOnly - indicates an ASP.NET application even if all other headers (from group 2) have been removed
To summarise, it is a bit disappointing that we don't see a wider adoption of the HTTP security headers by the Australian banking industry. Some of these headers are trivial to implement (e.g. X-Frame-Options) and yet they provide a valuable protection layer.

I would like to encourage everyone reading this blog to get a better understanding of what all of these headers do and to start implementing at least some of them on your own web sites. This will make the Internet as a whole more secure.
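An added example, not part of the original post: a small Python checker that parses a constructed raw HTTP response, extracts the cookie name from every Set-Cookie header and maps it to the three indicators listed above. It is a quick way to audit your own responses for fingerprints that survive the removal of the group 2 headers, which is exactly the ASP.NET_SessionId case described. The response text and cookie values are constructed placeholders.

```python
"""Spot technology fingerprints in the Set-Cookie headers of a raw HTTP response.

The cookie-name-to-product mapping covers only the three indicators named
in the post; the sample response below is constructed for this example.
"""

# Cookie name -> what its presence suggests (taken from the post).
COOKIE_FINGERPRINTS = {
    "f5_cspm": "F5 appliance",
    "citrix_ns_id": "Citrix NetScaler appliance",
    "ASP.NET_SessionId": "ASP.NET application",
}

GROUP2_HEADERS = {"server", "x-powered-by", "x-aspnet-version"}


def parse_response_headers(raw):
    """Parse a raw HTTP/1.x response head into a list of (name, value) pairs.

    A list rather than a dict, because Set-Cookie legitimately repeats.
    """
    headers = []
    for line in raw.split("\r\n")[1:]:  # skip the status line
        if not line:
            break  # the blank line ends the header block
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def cookie_names(headers):
    """Return the cookie names set by every Set-Cookie header, in order."""
    names = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            # The cookie-pair precedes the first ';'; the name precedes '='.
            pair = value.split(";", 1)[0]
            cname = pair.split("=", 1)[0].strip()
            if cname:
                names.append(cname)
    return names


def infer_technologies(headers):
    """Return the set of technologies the cookie names hint at."""
    found = set()
    for cname in cookie_names(headers):
        tech = COOKIE_FINGERPRINTS.get(cname)
        if tech:
            found.add(tech)
    return found


def leaks_despite_clean_headers(headers):
    """True when no group 2 header is present but cookies still reveal the stack."""
    present = {name.lower() for name, _ in headers}
    return not (present & GROUP2_HEADERS) and bool(infer_technologies(headers))


# Constructed response: group 2 headers stripped, session cookie left in place.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: ASP.NET_SessionId=PLACEHOLDER; path=/; HttpOnly\r\n"
    "Set-Cookie: f5_cspm=PLACEHOLDER; path=/\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
    "<html></html>"
)

if __name__ == "__main__":
    hdrs = parse_response_headers(SAMPLE_RESPONSE)
    print("cookies:", cookie_names(hdrs))
    print("inferred:", sorted(infer_technologies(hdrs)))
    print("leaks despite clean group 2 headers:", leaks_despite_clean_headers(hdrs))
```

Cookie names are matched case-sensitively on purpose, since that is how the frameworks emit them; extend COOKIE_FINGERPRINTS with your own platform's defaults when auditing a different stack.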

2 comments:

  1. Hi Dmitry,

    Are you able to run your test again and update result for Bankwest?

    URL is https://ibs.bankwest.com.au/bwlogin/rib.aspx

    Replies
    1. Hi Noli,

      Well done guys - massive improvement. BankWest is now at the top of the leaderboard (with a fairly big margin). Also judging by your high score in Troy's SSL test I can clearly see that you do care about security.

      Thank you,
      Dmitry
