Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Rails Security in the Wild - Chicago Ruby

Matt Konda
December 04, 2012
Programming
3
590

Rails Security in the Wild - Chicago Ruby

Discussion of important security issues developers in Rails are advised to be aware of.

Matt Konda

December 04, 2012
Tweet

More Decks by Matt Konda

See All by Matt Konda
Glue Intro
mkonda
0
130
Automate All of the Things
mkonda
0
190
Building Rugged Software in a DevOps World
mkonda
0
100
What is Rugged all about?
mkonda
1
82
Real World Security Testing
mkonda
1
100
Security Automation Pipeline
mkonda
1
190
Security Automation Workshop
mkonda
0
55
Rationalizing Security
mkonda
0
60
Application Security Landscape
mkonda
0
89

Other Decks in Programming

See All in Programming
Remix on Hono on Cloudflare Workers
yusukebe
1
300
Outline View in SwiftUI
1024jp
1
330
AI時代におけるSRE、
あるいはエンジニアの生存戦略
pyama86
6
1.2k
PHP でアセンブリ言語のように書く技術
memory1994
PRO
1
170
Jakarta EE meets AI
ivargrimstad
0
220
AWS Lambdaから始まった
Serverlessの「熱」とキャリアパス / It started with AWS Lambda Serverless “fever” and career path
seike460
PRO
1
260
Nurturing OpenJDK distribution: Eclipse Temurin Success History and plan
ivargrimstad
0
960
みんなでプロポーザルを書いてみた
yuriko1211
0
280
EMになってからチームの成果を最大化するために取り組んだこと/ Maximize team performance as EM
nashiusagi
0
100
CSC509 Lecture 09
javiergs
PRO
0
140
watsonx.ai Dojo #4 生成AIを使ったアプリ開発、応用編
oniak3ibm
PRO
1
140
Macとオーディオ再生 2024/11/02
yusukeito
0
370

Featured

See All Featured
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
4
370
The Cult of Friendly URLs
andyhume
78
6k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
38
1.8k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
250
21k
Side Projects
sachag
452
42k
Learning to Love Humans: Emotional Interface Design
aarron
273
40k
Rails Girls Zürich Keynote
gr2m
94
13k
Statistics for Hackers
jakevdp
796
220k
Making Projects Easy
brettharned
115
5.9k
RailsConf 2023
tenderlove
29
900
Raft: Consensus for Rubyists
vanstee
136
6.6k
For a Future-Friendly Web
brad_frost
175
9.4k

Transcript

  1. Rail in the Wild Chicago Ruby Edition Security Tuesday, December

    4, 12

  2. Thanks Tuesday, December 4, 12

  3. Builde vs. Breake Security Agenda: Tuesday, December 4, 12

  4. Builde Breake Chicago Ruby Edition vs. Tuesday, December 4, 12

  5. Matt Konda Builde Tuesday, December 4, 12

  6. Jon Claudius Breaker Tuesday, December 4, 12

  7. QUICK POLL Builder Breaker ~ OR ~ Tuesday, December 4,

    12

  8. Audience Member 1 Vote & Drink! Question & Debate Tuesday,

    December 4, 12

  9. BUILDER’S CONCERNS Dates Features Functional Quality Tuesday, December 4, 12

  10. BREAKER’S CONCERNS LOL’s! VULNS! Compromise! Tuesday, December 4, 12

  11. Let’ get in the m d Tuesday, December 4, 12

  12. “….developers will never learn, never improve because they are repeating

    the same mistakes over and over again” Breaker Tuesday, December 4, 12

  13. “…only good at ranting. Zero contribs, and almost zero constructive

    feedbacks but bashing” Builde Response Tuesday, December 4, 12

  14. QUICK POLL Who is familiar with OWASP? Tuesday, December 4,

    12

  15. “If you are a developer and don’t know who OWASP

    is at this point, it’s because you’ve chosen not to.” reaker Tuesday, December 4, 12

  16. “Problem. Infosec pros, pentesters, etc. are more interested in #appsec

    than programmers. How to change that? < will not change” uilde Tuesday, December 4, 12

  17. Tuesday, December 4, 12

  18. SECURE MAKES ME THE CLOUD Tuesday, December 4, 12

  19. Customers Don’t Ask For Security Tuesday, December 4, 12

  20. SLOW POLL Who typically has: 1. Pen test 2. Static

    analysis 3. App Scan 4. Secure Code Review 5. Secure Development Training Tuesday, December 4, 12

  21. BREACHES are CHEAPER than SECURE CODING Tuesday, December 4, 12

  22. Agile Hurts Security Tuesday, December 4, 12

  23. A PENTEST VALIDATES SECURITY Tuesday, December 4, 12

  24. A PENTEST VALIDATES SECURITY Tuesday, December 4, 12

  25. 3rd Party Libraries are Secure Tuesday, December 4, 12

  26. QUICK POLL How many people NEVER work with sensitive data?

    Tuesday, December 4, 12

  27. Security Tuesday, December 4, 12

  28. Jon Claudius Breaker @claudijd Tuesday, December 4, 12

  29. Matt Konda Builde @mkonda Tuesday, December 4, 12

  30. Hat tip: @todb (Todd Beardsley) Ruby Security Projects Tuesday, December

    4, 12

  31. #25 SQL Injection Apr 30, 2007 Episode #204 – Mar

    08, 2010 – 31 comments XSS Protection in Rails 3 #178 7 Security Tips Sep 07, 2009 Episode #26 – Mar 08, 2012 – 23 comments Hackers Love Mass Assignment (revised) Episode #27 – May 04, 2007 – 15 comments Cross Site Scripting Episode #26 – May 02, 2007 – 32 comments Hackers Love Mass Assignment Episode #20 – Apr 18, 2007 – 22 comments Restricting Access Episode #352 – May 23, 2012 – 15 comments Securing an API Episode #356 – Jun 08, 2012 – 23 comments Dangers of Session Hijacking History Lesson Tuesday, December 4, 12

  32. YOU? Tuesday, December 4, 12

  33. Session Tuesday, December 4, 12

  34. Burp Demo http://localhost:3001/ Tuesday, December 4, 12

  35. Other Problems •Cookie Store •Sensitive data in session •API Tuesday,

    December 4, 12

  36. In ApplicationController: def restrict_access_by_token_to_worker() token = request.env["HTTP_AUTHORIZATION"] if token ==

    nil authenticate_user! else key = ApiKey.find_by_token(token) if key != nil and key.worker == true return true else puts "Invalid token" return false end end end In command controller: before_filter :authenticate_user!, :except => [:show] In show method: worker = restrict_access_by_token_to_worker Tuesday, December 4, 12

  37. Injection http://localhost:3012/ Tuesday, December 4, 12

  38. Command Injection • Vulnerability Focused on Server • Attacker piggybacks

    on variable input that is passed down to a command line call. • Most easily demonstrated like so… http://example.com/page.php?id=123;ifconfig Tuesday, December 4, 12

  39. • Lis$ng  a  file  or  showing  the  IP  configura$on  can

     be  used   to  demonstrate  app  vulnerability. Command Injection Tuesday, December 4, 12

  40. • Demo • “Pop  a  shell”  via  command  injec$on  vulnerability

     in  Rails  App Command Injection Tuesday, December 4, 12

  41. SQL Injection 1 @project = Project.find(params[:id]) 2 @projects = Project.find(:all,

    :conditions=>"id LIKE #{params[:id]}") 3 @project = Project.find(:all, :conditions=> ["id LIKE ?", "%#{params[:query]}%&"] ) http://localhost:3002/projects/-1%20or%20name%20= %20name Tuesday, December 4, 12

  42. Rails SQL Injection Workarounds ----------- This issue can be mitigated

    by casting the parameter to an expected value. For example, change this: Post.where(:id => params[:id]).all to this: Post.where(:id => params[:id].to_s).all CVE-2012-2661 Tuesday, December 4, 12

  43. Rails Unsafe Query Generation unless params[:token].nil? user = User.find_by_token(params[:token]) <---

    HERE user.reset_password! end Workarounds ----------- This problem can be mitigated by testing for `[nil]`. For example: unless params[:token].nil? || params[:token] == [nil] user = User.find_by_token(params[:token]) user.reset_password! end Another possible workaround is to cast to a known type and test against that type. unless params[:token].to_s.empty? user = User.find_by_token(params[:token]) user.reset_password! end CVE-2012-2660 Tuesday, December 4, 12

  44. Forceful Browsing Tuesday, December 4, 12

  45. Demo Tuesday, December 4, 12

  46. Before and After def destroy @service_request = ServiceRequest.find(params[:id]) @service_request.destroy respond_to

    do |format| format.html { redirect_to service_requests_url } format.json { head :no_content } end end def show @service_request = ServiceRequest.find(params[:id]) respond_to do |format| format.html # show.html.erb format.json { render json: @service_request } end end Tuesday, December 4, 12

  47. Magic def user_can_access_service_request(service_request) sr_key = service_request.api_key keys = get_api_keys keys.each

    do |key| if (key == sr_key) return true end end return false end Tuesday, December 4, 12

  48. After def destroy @service_request = ServiceRequest.find(params[:id]) if (user_can_access_service_request(@service_request)) @service_request.destroy end

    respond_to do |format| format.html { redirect_to service_requests_url } format.json { head :no_content } end end def show @service_request = ServiceRequest.find(params[:id]) respond_to do |format| if (user_can_access_service_request(@service_request)) format.html # show.html.erb format.json { render json: @service_request } else @service_request = ServiceRequest.new @service_request.errors.add(:base, "You do not have access to this object.") flash[:error] = "Unable to access specified instance." format.html { render action: "new" } format.json { render json: @service_request.errors, status: :unprocessable_entit end end end Tuesday, December 4, 12

  49. XSS http://localhost:3011/ Tuesday, December 4, 12

  50. Cross-site Scripting (XSS) • Alert  boxes  are  an  easy  proof

     of  concept  to   demonstrate  applica$on  vulnerability. • Real attackers use JavaScript for evil Tuesday, December 4, 12

  51. Cross-site Scripting (XSS) • Demo • Steal Facebook Credentials via

    Persistent XSS Vulnerability in Rails App Tuesday, December 4, 12

  52. Cross-site Scripting (XSS) • Vulnerability  Focused  on  Client  Browsers •

    AHacker  convinces  user  to  click  a  link,  Javascript   is  executed  in  target  browser. • Most  easily  demonstrated  like  so… • hHp://example.com/page?id=<script>alert(‘xss’)</ script> Tuesday, December 4, 12

  53. Common Issues Tuesday, December 4, 12

  54. Static Analysis Tuesday, December 4, 12

  55. Business Logic Tuesday, December 4, 12

  56. Manager approves timesheet. Manager cannot approve own timesheet. Tuesday, December

    4, 12

  57. Tuesday, December 4, 12

  58. Signed integer. -6 = 64.1 Trillion Tuesday, December 4, 12

  59. Mass Assignment Tuesday, December 4, 12

  60. curl -d "user[name]=hacker&user[admin]=1&user[comment_id s][]=1&user[comment_ids]=2" http://localhost:3000/users/create curl -d "user[name]=hacker&user[admin]=1" http://localhost:3000/Users/ Mass

    Assignment Example from RailsCasts #26: Hackers Love Mass Assignment Tuesday, December 4, 12

  61. curl -d "user[name]=hacker&user[admin]=1&user[comment_id s][]=1&user[comment_ids]=2" http://localhost:3000/users/create curl -d "user[name]=hacker&user[admin]=1" http://localhost:3000/Users/ Answer:

    attr_accessible Mass Assignment Example from RailsCasts #26: Hackers Love Mass Assignment Tuesday, December 4, 12

  62. Password Complexity Tuesday, December 4, 12

  63. File Path Traversal Tuesday, December 4, 12

  64. File Upload Tuesday, December 4, 12

  65. Third Party Libraries Tuesday, December 4, 12

  66. Use SSL Tuesday, December 4, 12

  67. Anyone? Tuesday, December 4, 12

  68. Top 10 • A1: Injection • A2: Cross-Site Scripting (XSS)

    • A3: Broken Authentication and Session Management • A4: Insecure Direct Object References • A5: Cross-Site Request Forgery (CSRF) • A6: Security Misconfiguration • A7: Insecure Cryptographic Storage • A8: Failure to Restrict URL Access • A9: Insufficient Transport Layer Protection • A10: Unvalidated Redirects and Forwards Tuesday, December 4, 12

  69. Top 10 A1: Injection • A2: Cross-Site Scripting (XSS) •

    A3: Broken Authentication and Session Management • A4: Insecure Direct Object References • A5: Cross-Site Request Forgery (CSRF) • A6: Security Misconfiguration • A7: Insecure Cryptographic Storage • A8: Failure to Restrict URL Access • A9: Insufficient Transport Layer Protection • A10: Unvalidated Redirects and Forwards Tuesday, December 4, 12

  70. Security in the SDLC Requirements Design Coding Testing Maintenance Waterfall

    Model Tuesday, December 4, 12

  71. Security in the SDLC Requirements Design Coding Testing Maintenance Waterfall

    Model Tuesday, December 4, 12

  72. Security in the SDLC Requirements Design Coding Testing Agile Model

    Quantum: Story Tuesday, December 4, 12

  73. Security in the SDLC Requirements Design Coding Testing Agile Model

    Quantum: Story Static Analysis Code Review Pen Test Architecture Security Requirements Security in the Story Threat Model Security Training Scanners Change Mgmt More ... Tuesday, December 4, 12

  74. Resources OWASP • Code Review Guide • Legal Language •

    Cheat Sheets • Top 10 • Tools (ZAP) Tools Attack Proxy (Burp, ZAP) Static Analysis (Brakeman) Web App Scan (Arachni) Code Review (Barkeep) Bad Code (Intentional) https://github.com/claudijd/xss https://github.com/claudijd/command_injection https://github.com/Jemurai/triage Tuesday, December 4, 12

  75. @claudijd @mkonda Tuesday, December 4, 12

  76. Now let’s talk: . We’ll buy for the first 5

    people that find problems and verify with us. VERY LIMITED TIME OFFER. Tuesday, December 4, 12

  77. What would be helpful? Tuesday, December 4, 12

  78. Thanks Tuesday, December 4, 12