
WindyCityRails: Insecure Expectations

Matt Konda
September 12, 2013


A talk about how to use testing frameworks to test for security issues in code.


Transcript

  1. demo

     cucumber --name "person is restricted from putting input into a field that will be executed by the system"
  2. root cause

     # The project name is whatever the user who created the project typed in.
     # Interpolating it into a backtick shell command hands that user a shell on the
     # server: a name such as  x; <command> #  runs <command> when the project is
     # destroyed. (This is the deliberately vulnerable code behind the demo.)
     def destroy
       @project = Project.find(params[:id])
       name = @project.name
       `rm /tmp/#{name}.log`
       @project.destroy
       respond_to do |format|
         format.html { redirect_to projects_url }
         format.json { head :no_content }
       end
     end
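The same root cause beside a hardened version, plus the detection trick the talk describes (inject a command and watch for its side effect). This is an added example, not code from the deck or from the Jemurai test suite; it assumes a scratch directory in place of the deck's hard-coded /tmp, and the function names are this example's own:

```ruby
require 'tmpdir'

# Vulnerable form, same shape as the destroy action in the deck: the project name
# is interpolated into a backtick shell command, so shell metacharacters in the
# name are interpreted. log_dir replaces the deck's hard-coded /tmp so the demo
# stays inside a scratch directory (an assumption of this example).
def vulnerable_remove_log(log_dir, name)
  `rm -f #{log_dir}/#{name}.log`
  nil
end

# Hardened form: allow-list the name, build the path without a shell and delete
# it with File.delete, so there is no subprocess for the name to inject into.
def safe_remove_log(log_dir, name)
  raise ArgumentError, "invalid log name: #{name.inspect}" unless name.match?(/\A[A-Za-z0-9_-]+\z/)
  path = File.join(log_dir, "#{name}.log")
  File.delete(path) if File.exist?(path)
  path
end

# Detection technique from the deck ("inject commands into fields and detect
# functions being called"): the injected command has an observable side effect,
# creating a canary file, and the check is whether that side effect happened.
def injection_fires?(log_dir)
  canary = File.join(log_dir, "canary")
  File.delete(canary) if File.exist?(canary)
  payload = "x; touch #{canary} #"   # the trailing '#' comments out the ".log" suffix
  begin
    yield payload
  rescue ArgumentError
    # the hardened version rejects the name outright; no command ran
  end
  File.exist?(canary)
end

# Runs both versions in a throwaway directory and reports which one executed the payload.
def command_injection_demo
  Dir.mktmpdir("injection-demo") do |dir|
    {
      vulnerable: injection_fires?(dir) { |name| vulnerable_remove_log(dir, name) },
      hardened:   injection_fires?(dir) { |name| safe_remove_log(dir, name) }
    }
  end
end
```

In a Cucumber step the canary check is the "Then": the step registers a project whose name is the payload, triggers destroy, and fails the scenario if the canary appears. The allow-list is the real fix; quoting the name for the shell would still leave a subprocess in the path.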
  3. Feature: person is restricted from accessing project they do not own

       Scenario: person accesses a project that is not theirs
         Given a new project created by a user
         When a different person attempts to access the project
         Then the system should prevent access
  4. Step definitions for the feature above. register_as_user, new_project and
     logout are helpers from the test suite that are not shown on the slide; the
     second user visits the first user's project URL directly (forceful browsing)
     and the test fails if the description is visible.

     require 'securerandom'

     Given(/^a new project created by a user$/) do
       uuid = SecureRandom.uuid
       @user1 = "fb_user_1_#{uuid}@jemurai.com"
       register_as_user(@user1, "password")
       new_project("Insecure Direct Object Reference #{uuid}", "Forceful Browsing Desc")
       @url = current_url   # the owner's project URL, reused by the second user below
     end

     When(/^a different person attempts to access the project$/) do
       logout(@user1)
       uuid = SecureRandom.uuid
       @user2 = "fb_user_2_#{uuid}@jemurai.com"
       register_as_user(@user2, "password")
     end

     Then(/^the system should prevent access$/) do
       visit @url
       expect(page).not_to have_content "Forceful Browsing Desc"
     end
  5. handy

     http://localhost:3000/projects?name=%27A%27%29%20or%201=1%20--

     # params[:name] is concatenated straight into the WHERE clause. The deck
     # marks this code as illustrative.
     def index
       email = current_user.email
       conditions = "owner LIKE '#{email}'"
       if params[:name]
         conditions = "name like #{params[:name]} " + conditions
       end
       @projects = Project.find(:all, :conditions => conditions)
       respond_to do |format|
         format.html # index.html.erb
         format.json { render json: @projects }
       end
     end

     With the URL above, params[:name] decodes to  'A') or 1=1 --  and the query that runs is

     SELECT "projects".* FROM "projects" WHERE (name like 'A') or 1=1 -- owner LIKE '<current user's email>')

     (the address is redacted in the transcript). The "--" comments out the owner
     restriction, so the query returns every project rather than the current user's.
     For illustration.
  6. Feature: user is prevented from putting XSS in project form fields

       A user wants to be sure that other users can't put XSS in the projects pages
       in order to ensure that their sessions and information are safe.

       @javascript
       Scenario Outline: xss attempt
         Given the field is "<fieldname>"
         When the value is "<value>"
         Then the field result should be "<result>"

         Scenarios: xss in fields
           | fieldname            | value                                                                   | result |
           | project[name]        | ProjectName                                                             | noxss  |
           | project[name]        | ProjectName <script>alert('project[name]->xss');</script>               | xss    |
           | project[description] | ProjectDescription <script>alert('project[description]->xss');</script> | noxss  |

     The result column selects the check: "xss" rows assert that the script did not
     execute (no alert), "noxss" rows assert that the submitted value is rendered
     back as literal page content.
  7. Body of the Then step for the outline above. @field, @value and @result are
     set by the outline's steps; uniq is a unique suffix from a helper not shown on
     the slide.

     new_project("XSS Name #{@field} #{uniq}", "XSS Desc #{@field}" + uniq)
     click_link 'Edit'
     fill_in @field, :with => @value
     click_button "Update Project"
     if @result == "xss"
       # This should have xss in it...did it stick?
       alerted = false
       begin
         page.driver.browser.switch_to.alert.accept   # raises if no alert is open
         alerted = true
       rescue
       end
       if alerted
         fail("XSS Used to create Popup in #{@field} with #{@value}")
       else
         puts "Good news, no xss where expected."
       end
     else
       expect(page).to have_content @value
     end
  8. Feature: user is protected from malicious content and having their page framed

       A user wants to be sure that effective browser protections are enabled
       in order to ensure that their information is safe.

       @javascript
       Scenario Outline: check for secure headers attempt
         Given a new project created by a user
         And the page is "<page>"
         When the header is "<header>"
         Then the header value should be "<result>"

         Scenarios: headers in pages
           | page      | header           | result |
           | projects/ | X-Frame-Options  | DENY   |
           | projects/ | X-XSS-Protection | 1      |
  9. Header check: pull the session cookies and CSRF token out of the Capybara
     browser session, then replay a form submission with Net::HTTP so the raw
     response headers can be inspected. (Capybara's drivers do not expose response
     headers, hence the switch.)

     require 'net/http'
     require 'uri'
     require 'openssl'

     cookies = Capybara.current_session.driver.browser.manage.all_cookies
     csrf_token = Capybara.current_session.driver.browser.find_element(:xpath, "//meta[@name='csrf-token']").attribute('content')

     # Switch mode to net::http
     uri = URI.parse(url)
     http = Net::HTTP.new(uri.host, uri.port)
     http.use_ssl = (uri.scheme == 'https')        # verify_mode only applies to TLS connections
     http.verify_mode = OpenSSL::SSL::VERIFY_NONE  # test app with a self-signed cert; never do this in production code
     request = Net::HTTP::Post.new(uri.request_uri)
     # all_cookies is an array of hashes; the Cookie header needs "name=value" pairs
     request['Cookie'] = cookies.map { |c| "#{c[:name]}=#{c[:value]}" }.join('; ')
     request.set_form_data({
       "_method"            => "put",
       "authenticity_token" => "#{csrf_token}",
       "project[name]"      => "header updated and verified",
       "commit"             => "Update Project"
     })
     response = http.request(request)
     ...
     if response[@header] == @result
       # pass
     else
       fail("Header #{@header} not set to #{@result} as expected. Instead was #{response[@header]}.")
     end
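The same check run end to end against a stub server, so it can be exercised offline. This is an added example, not the deck's code: the one-shot TCPServer stands in for the Rails app, the cookie is constructed, and EXPECTED_HEADERS carries the two rows from the scenario table above.

```ruby
require 'net/http'
require 'socket'
require 'uri'

# Expected values from the scenario table above.
EXPECTED_HEADERS = { "X-Frame-Options" => "DENY", "X-XSS-Protection" => "1" }.freeze

# Builds the Cookie header from the array of hashes that Selenium's
# manage.all_cookies returns; assigning the array itself would send its
# inspect string, not "name=value" pairs.
def cookie_header(cookies)
  cookies.map { |c| "#{c[:name]}=#{c[:value]}" }.join("; ")
end

# Net::HTTP request against the page and comparison of each expected header;
# returns the list of mismatches, empty when every header is as expected.
def header_mismatches(url, cookies, expected)
  uri = URI.parse(url)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = (uri.scheme == "https")
  request = Net::HTTP::Get.new(uri.request_uri)
  request["Cookie"] = cookie_header(cookies)
  response = http.request(request)
  expected.reject { |name, value| response[name] == value }
          .map { |name, value| "#{name}: expected #{value.inspect}, got #{response[name].inspect}" }
end

# One-shot HTTP stub on an ephemeral loopback port that answers with the given
# headers; a constructed stand-in for the Rails app so the check runs offline.
def serve_once(headers)
  server = TCPServer.new("127.0.0.1", 0)
  port = server.addr[1]
  thread = Thread.new do
    client = server.accept
    while (line = client.gets) && line != "\r\n"; end   # consume the request head
    body = "ok"
    head = "HTTP/1.1 200 OK\r\nContent-Length: #{body.bytesize}\r\nConnection: close\r\n"
    headers.each { |name, value| head << "#{name}: #{value}\r\n" }
    client.write(head + "\r\n" + body)
    client.close
    server.close
  end
  [port, thread]
end

# Runs the check against a stub that serves the given headers.
def secure_headers_demo(served_headers)
  port, thread = serve_once(served_headers)
  cookies = [{ name: "_app_session", value: "constructed" }]   # constructed sample cookie
  mismatches = header_mismatches("http://127.0.0.1:#{port}/projects/", cookies, EXPECTED_HEADERS)
  thread.join
  mismatches
end
```

A server that sends X-Frame-Options: SAMEORIGIN and omits X-XSS-Protection produces two mismatch strings, which is what the step reports as the failure message; against the real app, point header_mismatches at the page from the table and pass the cookies Capybara collected.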
  10. current Tests

      • Injection / SQL Injection
      • Cross Site Scripting
      • Mass Assignment
      • Cross Site Request Forgery
      • Secure Headers
      • Sensitive Data Exposure (Session Cookie)
  11. features

      • person is restricted from putting input into a field that will be executed by the system
      • user is prevented from putting XSS in project form fields
      • user should not be able to set fields not shown in the form
      • user should not be able to submit forms in another's session
      • user is protected from malicious content and having their page framed
      • user's favorite album is in cookie
  12. simplified Steps

      • injection: inject commands into fields and detect functions being called
      • XSS: inject scripts into fields and detect that alerts are thrown
      • Mass assignment: set raw form data with net::http and send it to see how the server responds
      • csrf: alter csrf token and send otherwise valid request
      • headers: interact with system and verify that headers are being set
      • Sensitive Data: open session cookie and inspect
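The "open session cookie and inspect" step, worked through for the favorite-album feature listed above. This is an added example, not the deck's code: the cookie is built here in the Rails 3 cookie-store layout (Base64 of the Marshal-dumped session hash, then "--", then an HMAC-SHA1 over the Base64 part) under a constructed secret, standing in for a cookie captured from the app.

```ruby
require 'base64'
require 'openssl'

# Constructed secret standing in for the app's secret_token (an assumption of this example).
SESSION_SECRET = "constructed-secret-for-this-example-only".freeze

def hmac_sha1(data, secret)
  OpenSSL::HMAC.hexdigest("SHA1", secret, data)
end

# Rails 3 cookie-store layout: Base64(Marshal.dump(session)) + "--" + HMAC-SHA1 over
# the Base64 part. Constructed here to stand in for a cookie captured from the app.
def build_session_cookie(session, secret)
  data = Base64.strict_encode64(Marshal.dump(session))
  "#{data}--#{hmac_sha1(data, secret)}"
end

# The "open session cookie and inspect" step: the payload is only Base64-encoded,
# so it decodes without the secret. Only run this on cookies you minted yourself;
# Marshal.load of attacker-controlled bytes is itself a code-execution risk.
def inspect_session_cookie(cookie)
  data, _signature = cookie.split("--", 2)
  Marshal.load(Base64.decode64(data))
end

# Which of the keys the test considers sensitive are readable from the cookie.
def exposed_keys(cookie, sensitive_keys)
  inspect_session_cookie(cookie).keys.map(&:to_s) & sensitive_keys.map(&:to_s)
end

# Constant-time comparison (what the server does before trusting the cookie).
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Signature check: tampering is detected, but a valid signature says nothing about
# confidentiality, which is the point the cookie feature in the deck makes.
def valid_signature?(cookie, secret)
  data, signature = cookie.split("--", 2)
  return false if data.nil? || signature.nil?
  secure_equal?(signature, hmac_sha1(data, secret))
end
```

The test is then a one-liner: take the session cookie from Capybara, decode it with inspect_session_cookie, and fail if exposed_keys reports anything the app treats as sensitive. A signed cookie keeps the server honest about what it reads back; it does nothing to keep the contents from the user or from anyone who captures the cookie.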
  13. Thanks!

      Justin Collins @presidentbeef
      Jeff Jarmoc @jjarmoc
      Ben Toews @mastahyeti
      Neil Matatall @ndm
      Aaron Bedra @abedra
      Jon Claudius @claudijd
      Chris Oliver @excid3
      Chris Hildebrand @ckhrysze
      Jon Rose
      Brett Hardin @miscsecurity
      Elizabeth Hendrickson @testobsessed
  14. References

      • https://github.com/Jemurai/triage
      • https://bitbucket.org/mkonda/swtf/
      • http://speakerdeck.com/mkonda
      • http://brakemanscanner.org
      • http://rails-sqli.org
      • https://github.com/twitter/secureheaders
      • http://testobsessed.com/wp-content/uploads/2011/04/testheuristicscheatsheetv1.pdf
      • https://www.owasp.org/index.php/Ruby_on_Rails_Cheatsheet