Rails' Insecure Defaults

Transcript

1. Rails’ Insecure Defaults Bryan Helmkamp @brynary

2. None

3. Insecure by default is insecure.

4. @brynary True or false? “Rails is secure by default.”

5. @brynary Rails’ Secure Defaults • SQL Generation (SQLi) • Cross-site

   Request forgery (CSRF) • HTML Sanitization (XSS)

6. Let’s Talk About Insecure Defaults

7. Warm Ups

8. @brynary Verbose Server Header Still risky in master

9. @brynary HTTP/1.1 200 OK Last-Modified: Sun, 10 Mar 2013 18:32:18

   GMT Content-Type: text/html Content-Length: 5906 Server: WEBrick/1.3.1 (Ruby/1.9.3/2012-04-20) Date: Tue, 12 Mar 2013 18:08:41 GMT Connection: Keep-Alive

10. @brynary HTTP/1.1 200 OK Last-Modified: Sun, 10 Mar 2013 18:32:18

    GMT Content-Type: text/html Content-Length: 5906 Server: WEBrick/1.3.1 (Ruby/1.9.3/2012-04-20) Date: Tue, 12 Mar 2013 18:08:41 GMT Connection: Keep-Alive

11. @brynary HTTP/1.1 200 OK Last-Modified: Sun, 10 Mar 2013 18:32:18

    GMT Content-Type: text/html Content-Length: 5906 Server: WEBrick/1.3.1 (Ruby/1.9.3/2012-04-20) Date: Tue, 12 Mar 2013 18:08:41 GMT Connection: Keep-Alive

12. @brynary 2012-04-20 == p194

13. @brynary Who cares? • Exposes Ruby patchlevel • Spray and

    prey scanners • Tailor attack payload • Avoid setting off any alerts

14. @brynary Best Practice • Avoid WEBrick in production • Use

    Passenger, Unicorn, Thin or Puma • Heroku users: WEBrick is the default

15. @brynary Proposed Fix • Rails configures WEBrick to use a

    less verbose Server header

16. @brynary Binds to 0.0.0.0 Still risky in master

17. @brynary Who cares? • Production data loaded onto laptop •

    San. Francisco. Coffee. Shops. • IP forgery

18. @brynary Best Practice • Use -b option to bind to

    127.0.0.1 • Avoid loading real data into development environments • If you must, delete it as soon as you’re done

19. @brynary Proposed Fix • Change default configuration to bind to

    127.0.0.1 only

20. @brynary Logging SQL Values Still risky in master

21. @brynary Started POST "/users" for 127.0.0.1 at 2013-03-12 14:26:28 -0400

    Processing by UsersController#create as HTML Parameters: {"utf8"=>"✓œ“", "authenticity_token"=>"...", "user"=>{"name"=>"Name", "password"=>"[FILTERED]"}, "commit"=>"Create User"} (0.1ms) begin transaction SQL (7.2ms) INSERT INTO "users" ("created_at", "name", "password_digest", "updated_at") VALUES (?, ?, ?, ?) [["created_at", Tue, 12 Mar 2013 18:26:28 UTC +00:00], ["name", "Name"], ["password_digest", "$2a$10$r/ XGSY9zJr62IpedC1m4Jes8slRRNn8tkikn5.0kE2izKNMlPsqvC"], ["updated_at", Tue, 12 Mar 2013 18:26:28 UTC +00:00]] (1.1ms) commit transaction Redirected to http://localhost:3000/users/1 Completed 302 Found in 91ms (ActiveRecord: 8.8ms)

22. @brynary Started POST "/users" for 127.0.0.1 at 2013-03-12 14:26:28 -0400

    Processing by UsersController#create as HTML Parameters: {"utf8"=>"✓œ“", "authenticity_token"=>"...", "user"=>{"name"=>"Name", "password"=>"[FILTERED]"}, "commit"=>"Create User"} (0.1ms) begin transaction SQL (7.2ms) INSERT INTO "users" ("created_at", "name", "password_digest", "updated_at") VALUES (?, ?, ?, ?) [["created_at", Tue, 12 Mar 2013 18:26:28 UTC +00:00], ["name", "Name"], ["password_digest", "$2a$10$r/ XGSY9zJr62IpedC1m4Jes8slRRNn8tkikn5.0kE2izKNMlPsqvC"], ["updated_at", Tue, 12 Mar 2013 18:26:28 UTC +00:00]] (1.1ms) commit transaction Redirected to http://localhost:3000/users/1 Completed 302 Found in 91ms (ActiveRecord: 8.8ms)

23. @brynary Started POST "/users" for 127.0.0.1 at 2013-03-12 14:26:28 -0400

    Processing by UsersController#create as HTML Parameters: {"utf8"=>"✓œ“", "authenticity_token"=>"...", "user"=>{"name"=>"Name", "password"=>"[FILTERED]"}, "commit"=>"Create User"} (0.1ms) begin transaction SQL (7.2ms) INSERT INTO "users" ("created_at", "name", "password_digest", "updated_at") VALUES (?, ?, ?, ?) [["created_at", Tue, 12 Mar 2013 18:26:28 UTC +00:00], ["name", "Name"], ["password_digest", "$2a$10$r/ XGSY9zJr62IpedC1m4Jes8slRRNn8tkikn5.0kE2izKNMlPsqvC"], ["updated_at", Tue, 12 Mar 2013 18:26:28 UTC +00:00]] (1.1ms) commit transaction Redirected to http://localhost:3000/users/1 Completed 302 Found in 91ms (ActiveRecord: 8.8ms)

24. @brynary Started POST "/users" for 127.0.0.1 at 2013-03-12 14:26:28 -0400

    Processing by UsersController#create as HTML Parameters: {"utf8"=>"✓œ“", "authenticity_token"=>"...", "user"=>{"name"=>"Name", "password"=>"[FILTERED]"}, "commit"=>"Create User"} (0.1ms) begin transaction SQL (7.2ms) INSERT INTO "users" ("created_at", "name", "password_digest", "updated_at") VALUES (?, ?, ?, ?) [["created_at", Tue, 12 Mar 2013 18:26:28 UTC +00:00], ["name", "Name"], ["password_digest", "$2a$10$r/ XGSY9zJr62IpedC1m4Jes8slRRNn8tkikn5.0kE2izKNMlPsqvC"], ["updated_at", Tue, 12 Mar 2013 18:26:28 UTC +00:00]] (1.1ms) commit transaction Redirected to http://localhost:3000/users/1 Completed 302 Found in 91ms (ActiveRecord: 8.8ms)

25. @brynary Started POST "/users" for 127.0.0.1 at 2013-03-12 14:26:28 -0400

    Processing by UsersController#create as HTML Parameters: {"utf8"=>"✓œ“", "authenticity_token"=>"...", "user"=>{"name"=>"Name", "password"=>"[FILTERED]"}, "commit"=>"Create User"} (0.1ms) begin transaction SQL (7.2ms) INSERT INTO "users" ("created_at", "name", "password_digest", "updated_at") VALUES (?, ?, ?, ?) [["created_at", Tue, 12 Mar 2013 18:26:28 UTC +00:00], ["name", "Name"], ["password_digest", "$2a$10$r/ XGSY9zJr62IpedC1m4Jes8slRRNn8tkikn5.0kE2izKNMlPsqvC"], ["updated_at", Tue, 12 Mar 2013 18:26:28 UTC +00:00]] (1.1ms) commit transaction Redirected to http://localhost:3000/users/1 Completed 302 Found in 91ms (ActiveRecord: 8.8ms)

26. @brynary Who cares? • Database gets sensitive values, like params

    • filtered_params_logging doesn’t apply • Production log level turned up to debug

27. @brynary Best Practice • Be aware of what you’re logging

    in production • If you must increase the log level temporarily, remove that data when it’s no longer needed

28. @brynary Possible Solutions • Introduce config.filter_logs and filter SQL values

    when possible • Redact entire SQL statement if it contains any references to filtered fields

29. Risky Business

30. @brynary Versioned Secret Tokens Still risky in master

31. @brynary Who cares? • Secret token == application root key

    • Encryption is only as good as key management

32. @brynary Best Practice • Use a different secret token in

    production • Inject secrets in ENV vars (Heroku, envdir) • Or symlink secret_token.rb on deploy

33. @brynary Proposed Fix • Minimum: Git-ignore secret_token.rb in generated app

    skeleton • Better: Introduce a “secret store” to solve this problem for the Rails ecosystem

34. @brynary Offsite redirect_to Still risky in master

35. @brynary class SignupsController < ApplicationController def create # ... if

    params[:destination].present? redirect_to params[:destination] else redirect_to dashboard_path end end end

36. @brynary Who cares? • Phishing • Send user to malicious

    site • Looks like you sent them there • OWASP Top 10 Critical Web Application Security Risks #A10

37. @brynary Best Practice • When passing a hash to redirect_to

    use the “only_path: true” option • When passing a string, extract the path via URI.parse

38. @brynary Proposed Fix • Rails should only allow redirects within

    the same domain by default • Add an “external: true” option to opt-in to unsafe behavior

39. @brynary #link_to with JavaScript Still risky in master

40. @brynary <%= link_to "View public site", user.public_site_url %> <a href="javascript:alert(&#x27;hi&#x27;)">View

    public site</a> becomes

41. @brynary Who cares? • Not immediately obvious you can put

    JavaScript in there • Cross-site scripting (XSS) risk

42. @brynary Best Practice • Don’t allow unsafe input to control

    HREFs • Run the input through URI.parse and sanity check protocol and host

43. @brynary Proposed Fix • Rails should only allow http://, https://

    and mailto: HREFs by default • Developers can opt-in to risky behavior with a new option

44. @brynary SQL Injection Still risky in master

45. Rails is not a SQLi silver bullet

46. #pluck

47. @brynary params[:column] = "password FROM users--" Order.pluck(params[:column]) SELECT password FROM

    users-- FROM "orders" becomes

48. @brynary becomes params[:column] = "age) FROM users WHERE name =

    'Bob';" Order.calculate(:sum, params[:column]) SELECT SUM(age) FROM users WHERE name = 'Bob';) AS sum_id FROM "orders"

49. Affected APIs • #calculate • #delete_all • #destroy_all • #exists?

    • #find • :from • :group • :having • .pluck • .order • .reorder • etc. @brynary

50. @brynary http://rails-sqli.org

51. @brynary Who cares? • You. It’s SQL injection. :) •

    Not obvious which APIs are vulnerable • Some APIs violate Principle of Least Surprise and Least Privilege

52. @brynary Best Practices • Understand which APIs are dangerous •

    Use the safest AR API possible for your operations • Whitelisted expected inputs (e.g. column names)

53. @brynary Proposed Fix • Only permit SQL fragments where they

    are commonly used • Avoid attribute names that imply safety improperly • Provide alternative, more-risky APIs for less common cases

54. @brynary YAML Serialization Still risky in master

55. @brynary class User < ActiveRecord::Base # ... serialize :preferences store

    :theme, accessors: [ :color, :bgcolor ] end

56. @brynary YAML is #eval in disguise Lesson learned on January

    8th, 2013. Never forget.

57. @brynary It’s fucking #eval

58. @brynary Would you store Ruby in your database and #eval

    it?

59. @brynary Who cares? • Looks safe to the untrained eye

    • Obvious today, but what about someone who learns Rails tomorrow? • Springboard database injection into full scale site ownage • Least Privilege violation

60. @brynary Best Practices • Use JSON serialization instead of YAML

    for #serialize and #store • Be cautious of storing YAML-encoded data in queues, caches, etc. • (Note: Ruby marshal-ed data has the same problems as YAML)

61. @brynary Proposed Fix • Change the default serialization format from

    YAML to JSON • Provide YAML behavior as an option or extract into a Gem

62. @brynary Wrapping Up

63. @brynary Thank You @brynary https://codeclimate.com

64. @brynary One More Thing

65. @brynary http://RailsSecurity.com