OWASP Chicago - Ruby on Rails Pitfalls

Transcript

1. OWASP Chicago - January 10, 2013

2. Matt Konda (@mkonda) ž  Veteran Agile Software Builder ž  Founder

   of Jemurai

3. Jonathan Claudius (@claudijd) ž  SpiderLabs Vulnerability Researcher ž  Ruby Developer

4. Thanks!

5. Agenda ž  Background ž  Pitfall Examples —  XSS —  Mass

   Assignment —  SQLi —  /dev/random ž  Tools to Help
6. None

7. Why are we doing this? ž  Rails is a popular

   and interesting platform in much need of security attention. ž  At a recent ChicagoRuby Meetup, 2 of 97 attendees had ever heard of OWASP. We want to change that. We want you to help.
8. None

9. Rails Background ž  Favors convention over configuration ž  Leverages dynamic

   Ruby language features ž  Makes development process fast and simple ž  Default restful interface and xml + json API's ž  Very healthy library ecosystem ž  Popular with developers for prototyping and rapid small team application development ž  Also used for large scale applications

10. Rails Background (Security) ž  Session ž  CSRF ž  XSS ž 

    SQLi http://guides.rubyonrails.org/security.html

11. Rails Background The same thing that makes it easy to

    use and powerful, makes it a rich target.

12. Rails Background

13. Pitfalls

14. None

15. XSS ž  Rails 2.x need to escape text. ž  Rails

    3.x should escape everything. ž  Rails 2.x need to escape text. ž  Rails 3.x should escape everything. ž  However, in the case where a programmer wants to store unescaped input this can be bypassed. Happens all the time.

16. XSS – Example CKEditor ž  CKEditor setup: —  Application.js — 

    Form page —  Controller: No change. Show view however:

17. Doh!

18. XSS Example

19. Solution ž  Remove rich text … ž  Use sanitization ž 

    Still need to be sort of heavy handed, probably would need to disallow <img/>. http://apidock.com/rails/ActionView/Helpers/SanitizeHelper/sanitize
20. None

21. Mass Assignment ž  A feature in Rails that allows record

    creation from values in a hash. ž  Made famous by Egor Homahov —  Demonstrated rails vulnerability by exploiting GitHub, which runs on rails, to make a commit to the rails source code.

22. Mass Assignment ž  User model ž  Schema

23. Mass Assignment Example ž  Normal Example ž  Exploit Example Reference:

    http://railscasts.com/episodes/26-hackers-love-mass-assignment

24. Mass Assignment Fix ž  Before ž  After Reference: http://railscasts.com/episodes/26-hackers-love-mass-assignment

25. None

26. SQL Injection

27. SQL Injection ž  Recently been a topic of interest for

    the Rails community —  CVE-2012-2661 (6 months ago) —  CVE-2012-5664 (< 2 weeks ago) ž  Both are deficiencies in framework provided protections.

28. CVE-2012-2661 (May 31, 2012) ž  Code like this: ž  Can

    be manipulated to make params[:id] look like a hash. ž  Solution: Update to Rails: 3.2.4, 3.1.5, 3.0.13 or cast: http://seclists.org/oss-sec/2012/q2/448

29. CVE-2012-5664 (Jan 2, 2013) ž  Code like this: ž  Can

    be manipulated to process input as options to query. ž  Solution: Update to Rails 3.2.10, 3.1.9, 3.0.18 or cast: https://groups.google.com/forum/#!topic/rubyonrails-security/DCNTNp_qjFM

30. CVE-2013-0155 (Jan 8, 2013) ž  Code like this: —  find_by_*

    —  Model.where(:name => params[:name]) ž  Can be made to bypass a query where clause by sending an empty hash in params[:name] ž  Variant of CVE-2012-2660 CVE-2012-2694 ž  Solution: Update to Rails: 3.2.11, 3.1.10, 3.0.19 or cast to string. https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/t1WFuuQyavI

31. CVE-2013-0156 (Jan 8, 2013) ž  Any code that accepts XML

    params. (All) ž  Create symbols. Parse YAML. Basically remote code execution. Not SQLi but exascerbates other SQLi vulns due to symbol manipulation. ž  Solution: Update to Rails 3.2.11, 3.1.10, 3.0.19, 2.3.15, disable XML / YAML interfaces or disable capabilities within XML parsing. https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/61bkgvnSGTQ https://gist.github.com/4499206 - postmodern RCE

32. Credit to: Nicolas Blanco slainer68: @joernchen @charliesome > http://i.imgur.com/tij2x.jpg

33. Time out for tenderlovemaking ž  Aaron Patterson might have had

    a bad week. We don't wish that on anyone. ž  He in turn wants to thank these folks: “Ben Murphy, Magnus Holm, Felix Wilhelm, Darcy Laycock, Jonathan Rudenberg, Bryan Helmkamp, Benoist Claassen and Charlie Somerville for reporting the issue to us and working with us to ensure the fixes worked.”

34. Commonalities between SQLi and Mass Assignment issues?

35. None

36. Session Management ž  By default, Rails uses a cookie based

    session. —  People put all kinds of things in the session. —  They never expire. Easy to replay after logout. ž  Open source apps sometimes use public secret for signing cookies. ž  Recommendations —  Use the database based session and expire them. —  Update your secret and keep it secret.

37. CSRF ž  Need to ensure that controllers protect from forgery:

    ž  Can sometimes find this disabled for API methods – as for show method below.

38. Grab Bag ž  Forceful Browsing ž  Writing an API ž 

    Password Complexity ž  Filter Logs ž  Secure Cookies ž  File Upload ž  3rd Party Dependencies ž  Routes ž  Sensitive Files
39. None

40. Rails Casts ž  Some Episodes on Rails Security —  #20

    – Restricting Access —  #25 – SQL Injection —  #27 – Cross-site Scripting —  #26 – Hackers Love Mass Assignment —  #178 – Security Tips —  #204 – XSS Protection in Rails 3 —  #352 – Securing an API —  #356 – Dangers of Session Hijacking http://railscasts.com/

41. Brakeman ž  A static analysis security vulnerability scanner for Ruby

    on Rails applications. —  https://github.com/presidentbeef/brakeman ž  Demo —  Identify vulnerabilities in Rails Apps

42. Rails Console

43. ChicagoRuby ž  Chicago has an awesome Ruby community. ž  12/4/2012

    we presented to ChicagoRuby on Rails Security. We were fortunate to receive a favorable response and lots of interesting follow up conversations. ž  2/13/2013 we have been invited back to do a Ruby “Hack Night” where we'll have folks run brakeman and fix security problems. We would LOVE to have you come help us!

44. Thank you!