Rails Security in the Wild - Chicago Ruby

Transcript

1. Rail in the Wild Chicago Ruby Edition Security Tuesday, December

   4, 12

2. Chicago Ruby Edition Builde vs. Breake Security Tuesday, December 4,

   12

3. Builde Breake Chicago Ruby Edition vs. Tuesday, December 4, 12

4. Matt Konda Builde Tuesday, December 4, 12

5. Jon Claudius Breaker Tuesday, December 4, 12

6. QUICK POLL Builder Breaker ~ OR ~ Tuesday, December 4,

   12

7. Audience Member 1 Vote & Drink! Question & Debate Tuesday,

   December 4, 12

8. BUILDER’S CONCERNS Dates Features Functional Quality Tuesday, December 4, 12

9. BREAKER’S CONCERNS LOL’s! VULNS! Compromise! Tuesday, December 4, 12

10. Let’ get in the m d Tuesday, December 4, 12

11. “….developers will never learn, never improve because they are repeating

    the same mistakes over and over again” Breaker Tuesday, December 4, 12

12. “…only good at ranting. Zero contribs, and almost zero constructive

    feedbacks but bashing” Builde Response Tuesday, December 4, 12

13. QUICK POLL Who is familiar with OWASP? Tuesday, December 4,

    12

14. “If you are a developer and don’t know who OWASP

    is at this point, it’s because you’ve chosen not to.” reaker Tuesday, December 4, 12

15. “Problem. Infosec pros, pentesters, etc. are more interested in #appsec

    than programmers. How to change that? < will not change” uilde Tuesday, December 4, 12

16. Tuesday, December 4, 12

17. SECURE MAKES ME THE CLOUD Tuesday, December 4, 12

18. Customers Don’t Ask For Security Tuesday, December 4, 12

19. SLOW POLL Who typically has: 1. Pen test 2. Static

    analysis 3. App Scan 4. Secure Code Review 5. Secure Development Training Tuesday, December 4, 12

20. BREACHES are CHEAPER than SECURE CODING Tuesday, December 4, 12

21. Agile Hurts Security Tuesday, December 4, 12

22. A PENTEST VALIDATES SECURITY Tuesday, December 4, 12

23. A PENTEST VALIDATES SECURITY Tuesday, December 4, 12

24. 3rd Party Libraries are Secure Tuesday, December 4, 12

25. QUICK POLL How many people NEVER work with sensitive data?

    Tuesday, December 4, 12

26. Security Tuesday, December 4, 12

27. Jon Claudius Breaker @claudijd Tuesday, December 4, 12

28. Matt Konda Builde @mkonda Tuesday, December 4, 12

29. Hat tip: @todb (Todd Beardsley) Tuesday, December 4, 12

30. #25 SQL Injection Apr 30, 2007 Episode #204 – Mar

    08, 2010 – 31 comments XSS Protection in Rails 3 #178 7 Security Tips Sep 07, 2009 Episode #26 – Mar 08, 2012 – 23 comments Hackers Love Mass Assignment (revised) Episode #27 – May 04, 2007 – 15 comments Cross Site Scripting Episode #26 – May 02, 2007 – 32 comments Hackers Love Mass Assignment Episode #20 – Apr 18, 2007 – 22 comments Restricting Access Episode #352 – May 23, 2012 – 15 comments Securing an API Episode #356 – Jun 08, 2012 – 23 comments Dangers of Session Hijacking Tuesday, December 4, 12

31. Session Tuesday, December 4, 12

32. Burp Demo http://localhost:3001/ Tuesday, December 4, 12

33. Other Problems •Cookie Store •Sensitive data in session •API Tuesday,

    December 4, 12

34. In ApplicationController: def restrict_access_by_token_to_worker() token = request.env["HTTP_AUTHORIZATION"] if token ==

    nil authenticate_user! else key = ApiKey.find_by_token(token) if key != nil and key.worker == true return true else puts "Invalid token" return false end end end In command controller: before_filter :authenticate_user!, :except => [:show] In show method: worker = restrict_access_by_token_to_worker Tuesday, December 4, 12

35. Injection http://localhost:3012/ Tuesday, December 4, 12

36. Command Injection • Vulnerability Focused on Server • Attacker piggybacks

    on variable input that is passed down to a command line call. • Most easily demonstrated like so… http://example.com/page.php?id=123;ifconfig Tuesday, December 4, 12

37. Command Injection • Lis$ng  a  file  or  showing  the  IP

     configura$on  can  be  used   to  demonstrate  app  vulnerability. Tuesday, December 4, 12

38. Command Injection • Demo • “Pop  a  shell”  via  command

     injec$on  vulnerability  in  Rails  App Tuesday, December 4, 12

39. Tuesday, December 4, 12

40. SQL Injection 1 @project = Project.find(params[:id]) 2 @projects = Project.find(:all,

    :conditions=>"id LIKE #{params[:id]}") 3 @project = Project.find(:all, :conditions=> ["id LIKE ?", "%#{params[:query]}%&"] ) http://localhost:3002/projects/-1%20or%20name%20= %20name Tuesday, December 4, 12

41. Forceful Browsing Tuesday, December 4, 12

42. Demo Tuesday, December 4, 12

43. Before and After def destroy @service_request = ServiceRequest.find(params[:id]) @service_request.destroy respond_to

    do |format| format.html { redirect_to service_requests_url } format.json { head :no_content } end end def show @service_request = ServiceRequest.find(params[:id]) respond_to do |format| format.html # show.html.erb format.json { render json: @service_request } end end Tuesday, December 4, 12

44. Magic def user_can_access_service_request(service_request) sr_key = service_request.api_key keys = get_api_keys keys.each

    do |key| if (key == sr_key) return true end end return false end Tuesday, December 4, 12

45. After def destroy @service_request = ServiceRequest.find(params[:id]) if (user_can_access_service_request(@service_request)) @service_request.destroy end

    respond_to do |format| format.html { redirect_to service_requests_url } format.json { head :no_content } end end def show @service_request = ServiceRequest.find(params[:id]) respond_to do |format| if (user_can_access_service_request(@service_request)) format.html # show.html.erb format.json { render json: @service_request } else @service_request = ServiceRequest.new @service_request.errors.add(:base, "You do not have access to this object.") flash[:error] = "Unable to access specified instance." format.html { render action: "new" } format.json { render json: @service_request.errors, status: :unprocessable_entit end end end Tuesday, December 4, 12

46. XSS http://localhost:3011/ Tuesday, December 4, 12

47. Cross-site Scripting (XSS) • Alert  boxes  are  an  easy  proof

     of  concept  to   demonstrate  applica$on  vulnerability. • Real attackers use JavaScript for evil Tuesday, December 4, 12

48. Cross-site Scripting (XSS) • Demo • Steal Facebook Credentials via

    Persistent XSS Vulnerability in Rails App Tuesday, December 4, 12

49. Cross-site Scripting (XSS) • Vulnerability  Focused  on  Client  Browsers •

    AHacker  convinces  user  to  click  a  link,  Javascript   is  executed  in  target  browser. • Most  easily  demonstrated  like  so… • hHp://example.com/page?id=<script>alert(‘xss’)</ script> Tuesday, December 4, 12

50. Common Issues Tuesday, December 4, 12

51. Business Logic Tuesday, December 4, 12

52. Manager approves timesheet. Manager cannot approve own timesheet. Tuesday, December

    4, 12

53. Tuesday, December 4, 12

54. Signed integer. -6 = 64.1 Trillion Tuesday, December 4, 12

55. Mass Assignment Tuesday, December 4, 12

56. Password Complexity Tuesday, December 4, 12

57. File Path Traversal Tuesday, December 4, 12

58. File Upload Tuesday, December 4, 12

59. Third Party Libraries Tuesday, December 4, 12

60. Use SSL Tuesday, December 4, 12

61. Anyone? Tuesday, December 4, 12

62. Top 10 • A1: Injection • A2: Cross-Site Scripting (XSS)

    • A3: Broken Authentication and Session Management • A4: Insecure Direct Object References • A5: Cross-Site Request Forgery (CSRF) • A6: Security Misconfiguration • A7: Insecure Cryptographic Storage • A8: Failure to Restrict URL Access • A9: Insufficient Transport Layer Protection • A10: Unvalidated Redirects and Forwards Tuesday, December 4, 12

63. Top 10 A1: Injection • A2: Cross-Site Scripting (XSS) •

    A3: Broken Authentication and Session Management • A4: Insecure Direct Object References • A5: Cross-Site Request Forgery (CSRF) • A6: Security Misconfiguration • A7: Insecure Cryptographic Storage • A8: Failure to Restrict URL Access • A9: Insufficient Transport Layer Protection • A10: Unvalidated Redirects and Forwards Tuesday, December 4, 12

64. Resources OWASP • Code Review Guide • Legal Language •

    Cheat Sheets • Top 10 • Tools (ZAP) Tools Attack Proxy (Burp, ZAP) Static Analysis (Brakeman) Web App Scan (Arachni) Code Review (Barkeep) https://github.com/claudijd/xss https://github.com/claudijd/command_injection Tuesday, December 4, 12

65. Now let’s talk: . We’ll buy for the first 5

    people that find problems and verify with us. Tuesday, December 4, 12

66. Rails Goat Apps Tuesday, December 4, 12

67. What would be helpful? Tuesday, December 4, 12

68. Thanks Tuesday, December 4, 12