Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Security is Broken: Understanding Common Vulnerabilities

Eileen M. Uchitelle
March 21, 2016
Technology
1
140

Security is Broken: Understanding Common Vulnerabilities

Mountain West Ruby Conference

Eileen M. Uchitelle

March 21, 2016
Tweet

More Decks by Eileen M. Uchitelle

See All by Eileen M. Uchitelle
Exit(ing) through the YJIT
eileencodes
1
220
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
24
5.1k
Improving CVAR Performance in Ruby 3.1
eileencodes
0
570
Upgrading GitHub from Ruby 2.6 to 2.7
eileencodes
1
2.7k
Technically, a talk | Ruby Day 2020
eileencodes
1
100
Technically, a talk | Brighton Ruby 2020
eileencodes
2
73
Technically, a talk | RailsConf 2020
eileencodes
0
72
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
121
29k
Ruby on Ice 2019: The Past, Present and Future of Rails at GitHub
eileencodes
5
1.3k

Other Decks in Technology

See All in Technology
Cloudflare 基本のキ
katzueno
0
160
Autonomous Database - Dedicated 技術詳細 / adb-d_technical_detail_jp
oracle4engineer
PRO
1
2.5k
未来の開発者へ負債を残さないために取り組んだこと
hayatokudou
0
300
ChatGPT(GPT-4版)でIoTやってみた / IoTLT vol.97
you
0
190
Privacy Techによる新しいデータ活用の形
line_developers
PRO
1
230
AstroNvim を使おう!
ybrliiu
0
200
安全にプロセスを停止するためにシグナル制御を学ぼう!
yamamotohiroya
0
230
また(CDK界隈の)世界を縮めてしまった
bun913
0
600
IoTによるGPS等の位置情報活用 基礎知識
soracom
PRO
0
230
マルチベンダに対応したネットワークコントローラを OSS として公開している話 (NTT Tech Conference 2023)
motok1
3
450
PHPマジックメソッドクイズ!/PHP Magic Method Quiz
ykanoh
0
260
軽率に休学したら Babylon.js×WebARで 夢を3つ叶えてた / my dreams with babylon.js and WebAR
drumath2237
0
140

Featured

See All Featured
How to train your dragon (web standard)
notwaldorf
66
4.4k
GraphQLの誤解/rethinking-graphql
sonatard
39
8k
Debugging Ruby Performance
tmm1
67
11k
Rebuilding a faster, lazier Slack
samanthasiow
70
7.6k
Web development in the modern age
philhawksworth
197
9.6k
Happy Clients
brianwarren
90
5.9k
Docker and Python
trallard
30
2k
Building Flexible Design Systems
yeseniaperezcruz
314
35k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
224
50k
A designer walks into a library…
pauljervisheath
199
16k
Fontdeck: Realign not Redesign
paulrobertlloyd
74
4.4k
The Language of Interfaces
destraynor
149
21k

Transcript

  1. SECURITY IS BROKEN
    Understanding Common Vulnerabilities

    View Slide

  2. EILEEN M UCHITELLE
    Security, Performance, & Infrastructure
    at Basecamp
    ! eileencodes.com
    " @eileencodes
    # @eileencodes
    ! speakerdeck.com/eileencodes

    View Slide

  3. View Slide

  4. View Slide

  5. OPEN SOURCE
    Rails Committers
    Rails Security

    View Slide

  6. View Slide

  7. View Slide

  8. How is security
    broken?

    View Slide

  9. • Impossible to test for all possible
    vulnerabilities
    How is security broken?

    View Slide

  10. • Impossible to test for all possible
    vulnerabilities
    • Hackers are always one step ahead
    How is security broken?

    View Slide

  11. • Impossible to test for all possible
    vulnerabilities
    • Hackers are always one step ahead
    • Patching one vulnerability can lead to
    exposing new ones
    How is security broken?

    View Slide

  12. How did we get
    here?

    View Slide

  13. • Failed to enforce web standards
    How did we get here?

    View Slide

  14. vs.

    View Slide

  15. View Slide

  16. • Failed to enforce web standards
    • Failed to implement a definition of
    security
    How did we get here?

    View Slide

  17. ...completely failed to come up with
    even the most rudimentary usable
    frameworks for understanding the
    security of modern software.
    – Michal Zalewski, The Tangled Web

    View Slide

  18. • Failed to enforce web standards
    • Failed to implement a definition of
    security
    • Too few people understand the
    vulnerabilities
    How did we get here?

    View Slide

  19. View Slide

  20. CSRF

    View Slide

  21. CSRF
    Cross-Site Request Forgery

    View Slide

  22. EXPLOITING CSRF

    View Slide

  23. View Slide


  24. Name

    Email

    Website



    View Slide

  25. View Slide

  26. Looks the same, different URL

    View Slide



  27. Name

    Email

    Website




    View Slide


  28. Name

    Email

    Website



    Attackers email

    View Slide



  29. Name

    Email

    Website




    Auto-submit form

    View Slide



  30. Name

    Email

    Website




    Auto-submit form
    to victim site

    View Slide

  31. Attacker’s email

    View Slide

  32. How dangerous are
    CSRF attacks?

    View Slide

  33. How to mitigate
    CSRF?

    View Slide

  34. • Use built-in framework CSRF protection
    How to mitigate CSRF?

    View Slide

  35. View Slide

  36. class ApplicationController < ActionController::Base
    protect_from_forgery with: :exception
    end

    View Slide


  37. name=authenticity_token" />
    Name

    Email

    Website



    CSRF protection

    View Slide

  38. Caveat:
    CSRF protection in Rails is
    order-dependent

    View Slide

  39. class ApplicationController < ActionController::Base
    before_action :authenticate
    protect_from_forgery with: :exception,
    if: -> { authenticate_method.web? }
    end

    View Slide

  40. class ApplicationController < ActionController::Base
    before_action :authenticate
    protect_from_forgery with: :exception,
    if: -> { authenticate_method.web? }
    end
    class OtherController < ApplicationController
    skip_before_action :authenticate
    before_action :authenticate_method, only: :create
    end

    View Slide

  41. class ApplicationController < ActionController::Base
    before_action :authenticate
    protect_from_forgery with: :exception,
    if: -> { authenticate_method.web? }
    end
    class OtherController < ActionController::Base
    skip_before_action :authenticate
    before_action :authenticate_method, only: :create
    protect_from_forgery with: :exception,
    if: -> { authenticate_method.web? }
    end

    View Slide

  42. View Slide

  43. • Use built-in framework CSRF protection
    • Rails 5 supports per-form tokens
    How to mitigate CSRF?

    View Slide

  44. • Use built-in framework CSRF protection
    • Rails 5 supports per-form tokens
    • Refresh tokens with the session / don’t
    reuse tokens
    How to mitigate CSRF?

    View Slide

  45. class SessionsController < ApplicationController
    def destroy
    sign_out
    reset_session
    redirect_to sign_in_url
    end
    end
    Refreshes
    Authenticity Token

    View Slide

  46. • Use built-in framework CSRF protection
    • Rails 5 supports per-form tokens
    • Refresh tokens with the session / don’t
    reuse tokens
    • Mitigate XSS attacks
    How to mitigate CSRF?

    View Slide

  47. XSS

    View Slide

  48. XSS
    Cross-Site Scripting

    View Slide

  49. EXPLOITING STORED
    XSS

    View Slide

  50. View Slide

  51. View Slide

  52. Escaped HTML

    View Slide

  53. Profile


    Name:



    Email:



    Website:


    |

    View Slide

  54. Profile


    Name:



    Email:



    Website:


    |

    View Slide

  55. Unescaped HTML

    View Slide

  56. JavaScript Scheme

    View Slide

  57. View Slide

  58. javascript://example.com/%0Aalert(1)

    View Slide

  59. example.com/%0Aalert(1)
    JavaScript Scheme
    javascript://

    View Slide

  60. javascript://example.com/%0Aalert(1)
    URL
    example.com

    View Slide

  61. Percent encoded “line feed”
    javascript://example.com/%0Aalert(1)
    %0A

    View Slide

  62. JavaScript Alert
    javascript://example.com/%0Aalert(1)
    alert(1)

    View Slide

  63. How dangerous are
    XSS attacks?

    View Slide

  64. How to mitigate
    XSS?

    View Slide

  65. • Always escape user-provided data
    How to mitigate XSS?

    View Slide

  66. Profile


    Name:



    Email:



    Website:


    |

    Don’t do this

    View Slide

  67. View Slide

  68. • Don’t HTML escape user-provided data
    • Sanitize user-provided data
    How to mitigate XSS?

    View Slide

  69. Profile


    Name:



    Email:



    Website:


    |

    Will strip out unwanted
    tags and attributes

    View Slide

  70. • Don’t HTML escape user-provided data
    • Sanitize user-provided data
    • Validate user-provided data
    How to mitigate XSS?

    View Slide

  71. class User < ActiveRecord::Base
    WHITELISTED_URI_SCHEMES = %w( http https )
    validate :check_uri_scheme
    private
    def check_uri_scheme
    begin
    uri = URI.parse(website)
    unless WHITELISTED_URI_SCHEMES.include?(uri.scheme.downcase)
    errors.add :website, 'is not an allowed URI scheme'
    end
    rescue URI::InvalidURIError
    errors .add :website, 'is not a valid URI'
    end
    end
    end

    View Slide

  72. class User < ActiveRecord::Base
    WHITELISTED_URI_SCHEMES = %w( http https )
    validate :check_uri_scheme
    private
    def check_uri_scheme
    begin
    uri = URI.parse(website)
    unless WHITELISTED_URI_SCHEMES.include?(uri.scheme.downcase)
    errors.add :website, 'is not an allowed URI scheme'
    end
    rescue URI::InvalidURIError
    errors .add :website, 'is not a valid URI'
    end
    end
    end

    View Slide

  73. class User < ActiveRecord::Base
    WHITELISTED_URI_SCHEMES = %w( http https )
    validate :check_uri_scheme
    private
    def check_uri_scheme
    begin
    uri = URI.parse(website)
    unless WHITELISTED_URI_SCHEMES.include?(uri.scheme.downcase)
    errors.add :website, 'is not an allowed URI scheme'
    end
    rescue URI::InvalidURIError
    errors .add :website, 'is not a valid URI'
    end
    end
    end

    View Slide

  74. XXE

    View Slide

  75. XXE
    XML eXternal Entity Attack

    View Slide




  76. ]>

    Groceries
    Take Arya to the vet
    &ext1;
    Pick up beer
    Get car oil changed

    View Slide




  77. ]>

    Groceries
    Take Arya to the vet
    &ext1;
    Pick up beer
    Get car oil changed

    Entity reference

    View Slide


  78. Book flight to Salt Lake City
    Finish Security is Broken Talk

    View Slide



  79. Groceries
    Take Arya to the vet
    Book flight to Salt Lake City
    Finish Security is Broken Talk
    Pick up beer
    Get car oil changed

    View Slide

  80. EXPLOITING XXE
    with cURL

    View Slide

  81. class UsersController < ApplicationController
    def create
    @user = User.new(user_params)
    respond_to do |format|
    if @user.save
    format.html { redirect_to @user }
    format.xml { render :xml => @user.to_xml }
    else
    format.html { render :new }
    format.xml { render xml: @user.errors.to_xml }
    end
    end
    end
    end

    View Slide

  82. class UsersController < ApplicationController
    def create
    @user = User.new(user_params)
    respond_to do |format|
    if @user.save
    format.html { redirect_to @user }
    format.xml { render :xml => @user.to_xml }
    else
    format.html { render :new }
    format.xml { render xml: @user.errors.to_xml }
    end
    end
    end
    end
    XML

    View Slide


  83. config/secrets.yml">
    ]>

    &name;

    View Slide


  84. config/secrets.yml">
    ]>

    &name;

    Requested file

    View Slide


  85. config/secrets.yml">
    ]>

    &name;

    Entity

    View Slide

  86. curl -X 'POST'
    -H 'Content-Type: application/xml'
    -d @xxe.xml
    http://vulnerablesite.com/users.xml
    POST request to
    users create

    View Slide

  87. curl -X 'POST'
    -H 'Content-Type: application/xml'
    -d @xxe.xml
    http://vulnerablesite.com/users.xml
    Payload

    View Slide

  88. curl -X 'POST'
    -H 'Content-Type: application/xml'
    -d @xxe.xml
    http://vulnerablesite.com/users.xml


    ...
    production:
    secret_key_base:
    271a389cf7bf7b4ff18af3e809241603802b5ff1617b5432a41ff0f99d5
    f29c897db7f07a9cebd9e3a3535301720c0b19ac4eb82afa505ed229c40
    00e166a9a5
    ...


    User’s Name

    View Slide

  89. View Slide

  90. How dangerous are
    XXE attacks?

    View Slide

  91. View Slide

  92. How to mitigate
    XXE?

    View Slide

  93. • Don’t parse XML
    How to mitigate XXE?

    View Slide

  94. Don’t parse XML

    View Slide

  95. • Don’t parse XML
    • Don’t use parsers that allow entity
    replacement (LibXML)
    How to mitigate XXE?

    View Slide

  96. >> LibXML::XML.default_substitute_entities
    >> true

    View Slide

  97. • Don’t parse XML
    • Don’t use parsers that allow entity
    replacement (LibXML)
    • Whitelist known entities
    How to mitigate XXE?

    View Slide

  98. Investigate vulnerabilities & patches
    SECURITY

    View Slide

  99. owasp.org

    View Slide

  100. Resilience & empowerment
    SECURITY

    View Slide

  101. View Slide

  102. GitHub

    eileencodes/security_examples

    View Slide

  103. Awareness of vulnerabilities
    SECURITY

    View Slide

  104. View Slide

  105. To the future

    View Slide

  106. EILEEN M UCHITELLE
    Security, Performance, & Infrastructure
    at Basecamp
    ! eileencodes.com
    " @eileencodes
    # @eileencodes
    ! speakerdeck.com/eileencodes

    View Slide