$30 off During Our Annual Pro Sale. View Details »

Security is Broken: Understanding Common Vulnerabilities

Eileen M. Uchitelle
May 24, 2016
Technology
1
250

Security is Broken: Understanding Common Vulnerabilities

The Internet is built on technology that was never meant to work together. Basic features in seemingly simple and innocuous technologies, such as XML, resulted in these technologies being insecure. In this session we'll talk about how attackers exploit well known vulnerabilities like XSS, XXE, and CSRF and how to make more secure software by avoiding similar decisions that resulted in these exploits.

Eileen M. Uchitelle

May 24, 2016
Tweet

More Decks by Eileen M. Uchitelle

See All by Eileen M. Uchitelle
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
1
890
[Brighton Ruby 2023] The Magic of Rails
eileencodes
4
510
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
6
7.3k
Exit(ing) through the YJIT
eileencodes
1
380
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
26
5.7k
Improving CVAR Performance in Ruby 3.1
eileencodes
0
680
Upgrading GitHub from Ruby 2.6 to 2.7
eileencodes
1
3.1k
Technically, a talk | Ruby Day 2020
eileencodes
1
150
Technically, a talk | Brighton Ruby 2020
eileencodes
2
110

Other Decks in Technology

See All in Technology
ミチビク株式会社エンジニアカンパニーデック
knsg16
0
2.2k
Kaggle Tokyo Meetup2023 CommonLit Solutionの紹介と考え方 - Fulltrain戦略と(Seed/Model)Ensembleの可視化 -
chumajin
2
1.1k
開発生産性向上へのコミットについて理解してもらうためのスライドテンプレートを作った話
ouchi2501
0
240
なぜ
リアーキテクティング専任チームを作ったのか
kei_s
PRO
2
1k
エンタープライズSaaSへの挑戦〜顧客の事業を成長させるプロダクトマネジメントとは?〜 / pmconf2023
route06
2
870
論文紹介: Improving Implicit Feedback-Based Recommendation through Multi-Behavior Alignment(Xin Xin et al., 2023)
hakubishin3
0
180
⾃律的な開発チームを⽀えるためのSLO運⽤
sansantech
PRO
5
880
APIテスト導入から2年。アジャイルな組織で見えてきたmabl活用の道
bengo4com
0
1.9k
AWS Security Hubを有効化したけど見てない人に向けたDevSecOpsの実現方法 / #kayac_andpad_event
muziyoshiz
0
180
走馬灯のIaCは考えておいて
nwiizo
6
3.6k
Building smarter apps with machine learning, from magic to reality
picardparis
4
3.7k
実装がすべてではない、開発者の周りから考える Web プロダクトセキュリティ
oldbigbuddha
1
230

Featured

See All Featured
The Pragmatic Product Professional
lauravandoore
23
5.4k
Automating Front-end Workflow
addyosmani
1354
200k
[RailsConf 2023] Rails as a piece of cake
palkan
17
3.2k
Rails Girls Zürich Keynote
gr2m
90
12k
The Language of Interfaces
destraynor
149
22k
How GitHub (no longer) Works
holman
299
140k
What's new in Ruby 2.0
geeforr
336
30k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
13
5.9k
Three Pipe Problems
jasonvnalue
89
9.3k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
185
15k
Imperfection Machines: The Place of Print at Facebook
scottboms
257
12k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
5
740

Transcript

  1. SECURITY IS BROKEN
    Understanding Common Vulnerabilities

    View Slide

  2. EILEEN M. UCHITELLE
    Security, Infrastructure & Performance
    Team at Basecamp
    ! eileencodes.com
    " @eileencodes
    # @eileencodes
    ! speakerdeck.com/eileencodes

    View Slide

  3. OPEN SOURCE
    Rails Committers
    Rails Security

    View Slide

  4. View Slide

  5. View Slide

  6. How is security
    broken?

    View Slide

  7. • Impossible to test for all possible
    vulnerabilities
    How is security broken?

    View Slide

  8. • Impossible to test for all possible
    vulnerabilities
    • Hackers are always one step ahead
    How is security broken?

    View Slide

  9. • Impossible to test for all possible
    vulnerabilities
    • Hackers are always one step ahead
    • Patching one vulnerability can lead to
    exposing new ones
    How is security broken?

    View Slide

  10. How did we get
    here?

    View Slide

  11. • Failed to enforce web standards
    How did we get here?

    View Slide

  12. vs.

    View Slide

  13. View Slide

  14. • Failed to enforce web standards
    • Failed to implement a definition of
    security
    How did we get here?

    View Slide

  15. “...completely failed to come up with
    even the most rudimentary usable
    frameworks for understanding the
    security of modern software.”
    – Michal Zalewski, The Tangled Web

    View Slide

  16. • Failed to enforce web standards
    • Failed to implement a definition of
    security
    • Too few people understand the
    vulnerabilities
    How did we get here?

    View Slide

  17. View Slide

  18. CSRF

    View Slide

  19. CSRF
    Cross-Site Request Forgery

    View Slide

  20. EXPLOITING CSRF

    View Slide

  21. View Slide


  22. Name

    Email

    Website



    View Slide

  23. View Slide

  24. Looks the same, different URL

    View Slide



  25. Name

    Email

    Website




    View Slide


  26. Name

    Email

    Website



    Attackers email

    View Slide



  27. Name

    Email

    Website




    Auto-submit form

    View Slide



  28. Name

    Email

    Website




    Auto-submit form
    to victim site

    View Slide

  29. Attacker’s email

    View Slide

  30. How dangerous are
    CSRF attacks?

    View Slide

  31. How to mitigate
    CSRF?

    View Slide

  32. • Use built-in framework CSRF protection
    How to mitigate CSRF?

    View Slide

  33. View Slide

  34. class ApplicationController < ActionController::Base
    protect_from_forgery with: :exception
    end

    View Slide


  35. name=authenticity_token" />
    Name

    Email

    Website



    CSRF protection

    View Slide

  36. Caveat:
    CSRF protection in Rails is
    order-dependent

    View Slide

  37. class ApplicationController < ActionController::Base
    before_action :authenticate
    protect_from_forgery with: :exception,
    if: -> { authenticate_method.web? }
    end

    View Slide

  38. class ApplicationController < ActionController::Base
    before_action :authenticate
    protect_from_forgery with: :exception,
    if: -> { authenticate_method.web? }
    end
    Conditional
    authentication

    View Slide

  39. class ApplicationController < ActionController::Base
    before_action :authenticate
    protect_from_forgery with: :exception,
    if: -> { authenticate_method.web? }
    end
    class OtherController < ApplicationController
    skip_before_action :authenticate
    before_action :authenticate_method, only: :create
    end

    View Slide

  40. class ApplicationController < ActionController::Base
    before_action :authenticate
    protect_from_forgery with: :exception,
    if: -> { authenticate_method.web? }
    end
    class OtherController < ApplicationController
    skip_before_action :authenticate
    before_action :authenticate_method, only: :create
    end
    Skip auth callback

    View Slide

  41. class ApplicationController < ActionController::Base
    before_action :authenticate
    protect_from_forgery with: :exception,
    if: -> { authenticate_method.web? }
    end
    class OtherController < ActionController::Base
    skip_before_action :authenticate
    before_action :authenticate_method, only: :create
    protect_from_forgery with: :exception,
    if: -> { authenticate_method.web? }
    end

    View Slide

  42. View Slide

  43. • Use built-in framework CSRF protection
    • Rails 5 supports per-form tokens
    How to mitigate CSRF?

    View Slide

  44. • Use built-in framework CSRF protection
    • Rails 5 supports per-form tokens
    • Refresh tokens with the session / don’t
    reuse tokens
    How to mitigate CSRF?

    View Slide

  45. class SessionsController < ApplicationController
    def destroy
    sign_out
    reset_session
    redirect_to sign_in_url
    end
    end
    Refreshes
    Authenticity Token

    View Slide

  46. • Use built-in framework CSRF protection
    • Rails 5 supports per-form tokens
    • Refresh tokens with the session / don’t
    reuse tokens
    • Mitigate XSS attacks
    How to mitigate CSRF?

    View Slide

  47. XSS

    View Slide

  48. XSS
    Cross-Site Scripting

    View Slide

  49. EXPLOITING STORED
    XSS

    View Slide

  50. View Slide

  51. View Slide

  52. Escaped HTML

    View Slide

  53. Profile
    <%= notice %>

    Name:
    <%= @user.name %>


    Email:
    <%= @user.email %>


    Website:
    <%= link_to('website', @user.website) %>

    <%= link_to 'Edit', edit_user_path(@user) %> |
    <%= link_to 'Back', users_path %>

    View Slide

  54. Profile
    <%= notice %>

    Name:
    <%= (@user.name).html_safe %>


    Email:
    <%= @user.email %>


    Website:
    <%= link_to('website', @user.website) %>

    <%= link_to 'Edit', edit_user_path(@user) %> |
    <%= link_to 'Back', users_path %>
    automatic protection. Let’s say for some reason you wanted to allow the user to dress up their name by adding html tags. To

    View Slide

  55. Unescaped HTML

    View Slide

  56. JavaScript Scheme

    View Slide

  57. View Slide

  58. javascript://example.com/%0Aalert(1)

    View Slide

  59. example.com/%0Aalert(1)
    JavaScript Scheme
    javascript://

    View Slide

  60. javascript://example.com/%0Aalert(1)
    URL
    example.com

    View Slide

  61. Percent encoded “line feed”
    javascript://example.com/%0Aalert(1)
    %0A

    View Slide

  62. JavaScript Alert
    javascript://example.com/%0Aalert(1)
    alert(1)

    View Slide

  63. How dangerous are
    XSS attacks?

    View Slide

  64. How to mitigate
    XSS?

    View Slide

  65. • Always escape user-provided data
    How to mitigate XSS?

    View Slide

  66. Profile
    <%= notice %>

    Name:
    <%= (@user.name).html_safe %>


    Email:
    <%= @user.email %>


    Website:
    <%= link_to('website', @user.website) %>

    <%= link_to 'Edit', edit_user_path(@user) %> |
    <%= link_to 'Back', users_path %>
    Don’t do this

    View Slide

  67. View Slide

  68. • Don’t HTML escape user-provided data
    • Sanitize user-provided data
    How to mitigate XSS?

    View Slide

  69. Profile
    <%= notice %>

    Name:
    <%= sanitize(@user.name) %>


    Email:
    <%= @user.email %>


    Website:
    <%= link_to('website', @user.website) %>

    <%= link_to 'Edit', edit_user_path(@user) %> |
    <%= link_to 'Back', users_path %>
    Will strip out unwanted
    tags and attributes

    View Slide

  70. • Don’t HTML escape user-provided data
    • Sanitize user-provided data
    • Validate user-provided data
    How to mitigate XSS?

    View Slide

  71. class User < ActiveRecord::Base
    WHITELISTED_URI_SCHEMES = %w( http https )
    validate :check_uri_scheme
    private
    def check_uri_scheme
    begin
    uri = URI.parse(website)
    unless WHITELISTED_URI_SCHEMES.include?(uri.scheme.downcase)
    errors.add :website, 'is not an allowed URI scheme'
    end
    rescue URI::InvalidURIError
    errors .add :website, 'is not a valid URI'
    end
    end
    end

    View Slide

  72. class User < ActiveRecord::Base
    WHITELISTED_URI_SCHEMES = %w( http https )
    validate :check_uri_scheme
    private
    def check_uri_scheme
    begin
    uri = URI.parse(website)
    unless WHITELISTED_URI_SCHEMES.include?(uri.scheme.downcase)
    errors.add :website, 'is not an allowed URI scheme'
    end
    rescue URI::InvalidURIError
    errors .add :website, 'is not a valid URI'
    end
    end
    end

    View Slide

  73. class User < ActiveRecord::Base
    WHITELISTED_URI_SCHEMES = %w( http https )
    validate :check_uri_scheme
    private
    def check_uri_scheme
    begin
    uri = URI.parse(website)
    unless WHITELISTED_URI_SCHEMES.include?(uri.scheme.downcase)
    errors.add :website, 'is not an allowed URI scheme'
    end
    rescue URI::InvalidURIError
    errors .add :website, 'is not a valid URI'
    end
    end
    end

    View Slide

  74. XXE

    View Slide

  75. XXE
    XML eXternal Entity Attack

    View Slide



  76. ]>

    Groceries
    Take Arya to the vet
    &ext1;
    Do laundry
    Get car oil changed

    View Slide



  77. ]>

    Groceries
    Take Arya to the vet
    &ext1;
    Do laundry
    Get car oil changed

    Entity reference

    View Slide


  78. Book flight to San Francisco
    Finish Security Talk

    View Slide



  79. Groceries
    Take Arya to the vet
    Book flight to San Francisco
    Finish Security Talk
    Pick up beer
    Do laundry

    View Slide

  80. EXPLOITING XXE

    View Slide

  81. class UsersController < ApplicationController
    def create
    @user = User.new(user_params)
    respond_to do |format|
    if @user.save
    format.html { redirect_to @user }
    format.xml { render :xml => @user.to_xml }
    else
    format.html { render :new }
    format.xml { render xml: @user.errors.to_xml }
    end
    end
    end
    end

    View Slide

  82. class UsersController < ApplicationController
    def create
    @user = User.new(user_params)
    respond_to do |format|
    if @user.save
    format.html { redirect_to @user }
    format.xml { render :xml => @user.to_xml }
    else
    format.html { render :new }
    format.xml { render xml: @user.errors.to_xml }
    end
    end
    end
    end
    XML

    View Slide

  83. config/secrets.yml">
    ]>

    &name;

    View Slide

  84. config/secrets.yml">
    ]>

    &name;

    Requested file

    View Slide

  85. config/secrets.yml">
    ]>

    &name;

    Entity reference

    View Slide

  86. curl -X 'POST'
    -H 'Content-Type: application/xml'
    -d @xxe.xml
    http://vulnerablesite.com/users.xml
    POST request to
    users create

    View Slide

  87. curl -X 'POST'
    -H 'Content-Type: application/xml'
    -d @xxe.xml
    http://vulnerablesite.com/users.xml
    Payload

    View Slide

  88. curl -X 'POST'
    -H 'Content-Type: application/xml'
    -d @xxe.xml
    http://vulnerablesite.com/users.xml


    ...
    production:
    secret_key_base:
    271a389cf7bf7b4ff18af3e809241603802b5ff1617b5432a41ff0f99d5
    f29c897db7f07a9cebd9e3a3535301720c0b19ac4eb82afa505ed229c40
    00e166a9a5
    ...


    User’s Name

    View Slide

  89. View Slide

  90. How dangerous are
    XXE attacks?

    View Slide

  91. View Slide

  92. How to mitigate
    XXE?

    View Slide

  93. • Don’t parse XML
    How to mitigate XXE?

    View Slide

  94. Don’t parse XML

    View Slide

  95. • Don’t parse XML
    • Don’t use parsers that allow entity
    replacement (LibXML)
    How to mitigate XXE?

    View Slide

  96. >> LibXML::XML.default_substitute_entities
    >> true

    View Slide

  97. • Don’t parse XML
    • Don’t use parsers that allow entity
    replacement (LibXML)
    • Whitelist known entities
    How to mitigate XXE?

    View Slide

  98. Investigate vulnerabilities & patches
    SECURITY

    View Slide

  99. GitHub

    eileencodes/security_examples

    View Slide

  100. owasp.org

    View Slide

  101. View Slide

  102. Brakeman

    View Slide

  103. Resilience & empowerment
    SECURITY

    View Slide

  104. View Slide

  105. Awareness of vulnerabilities
    SECURITY

    View Slide

  106. View Slide

  107. To the future

    View Slide

  108. EILEEN M. UCHITELLE
    Security, Infrastructure & Performance
    Team at Basecamp
    ! eileencodes.com
    " @eileencodes
    # @eileencodes
    ! speakerdeck.com/eileencodes

    View Slide