Tweet
Tweet

Slide 1

Slide 1 text

SECURITY IS BROKEN Understanding Common Vulnerabilities

Slide 2

Slide 2 text

EILEEN M. UCHITELLE Security, Infrastructure & Performance Team at Basecamp ! eileencodes.com " @eileencodes # @eileencodes ! speakerdeck.com/eileencodes

Slide 3

Slide 3 text

OPEN SOURCE Rails Committers Rails Security

Slide 4

Slide 4 text

No content

Slide 5

Slide 5 text

No content

Slide 6

Slide 6 text

How is security broken?

Slide 7

Slide 7 text

• Impossible to test for all possible vulnerabilities How is security broken?

Slide 8

Slide 8 text

• Impossible to test for all possible vulnerabilities • Hackers are always one step ahead How is security broken?

Slide 9

Slide 9 text

• Impossible to test for all possible vulnerabilities • Hackers are always one step ahead • Patching one vulnerability can lead to exposing new ones How is security broken?

Slide 10

Slide 10 text

How did we get here?

Slide 11

Slide 11 text

• Failed to enforce web standards How did we get here?

Slide 12

Slide 12 text

vs.

Slide 13

Slide 13 text

No content

Slide 14

Slide 14 text

• Failed to enforce web standards • Failed to implement a definition of security How did we get here?

Slide 15

Slide 15 text

“...completely failed to come up with even the most rudimentary usable frameworks for understanding the security of modern software.” – Michal Zalewski, The Tangled Web

Slide 16

Slide 16 text

• Failed to enforce web standards • Failed to implement a definition of security • Too few people understand the vulnerabilities How did we get here?

Slide 17

Slide 17 text

No content

Slide 18

Slide 18 text

CSRF

Slide 19

Slide 19 text

CSRF Cross-Site Request Forgery

Slide 20

Slide 20 text

EXPLOITING CSRF

Slide 21

Slide 21 text

No content

Slide 22

Slide 22 text

Name Email Website

Slide 23

Slide 23 text

No content

Slide 24

Slide 24 text

Looks the same, different URL

Slide 25

Slide 25 text

Name Email Website

Slide 26

Slide 26 text

Name Email Website Attackers email

Slide 27

Slide 27 text

Name Email Website Auto-submit form

Slide 28

Slide 28 text

Name Email Website Auto-submit form to victim site

Slide 29

Slide 29 text

Attacker’s email

Slide 30

Slide 30 text

How dangerous are CSRF attacks?

Slide 31

Slide 31 text

How to mitigate CSRF?

Slide 32

Slide 32 text

• Use built-in framework CSRF protection How to mitigate CSRF?

Slide 33

Slide 33 text

No content

Slide 34

Slide 34 text

class ApplicationController < ActionController::Base protect_from_forgery with: :exception end

Slide 35

Slide 35 text

Name Email Website CSRF protection

Slide 36

Slide 36 text

Caveat: CSRF protection in Rails is order-dependent

Slide 37

Slide 37 text

class ApplicationController < ActionController::Base before_action :authenticate protect_from_forgery with: :exception, if: -> { authenticate_method.web? } end

Slide 38

Slide 38 text

class ApplicationController < ActionController::Base before_action :authenticate protect_from_forgery with: :exception, if: -> { authenticate_method.web? } end Conditional authentication

Slide 39

Slide 39 text

class ApplicationController < ActionController::Base before_action :authenticate protect_from_forgery with: :exception, if: -> { authenticate_method.web? } end class OtherController < ApplicationController skip_before_action :authenticate before_action :authenticate_method, only: :create end

Slide 40

Slide 40 text

class ApplicationController < ActionController::Base before_action :authenticate protect_from_forgery with: :exception, if: -> { authenticate_method.web? } end class OtherController < ApplicationController skip_before_action :authenticate before_action :authenticate_method, only: :create end Skip auth callback

Slide 41

Slide 41 text

class ApplicationController < ActionController::Base before_action :authenticate protect_from_forgery with: :exception, if: -> { authenticate_method.web? } end class OtherController < ActionController::Base skip_before_action :authenticate before_action :authenticate_method, only: :create protect_from_forgery with: :exception, if: -> { authenticate_method.web? } end

Slide 42

Slide 42 text

No content

Slide 43

Slide 43 text

• Use built-in framework CSRF protection • Rails 5 supports per-form tokens How to mitigate CSRF?

Slide 44

Slide 44 text

• Use built-in framework CSRF protection • Rails 5 supports per-form tokens • Refresh tokens with the session / don’t reuse tokens How to mitigate CSRF?

Slide 45

Slide 45 text

class SessionsController < ApplicationController def destroy sign_out reset_session redirect_to sign_in_url end end Refreshes Authenticity Token

Slide 46

Slide 46 text

• Use built-in framework CSRF protection • Rails 5 supports per-form tokens • Refresh tokens with the session / don’t reuse tokens • Mitigate XSS attacks How to mitigate CSRF?

Slide 47

Slide 47 text

XSS

Slide 48

Slide 48 text

XSS Cross-Site Scripting

Slide 49

Slide 49 text

EXPLOITING STORED XSS

Slide 50

Slide 50 text

No content

Slide 51

Slide 51 text

No content

Slide 52

Slide 52 text

Escaped HTML

Slide 53

Slide 53 text

Profile

<%= notice %>

Name: <%= @user.name %>

Email: <%= @user.email %>

Website: <%= link_to('website', @user.website) %>

<%= link_to 'Edit', edit_user_path(@user) %> | <%= link_to 'Back', users_path %>

Slide 54

Slide 54 text

Profile

<%= notice %>

Name: <%= (@user.name).html_safe %>

Email: <%= @user.email %>

Website: <%= link_to('website', @user.website) %>

<%= link_to 'Edit', edit_user_path(@user) %> | <%= link_to 'Back', users_path %> automatic protection. Let’s say for some reason you wanted to allow the user to dress up their name by adding html tags. To

Slide 55

Slide 55 text

Unescaped HTML

Slide 56

Slide 56 text

JavaScript Scheme

Slide 57

Slide 57 text

No content

Slide 58

Slide 58 text

javascript://example.com/%0Aalert(1)

Slide 59

Slide 59 text

example.com/%0Aalert(1) JavaScript Scheme javascript://

Slide 60

Slide 60 text

javascript://example.com/%0Aalert(1) URL example.com

Slide 61

Slide 61 text

Percent encoded “line feed” javascript://example.com/%0Aalert(1) %0A

Slide 62

Slide 62 text

JavaScript Alert javascript://example.com/%0Aalert(1) alert(1)

Slide 63

Slide 63 text

How dangerous are XSS attacks?

Slide 64

Slide 64 text

How to mitigate XSS?

Slide 65

Slide 65 text

• Always escape user-provided data How to mitigate XSS?

Slide 66

Slide 66 text

Profile

<%= notice %>

Name: <%= (@user.name).html_safe %>

Email: <%= @user.email %>

Website: <%= link_to('website', @user.website) %>

<%= link_to 'Edit', edit_user_path(@user) %> | <%= link_to 'Back', users_path %> Don’t do this

Slide 67

Slide 67 text

No content

Slide 68

Slide 68 text

• Don’t HTML escape user-provided data • Sanitize user-provided data How to mitigate XSS?

Slide 69

Slide 69 text

Profile

<%= notice %>

Name: <%= sanitize(@user.name) %>

Email: <%= @user.email %>

Website: <%= link_to('website', @user.website) %>

<%= link_to 'Edit', edit_user_path(@user) %> | <%= link_to 'Back', users_path %> Will strip out unwanted tags and attributes

Slide 70

Slide 70 text

• Don’t HTML escape user-provided data • Sanitize user-provided data • Validate user-provided data How to mitigate XSS?

Slide 71

Slide 71 text

class User < ActiveRecord::Base WHITELISTED_URI_SCHEMES = %w( http https ) validate :check_uri_scheme private def check_uri_scheme begin uri = URI.parse(website) unless WHITELISTED_URI_SCHEMES.include?(uri.scheme.downcase) errors.add :website, 'is not an allowed URI scheme' end rescue URI::InvalidURIError errors .add :website, 'is not a valid URI' end end end

Slide 72

Slide 72 text

class User < ActiveRecord::Base WHITELISTED_URI_SCHEMES = %w( http https ) validate :check_uri_scheme private def check_uri_scheme begin uri = URI.parse(website) unless WHITELISTED_URI_SCHEMES.include?(uri.scheme.downcase) errors.add :website, 'is not an allowed URI scheme' end rescue URI::InvalidURIError errors .add :website, 'is not a valid URI' end end end

Slide 73

Slide 73 text

class User < ActiveRecord::Base WHITELISTED_URI_SCHEMES = %w( http https ) validate :check_uri_scheme private def check_uri_scheme begin uri = URI.parse(website) unless WHITELISTED_URI_SCHEMES.include?(uri.scheme.downcase) errors.add :website, 'is not an allowed URI scheme' end rescue URI::InvalidURIError errors .add :website, 'is not a valid URI' end end end

Slide 74

Slide 74 text

XXE

Slide 75

Slide 75 text

XXE XML eXternal Entity Attack

Slide 76

Slide 76 text

]> Groceries Take Arya to the vet &ext1; Do laundry Get car oil changed

Slide 77

Slide 77 text

]> Groceries Take Arya to the vet &ext1; Do laundry Get car oil changed Entity reference

Slide 78

Slide 78 text

Book flight to San Francisco Finish Security Talk

Slide 79

Slide 79 text

Groceries Take Arya to the vet Book flight to San Francisco Finish Security Talk Pick up beer Do laundry

Slide 80

Slide 80 text

EXPLOITING XXE

Slide 81

Slide 81 text

class UsersController < ApplicationController def create @user = User.new(user_params) respond_to do |format| if @user.save format.html { redirect_to @user } format.xml { render :xml => @user.to_xml } else format.html { render :new } format.xml { render xml: @user.errors.to_xml } end end end end

Slide 82

Slide 82 text

class UsersController < ApplicationController def create @user = User.new(user_params) respond_to do |format| if @user.save format.html { redirect_to @user } format.xml { render :xml => @user.to_xml } else format.html { render :new } format.xml { render xml: @user.errors.to_xml } end end end end XML

Slide 83

Slide 83 text

]> &name;

Slide 84

Slide 84 text

]> &name; Requested file

Slide 85

Slide 85 text

]> &name; Entity reference

Slide 86

Slide 86 text

curl -X 'POST' -H 'Content-Type: application/xml' -d @xxe.xml http://vulnerablesite.com/users.xml POST request to users create

Slide 87

Slide 87 text

curl -X 'POST' -H 'Content-Type: application/xml' -d @xxe.xml http://vulnerablesite.com/users.xml Payload

Slide 88

Slide 88 text

curl -X 'POST' -H 'Content-Type: application/xml' -d @xxe.xml http://vulnerablesite.com/users.xml ... production: secret_key_base: 271a389cf7bf7b4ff18af3e809241603802b5ff1617b5432a41ff0f99d5 f29c897db7f07a9cebd9e3a3535301720c0b19ac4eb82afa505ed229c40 00e166a9a5 ... User’s Name

Slide 89

Slide 89 text

No content

Slide 90

Slide 90 text

How dangerous are XXE attacks?

Slide 91

Slide 91 text

No content

Slide 92

Slide 92 text

How to mitigate XXE?

Slide 93

Slide 93 text

• Don’t parse XML How to mitigate XXE?

Slide 94

Slide 94 text

Don’t parse XML

Slide 95

Slide 95 text

• Don’t parse XML • Don’t use parsers that allow entity replacement (LibXML) How to mitigate XXE?

Slide 96

Slide 96 text

>> LibXML::XML.default_substitute_entities >> true

Slide 97

Slide 97 text

• Don’t parse XML • Don’t use parsers that allow entity replacement (LibXML) • Whitelist known entities How to mitigate XXE?

Slide 98

Slide 98 text

Investigate vulnerabilities & patches SECURITY

Slide 99

Slide 99 text

GitHub
 eileencodes/security_examples

Slide 100

Slide 100 text

owasp.org

Slide 101

Slide 101 text

No content

Slide 102

Slide 102 text

Brakeman

Slide 103

Slide 103 text

Resilience & empowerment SECURITY

Slide 104

Slide 104 text

No content

Slide 105

Slide 105 text

Awareness of vulnerabilities SECURITY

Slide 106

Slide 106 text

No content

Slide 107

Slide 107 text

To the future

Slide 108

Slide 108 text

EILEEN M. UCHITELLE Security, Infrastructure & Performance Team at Basecamp ! eileencodes.com " @eileencodes # @eileencodes ! speakerdeck.com/eileencodes