Slide 1

SOFTWARE ischief

Slides 2-5

a short DEMO on OUR PRODUCTION PLATFORM. YES, THIS IS FOR REAL * well, i’m demoing on staging so i don’t screw with customer data, but this definitely exists on production *

Slide 7

THINK LIKE A HACKER
block URL INJECTION
prevent CROSS-SITE REQUEST FORGERY

Slide 8

THINK LIKE A HACKER

Slides 9-11

THINK LIKE A HACKER: assume all users are malicious. this is the INTERNET after all. people on the internet are not nice.

Slide 12

THINK LIKE A HACKER: know their methods

Slide 13

THINK LIKE A HACKER: know their attack vectors

Slide 14

THINK LIKE A HACKER: design security in layers

Slides 15-18

THINK LIKE A HACKER: design security in layers. this could have been just an injection bug: one customer would have to attack another customer. or, this could have been just a CSRF bug: an attacker would have to target a user’s specific ad. the combination lets third parties attack our customers. that’s significantly worse.

Slide 19

URL INJECTION

Slide 20

URL INJECTION: server sends a form to the client; client submits form back to server

Slides 21-22

URL INJECTION: server sends a form to the client; client edits the HTML source; client submits form back to server

Slide 23

URL INJECTION
what if the :id is an external post id? are you verifying that it exists on the resource that you authorized?
what if the :id is passed to a gem? an api? are you assuming that the api or gem is handling authorization for you? is it?
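The check slide 23 asks for, as an added example that is not part of the talk or its platform: an unscoped `find` on a form-supplied `:id` beside a lookup scoped to the resource the caller is already authorized for, plus the "passed to a gem" case. It uses plain in-memory Ruby structs instead of ActiveRecord; the customers, ads, `resolve_ad` and `engine_preview` names are constructed for the illustration.

```ruby
# Added example (not the talk's code). Customers own ads; every ad has a
# globally unique id, exactly like a Rails :id route parameter.
Customer = Struct.new(:id, :name)
Ad = Struct.new(:id, :customer_id, :title)

# Constructed sample data: two tenants, one ad each.
CUSTOMERS = [Customer.new(1, "acme"), Customer.new(2, "globex")].freeze
ADS = [
  Ad.new(10, 1, "acme spring sale"),
  Ad.new(11, 2, "globex launch"),
].freeze

# Resolves the ad named by params[:id] for the signed-in customer.
#   scoped: false  mirrors  Ad.find(params[:id])
#   scoped: true   mirrors  current_customer.ads.find(params[:id])
# The client can edit the HTML source, so params[:id] is attacker-controlled;
# only the scoped form verifies the id exists on the authorized resource.
def resolve_ad(current_customer, params, scoped:)
  id = Integer(params[:id], exception: false)
  return nil if id.nil?                       # non-numeric id: reject
  if scoped
    ADS.find { |ad| ad.id == id && ad.customer_id == current_customer.id }
  else
    ADS.find { |ad| ad.id == id }
  end
end

# Stand-in for a gem / Rails Engine that takes a bare id and does an unscoped
# lookup. It knows nothing about who is asking, so it cannot authorize.
def engine_preview(id)
  ad = ADS.find { |a| a.id == id }
  ad && "preview of: #{ad.title}"
end

# Wrong: trusting the engine to authorize (it does not).
def preview_unchecked(_current_customer, params)
  engine_preview(Integer(params[:id], exception: false))
end

# Right: authorize in the application first, then hand the engine an id
# that has already been proven to belong to the current customer.
def preview_checked(current_customer, params)
  ad = resolve_ad(current_customer, params, scoped: true)
  ad && engine_preview(ad.id)
end
```

`resolve_ad` returns `nil` both for an id that does not exist and for one that exists but belongs to another customer, so the controller can answer 404 in both cases and never reveal which it was.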

Slide 24

URL INJECTION: meanwhile, inside a Rails Engine...

Slide 25

CROSS-SITE REQUEST FORGERY

Slides 26-27

CROSS-SITE REQUEST FORGERY
STEP 1: log in to a website
STEP 2: visit a malicious site

Slide 28

CROSS-SITE REQUEST FORGERY: what if that form submits hidden fields to a different server? is your SRMA session cookie still valid?

Slide 29

CROSS-SITE REQUEST FORGERY
GOOD NEWS: Rails protects you from this automatically!
ERROR: Can't verify CSRF token authenticity

Slide 30

CROSS-SITE REQUEST FORGERY
1. A secret form_authenticity_token is added to all forms in your application.
2. That token matches a key in your application session cookie.
3. If a form submission comes in without a valid token, it is rejected.

Slide 31

CROSS-SITE REQUEST FORGERY
GOOD NEWS: Rails protects you from this automatically!
BAD NEWS: You can shoot yourself in the foot.

Slide 32

CROSS-SITE REQUEST FORGERY

Slides 33-35

CROSS-SITE REQUEST FORGERY
GET requests are not protected!
Don’t use GET requests for actions that modify data.
Don’t use match to define routes, because it accepts both POST and GET requests.
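A worked model of the token scheme on slide 30 and of the GET gap on slides 33-35, added here as an example that is neither the talk's code nor Rails' own implementation. It reproduces the three steps (secret minted into the session, same secret embedded in the rendered form, submission rejected without it), the "safe method" exemption that makes GET unprotected, and a toy router in which a `match`-style route accepts any verb while a `delete` route does not. The hash-based session and request, `issue_token`, `verified_request?`, `ROUTES` and `dispatch` are all constructed for the illustration; real Rails additionally masks the token per request, which is omitted here.

```ruby
require "securerandom"

# Added example (not the talk's or Rails' code). session and request are plain
# hashes standing in for the cookie-backed session and the Rack request.
TOKEN_BYTES = 32
SAFE_METHODS = %w[GET HEAD].freeze   # verbs the token check never covers

# Step 1: mint one secret per session and keep it in the session cookie.
def issue_token(session)
  session[:_csrf_token] ||= SecureRandom.base64(TOKEN_BYTES)
end

# Step 1 (cont.): every form the server renders carries the same secret as a
# hidden field, the way form_authenticity_token ends up in a Rails form.
def render_form(session, action:, method:)
  { action: action, method: method,
    fields: { "authenticity_token" => issue_token(session) } }
end

# Constant-time comparison so response timing leaks nothing about the token.
def tokens_match?(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Steps 2-3: the check protect_from_forgery performs. The first line is the
# whole point of slides 33-35: GET and HEAD skip the token entirely, so any
# data-modifying action reachable by GET is reachable from a malicious site.
def verified_request?(session, request)
  return true if SAFE_METHODS.include?(request[:method])
  tokens_match?(session[:_csrf_token], request[:params]["authenticity_token"])
end

# Toy routing table. :any mimics `match` (every verb accepted); an explicit
# verb list mimics `delete '/ads/:id' => 'ads#destroy'`.
ROUTES = [
  { pattern: %r{\A/ads/\d+/delete\z}, verbs: :any,       action: :destroy_ad }, # match
  { pattern: %r{\A/ads/\d+\z},        verbs: ["DELETE"], action: :destroy_ad }, # delete
].freeze

# Returns the action a request reaches, :not_found, or :csrf_rejected.
def dispatch(session, request)
  route = ROUTES.find do |r|
    r[:pattern].match?(request[:path]) &&
      (r[:verbs] == :any || r[:verbs].include?(request[:method]))
  end
  return :not_found unless route
  return :csrf_rejected unless verified_request?(session, request)
  route[:action]
end
```

Running it against one logged-in session shows the four cases the slides describe: a DELETE carrying the session's token reaches `destroy_ad`; a DELETE without it (a forged cross-site submission) is rejected; a GET to the verb-specific route is a 404; but a GET to the `match`-defined route reaches `destroy_ad` with no token checked at all. The fix is in the routing table, not the token code: define state-changing routes with `post`/`delete`/`patch` (or `resources`), never `match` or `get`.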

Slide 36

CROSS-SITE REQUEST FORGERY: the cause...

Slide 38

THINK LIKE A HACKER
block URL INJECTION
prevent CROSS-SITE REQUEST FORGERY

Slide 39

SOFTWARE ischief
Q + A