Slide 1

OWASP Chicago - January 10, 2013

Slide 2

Matt Konda (@mkonda)
- Veteran Agile Software Builder
- Founder of Jemurai

Slide 3

Jonathan Claudius (@claudijd)
- SpiderLabs Vulnerability Researcher
- Ruby Developer

Slide 4

Thanks!

Slide 5

Agenda
- Background
- Pitfall Examples
  - XSS
  - Mass Assignment
  - SQLi
  - /dev/random
- Tools to Help

Slide 6

No content

Slide 7

Why are we doing this?
- Rails is a popular and interesting platform in much need of security attention.
- At a recent ChicagoRuby Meetup, 2 of 97 attendees had ever heard of OWASP. We want to change that. We want you to help.

Slide 8

No content

Slide 9

Rails Background
- Favors convention over configuration
- Leverages dynamic Ruby language features
- Makes the development process fast and simple
- Default RESTful interface and XML + JSON APIs
- Very healthy library ecosystem
- Popular with developers for prototyping and rapid small-team application development
- Also used for large-scale applications

Slide 10

Rails Background (Security)
- Session
- CSRF
- XSS
- SQLi
http://guides.rubyonrails.org/security.html

Slide 11

Rails Background

The same thing that makes it easy to use and powerful makes it a rich target.

Slide 12

Rails Background

Slide 13

Pitfalls

Slide 14

No content

Slide 15

XSS
- Rails 2.x: you need to escape text yourself.
- Rails 3.x: should escape everything by default.
- However, in the case where a programmer wants to store unescaped input, this can be bypassed. Happens all the time.

Slide 16

XSS – Example CKEditor
- CKEditor setup:
  - Application.js
  - Form page
  - Controller: no change. Show view, however:

Slide 17

Doh!

Slide 18

XSS Example

Slide 19

Solution
- Remove rich text …
- Use sanitization
- Still need to be fairly heavy-handed; would probably need to disallow some tags entirely.
http://apidock.com/rails/ActionView/Helpers/SanitizeHelper/sanitize
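The escape-by-default rule from slide 15 and the sanitize() advice from slide 19, worked through in plain Ruby as an added example (not code from the talk or from Rails itself): a toy buffer that escapes anything not explicitly marked safe, a raw() helper standing in for html_safe, and a small allowlist sanitizer for the rich-text case. SafeBuffer, SafeString, sanitize, render_comment and the allowlists are names and choices made for this example; the comment body is a constructed sample.

```ruby
require "erb"

# Added example (not Rails' ActionView code): a toy output buffer with the
# Rails 3 rule that appended strings are HTML-escaped unless explicitly marked
# safe, plus an allowlist sanitizer for the "store rich text" case.
class SafeString           # stands in for String#html_safe / raw()
  def initialize(s); @s = s; end
  def to_s; @s; end
end

def raw(str); SafeString.new(str); end

class SafeBuffer
  attr_reader :html
  def initialize; @html = +""; end

  # Only SafeString passes through unescaped; everything else is escaped.
  def <<(str)
    @html << (str.is_a?(SafeString) ? str.to_s : ERB::Util.html_escape(str.to_s))
    self
  end
end

# Allowlist sanitizer: unknown tags are dropped (their text is kept), and only
# listed attributes with safe values survive on allowed tags.
ALLOWED_TAGS  = %w[p b i em strong a ul ol li br].freeze
ALLOWED_ATTRS = { "a" => %w[href] }.freeze
SAFE_HREF     = %r{\A(https?://|mailto:|/|#)}i

def sanitize(html)
  html.gsub(%r{<(/?)([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>}) do
    closing, tag, attrs = $1, $2.downcase, $3
    next "" unless ALLOWED_TAGS.include?(tag)
    next "<#{closing}#{tag}>" if closing == "/" || attrs.strip.empty?
    kept = attrs.scan(/([a-zA-Z-]+)\s*=\s*"([^"]*)"/).select do |name, value|
      n = name.downcase
      (ALLOWED_ATTRS[tag] || []).include?(n) && (n != "href" || value.match?(SAFE_HREF))
    end
    "<#{tag}#{kept.map { |n, v| %( #{n.downcase}="#{v}") }.join}>"
  end
end

# Render a stored comment three ways: the Rails 3 default, the raw() bypass the
# slide warns about, and sanitized rich text.
def render_comment(body, mode)
  buf = SafeBuffer.new
  buf << raw(%(<div class="comment">))
  case mode
  when :escape   then buf << body
  when :raw      then buf << raw(body)
  when :sanitize then buf << raw(sanitize(body))
  else raise ArgumentError, "unknown mode #{mode}"
  end
  buf << raw("</div>")
  buf.html
end

# Constructed sample of what a rich-text editor field might submit.
COMMENT = %(<b>Nice post</b><script>alert(1)</script><a href="javascript:alert(1)">link</a>)

if __FILE__ == $PROGRAM_NAME
  %i[escape raw sanitize].each { |m| puts "#{m}: #{render_comment(COMMENT, m)}" }
end
```

Running it shows the trade-off the slides describe: escaping neutralises the markup entirely, raw() reproduces the stored script verbatim, and sanitize keeps the formatting tags while dropping the script element and the javascript: href. Even with sanitization the allowlist has to stay short, and tags that carry URLs or event handlers need the strictest treatment.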

Slide 20

No content

Slide 21

Mass Assignment
- A feature in Rails that allows record creation from values in a hash.
- Made famous by Egor Homakov
  - Demonstrated the Rails vulnerability by exploiting GitHub, which runs on Rails, to make a commit to the Rails source code.

Slide 22

Mass Assignment
- User model
- Schema

Slide 23

Mass Assignment Example
- Normal Example
- Exploit Example
Reference: http://railscasts.com/episodes/26-hackers-love-mass-assignment

Slide 24

Mass Assignment Fix
- Before
- After
Reference: http://railscasts.com/episodes/26-hackers-love-mass-assignment
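The "before" and "after" from slides 23 and 24, as an added example in plain Ruby rather than the talk's own Rails snippets: Record stands in for an ActiveRecord model, UnsafeUser assigns whatever the request hash contains, and SafeUser applies an attr_accessible-style allowlist. The class and method names and the signup parameters are constructed for this example.

```ruby
# Added example, not Rails code: a minimal model standing in for ActiveRecord,
# showing the mass-assignment pitfall and an attr_accessible-style allowlist fix.
class Record
  attr_reader :attributes

  def initialize(attrs = {})
    @attributes = {}
    assign_attributes(attrs)
  end

  # Before: every key in the request hash becomes an attribute.
  def assign_attributes(attrs)
    attrs.each { |k, v| @attributes[k.to_s] = v }
  end

  def [](name); @attributes[name.to_s]; end
end

class UnsafeUser < Record; end

# After: only allowlisted attributes are mass-assignable; anything else is
# dropped before it reaches the model, and the rejection is logged.
class SafeUser < Record
  ACCESSIBLE = %w[name email].freeze

  def assign_attributes(attrs)
    permitted, rejected = attrs.partition { |k, _| ACCESSIBLE.include?(k.to_s) }
    warn "mass assignment rejected: #{rejected.map(&:first).join(', ')}" unless rejected.empty?
    super(permitted.to_h)
  end

  # Privileged fields change only through an explicit, authorised code path.
  def promote_to_admin!
    @attributes["admin"] = true
    self
  end
end

# Constructed request body: a signup form with an extra field bolted on.
SIGNUP_PARAMS = { "name" => "mallory", "email" => "mallory@example.com", "admin" => true }.freeze

def admin_after_signup?(model_class, params)
  model_class.new(params)["admin"] == true
end

if __FILE__ == $PROGRAM_NAME
  puts "UnsafeUser admin? #{admin_after_signup?(UnsafeUser, SIGNUP_PARAMS)}"   # true
  puts "SafeUser admin?   #{admin_after_signup?(SafeUser, SIGNUP_PARAMS)}"     # false
end
```

The allowlist lives in the model, so every code path that builds a user from a hash gets the same protection; the logged rejection is also a useful detection signal, since legitimate forms never submit fields outside the allowlist.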

Slide 25

No content

Slide 26

SQL Injection

Slide 27

SQL Injection
- Recently been a topic of interest for the Rails community
  - CVE-2012-2661 (6 months ago)
  - CVE-2012-5664 (< 2 weeks ago)
- Both are deficiencies in framework-provided protections.

Slide 28

CVE-2012-2661 (May 31, 2012)
- Code like this:
- Can be manipulated to make params[:id] look like a hash.
- Solution: update to Rails 3.2.4, 3.1.5, 3.0.13 or cast.
http://seclists.org/oss-sec/2012/q2/448

Slide 29

CVE-2012-5664 (Jan 2, 2013)
- Code like this:
- Can be manipulated to process input as options to the query.
- Solution: update to Rails 3.2.10, 3.1.9, 3.0.18 or cast.
https://groups.google.com/forum/#!topic/rubyonrails-security/DCNTNp_qjFM

Slide 30

CVE-2013-0155 (Jan 8, 2013)
- Code like this:
  - find_by_*
  - Model.where(:name => params[:name])
- Can be made to bypass a query where clause by sending an empty hash in params[:name]
- Variant of CVE-2012-2660 / CVE-2012-2694
- Solution: update to Rails 3.2.11, 3.1.10, 3.0.19 or cast to string.
https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/t1WFuuQyavI
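The "cast" fix that all three advisories above (slides 28 to 30) recommend, as an added example rather than the talk's code: one helper that forces a request parameter to the scalar type the finder expects and refuses Hash or Array values, which Rails' parameter parsing produces from nested query strings (id[x]=1), XML and JSON. scalar_param, BadParameter and the two finder functions are hypothetical names for this illustration.

```ruby
# Added example, not Rails code: the "cast to string" (or integer) fix applied as
# a single helper, so a finder only ever sees a scalar. Rails' parsers turn a
# query string like id[x]=1, and nested XML/JSON, into a Hash; the advisories
# above are variations on such a non-scalar reaching a query builder.
class BadParameter < ArgumentError; end

def scalar_param(params, key, type: :string)
  value = params.key?(key.to_s) ? params[key.to_s] : params[key.to_sym]
  if value.is_a?(Hash) || value.is_a?(Array)
    raise BadParameter, "#{key} must be a scalar, got #{value.class}"
  end
  case type
  when :integer
    raise BadParameter, "#{key} must be a positive integer" unless value.to_s.match?(/\A\d+\z/)
    value.to_i
  when :string
    raise BadParameter, "#{key} is required" if value.nil? || value.to_s.empty?
    value.to_s
  else
    raise ArgumentError, "unsupported type #{type.inspect}"
  end
end

# Parameterised lookups: the SQL text is fixed, only bound values vary, and the
# values are cast before they get anywhere near the query.
def find_user_sql(params)
  ["SELECT * FROM users WHERE id = ?", [scalar_param(params, :id, type: :integer)]]
end

def find_by_token_sql(params)
  ["SELECT * FROM users WHERE reset_token = ?", [scalar_param(params, :token)]]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed params, as Rails would produce them from ?id=42 and from ?id[x]=1
  p find_user_sql("id" => "42")
  begin
    find_user_sql("id" => { "x" => "1" })
  rescue BadParameter => e
    puts "rejected: #{e.message}"
  end
end
```

Rejecting the request with a 4xx (and logging it) is preferable to silently coercing, since a Hash where a String was expected is either a bug in the client or someone probing the finder.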

Slide 31

CVE-2013-0156 (Jan 8, 2013)
- Any code that accepts XML params. (All)
- Create symbols. Parse YAML. Basically remote code execution. Not SQLi, but exacerbates other SQLi vulns due to symbol manipulation.
- Solution: update to Rails 3.2.11, 3.1.10, 3.0.19, 2.3.15, disable the XML / YAML interfaces, or disable capabilities within XML parsing.
https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/61bkgvnSGTQ
https://gist.github.com/4499206 - postmodern RCE
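The "disable capabilities within XML parsing" workaround from slide 31, modelled as an added example (not ActiveSupport's XmlMini code): typed XML parameters select a converter by their type attribute, and the advisory's workaround was to delete the "symbol" and "yaml" entries from that converter table. FULL_PARSING, HARDENED_PARSING and parse_params are names chosen here; the request body is constructed and benign.

```ruby
require "yaml"

# Added example, not ActiveSupport::XmlMini: a minimal model of typed XML
# parameter parsing, where a type="..." attribute picks a converter from a
# table. The advisory's workaround deleted the "symbol" and "yaml" entries from
# that table; HARDENED_PARSING shows the effect.
FULL_PARSING = {
  "integer" => ->(s) { s.to_i },
  "boolean" => ->(s) { s.strip == "true" },
  "symbol"  => ->(s) { s.to_sym },     # a request can mint arbitrary symbols
  "yaml"    => ->(s) { YAML.load(s) }, # a request can hand text to the YAML loader
}.freeze

HARDENED_PARSING = FULL_PARSING.reject { |type, _| %w[symbol yaml].include?(type) }.freeze

# Flat <name type="t">text</name> elements; enough for the demonstration.
ELEMENT = %r{<(\w+)(?:\s+type="([^"]*)")?>(.*?)</\1>}m

def parse_params(xml, table)
  xml.scan(ELEMENT).each_with_object({}) do |(name, type, text), params|
    converter = table[type]
    params[name] = converter ? converter.call(text) : text   # unknown type: plain string
  end
end

# Constructed request body with a typed field per converter.
REQUEST_XML = %(<name>alice</name><age type="integer">30</age>) +
              %(<role type="symbol">admin</role><note type="yaml">--- 1</note>)

if __FILE__ == $PROGRAM_NAME
  p parse_params(REQUEST_XML, FULL_PARSING)
  p parse_params(REQUEST_XML, HARDENED_PARSING)
end
```

With the hardened table the same request still parses, but the symbol and yaml fields come back as plain strings that the application has to interpret itself, which is exactly the point: the request no longer chooses which loader runs on its content.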

Slide 32

Credit to:
- Nicolas Blanco (slainer68)
- @joernchen
- @charliesome
http://i.imgur.com/tij2x.jpg

Slide 33

Time out for tenderlovemaking
- Aaron Patterson might have had a bad week. We don't wish that on anyone.
- He in turn wants to thank these folks: “Ben Murphy, Magnus Holm, Felix Wilhelm, Darcy Laycock, Jonathan Rudenberg, Bryan Helmkamp, Benoist Claassen and Charlie Somerville for reporting the issue to us and working with us to ensure the fixes worked.”

Slide 34

Commonalities between SQLi and Mass Assignment issues?

Slide 35

No content

Slide 36

Session Management
- By default, Rails uses a cookie-based session.
  - People put all kinds of things in the session.
  - They never expire. Easy to replay after logout.
- Open source apps sometimes use a public secret for signing cookies.
- Recommendations
  - Use the database-based session store and expire sessions.
  - Update your secret and keep it secret.
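The two recommendations on slide 36 (expire sessions; keep the signing secret secret), shown in an added Ruby example that is not Rails' CookieStore: a signed cookie with an issue time, verified with a constant-time comparison and rejected once it is older than max_age or signed under a different secret. SignedSession, "issued_at" and max_age are names chosen for this example.

```ruby
require "openssl"
require "json"

# Added example, not Rails' CookieStore: a signed session cookie whose HMAC is
# keyed by a per-deployment secret and which carries an issue time so a replayed
# cookie stops working after max_age. "issued_at" and max_age are names chosen here.
class SignedSession
  def initialize(secret, max_age: 3600)
    raise ArgumentError, "secret too short" if secret.bytesize < 32
    @secret, @max_age = secret, max_age
  end

  def encode(data, now: Time.now.to_i)
    payload = [JSON.generate(data.merge("issued_at" => now))].pack("m0")   # strict base64
    "#{payload}.#{sign(payload)}"
  end

  # Returns the session hash, or nil for a forged, tampered or expired cookie.
  def decode(cookie, now: Time.now.to_i)
    payload, sig = cookie.to_s.split(".", 2)
    return nil unless payload && sig && secure_equal(sign(payload), sig)
    data = JSON.parse(payload.unpack1("m0"))
    return nil unless data.is_a?(Hash) && now - data["issued_at"].to_i <= @max_age
    data
  rescue ArgumentError, JSON::ParserError
    nil
  end

  private

  def sign(payload)
    OpenSSL::HMAC.hexdigest("SHA256", @secret, payload)
  end

  # Constant-time comparison so a forger learns nothing from timing.
  def secure_equal(a, b)
    a.bytesize == b.bytesize && a.bytes.zip(b.bytes).sum { |x, y| x ^ y }.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  app = SignedSession.new(OpenSSL::Random.random_bytes(32), max_age: 3600)   # secret generated per run here
  cookie = app.encode({ "user_id" => 7 })
  p app.decode(cookie)                               # the session hash
  p app.decode(cookie, now: Time.now.to_i + 7200)    # nil: expired
  p app.decode(cookie.sub(/\A./, "Z"))               # nil: tampered
end
```

The last two cases in the checks below matter most for the slide: a cookie signed under a different secret is rejected, but anyone holding the same secret, which for an open source app with a committed signing secret means everyone, can mint a cookie the app will trust. Rotating the secret invalidates every cookie signed under the old one, and the issue time is what stops a captured cookie from working indefinitely after logout.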

Slide 37

CSRF
- Need to ensure that controllers protect from forgery:
- Can sometimes find this disabled for API methods – as for the show method below.
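The forgery check from slide 37, as an added example (not Rails' protect_from_forgery): state-changing requests must present the session's token, safe methods are exempt, and skip_actions plays the role of the :except list the slide warns about. The request and session are plain Hashes with names chosen for this example.

```ruby
require "openssl"

# Added example, not Rails' protect_from_forgery: a synchronizer-token check over
# a plain-Hash request ({method:, action:, params:, headers:}) and session
# ({csrf_token:}). skip_actions plays the role of an :except list.
SAFE_METHODS = %w[GET HEAD OPTIONS].freeze

def new_csrf_token
  OpenSSL::Random.random_bytes(32).unpack1("H*")
end

# Constant-time comparison so the token cannot be guessed byte by byte.
def tokens_match?(a, b)
  a.bytesize == b.bytesize && a.bytes.zip(b.bytes).sum { |x, y| x ^ y }.zero?
end

def verified_request?(request, session, skip_actions: [])
  return true if SAFE_METHODS.include?(request[:method])   # safe methods must not change state
  return true if skip_actions.include?(request[:action])   # the pitfall: protection switched off
  expected  = session[:csrf_token]
  presented = request.dig(:params, "authenticity_token") || request.dig(:headers, "X-CSRF-Token")
  !expected.nil? && !presented.nil? && tokens_match?(expected, presented)
end

if __FILE__ == $PROGRAM_NAME
  session = { csrf_token: new_csrf_token }
  # Constructed requests: a form post carrying the token, and a cross-site post without it.
  good = { method: "POST", action: "update", params: { "authenticity_token" => session[:csrf_token] } }
  bad  = { method: "POST", action: "update", params: {} }
  puts verified_request?(good, session)                           # true
  puts verified_request?(bad, session)                            # false
  puts verified_request?(bad, session, skip_actions: ["update"])  # true: the skip list defeats the check
end
```

Leaving the check off for a GET-only action such as show costs nothing, because GET must not change state anyway; the exposure comes when the same skip is applied to an action that does, which is what to look for when an API controller has forgery protection disabled.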

Slide 38

Grab Bag
- Forceful Browsing
- Writing an API
- Password Complexity
- Filter Logs
- Secure Cookies
- File Upload
- 3rd Party Dependencies
- Routes
- Sensitive Files

Slide 39

No content

Slide 40

Rails Casts
- Some episodes on Rails security
  - #20 – Restricting Access
  - #25 – SQL Injection
  - #27 – Cross-site Scripting
  - #26 – Hackers Love Mass Assignment
  - #178 – Security Tips
  - #204 – XSS Protection in Rails 3
  - #352 – Securing an API
  - #356 – Dangers of Session Hijacking
http://railscasts.com/

Slide 41

Brakeman
- A static analysis security vulnerability scanner for Ruby on Rails applications.
  - https://github.com/presidentbeef/brakeman
- Demo
  - Identify vulnerabilities in Rails apps

Slide 42

Rails Console

Slide 43

ChicagoRuby
- Chicago has an awesome Ruby community.
- 12/4/2012: we presented to ChicagoRuby on Rails Security. We were fortunate to receive a favorable response and lots of interesting follow-up conversations.
- 2/13/2013: we have been invited back to do a Ruby “Hack Night” where we'll have folks run Brakeman and fix security problems. We would LOVE to have you come help us!

Slide 44

Thank you!