Slide 1

Slide 1 text

Rails Security Primer

Slide 2

Slide 2 text

I am not a software security expert

Slide 3

Slide 3 text

CVE? Common Vulnerabilities and Exposures

Slide 4

Slide 4 text

Vulnerability: a weakness that an attacker can use to exploit a system

Slide 5

Slide 5 text

Exploit: a piece of software that exploits a vulnerability to achieve unintended or unanticipated behavior

Slide 6

Slide 6 text

CVE-2012-5664 SQL Injection Vulnerability

Slide 7

Slide 7 text

SQL Injection Vulnerability …but only exploitable if you used Authlogic or the find_by_* methods in a certain way

Slide 8

Slide 8 text

A cookie like

{ "session_id"         => "41414141",
  "user_credentials"   => "Phenoelit",
  "user_credentials_id" => { :select => " *,\"Phenoelit\" as persistence_token from users -- " } }

Slide 9

Slide 9 text

…would create a query like this

User.find_by_id(params[:user_credentials_id])

Slide 10

Slide 10 text

…would create a query like this

User.find_by_id(params[:user_credentials_id])
User.find_by_id({:select => "*,\"Phenoelit\" as persistence_token from users --"})

Slide 11

Slide 11 text

…would create a query like this

User.find_by_id(params[:user_credentials_id])
User.find_by_id({:select => "*,\"Phenoelit\" as persistence_token from users --"})

SELECT *,"Phenoelit" as persistence_token from users -- FROM "users" WHERE "users"."id" IS NULL LIMIT 1

Slide 12

Slide 12 text

Blood in the water…

Slide 13

Slide 13 text

No content

Slide 14

Slide 14 text

CVE-2013-0155
CVE-2013-0156
CVE-2013-0269
CVE-2013-0333

Slide 15

Slide 15 text

CVE-2013-0155 "Unsafe Query Generation Risk in Ruby on Rails"

Slide 16

Slide 16 text

def reset_password
  if (@user = User.find_by_token(params[:token]))
    @user.reset_password!
    render :json => 'Success'
  else
    render :json => 'Failure'
  end
end

# POST to http://localhost:3000/users/reset_password with "{\"token\":[null]}"

Slide 17

Slide 17 text

CVE-2013-0156 "Multiple vulnerabilities in parameter parsing in Action Pack"

Slide 18

Slide 18 text

Content-Type: text/xml

yaml: goes here
foo:
  - 1
  - 2

Slide 19

Slide 19 text

How can you exploit this?

Slide 20

Slide 20 text

class Helpers
  def initialize
    @module = Module.new
  end

  def []=(key, value)
    @module.module_eval <<-END_EVAL
      def #{value}(*args)
        # ... other stuff
      end
    END_EVAL
  end
end

Slide 21

Slide 21 text

--- !ruby/hash:Helpers
foo: |-
  mname; end; puts 'hello!'; def oops

Slide 22

Slide 22 text

--- !ruby/hash:Helpers
foo: |-
  mname; end; puts 'hello!'; def oops

• Ah, this is a subclass of a Ruby hash with the class of Helpers

Slide 23

Slide 23 text

--- !ruby/hash:Helpers
foo: |-
  mname; end; puts 'hello!'; def oops

• Ah, this is a subclass of a Ruby hash with the class of Helpers
• Create a new instance of Helpers

Slide 24

Slide 24 text

--- !ruby/hash:Helpers
foo: |-
  mname; end; puts 'hello!'; def oops

• Ah, this is a subclass of a Ruby hash with the class of Helpers
• Create a new instance of Helpers
• Use the []= method for each key-value pair

Slide 25

Slide 25 text

class Helpers
  def initialize
    @module = Module.new
  end

  def []=(key, value)
    @module.module_eval <<-END_EVAL
      def #{value}(*args)
        # ... other stuff
      end
    END_EVAL
  end
end

['foo', "mname; end; puts 'hello!'; def oops"]

Slide 26

Slide 26 text

def mname; end; puts 'hello!'; def oops(*args)
  # ... other stuff
end

Slide 27

Slide 27 text

def mname
end

puts 'hello!'

def oops(*args)
  # ... other stuff
end
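The mitigation side of the YAML slides, as an added example that is not part of the original talk: a tagged document of the same shape as the one above (with a harmless string in place of the injected code) instantiates the named class under a full-power load, while Psych's safe_load refuses the tag outright. The Helpers class here is a hypothetical stand-in and the document is constructed.

```ruby
require 'yaml'

# Hypothetical target class: a Hash subclass so that the "!ruby/hash:" tag
# resolves and its []= is what Psych calls for each key/value pair.
class Helpers < Hash; end

# Constructed sample document, same shape as the slides but with plain data.
UNTRUSTED_DOC = <<~YAML
  --- !ruby/hash:Helpers
  foo: plain string, not code
YAML

# Full-power parse: honours the tag and builds a Helpers instance.
# (YAML.load was this unsafe loader before Psych 4; newer Psych exposes it
# as unsafe_load and makes load safe by default.)
def load_with_tags(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# Defensive parse: only plain scalars, arrays and hashes are permitted, so a
# class tag raises Psych::DisallowedClass before any object is created.
def load_safely(doc)
  [:ok, YAML.safe_load(doc)]
rescue Psych::DisallowedClass => e
  [:rejected, e.message]
end
```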

Slide 28

Slide 28 text

CVE-2013-0269 "Denial of Service and Unsafe Object Creation Vulnerability in JSON"

Slide 29

Slide 29 text

JSON.parse('{"json_class":"JSON::GenericObject","foo":"bar"}') # => #

Slide 30

Slide 30 text

CVE-2013-0333 "Vulnerability in JSON Parser in Ruby on Rails 3.0 and 2.3"

Slide 31

Slide 31 text

Exploits naive JSON “parsing” in Rails

Slide 32

Slide 32 text

“Potential Query Manipulation with Common Rails Practices”

User.where(:login_token => params[:token]).first

SELECT * FROM `users` WHERE `login_token` = 0 LIMIT 1;
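Why the SQL shape changes with the type of the parameter, for both the reset_password slide (`[null]` becoming `IS NULL`) and the login_token slide above (`0` becoming `= 0`), as an added example that is not from the talk: toy_condition is a hypothetical stand-in for ActiveRecord's hash-condition builder, deep_munge reproduces the shape of the parameter cleaning Rails added for CVE-2013-0155, and lookup_sql_for_token is the app-level type check.

```ruby
# Quote a single value the way a naive query builder would.
def toy_quote(value)
  case value
  when nil     then "NULL"
  when Integer then value.to_s
  when String  then "'#{value.gsub("'", "''")}'"
  else raise ArgumentError, "cannot quote #{value.class}"
  end
end

# Stand-in for `where(:column => value)`: the Ruby type decides the operator,
# so nil / [nil] turn into IS NULL and an Integer into an equality on a number.
def toy_condition(column, value)
  case value
  when nil
    "`#{column}` IS NULL"
  when Array
    return "`#{column}` IS NULL" if value.compact.empty?
    "`#{column}` IN (#{value.map { |v| toy_quote(v) }.join(', ')})"
  else
    "`#{column}` = #{toy_quote(value)}"
  end
end

# Shape of the Rails fix: strip nils out of arrays and collapse an array that
# is left empty to nil, recursively, before the params reach the query builder.
def deep_munge(value)
  case value
  when Hash
    value.each_with_object({}) { |(k, v), h| h[k] = deep_munge(v) }
  when Array
    cleaned = value.compact.map { |v| deep_munge(v) }
    cleaned.empty? ? nil : cleaned
  else
    value
  end
end

# App-level guard: a token is only ever a non-empty String; anything else
# (nil, [nil], 0, a Hash) never becomes part of a query.
def lookup_sql_for_token(raw_token)
  token = deep_munge("token" => raw_token)["token"]
  return nil unless token.is_a?(String) && !token.empty?
  "SELECT * FROM `users` WHERE #{toy_condition('token', token)} LIMIT 1"
end
```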

Slide 33

Slide 33 text

You might be vulnerable even if you don't know it

Slide 34

Slide 34 text

What can you do?

Slide 35

Slide 35 text

Subscribe to the relevant security news sources

rubyonrails-security
http://www.ruby-lang.org/en/security/
(etc.)

Slide 36

Slide 36 text

Treat each vulnerability as if your servers were physically on fire (i.e., as a big, "drop everything right now" deal)

Slide 37

Slide 37 text

Checklist: What to do when a new CVE is announced

Slide 38

Slide 38 text

Checklist: when you discover someone hacked you

Slide 39

Slide 39 text

Related: make a list of all your apps and their stacks (Yes, all of them. Even the internal/non-released/non-Rails ones)

Slide 40

Slide 40 text

Minimize the number of technologies that you use

Slide 41

Slide 41 text

Invest some time & money into security

Slide 42

Slide 42 text

Add a security page to your app

Slide 43

Slide 43 text

No content

Slide 44

Slide 44 text

Software Security sucks

Slide 45

Slide 45 text

Sources I used for this talk:

http://www.kalzumeus.com/2013/01/31/what-the-rails-security-issue-means-for-your-startup/
http://ronin-ruby.github.com/blog/2013/01/09/rails-pocs.html
http://ronin-ruby.github.com/blog/2013/01/28/new-rails-poc.html
http://blog.codeclimate.com/blog/2013/01/10/rails-remote-code-execution-vulnerability-explained/
http://tenderlovemaking.com/2013/02/06/yaml-f7u12.html
http://blog.gemfury.com/post/42259456238/rubygems-vulnerability-explained

Slide 46

Slide 46 text

Further reading:

http://guides.rubyonrails.org/security.html Ruby On Rails Security Guide
http://rails-sqli.org Rails SQL Injection Overview
http://brakemanscanner.org Brakeman: Vulnerability scanner for Rails
https://groups.google.com/forum/rubyonrails-security

Slide 47

Slide 47 text

Questions?

Slides: https://speakerdeck.com/cypher/rails-security-primer
Blog: http://nuclearsquid.com
Contact: http://nuclearsquid.com/about