Vulnerability
A weakness that an attacker can use to exploit a system
Slide 5
Exploit
A piece of software that exploits a vulnerability to achieve unintended or unanticipated behavior
Slide 6
CVE-2012-5664
SQL Injection Vulnerability
Slide 7
SQL Injection Vulnerability
…but only exploitable if you used Authlogic or find_by_* methods in a certain way
Slide 8
A cookie like
{
  "session_id" => "41414141",
  "user_credentials" => "Phenoelit",
  "user_credentials_id" => {
    :select => " *,\"Phenoelit\" as persistence_token from users -- "
  }
}
Slide 11
User.find_by_id(params[:user_credentials_id])
…would create a query like this
User.find_by_id({:select => "*,\"Phenoelit\" as persistence_token from users --"})
SELECT *,"Phenoelit" as persistence_token from users -- FROM "users" WHERE "users"."id" IS NULL LIMIT 1
CVE-2013-0155
"Unsafe Query Generation Risk in Ruby on Rails"
Slide 16
def reset_password
  if (@user = User.find_by_token(params[:token]))
    @user.reset_password!
    render :json => 'Success'
  else
    render :json => 'Failure'
  end
end
# POST to http://localhost:3000/users/reset_password with "{\"token\":[null]}"
Slide 17
CVE-2013-0156
"Multiple vulnerabilities in parameter parsing in Action Pack"
Slide 18
Content-Type: text/xml
yaml: goes here
foo:
- 1
- 2
Slide 19
How can you exploit this?
Slide 20
class Helpers
  def initialize
    @module = Module.new
  end

  def []=(key, value)
    @module.module_eval <<-END_EVAL
      def #{value}(*args)
        # ... other stuff
      end
    END_EVAL
  end
end
Slide 24
--- !ruby/hash:Helpers
foo: |-
  mname; end; puts 'hello!'; def oops
• Ah, this is a subclass of a Ruby hash with the class of Helpers
• Create a new instance of Helpers
• Use the []= method for each key-value pair
Slide 25
class Helpers
  def initialize
    @module = Module.new
  end

  def []=(key, value)
    @module.module_eval <<-END_EVAL
      def #{value}(*args)
        # ... other stuff
      end
    END_EVAL
  end
end
['foo', "mname; end; puts 'hello!'; def oops"]
Slide 26
def mname; end; puts 'hello!'; def oops(*args)
  # ... other stuff
end
Slide 27
def mname
end
puts 'hello!'
def oops(*args)
  # ... other stuff
end
Slide 28
CVE-2013-0269
"Denial of Service and Unsafe Object Creation Vulnerability in JSON"
CVE-2013-0333
"Vulnerability in JSON Parser in Ruby on Rails 3.0 and 2.3"
Slide 31
Exploits naive JSON “parsing” in Rails
Slide 32
User.where(:login_token => params[:token]).first
SELECT * FROM `users` WHERE `login_token` = 0 LIMIT 1;
“Potential Query Manipulation with Common Rails Practices”
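The :select cookie on slide 11, the [null] token on slide 16 and the `= 0` comparison on slide 32 share a root cause: a request parameter whose type is never checked reaches a finder. As an added example that is not from the talk, the Ruby below models the deep_munge step Rails added for CVE-2013-0155 and adds a string_param! guard; the sample params, the UnsafeParameter class and the lookup_token wrapper are constructed for illustration.

```ruby
# Modelled on the "deep_munge" step Rails added for CVE-2013-0155: drop nils
# from arrays anywhere in the params and turn an array that held only nils
# into nil, so {"token"=>[nil]} can no longer become "WHERE token IS NULL".
def deep_munge(value)
  case value
  when Hash
    value.each_with_object({}) { |(k, v), h| h[k] = deep_munge(v) }
  when Array
    cleaned = value.compact.map { |v| deep_munge(v) }
    cleaned.empty? ? nil : cleaned
  else
    value
  end
end

class UnsafeParameter < ArgumentError; end

# Only a non-empty String may be used as a lookup value. A Hash (the :select
# cookie, slide 11), an Array (the [null] JSON body, slide 16) and an Integer
# (the `= 0` comparison, slide 32) are refused before they can change the
# shape of the SQL a find_by_* or where call generates.
def string_param!(params, key)
  value = deep_munge(params)[key]
  unless value.is_a?(String) && !value.empty?
    raise UnsafeParameter, "#{key} must be a non-empty string, got #{value.inspect}"
  end
  value
end

# Constructed request parameters mirroring the three slides (hypothetical data).
COOKIE_PARAMS = { "user_credentials_id" =>
                  { :select => ' *,"Phenoelit" as persistence_token from users -- ' } }
JSON_NULL_PARAMS = { "token" => [nil] }
JSON_INT_PARAMS = { "token" => 0 }
GOOD_PARAMS = { "token" => "41414141" }

# Controller-style wrapper: the accepted string, or :rejected (render Failure).
def lookup_token(params, key)
  string_param!(params, key)
rescue UnsafeParameter
  :rejected
end

if $PROGRAM_NAME == __FILE__
  p deep_munge(JSON_NULL_PARAMS)                       # {"token"=>nil}
  p lookup_token(COOKIE_PARAMS, "user_credentials_id") # :rejected
  p lookup_token(GOOD_PARAMS, "token")                 # "41414141"
end
```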
Slide 33
You might be vulnerable even if you don't know it
Slide 34
What can you do?
Slide 35
Subscribe to the relevant security news sources
rubyonrails-security
http://www.ruby-lang.org/en/security/
(etc.)
Slide 36
Treat each vulnerability as if your servers were physically on fire
(i.e., as a big, "drop everything right now", deal)
Slide 37
Checklist: What to do when a new CVE is announced
Slide 38
Checklist: What to do when you discover someone hacked you
Slide 39
Related: make a list of all your apps and their stacks
(Yes, all of them. Even the internal/non-released/non-Rails ones)
Slide 40
Minimize the number of technologies that you use
Slide 41
Invest some time & money into security
Slide 42
Add a security page to your app
Slide 44
Software Security sucks
Slide 45
Sources I used for this talk:
http://www.kalzumeus.com/2013/01/31/what-the-rails-security-issue-means-for-your-startup/
http://ronin-ruby.github.com/blog/2013/01/09/rails-pocs.html
http://ronin-ruby.github.com/blog/2013/01/28/new-rails-poc.html
http://blog.codeclimate.com/blog/2013/01/10/rails-remote-code-execution-vulnerability-explained/
http://tenderlovemaking.com/2013/02/06/yaml-f7u12.html
http://blog.gemfury.com/post/42259456238/rubygems-vulnerability-explained
Slide 46
Further reading:
http://guides.rubyonrails.org/security.html Ruby on Rails Security Guide
http://rails-sqli.org Rails SQL Injection Overview
http://brakemanscanner.org Brakeman: Vulnerability scanner for Rails
https://groups.google.com/forum/rubyonrails-security