Upgrade to Pro — share decks privately, control downloads, hide ads and more …

The Evolution of Rails Security

Justin Collins
April 18, 2018
Programming
1
780

The Evolution of Rails Security

Rails has a reputation for being secure by default, but how deserved is that reputation? Let’s take a look back at some of the low points in Rails security history: from the first Rails CVE, to the controversial GitHub mass assignment, the 2013 Rails apocalypse, and more recent remote code execution issues. Then we’ll cheer ourselves up with the many cool security features Rails has added over the years! We’ll cover auto-escaping, strong parameters, default security headers, secret storage, and less well-known features like per-form CSRF tokens and upcoming Content Security Policy support.

Justin Collins

April 18, 2018
Tweet

More Decks by Justin Collins

See All by Justin Collins
Continuous (Application) Security at DevOps Velocity
presidentbeef
0
130
Brakeman RailsConf 2017 Lightning Talk
presidentbeef
0
130
Practical Static Analysis for Continuous Application Security
presidentbeef
0
190
"...But Doesn't Rails Take Care of Security for Me?"
presidentbeef
1
410
Continuous Security with Practical Static Analysis
presidentbeef
1
290
Security Automation at Twitter - Rise of the Machines
presidentbeef
0
220
"Recent Rails SQL Issues" - 2012
presidentbeef
0
64
The World of Rails Security - RailsConf 2015
presidentbeef
8
1.2k
Tales from the Crypt
presidentbeef
1
220

Other Decks in Programming

See All in Programming
On-the-fly Suggestions of Rewriting Method Deprecations
ohbarye
1
2.9k
PHPで書いたAPIをGoに書き換えてみた 〜パフォーマンス改善の可能性を探る実験レポート〜
koguuum
0
170
小田原でみんなで一句詠みたいな #phpcon_odawara
stefafafan
0
340
状態と共に暮らす:ステートフルへの挑戦
ypresto
1
690
Vibe Codingをせずに Clineを使っている
watany
17
6.3k
Chrome Extension Techniques from Hell
moznion
1
160
[NG India] Event-Based State Management with NgRx SignalStore
markostanimirovic
1
160
「理解」を重視したAI活用開発
fast_doctor
0
150
Agentic Applications with Symfony
el_stoffel
2
310
MCP調べてみました! / Exploring MCP
uhzz
2
2.3k
gen_statem - OTP's Unsung Hero
whatyouhide
1
210
SwiftUI API Design Lessons
niw
1
290

Featured

See All Featured
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
29
2.5k
Agile that works and the tools we love
rasmusluckow
328
21k
BBQ
matthewcrist
88
9.6k
The Straight Up "How To Draw Better" Workshop
denniskardys
232
140k
Writing Fast Ruby
sferik
628
61k
The Power of CSS Pseudo Elements
geoffreycrofte
75
5.8k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
30
2.3k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
32
5.4k
Speed Design
sergeychernyshev
29
900
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
29
9.4k
Mobile First: as difficult as doing things right
swwweet
223
9.6k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
23
2.6k

Transcript

  1. @presidentbeef The Evolution of Rails Security Justin Collins @presidentbeef RailsConf

    2018

  2. @presidentbeef Ugh, About Me 8 years of application security (AT&T

    Interactive, Twitter, SurveyMonkey) 8 years working on Brakeman OSS (Static analysis security tool for Rails) 4 years working on (More pro static analysis security tool for Rails)

  3. @presidentbeef July 2004 Rails Released to the World http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-talk/107370

  4. @presidentbeef

  5. @presidentbeef December 2005 Rails 1.0 http://weblog.rubyonrails.org/2005/12/13/rails-1-0-party-like-its-one-oh-oh/

  6. @presidentbeef

  7. @presidentbeef August 2006 CVE-2006-4111 CVE-2006-4112

  8. @presidentbeef

  9. @presidentbeef Common Vulnerabilities and Exposures

  10. @presidentbeef Common Vulnerabilities and Exposures®

  11. @presidentbeef https://cve.mitre.org/

  12. @presidentbeef CVE-2006-4111 & CVE-2006-4112

  13. @presidentbeef Panic! http://weblog.rubyonrails.org/2006/8/9/rails-1-1-5-mandatory-security-patch-and-other-tidbits/

  14. @presidentbeef Panic! http://weblog.rubyonrails.org/2006/8/10/security-update-rails-1-0-not-affected/

  15. @presidentbeef Panic! http://weblog.rubyonrails.org/2006/8/10/rails-1-1-6-backports-and-full-disclosure/

  16. @presidentbeef

  17. @presidentbeef https://blog.evanweaver.com/2006/08/12/anatomy-of-an-attack-against-1-1-4/

  18. @presidentbeef Remote Code Execution

  19. @presidentbeef October 2007 CVE-2007-5380 http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release/

  20. @presidentbeef example.com/home/?_session_id=...

  21. @presidentbeef If you’re using RESTful routing, pay special attention to

    the changes to route generation and recognition. The previous use of the semicolon in URLs has been replaced with a regular /. For instance /person/1;edit has become /person/1/edit. This change was made as several libraries, including mongrel, mistakenly treated semi-colons as query string seperators[sic] and some browsers and http libraries misbehaved.

  22. @presidentbeef February 2011 CVE-2011-0447 http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails/

  23. @presidentbeef Cross-Site Request Forgery https://bank.com/transfer?amount=100000&to=attacker1337

  24. @presidentbeef Cross-Site Request Forgery Protection “Synchronizer Token Pattern” 1. Save

    a CSRF token to the session 2. Insert the CSRF token in forms 3. Match tokens on POST/DELETE/PATCH

  25. @presidentbeef CSRF Token in Form <form accept-charset="UTF-8" action="/users" class="new_user" id="new_user"

    method="post"> <input name="authenticity_token" type="hidden" value="NvyZey4G/GuBEr6RQJTrsfX1iiptwSBWiu9XOo9h4cE=" />

  26. @presidentbeef What about XHR? It’s cool, an attacker can’t make

    an XHR request

  27. @presidentbeef http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-February/007533.html

  28. @presidentbeef Better Cross-Site Request Forgery Protection 1. Save a CSRF

    token to the session 2. Add meta-tags for JavaScript to read tokens 3. Insert the CSRF token in forms 4. Send token with XHR requests 5. Match tokens on POST/DELETE/PATCH/XHR

  29. @presidentbeef CSRF Meta Tags <meta content="authenticity_token" name="csrf-param" /> <meta content="NvyZey4G/GuBEr6RQJTrsfX1iiptwSBWiu9XOo9h4cE="

    name="csrf-token" />

  30. @presidentbeef March 2012 Mass Assignment, GitHub, and Homakov https://blog.github.com/2012-03-04-public-key-security-vulnerability-and-mitigation/

  31. @presidentbeef Mass Assignment @user = User.find(params[:id]) @user.update_attributes(params[:user])

  32. @presidentbeef Mass Assignment @user = User.find(params[:id]) @user.update_attributes(params[:user]) PUT example.com/users/1?user[admin]=true

  33. @presidentbeef https://github.com/rails/rails/issues/5228

  34. @presidentbeef

  35. @presidentbeef https://github.com/rails/rails/commit/b83965785db1eec019edf1fc272b1aa393e6dc57

  36. @presidentbeef Speculated GitHub Code class PublicKeyController < ApplicationController before_filter :authorize_user

    def update @current_key = PublicKey.find_by_id params[:public_key][:id] @current_key.update_attributes(params[:public_key]) end end https://gist.github.com/peternixey/1978249

  37. @presidentbeef More Speculation <input type="text" name="public_key[title]">

  38. @presidentbeef More Speculation <input type="text" name="public_key[title]"> <input type="text" name="public_key[user_id]">

  39. @presidentbeef Mass Assignment Over Time Rails 2 Optional white/black list

    in models Rails 3.1 Option to require whitelist in models Rails 3.2.3 Whitelist is default in new apps Rails 4 Strong Parameters

  40. @presidentbeef January 2013 CVE-2013-0156 YAML -> RCE https://groups.google.com/d/msg/rubyonrails-security/61bkgvnSGTQ/nehwjA8tQ8EJ

  41. @presidentbeef YAML Can Serialize Arbitrary Ruby Objects 2.5.0 :001 >

    require 'yaml' => true 2.5.0 :002 > YAML.dump(Object.new) => "--- !ruby/object {}\n" 2.5.0 :003 > YAML.load(_) => #<Object:0x000000000222dbf0>

  42. @presidentbeef Deserialization Can Execute Code https://github.com/charliesome/charlie.bz/blob/master/posts/rails-3.2.10-remote-code-execution.md

  43. @presidentbeef Put the YAML in the XML <id type="yaml"> ---

    !ruby/object {} </id>

  44. @presidentbeef January 2013 YAML -> RCE Part 2

  45. @presidentbeef Rails Parsed JSON as YAML

  46. @presidentbeef CVE-2014-0130 CVE-2016-0752 RCE via Render http://matasano.com/research/AnatomyOfRailsVuln-CVE-2014-0130.pdf https://nvisium.com/resources/blog/2016/01/26/rails-dynamic-render-to-rce-cve-2016-0752.html

  47. @presidentbeef Directory Traversal render "custom/#{params[:template]}"

  48. @presidentbeef Directory Traversal render "custom/#{params[:template]}" ?template=../../../../Gemfile

  49. @presidentbeef Render Defaulted to ERB render "blah.txt"

  50. @presidentbeef Log a Payload example.com/users/?x=<%25%3D+%60ls%60+%25>

  51. @presidentbeef Log a Payload example.com/users/?x=<%25%3D+%60ls%60+%25> Started GET "/users/?x=%3C%25%3D+%60ls%60+%25%3E" for 127.0.0.1

    at 2018-04-17 23:37:52 -0700 Processing by UsersController#index as HTML Parameters: {"x"=>"<%= `ls` %>"} Rendered users/index within layouts/application (0.6ms) Completed 200 OK in 16.9ms (Views: 16.4ms | ActiveRecord: 0.0ms)

  52. @presidentbeef Render Log render "custom/#{params[:template]}" ?template=../../../../log/production.log

  53. @presidentbeef No CVEs in 2017 ?!

  54. @presidentbeef Sanitizing vs. Escaping sanitize "<Some <script>prompt(1)</script>> input" => ">

    input" h "<Some <script>prompt(1)</script>> input" => "&lt;Some &lt;script&gt;prompt(1)&lt;/script&gt;&gt; input"

  55. @presidentbeef CVEs Related to Sanitizing Methods • November 2009 -

    No CVE • CVE-2011-2931 • CVE-2012-3465 • CVE-2013-1855 • CVE-2013-1857 • CVE-2015-7579 • CVE-2015-7580 • CVE-2018-8048 • CVE-2018-3741

  56. @presidentbeef Avoid! sanitize() sanitize_css() strip_tags() strip_links()

  57. @presidentbeef Rails Security Features!

  58. @presidentbeef January 2007 Rails 1.2

  59. @presidentbeef Rails 1.2: Parameter Log Filtering class ApplicationController < ActionController::Base

    filter_parameter_logging :password, :cc_number end

  60. @presidentbeef Parameter Log Filtering Started GET "/?password=[FILTERED]" for 127.0.0.1 at

    2018-04-15 11:12:36 -0700 Processing by HomeController#index as HTML Parameters: {"password"=>"[FILTERED]"} Rendered home/index.html.erb within layouts/application (0.0ms) Completed 200 OK in 4.2ms (Views: 4.1ms | ActiveRecord: 0.0ms)

  61. @presidentbeef Rails 4: Parameter Log Filtering Rails.application.config.filter_parameters += [:password] Default

    config/initializers/filter_parameter_logging.rb

  62. @presidentbeef August 2010 Brakeman 0.0.1!

  63. @presidentbeef gem install brakeman brakeman your/app

  64. @presidentbeef August 2010 Rails 3.0!

  65. @presidentbeef Rails 3.0: Auto-escaping HTML Rails 2: <%= h params[:query]

    %> Rails 3: <%= params[:query] %>

  66. @presidentbeef August 2011 Rails 3.1

  67. @presidentbeef Rails 3.1: has_secure_password class User < ActiveRecord::Model has_secure_password end

  68. @presidentbeef Rails 3.1: config.force_ssl In Rails 3.1, this just redirected

    requests to HTTPS As of Rails 5.2, this setting: • Redirects requests to HTTPS • Sets secure flag on all cookies • Sends the Strict-Transport-Security header

  69. @presidentbeef June 2013 Rails 4.0!

  70. @presidentbeef Rails 4.0: Strong Parameters Rails 3: params.class => ActiveSupport::HashWithIndifferentAccess

    Rails 4: params.class => ActionController::Parameters

  71. @presidentbeef Rails 4.0: Encrypted Session Cookies Rails 3: Session cookie

    is marshalled and signed Rails 4: Session cookie is JSON, signed, and encrypted

  72. @presidentbeef Rails 4.0: Default Headers config.action_dispatch.default_headers = { 'X-Frame-Options' =>

    'SAMEORIGIN', 'X-XSS-Protection' => '1; mode=block', 'X-Content-Type-Options' => 'nosniff' }

  73. @presidentbeef Rails 5.0: Per-form CSRF Tokens Rails.configuration.action_controller.per_form_csrf_tokens = true https://medium.com/rubyinside/a-deep-dive-into-csrf-protection-in-rails-19fa0a42c0ef

  74. @presidentbeef Rails 5.1: Encrypted Secrets rails secrets:setup rails secrets:edit https://www.engineyard.com/blog/encrypted-rails-secrets-on-rails-5.1

  75. @presidentbeef Rails 5.2: Encrypted Credentials rails credentials:edit https://www.engineyard.com/blog/rails-encrypted-credentials-on-rails-5.2

  76. @presidentbeef Rails 5.2: Default Headers config.action_dispatch.default_headers = { 'X-Frame-Options' =>

    'SAMEORIGIN', 'X-XSS-Protection' => '1; mode=block', 'X-Content-Type-Options' => 'nosniff', 'X-Download-Options' => 'noopen', 'X-Permitted-Cross-Domain-Policies' => 'none', 'Referrer-Policy' => 'strict-origin-when-cross-origin' }

  77. @presidentbeef Rails 5.2: Content-Security-Policy # config/initializers/content_security_policy.rb Rails.application.config.content_security_policy do |policy| policy.default_src

    :self, :https policy.font_src :self, :https, :data policy.img_src :self, :https, :data policy.object_src :none policy.script_src :self, :https policy.style_src :self, :https # Specify URI for violation reports policy.report_uri "/csp-violation-report-endpoint" end

  78. @presidentbeef Content Security Policy https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy

  79. @presidentbeef More Information http://guides.rubyonrails.org/security.html

  80. @presidentbeef Thank You @presidentbeef presidentbeef.com @brakemanpro brakemanpro.com @brakeman brakeman.org