Upgrade to Pro — share decks privately, control downloads, hide ads and more …

The Evolution of Rails Security

Justin Collins
April 18, 2018
Programming
1
660

The Evolution of Rails Security

Rails has a reputation for being secure by default, but how deserved is that reputation? Let’s take a look back at some of the low points in Rails security history: from the first Rails CVE, to the controversial GitHub mass assignment, the 2013 Rails apocalypse, and more recent remote code execution issues. Then we’ll cheer ourselves up with the many cool security features Rails has added over the years! We’ll cover auto-escaping, strong parameters, default security headers, secret storage, and less well-known features like per-form CSRF tokens and upcoming Content Security Policy support.

Justin Collins

April 18, 2018
Tweet

More Decks by Justin Collins

See All by Justin Collins
Continuous (Application) Security at DevOps Velocity
presidentbeef
0
110
Brakeman RailsConf 2017 Lightning Talk
presidentbeef
0
99
Practical Static Analysis for Continuous Application Security
presidentbeef
0
150
"...But Doesn't Rails Take Care of Security for Me?"
presidentbeef
1
330
Continuous Security with Practical Static Analysis
presidentbeef
1
250
Security Automation at Twitter - Rise of the Machines
presidentbeef
0
160
"Recent Rails SQL Issues" - 2012
presidentbeef
0
55
The World of Rails Security - RailsConf 2015
presidentbeef
8
1.1k
Tales from the Crypt
presidentbeef
1
160

Other Decks in Programming

See All in Programming
VS Code をプロダクトにどう取り込むか
onomax
1
430
Compose-View Interop in Practice (mDevCamp 2024)
stewemetal
0
140
はてなにおける CSS Modules、及び CSS Modules に足りないもの / CSS Modules in Hatena, and CSS Modules missing parts
mizdra
7
940
Ruby GitHub Packages
bkuhlmann
0
630
検証も兼ねて個人開発でHonoとかと向き合った話
hanetsuki
1
1.2k
Node.js v22 で変わること
yosuke_furukawa
PRO
9
3.5k
二郎系ラーメンのコールで学ぶ AST 解析
memory1994
PRO
7
1.7k
エンターテイメント業界で利用されるAWS
demuyan
0
210
Zero Waste, Radical Magic, and Italian Graft – Quarkus Efficiency Secrets
hollycummins
0
230
コーンフレークから始める モデリング会話入門
ogurotakayuki
0
380
try! Swift Tokyo 2024 参加報告 / try! Swift Tokyo 2024 Report
hironytic
0
210
Git Lint
bkuhlmann
4
750

Featured

See All Featured
Unsuck your backbone
ammeep
663
57k
Design by the Numbers
sachag
274
18k
StorybookのUI Testing Handbookを読んだ
zakiyama
13
4.6k
Why Our Code Smells
bkeepers
PRO
331
56k
Designing for humans not robots
tammielis
248
25k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
14
1.5k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
221
21k
Being A Developer After 40
akosma
57
580k
BBQ
matthewcrist
80
8.8k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
274
13k
What's new in Ruby 2.0
geeforr
337
31k
The Brand Is Dead. Long Live the Brand.
mthomps
49
29k

Transcript

  1. @presidentbeef The Evolution of Rails Security Justin Collins @presidentbeef RailsConf

    2018

  2. @presidentbeef Ugh, About Me 8 years of application security (AT&T

    Interactive, Twitter, SurveyMonkey) 8 years working on Brakeman OSS (Static analysis security tool for Rails) 4 years working on (More pro static analysis security tool for Rails)

  3. @presidentbeef July 2004 Rails Released to the World http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-talk/107370

  4. @presidentbeef

  5. @presidentbeef December 2005 Rails 1.0 http://weblog.rubyonrails.org/2005/12/13/rails-1-0-party-like-its-one-oh-oh/

  6. @presidentbeef

  7. @presidentbeef August 2006 CVE-2006-4111 CVE-2006-4112

  8. @presidentbeef

  9. @presidentbeef Common Vulnerabilities and Exposures

  10. @presidentbeef Common Vulnerabilities and Exposures®

  11. @presidentbeef https://cve.mitre.org/

  12. @presidentbeef CVE-2006-4111 & CVE-2006-4112

  13. @presidentbeef Panic! http://weblog.rubyonrails.org/2006/8/9/rails-1-1-5-mandatory-security-patch-and-other-tidbits/

  14. @presidentbeef Panic! http://weblog.rubyonrails.org/2006/8/10/security-update-rails-1-0-not-affected/

  15. @presidentbeef Panic! http://weblog.rubyonrails.org/2006/8/10/rails-1-1-6-backports-and-full-disclosure/

  16. @presidentbeef

  17. @presidentbeef https://blog.evanweaver.com/2006/08/12/anatomy-of-an-attack-against-1-1-4/

  18. @presidentbeef Remote Code Execution

  19. @presidentbeef October 2007 CVE-2007-5380 http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release/

  20. @presidentbeef example.com/home/?_session_id=...

  21. @presidentbeef If you’re using RESTful routing, pay special attention to

    the changes to route generation and recognition. The previous use of the semicolon in URLs has been replaced with a regular /. For instance /person/1;edit has become /person/1/edit. This change was made as several libraries, including mongrel, mistakenly treated semi-colons as query string seperators[sic] and some browsers and http libraries misbehaved.

  22. @presidentbeef February 2011 CVE-2011-0447 http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails/

  23. @presidentbeef Cross-Site Request Forgery https://bank.com/transfer?amount=100000&to=attacker1337

  24. @presidentbeef Cross-Site Request Forgery Protection “Synchronizer Token Pattern” 1. Save

    a CSRF token to the session 2. Insert the CSRF token in forms 3. Match tokens on POST/DELETE/PATCH

  25. @presidentbeef CSRF Token in Form <form accept-charset="UTF-8" action="/users" class="new_user" id="new_user"

    method="post"> <input name="authenticity_token" type="hidden" value="NvyZey4G/GuBEr6RQJTrsfX1iiptwSBWiu9XOo9h4cE=" />

  26. @presidentbeef What about XHR? It’s cool, an attacker can’t make

    an XHR request

  27. @presidentbeef http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-February/007533.html

  28. @presidentbeef Better Cross-Site Request Forgery Protection 1. Save a CSRF

    token to the session 2. Add meta-tags for JavaScript to read tokens 3. Insert the CSRF token in forms 4. Send token with XHR requests 5. Match tokens on POST/DELETE/PATCH/XHR

  29. @presidentbeef CSRF Meta Tags <meta content="authenticity_token" name="csrf-param" /> <meta content="NvyZey4G/GuBEr6RQJTrsfX1iiptwSBWiu9XOo9h4cE="

    name="csrf-token" />

  30. @presidentbeef March 2012 Mass Assignment, GitHub, and Homakov https://blog.github.com/2012-03-04-public-key-security-vulnerability-and-mitigation/

  31. @presidentbeef Mass Assignment @user = User.find(params[:id]) @user.update_attributes(params[:user])

  32. @presidentbeef Mass Assignment @user = User.find(params[:id]) @user.update_attributes(params[:user]) PUT example.com/users/1?user[admin]=true

  33. @presidentbeef https://github.com/rails/rails/issues/5228

  34. @presidentbeef

  35. @presidentbeef https://github.com/rails/rails/commit/b83965785db1eec019edf1fc272b1aa393e6dc57

  36. @presidentbeef Speculated GitHub Code class PublicKeyController < ApplicationController before_filter :authorize_user

    def update @current_key = PublicKey.find_by_id params[:public_key][:id] @current_key.update_attributes(params[:public_key]) end end https://gist.github.com/peternixey/1978249

  37. @presidentbeef More Speculation <input type="text" name="public_key[title]">

  38. @presidentbeef More Speculation <input type="text" name="public_key[title]"> <input type="text" name="public_key[user_id]">

  39. @presidentbeef Mass Assignment Over Time Rails 2 Optional white/black list

    in models Rails 3.1 Option to require whitelist in models Rails 3.2.3 Whitelist is default in new apps Rails 4 Strong Parameters

  40. @presidentbeef January 2013 CVE-2013-0156 YAML -> RCE https://groups.google.com/d/msg/rubyonrails-security/61bkgvnSGTQ/nehwjA8tQ8EJ

  41. @presidentbeef YAML Can Serialize Arbitrary Ruby Objects 2.5.0 :001 >

    require 'yaml' => true 2.5.0 :002 > YAML.dump(Object.new) => "--- !ruby/object {}\n" 2.5.0 :003 > YAML.load(_) => #<Object:0x000000000222dbf0>

  42. @presidentbeef Deserialization Can Execute Code https://github.com/charliesome/charlie.bz/blob/master/posts/rails-3.2.10-remote-code-execution.md

  43. @presidentbeef Put the YAML in the XML <id type="yaml"> ---

    !ruby/object {} </id>

  44. @presidentbeef January 2013 YAML -> RCE Part 2

  45. @presidentbeef Rails Parsed JSON as YAML

  46. @presidentbeef CVE-2014-0130 CVE-2016-0752 RCE via Render http://matasano.com/research/AnatomyOfRailsVuln-CVE-2014-0130.pdf https://nvisium.com/resources/blog/2016/01/26/rails-dynamic-render-to-rce-cve-2016-0752.html

  47. @presidentbeef Directory Traversal render "custom/#{params[:template]}"

  48. @presidentbeef Directory Traversal render "custom/#{params[:template]}" ?template=../../../../Gemfile

  49. @presidentbeef Render Defaulted to ERB render "blah.txt"

  50. @presidentbeef Log a Payload example.com/users/?x=<%25%3D+%60ls%60+%25>

  51. @presidentbeef Log a Payload example.com/users/?x=<%25%3D+%60ls%60+%25> Started GET "/users/?x=%3C%25%3D+%60ls%60+%25%3E" for 127.0.0.1

    at 2018-04-17 23:37:52 -0700 Processing by UsersController#index as HTML Parameters: {"x"=>"<%= `ls` %>"} Rendered users/index within layouts/application (0.6ms) Completed 200 OK in 16.9ms (Views: 16.4ms | ActiveRecord: 0.0ms)

  52. @presidentbeef Render Log render "custom/#{params[:template]}" ?template=../../../../log/production.log

  53. @presidentbeef No CVEs in 2017 ?!

  54. @presidentbeef Sanitizing vs. Escaping sanitize "<Some <script>prompt(1)</script>> input" => ">

    input" h "<Some <script>prompt(1)</script>> input" => "&lt;Some &lt;script&gt;prompt(1)&lt;/script&gt;&gt; input"

  55. @presidentbeef CVEs Related to Sanitizing Methods • November 2009 -

    No CVE • CVE-2011-2931 • CVE-2012-3465 • CVE-2013-1855 • CVE-2013-1857 • CVE-2015-7579 • CVE-2015-7580 • CVE-2018-8048 • CVE-2018-3741

  56. @presidentbeef Avoid! sanitize() sanitize_css() strip_tags() strip_links()

  57. @presidentbeef Rails Security Features!

  58. @presidentbeef January 2007 Rails 1.2

  59. @presidentbeef Rails 1.2: Parameter Log Filtering class ApplicationController < ActionController::Base

    filter_parameter_logging :password, :cc_number end

  60. @presidentbeef Parameter Log Filtering Started GET "/?password=[FILTERED]" for 127.0.0.1 at

    2018-04-15 11:12:36 -0700 Processing by HomeController#index as HTML Parameters: {"password"=>"[FILTERED]"} Rendered home/index.html.erb within layouts/application (0.0ms) Completed 200 OK in 4.2ms (Views: 4.1ms | ActiveRecord: 0.0ms)

  61. @presidentbeef Rails 4: Parameter Log Filtering Rails.application.config.filter_parameters += [:password] Default

    config/initializers/filter_parameter_logging.rb

  62. @presidentbeef August 2010 Brakeman 0.0.1!

  63. @presidentbeef gem install brakeman brakeman your/app

  64. @presidentbeef August 2010 Rails 3.0!

  65. @presidentbeef Rails 3.0: Auto-escaping HTML Rails 2: <%= h params[:query]

    %> Rails 3: <%= params[:query] %>

  66. @presidentbeef August 2011 Rails 3.1

  67. @presidentbeef Rails 3.1: has_secure_password class User < ActiveRecord::Model has_secure_password end

  68. @presidentbeef Rails 3.1: config.force_ssl In Rails 3.1, this just redirected

    requests to HTTPS As of Rails 5.2, this setting: • Redirects requests to HTTPS • Sets secure flag on all cookies • Sends the Strict-Transport-Security header

  69. @presidentbeef June 2013 Rails 4.0!

  70. @presidentbeef Rails 4.0: Strong Parameters Rails 3: params.class => ActiveSupport::HashWithIndifferentAccess

    Rails 4: params.class => ActionController::Parameters

  71. @presidentbeef Rails 4.0: Encrypted Session Cookies Rails 3: Session cookie

    is marshalled and signed Rails 4: Session cookie is JSON, signed, and encrypted

  72. @presidentbeef Rails 4.0: Default Headers config.action_dispatch.default_headers = { 'X-Frame-Options' =>

    'SAMEORIGIN', 'X-XSS-Protection' => '1; mode=block', 'X-Content-Type-Options' => 'nosniff' }

  73. @presidentbeef Rails 5.0: Per-form CSRF Tokens Rails.configuration.action_controller.per_form_csrf_tokens = true https://medium.com/rubyinside/a-deep-dive-into-csrf-protection-in-rails-19fa0a42c0ef

  74. @presidentbeef Rails 5.1: Encrypted Secrets rails secrets:setup rails secrets:edit https://www.engineyard.com/blog/encrypted-rails-secrets-on-rails-5.1

  75. @presidentbeef Rails 5.2: Encrypted Credentials rails credentials:edit https://www.engineyard.com/blog/rails-encrypted-credentials-on-rails-5.2

  76. @presidentbeef Rails 5.2: Default Headers config.action_dispatch.default_headers = { 'X-Frame-Options' =>

    'SAMEORIGIN', 'X-XSS-Protection' => '1; mode=block', 'X-Content-Type-Options' => 'nosniff', 'X-Download-Options' => 'noopen', 'X-Permitted-Cross-Domain-Policies' => 'none', 'Referrer-Policy' => 'strict-origin-when-cross-origin' }

  77. @presidentbeef Rails 5.2: Content-Security-Policy # config/initializers/content_security_policy.rb Rails.application.config.content_security_policy do |policy| policy.default_src

    :self, :https policy.font_src :self, :https, :data policy.img_src :self, :https, :data policy.object_src :none policy.script_src :self, :https policy.style_src :self, :https # Specify URI for violation reports policy.report_uri "/csp-violation-report-endpoint" end

  78. @presidentbeef Content Security Policy https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy

  79. @presidentbeef More Information http://guides.rubyonrails.org/security.html

  80. @presidentbeef Thank You @presidentbeef presidentbeef.com @brakemanpro brakemanpro.com @brakeman brakeman.org