Deep Dive into Application Security For Rails Engineers



zassmin

May 01, 2019

Transcript


Talk Overview
1. Application Security Overview
2. Security Reviewing an Application
   a. Application + Feature Set
   b. What can go wrong?
   c. 5 Security Principles
   d. Fixing the Problems
3. Recap

Built With
• Backend:
  ◦ Rails
  ◦ ActiveRecord
  ◦ APIs (3rd party)
• Frontend:
  ◦ Bootstrap (3rd party)
  ◦ JavaScript

What are we working on?
(Diagram: Daenerys’s browser session talks to the Winter Exchange server over GET/POST/PUT/DELETE. Requests shown: Establish User Session, GET Account Info, POST Buy, POST Send.)

What are we working on?
(Diagram, extended: the same browser-to-server flow, with the Winter Exchange server forwarding POST Buy and POST Send calls on to the DGC API and the Bank API.)

Winter Exchange’s Feature Set
• A platform to buy and send Dragon Glass Coin (DGC)
• Holds the users’ DGC
• User can send DGC to anyone with an address
• Stores users’ data
• User can buy DGC with USD

Trust Boundaries
(Diagram: the request flow from above, Daenerys’s browser session, the Winter Exchange server, the DGC API and the Bank API, with trust boundaries drawn between the browser and the server and between the server and each third-party API.)

Possible Steps to Steal this Session
1. Find a cross site scripting (XSS) vulnerability
2. Write quick HTML/JavaScript
3. Phish the user somehow to use the HTML/JavaScript
4. Steal cookie

Fixing the Problems
1. Leaked the Session
2. Cross Site Scripting Vulnerability in Bootstrap
3. Taking Daenerys’ DGC out of Winter Exchange

What if Daenerys can get someone else’s account information?
(Screenshot: Daenerys, logged in to her own account, opens winterexchange.com/user/3 and sees Aegon Targaryen’s account page.)
• Aegon Targaryen
• Personal Address:
  ◦ Tower of Joy
• Driver’s License
• DGC Address

Fixing the Problems
1. Authorization
2. Insecure Direct Object Reference
3. Access to another User’s Account Information
   a. Leaking Information

UUID
1. 32 hexadecimal (base 16) digits, plus hyphens
2. f81d4fae-7dec-11d0-a765-00a0c91e6bf6
3. One way hashing, deterministically generated
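
The account-page problem above (Authorization, Insecure Direct Object Reference, and the UUID slide) in working code. This is an added example, not code from the talk or from Winter Exchange: the in-memory USERS table, the NotAuthorized error, the Pundit-style AccountPolicy and the show_account* handlers are all constructed for illustration, and the Pundit gem the talk recommends is not used so the file runs with the Ruby standard library alone. The insecure handler is what /user/3 implies: it trusts whatever id the client put in the URL. The fixed handler enforces ownership on the server, and the last handler scopes the lookup to the current user and keys it by a random version-4 UUID, which removes both the cross-user path and the guessable sequential id.

```ruby
require "securerandom"

# Constructed stand-in for the users table (not Winter Exchange code). Each
# record carries the sequential database id that /user/3 exposes and a random
# public_id (UUID v4) that can be used in URLs instead.
User = Struct.new(:id, :public_id, :name, :personal_address, :dgc_address,
                  keyword_init: true)

USERS = [
  User.new(id: 1, public_id: SecureRandom.uuid, name: "Daenerys Targaryen",
           personal_address: "Dragonstone", dgc_address: "dgc1daenerys"),
  User.new(id: 3, public_id: SecureRandom.uuid, name: "Aegon Targaryen",
           personal_address: "Tower of Joy", dgc_address: "dgc1aegon"),
].freeze

# 32 hex digits plus hyphens; the "4" and "[89ab]" pin the version-4 layout.
UUID_RE = /\A\h{8}-\h{4}-4\h{3}-[89ab]\h{3}-\h{12}\z/

class NotAuthorized < StandardError; end

# Insecure direct object reference: looks the record up by the client-supplied
# id and never asks whether current_user is allowed to see it.
def show_account_insecure(current_user, param_id)
  USERS.find { |u| u.id == Integer(param_id) }
end

# Pundit-style policy object (hypothetical name): only the owner may read the
# account record. A missing record is treated the same as a forbidden one so
# the response does not reveal which ids exist.
class AccountPolicy
  def initialize(current_user, record)
    @current_user = current_user
    @record = record
  end

  def show?
    !@record.nil? && @record.id == @current_user.id
  end
end

# Fixed handler: authorization is decided on the server, regardless of how the
# client obtained the identifier.
def show_account(current_user, param_id)
  record = USERS.find { |u| u.id == Integer(param_id) }
  raise NotAuthorized unless AccountPolicy.new(current_user, record).show?
  record
end

# Lookup scoped to the current user's own records and keyed by the random
# public id. Scoping removes the cross-user path entirely; the UUID removes
# the ability to enumerate ids. Malformed ids are rejected before the lookup.
def show_account_by_public_id(current_user, public_id)
  return nil unless UUID_RE.match?(public_id.to_s.downcase)
  USERS.find { |u| u.id == current_user.id && u.public_id == public_id }
end
```

The point the two fixed handlers make together: UUIDs hide the sequence but are not an authorization mechanism on their own, so the ownership check (or the scoped query, which in Rails would be the equivalent of looking the record up through current_user's own association) stays in place either way.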

How did Daenerys get 3 Dragons?
(Diagram: from Daenerys’s active session, Buying DGC for $100 is sent to the Winter Exchange server, which calls Process Buy on the Bank API. The Bank API replies Error Processing Payment, and the server processes the error as a successful request.)
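
The Bank API failure above, and the principle it illustrates (Fail Securely / Explicitly), as an added example that is not code from the talk. The BankResponse struct, the Account struct, the 3 DGC per $100 rate and the JSON shape with a "state" field are all constructed for illustration and do not describe any real bank API. The unsafe version mirrors the slide: it credits DGC whatever the Bank API returned. The fixed version credits only on an explicit, parsed success that matches the amount requested, and fails closed on everything else (non-2xx status, unparseable body, a "pending" or any other state, a mismatched amount).

```ruby
require "json"

# Constructed stand-in for a Bank API charge response (not a real API).
BankResponse = Struct.new(:status, :body, keyword_init: true)

# Constructed account balance; Rational keeps the money arithmetic exact.
Account = Struct.new(:usd_charged, :dgc, keyword_init: true)
DGC_PER_USD = Rational(3, 100) # constructed rate: $100 buys 3 DGC, as on the slide

# Before: any return from the Bank API, including an error, is treated as a
# completed payment, so a failed charge still credits DGC.
def process_buy_unsafe(account, usd, _response)
  account.usd_charged += usd
  account.dgc += usd * DGC_PER_USD
  :credited
end

class PaymentFailed < StandardError; end

# After: credit DGC only on an explicit "succeeded" result for the requested
# amount; every other case raises and leaves the balance untouched.
def process_buy(account, usd, response)
  unless (200..299).cover?(response.status)
    raise PaymentFailed, "Bank API returned HTTP #{response.status}"
  end

  payload = begin
    JSON.parse(response.body)
  rescue JSON::ParserError => e
    raise PaymentFailed, "unparseable Bank API body: #{e.message}"
  end

  unless payload.is_a?(Hash) &&
         payload["state"] == "succeeded" &&
         payload["amount_usd"] == usd
    raise PaymentFailed, "charge not confirmed: #{payload.inspect}"
  end

  account.usd_charged += usd
  account.dgc += usd * DGC_PER_USD
  :credited
end

# Controller-level wrapper: turns a failed payment into a rejected order
# instead of letting it fall through as success.
def attempt_buy(account, usd, response)
  process_buy(account, usd, response)
rescue PaymentFailed
  :rejected
end
```

The design choice worth noticing is that the fixed path has a single success branch and several named failure branches, so a new response shape from the third party defaults to "reject" rather than to "credit". That is also what the talk's Don’t Trust Services / 3rd Parties principle asks for.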

Prevention Focused Solutions
1. Restrict cookie flags
2. Sanitize HTML
3. Patch 3rd party libraries
4. Write tests
5. Have second factor auth
6. Data confidentiality plan
7. UUIDs
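
Items 1 and 2 above, applied to the cookie-theft scenario from the Possible Steps to Steal this Session slide, as an added example that is not code from the talk. The Set-Cookie headers are written out by hand so the flags are visible; in a Rails application the same flags are set through the session store and cookie options rather than by building the header string, and the <%= %> ERB tag already applies the same escaping that ERB::Util.html_escape does below. The session id and display name values are constructed. The weak cookie is readable from document.cookie and sent over plain HTTP, which is exactly what an XSS payload in an unpatched front-end library needs; the hardened cookie denies script access (HttpOnly), restricts it to HTTPS (Secure) and limits cross-site attachment (SameSite=Lax), and the escaped rendering keeps a stored name from becoming markup.

```ruby
require "erb"

# Weak: no flags beyond Path, so JavaScript can read the session cookie and
# it is sent over plain HTTP as well as HTTPS.
def session_cookie_weak(session_id)
  "session=#{session_id}; Path=/"
end

# Hardened: HttpOnly hides the cookie from document.cookie, Secure restricts it
# to HTTPS, SameSite=Lax keeps most cross-site requests from carrying it, and a
# bounded Max-Age limits how long a leaked value stays useful (20 minutes here
# is a constructed choice).
def session_cookie_hardened(session_id, max_age: 20 * 60)
  "session=#{session_id}; Path=/; Max-Age=#{max_age}; HttpOnly; Secure; SameSite=Lax"
end

# Attribute names present on a Set-Cookie header, excluding the cookie itself.
def cookie_flags(header)
  header.split(";").map(&:strip).drop(1).map { |attr| attr.split("=").first }
end

# Simple check a test suite can run against every Set-Cookie header the app
# emits: the session cookie must carry both HttpOnly and Secure.
def session_cookie_hardened?(header)
  (%w[HttpOnly Secure] - cookie_flags(header)).empty?
end

# Rendering a user-supplied display name. Unescaped interpolation turns the
# stored value into markup; escaping turns <, >, &, " and ' into entities.
def render_greeting_unsafe(name)
  "<p>Welcome, #{name}</p>"
end

def render_greeting(name)
  "<p>Welcome, #{ERB::Util.html_escape(name)}</p>"
end
```

Escaping (output encoding) is the right tool when the value is plain text; sanitizing, in the sense of allowing a restricted subset of HTML through, is a separate step that only applies where the application intends to render user-authored markup, and the page's item 4 (write tests) is where a check such as session_cookie_hardened? belongs.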

Security Principles
1. Don’t Trust the Client
2. Don’t Trust Services / 3rd Parties
3. Defense in Depth / Secure by Default
4. Least Privilege
5. Fail Securely / Explicitly

Learn More
• Coinbase Security Blog: https://blog.coinbase.com/tagged/security
• Crypto Graveyard: https://magoo.github.io/Blockchain-Graveyard/
• Adam Shostack, Learning to Threat Model for Security Professionals: https://www.linkedin.com/learning/learning-threat-modeling-for-security-professionals
• OWASP: https://www.owasp.org/index.php/Security_by_Design_Principles
• Brad Ediger, Advanced Rails: https://learning.oreilly.com/library/view/advanced-rails (security chapter)
• Secure Headers Gem: https://github.com/twitter/secure_headers
• Salus Gem: https://github.com/coinbase/salus
• Adam Shostack, Threat Modeling: https://www.amazon.com/Threat-Modeling-Designing-Adam-Shostack/dp/1118809998
• Bundler Audit Gem: https://github.com/rubysec/bundler-audit
• Brakeman Gem: https://github.com/presidentbeef/brakeman
• Pundit Gem: https://github.com/varvet/pundit
• Michal Zalewski, The Tangled Web: https://www.amazon.com/Tangled-Web-Securing-Modern-Applications/dp/1593273886

Resources
• Crypto Graveyard: https://magoo.github.io/Blockchain-Graveyard/
• Adam Shostack, Learning to Threat Model for Security Professionals: https://www.linkedin.com/learning/learning-threat-modeling-for-security-professionals
• OWASP: https://www.owasp.org/index.php/Security_by_Design_Principles
• Brad Ediger, Advanced Rails: https://learning.oreilly.com/library/view/advanced-rails (security chapter)
• Secure Headers Gem: https://github.com/twitter/secure_headers
• Salus Gem: https://github.com/coinbase/salus
• Adam Shostack, Threat Modeling: https://www.amazon.com/Threat-Modeling-Designing-Adam-Shostack/dp/1118809998
• Bundler Audit Gem: https://github.com/rubysec/bundler-audit
• Brakeman Gem: https://github.com/presidentbeef/brakeman
• Pundit Gem: https://github.com/varvet/pundit
• Kirill Gorshkov: https://blog.smartdec.net/bug-vs-vulnerability-d6d4dc4068bd
• Michal Zalewski, The Tangled Web: https://www.amazon.com/Tangled-Web-Securing-Modern-Applications/dp/1593273886

Image Resources
• Dragon Glass Coin by Lisa Engler: https://dribbble.com/lisaengler
• Ruby on Rails logo: https://commons.wikimedia.org/wiki/File:Ruby_on_Rails_logo.svg
• Game of Thrones Logo: https://commons.wikimedia.org/wiki/File:Game_of_Thrones_2011_logo.svg
• Warning Sign: https://pixabay.com/vectors/warning-sign-30915/
• Daenerys’s image: https://3diphonewallpaper.com/daenerys-targaryen-game-of-thrones-iphone-wallpaper-9527/
• Cookie: http://www.publicdomainfiles.com/show_file.php?id=13968371414517
• Salus Logo: https://github.com/coinbase/salus
• Brakeman Logo: https://github.com/presidentbeef/brakeman
• Bundler Audit Logo: https://github.com/rubysec/bundler-audit
• Jean Patch photo: https://www.flickr.com/photos/woolgenie/22805676928
• Duo logo and image: https://brandfolder.com/duo/public-brand-assets
• Yubico logo and image: https://www.yubico.com/press/images/
• Google Authenticator Logo: https://en.wikipedia.org/wiki/Google_Authenticator
• Jon Snow: https://images.app.goo.gl/prM2x1bFJiBdWWM27
• Bitmoji App