ATLRUG Security Workshop - 9/10/2014
![Page 1: ATLRUG Security Workshop - 9/10/2014](https://reader035.vdocuments.site/reader035/viewer/2022081404/559dfed51a28ab66098b47dd/html5/thumbnails/1.jpg)
Rails Security
Introductions
• Jack Mannino – CEO @nVisium
– Lives in the JVM
– Beats up on mobile + wearables
– Scala, Swift, Java (Android)
• Ken Johnson – CTO @nVisium
– Former LivingSocialite
– Develops heavily in Rails
– Railsgoat Co-Author
Why are we all here?
• Us?
– MINASWAN
• You?
– Hopefully to have some fun
Before we begin
• Machine assignment & RDP
• Credentials
– Username: trainee
– Password: tr41n1ng
• Source code: ~/pentest/railsgoat
• Text Editor: type subl
• Burp: ~/Desktop/burp/
Course Outline
• Model Layer
• Presentation Layer (View)
• Logic Layer (Controller)
• Unit-Tests
• Defensive Tools
Course Outline (Model)
• Model Layer
– Mass Assignment
– MetaProgramming
– Hashing / Encryption
– SQL Injection
Course Outline (Presentation)
• Cross-Site Scripting
• Browser Behavior
• Error Messages & Enumeration
Course Outline (Logic)
• Insecure Direct Object Reference
• Remote Code Execution
• Logic Flaws
• CSRF
• Session Handling
• Redirection
• Authentication Tips
Let’s get started
• First though, let’s walk through a few things you’ll need to know in this course:
– What is an intercepting proxy?
• FAQ (No, SSL is not a problem, let me explain why)
– Instructions on getting started
– Start Railsgoat
MODEL LAYER
Model Layer – Mass Assignment
• Mass-Assignment
– Not a huge issue in Rails 4… unless you instantiate models with data *outside* of the controller
– Rails 2 & 3 (don’t be ashamed, someone in this room is running 2.x) – Yes, very much a problem
– Audit for fun & profit
– Ready, set, hack!
Model Layer - MetaProgramming
• Code that writes code, sweet!
• Code that writes code based off user input, dangerous!
• Examples:
– Constantize
– Send
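The `constantize` / `send` bullets above, as an added example that is not from the workshop slides: plain Ruby stand-ins (`Object.const_get` for ActiveSupport's `constantize`, `public_send` for `send`) show why resolving a class or method name straight from user input is dangerous, and the allowlist form that a model should use instead. The report classes and the `type`/`action` parameter names are constructed for illustration.

```ruby
# Constructed stand-ins for the application's own model classes.
class SalesReport
  def generate; "sales report"; end
end

class InventoryReport
  def generate; "inventory report"; end
end

# DANGEROUS pattern: whatever string the request carries becomes a constant
# lookup and a method call. Nothing limits the caller to report classes or to
# the one method the feature is meant to expose.
def unsafe_build_report(type, action)
  Object.const_get(type).new.public_send(action)
end

# Hardened pattern: user input is only ever a *key* into a fixed table.
# The table, not the request, decides which classes and methods are reachable.
REPORT_TYPES = {
  "sales"     => SalesReport,
  "inventory" => InventoryReport
}.freeze
REPORT_ACTIONS = %w[generate].freeze

def safe_build_report(type, action)
  klass = REPORT_TYPES.fetch(type) { raise ArgumentError, "unknown report type: #{type.inspect}" }
  raise ArgumentError, "unknown action: #{action.inspect}" unless REPORT_ACTIONS.include?(action)
  klass.new.public_send(action)
end
```

With the unsafe version, `unsafe_build_report("Object", "inspect")` happily resolves a class the feature never intended to expose; the safe version raises `ArgumentError` for anything outside the table.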
Model Layer – Hashing/Encryption
• Hashing vs. Encryption
• Strong hashing algorithms
• Strong encryption algorithms
• Rack::Utils.secure_compare vs. "=="
• Be careful how you re-use
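The "strong hashing" and `secure_compare` vs. `==` bullets above, as an added example that is not from the workshop slides: salted PBKDF2-HMAC-SHA256 password hashing from Ruby's stdlib OpenSSL, verified with a constant-time comparison written here along the lines of `Rack::Utils.secure_compare` (so it runs without the rack gem). The iteration count and the `salt$hash` storage format are assumptions chosen for illustration.

```ruby
require "openssl"
require "securerandom"

PBKDF2_ITERATIONS = 100_000   # assumption for the example; tune to your hardware
HASH_BYTES = 32

# Derive a slow, salted hash. A random per-user salt defeats precomputed tables;
# the iteration count makes each guess expensive for an attacker who obtains the table.
def hash_password(password, salt = SecureRandom.random_bytes(16))
  digest = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt,
                                    iterations: PBKDF2_ITERATIONS,
                                    length: HASH_BYTES, hash: "sha256")
  # Constructed storage format: hex(salt) "$" hex(hash); both parts are needed to verify.
  [salt, digest].map { |b| b.unpack1("H*") }.join("$")
end

# Constant-time comparison modelled on Rack::Utils.secure_compare.
# String#== returns as soon as a byte differs, so its timing leaks how many
# leading bytes matched; this loop always visits every byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.each_byte.with_index { |byte, i| diff |= byte ^ b.getbyte(i) }
  diff.zero?
end

def verify_password(password, stored)
  salt_hex, hash_hex = stored.split("$", 2)
  salt = [salt_hex].pack("H*")
  candidate = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt,
                                       iterations: PBKDF2_ITERATIONS,
                                       length: HASH_BYTES, hash: "sha256")
  secure_compare(candidate, [hash_hex].pack("H*"))
end
```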
Model Layer – SQL Injection
• ActiveRecord - Safe… well, sort of
• http://rails-sqli.org/
• “SQLMap Hacker Fun Time”
PRESENTATION LAYER
Presentation Layer – XSS
• XSS = Cross-Site Scripting (aka HTML injection)
• DOM
• html_safe
• JSON 3.2x
• Ready, set, hack
Presentation Layer – Browser Behavior
• Cookies
– Flags
– Client-side vs. Server-side
• Caching
– Browser Caching Headers
• Headers
– CSP
– secure_headers
Presentation Layer – Error Messages
• Enumeration
• Common places
– Forgot Password Features
– Sign Up
– Profile Updates
– Login
LOGIC LAYER
Logic Layer – Insecure Direct Object Reference
• Do not trust users
• Prevention
• Ready, Set, Hack
Logic Layer - RCE
• Remote Code Execution
– YAML
– Marshal
Logic Layer – Logic Flaws
• Example 1:
– Bidding site and account lock-out
• Example 2:
– 3 step checkout, skip step 2?
• Example 3:
– Spot the bug!
Logic Layer - CSRF
• Somewhat well known aspects
– Meta tag helper
– On by default
– protect_from_forgery filter
• Not so well known…
– `match` routes bypass
– Chain of execution is not halted
Logic Layer – Session Handling
• Logout
– reset_session
– Clear session values
• Login
– reset_session
• before_filter(s)
– Take a whitelist approach
• Base access decisions off the current_user
Logic Layer - Redirection
• redirect_to… you scoundrel
• Why does this matter?
• URI.parse()
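The `redirect_to` / `URI.parse()` bullets above, as an added example that is not from the workshop slides: a plain-Ruby validator for a user-supplied "return to" target that a controller would pass to `redirect_to`. It uses stdlib `URI.parse` and accepts only same-site paths or absolute URLs on an allowlisted host, falling back to a safe default for anything else. The host list and the `fallback` parameter are assumptions for the example.

```ruby
require "uri"

# Constructed allowlist: the hosts this application is willing to redirect to.
ALLOWED_HOSTS = %w[example.com www.example.com].freeze

# Returns a redirect target that is safe to hand to redirect_to, or `fallback`.
def safe_redirect_target(target, fallback: "/")
  return fallback if target.nil? || target.strip.empty?
  uri = URI.parse(target.strip)

  if uri.scheme.nil? && uri.host.nil?
    # Path-only target. Require exactly one leading "/" so that a
    # scheme-relative "//other-host/..." is not mistaken for a local path
    # (URI.parse sets host for "//..." anyway; this guards "///..." too).
    path = uri.path.to_s
    return fallback unless path.start_with?("/") && !path.start_with?("//")
    return uri.to_s
  end

  # Absolute target: only http(s), and only to a host we explicitly allow.
  # Checking uri.host (not a substring match) also rejects "http://example.com@other-host/".
  return fallback unless %w[http https].include?(uri.scheme)
  return fallback unless ALLOWED_HOSTS.include?(uri.host)
  uri.to_s
rescue URI::InvalidURIError
  # Malformed input (e.g. backslashes) gets the default rather than an error page.
  fallback
end
```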
Logic Layer – Authentication Tips
• Account Lock-Out
• Password Complexity
• Enumeration
• Password Hashing
• (heads-up) – Covering Devise auth in upcoming release of Railsgoat
UNIT-TESTS & REGRESSION
Unit-Tests / Regression Testing
• Railsgoat has examples
– RSpec
• Regression Testing
– Why
– How
DEFENSIVE TOOLS
Defensive Tools
• Brakeman
• Bundler-Audit
• Ensnare
• Rack-attack
Q&A
Free Subscription
• Send an email to [email protected]
• Subject line – ATLRUG Free Sub
– We will set up on Friday
Contact
• Twitter:
– @cktricky
– @jack_mannino
– @mccabe615
• Email: [email protected]
• Railsgoat: http://railsgoat.cktricky.com
Thanks!
• A big “Thank you” is in order to Al Snow
THANK YOU ATLRUG