triangle.rb - how secure is your rails site, anyway?


Upload: cory-foy

Post on 20-May-2015

DESCRIPTION

In this talk from Triangle.rb, Cory Foy details the state of Rails security, including paying attention to the libraries you use. He includes real-world examples of exploits and links to resources.

TRANSCRIPT

Page 1: Triangle.rb - How Secure is Your Rails Site, Anyway?

http://www.flickr.com/photos/mthierry/4595284293
http://www.flickr.com/photos/111692634@N04

How Secure is Your Rails Site, Anyway?

Cory Foy
[email protected]
@cory_foy

Tuesday, March 11, 14

Page 2

Security in a Web World

http://blogs.msdn.com/blogfiles/rds/WindowsLiveWriter/RDGatewaydeploymentinaperimeternetworkFi_CBD0/clip_image002_thumb.jpg

http://www.comtelindia.com/images/network_diagram_largepic.jpg


Page 3

Heartland Payment Systems - 134 million credit cards exposed via a SQL injection attack and spyware

TJX Companies - 94 million credit cards exposed after weak WiFi or in-store kiosk security was compromised

LivingSocial - 50 million records stolen, including names, dates of birth and salted passwords

Federal Reserve - 4,000 records of key bank executives containing personal information stolen via a vulnerability in an internal website

Smuckers - names, addresses, credit and debit card numbers, expiration dates and verification codes stolen from the online store

Target - 40-70 million credit cards, PINs and CVVs stolen

Page 4

Cory Foy
[email protected]

@cory_foy

blog.coryfoy.com

prettykoolapps.com


Page 5

OWASP - Open Web Application Security Project


Page 6

2003

Unvalidated Parameters

Command Injection Flaws

Cross Site Scripting Flaws

Buffer Overflows

Error Handling Problems

Insecure Use of Cryptology

Broken Access Control

Web and Application Server Misconfiguration


Page 7

2013

Injection

Cross Site Scripting

Cross Site Request Forgery

Insecure Direct Object References

Unvalidated Redirects and Forwards

Sensitive Data Exposure

Missing Function Level Access Control

Broken Authentication and Session Management

Security Misconfiguration

Using Components with Known Vulnerabilities

2003

Unvalidated Parameters

Command Injection Flaws

Cross Site Scripting Flaws

Buffer Overflows

Error Handling Problems

Insecure Use of Cryptology

Broken Access Control

Web and Application Server Misconfiguration


Page 8

Rails Security


Page 9

OWASP Top 10 (2013)                            | Rails
-----------------------------------------------|------------------------------------------
Injection                                      | Built in filter to escape SQL characters
Cross Site Scripting                           | By default, Rails escapes HTML
Cross Site Request Forgery                     | REST / protect_from_forgery
Insecure Direct Object References              | Manual
Unvalidated Redirects and Forwards             | Manual
Sensitive Data Exposure                        | Manual
Missing Function Level Access Control          | Manual / Partials
Broken Authentication and Session Management   | secret_key_base / reset_session
Security Misconfiguration                      | Manual
Using Components with Known Vulnerabilities    | Manual / Gems


Page 10

Injection

http://xkcd.com/327/

http://localhost:3000/bad/injection?id=1


Page 11

Cross Site Scripting

http://localhost:3000/bad/comments


Page 12

Cross Site Request Forgery

http://localhost:3000/bad/comments


Page 13

Insecure Direct Object References

http://localhost:3000/bad/upload_file


Page 14

Unvalidated Redirects and Forwards

http://localhost:3000/bad/index


Page 15

Sensitive Data Exposure

http://plaintextoffenders.com/

http://localhost:3000/bad/make_payment

http://ghost.teario.com/how-not-to-write-an-api/


Page 16

Missing Function Level Access Control

http://localhost:3000/bad/index


Page 17

Broken Authentication and Session Management


Page 18

Security Misconfiguration

https://github.com/CoryFoy/railssecurityexample


Page 19

Using Components with Known Vulnerabilities


Page 20

Standard Rails: 684,805 lines of default included Gem code


Page 22

Responsible Disclosure


Page 23

Sorcery Config.send

https://github.com/NoamB/sorcery/

Problem: Sorcery allows the configuration of multiple providers. It figured out the right one by calling

Config.send(provider_name.to_sym)

rails c
Object.ancestors
Kernel.methods(false).sort

Why's that a problem?

Fix: Don't trust user-modifiable input, ever

Page 24

Doorkeeper Symbol GC

https://github.com/applicake/doorkeeper/

Problem: Doorkeeper and Sorcery converted user input to symbols. Symbols are not GC'd, so they can use up a lot of memory quickly

Why's that a problem?

loop { (Time.now.to_f.to_s * 100000).to_sym }

Fix: Inspect user input as a string before converting to a symbol. Whitelist where possible

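As an added example covering both the Sorcery `Config.send` slide and the Doorkeeper symbol slide (this is illustration code, not either gem's), a provider lookup in the `send(name.to_sym)` shape beside the allow-listed version the two fixes describe; the `ProviderConfig` module, its provider hash and the lookup methods are constructed for this example.

```ruby
# Constructed illustration of the "user input becomes a method name and a
# symbol" pattern; not code from Sorcery or Doorkeeper.
module ProviderConfig
  # Constructed provider settings; a real app loads these from an initializer.
  PROVIDERS = {
    'twitter'  => { site: 'https://api.twitter.com' },
    'facebook' => { site: 'https://graph.facebook.com' }
  }.freeze

  # Dynamic readers so that ProviderConfig.twitter works like Config.twitter.
  PROVIDERS.each do |name, settings|
    define_singleton_method(name) { settings }
  end

  class UnknownProvider < ArgumentError; end

  # The pattern criticised on the slide: the provider name arrives from the
  # request and is used directly as a method name. Two problems follow:
  #   1. send reaches every method on this module, including those inherited
  #      from Object and Kernel (compare Object.ancestors in the console);
  #   2. every distinct string is interned as a symbol before the call fails,
  #      which on Rubies without symbol GC is memory that is never freed.
  def self.unsafe_lookup(provider_name)
    send(provider_name.to_sym)
  end

  # The fix both slides recommend: compare the raw string against an
  # allow-list first. Unknown values never become a symbol or a method call,
  # and public_send cannot reach private Kernel methods even if they did.
  def self.safe_lookup(provider_name)
    unless provider_name.is_a?(String) && PROVIDERS.key?(provider_name)
      raise UnknownProvider, 'unknown provider'
    end
    public_send(provider_name.to_sym)
  end
end
```

Ruby 2.2 and later garbage-collect dynamically created symbols, so the memory-exhaustion half of the problem applies to the Ruby versions current when this talk was given; the method-dispatch half does not depend on the Ruby version.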

Page 25

I18n Injection Issue

https://github.com/rails/rails
https://github.com/svenfuchs/i18n

Problem: Missing locales showed an error message which exposed a Cross-Site Scripting attack vector

Why’s that a problem?

http://mysite.com/?locale="<script>alert('Hi Mom')</script>"

Fix: Don’t trust user-modifiable input, ever

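The locale case, as an added example that is not code from rails/rails or the i18n gem: the request parameter is checked against an allow-list before it is used, and if the rejected value is reported at all it is HTML-escaped first. `LocaleGuard`, its `AVAILABLE` list and the method names are constructed for this example; a Rails app would use `I18n.available_locales`.

```ruby
require 'erb'

# Constructed illustration of handling a ?locale= parameter safely.
module LocaleGuard
  # Constructed allow-list standing in for I18n.available_locales.
  AVAILABLE = %w[en de fr].freeze
  DEFAULT   = 'en'

  # Pick the locale for a request. Anything that is not a String on the
  # allow-list falls back to the default, so a crafted value never becomes a
  # translation lookup key or a symbol.
  def self.resolve(param)
    param.is_a?(String) && AVAILABLE.include?(param) ? param : DEFAULT
  end

  # If the application does echo the rejected value (the path the i18n issue
  # took), the value is escaped before it is placed in markup. Returns the
  # message fragment as it should be written into an HTML page.
  def self.missing_locale_message(param)
    "Locale #{ERB::Util.html_escape(param.to_s)} is not available"
  end

  # Both results for one request parameter: the locale to use and, when the
  # parameter was rejected, the escaped message; nil when it was accepted.
  def self.handle(param)
    locale  = resolve(param)
    message = locale == param ? nil : missing_locale_message(param)
    { locale: locale, message: message }
  end
end
```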

Page 26

Summary

DON'T EVER TRUST USER INPUT

Page 27

Rails Security Resources


Page 28

OWASP
https://www.owasp.org/index.php/Main_Page


Page 29

Rails Security Page and Mailing List

http://guides.rubyonrails.org/security.html

http://rubyonrails.org/security


Page 30

OAuth RFC

http://tools.ietf.org/html/rfc6819


Page 31

Books


Page 32

Cory Foy
[email protected]

@cory_foy

blog.coryfoy.com

prettykoolapps.com
