  • Speaker notes
  • Or if they had a way to upload their own “.rb” files, they could get their own code to run on the server side. A fix was issued in 1.1.5; however, it was incomplete, didn’t fully check all directories, and broke some systems.
  • Change the default storage of the sessions. This can be done with one line in your environment configuration file: :active_record_store, :drb_store, :mem_cache_store, :memory_store or “p_store”
  • New in 2007
  • Jeremiah Grossman’s March 2006 blog “while technically possible, the truth is that they are just not seen in the real world in custom web applications”
  • UTF-8? Java
  • Heiko Webers (from Germany) Alex Smolen (foundstone)
  • Transcript

    • 1. Start Rolling with Rails Security
      • Corey Benninger, Principal Consultant, Intrepidus Group
      • [email_address]
    • 2. Why Ruby on Rails
      • Don't Repeat Yourself (DRY)
      • Convention over Configuration
      • Model - View - Controller
    • 3. Breaking It Down
      • Ruby – interpreted scripting language
      • Gems – the “apt-get” for Ruby packages
      • Rails – a framework written in Ruby for developing web applications
    • 4. My First Web App
      • One rails call will create basic directories and scripts to start a new application
        • rails RailsBlog
    • 5. How Would You Like that Cooked?
      • Try different file extensions for your data
      • ActionController makes it easy to change response
      respond_to do |format|
        format.html
        format.xml { render :xml => @posts.to_xml }
        format.rss { render :action => "feed.rxml" }
      end
    • 6. Heavy Lifting Made Easy
      • Not your standard GET Parameters
      • Close relationship to database structures
      CREATE TABLE surveys (
        `id` INT NOT NULL AUTO_INCREMENT,
        `title` VARCHAR(100) NOT NULL,
        PRIMARY KEY (`id`)
      );
    • 7. Great Rails Hack of 1.1.4
      • Rails versions prior to 1.1.6 had a “routing bug”: remote attackers could call functions in Rails modules directly over HTTP.
        • GET http://localhost:3000/breakpoint_client
          • Causes application to wait
        • GET http://localhost:3000/db/schema
          • Blank out database
    • 8. Defense in Depth
    • 9. Romancing the Gems
      • Gems are retrieved from ( gem install rails --include-dependencies )
      • No SSL
        • confidentiality
        • integrity
        • authenticity
    • 10. Romancing the Gems
      • RubyGems version 0.8.11 and later supports adding cryptographic signatures to gems.
    • 11. Romancing the Gems
      • Install the gems using the "HighSecurity" policy
        • gem install SomeGem-0.2.0.gem -P HighSecurity
        • gem must be signed
        • signing cert must be valid
        • signing cert must be trusted
    • 12. These Go To Eleven
      • Gems will typically keep older versions of packages
        • Make sure to update Applications after updating gems
    • 13. All Float On OK
      • When “Floating on Gems”, check the version number in config/environment.rb
        • RAILS_GEM_VERSION = '1.2.5'
      • When “Bound to Gems” (files in vendor/rails), make sure to rake and freeze your gems
        • rake rails:freeze:gems
    • 14. No Soup For You
      • Default Rails setup leaves weak file permissions
      • File Permissions
        • Read all to DB Config
        • Read/Write all to Log files
      • Run your web server with the least needed permissions
        • sudo -u www ruby script/server
      # Lock down key files
      chown <owner>:<webserver> config/database.yml
      chmod 640 config/database.yml
      chown <owner>:<webserver> log/*.log
      chmod 640 log/*.log
    • 15. Tastes like Cookies
      • With the current defaults, Rails needs to write to “tmp/sessions” to store session information.
      • chown this directory to your Ruby process. Do not chmod 777 this directory.
      • Also, disk access is slow; try mem_cache_store or memory_store to keep session data in memory.
    • 16. Tastes like Cookies
      • Rails does not expire sessions on the server side
        • session_expire is a client side setting
      • To remove stale server-side sessions, admins typically create a server-side cron job
    • 17. Tastes like really bad idea Cookies
      • Default storage for sessions in Rails 2.0 will be to store them in client side cookies!
        • Data is not encrypted (only Base64 and URL encoded)
        • Hash is checked on server to detect tampering
        • No expiration built in
        • Brute force attack to recover password is possible
      _testapp_session=BAh7BiIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7AA%253D%253D--03978c53b571cb73bb2670b970e5860877f08cf7
      _(appname)_session = URLEncode(Base64Encode(session_data)) -- hash
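The cookie layout above, rebuilt in plain Ruby as an added example (this is not the slides' code nor Rails' own CookieStore): it assumes the payload is Marshal-serialised, Base64 and URL encoded, followed by `--` and an HMAC-SHA1 over the Base64 text keyed with a server-side secret. It shows that the payload is readable without any key, while the digest is what detects tampering.

```ruby
# Added example (not from the slides): the cookie-session format described
# above, rebuilt in plain Ruby. It shows that the payload is only encoded,
# not encrypted, and that the trailing digest is what detects tampering.
# Assumed layout: URLEncode(Base64(Marshal.dump(session)) + "--" + HMAC-SHA1).
require 'base64'
require 'cgi'
require 'openssl'

SECRET = 'constructed-secret-for-this-example' # stand-in for the app's :secret

def digest_for(data, secret)
  OpenSSL::HMAC.hexdigest('SHA1', secret, data)
end

# Server side: build the cookie value from the session hash.
def encode_session(session, secret)
  data = Base64.strict_encode64(Marshal.dump(session))
  CGI.escape("#{data}--#{digest_for(data, secret)}")
end

# Constant-time comparison so the digest check does not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Client side: no secret is needed to read the payload. The Marshal bytes
# carry session keys and values in the clear.
def peek_session_bytes(cookie)
  data, _digest = CGI.unescape(cookie).split('--', 2)
  Base64.strict_decode64(data)
end

# Server side: verify the digest first, then deserialise. Marshal.load must
# never run on data whose digest did not verify.
def decode_session(cookie, secret)
  data, digest = CGI.unescape(cookie).split('--', 2)
  return nil if data.nil? || digest.nil?
  return nil unless secure_equal?(digest, digest_for(data, secret))
  Marshal.load(Base64.strict_decode64(data))
end

# Re-encodes a changed session while keeping the old digest; used to show
# that decode_session rejects it.
def tampered_cookie(cookie, new_session)
  _data, digest = CGI.unescape(cookie).split('--', 2)
  CGI.escape("#{Base64.strict_encode64(Marshal.dump(new_session))}--#{digest}")
end
```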
    • 18. Got a Session Fixation?
      • URL based sessions switched to off by default in Rails 1.2.4 (Oct 2007)
    • 19. Hello Cleveland
      • Rails Rocking Security Features
        • Protects against SQL Injection
        • Simple Validation and HTML Encoding Functions
        • Session Riding Protection (CSRF)
        • Light Buffer Overflow Support
    • 20. Escaped for Your Pleasure
      • Most developers will use ActiveRecord
      • Standard queries will be parameterized and resist injection
        • book = Book.find(params[:id])
        • settings = Setting.find(:all, :conditions => ["uid=?",])
      • However, SQL injection may be possible if bind variables are not used
        • book = Book.find(:all, :limit => "#{session[:pref].id}")
    • 21. Escaped for Your Pleasure
      • Data will be automatically truncated to match field length
      • Alternatively, it is easy to validate lengths of user input
        • validates_length_of :phone, :within => 5..16, :message => "Invalid Phone Number Length"
    • 22. Validate Me
      • Rails comes with a number of input validations built in
        • validates_length_of
        • validates_presence_of
        • validates_format_of
        • validates_uniqueness_of
    • 23. Validate Me
        • validates_length_of :phone, :within => 5..16
        • validates_format_of :phone, :with => /\A[+\/() 0-9-]+\z/, :message => "Invalid Phone Number"
        • validates_format_of :url, :with => /\A(http|https):\/\/[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,5}(([0-9]{1,5})?\/.*)?\z/ix
          • Anchor with \A and \z: in Ruby, ^ and $ only match line boundaries, so a multi-line value can slip past a ^...$ pattern
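Why the anchors matter, as an added example that is not part of the slides: Ruby's `^` and `$` match at line boundaries, so a validates_format_of pattern written with them accepts a value that carries extra lines. The block runs the slide's phone character class in both anchor styles, and the slide's URL pattern, against constructed inputs; the `format_ok?` helper is assumed, not a Rails API.

```ruby
# Added example (not from the slides): line anchors (^ $) versus whole-string
# anchors (\A \z) in a validates_format_of pattern.

# Phone pattern with the slide's character class, anchored per line (weak form).
PHONE_LINE_ANCHORED  = /^[+\/() 0-9-]+$/
# Same character class, anchored to the whole string (corrected form).
PHONE_WHOLE_ANCHORED = /\A[+\/() 0-9-]+\z/

# URL pattern from the slide as a Ruby literal, whole-string anchored.
# The port group is kept as written on the slide (no leading colon).
URL_WHOLE_ANCHORED =
  /\A(http|https):\/\/[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,5}(([0-9]{1,5})?\/.*)?\z/ix

# Mirrors the check validates_format_of performs before adding an error.
def format_ok?(pattern, value)
  !!(pattern =~ value)
end

# Constructed inputs: a clean number, and a value whose first line is a
# valid number followed by a second line the validator was never meant to pass.
CLEAN_PHONE    = "+1 (555) 123-4567"
SMUGGLED_PHONE = "555-1234\n<script>alert(1)</script>"

# Runs both anchor styles over both inputs and returns the outcomes.
def phone_results
  {
    clean_line_anchored:     format_ok?(PHONE_LINE_ANCHORED,  CLEAN_PHONE),
    clean_whole_anchored:    format_ok?(PHONE_WHOLE_ANCHORED, CLEAN_PHONE),
    smuggled_line_anchored:  format_ok?(PHONE_LINE_ANCHORED,  SMUGGLED_PHONE),
    smuggled_whole_anchored: format_ok?(PHONE_WHOLE_ANCHORED, SMUGGLED_PHONE),
  }
end

def url_ok?(value)
  format_ok?(URL_WHOLE_ANCHORED, value)
end
```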
    • 24. Money Back Guarantee
    • 25. Riding the Session
      • “CSRFKiller” plugin is now on by default in edge Rails core
        • On for all “non-GET” requests (PUT/POST/DELETE)
        • Each session will have a unique “_token” value
          • SHA1 hash with “:secret” key and random value
      • Earlier versions of Rails can install plugin for CSRF protection
    • 26. Hey Baby, Nice Buffer
      Language / Environment | Compiled or Interpreted | Strongly Typed | Direct Memory Access | Safe or Unsafe
      Java                   | Both                    | Yes            | No                   | Safe
      .NET                   | Both                    | Yes            | No                   | Safe
      Perl                   | Both                    | Yes            | No                   | Safe
      Python                 | Interpreted             | Yes            | No                   | Safe
      Ruby                   | Interpreted             | Yes            | No                   | Safe
      C/C++                  | Compiled                | No             | Yes                  | Unsafe
      Assembly               | Compiled                | No             | Yes                  | Unsafe
      COBOL                  | Compiled                | Yes            | No                   | Safe
    • 27. Hey Baby, Nice Buffer
      • A buffer overflow could exist in the interpreter (just like java)
      • Using “RubyInline”, a developer can embed C code within Ruby
      require 'rubygems'
      require_gem 'RubyInline'

      class << self
        inline do |builder|
          builder.c "
            int badcopy(char *input) {
              char buffer[10];
              strcpy(buffer, input);   /* no length check: input longer than 9 bytes overflows buffer */
              return 0;
            }
          "
        end
      end
    • 28. XSS: Not Just for Breakfast Any More
      • A number of Rails resources imply Cross-Site Scripting is only a concern if you use sessions
    • 29. Ruby to the Rexsscue
      • Use the “h” html_escape method when writing user data back out
      <% for comment in @post.comments %>
        <%= h comment.body %>
      <% end %>
    • 30. Ruby to the Rexsscue
      • Safe ERB
        • Plugin that ensures all strings written through rhtml templates are checked or escaped before being written out (Ruby's built-in “$SAFE” cannot be used properly with Rails)
        • (Although don’t forget UTF-7 and other encoding issues)
    • 31. WEAK SAUCE ALERT!!!
      • Sanitize Module (ActionView::Helpers::TextHelper)
        • converts <form> and <script> tags into regular text
        • removes all "onxxx" attributes
        • removes href= and src= attributes that start with “javascript:”
      sanitize('<script> do_nasty_stuff() </script>')
        => "&lt;script> do_nasty_stuff() &lt;/script>"
      sanitize('<a href="javascript: sucker();">Click for $100</a>')
        => "<a>Click for $100</a>"
    • 32. One for my Pentesting Homies
      • Rails has a built in check for XML HTTP Requests (AJAX)
        • request.xhr? simply checks for the header “X-Requested-With: XMLHttpRequest”
    • 33. Would You Like Fries with That?
      • Bulk database assignments, like “create” and “new”, can add data for any column in a table.
    • 34. Would You Like Fries with That?
      • Normal Public Add User Request
      • Malicious Add Admin User Request
      POST /users HTTP/1.1
      Host:
      Content-Length: 31

      username=Foo&passwd=p4ssw0rrd!

      POST /users HTTP/1.1
      Host:
      Content-Length: 52

      username=Foo&passwd=p4ssw0rrd!&is_admin=1&approved=1
    • 35. Would You Like Fries with That?
      • Black List Column Exclusion
        • attr_protected :approved, :is_admin
      • White List Column Exclusion
        • attr_accessible :username, :password
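A plain-Ruby stand-in for bulk assignment, added here as an example (not the slides' code and not ActiveRecord's implementation): it parses the "add admin user" body from the earlier slide and filters it the way attr_protected (black list) and attr_accessible (white list) would. The `role` column and the helper names are assumptions; `role` is imagined as a column added after the black list was written, which is the case a black list silently misses.

```ruby
# Added example (not from the slides): black-list versus white-list filtering
# of bulk-assigned parameters, in plain Ruby rather than ActiveRecord.
require 'uri'

# Columns of a constructed users table. 'role' stands for a column added
# later, after the black list below was written.
USER_COLUMNS = %w[username passwd is_admin approved role]

# Parses a form body like the slide's POST example into a string-keyed hash.
def parse_form(body)
  URI.decode_www_form(body).to_h
end

# attr_protected style: every column is writable except the named ones.
def assign_with_blacklist(params, protected_columns)
  params.select { |k, _| USER_COLUMNS.include?(k) && !protected_columns.include?(k) }
end

# attr_accessible style: only the named columns are writable; the rest is dropped.
def assign_with_whitelist(params, accessible_columns)
  params.select { |k, _| accessible_columns.include?(k) }
end

# Constructed request body: the slide's malicious add-admin request, plus the
# later-added 'role' column that the black list knows nothing about.
MALICIOUS_BODY = 'username=Foo&passwd=p4ssw0rrd!&is_admin=1&approved=1&role=admin'

# Black list written before 'role' existed: is_admin and approved are stripped,
# but role=admin gets through.
def blacklist_result
  assign_with_blacklist(parse_form(MALICIOUS_BODY), %w[approved is_admin])
end

# White list of the two fields a public sign-up form may set: everything else
# is dropped, including columns added later.
def whitelist_result
  assign_with_whitelist(parse_form(MALICIOUS_BODY), %w[username passwd])
end
```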
    • 36. Shoot the Messenger
      • Rails is single threaded. It can only handle one request at a time.
      • Many sites use a Reverse Proxy for performance.
      • Don’t forget to check for Response Splitting!
        • Filenames, Cookies, Redirects
    • 37. What’s Up 2.0
      • Rails 2.0: Release Candidate 1 (Nov 9th 2007)
      • Security Default Changes
        • ActionController::RequestForgeryProtection
          • Session Riding Protection on by Default
        • TextHelper#sanitize
          • Defaults to a White-List (was a Black-List)
        • HTTP Only Cookies supported
        • Default Sessions stored in Client Cookies
    • 38. What’s Up 2.0
      • Rails rides with REST
        • Create/Read/Update/Delete
        • One URL, Four HTTP Methods
      PUT /product/3 HTTP/1.1
      Host:
      Content-Length: 19

      name=Foo&price=9.99
    • 39. Looking For More?
      • Foundstone’s Hacme Casino
      • (Ruby Fuzzer)
      THANK YOU!!! [email_address]