YAML is the new Eval
 

    Presentation Transcript

    • YAML is the new eval, 09.02.2013, @rug_b, @plexus, github/arnebrasseur
    • You need to think about security
    • I'm a Rails developer. I'm not a security expert. That's the point.
    • “You Should Be At Defcon 2 For Most Of February” http://bit.ly/you_will_be_compromised
    • § “Security”
    • Many aspects: confidentiality, integrity, availability, authenticity
    • gem “security” ?
    • Emergent property: it's not a feature
    • Infinity Maxim: limitless vulnerabilities, most unknown
    • Trade-off: no such thing as 100% secure
    • Ignorance is bliss: if you believe you're safe, you can assume you're not.
    • Attack surface: your outer shell
    • Least authority: can't break what you can't reach
    • Constrained code
    • Positive security: whitelist vs. blacklist
    • § Rails Security
    • "Secure by default": XSS, CSRF, SQL escaping, etc.
    • Tasty magic: programmer happiness
    • “People who use magic without knowing what they are doing usually come to a sticky end. All over the entire room, sometimes.” ~ Terry Pratchett
    • § What happened?
    • 4 x Rails vulnerability; RubyGems hacked; bonus: MySQL “feature”
    • Jan 2: CVE-2012-5664, SQL Injection Vulnerability
    • Post.find_by_id(id, opts = {}) : plain old dynamic finder
    • Post.find_by_id(:select => sql) : I Can Haz Inject SQL?
    • Post.find_by_id(params[:id]) : I Can Haz Inject SQL?
    • HashWithIndifferentAccess: params is one, so a payload {"id": {"select": "..."}} reaches the finder as Post.find_by_id(params[:id]) with the hash taken as the options argument and its "select" key read as :select
    • Exploitable? Probably, but not trivially
    • AuthLogic: User.find_by_persistence_token(token)
    • CookieStore: session[:token] = {:select => “foo; DROP TABLE… ; --”}
    • config.session.key: do you know where your session key is at 4 o'clock in the morning?
    • Jan 8: CVE-2013-0155, Unsafe Query Generation
    • Foo.find_by_bar([nil]) : a JSON or XML payload of [null] arrives as [nil]; result: WHERE bar IS NULL, which matches every row whose bar is unset
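    The two query-generation problems on the preceding slides (CVE-2012-5664, the options hash smuggled through find_by_id, and CVE-2013-0155, the [nil] that becomes IS NULL) as one added example. This is not Rails code and not from the talk: the finders below are a toy re-implementation of the relevant shapes, each beside a hardened version. Assumptions: tables posts(id) and users(token), a simplified quote helper, and no database, so each finder returns the SQL text it would run.

```ruby
# Added example, not Rails code: a toy dynamic finder that reproduces the
# two query-generation problems on the slides, each beside a hardened version.
# Assumptions: tables "posts"(id) and "users"(token); quoting is simplified
# (single quotes doubled); no database, the finders return the SQL text.

def quote(value)
  case value
  when nil     then 'NULL'
  when Integer then value.to_s
  else "'#{value.to_s.gsub("'", "''")}'"
  end
end

# CVE-2012-5664, vulnerable shape: any trailing Hash is taken as the options
# hash. params is a HashWithIndifferentAccess in Rails, so a JSON/XML/session
# payload {"id": {"select": "..."}} arrives as options[:select] and is pasted
# straight into the SELECT list.
def vulnerable_find_by_id(*args)
  options = args.last.is_a?(Hash) ? args.pop : {}
  select  = options[:select] || options['select'] || '*'
  "SELECT #{select} FROM posts WHERE id = #{quote(args.first)}"
end

# Hardened: a Hash is only an options hash when it arrives in addition to the
# attribute value (the shape of the upstream fix), and the attribute value
# itself must be a scalar.
def hardened_find_by_id(*args)
  attribute_count = 1
  options = args.size > attribute_count && args.last.is_a?(Hash) ? args.pop : {}
  id = args.first
  raise ArgumentError, "id must be a scalar, got #{id.class}" if id.is_a?(Hash) || id.is_a?(Array)
  "SELECT #{options[:select] || '*'} FROM posts WHERE id = #{quote(id)}"
end

# CVE-2013-0155: a where-clause builder with ActiveRecord's array semantics.
# A list becomes IN (...), and a nil inside the list becomes IS NULL, so the
# JSON body {"token": [null]} turns find_by_token(params[:token]) into
# "WHERE token IS NULL", which matches every row whose token is unset.
def where_clause(column, value)
  case value
  when Array
    return '1 = 0' if value.empty?
    parts = []
    present = value.compact
    parts << "#{column} IN (#{present.map { |v| quote(v) }.join(', ')})" unless present.empty?
    parts << "#{column} IS NULL" if value.include?(nil)
    parts.join(' OR ')
  when nil then "#{column} IS NULL"
  else "#{column} = #{quote(value)}"
  end
end

def vulnerable_find_by_token(value)
  "SELECT * FROM users WHERE #{where_clause('token', value)}"
end

# Hardened: munge untrusted params first (Rails 3.2.11 added deep_munge, which
# drops nils from arrays), then insist on the type the column expects.
def deep_munge(value)
  case value
  when Array then value.compact.map { |v| deep_munge(v) }
  when Hash  then value.each_with_object({}) { |(k, v), h| h[k] = deep_munge(v) }
  else value
  end
end

def hardened_find_by_token(param)
  value = deep_munge(param)
  raise ArgumentError, "token must be a string, got #{value.inspect}" unless value.is_a?(String)
  "SELECT * FROM users WHERE token = #{quote(value)}"
end
```

    Calling vulnerable_find_by_id({'select' => '* FROM posts; DROP TABLE posts; --'}) shows the attacker's text land in the SELECT list; the hardened finder raises on the same input because a lone Hash is now the id, not the options. Likewise vulnerable_find_by_token([nil]) yields token IS NULL, while the hardened version munges the array to [] and rejects anything that is not a String.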
    • Jan 14: CVE-2013-0156, XML will deserialize YAML
    • THE BIG ONE. Who thought YAML in XML was a good idea anyway?
    • Never trust YAML! !ruby/hash:I::Am::In::Your::Objects and !ruby/object:Setting::Your::Ivars
    • !ruby/hash calls #[]=
    • !ruby/object calls instance_variable_set
    • ActionController::Routing::RouteSet::NamedRouteCollection (excerpt as shown on the slide):

        def add(name, route)
          define_named_route_methods(name, route)
        end
        alias []= add

        def define_url_helper(route, name, kind, options)
          @module.module_eval <<-END
            def #{name}_#{kind}(*args)
              options = hash_for_#{name}_#{kind}(args.extract_options!)
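    The two tags from the preceding slides, as an added example that is not from the talk and not Rails code. RouteCollection is a toy stand-in with the shape of NamedRouteCollection#add above (a []= that ends in class_eval of a string containing the key); Setting is a plain class; both are defined here, and EVIDENCE and the two payload documents are constructed. The last function runs the same documents through YAML.safe_load, the Psych counterpart of what the SafeYAML slide further down points to. On Psych 4 (Ruby 3.1+) YAML.load is already the safe variant, so the block uses YAML.unsafe_load where it exists to reproduce the 2013 behaviour.

```ruby
require 'yaml'

# Toy stand-in for a class whose []= ends in eval: the shape of
# NamedRouteCollection#add -> define_url_helper -> module_eval on the slides.
# Not Rails code.
class RouteCollection
  def []=(name, route)
    define_url_helper(name)
  end

  def define_url_helper(name)
    # The untrusted key is interpolated into source text before evaluation.
    self.class.class_eval <<-RUBY
      def #{name}_url(*args)
        "/#{name}"
      end
    RUBY
  end
end

# A plain object: !ruby/object:Setting sets whatever ivars the document names,
# bypassing initialize.
class Setting
  attr_reader :admin
  def initialize
    @admin = false
  end
end

EVIDENCE = []  # filled in by the payload if its code runs

# Constructed payloads (assumption: this is what an attacker would embed in the
# XML/JSON body the slides describe).
OBJECT_PAYLOAD = <<~YAML
  --- !ruby/object:Setting
  admin: true
YAML

# The key is chosen so that, once pasted into "def #{name}_url(*args)", the
# generated source stays syntactically valid and runs EVIDENCE << :code_ran.
HASH_PAYLOAD = <<~YAML
  --- !ruby/hash:RouteCollection
  "x(*a) end; EVIDENCE << :code_ran; def y": 1
YAML

def unsafe_load(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# !ruby/object: returns a Setting whose @admin was set without initialize running.
def load_object_payload
  unsafe_load(OBJECT_PAYLOAD)
end

# !ruby/hash: Psych allocates a RouteCollection and calls []= per pair,
# which class_evals the attacker's key. Returns what the payload recorded.
def load_hash_payload
  EVIDENCE.clear
  unsafe_load(HASH_PAYLOAD)
  EVIDENCE.dup
end

# safe_load refuses any !ruby/* tag unless the class is explicitly permitted.
def safe_load_result(doc)
  YAML.safe_load(doc)
  :loaded
rescue Psych::DisallowedClass
  :rejected
end
```

    load_object_payload returns a Setting with admin == true although initialize sets it to false; load_hash_payload returns [:code_ran], the proof that text from the YAML document was executed; safe_load_result returns :rejected for both documents and :loaded for an untagged one.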
    • EVAL ALL THE THINGS

        $ rails new myapp ; cd myapp ; bundle install
        $ cd `rvm gemdir`/gems
        $ egrep -r '(module_eval|instance_eval|class_eval)' . | wc -l
        321
        $ egrep -r '(module_eval|instance_eval|class_eval)' . | sed 's/^\.\///; s/\/.*//' | uniq -c | sort -n
         62 activesupport-3.2.11
         50 erubis-2.7.0
         38 actionpack-3.2.11
         24 activerecord-3.2.11
         19 railties-3.2.11
    • Jan 28: CVE-2013-0333, Vulnerability in JSON Parser in Ruby on Rails 3.0 and 2.3
    • Only 3.0 and 2.3 are affected
    • JSON is YAML. True story: the YAML-based JSON backend rewrote the JSON text into YAML and handed it to YAML.load, so the same !ruby tags worked from a JSON body
    • Jan 30: RubyGems hacked. Gemspecs are … YAML
    • Feb 7: Bonus level. SELECT 0 = “foo”; # => true (MySQL casts a non-numeric string to 0 for the comparison, so an integer arriving where a string token was expected matches every non-numeric value)
    • § Practical
    • Are you up-to-date? Rails 3.2 / 3.1 get security updates; Rails 2.3 only for severe security issues; Ruby 1.8 is End of Life June 2013
    • What now? Sign up to the security mailing list
    • What now? Read the Rails Guide on Security
    • GET routes don't check the CSRF token: match 'user/reset/:id' => 'user#reset', :via => :put
    • attr_accessible; even better: strong_parameters. params.require(:person).permit(:name, :age) and params.permit(:name, { :emails => [] })
    • Careful with to_json in templates: <script> Accounts.reset(<%= raw @accounts.to_json %>); </script>
    • Careful with to_json in templates: <script> Accounts.reset([{name: "</script><script>alert('xss')</script>", ...}]); </script>
    • Escaped by default in Rails 4: ActiveSupport::JSON::Encoding.escape_html_entities_in_json = true. There are other solutions as well: json_escape, data-* attributes
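    The script-breakout from the two slides above and what the escaping setting does about it, as an added example that is not from the talk and not Rails code. escape_json_for_html re-implements the three replacements behind escape_html_entities_in_json stand-alone (assumption: the same table; in an app use ERB::Util.json_escape rather than this); the ERB template and the ACCOUNTS sample, one of whose names carries the slide's payload, are constructed.

```ruby
require 'json'
require 'erb'

# Stand-alone version of what escape_html_entities_in_json does to encoded
# JSON: the three characters that matter inside an HTML <script> body become
# JSON \u escapes, which every JSON parser decodes back to the same characters.
JSON_HTML_ESCAPES = { '<' => '\u003c', '>' => '\u003e', '&' => '\u0026' }.freeze

def escape_json_for_html(json)
  json.gsub(/[<>&]/, JSON_HTML_ESCAPES)
end

# The template from the slide, with the interpolated JSON already marked raw.
TEMPLATE = ERB.new("<script> Accounts.reset(<%= accounts_json %>); </script>")

# Constructed sample data: the first account name is the breakout payload.
ACCOUNTS = [
  { 'name' => "</script><script>alert('xss')</script>" },
  { 'name' => 'alice' },
].freeze

def render_script(escape:)
  json = JSON.generate(ACCOUNTS)
  json = escape_json_for_html(json) if escape
  TEMPLATE.result_with_hash(accounts_json: json)
end

# A browser's HTML tokenizer ends the script element at the first "</script",
# whatever the JavaScript string context is, so count those inside the JSON.
def breakout_count(escape:)
  rendered = render_script(escape: escape)
  inner = rendered[/Accounts\.reset\((.*)\);/m, 1]
  inner.scan(%r{</script}i).size
end

# Escaping must not change the data the JavaScript receives.
def round_trips?(escaped_json)
  JSON.parse(escaped_json) == ACCOUNTS
end
```

    Unescaped, the rendered page carries two "</script" sequences inside the JSON literal (the payload's closing tag and the one that closes its injected script); escaped, it carries none, and JSON.parse of the escaped text still returns the original accounts.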
    • Regexp anchors: “some@email.com\n; I AM IN YOUR SQLZ ; --” =~ /^...$/ matches, because ^ and $ anchor to the first line only
    • Use \A and \z. ^ : beginning of line; $ : end of line; \A : beginning of string; \z : end of string; \Z : end of string, but ignores a final newline
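    One pattern anchored the three ways listed above, run over the slide's payload and a few neighbours, as an added example (not from the talk). The pattern is deliberately minimal (assumption: local@domain.tld is enough here, this is about anchors, not email validation), and the SAMPLES are constructed.

```ruby
# Added example, not from the slides: one "email" pattern anchored three ways,
# run over inputs that include the newline-smuggling string from the slide.
LINE_ANCHORED  = /^[^@\s]+@[^@\s]+\.[a-z]+$/i   # ^ and $ match at every line break
TRAILING_NL_OK = /\A[^@\s]+@[^@\s]+\.[a-z]+\Z/i  # \Z still accepts one final newline
WHOLE_STRING   = /\A[^@\s]+@[^@\s]+\.[a-z]+\z/i  # \A and \z: the entire string, nothing else

def anchor_report(input)
  {
    line_anchored: !!(input =~ LINE_ANCHORED),
    trailing_nl:   !!(input =~ TRAILING_NL_OK),
    whole_string:  !!(input =~ WHOLE_STRING),
  }
end

# Constructed inputs; the second is the slide's payload with a real newline.
SAMPLES = [
  "some@email.com",
  "some@email.com\n; I AM IN YOUR SQLZ ; --",
  "some@email.com\n",
  "junk\nsome@email.com",
].freeze

def report_all
  SAMPLES.to_h { |s| [s, anchor_report(s)] }
end

if $PROGRAM_NAME == __FILE__
  report_all.each { |input, result| puts "#{input.inspect}: #{result}" }
end
```

    Only the clean address passes all three. The payload passes the ^...$ check because the first line is a valid address, is rejected by \A...\Z because the text after the newline is not a single trailing newline, and is rejected by \A...\z. A bare trailing newline is the one input where \Z and \z differ.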
    • SafeYAML: will probably become part of Psych
    • Brakeman: static security analysis for Rails apps
    • Sanitize your inputs: distrust params, cookies and request
    • Thank you! Twitter: @plexus, GitHub: arnebrasseur