The document discusses the prevalence of web application vulnerabilities, including SQL injection and cross-site scripting (XSS), and the average time vulnerabilities remain undisclosed. It highlights the importance of implementing web application firewalls and various defensive coding practices to mitigate risks. Additionally, it mentions Immun.io as a solution for automated protection against various types of attacks and emphasizes the need for ongoing security audits and education.

1. Metasecurity: Beyond
Patching Vulnerabilities
Chase Douglas
Immun.io

2. Anatomy of a security attack
Vulnerability Attacker

3. How to defend against
vulnerabilities?

5. PHP: Over 24
vulnerabilities reported
every year!
cvedetails.com
Rails: Over 7
vulnerabilities reported
every year!

6. How fast can you spin this
wheel?

7. Vulnerabilities sold
remain private for an
average of 151 days
The Known Unknowns - Stefan Frei - NSS Labs
https://www.nsslabs.com/reports/known-unknowns-0

8. How many vulnerabilities
are lurking, unfound?

9. How to defend against
attackers?

10. Web Application Firewalls

11. Web Application Firewalls

12. Field Trip! Castle Gaillard

13. False Positives

14. Anatomy of a security attack
Vulnerability Attacker
Exploitation

15. Metasecurity: Blocking
Exploitations

16. Exploitations
• SQL Injection
• Cross Site Scripting (XSS)

17. SQL Injection

18. SQL Injection

19. SQL Injection

20. SQL Injection

21. SQL Injection

22. SQL Injection

23. SQL Injection

24. SQL Injection

25. Cross Site Scripting (XSS)
But I didn’t click
on anything!

26. +?
XSS

27. XSS
In someone else’s
browser!
+

28. String.html_safe

29. String.html_safe
Escaped!

30. String.html_safe
Not Escaped!

31. Rails Rendering
Start with an empty SafeBuffer
Buffer:

32. Rails Rendering
Append template after calling html_safe on it
Buffer: <head>
<title>

33. Rails Rendering
Append expression result
Buffer: <head>
<title>&lt;script&gt;alert(1)&lt;/script&gt;
I tried to inject <script>alert(1)</script> here!

34. Rails Rendering
Append template after calling html_safe on it
Buffer: <head>
<title>&lt;script&gt;alert(1)&lt;/script&gt;</title>

35. Rails Rendering
Append expression result
Buffer: <head>
<title>&lt;script&gt;alert(1)&lt;/script&gt;</title>
<script src=“/application.js”></script>
javascript_include_tag returned a SafeBuffer

36. Rails Rendering
Append template after calling html_safe on it
Buffer: <head>
<title>&lt;script&gt;alert(1)&lt;/script&gt;</title>
<script src=“/application.js”></script>
</head>

37. XSS

38. XSS
params => {id: 5}

39. XSS
params => {id: “<script>alert(1)</script>”}
<div class=“alert”>
User id
&lt;script&gt;alert(1)&lt;/script&gt;
does not exist
</div>
Rendered HTML:

40. XSS

41. XSS

42. XSS

43. XSS
params => {id: “<script>alert(1)</script>”}
<div class=“alert”>
User id
<script>alert(1)</script>
does not exist
</div>
Rendered HTML:
+

44. XSS

45. How to Fix?

46. How to Fix XSS

47. How to Fix SQL Injection
• Check that args for all `Calculate` methods are actual table names
• Always use hashes or arrays when using `delete_all`/`destroy_all`/
`where`
• Always use hashes when using `find_by`/`find_by!`
• Always convert user input to strings when passed to `exists?`
• Never pass user input to `group`/`joins`/`order`/`reorder`/`pluck`/
`select`/`having`
• Don’t use `find` unless you are a security guru
• etc. etc.

48. “Once you’re done with
that, can you audit all our
dependencies too?”

49. “Can you teach everyone
else about security?”

50. “All changes will be
reviewed by the security
team”
“It won’t be a bottleneck,
we’ve got two security
engineers”

51. Metasecurity Defense

52. Metasecurity for XSS
Should there be
script tags here?

53. Metasecurity for XSS
• Wrap `html_safe` method
• If called from a known good location, like a Rails
helper, let the string through unimpeded
• Otherwise, escape any <script> tags first

54. Metasecurity for SQL
Injection
Structure
Eoknkno1
Structure
Eoknkno1&1o1
Structure
Eoknkno1;Tkn

55. How do we determine
expected structures?

56. Every Query is Executed at
the Top of a Call Stack

57. Match Call Stack to a
Learned Structure
Eoknk

58. Verify Structure
Eoknk
Ok!
Eoknkno1&1o1
Bad!
Block and
respond with 403
Expected Structure: Eoknk

59. Metasecurity
Vulnerability Attacker
Exploitation

60. Immunio is Metasecurity
Automatic protection against:
Cross Site Scripting
SQL Injection
Remote Command Execution
ShellShock
Open Redirects
Unauthorized File I/O
CSRF Tampering
Brute Force Authentication Attempts
HTTP Header Split
HTTP Method Tampering
Automated Scanners
And more…