State of Web Security
Mike Milner
CTO @immunio
RailsConf 2016
A wild ride through the dizzying highs and terrifying lows of web security in 2015. Take a look at some major breaches of the year, including some free beer!

We’ll look at how attack trends have changed over the past year and new ways websites are being compromised. We’ve pulled together data from all the sites we protect to show you insights on types and patterns of attacks, and sophistication and origin of the attackers.

After the bad, we’ll look at the good - new technologies like RASP are helping secure the web.

Published in: Internet
1. State of Web Security
   Mike Milner, CTO @immunio
   RailsConf 2016
2. Today
   Checked in to my flight
   Read the News
   Paid for Parking
   Coffee with the Starbucks app
   Boarding Pass Slack
   Gmail
   Review some Pull Requests
   Uber
   RailsConf Schedule
   Trello
   Banking
   Facebook
   Twitter
   Ashley Madison
   Manage your corporate network
3. All On the Web
4. All On the Web
   Who is protecting my data?
5. How?
   Framework up to Date?
   Libraries Patched?
   Code Reviewed for Security?
   Monitoring for New CVEs?
   Reviewed External libraries?
   Static Analysis?
   Fixed Insecure Defaults?
6. Security is Hard
   But it can be SOOO Interesting :)
7. Three Types of Vulnerable Code
   • Code written by you
   • Code written by someone else
   • Code not written
8. SQL Injection
   • First publicly discussed in 1998. Well understood.
   • Largely fixed in all web apps. Right?
   "SELECT * FROM users WHERE name = '" + userName + "';"
   userName = "' OR 1=1 --"
   SELECT * FROM users WHERE name = '' OR 1=1 --';
9. Lost 100k customers and £60m
   157,000 had details stolen
10. Names, email addresses, passwords, and home addresses of 4,833,678 parents
    200,000 kids
11. Email addresses, phone numbers and dates of birth
    656,723 customers
    Beer Vouchers
12. ActiveRecord
    http://rails-sqli.org/
13. CVE-2016-0752 “Possible Information Leak Vulnerability”
    Credited to John Poulin at nVisium
    https://nvisium.com/blog/2016/01/26/rails-dynamic-render-to-rce-cve-2016-0752/
    https://groups.google.com/forum/#!topic/rubyonrails-security/335P1DcLG00
14. Directory Traversal
    def show
      render params[:template]
    end
15. What if we try: /etc/passwd ?
    Image credit: https://nvisium.com/blog
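The `render params[:template]` controller on slide 14 lets the request name any file on disk. The resolver below is an added example, not code from the talk or from nVisium's write-up; `VIEWS_ROOT`, `ALLOWED_TEMPLATES`, `resolve_template`, `path_inside_root?` and `template_allowed?` are names chosen for this example. It accepts only allowlisted template names and, as a second layer, confirms that the canonicalised path still lies under the views root, so `/etc/passwd` and a `../../config/secrets` style name are rejected before anything is rendered.

```ruby
# Added example, not code from the talk: hardening the slide 14 pattern.
# VIEWS_ROOT and ALLOWED_TEMPLATES are constructed values for this example.
VIEWS_ROOT = File.expand_path("app/views/users", "/srv/app").freeze
ALLOWED_TEMPLATES = %w[show edit profile].freeze

class TemplateRejected < StandardError; end

# Layer 2 on its own: does "<root>/<name>.html.erb" still live under root once
# ".." segments and absolute paths have been resolved?
def path_inside_root?(name, root = VIEWS_ROOT)
  full = File.expand_path("#{name}.html.erb", root)
  full.start_with?(root + File::SEPARATOR)
end

# Returns the absolute template path to render, or raises TemplateRejected.
def resolve_template(requested, root: VIEWS_ROOT, allowed: ALLOWED_TEMPLATES)
  name = requested.to_s
  # Layer 1: exact allowlist match; no normalisation, no prefix or regex matching.
  unless allowed.include?(name)
    raise TemplateRejected, "template not allowlisted: #{name.inspect}"
  end
  # Layer 2: redundant while the allowlist holds, cheap insurance if layer 1
  # is ever loosened to a pattern match.
  unless path_inside_root?(name, root)
    raise TemplateRejected, "template escapes views root: #{name.inspect}"
  end
  File.expand_path("#{name}.html.erb", root)
end

# Boolean form for callers that prefer a fallback to an exception.
def template_allowed?(requested)
  resolve_template(requested)
  true
rescue TemplateRejected
  false
end

# The slide 14 action rewritten to use the resolver (illustrative; needs Rails
# to run, so it stays a comment here):
#   def show
#     return head(:not_found) unless template_allowed?(params[:template])
#     render template: "users/#{params[:template]}"
#   end
```

Upgrading to a Rails release that addresses the advisory is the real remedy; the allowlist keeps the controller safe even where a dynamic render is intentional, and the containment check shows up in a code review as an explicit statement of where templates are allowed to come from.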
16. Directory Traversal
    • /etc/passwd
    • RAILS_ROOT/config/secrets.yml
    • RAILS_ROOT/config/initializers/secret_token.rb
    • SSL private keys
    • /proc/self/environ
    • /proc/<pid>/environ
17. Yikes!
18. Can We Execute Code?
    “Helpful” default behaviour in Rails
    Unknown extension defaults to ERB template
    <%= `whoami` %>
    Similar technique to CVE-2014-0130 as described by Jeff Jarmoc @ Matasano
    http://matasano.com/research/AnatomyOfRailsVuln-CVE-2014-0130.pdf
19. Basics
    Write code into file
    Ask Rails to execute it
20. Getting Code into a File
    Rails does this for us!
    /users/page?mycode=1234
    Written to production.log
    /users/page?mycode=%3c%25%3d%20%60%69%64%60%20%25%3e
    <%= `whoami` %>
21. Putting it Together
    /users/../../../production.log?mycode=<%= `whoami` %>
    /users/%2e%2e%2f%2e%2e%2f%2e%2e%2flog%2fproduction%2elog?mycode=%3c%25%3d%20%60%69%64%60%20%25%3e
22. Website Ransomware
23. Credential Stuffing
24. Warranty Fraud
25. How to protect?
    • Educate Developers
    • OWASP Top 10
    • Stay up-to-date
    • Static Analysis
    • Manual Code Review
    • Pen-test
26. Active Defence
    Signature Based
    Hard to maintain, Easy to bypass
    WAF?
27. Traditional Deployment
28. Deployments Today
29. RASP
    Runtime Application Self Protection
30. Active Defence
    What was the actual exploit?
    A file was read that shouldn’t be read
    Shell commands were executed
    Move INSIDE the app and we can see these directly
31. Protect against the exploit
    • Uploaded images should not be executed as code
    • Don’t load configuration from /tmp
    • My app does NOT need to read or write anywhere inside /etc
    • In fact, the app shouldn’t be writing anywhere except /tmp and /var/log
    • And especially not be reading from /etc/ssl or ~/.ssh/id_rsa
    Track code that opens files
32. Protect against the exploit
    • Most apps don’t need to execute shell commands. FENCE IT OFF!
    • If you do need shell, track the code that runs commands.
    • The command that minifies my CSS should not be downloading and executing a perl script!
    • The command that sends an invoice should not be opening a reverse shell to Russia!
    • And block shell access from everywhere else.
    Track shell code execution
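Slides 30 to 32 argue that the exploit is easiest to see from inside the app: a file was read that should not have been, and a shell command ran from code that never runs shell commands. The policy object below is an added example in that spirit and is not immunio's agent code; `RuntimePolicy`, `guarded_open`, `guarded_shell`, and every path, call site and command in it are constructed for the example. It records the calling source file alongside each file open and shell command, denies writes outside `/tmp` and `/var/log`, denies reads under `/etc/ssl` and a `.ssh` directory, and allows shell execution only for the executables each call site is registered for.

```ruby
require "shellwords"

class PolicyViolation < StandardError; end

# Constructed policy in the spirit of slides 30-32; not immunio's product code.
class RuntimePolicy
  attr_reader :audit_log

  # read_deny:   directories the app must never read from
  # write_allow: the only directories the app may write to
  # shell_allow: { "path/of/calling/file" => ["executables it may run"] }
  def initialize(read_deny:, write_allow:, shell_allow:)
    @read_deny   = read_deny.map  { |p| File.expand_path(p) }
    @write_allow = write_allow.map { |p| File.expand_path(p) }
    @shell_allow = shell_allow
    @audit_log   = []
  end

  # mode is a File.open mode string ("r", "w", "a", "r+", "rb", ...).
  def check_file(path, mode, caller_file)
    full = File.expand_path(path)
    deny(:file_write, full, caller_file) if writing?(mode) && !under_any?(full, @write_allow)
    deny(:file_read,  full, caller_file) if under_any?(full, @read_deny)
    record(:allow, :file, full, caller_file)
    true
  end

  # One executable per command, no shell control operators, and only the
  # executables this call site is registered for.
  def check_shell(command, caller_file)
    deny(:shell, command, caller_file) if command.match?(/[|;&`$<>()]/)
    words = begin
      Shellwords.split(command)
    rescue ArgumentError   # unbalanced quotes: treat as hostile
      deny(:shell, command, caller_file)
    end
    executable = File.basename(words.first.to_s)
    deny(:shell, command, caller_file) unless @shell_allow.fetch(caller_file, []).include?(executable)
    record(:allow, :shell, command, caller_file)
    true
  end

  # Boolean forms of the two checks, for callers that prefer not to rescue.
  def permits_file?(path, mode, caller_file)
    check_file(path, mode, caller_file)
  rescue PolicyViolation
    false
  end

  def permits_shell?(command, caller_file)
    check_shell(command, caller_file)
  rescue PolicyViolation
    false
  end

  private

  def writing?(mode)
    mode.to_s.match?(/[wa+]/)
  end

  def under_any?(full, roots)
    roots.any? { |r| full == r || full.start_with?(r + File::SEPARATOR) }
  end

  def deny(kind, subject, caller_file)
    record(:deny, kind, subject, caller_file)
    raise PolicyViolation, "#{kind} denied for #{caller_file}: #{subject}"
  end

  def record(decision, kind, subject, caller_file)
    @audit_log << { decision: decision, kind: kind, subject: subject, caller: caller_file }
  end
end

# Integration points: the calling source file is read from the stack, which is
# what turns "the CSS minifier may run sass but not perl" into an enforceable rule.
def guarded_open(policy, path, mode = "r", &block)
  policy.check_file(path, mode, caller_locations(1, 1).first.path)
  File.open(path, mode, &block)
end

def guarded_shell(policy, command)
  policy.check_shell(command, caller_locations(1, 1).first.path)
  `#{command}`
end
```

The audit log is the detection side of the same hook: every deny carries the path or command and the line of code that asked for it, which is the "visibility down to the line of code" slide 34 promises. A production agent would wrap `File.open` and `Kernel#\`` themselves rather than rely on callers using the guarded helpers.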
33. Inside the App
    Much more accurate. Fewer false positives.
    • SQL Queries for SQL Injection
    • Template rendering for Cross Site Scripting
    • Authentication attacks and Brute Forcing
    • Cross Site Request Forgery
34. Inside the App
    Better Understanding of Vulnerabilities
    • Visibility down to the line of code.
    • See how bad input affects each template interpolation.
    • Monitor what libraries are installed and how they’re used.
    • Report gem versions that have known vulnerabilities.
35. Harden the App
36. SQL Injection with RASP
    • SELECT * FROM users WHERE name = 'Mike'
    • SELECT * FROM users WHERE name = '' OR 1=1 --';
    • "SELECT * FROM users WHERE name = '" + userName + "';"
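Slide 36 sets the intended query beside the injected one. One way an in-app check can tell them apart without a signature list, as an added example that is not immunio's detector: tokenise the SQL and compare its shape with the shape the same builder produces for a harmless placeholder. If the user's input changed anything other than the contents of a literal, the statement's structure changed. `SQL_TOKEN`, `sql_shape`, `build_unsafe`, `build_quoted` and `injection?` are names chosen for this example; `build_unsafe` is the concatenation from slide 8.

```ruby
# Added example (not immunio's detector): compare token structure instead of
# matching attack signatures.
SQL_TOKEN = /
  '(?:[^']|'')*'           # single-quoted string literal; '' escapes a quote
| --[^\n]*                 # line comment
| \d+(?:\.\d+)?            # numeric literal
| [A-Za-z_][A-Za-z0-9_]*   # identifier or keyword
| <>|<=|>=|!=              # two-character operators
| \S                       # any other single character
/x

# Reduces a statement to its "shape": literals collapse to STR or NUM,
# comments to COMMENT, everything else is kept (upcased). Two queries that
# differ only in the contents of a literal have the same shape.
def sql_shape(sql)
  sql.scan(SQL_TOKEN).map do |tok|
    case tok
    when /\A'/  then "STR"
    when /\A--/ then "COMMENT"
    when /\A\d/ then "NUM"
    else tok.upcase
    end
  end
end

# Slide 8's builder: raw concatenation.
def build_unsafe(user_name)
  "SELECT * FROM users WHERE name = '" + user_name + "';"
end

# The same builder with quote escaping (better, still inferior to bind params).
def build_quoted(user_name)
  "SELECT * FROM users WHERE name = '" + user_name.gsub("'", "''") + "';"
end

# True when user_input changes the statement's structure compared with the
# same builder fed an inert placeholder value.
def injection?(builder, user_input, placeholder: "x")
  sql_shape(builder.call(user_input)) != sql_shape(builder.call(placeholder))
end
```

Note that `build_unsafe` with a legitimate name such as `O'Brien` is also flagged: the stray quote really does change the statement, which is the same defect the injection exploits. The escaped builder passes both inputs unchanged in shape, and an ActiveRecord query with bind parameters never concatenates at all, which is why slide 12 points at rails-sqli.org.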
37. Rate Limiting
    • Count volume of events in a sliding time window
    • Take action when the threshold is exceeded
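The two bullets on slide 37 describe a sliding-window counter. The class below is an added example, not the talk's code; `SlidingWindowLimiter` and `simulate` are names chosen here, the clock is injectable so the window can be driven with constructed timestamps, and the client key and times in `simulate` are made up for the example. Blocked attempts are still counted, so a client that keeps hammering stays blocked until it actually backs off, which is what you want against the credential stuffing of slide 23.

```ruby
# Added example, not the talk's code: the sliding-window counter of slide 37.
class SlidingWindowLimiter
  # limit: events permitted per key within window_seconds.
  # clock: any callable returning seconds; injected so tests can drive time.
  def initialize(limit:, window_seconds:, clock: -> { Process.clock_gettime(Process::CLOCK_MONOTONIC) })
    @limit  = limit
    @window = window_seconds
    @clock  = clock
    @events = Hash.new { |h, k| h[k] = [] }  # key => ascending timestamps
  end

  # Records one event for key (an IP, a username, an endpoint) and returns
  # :allow or :block. Blocked attempts are counted too.
  def hit(key)
    now  = @clock.call
    list = @events[key]
    list.shift while !list.empty? && list.first <= now - @window  # expire old
    list << now
    list.size > @limit ? :block : :allow
  end

  # Events for key still inside the window, without recording a new one.
  def count(key)
    now = @clock.call
    @events[key].count { |t| t > now - @window }
  end
end

# Drives the limiter with constructed timestamps (seconds) for one client.
def simulate(timestamps, key: "10.0.0.7", limit: 5, window: 60)
  t = 0
  limiter = SlidingWindowLimiter.new(limit: limit, window_seconds: window, clock: -> { t })
  timestamps.map do |ts|
    t = ts
    limiter.hit(key)
  end
end
```

The per-key array is fine for one process; across several app servers the same window is usually kept in a shared store (a Redis sorted set keyed by client, scored by timestamp, trimmed to the window on each hit) so that every server sees the same count. The "take action" half is the caller's decision: deny the login, add a delay, or just raise an alert.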
38. Three Types of Vulnerable Code
    • Code written by you
    • Code written by someone else
    • Code not written
39. Thank You!
    Mike Milner, CTO @immunio
    RailsConf 2016
    www.immun.io