YAML is the new Eval

  1. YAML is the new eval. 09.02.2013 @rug_b @plexus github/arnebrasseur
  2. You need to think about security
  3. I'm a Rails developer
  4. I'm a Rails developer. I'm not a security expert.
  5. I'm a Rails developer. I'm not a security expert. That's the point.
  6. "You Should Be At Defcon 2 For Most Of February" http://bit.ly/you_will_be_compromised
  7. § "Security"
  8. Many aspects: confidentiality, integrity, availability, authenticity
  9. gem "security" ?
  10. Emergent property: it's not a feature
  11. Infinity Maxim: limitless vulnerabilities, most of them unknown
  12. Trade-off: no such thing as 100% secure
  13. Ignorance is bliss: if you believe you're safe, you can assume you're not.
  14. Attack surface: your outer shell
  15. Least authority: can't break what you can't reach
  16. Constrained code
  17. Positive security: whitelist vs blacklist
  18. § Rails Security
  19. "Secure by default": XSS, CSRF, SQL escaping, etc.
  20. Tasty magic: programmer happiness
  21. "People who use magic without knowing what they are doing usually come to a sticky end. All over the entire room, sometimes." ~ Terry Pratchett
  22. § What happened?
  23. 4 x Rails vulnerability. Rubygems hacked. Bonus: MySQL "feature"
  24. Jan 2, CVE-2012-5664: SQL Injection Vulnerability
  25. Post.find_by_id(id, opts = {}) : plain old dynamic finder
  26. Post.find_by_id(:select => sql) : I can haz inject SQL? (a trailing hash is taken as the options argument and goes straight into the generated query)
  27. Post.find_by_id(params[:id]) : I can haz inject SQL?
  28. HashWithIndifferentAccess: params[:id] sent as a nested parameter arrives as a HashWithIndifferentAccess, which the dynamic finder treats as its options hash rather than as the id value
  29. Exploitable? Probably, but not trivially
  30. AuthLogic: User.find_by_persistence_token(token)
  31. CookieStore: session[:token] = {:select => "foo; DROP TABLE… ; --"}
  32. config.session.key. Do you know where your session key is at 4 o'clock in the morning? (With the CookieStore, whoever holds the signing secret can put an arbitrary hash into the session.)
  33. Jan 8, CVE-2013-0155: Unsafe Query Generation
  34. Foo.find_by_bar([nil]) : a JSON or XML payload can hand the finder [nil] where a scalar was expected. Result: the condition is generated as bar IS NULL, so rows that have no value at all are found instead of nothing.
  35. Jan 8, CVE-2013-0155: Unsafe Query Generation
  36. Jan 14, CVE-2013-0156: XML will deserialize YAML
  37. THE BIG ONE. Who thought YAML in XML was a good idea anyway?
  38. Never trust YAML: !ruby/hash:I::Am::In::Your::Objects, !ruby/object:Setting::Your::Ivars
  39. !ruby/hash calls #[]= on a new instance of the named class, once per key
  40. !ruby/object calls instance_variable_set on an allocated instance of the named class, without running initialize
  41. ActionController::Routing::RouteSet::NamedRouteCollection: []= is an alias for add, which ends in a module_eval with the attacker-chosen name interpolated into the source:

          def add(name, route)
            define_named_route_methods(name, route)
          end
          alias []= add

          def define_url_helper(route, name, kind, options)
            @module.module_eval <<-END
              def #{name}_#{kind}(*args)
                options = hash_for_#{name}_#{kind}(args.extract_options!)

  42. EVAL ALL THE THINGS

          $ rails new myapp ; cd myapp ; bundle install
          $ cd `rvm gemdir`/gems
          $ egrep -r '(module_eval|instance_eval|class_eval)' . | wc -l
          321
          $ egrep -r '(module_eval|instance_eval|class_eval)' . | sed 's/\/.*//' | uniq -c | sort -n
           62 activesupport-3.2.11
           50 erubis-2.7.0
           38 actionpack-3.2.11
           24 activerecord-3.2.11
           19 railties-3.2.11

  43. Jan 28, CVE-2013-0333: Vulnerability in JSON Parser in Ruby on Rails 3.0 and 2.3
  44. Only 3.0 and 2.3: JSON parsed as YAML
  45. JSON is YAML. True story. (The affected JSON backend rewrote the JSON document into YAML and loaded it, so the CVE-2013-0156 payloads worked through JSON as well.)
  46. Jan 30: Rubygems hacked. Gemspecs are … YAML
  47. Jan 14, CVE-2013-0156: XML will deserialize YAML
  48. Feb 7, bonus level: SELECT 0 = "foo"; # => true (MySQL casts the string to a number before comparing, so an integer 0 arriving from a JSON payload matches every non-numeric token)
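What the three query bugs above have in common is that the attacker chooses the type of a parameter: a hash where the finder expected a scalar (CVE-2012-5664), an array holding nil (CVE-2013-0155), or an integer 0 against a string column (the MySQL bonus). A positive-security filter that names the scalar classes each field may hold stops all three before a finder is reached. This is an added example, not code from the talk or from Rails; the field table, the `BadParam` class, the function names and the request bodies are constructed for it.

```ruby
require "json"

# Each field names the scalar classes it may hold. Anything else, an Array,
# a Hash, nil, or a scalar of the wrong class, is refused.
FIELD_TYPES = {
  "id"    => [Integer],
  "token" => [String],
}.freeze

class BadParam < ArgumentError; end

# Returns a new hash holding only the listed fields, each checked against its
# permitted classes. Fields that were never asked for are dropped (whitelist,
# not blacklist).
def scalar_params(params)
  FIELD_TYPES.each_with_object({}) do |(name, classes), clean|
    next unless params.key?(name)
    value = params[name]
    unless classes.any? { |c| value.is_a?(c) }
      raise BadParam, "#{name}: expected #{classes.join('/')}, got #{value.inspect}"
    end
    clean[name] = value
  end
end

# Constructed request bodies, as a Rails 3.2 app would parse them into params.
PAYLOADS = {
  benign:     '{"id": 42, "token": "a1b2c3"}',
  # CVE-2013-0155: [nil] reached the finder and became WHERE token IS NULL
  nil_array:  '{"token": [null]}',
  # CVE-2012-5664 shape: a hash where a scalar belongs is taken as finder options
  hash_opts:  '{"token": {"select": "* FROM users; --"}}',
  # the MySQL bonus: 0 = "a1b2c3" is true once the string is cast to a number
  mysql_zero: '{"token": 0}',
  # a field the controller never asked for is simply dropped
  extra:      '{"id": 7, "role": "admin"}',
}.freeze

# Runs one body through the filter; returns the clean hash or the refusal message.
def screen(json)
  scalar_params(JSON.parse(json))
rescue BadParam => e
  e.message
end

if __FILE__ == $0
  PAYLOADS.each { |label, body| puts "#{label}: #{screen(body).inspect}" }
end
```

The check is deliberately on class, not on content: a token that is a String can still be garbage, but it can no longer change the shape of the query, which is what each of these bugs needed.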
  49. § Practical
  50. Are you up-to-date? Rails 3.2 / 3.1 get security updates; Rails 2.3 only for severe security issues; Ruby 1.8 is end of life June 2013
  51. What now? Sign up to the security mailing list
  52. What now? Read the Rails Guide on Security
  53. GET routes don't check the CSRF token, so a route that changes state must not be reachable with GET:

          match 'user/reset/:id' => 'user#reset', :via => :put

  54. attr_accessible, or even better strong_parameters:

          params.require(:person).permit(:name, :age)
          params.permit(:name, { :emails => [] })

  55. Careful with to_json in templates:

          <script>
            Accounts.reset(<%= raw @accounts.to_json %>);
          </script>

  56. Careful with to_json in templates. An account name that contains a script tag closes the block early:

          <script>
            Accounts.reset([{name: "</script><script>alert('xss')</script>", ...}]);
          </script>

  57. Escaped by default in Rails 4: ActiveSupport::JSON::Encoding.escape_html_entities_in_json = true. There are other solutions as well: json_escape, data-* attributes
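The template problem from slides 55 to 57, rendered both ways in plain Ruby so the difference is visible without a Rails app. This is an added example, not code from the talk or from Rails: `render_raw` mimics what `raw @accounts.to_json` puts on the page, and `json_escape` reimplements the replacement that Rails' `json_escape` / `escape_html_entities_in_json` perform (the characters `<`, `>`, `&` and the U+2028/U+2029 line separators become their JSON `\u` escapes). The account data is constructed for the example.

```ruby
require "json"

# Constructed data: one account whose name carries the payload from the slide.
ACCOUNTS = [{ "name" => "</script><script>alert('xss')</script>", "id" => 7 }].freeze

# The template from slide 55, with %s where the JSON is interpolated.
TEMPLATE = "<script>\n  Accounts.reset(%s);\n</script>\n"

# What `raw @accounts.to_json` does: the JSON goes into the page untouched.
def render_raw(accounts)
  format(TEMPLATE, JSON.generate(accounts))
end

# Characters that can end a <script> block or break a JS string literal, mapped to
# JSON escapes. The escaped text is still valid JSON and parses to the same data,
# so the browser-side code that consumes it does not change.
JSON_ESCAPE = {
  "<"      => '\u003c',
  ">"      => '\u003e',
  "&"      => '\u0026',
  "\u2028" => '\u2028',
  "\u2029" => '\u2029',
}.freeze

def json_escape(json)
  json.gsub(/[<>&\u2028\u2029]/, JSON_ESCAPE)
end

# The escaped rendering; the HTML parser never sees a literal </script>.
def render_escaped(accounts)
  format(TEMPLATE, json_escape(JSON.generate(accounts)))
end

if __FILE__ == $0
  puts "--- raw:"
  puts render_raw(ACCOUNTS)
  puts "--- escaped:"
  puts render_escaped(ACCOUNTS)
end
```

Note that this is not HTML-escaping: `&lt;` inside a script block would reach JavaScript as the literal text `&lt;`, whereas `\u003c` is decoded by the JSON parser back into `<`. That is why the escaping has to happen at the JSON layer, which is what the Rails 4 default does.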
  58. Regexp anchors: "some@email.com\n'; I AM IN YOUR SQLZ ; --" =~ /^...$/ still matches, because ^ and $ match at line boundaries and the value carries a second line
  59. Use \A and \z. ^ : beginning of line. $ : end of line. \A : beginning of string. \z : end of string. \Z : end of string, but ignores a final newline
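The anchor difference from slides 58 and 59, run against constructed inputs including the slide's multi-line one. This is an added example, not code from the talk; the email pattern is a deliberately simple one chosen for the example and is not a recommendation for address validation.

```ruby
# A simple address shape, kept as a string so it can be wrapped in each anchor pair.
EMAIL = '[\w.+-]+@[\w-]+\.[\w.-]+'

LINE_ANCHORED   = /^#{EMAIL}$/     # ^ and $ match at every line boundary
STRING_ANCHORED = /\A#{EMAIL}\z/   # \A and \z match only at the ends of the string
TRAILING_NL_OK  = /\A#{EMAIL}\Z/   # \Z also matches just before a final newline

# Constructed inputs: a clean address, the slide's injected one, and one with a trailing newline.
INPUTS = {
  plain:       "some@email.com",
  injected:    "some@email.com\n'; I AM IN YOUR SQLZ ; --",
  trailing_nl: "some@email.com\n",
}.freeze

def matches?(pattern, input)
  !!(input =~ pattern)
end

if __FILE__ == $0
  { "^...$" => LINE_ANCHORED, "\\A...\\z" => STRING_ANCHORED, "\\A...\\Z" => TRAILING_NL_OK }.each do |label, re|
    INPUTS.each { |name, input| puts "#{label.ljust(8)} #{name.to_s.ljust(12)} #{matches?(re, input)}" }
  end
end
```

The line-anchored pattern accepts the injected value because its first line is a valid address on its own; `\A...\z` rejects it. `\Z` is the middle ground: it still rejects the injection but tolerates a single trailing newline, which is usually what a form field with a stray line break needs.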
  60. SafeYAML: will probably become part of Psych
  61. Brakeman: static security analysis for Rails apps
  62. Sanitize your inputs: distrust params, cookies and request
  63. Thank you! Twitter: @plexus. GitHub: arnebrasseur
