YAML is the new Eval


  1. YAML is the new eval. 09.02.2013, @rug_b, @plexus, github/arnebrasseur
  2. You need to think about security
  3. I'm a Rails developer
  4. I'm a Rails developer. I'm not a security expert
  5. I'm a Rails developer. I'm not a security expert. That's the point
  6. "You Should Be At Defcon 2 For Most Of February" http://bit.ly/you_will_be_compromised
  7. § "Security"
  8. Many aspects: confidentiality, integrity, availability, authenticity
  9. gem "security" ?
  10. Emergent property: it's not a feature
  11. Infinity maxim: limitless vulnerabilities, most unknown
  12. Trade off: no such thing as 100% secure
  13. Ignorance is bliss: if you believe you're safe, you can assume you're not.
  14. Attack surface: your outer shell
  15. Least authority: can't break what you can't reach
  16. Constrained code
  17. Positive security: whitelist vs blacklist
  18. § Rails Security
  19. "Secure by default": XSS, CSRF, SQL escaping, etc.
  20. Tasty magic: programmer happiness
  21. "People who use magic without knowing what they are doing usually come to a sticky end. All over the entire room, sometimes." ~ Terry Pratchett
  22. § What happened?
  23. 4 x Rails vulnerability. Rubygems hacked. Bonus: MySQL "feature"
  24. Jan 2, CVE-2012-5664: SQL Injection Vulnerability
  25. Plain old dynamic finder: Post.find_by_id(id, opts = {})
  26. I Can Haz Inject SQL? Post.find_by_id(:select => sql)
  27. I Can Haz Inject SQL? Post.find_by_id(params[:id])
  28. HashWithIndifferentAccess: Post.find_by_id(params[:id])
  29. Exploitable? Probably, but not trivially
  30. AuthLogic: User.find_by_persistence_token(token)
  31. CookieStore: session[:token] = {:select => "foo; DROP TABLE… ; --"}
  32. config.session.key: do you know where your session key is at 4 o'clock in the morning?
  33. Jan 8, CVE-2013-0155: Unsafe Query Generation
  34. JSON or XML payload. Result: Foo.find_by_bar( [ nil ] )
  35. Jan 8, CVE-2013-0155: Unsafe Query Generation
  36. Jan 14, CVE-2013-0156: XML will deserialize YAML
  37. THE BIG ONE. Who thought YAML in XML was a good idea anyway?
  38. Never trust YAML! !ruby/hash:I::Am::In::Your::Objects and !ruby/object:Setting::Your::Ivars
  39. !ruby/hash calls #[]=
  40. !ruby/object calls instance_variable_set
  41. ActionController::Routing::RouteSet::NamedRouteCollection:
        def add(name, route)
          define_named_route_methods(name, route)
        end
        alias []= add

        def define_url_helper(route, name, kind, options)
          @module.module_eval <<-END
            def #{name}_#{kind}(*args)
              options = hash_for_#{name}_#{kind}(args.extract_options!)
  42. EVAL ALL THE THINGS:
        $ rails new myapp ; cd myapp ; bundle install
        $ cd `rvm gemdir`/gems
        $ egrep -r '(module_eval|instance_eval|class_eval)' . | wc -l
        321
        $ egrep -r '(module_eval|instance_eval|class_eval)' . | sed 's/^\.\///; s/\/.*//' | uniq -c | sort -n
             62 activesupport-3.2.11
             50 erubis-2.7.0
             38 actionpack-3.2.11
             24 activerecord-3.2.11
             19 railties-3.2.11
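To make the "!ruby/object calls instance_variable_set" point concrete, here is an added Ruby example (not from the slides) that loads a constructed document with Psych's legacy loader and with safe_load; the Setting class is hypothetical.

```ruby
require 'yaml'

# Hypothetical application class. Whoever controls the YAML document can name
# any loaded class and fill its instance variables through the !ruby/object tag.
class Setting
  attr_reader :name, :admin
  def initialize(name = nil, admin = false)
    @name  = name
    @admin = admin
  end
end

# Constructed document: the tag picks the class, the mapping becomes its ivars
# (set with instance_variable_set), and initialize never runs.
UNTRUSTED_YAML = <<~YAML
  --- !ruby/object:Setting
  name: guest
  admin: true
YAML

# Pre-CVE-2013-0156 behaviour: YAML.load honoured !ruby/* tags. Psych 4 made
# YAML.load safe and kept the old loader available as unsafe_load.
def load_unsafely(doc)
  Psych.respond_to?(:unsafe_load) ? Psych.unsafe_load(doc) : Psych.load(doc)
end

# Positive security: safe_load only builds scalars, arrays and hashes, so a
# !ruby/object or !ruby/hash tag is refused instead of instantiated.
def load_safely(doc)
  Psych.safe_load(doc)
rescue Psych::DisallowedClass => e
  e
end

if __FILE__ == $PROGRAM_NAME
  obj = load_unsafely(UNTRUSTED_YAML)
  puts "unsafe: #{obj.class} name=#{obj.name} admin=#{obj.admin}"
  puts "safe:   #{load_safely(UNTRUSTED_YAML).class}"
end
```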
  43. Jan 28, CVE-2013-0333: Vulnerability in JSON Parser in Ruby on Rails 3.0 and 2.3
  44. Only 3.0 and 2.3
  45. JSON is YAML. True story
  46. Jan 30: Rubygems hacked. Gemspecs are … YAML
  47. Jan 14, CVE-2013-0156: XML will deserialize YAML
  48. Feb 7, bonus level: SELECT 0 = "foo"; # => true
  49. § Practical
  50. Are you up-to-date? Rails 3.2 / 3.1 get security updates. Rails 2.3 for severe security issues. Ruby 1.8 is End of Life June 2013
  51. What now? Sign up to the security mailing list
  52. What now? Read the Rails Guide on Security
  53. GET routes don't check the CSRF token: match 'user/reset/:id' => 'user#reset', :via => :put
  54. attr_accessible, even better: strong_parameters. params.require(:person).permit(:name, :age); params.permit(:name, { :emails => [] })
  55. Careful with to_json in templates: <script> Accounts.reset(<%= raw @accounts.to_json %>); </script>
  56. Careful with to_json in templates: <script> Accounts.reset([{name: "</script><script>alert('xss')</script>", ...}]); </script>
  57. Escaped by default in Rails 4: ActiveSupport::JSON::Encoding.escape_html_entities_in_json = true. There are other solutions as well: json_escape, data-* attributes
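An added Ruby example (not from the slides) of the json_escape idea listed above: the characters that would let a JSON string terminate the script block are replaced by \uXXXX escapes, and JSON.parse still yields the original value. The helper names are hypothetical; the payload is constructed from the "Careful with to_json" slide.

```ruby
require 'json'

# Hypothetical helper modelled on json_escape: JSON parsers decode \u003c back
# to "<", but an HTML tokenizer looking for "</script" never sees it.
JSON_ESCAPES = {
  '<' => '\u003c', '>' => '\u003e', '&' => '\u0026',
  "\u2028" => '\u2028', "\u2029" => '\u2029' # line separators break old JS parsers
}.freeze

def script_safe_json(value)
  JSON.generate(value).gsub(/[<>&\u2028\u2029]/) { |ch| JSON_ESCAPES[ch] }
end

# The browser closes a <script> block at the first "</script", whatever the
# JavaScript string quoting says, so the embedded JSON must never contain it.
def safe_for_inline_script?(json)
  !json.downcase.include?('</script')
end

# Constructed payload: the account name on the slide.
ACCOUNTS = [{ 'name' => "</script><script>alert('xss')</script>" }].freeze

if __FILE__ == $PROGRAM_NAME
  puts "raw to_json:  #{JSON.generate(ACCOUNTS)}"
  puts "escaped json: #{script_safe_json(ACCOUNTS)}"
  puts "<script>Accounts.reset(#{script_safe_json(ACCOUNTS)});</script>"
end
```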
  58. Regexp anchors: "some@email.com\n; I AM IN YOUR SQLZ ; --" =~ /^...$/
  59. Use \A and \z. ^ : beginning of line. $ : end of line. \A : beginning of string. \z : end of string. \Z : ignores final newline
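The anchor difference from the two slides above, as an added Ruby example (not from the deck): the same email pattern is checked with line anchors, with \A...\z, and with \A...\Z against a constructed multi-line input.

```ruby
# Constructed input: a valid-looking address on line one, an injection attempt
# on line two, the shape the slide warns about.
SMUGGLED_EMAIL = "some@email.com\n; I AM IN YOUR SQLZ ; --"

EMAIL_PART = /[\w.+-]+@[\w-]+\.[\w.-]+/

# ^ and $ are line anchors in Ruby: the first line satisfies the check and the
# rest of the string is accepted along with it.
def email_line_anchored?(str)
  !!(str =~ /^#{EMAIL_PART}$/)
end

# \A and \z pin the match to the start and end of the whole string.
def email_string_anchored?(str)
  !!(str =~ /\A#{EMAIL_PART}\z/)
end

# \Z is almost \z but still accepts one trailing newline, which is why the
# slide recommends \z.
def email_string_anchored_Z?(str)
  !!(str =~ /\A#{EMAIL_PART}\Z/)
end

if __FILE__ == $PROGRAM_NAME
  puts "^...$   accepts smuggled input: #{email_line_anchored?(SMUGGLED_EMAIL)}"
  puts "\\A...\\z accepts smuggled input: #{email_string_anchored?(SMUGGLED_EMAIL)}"
end
```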
  60. SafeYAML: will probably become part of Psych
  61. Brakeman: static security analysis for Rails apps
  62. Sanitize your inputs: distrust params, cookies and request
  63. Thank you! Twitter: @plexus, GitHub: arnebrasseur
