Ruby on Rails Penetration Testing

3,884 views

Published on

Slides from our presentation on Ruby on Rails Penetration Testing

Published in: Software, Technology, Education
0 Comments
4 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
3,884
On SlideShare
0
From Embeds
0
Number of Embeds
49
Actions
Shares
0
Downloads
61
Comments
0
Likes
4
Embeds 0
No embeds

No notes for slide

Ruby on Rails Penetration Testing

  1. 1. Ruby on Rails Building and Breaking Rails App http://www.3SLabs.com
  2. 2. • Released to the world as ‘extracted’ from BaseCamp (37Signals) by @dhh during July 2004. • Merged with Merb Project during December 2008 and Rails 3.0 was released. • Two supported branch of development currently: – Rails 3.x – Rails 4.x
  3. 3. Acceptance of RoR .. and LOT more
  4. 4. Building Web Applications using Ruby on Rails
  5. 5. RoR Application Structure Image Source: http://blog.ifuturz.com/ruby-on-rails/ruby-on-rails-mvc-learn-with-fun.html
  6. 6. Building a RoR App 1. Ruby & Ruby Gem Installation 2. Generate RoR Project 3. Design ERD 4. Generate Scaffolds 5. Define Relationships 6. Create Database Schema 7. Start Application Server
  7. 7. RoR: Web Blog Example Our Blog is a web application where one or more Users can self-register and sign-in using their registered credentials. Upon sign-in each User should be able to publish Blog Post that is visible to any user or visitor of the portal. Any User or Visitor of the portal should optionally Comment on any Blog Post.
  8. 8. RoR: Web Blog ERD
  9. 9. Step1: Generate Project
  10. 10. Step2: Generate Scaffolds
  11. 11. Step3: Setup Database Schema
  12. 12. Step4: Launch App Server
  13. 13. http://m.xkcd.org/844/ Now write some code or customize the views..
  14. 14. After some love of Bootstrap3
  15. 15. Learning Ruby on Rails • Ruby on Rails Official Guide – http://guides.rubyonrails.org/ • Agile Web Development with Rails – http://pragprog.com/book/rails4/agile-web-development-with-rails • Ruby on Rails Podcasts – http://podcast.rubyonrails.org/ • Rails Code School – https://www.codeschool.com/courses/rails-for-zombies-redux • Rails Cast – http://railscasts.com/
  16. 16. Breaking Ruby on Rails Applications Image (Karate) by Nicholas Riggle from The Noun Project CC By 2.0
  17. 17. Penetration Testing Rails App • Black/Gray Box Approach – Conventional Testing – Fingerprinting Rails Framework – Rails specific Vulnerability Testing – Rails specific Weakness Testing • White Box Approach – Automated Scan for known Vulnerabilities • Brakeman – Attack Surface enumeration through Routes – Authentication & Authorization Testing – Common Rails information disclosures (secret_token.rb) – Model Attributes Security – Custom/Unconventional SQL Queries Audit – Responsive View Audit
  18. 18. Fingerprinting Rails Applications • No generic and definitive technique! – It’s a cat & mouse game really. • Heuristics – Session Identifier – Asset Pipeline – [ … ]
  19. 19. Fingerprinting Rails Application Not so easy for an application served with a reverse proxy which is almost always the case in production.
  20. 20. Fingerprinting Rails Application Leveraging the assets pipeline which is enabled by default from Rails 3.1
  21. 21. Automated Testing: Brakeman http://brakemanscanner.org/ Need source code access !
  22. 22. Automated Testing: grep(1) eval instance_eval class_eval DRb.start_server find_by_sql system exec popen You will be surprised to see how effective this is ! /`(.*)`/
  23. 23. Attack Surface: Routes
  24. 24. Attack Surface: Routes • Default Routing – <Resource> is handled by app/controllers/<resources>_controller.rb – CRUD on Resource
  25. 25. Session Security • A whole set of attacks are possible on Session Management functionality of any Web Application. – Session Hijack, Session Fixation, Session Id Prediction, Session Data Tampering, Leveraging Session Data for RCE etc. • Rails provide inbuilt Session Management – The session object is available to application developer as a Hash/Map to store arbitrary data. – The session object is serialized and stored in corresponding session storage as per configuration. – Signed cookie is used for session storage by default.
  26. 26. Session Security http://robertheaton.com/2013/07/22/how-to-hack-a-rails-app-using-its-secret-token/ Not a Good idea !
  27. 27. Session Security: Best Practices Enforce SSL in order to avoid sniffing of session id Re-generate session after authentication to avoid session fixation Store session in database instead of Cookie which is default Cookie based Session Store are susceptible to Replay Attacks
  28. 28. Authentication • Multiple Popular Authentication Plugin – Devise – RESTful Authentication – […] • Devise – Auto-generated Registration, Confirmation, Login, Forgot Password etc. – Controller filter for enforcing authentication.
  29. 29. Testing Authentication • Generic Issues – Weak Session Management – Weak Authentication Enforcement – Weak Password Encryption • Plugin/Gem Specific – Devise Vulnerabilities – Lack of Authentication Enforcement – Timing Attacks – Information Gathering through default message Are all controllers protected by Authentication System?
  30. 30. Authorization • Not provided by default in the framework. – Encourages RESTful design. • Easy to implement RBAC on Resources – Multiple Gem/Plugin available Example usage of CanCan for Authorization https://github.com/ryanb/cancan
  31. 31. Testing Authorization • Authorization Plugin or Custom Coded? • Every functionality is RESTful? • Query scoping in Controller
  32. 32. Rails CSRF Protection CSRF Token generation and checking is enforced by default. • Application must use Rails Form Tag Helps to generate forms rather than HTML directly. • HTTP GET is not protected !
  33. 33. Killing Rails CSRF Protection http://blog.codeclimate.com/blog/2013/03/27/rails-insecure-defaults/
  34. 34. Rails Model Security • The Business Logic Layer – Database Abstraction through ORM – Entity Relationship Definition – Business Logic • Common Security Issues – Attribute Mass Assignment • Mitigated by default in newer version of Rails – Custom (insecure) SQL Queries – Business Logic Vulnerabilities
  35. 35. Rails Model: Attribute Mass Assignment The Model The Controller The Malicious Input
  36. 36. Rails Model: SQL Queries Model Scope Chained Query Interface (ActiveRelation) Parameterized Qury
  37. 37. Rails Model: Insecure SQL Queries The application developer should ensure that the Query Interface understand the difference between Query and Data.
  38. 38. Rails Model: SQL Injection Vectors • ActiveRecord does not escape parameters for certain options: Source: http://rails-sqli.org/
  39. 39. View Rendering • Dynamic parameters are encoded by default unless explicitly marked as safe. • There are scope for Reflected XSS – Strings marked explicitly with html_safe method. – Textile/Markdown Injection – Insecure used of content_tag
  40. 40. Secure Headers • Rails 3.x is vulnerable to Clickjacking & UI Redressing Type of attacks in default configuration. – Easy Mitigation • gem ‘secureheaders’ in Gemfile – https://github.com/twitter/secureheaders
  41. 41. Rails: Framework Vulnerabilities http://www.cvedetails.com/vulnerability-list/vendor_id-12043/product_id-22568/Rubyonrails-Ruby-On-Rails.html
  42. 42. References • Ruby on Rails Security Guide – http://guides.rubyonrails.org/security.html • Brakeman Scanner – http://brakemanscanner.org/ • Rails SQLi Examples – http://rails-sqli.org/ • OWASP Cheatsheet for RoR – https://www.owasp.org/index.php/Ruby_on_Rails_Cheatsheet • Ruby Security Configuration – http://blog.codeclimate.com/blog/2013/03/27/rails-insecure-defaults/ • Ruby Mechanize – http://mechanize.rubyforge.org/ • Ruby Nokogiri – http://nokogiri.org/ • The Noun Project – http://thenounproject.com/

×