Copyright (c) 2011, FireEye, Inc. All rights reserved. | CONFIDENTIAL ‹#›
Securing Your Rails Application
Christophe Lucas
Mandiant, a FireEye Company
Heartbleed
OpenSSL CVE-2014-0160 vulnerability
• Allows attacker to read unencrypted traffic
• Steal keys, usernames, passwords
• Programming mistake
New OpenSSL release to fix 6 bugs
• SSL/TLS MITM vulnerability (CVE-2014-0224)
• DTLS recursion flaw (CVE-2014-0221)
• DTLS invalid fragment vulnerability (CVE-2014-0195)
• SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198)
• SSL_MODE_RELEASE_BUFFERS session injection or denial of service (CVE-2010-5298)
• Anonymous ECDH denial of service (CVE-2014-3470)
OpenSSL?
• Open source implementation of the TLS protocols, written in C
• SSL: Secure Sockets Layer
• TLS: Transport Layer Security
• The 'S' in HTTPS
Transport Layer Security
• developed by Netscape
• 1995: SSL 2.0
• 1996: SSL 3.0
• 1999: TLS 1.0, RFC 2246
• 2006: TLS 1.1, RFC 4346
• 2008: TLS 1.2, RFC 5246
TLS handshake
Client -> Server: Client Hello (TLS version, cipher suites)
Server -> Client: Server Hello (TLS version, cipher), public key and certificate
Client: validate certificate
Client -> Server: Client Finished (encrypted with the server's public key)
Server -> Client: Server Finished (encrypted)
Application data then flows over the TLS Record Protocol
HTTP Secure
How is my SSL?
• https://www.howsmyssl.com
• Version
• Ephemeral key support
• Session ticket support
• TLS compression
• Cipher suites
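The same checklist applied to a server-side context built with Ruby's standard OpenSSL binding. This is an added example, not code from the slides or from howsmyssl.com, and every function name in it is this example's own: it builds a context that refuses anything below TLS 1.2, disables TLS-level compression and keeps only suites with ephemeral (forward-secret) key exchange, then inspects the result the way the site would.

```ruby
require "openssl"

# Suites no modern deployment should offer: NULL/anonymous, RC4, export grade,
# MD5-based MACs, single DES / 3DES.
WEAK_CIPHER = /NULL|RC4|EXPORT|MD5|DES/

# Server-side context: TLS 1.2 or newer, no TLS compression (CRIME), and for
# TLS 1.2 only forward-secret AEAD suites. OpenSSL keeps the TLS 1.3 suites in
# a separate list; all of them use ephemeral key exchange.
def hardened_context
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.min_version = OpenSSL::SSL::TLS1_2_VERSION
  ctx.options |= OpenSSL::SSL::OP_NO_COMPRESSION
  ctx.ciphers = "ECDHE+AESGCM:DHE+AESGCM:!aNULL:!eNULL:!MD5"
  ctx
end

# Contrast: a context that only offers static RSA key exchange. The traffic is
# encrypted, but a later key compromise decrypts every recorded session.
def legacy_context
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.ciphers = "AES128-GCM-SHA256"
  ctx
end

# SSLContext#ciphers returns [name, protocol, key_bits, alg_bits] per suite.
def cipher_names(ctx)
  ctx.ciphers.map { |name, _proto, _bits, _alg| name }
end

# Suites matching the weak pattern; an empty array is the goal.
def weak_ciphers(ctx)
  cipher_names(ctx).grep(WEAK_CIPHER)
end

# True when every enabled suite has ephemeral key exchange. TLS 1.3 suite
# names start with "TLS_" and never use static RSA key transport.
def all_ephemeral?(ctx)
  cipher_names(ctx).all? { |n| n.start_with?("TLS_", "ECDHE", "DHE") }
end

def compression_disabled?(ctx)
  (ctx.options & OpenSSL::SSL::OP_NO_COMPRESSION) != 0
end

if __FILE__ == $PROGRAM_NAME
  ctx = hardened_context
  puts "enabled suites: #{cipher_names(ctx).size}"
  puts "weak suites:    #{weak_ciphers(ctx).inspect}"
  puts "all ephemeral:  #{all_ephemeral?(ctx)}"
  puts "no compression: #{compression_disabled?(ctx)}"
  puts "legacy context ephemeral: #{all_ephemeral?(legacy_context)}"
end
```

The cipher string and the `min_version=` setter require the openssl gem shipped with Ruby 2.5 or later; the exact suite list you get back depends on the OpenSSL build Ruby is linked against, which is why the checks inspect the context rather than hard-coding names.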
Secure Hash Algorithm
• 1993 SHA-0
• 1995 SHA-1, published by
• 2001 SHA-2, published by
• 2014 SHA-3 (Draft), published by
Use SSL/TLS
Credits: http://www.nsa.gov
Being Boring: A Survival Guide to Ruby Cryptography
Crypto API: a bunch of crazy code written by amateurs (Ruby OpenSSL) => not boring
Credits: Tony Arcieri - RubyConf 2013
Being Boring: A Survival Guide to Ruby Cryptography
Crypto API: crypto library written by cryptographers => boring
Credits: Tony Arcieri - RubyConf 2013
OpenSSL => Ruby NaCl
https://github.com/cryptosphere/rbnacl
Vulnerabilities
• Transport
• Rendering
=> secure the HTTP headers
Secure session
• config/environments/production.rb: config.force_ssl = true
• Only send the session cookie over a secure connection
• Adds the Secure attribute to Set-Cookie
Request - Response
[diagram, built up over several slides: Browser, http://, https://]
Session Hijacking (MITM)
[diagram, built up over several slides: Browser, http://, https://, Attacker]
Prevent Attack
• Use HTTP Strict Transport Security (HSTS)
• Ensure that the browser only visits the HTTPS version of the website:
Strict-Transport-Security: max-age=15768000; includeSubDomains
• No more redirect: eliminates the first insecure roundtrip
Transport
• TLS: Transport Layer Security
• Secure Cookies
• HSTS: HTTP Strict Transport Security
Protect Cookie
Secure only (still readable by script on the page):
Set-Cookie: the_secure_cookie=value; Secure
<script>alert(document.cookie);</script>
HTTP only:
Set-Cookie: the_cookie=value; Secure; HttpOnly
Session cookies are HttpOnly by default
Content Security Policy
Whitelist content:
Content-Security-Policy:
default-src 'self';
img-src 'self' data:;
media-src mediastream:;
script-src 'self' https://example.com
Audit your CSP (violations are reported, not blocked):
Content-Security-Policy-Report-Only:
default-src 'self';
img-src 'self' data:;
media-src mediastream:;
script-src 'self' https://example.com
Frame Options (XFO)
Prevent clickjacking:
X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
X-Frame-Options: ALLOW-FROM https://example.com/
XSS protection
Cross site scripting filter:
X-XSS-Protection: 1; mode=block
Prevent content sniffing
Prevent attacks based on MIME-type confusion:
X-Content-Type-Options: nosniff
Rendering
• HttpOnly Cookies
• Content Security Policy
• Frame Options
• XSS protection
• Content Type Options
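All of the transport and rendering headers above, applied in one place. This is an added example, not the slides' code and not the secure_headers gem's API: a minimal Rack-style middleware (env in, [status, headers, body] out) that sets HSTS, CSP, X-Frame-Options, X-XSS-Protection and X-Content-Type-Options, and adds Secure and HttpOnly to any Set-Cookie the application emits. It follows Rack 2 conventions (capitalised header names, several cookies joined by newline) so it runs without Rails or the rack gem installed; the class name, the audit_csp option and the inner app are this example's own.

```ruby
# Rack-style middleware adding the security headers from the slides.
class SecurityHeaders
  # Header values as shown on the slides. A report-only CSP is substituted
  # while auditing (audit_csp: true) so violations are reported, not blocked.
  DEFAULT_HEADERS = {
    "Strict-Transport-Security" => "max-age=15768000; includeSubDomains",
    "Content-Security-Policy"   => "default-src 'self'; img-src 'self' data:; " \
                                   "media-src mediastream:; script-src 'self' https://example.com",
    "X-Frame-Options"           => "SAMEORIGIN",
    "X-XSS-Protection"          => "1; mode=block",
    "X-Content-Type-Options"    => "nosniff",
  }.freeze

  def initialize(app, audit_csp: false)
    @app = app
    @audit_csp = audit_csp
  end

  def call(env)
    status, headers, body = @app.call(env)
    headers = headers.dup
    DEFAULT_HEADERS.each do |name, value|
      target = name
      target = "Content-Security-Policy-Report-Only" if @audit_csp && name == "Content-Security-Policy"
      headers[target] ||= value # keep anything the application set on purpose
    end
    # A browser ignores HSTS received over plain HTTP, so only send it on HTTPS.
    headers.delete("Strict-Transport-Security") unless https?(env)
    headers["Set-Cookie"] = harden_cookies(headers["Set-Cookie"]) if headers["Set-Cookie"]
    [status, headers, body]
  end

  private

  def https?(env)
    env["rack.url_scheme"] == "https" || env["HTTP_X_FORWARDED_PROTO"] == "https"
  end

  # Add Secure and HttpOnly to each cookie that lacks them (Rack 2 joins
  # multiple Set-Cookie values with "\n").
  def harden_cookies(value)
    value.split("\n").map do |cookie|
      attrs = cookie.split(";").map(&:strip)
      attrs << "Secure"   unless attrs.any? { |a| a.casecmp?("secure") }
      attrs << "HttpOnly" unless attrs.any? { |a| a.casecmp?("httponly") }
      attrs.join("; ")
    end.join("\n")
  end
end

# Constructed stand-in for a Rails application: it sets a session cookie with
# no security attributes at all.
PLAIN_APP = lambda do |_env|
  [200,
   { "Content-Type" => "text/html", "Set-Cookie" => "_app_session=abc123; Path=/" },
   ["<h1>hi</h1>"]]
end

# Run one request through the middleware and return the response headers.
def response_headers(scheme: "https", audit_csp: false)
  app = SecurityHeaders.new(PLAIN_APP, audit_csp: audit_csp)
  _status, headers, _body = app.call({ "rack.url_scheme" => scheme, "PATH_INFO" => "/" })
  headers
end

if __FILE__ == $PROGRAM_NAME
  response_headers.each { |k, v| puts "#{k}: #{v}" }
end
```

Two things to check before copying this shape into a real application: Rack 3 downcases header names and represents multiple Set-Cookie values as an array, so the cookie rewriting needs adjusting there, and X-Frame-Options ALLOW-FROM was never supported by every browser; the frame-ancestors CSP directive is the current way to allow a specific framing origin.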
secure_headers gem
• https://github.com/twitter/secureheaders
• Content Security Policy (CSP)
• HTTP Strict Transport Security (HSTS)
• X-Frame-Options (XFO)
• XSS Protection
• MIME type sniffing protection
Brakeman gem
Static analyzer for vulnerabilities
> brakeman
+-------------------+---------+
| Scanned/Reported | Total |
+-------------------+---------+
| Controllers | 17 |
| Models | 11 |
| Templates | 72 |
| Errors | 0 |
| Security Warnings | 21 (12) |
+-------------------+---------+
+----------------------------+-------+
| Warning Type | Total |
+----------------------------+-------+
| Cross Site Scripting | 4 |
| Cross-Site Request Forgery | 1 |
| Denial of Service | 2 |
| File Access | 1 |
| Format Validation | 1 |
| Mass Assignment | 5 |
| Remote Code Execution | 4 |
| SQL Injection | 2 |
| Session Setting | 1 |
+----------------------------+-------+
codesake-dawn gem
Static code scanner
> dawn --rails .
13:37:54 [*] dawn v1.1.3 is starting up
13:37:54 [$] dawn: scanning .
13:37:54 [$] dawn: rails v4.1.1 detected
13:37:54 [$] dawn: applying all security checks
13:37:54 [$] dawn: 173 security checks applied - 0 security checks skipped
13:37:54 [$] dawn: 2 vulnerabilities found
13:37:54 [!] dawn: Owasp Ror CheatSheet: Session management check failed
13:37:54 [$] dawn: Severity: info
13:37:54 [$] dawn: Priority: unknown
13:37:54 [$] dawn: Description: By default, Ruby on Rails uses a Cookie based session
store. What that means is that unless you change something, the session will not expire
on the server. That means that some default applications may be vulnerable to replay
attacks. It also means that sensitive information should never be put in the session.
13:37:54 [$] dawn: Solution: Use ActiveRecord or the ORM you love most to handle your
code session_store. Add "Application.config.session_store :active_record_store" to your
session_store.rb file.
13:37:54 [$] dawn: Evidence:
13:37:54 [$] dawn: In your session_store.rb file you are not using ActiveRercord to
store session data. This will let rails to use a cookie based session and it can expose
your web application to a session replay attack.
13:37:54 [$] dawn: {:filename=>"./config/initializers/session_store.rb", :matches=>[]}
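What dawn's "Session management" finding is getting at, as an added example that is not part of the slides or of the codesake-dawn project: a toy signed cookie store next to a toy server-side store. The cookie store signs the session with HMAC-SHA256 through Ruby's standard OpenSSL binding, so it cannot be forged, but because the server keeps no state it also cannot reject a copy of a cookie that was valid before logout. The module, class and function names, and the demo secret, are constructed for this example.

```ruby
require "openssl"
require "json"
require "base64"
require "securerandom"

# Constructed demo secret; a real application takes this from its secret store.
SECRET = "constructed-demo-secret-do-not-reuse".freeze

# Constant-time comparison so a signature cannot be guessed byte by byte
# through timing differences.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Cookie-based store in the spirit of Rails' CookieStore: the whole session
# travels in the cookie, signed so the client cannot change it. The server
# keeps nothing, so it has nothing to invalidate on logout.
module CookieStore
  def self.encode(session)
    payload = Base64.strict_encode64(JSON.generate(session))
    "#{payload}--#{OpenSSL::HMAC.hexdigest('SHA256', SECRET, payload)}"
  end

  # Session hash if the signature verifies, nil otherwise.
  def self.decode(cookie)
    payload, sig = cookie.to_s.split("--", 2)
    return nil if payload.nil? || sig.nil?
    return nil unless secure_equal?(OpenSSL::HMAC.hexdigest("SHA256", SECRET, payload), sig)
    JSON.parse(Base64.strict_decode64(payload))
  rescue ArgumentError, JSON::ParserError
    nil
  end
end

# Server-side store (what the ActiveRecord session store gives you): the cookie
# carries only an opaque id, and the data lives where logout can delete it.
class ServerStore
  def initialize
    @sessions = {}
  end

  def create(data)
    id = SecureRandom.hex(16)
    @sessions[id] = data
    id
  end

  def fetch(id)
    @sessions[id]
  end

  def destroy(id)
    @sessions.delete(id)
  end
end

# Scenario 1: a cookie copied before logout. The cookie store still accepts it,
# because "logout" only asked the browser to discard its own copy.
def cookie_store_after_logout
  earlier_copy = CookieStore.encode("user_id" => 42)
  # ... the user logs out; nothing changes on the server ...
  CookieStore.decode(earlier_copy)  # => {"user_id"=>42}
end

# Scenario 2: the same with a server-side store; destroying the record makes
# the old id worthless.
def server_store_after_logout
  store = ServerStore.new
  id = store.create("user_id" => 42)
  store.destroy(id)
  store.fetch(id)                   # => nil
end

# The signature still protects integrity: an edited payload is rejected, so
# the cookie store's weakness is replay, not forgery.
def tampered_cookie
  signed = CookieStore.encode("user_id" => 42)
  _payload, sig = signed.split("--", 2)
  forged = "#{Base64.strict_encode64(JSON.generate('user_id' => 1))}--#{sig}"
  CookieStore.decode(forged)        # => nil
end

if __FILE__ == $PROGRAM_NAME
  puts "cookie store after logout: #{cookie_store_after_logout.inspect}"
  puts "server store after logout: #{server_store_after_logout.inspect}"
  puts "tampered cookie:           #{tampered_cookie.inspect}"
end
```

Rails' cookie store can also carry an expiry inside the signed payload, which bounds the replay window but still cannot revoke a single session early; that is what moving session data to ActiveRecord or a cache store buys you, together with the rule in dawn's description that sensitive data never belongs in a cookie session.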
gauntlt gem
• Build attacks with cucumber scripts
> gauntlt
Rugged DevOps
InfoSec + Dev + Ops = Rugged DevOps
http://ruggeddevops.org
https://www.ruggedsoftware.org
Code Monitoring tools
• https://codeclimate.com
• https://gemcanary.com
• https://gemnasium.com
Resources
• http://guides.rubyonrails.org/security.html
• https://www.owasp.org/index.php/Ruby_on_Rails_Cheatsheet
• https://www.ssllabs.com
• https://github.com/cryptosphere/rbnacl
• https://github.com/twitter/secureheaders
• http://brakemanscanner.org
• https://github.com/codesake/codesake-dawn
• http://gauntlt.org
Questions?
christophe.lucas@mandiant.com
@krof