Recommended
More Related Content
What's hot
What's hot (10)
Viewers also liked
Viewers also liked (20)
Similar to YAML is the new Eval
Similar to YAML is the new Eval (18)
Recently uploaded
Recently uploaded (20)
YAML is the new Eval
- 1. YAML is the new eval 09.02.2013 @rug_b @plexus github/arnebrasseur
- 2. You Need to think about security
- 4. I'm a Rails developer
- 5. I'm a Rails developer I'm not a security expert
- 6. I'm a Rails developer I'm not a security expert That's the point
- 7. “You Should Be At Defcon 2 For Most Of February” http://bit.ly/you_will_be_compromised
- 8. § “Security”
- 9. Many aspects confidentiality, integrity, availability, authenticity
- 10. gem “security” ?
- 12. Emergent Property It's not a feature
- 13. Infinity Maxim Limitless vulnerabilities, most unknown
- 14. Trade off No such thing as 100% secure
- 15. Ignorance is bliss If you believe you're safe, You can assume you're not.
- 16. Attack Surface Your outer shell
- 17. Least Authority Can't break what you can't reach
- 18. Constrained code
- 19. Positive security Whitelist vs Blacklist
- 20. § Rails Security
- 22. "secure by default" XSS, CSRF, sql escaping, etc.
- 24. “People who use magic without knowing what they are doing usually come to a sticky end. All over the entire room, sometimes.” ~ Terry Pratchett
- 25. § What happened?
- 26. 4 x Rails Vulnerability Rubygems Hacked Bonus : MySQL “feature”
- 27. Jan 2 CVE-2012-5664 SQL Injection Vulnerability
- 28. Post.find_by_id(id, opts = {}) Plain Old Dynamic Finder Jan 2 CVE-2012-5664 SQL Injection Vulnerability
- 29. Post.find_by_id(:select => sql) I Can Haz Inject SQL? Jan 2 CVE-2012-5664 SQL Injection Vulnerability
- 30. Post.find_by_id(params[:id]) I Can Haz Inject SQL? Jan 2 CVE-2012-5664 SQL Injection Vulnerability
- 31. HashWithIndifferentAccess Post.find_by_id(params[:id]) I Can Haz Inject SQL? Jan 2 CVE-2012-5664 SQL Injection Vulnerability
- 32. Exploitable? Probably, but not trivially Jan 2 CVE-2012-5664 SQL Injection Vulnerability
- 33. AuthLogic User.find_by_persistence_token(token) Jan 2 CVE-2012-5664 SQL Injection Vulnerability
- 34. CookieStore session[:token] = {:select => “foo; DROP TABLE… ; --”} Jan 2 CVE-2012-5664 SQL Injection Vulnerability
- 35. config.session.key Do you know where your session key is at 4 o'clock in the morning? Jan 2 CVE-2012-5664 SQL Injection Vulnerability
- 36. Jan 8 CVE-2013-0155 Unsafe Query Generation
- 37. Foo.find_by_bar( [ nil ] ) JSON or XML payload Result Jan 8 CVE-2013-0155 Unsafe Query Generation
- 38. Jan 8 CVE-2013-0155 Unsafe Query Generation
- 39. Jan 14 CVE-2013-0156 XML will deserialize YAML
- 40. THE BIG ONE Who thought YAML in XML was a good idea anyway? Jan 14 CVE-2013-0156 XML will deserialize YAML
- 41. Never trust YAML !ruby/hash:I::Am::In::Your::Objects !ruby/object:Setting::Your::Ivars Jan 14 CVE-2013-0156 XML will deserialize YAML
- 42. !ruby/hash Calls #[]= Jan 14 CVE-2013-0156 XML will deserialize YAML
- 43. !ruby/object Calls instance_variable_set Jan 14 CVE-2013-0156 XML will deserialize YAML
- 44. ActionController::Routing:: RouteSet::NamedRouteCollection def add(name, route) define_named_route_methods(name, route) end alias []= add def define_url_helper(route, name, kind, options) @module.module_eval <<-END def #{name}_#{kind}(*args) Jan 14 options = hash_for_#{name}_#{kind}(args.extract_options!) CVE-2013-0156 XML will deserialize YAML
- 45. EVAL ALL THE THINGS $ rails new myapp ; cd myapp ; bundle install $ cd `rvm gemdir`/gems $ egrep -r '(module_eval|instance_eval|class_eval)' . | wc -l 321 $ egrep -r '(module_eval|instance_eval|class_eval)' . | sed 's//.*//' | uniq -c | sort -n 62 activesupport-3.2.11 50 erubis-2.7.0 38 actionpack-3.2.11 24 activerecord-3.2.11 19 railties-3.2.11 Jan 14 CVE-2013-0156 XML will deserialize YAML
- 46. Jan 28 CVE-2013-0333 Vulnerability in JSON Parser in Ruby on Rails 3.0 and 2.3
- 47. Only 3.0 and 2.3 Jan 28 CVE-2013-0333 JSON parsed as YAML
- 48. JSON is YAML True story Jan 28 CVE-2013-0333 JSON parsed as YAML
- 49. Jan 30 Rubygems Hacked Gemspecs are … YAML
- 50. Jan 14 CVE-2013-0156 XML will deserialize YAML
- 51. Feb 7 Bonus Level SELECT 0 = “foo”; # => true
- 53. § Practical
- 55. Are you up-to-date? Rails 3.2 / 3.1 get security updates Rails 2.3 for severe security issues Ruby 1.8 is End of Life June 2013
- 56. What now? Sign up to the security mailing list
- 57. What now? Read the Rails Guide on Security
- 58. GET routes don't check CSRF token match 'user/reset/:id' => 'user#reset', :via => :put
- 59. attr_accessible even better : strong_parameters params.require(:person).permit(:name, :age) params.permit(:name, { :emails => [ ] }
- 60. Careful with to_json in templates <script> Accounts.reset(<%= raw @accounts.to_json %>); </script>
- 61. Careful with to_json in templates <script> Accounts.reset([{name: "</script><script>alert('xss')</script>", ...}]); </script>
- 62. Escaped by default in Rails 4 ActiveSupport::JSON::Encoding.escape_html_entities_in_json = true There are other solutions as well ● json_escape ● data-* attributes
- 63. Regexp Anchors “some@email.comn'; I AM IN YOUR SQLZ ; --” =~ /^...$/
- 64. Use A and z $ : beginning of line ^ : end of line A : beginning of string z : end of string Z : ignores final newline
- 65. SafeYAML Will probably become part of Psych
- 66. Brakeman Static security analysis for Rails apps
- 67. Sanitize Your Inputs Distrust params, cookies and request
- 68. Thank you! Twitter : @plexus Github : arnebrasseur