Rails Security

ATLRUG Security Workshop - 9/10/2014

Uploaded by jasnow


Description: 4-hour ATLRUG Rails Security Workshop on 9/10/2014 by Ken Johnson

Page 1: ATLRUG Security Workshop - 9/10/2014

Rails Security

Page 2

Introductions

• Jack Mannino – CEO @nVisium

– Lives in the JVM

– Beats up on mobile + wearables

– Scala, Swift, Java (Android)

• Ken Johnson – CTO @nVisium

– Former LivingSocialite

– Develop heavily in Rails

– Railsgoat Co-Author

Page 3

Why are we all here?

• Us?

– MINASWAN (Matz is nice and so we are nice)

• You?

– Hopefully to have some fun

Page 4

Before we begin

• Machine assignment & RDP

• Credentials

– Username: trainee

– Password: tr41n1ng

• Source code: ~/pentest/railsgoat

• Text Editor: type subl

• Burp: ~/Desktop/burp/

Page 5

Course Outline

• Model Layer

• Presentation Layer (View)

• Logic Layer (Controller)

• Unit-Tests

• Defensive Tools

Page 6

Course Outline (Model)

• Model Layer

– Mass Assignment

– MetaProgramming

– Hashing / Encryption

– SQL Injection

Page 7

Course Outline (Presentation)

• Cross-Site Scripting

• Browser Behavior

• Error Messages & Enumeration

Page 8

Course Outline (Logic)

• Insecure Direct Object Reference

• Remote Code Execution

• Logic Flaws

• CSRF

• Session Handling

• Redirection

• Authentication Tips

Page 9

Let’s get started

• First though, let’s walk through a few things you’ll need to know in this course:

– What is an intercepting proxy?

• FAQ (No, SSL is not a problem, let me explain why)

– Instructions on getting started

– Start Railsgoat

Page 10

MODEL LAYER

Page 11

Model Layer – Mass Assignment

• Mass Assignment

– Not a huge issue in Rails 4 (strong parameters whitelist in the controller)… unless you instantiate models with data from *outside* the controller (jobs, importers, API clients), where nothing ever calls permit

– Rails 2 & 3 (don’t be ashamed, someone in this room is running 2.x): yes, very much a problem unless attributes are whitelisted with attr_accessible

– Audit for fun & profit

– Ready, set, hack!
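An added example, not Railsgoat code, that shows the three cases on this slide in plain Ruby: a model that assigns whatever it is given, a stand-in for the strong-parameters permit call, and the "outside the controller" path that skips it. The User class, the permit helper and the attacker's request body are constructed for the example.

```ruby
require 'json'
require 'set'

# Stand-in for an ActiveRecord model (constructed for this example):
# every key of the incoming hash is written straight to an attribute.
class User
  attr_accessor :name, :email, :admin

  def initialize(attrs = {})
    @admin = false
    assign_attributes(attrs)
  end

  def assign_attributes(attrs)
    attrs.each { |key, value| public_send("#{key}=", value) }
    self
  end
end

# Stand-in for Rails 4 strong parameters: keep only the whitelisted keys.
# In a controller this is params.require(:user).permit(:name, :email).
def permit(params, *allowed)
  allowed = allowed.map(&:to_s).to_set
  params.select { |key, _| allowed.include?(key.to_s) }
end

# Constructed request body: the attacker adds admin=true to the signup form.
ATTACKER_PARAMS = { 'name' => 'mallory', 'email' => 'm@example.com', 'admin' => true }.freeze

# Rails 2/3 without attr_accessible, or any Rails 4 code that skips permit:
# the extra key is honoured and the account is created as an admin.
def signup_unfiltered(params)
  User.new(params)
end

# Rails 4 style: the controller whitelists before the model sees the data.
def signup_filtered(params)
  User.new(permit(params, :name, :email))
end

# The "outside the controller" trap from the slide: a job or importer that
# builds a model from a stored or uploaded JSON document never passes
# through permit, so mass assignment is back.
def import_from_json(json)
  User.new(JSON.parse(json))
end

if __FILE__ == $PROGRAM_NAME
  p signup_unfiltered(ATTACKER_PARAMS).admin
  p signup_filtered(ATTACKER_PARAMS).admin
  p import_from_json('{"name":"x","admin":true}').admin
end
```

When auditing, grep for `.new(`, `.create(`, `update_attributes(` and `assign_attributes(` outside controllers; each call site needs its own whitelist.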

Page 12

Model Layer - MetaProgramming

• Code that writes code, sweet!

• Code that writes code based on user input, dangerous!

• Examples:

– Constantize (String#constantize, i.e. Object.const_get on a string)

– Send (Object#send, which also reaches private methods)
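An added example in plain Ruby, not from the slides: the two calls named above driven by request input, and the whitelisted dispatcher that replaces them. The Report class and the RENDERERS/ACTIONS tables are constructed for the example; Rails' `"Report".constantize` is Object.const_get underneath.

```ruby
class Report
  def render
    'quarterly report'
  end

  private

  # Internal helper that must never be reachable from a request.
  def purge
    'all reports deleted'
  end
end

# Vulnerable: the request picks the class. Nothing stops it picking Kernel,
# File or IO and then calling whatever method it likes on the result.
def resolve_unsafe(klass_name)
  Object.const_get(klass_name)
end

# Vulnerable: send reaches private methods, so even a "safe" object exposes
# everything it has, not just its public API.
def call_unsafe(object, method_name, *args)
  object.send(method_name, *args)
end

# Safe: map user-facing names to explicit classes and actions; anything
# else is rejected before any constant lookup or method call happens.
RENDERERS = { 'report' => Report }.freeze
ACTIONS   = %w[render].freeze

def dispatch_safe(kind, action)
  klass = RENDERERS.fetch(kind) { raise ArgumentError, "unknown kind #{kind.inspect}" }
  raise ArgumentError, "unknown action #{action.inspect}" unless ACTIONS.include?(action)
  klass.new.public_send(action) # public_send: private methods stay private
end
```

public_send alone is not the fix: it only restores visibility rules, it does not stop `resolve_unsafe('Kernel')` followed by a public method such as `system`. The whitelist is what removes the attacker's choice.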

Page 13

Model Layer – Hashing/Encryption

• Hashing vs. Encryption

• Strong hashing algorithms

• Strong encryption algorithms

• Rack::Utils.secure_compare vs. ==

• Be careful how you re-use
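An added example, not from the slides, covering this slide's points in plain Ruby with only the OpenSSL stdlib: a constant-time comparison with the same shape as Rack::Utils.secure_compare, the length-hiding variant ActiveSupport uses, an HMAC-signed expiring token verified with it, and AES-256-GCM for data you need to read back (hashing is for passwords, encryption is for secrets you must recover). The token format and the 12-byte IV / 16-byte tag layout are choices made for this example.

```ruby
require 'openssl'
require 'securerandom'

# Byte-by-byte comparison that does the same work whatever the input (same
# algorithm as Rack::Utils.secure_compare). String#== stops at the first
# differing byte, so an attacker can measure how many leading bytes of a
# guessed token are right.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  left = a.unpack('C*')
  result = 0
  b.each_byte { |byte| result |= byte ^ left.shift }
  result.zero?
end

# The early return above leaks length; hashing both sides first (what
# ActiveSupport::SecurityUtils.secure_compare does) hides that too.
def fixed_length_secure_compare(a, b)
  secure_compare(OpenSSL::Digest::SHA256.digest(a), OpenSSL::Digest::SHA256.digest(b)) && a == b
end

# A signed, expiring token: HMAC over "user_id:expiry" with a server secret.
# Verify with secure_compare, never ==. Re-use caveat: this secret is for
# signing only; do not also use it as the encryption key below.
def issue_token(secret, user_id, expires_at)
  payload = "#{user_id}:#{expires_at}"
  "#{payload}:#{OpenSSL::HMAC.hexdigest('SHA256', secret, payload)}"
end

def verify_token(secret, token, now)
  user_id, expires_at, mac = token.to_s.split(':', 3)
  return nil if mac.nil?
  expected = OpenSSL::HMAC.hexdigest('SHA256', secret, "#{user_id}:#{expires_at}")
  return nil unless fixed_length_secure_compare(expected, mac)
  return nil if expires_at.to_i < now
  user_id.to_i
end

# Encryption is for data you must read back (an API key), not for passwords.
# AES-256-GCM gives confidentiality and integrity; fresh 12-byte IV per call.
# Output layout (this example's choice): iv || auth_tag || ciphertext.
def encrypt(key, plaintext)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = key
  iv = cipher.random_iv
  ciphertext = cipher.update(plaintext) + cipher.final
  iv + cipher.auth_tag + ciphertext
end

def decrypt(key, blob)
  return nil if blob.bytesize < 29 # 12 + 16 + at least one byte
  iv, tag, ciphertext = blob[0, 12], blob[12, 16], blob[28..-1]
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = key
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.update(ciphertext) + cipher.final
rescue OpenSSL::Cipher::CipherError
  nil # tampered ciphertext or wrong key: fail closed
end
```

For password storage none of this applies: use a slow, salted hash (bcrypt via has_secure_password or Devise) rather than SHA-256 or AES.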

Page 14

Model Layer – SQL Injection

• ActiveRecord - Safe… well, sort of

• http://rails-sqli.org/

• "SQLMap Hacker Fun Time"
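An added example with no database, not from the slides or from ActiveRecord's source: a minimal `?` binder that shows what ActiveRecord's placeholder form does to an injection payload, next to the interpolated form that rails-sqli.org warns about, plus the whitelist you need for the methods that take raw SQL fragments. The quoting rule (double every single quote) is the SQL standard; real adapters do more (MySQL also escapes backslashes), so this binder is illustrative only.

```ruby
# Quote a Ruby value as a SQL literal (SQL-standard rules; illustrative).
def quote(value)
  case value
  when Integer, Float then value.to_s
  when nil            then 'NULL'
  when String         then "'#{value.gsub("'", "''")}'"
  else raise ArgumentError, "cannot bind a #{value.class}"
  end
end

# where("name = ? AND age > ?", name, age): every ? becomes a quoted
# literal, so user input can never change the query's structure.
def bind_sql(template, *values)
  raise ArgumentError, 'placeholder/value count mismatch' unless template.count('?') == values.size
  queue = values.dup
  template.gsub('?') { quote(queue.shift) }
end

# where("name = '#{params[:name]}'"): the input becomes part of the query text.
def interpolate_sql(name)
  "SELECT * FROM users WHERE name = '#{name}'"
end

# The "sort of" part: order, group, having, select and pluck take raw SQL
# fragments with no ? support, so for those only a whitelist helps.
SORTABLE_COLUMNS = %w[name created_at].freeze

def order_clause(column)
  SORTABLE_COLUMNS.include?(column) ? "ORDER BY #{column}" : 'ORDER BY name'
end

# Constructed attacker input.
PAYLOAD = "' OR '1'='1".freeze
```

The bound version yields `name = ''' OR ''1''=''1'`, a literal string the database compares against, while the interpolated version yields `name = '' OR '1'='1'`, a tautology that returns every row.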

Page 15

PRESENTATION LAYER

Page 16

Presentation Layer – XSS

• XSS = Cross-Site Scripting (aka HTML injection)

• DOM

• html_safe

• JSON in Rails 3.2.x (to_json leaves <, > and & unescaped by default, so JSON dropped into a script tag can break out of it)

• Ready, set, hack
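An added example, not from the slides, using only Ruby's stdlib: the escaping that `<%= %>` applies (ERB::Util.html_escape), what html_safe/raw turns off, and the extra escaping needed before embedding JSON inside a script block. The JSON_ESCAPE table is the same set of characters Rails' json_escape helper targets; the greeting templates are constructed for the example.

```ruby
require 'erb'
require 'json'

# <%= name %> in Rails runs html_escape unless the string is html_safe.
def render_greeting(name)
  "<p>Hello, #{ERB::Util.html_escape(name)}</p>"
end

# What <%= raw name %> or name.html_safe does: emitted as-is, so any markup
# in the value becomes part of the page.
def render_greeting_html_safe(name)
  "<p>Hello, #{name}</p>"
end

# Rails 3.2's to_json leaves < > & alone, so
#   <script>var user = <%= raw @user.to_json %>;</script>
# lets a name containing "</script>" end the script block early and start a
# new one. Escaping those characters as \u00XX keeps the JSON valid for the
# JS parser while making breakout impossible. U+2028/2029 are line
# terminators in JS but not in JSON, hence the last two entries.
JSON_ESCAPE = { '&' => '\u0026', '>' => '\u003e', '<' => '\u003c',
                "\u2028" => '\u2028', "\u2029" => '\u2029' }.freeze

def json_for_script(obj)
  JSON.generate(obj).gsub(/[&<>\u2028\u2029]/u, JSON_ESCAPE)
end
```

Rails 4 turned on escape_html_entities_in_json by default, which is the same transformation; on 3.2 apply it yourself, and in either case prefer a data attribute plus a DOM read over inline script data.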

Page 17

Presentation Layer – Browser Behavior

• Cookies

– Flags

– Client-side vs. Server-side

• Caching

– Browser Caching Headers

• Headers

– CSP

– secure_headers
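An added example, not from the slides or from the secure_headers gem: a Rack-style middleware in plain Ruby (it relies only on the `call(env)` to `[status, headers, body]` contract, so the rack gem is not needed to run it) that sets the headers this slide lists, marks authenticated responses uncacheable, and adds Secure and HttpOnly to every cookie. The header values, the `app.authenticated` env key and the demo app are assumptions made for the example, not Railsgoat's configuration.

```ruby
class SecurityHeaders
  CSP = "default-src 'self'; object-src 'none'; frame-ancestors 'none'".freeze

  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    headers = headers.dup
    headers['Content-Security-Policy']   = CSP
    headers['X-Frame-Options']           = 'DENY'
    headers['X-Content-Type-Options']    = 'nosniff'
    headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains'
    # Authenticated responses must not land in the browser or proxy cache.
    # env['app.authenticated'] is a placeholder for "the session has a user".
    headers['Cache-Control'] = 'no-store' if env['app.authenticated']
    headers['Set-Cookie'] = harden_cookies(headers['Set-Cookie']) if headers['Set-Cookie']
    [status, headers, body]
  end

  # Add Secure and HttpOnly to every cookie that lacks them. Rack 2 joins
  # several cookies with "\n"; Rack 3 uses an Array; both shapes are kept.
  # (Leave HttpOnly off a cookie that JavaScript legitimately has to read.)
  def harden_cookies(value)
    list = value.is_a?(Array) ? value : value.split("\n")
    hardened = list.map do |cookie|
      cookie = cookie.strip
      cookie += '; Secure'   unless cookie =~ /;\s*secure\b/i
      cookie += '; HttpOnly' unless cookie =~ /;\s*httponly\b/i
      cookie
    end
    value.is_a?(Array) ? hardened : hardened.join("\n")
  end
end

# Constructed downstream app: one page, one session cookie.
DEMO_APP = lambda do |_env|
  [200, { 'Content-Type' => 'text/html', 'Set-Cookie' => '_session_id=abc123; path=/' }, ['<html>']]
end

def demo_response(authenticated:)
  SecurityHeaders.new(DEMO_APP).call('app.authenticated' => authenticated)
end
```

In a Rails app the cookie flags belong in the session_store initializer (`secure: true, httponly: true`) and the headers in the secure_headers gem's config; this middleware shows what those settings produce on the wire.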

Page 18

Presentation Layer – Error Messages

• Enumeration

• Common places

– Forgot Password Features

– Sign Up

– Profile Updates

– Login

Page 19

LOGIC LAYER

Page 20

Logic Layer – Insecure Direct Object Reference (IDOR)

• Do not trust users

• Prevention

• Ready, Set, Hack
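An added example with an in-memory stand-in for the database, not Railsgoat's models: the difference between `Message.find(params[:id])` and `current_user.messages.find(params[:id])`, and where a role-based widening of the scope belongs. The Message struct and the rows are constructed for the example.

```ruby
Message = Struct.new(:id, :owner_id, :body)

class RecordNotFound < StandardError; end

# Constructed data: message 2 belongs to user 20.
MESSAGES = [
  Message.new(1, 10, 'hi alice'),
  Message.new(2, 20, "bob's private note")
].freeze

# Message.find(params[:id]): any authenticated user reads any row just by
# changing the id in the URL.
def show_unscoped(_current_user_id, id)
  MESSAGES.find { |m| m.id == id.to_i } || raise(RecordNotFound, "message #{id}")
end

# current_user.messages: the scope is decided by who is logged in, never by
# anything in the request. Widening for a role happens here, explicitly.
def messages_for(current_user_id, admin: false)
  admin ? MESSAGES : MESSAGES.select { |m| m.owner_id == current_user_id }
end

# current_user.messages.find(params[:id]): a foreign id is simply "not
# found" (404), which also doesn't confirm that the record exists.
def show_scoped(current_user_id, id, admin: false)
  messages_for(current_user_id, admin: admin).find { |m| m.id == id.to_i } ||
    raise(RecordNotFound, "message #{id}")
end
```

Checking ownership after an unscoped lookup (find, then compare owner_id and return 403) also works but leaks which ids exist; scoping the query gives the same answer for "not yours" and "not there".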

Page 21

Logic Layer - RCE

• Remote Code Execution

– YAML (YAML.load on untrusted input instantiates arbitrary classes)

– Marshal (Marshal.load on untrusted input, e.g. a forged signed session cookie)
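An added example, not from the slides: a harmless stand-in class shows that YAML.load (unsafe_load on Psych 4) and Marshal.load build whatever object the input names, while YAML.safe_load and a JSON cookie serializer do not. The Gadget class, the YAML document and the forged cookie are constructed for the example; real exploits need no custom class, they chain classes already loaded in the Rails process until a method call ends in eval or system.

```ruby
require 'yaml'
require 'json'
require 'base64'

# Harmless stand-in for a gadget class (constructed for this example).
class Gadget
  attr_accessor :cmd
end

# Constructed attacker document: the !ruby/object tag chooses the class.
ATTACKER_YAML = "--- !ruby/object:Gadget\ncmd: id\n".freeze

# Before Psych 4 (Ruby 3.1) YAML.load instantiated whatever the document
# asked for; Psych 4 moved that behaviour to unsafe_load.
def parse_yaml_old_way(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# safe_load builds only scalars, arrays and hashes; other tags raise
# Psych::DisallowedClass unless the class is explicitly permitted.
def parse_yaml_safely(doc, allowed = [])
  allowed.empty? ? YAML.safe_load(doc) : YAML.safe_load(doc, permitted_classes: allowed)
end

# Marshal has no safe mode at all. Rails 3 and 4.0 session cookies are
# Marshal dumps signed (4.0: encrypted) with the app secret, so a leaked
# secret_token lets an attacker sign a cookie that deserializes to any
# object. Rails 4.1 added the :json cookie serializer for this reason.
def parse_cookie_marshal(b64)
  Marshal.load(Base64.decode64(b64))
end

def parse_cookie_json(b64)
  JSON.parse(Base64.decode64(b64))
end

# Constructed forged cookie payload (signature check assumed already passed).
FORGED_COOKIE = Base64.strict_encode64(Marshal.dump(Gadget.new.tap { |g| g.cmd = 'id' })).freeze
```

The rule is the same for both formats: a signature proves who produced the bytes, not that deserializing them is safe. Parse untrusted YAML with safe_load and never feed untrusted bytes to Marshal.load.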

Page 22

Logic Layer – Logic Flaws

• Example 1:

– Bidding site and account lock-out

• Example 2:

– 3 step checkout, skip step 2?

• Example 3:

– Spot the bug!

Page 23

Logic Layer - CSRF

• Somewhat well known aspects

– Meta tag helper

– On by default

– protect_from_forgery filter

• Not so well known…

– `match` routes bypass: a Rails 3 `match` route without `via:` answers GET as well, and GET requests are never CSRF-checked, so a state-changing action behind it needs no token

– Chain of execution is not halted: unless you use `protect_from_forgery with: :exception`, a failed check only resets (Rails 3) or nulls (Rails 4) the session and the action still runs
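An added example in plain Ruby, not Rails' own implementation: the shape of the protect_from_forgery check (Rails 4.2-style masked tokens, GET/HEAD exempt), which makes both "not so well known" points on this slide visible: a GET request passes without any token, and with the null_session/reset_session strategies the action body still executes after a failed check. Token length, the session keys and run_action's return string are assumptions made for the example.

```ruby
require 'securerandom'
require 'base64'

TOKEN_BYTES = 32

def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
end

# Constant-time compare, same shape as Rack::Utils.secure_compare.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Masked token: one-time pad || (pad XOR session token), so every form
# carries a different value (BREACH mitigation) while the session keeps
# a single real token.
def masked_token(real_token)
  pad = SecureRandom.random_bytes(TOKEN_BYTES)
  Base64.strict_encode64(pad + xor_bytes(pad, real_token))
end

def unmask_token(masked)
  raw = Base64.strict_decode64(masked.to_s)
  return nil unless raw.bytesize == 2 * TOKEN_BYTES
  xor_bytes(raw[0, TOKEN_BYTES], raw[TOKEN_BYTES, TOKEN_BYTES])
rescue ArgumentError
  nil # not valid base64
end

# What protect_from_forgery checks: nothing at all for GET/HEAD, a masked
# token match for everything else. A Rails 3 route like
#   match 'account/delete' => 'accounts#destroy'
# with no via: answers GET, so the destroy action runs without any check.
def verified_request?(method, session_token, param_token)
  return true if %w[GET HEAD].include?(method.to_s.upcase)
  unmasked = unmask_token(param_token)
  !unmasked.nil? && !session_token.nil? && secure_compare(unmasked, session_token)
end

class InvalidAuthenticityToken < StandardError; end

# The "chain is not halted" point: with :null_session (Rails 4 default) or
# :reset_session (Rails 3 default) a failed check empties the session and
# the action still runs; only :exception stops it.
def run_action(method, session, params, strategy: :null_session)
  unless verified_request?(method, session[:csrf_token], params['authenticity_token'])
    raise InvalidAuthenticityToken if strategy == :exception
    session = {} # the action below proceeds with an empty session
  end
  "#{method.to_s.upcase} handled for user #{session[:user_id].inspect}"
end
```

An action that does not depend on the session (sign-up, contact form, anything keyed off params alone) therefore still does its work for a forged request under the default strategy; use `with: :exception` and give every state-changing route an explicit `via:`.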

Page 24

Logic Layer – Session Handling

• Logout

– reset_session

– Clear session values

• Login

– reset_session

• before_filter(s)

– Take a whitelist approach

• Base access decisions off the current_user
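An added example, not from the slides: an in-memory session store shows why login and logout both need reset_session (session fixation when the id is kept across login), and what a whitelist-style before_filter looks like. The store, the PUBLIC_ACTIONS list and the login helpers are constructed for the example.

```ruby
require 'securerandom'

# In-memory server-side session store (stand-in for the cookie or DB store).
class SessionStore
  def initialize
    @sessions = {}
  end

  # A visitor with no cookie gets a fresh id.
  def new_session
    sid = SecureRandom.hex(16)
    @sessions[sid] = {}
    sid
  end

  def data(sid)
    @sessions[sid] ||= {}
  end

  # reset_session: forget the old id and its data, issue a new one.
  def reset(sid)
    @sessions.delete(sid)
    new_session
  end
end

# Fixation-prone login: the id the client arrived with is kept. If an
# attacker planted that id in the victim's browser beforehand, the
# attacker's copy of the cookie now maps to the victim's account.
def login_without_reset(store, sid, user_id)
  store.data(sid)[:user_id] = user_id
  sid
end

# Rotate the id on every privilege change (login), empty it on logout.
def login_with_reset(store, sid, user_id)
  fresh = store.reset(sid)
  store.data(fresh)[:user_id] = user_id
  fresh
end

def logout(store, sid)
  store.reset(sid) # not just session[:user_id] = nil
end

def current_user(store, sid)
  store.data(sid)[:user_id]
end

# Whitelist approach for filters: everything requires a login unless the
# action is listed here (before_filter :require_login in ApplicationController,
# skip_before_filter only on these).
PUBLIC_ACTIONS = %w[login signup forgot_password].freeze

def allowed?(action, store, sid)
  PUBLIC_ACTIONS.include?(action) || !current_user(store, sid).nil?
end
```

Access decisions then hang off current_user (what the session says) and never off a user id carried in the request.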

Page 25

Logic Layer - Redirection

• redirect_to… you scoundrel

• Why does this matter?

• URI.parse()
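An added example, not from the slides: a URI.parse-based check for a redirect target taken from the request (the classic `redirect_to params[:return_to]`), covering absolute URLs, scheme-relative `//host`, the backslash and triple-slash variants browsers treat as scheme-relative, and `javascript:` URLs, with an optional host whitelist for legitimate absolute targets. The function name and the fallback are this example's choices.

```ruby
require 'uri'

# Returns a same-site path (or a whitelisted absolute URL) safe to hand to
# redirect_to, or the fallback for anything else.
def safe_redirect_target(param, fallback: '/', allowed_hosts: [])
  value = param.to_s
  return fallback if value.empty?
  # Browsers turn backslashes into slashes ("/\evil.com" == "//evil.com")
  # and treat two or more leading slashes as scheme-relative, even though
  # Ruby parses "///evil.com" as a plain path. Reject both up front.
  return fallback if value.include?('\\') || value.start_with?('//')
  uri = URI.parse(value)
  if uri.scheme || uri.host || uri.userinfo
    # Absolute URL: allowed only for http(s) to a whitelisted host with no
    # userinfo (so "https://app.example@evil.com" is rejected).
    return fallback unless %w[http https].include?(uri.scheme) &&
                           allowed_hosts.include?(uri.host) &&
                           uri.userinfo.nil?
    return uri.to_s
  end
  return fallback unless uri.path.start_with?('/')
  uri.query ? "#{uri.path}?#{uri.query}" : uri.path
rescue URI::InvalidURIError
  fallback # whitespace, control characters, anything URI refuses to parse
end
```

Why it matters: an open redirect on a trusted domain is the link a phishing mail carries, and it also turns "redirect back after login" into a credential-stealing step when the target is attacker-controlled.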

Page 26

Logic Layer – Authentication Tips

• Account Lock-Out

• Password Complexity

• Enumeration

• Password Hashing

• (heads-up) – Covering Devise auth in upcoming release of Railsgoat
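An added example, not from the slides or from Devise, serving this slide and the earlier "Error Messages & Enumeration" one: a login routine with a salted slow hash, a uniform error message, equal work for unknown accounts so timing does not reveal them, an account lock-out that does not itself confirm the account exists, and a forgot-password response that says the same thing either way. PBKDF2-HMAC-SHA256 from the stdlib stands in for bcrypt (what has_secure_password and Devise use); the iteration count, the lock-out threshold, the messages and the user table are assumptions made for the example.

```ruby
require 'openssl'
require 'securerandom'

ITERATIONS    = 100_000 # assumption for this example; tune to your hardware
MAX_ATTEMPTS  = 5
GENERIC_ERROR = 'Invalid email or password.'.freeze

def derive(password, salt)
  OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: ITERATIONS, length: 32, hash: 'sha256')
end

# Constant-time compare, same shape as Rack::Utils.secure_compare.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Constructed user table: email => { salt:, digest: }; one random salt each.
def build_users(credentials)
  credentials.each_with_object({}) do |(email, password), users|
    salt = SecureRandom.random_bytes(16)
    users[email] = { salt: salt, digest: derive(password, salt) }
  end
end

# Work done for unknown accounts, so "no such user" takes as long as
# "wrong password".
DUMMY_SALT   = SecureRandom.random_bytes(16)
DUMMY_DIGEST = derive(SecureRandom.hex(8), DUMMY_SALT)

class Accounts
  def initialize(users)
    @users = users
    @failures = Hash.new(0)
  end

  # Every failure path returns the same message and runs the same KDF:
  # unknown user, wrong password and locked account look identical to the
  # client, so the login form cannot be used to enumerate accounts.
  def login(email, password)
    user = @users[email]
    salt, digest = user ? [user[:salt], user[:digest]] : [DUMMY_SALT, DUMMY_DIGEST]
    password_ok = secure_compare(derive(password, salt), digest)
    return [false, GENERIC_ERROR] if user.nil? || @failures[email] >= MAX_ATTEMPTS
    if password_ok
      @failures[email] = 0
      [true, 'Welcome back.']
    else
      @failures[email] += 1
      [false, GENERIC_ERROR]
    end
  end

  # Forgot-password: identical response whether or not the address exists;
  # the e-mail, not the page, tells the real owner what happened.
  def request_reset(_email)
    'If that address is registered, a reset link has been sent.'
  end
end
```

The same uniform-response rule applies to sign-up ("that e-mail is taken" is an oracle) and profile updates; where the product insists on per-field feedback, rate-limit those endpoints (rack-attack, from the defensive tools slide) so the oracle is at least slow.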

Page 27

UNIT-TESTS & REGRESSION

Page 28

Unit-Tests / Regression Testing

• Railsgoat has examples

– RSpec

• Regression Testing

– Why

– How

Page 29

DEFENSIVE TOOLS

Page 30

Defensive Tools

• Brakeman (static analysis of Rails code for the bug classes covered today)

• Bundler-Audit (checks Gemfile.lock against known-vulnerable gem versions)

• Ensnare

• Rack-attack (Rack middleware for throttling and blocking requests)

Page 31

Q&A

Page 32

Free Subscription

• Send an email to [email protected]

• Subject line – ATLRUG Free Sub

– We will setup on Friday

Page 33

Contact

• Twitter: @cktricky, @jack_mannino, @mccabe615

• Email: [email protected], [email protected]

• Railsgoat: http://railsgoat.cktricky.com

Page 34

Thanks!

• A big “Thank you” is in order to Al Snow

Page 35

THANK YOU ATLRUG