4-hour ATLRUG Rails Security Workshop on 9/10/2014 by Ken Johnson
Rails Security
Introductions
• Jack Mannino – CEO @nVisium
– Lives in the JVM
– Beats up on mobile + wearables
– Scala, Swift, Java (Android)
• Ken Johnson – CTO @nVisium
– Former LivingSocialite
– Develop heavily in Rails
– Railsgoat Co-Author
Why are we all here?
• Us?
– MINASWAN
• You?
– Hopefully to have some fun
Before we begin
• Machine assignment & RDP
• Credentials
– Username: trainee
– Password: tr41n1ng
• Source code: ~/pentest/railsgoat
• Text Editor: type subl
• Burp: ~/Desktop/burp/
Course Outline
• Model Layer
• Presentation Layer (View)
• Logic Layer (Controller)
• Unit-Tests
• Defensive Tools
Course Outline (Model)
• Model Layer
– Mass Assignment
– MetaProgramming
– Hashing / Encryption
– SQL Injection
Course Outline (Presentation)
• Cross-Site Scripting
• Browser Behavior
• Error Messages & Enumeration
Course Outline (Logic)
• Insecure Direct Object Reference
• Remote Code Execution
• Logic Flaws
• CSRF
• Session Handling
• Redirection
• Authentication Tips
Let’s get started
• First though, let’s walk through a few things you’ll need to know in this course:
– What is an intercepting proxy?
• FAQ (No, SSL is not a problem, let me explain why)
– Instructions on getting started
– Start Railsgoat
MODEL LAYER
Model Layer – Mass Assignment
• Mass-Assignment
– Not a huge issue in Rails 4… unless you instantiate models with data *outside* of the controller
– Rails 2 & 3 (don’t be ashamed, someone in this room is running 2.x) – Yes, very much a problem
– Audit for fun & profit
– Ready, set, hack!
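Added example (plain Ruby, not Railsgoat code) of the mass-assignment point above: a model that sets every attribute it is handed, fed once with raw request data and once through a permit step that stands in for Rails 4 strong parameters. `User`, `permit`, `PERMITTED_USER_ATTRS` and the request hash are all constructed for the example.

```ruby
# Added example (plain Ruby, not Railsgoat code): a User record whose
# "admin" flag must never be settable from request data.
class User
  attr_accessor :name, :email, :admin

  # Mass-assigns every key it is handed, like Model.new(params[:user])
  # in Rails 2/3 without attr_accessible, and like Rails 4 code that builds
  # a model from an unpermitted hash outside the controller.
  def initialize(attrs = {})
    @admin = false
    attrs.each { |key, value| public_send("#{key}=", value) }
  end
end

# Stand-in for ActionController::Parameters#permit: keep only the
# attributes the form is allowed to set and drop everything else.
PERMITTED_USER_ATTRS = %w[name email].freeze

def permit(params, allowed = PERMITTED_USER_ATTRS)
  params.each_with_object({}) do |(key, value), out|
    out[key.to_s] = value if allowed.include?(key.to_s)
  end
end

# Constructed request body: a client that added an "admin" field the
# sign-up form never offered.
SIGNUP_PARAMS = {
  "name"  => "alice",
  "email" => "alice@example.test",
  "admin" => true
}.freeze

# The pattern the slide warns about: raw params straight into the model.
def build_user_unsafe(params)
  User.new(params)
end

# The fix: filter first, then instantiate.
def build_user_safe(params)
  User.new(permit(params))
end
```

The audit question for Rails 4 code is simply: find every `Model.new(...)`, `create(...)`, `update(...)` or `attributes=` call and confirm the hash reaching it has passed through `permit`, whether it came from the controller or from a job, a mailer or a service object.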
Model Layer - MetaProgramming
• Code that writes code, sweet!
• Code that writes code based off user input, dangerous!
• Examples:
– Constantize
– Send
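Added example (plain Ruby, not Railsgoat code) for the constantize/send bullets: the user-supplied string is only ever used as a key into a fixed table of classes or method names, so the raw input never reaches `constantize`, `const_get` or `send`. The exporter classes, `Report`, `EXPORTERS` and `REPORT_OPS` are constructed for the example.

```ruby
# Added example (plain Ruby, not Railsgoat code): resolving a class or
# method from user input through an allow-list instead of constantize/send.
class CsvExporter
  def run; "rendered csv"; end
end

class PdfExporter
  def run; "rendered pdf"; end
end

class AdminConsole            # exists in the app, must not be reachable here
  def run; "admin console opened"; end
end

# String -> class mapping. Object.const_get / String#constantize on the raw
# parameter would resolve *any* class name, including AdminConsole.
EXPORTERS = { "csv" => CsvExporter, "pdf" => PdfExporter }.freeze

# Likewise public_send(params[:op]) would call any public method; only
# these two are meant to be triggered by a request.
REPORT_OPS = { "summary" => :summary, "detail" => :detail }.freeze

class Report
  def summary; "summary"; end
  def detail;  "detail";  end
  def destroy; "report deleted"; end   # public, but not a web-facing operation
end

def export(format_param)
  klass = EXPORTERS.fetch(format_param.to_s) do
    raise ArgumentError, "unsupported export format"
  end
  klass.new.run
end

def run_report_op(op_param)
  method_name = REPORT_OPS.fetch(op_param.to_s) do
    raise ArgumentError, "unsupported report operation"
  end
  Report.new.public_send(method_name)
end
```

Anything not in the table fails closed with `ArgumentError`, which is what you want to see in the log rather than a `NameError` or, worse, a successful call.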
Model Layer – Hashing/Encryption
• Hashing vs. Encryption
• Strong hashing algorithms
• Strong encryption algorithms
• Rack::Utils.secure_compare vs. "=="
• Be careful how you re-use
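Added example (plain Ruby, not Railsgoat or Rack code) for the `secure_compare` vs `"=="` bullet. Both comparison functions are instrumented to return how many bytes they examined, which makes the timing difference visible without a stopwatch: the early-exit comparison stops at the first mismatch, the constant-time one always walks the whole string. The token and the `flip_char` helper are constructed for the example.

```ruby
require "digest"

# Added example (plain Ruby, not Railsgoat code). Both functions return
# [equal?, bytes_examined] so the difference in work done is visible.

# Early-exit comparison: the way a plain "==" (memcmp) stops at the first
# mismatching byte, so the time taken reveals how many leading bytes matched.
def early_exit_compare(a, b)
  return [false, 0] unless a.bytesize == b.bytesize
  a.each_byte.with_index do |byte, i|
    return [false, i + 1] if byte != b.getbyte(i)
  end
  [true, a.bytesize]
end

# Constant-time comparison in the style of Rack::Utils.secure_compare:
# length check first, then OR together the XOR of every byte pair, so the
# loop always runs to the end whatever the inputs are.
def constant_time_compare(a, b)
  return [false, 0] unless a.bytesize == b.bytesize
  diff = 0
  examined = 0
  a.each_byte.with_index do |byte, i|
    diff |= byte ^ b.getbyte(i)
    examined += 1
  end
  [diff.zero?, examined]
end

# Constructed token: a hex digest such as an HMAC in a password-reset link.
EXPECTED_TOKEN = Digest::SHA256.hexdigest("constructed-secret-value")  # 64 hex chars

# Helper to build near-miss inputs that differ in exactly one position.
def flip_char(str, index)
  copy = str.dup
  copy[index] = (copy[index] == "0" ? "1" : "0")
  copy
end

WRONG_AT_START = flip_char(EXPECTED_TOKEN, 0)
WRONG_AT_END   = flip_char(EXPECTED_TOKEN, -1)
```

Use the constant-time form wherever a secret is compared with a value the client supplied: API keys, reset tokens, HMAC signatures on cookies or webhooks. Password checks belong behind a proper password hash (bcrypt) whose verify method already does this.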
Model Layer – SQL Injection
• ActiveRecord - Safe… well, sort of
• http://rails-sqli.org/
• “SQLMap Hacker Fun Time”
PRESENTATION LAYER
Presentation Layer – XSS
• XSS = Cross-Site Scripting (aka – html injection)
• DOM
• html_safe
• JSON 3.2x
• Ready, set, hack
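Added example (plain Ruby, not Railsgoat code) for the `html_safe` and JSON bullets: user content escaped for an HTML text context with the standard library's `CGI.escapeHTML`, the same content emitted the way `html_safe`/`raw` would, and a JSON value escaped for embedding inside a `<script>` block. `render_comment`, `render_comment_html_safe` and `json_for_script` are constructed names.

```ruby
require "cgi"
require "json"

# Added example (plain Ruby, not Railsgoat code): escaping user content for
# the two contexts a Rails view most often puts it in. ERB does the first
# automatically unless the string is marked html_safe; calling html_safe
# (or raw) on user data is exactly what turns that protection off.

# Text/attribute context: the significant HTML characters become entities.
def render_comment(body)
  "<p class=\"comment\">#{CGI.escapeHTML(body)}</p>"
end

# What marking user input html_safe amounts to: no escaping at all.
def render_comment_html_safe(body)
  "<p class=\"comment\">#{body}</p>"
end

# Script context: data embedded in a <script> block must not be able to
# close the tag, so "<", ">" and "&" are emitted as \uXXXX escapes, which
# JSON parsers decode back to the original characters.
SCRIPT_ESCAPES = { "<" => '\u003c', ">" => '\u003e', "&" => '\u0026' }.freeze

def json_for_script(value)
  JSON.generate(value).gsub(/[<>&]/, SCRIPT_ESCAPES)
end

# Constructed input: a comment containing markup.
COMMENT = '5 < 6 && "quotes" <b>bold</b>'
```

The review rule that follows from this: every `html_safe`, `raw` and `<%==` in the views needs a justification that the string came from the application, not from a user or a database column a user can write to.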
Presentation Layer – Browser Behavior
• Cookies
– Flags
– Client-side vs. Server-side
• Caching
– Browser Caching Headers
• Headers
– CSP
– secure_headers
Presentation Layer – Error Messages
• Enumeration
• Common places
– Forgot Password Features
– Sign Up
– Profile Updates
– Login
LOGIC LAYER
Logic Layer – Insecure DOR
• Do not trust users
• Prevention
• Ready, Set, Hack
Logic Layer - RCE
• Remote Code Execution
– YAML
– Marshal
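Added example (plain Ruby, not Railsgoat code) for the YAML bullet: client-supplied YAML goes through `YAML.safe_load`, which builds only plain data and raises on any Ruby object tag, instead of `YAML.load` on older Psych (or `Marshal.load` anywhere), which instantiates whatever classes the document names. The profile documents and the `import_profile` wrapper are constructed for the example.

```ruby
require "yaml"

# Added example (plain Ruby, not Railsgoat code): loading YAML that came
# from a client. YAML.load on Psych < 4 and Marshal.load instantiate the
# Ruby classes the document names; safe_load only builds plain data.

# Constructed, benign document: the shape an import feature expects.
PROFILE_YAML = <<~YAML
  name: alice
  theme: dark
  limits:
    items: 25
YAML

# Constructed document carrying a Ruby object tag that safe_load must refuse.
TAGGED_YAML = "--- !ruby/object:SomeAppClass\nname: alice\n"

# No classes and no aliases permitted: strings, numbers, arrays, hashes only.
def load_profile(text)
  YAML.safe_load(text, permitted_classes: [], aliases: false)
end

# Returns [:ok, data] or [:rejected, error class name] for anything
# safe_load disallows (object tags, aliases, malformed input).
def import_profile(text)
  [:ok, load_profile(text)]
rescue Psych::Exception => e
  [:rejected, e.class.name]
end
```

The same rule applies to Marshal: never `Marshal.load` bytes from a cookie, parameter or queue message; serialise with JSON instead, and sign the cookie so it cannot be replaced.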
Logic Layer – Logic Flaws
• Example 1:
– Bidding site and account lock-out
• Example 2:
– 3 step checkout, skip step 2?
• Example 3:
– Spot the bug!
Logic Layer - CSRF
• Somewhat well known aspects
– Meta tag helper
– On by default
– protect_from_forgery filter
• Not so well known…
– `match` routes bypass
– Chain of execution is not halted
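Added example (plain Ruby, not Railsgoat code) that models the two "not so well known" points: a toy router where a `match` route with no `:via` answers to any verb, and a dispatcher whose forgery check, like `protect_from_forgery`, only runs for non-GET requests and, in the Rails 3 default behaviour, resets the session but lets the action continue. `MiniRouter`, `dispatch`, `ACTIONS` and the session hash are stand-ins constructed for the example.

```ruby
# Added example (plain Ruby, not Railsgoat code): a toy router and dispatcher
# reproducing the two lesser-known CSRF points from the slide.
Route = Struct.new(:path, :verbs, :action)

class MiniRouter
  def initialize; @routes = []; end

  # Rails 3 `match "/path" => "c#a"` with no :via answers to every verb.
  def match(path, action, via: %i[get post put delete])
    @routes << Route.new(path, Array(via), action)
  end

  def post(path, action)
    match(path, action, via: [:post])
  end

  def recognize(verb, path)
    @routes.find { |r| r.path == path && r.verbs.include?(verb) }
  end
end

# State-changing action; returns a description of what it did.
ACTIONS = {
  transfer: ->(session) { "transferred funds for #{session[:user] || 'nobody'}" }
}.freeze

# protect_from_forgery verifies only non-GET requests. With halt: false the
# failed check behaves like the Rails 3 default handle_unverified_request
# (reset the session and carry on); with halt: true it raises instead.
def dispatch(router, session, verb, path, token:, halt:)
  route = router.recognize(verb, path) or return [:not_found, nil]
  if verb != :get && token != session[:csrf_token]
    raise "invalid authenticity token" if halt
    session.clear                        # "chain of execution is not halted"
  end
  [:executed, ACTIONS.fetch(route.action).call(session)]
end

def new_session
  { user: "alice", csrf_token: "constructed-token" }
end

LOOSE_ROUTER  = MiniRouter.new.tap { |r| r.match("/transfer", :transfer) }  # match, any verb
STRICT_ROUTER = MiniRouter.new.tap { |r| r.post("/transfer", :transfer) }   # via: :post only
```

Two checks fall out of this for a real app: `rake routes` should show no state-changing action reachable by GET, and `handle_unverified_request` should raise (Rails 4 default) or every action must cope with a cleared session mid-request.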
Logic Layer – Session Handling
• Logout
– reset_session
– Clear session values
• Login
– reset_session
• before_filter(s)
– Take a whitelist approach
• Base access decisions off the current_user
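Added example (plain Ruby, not Railsgoat code) covering the session-handling bullets here and the prevention point from the Insecure DOR slide: a session object whose `reset!` plays the role of `reset_session` on login and logout, and a record lookup that starts from the current user rather than from the id in the URL. `Session`, `login`, `logout`, the `DOCUMENTS` table and the two finder functions are constructed for the example.

```ruby
require "securerandom"

# Added example (plain Ruby, not Railsgoat code): reset_session on login and
# logout, and scoping lookups to the current user.
class Session
  attr_reader :id, :data
  def initialize; reset!; end

  # reset_session: new id, empty data. Called on login so a session id handed
  # out before authentication never becomes an authenticated one, and on
  # logout so nothing belonging to the user survives.
  def reset!
    @id = SecureRandom.hex(16)
    @data = {}
  end
end

def login(session, user_id, reset: true)
  session.reset! if reset        # reset: false is the pattern the slide warns against
  session.data[:user_id] = user_id
  session
end

def logout(session)
  session.reset!
  session
end

# Constructed records: two users, each owning one document.
DOCUMENTS = [
  { id: 1, owner_id: 10, title: "alice's notes" },
  { id: 2, owner_id: 20, title: "bob's notes" }
].freeze

# Insecure direct object reference: trusts the id from the URL alone.
def find_document_unscoped(doc_id)
  DOCUMENTS.find { |d| d[:id] == doc_id }
end

# Prevention: the lookup starts from the current user, so another user's
# document id simply does not resolve.
def find_document_for(current_user_id, doc_id)
  DOCUMENTS.find { |d| d[:owner_id] == current_user_id && d[:id] == doc_id }
end
```

In Rails terms the second finder is `current_user.documents.find(params[:id])` rather than `Document.find(params[:id])`; the `RecordNotFound` it raises for someone else's id is the correct outcome.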
Logic Layer - Redirection
• redirect_to …. You scoundrel
• Why does this matter?
• URI.parse()
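Added example (plain Ruby, not Railsgoat code) for the `redirect_to` and `URI.parse()` bullets: a "return to" parameter is parsed with the standard library's `URI` and only a same-site path survives; everything else falls back to a fixed location. `safe_return_path` and `FALLBACK_PATH` are constructed names.

```ruby
require "uri"

# Added example (plain Ruby, not Railsgoat code): validating a "return to"
# parameter before handing it to redirect_to.
FALLBACK_PATH = "/"

# Returns a path on this site, or the fallback. Parsing with URI and then
# checking scheme, host and userinfo catches the forms a string prefix check
# misses: absolute URLs, scheme-relative "//host" URLs, and userinfo tricks.
def safe_return_path(param)
  return FALLBACK_PATH if param.nil? || param.empty?
  uri = URI.parse(param)
  return FALLBACK_PATH unless uri.scheme.nil? && uri.host.nil? && uri.userinfo.nil?
  path = uri.path.to_s
  return FALLBACK_PATH unless path.start_with?("/") && !path.start_with?("//")
  return FALLBACK_PATH if path.include?("\\")   # browsers treat "/\" like "//"
  uri.query ? "#{path}?#{uri.query}" : path
rescue URI::InvalidURIError
  FALLBACK_PATH
end
```

The reason this matters: a redirect to an attacker-chosen host turns your domain into a credible link in phishing mail, and on a login flow it can leak the session or token in the referrer. Rails 7 adds `allow_other_host: false` on `redirect_to` for the same purpose; the parse-and-check above is the portable version.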
Logic Layer – Authentication Tips
• Account Lock-Out
• Password Complexity
• Enumeration
• Password Hashing
• (heads-up) – Covering Devise auth in upcoming release of Railsgoat
UNIT-TESTS & REGRESSION
Unit-Tests / Regression Testing
• Railsgoat has examples
– RSpec
• Regression Testing
– Why
– How
DEFENSIVE TOOLS
Defensive Tools
• Brakeman
• Bundler-Audit
• Ensnare
• Rack-attack
Q&A
Free Subscription
• Send an email to [email protected]
• Subject line – ATLRUG Free Sub
– We will setup on Friday
Contact
• Twitter:
– @cktricky
– @jack_mannino
– @mccabe615
• Email: [email protected]
• Railsgoat: http://railsgoat.cktricky.com
Thanks!
• A big “Thank you” is in order to Al Snow
THANK YOU ATLRUG