Metasecurity: Beyond Patching Vulnerabilities

Chase Douglas Immun.io

Anatomy of a security attack

Vulnerability Attacker

How to defend against vulnerabilities?

PHP: Over 24 vulnerabilities reported

every year!

cvedetails.com

Rails: Over 7 vulnerabilities reported

every year!

How fast can you spin this wheel?

Vulnerabilities sold remain private for an average of 151 days

The Known Unknowns - Stefan Frei - NSS Labs https://www.nsslabs.com/reports/known-unknowns-0

How many vulnerabilities are lurking, unfound?

How to defend against attackers?

Web Application Firewalls

Web Application Firewalls

Field Trip! Castle Gaillard

False Positives

Anatomy of a security attack

Vulnerability Attacker

Exploitation

Metasecurity: Blocking Exploitations

Exploitations

• SQL Injection • Cross Site Scripting (XSS)

SQL Injection

SQL Injection

SQL Injection

SQL Injection

SQL Injection

SQL Injection

SQL Injection

SQL Injection

Cross Site Scripting (XSS)

But I didn’t click on anything!

+?

XSS

XSSIn someone else’s

browser!

+

String.html_safe

String.html_safe

Escaped!

String.html_safe

Not Escaped!

Rails RenderingStart with an empty SafeBuffer

Buffer:

Rails RenderingAppend template after calling html_safe on it

Buffer: <head> <title>

Rails RenderingAppend expression result

Buffer: <head> <title>&lt;script&gt;alert(1)&lt;/script&gt;

I tried to inject <script>alert(1)</script> here!

Rails RenderingAppend template after calling html_safe on it

Buffer: <head> <title>&lt;script&gt;alert(1)&lt;/script&gt;</title>

Rails RenderingAppend expression result

Buffer: <head> <title>&lt;script&gt;alert(1)&lt;/script&gt;</title> <script src=“/application.js”></script>

javascript_include_tag returned a SafeBuffer

Rails RenderingAppend template after calling html_safe on it

Buffer: <head> <title>&lt;script&gt;alert(1)&lt;/script&gt;</title> <script src=“/application.js”></script></head>

XSS

XSS

params => {id: 5}

XSSparams => {id: “<script>alert(1)</script>”}

<div class=“alert”> User id &lt;script&gt;alert(1)&lt;/script&gt; does not exist</div>

Rendered HTML:

XSS

XSS

XSS

XSS

params => {id: “<script>alert(1)</script>”}

<div class=“alert”> User id <script>alert(1)</script> does not exist</div>

Rendered HTML:

+

XSS

How to Fix?

How to Fix XSS

How to Fix SQL Injection• Check that args for all `Calculate` methods are actual table names

• Always use hashes or arrays when using `delete_all`/`destroy_all`/`where`

• Always use hashes when using `find_by`/`find_by!`

• Always convert user input to strings when passed to `exists?`

• Never pass user input to `group`/`joins`/`order`/`reorder`/`pluck`/`select`/`having`

• Don’t use `find` unless you are a security guru

• etc. etc.

“Once you’re done with that, can you audit all our

dependencies too?”

“Can you teach everyone else about security?”

“All changes will be reviewed by the security

team”

“It won’t be a bottleneck, we’ve got two security

engineers”

Metasecurity Defense

Metasecurity for XSS

Should there be script tags here?

Metasecurity for XSS

• Wrap `html_safe` method

• If called from a known good location, like a Rails helper, let the string through unimpeded

• Otherwise, escape any <script> tags first

Metasecurity for SQL Injection

Structure Eoknkno1

Structure Eoknkno1&1o1

Structure Eoknkno1;Tkn

How do we determine expected structures?

Every Query is Executed at the Top of a Call Stack

Match Call Stack to a Learned Structure

Eoknk

Verify Structure

EoknkOk!

Eoknkno1&1o1Bad!

Block and respond with 403

Expected Structure: Eoknk

Metasecurity

Vulnerability Attacker

Exploitation

Immunio is MetasecurityAutomatic protection against:

Cross Site Scripting

SQL Injection

Remote Command Execution

ShellShock

Open Redirects

Unauthorized File I/O

CSRF Tampering

Brute Force Authentication Attempts

HTTP Header Split

HTTP Method Tampering

Automated Scanners

And more…