Copyright © 2007 - The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 2.5 License. To view this license, visit http://creativecommons.org/licenses/by-sa/2.5/
The OWASP Foundation
OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
http://www.owasp.org/
http://www.webappsec.org/
Start Rolling with Rails Security
Corey Benninger
Principal Consultant, Intrepidus [email protected]
Why Ruby on Rails
Don't Repeat Yourself (DRY)
Convention over Configuration
Model - View - Controller
Breaking It Down
Ruby – interpreted scripting language
Gems – the “apt-get” for Ruby packages
Rails – a framework written in Ruby for developing web applications
My First Web App
One rails call will create the basic directories and scripts to start a new application:
rails RailsBlog
How Would You Like that Cooked?
Try different file extensions for your data:
http://example.com/products.html
http://example.com/products.xml
http://example.com/products.rss
ActionController makes it easy to change the response format:
respond_to do |format|
  format.html
  format.xml { render :xml => @posts.to_xml }
  format.rss { render :action => "feed.rxml" }
end
Heavy Lifting Made Easy
Not your standard GET parameters:
http://example.com/survey/list
http://example.com/survey/1/edit
http://example.com/users/2
Close relationship to database structures:
create table surveys (
  `id` INT NOT NULL AUTO_INCREMENT,
  `title` VARCHAR(100) NOT NULL,
  PRIMARY KEY (`id`)
);
Great Rails Hack of 1.1.4
Rails versions prior to 1.1.6 had a “routing bug”: remote attackers could call functions in Rails modules.
GET http://localhost:3000/breakpoint_client – causes the application to wait
GET http://localhost:3000/db/schema – blanks out the database
Defense in Depth
Romancing the Gems
Gems are retrieved from http://gems.rubyforge.org
(gem install rails --include-dependencies)
Romancing the Gems
RubyGems version 0.8.11 and later supports adding cryptographic signatures to gems.
Romancing the Gems
Install the gems using the "HighSecurity" policy:
gem install SomeGem-0.2.0.gem -P HighSecurity
The gem must be signed, the signing cert must be valid, and the signing cert must be trusted.
These Go To Eleven
Gems will typically keep older versions of packages.
Make sure to update applications after updating gems.
All Float On OK
When “Floating on Gems”, check the version number in config/environment.rb:
RAILS_GEM_VERSION = '1.2.5'
When “Bound to Gems” (files in vendor/rails), make sure to rake and freeze your gems:
rake rails:freeze:gems
No Soup For You
Default Rails setup leaves weak file permissions:
File permissions: DB config readable by all; log files readable and writable by all
Run your web server with the least needed permissions:
sudo -u www ruby script/server

# Lock down key files
chown <owner>:<webserver> config/database.yml
chmod 640 config/database.yml
chown <owner>:<webserver> log/*.log
chmod 640 log/*.log
Tastes like Cookies
With current defaults, Rails will need to write to “tmp/sessions” to store session information.
chown this directory to the user your Ruby process runs as. Do not chmod 777 this directory.
Plus, disk access is slow: try mem_cache_store or memory_store to keep session data in memory.
Tastes like Cookies
Rails does not expire sessions on the server side; session_expire is a client side setting.
To remove server side sessions, admins typically create a server side cron job.
Tastes like really bad idea Cookies
Default storage for sessions in Rails 2.0 will be to store them in client side cookies!
Data is not encrypted (Base64 and URL encoding)
Hash is checked on server to detect tampering
No expiration built in
Brute force attack to recover password is possible

_testapp_session=BAh7BiIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7AA%253D%253D--03978c53b571cb73bb2670b970e5860877f08cf7;
_(appname)_session=(URLEncode(Base64Encode(session_data)))--(hash)
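The cookie layout above, as an added example modelled on the Rails 2.0 CookieStore (not code from the slides; the secret and session contents are constructed): the cookie is readable by anyone who holds it, no secret needed, while the HMAC check rejects any cookie that was not produced with the server's secret.

```ruby
require 'base64'
require 'openssl'
require 'cgi'

# Layout modelled on the Rails 2.0 CookieStore shown on the slide:
#   URLEncode(Base64(Marshal.dump(session))) -- HMAC-SHA1(secret, data)
# SECRET is a constructed placeholder; a real secret is long, random and
# kept out of version control.
SECRET = 'constructed-example-secret-not-for-real-use'

def digest_for(data, secret)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), secret, data)
end

# Server side: serialise, sign, URL-encode.
def encode_session(session, secret = SECRET)
  data = Base64.strict_encode64(Marshal.dump(session))
  CGI.escape("#{data}--#{digest_for(data, secret)}")
end

# Anyone holding the cookie can read it: no secret is needed, which is why
# passwords and other secrets must never be placed in a cookie session.
def peek_session(cookie)
  data, _sig = CGI.unescape(cookie).split('--', 2)
  Marshal.load(Base64.decode64(data))
end

# Compare two digests without leaking where they first differ.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server side: verify the HMAC before unmarshalling anything. Returns nil
# (treat as an empty session) when the cookie was not signed with our secret.
def verify_session(cookie, secret = SECRET)
  data, sig = CGI.unescape(cookie).split('--', 2)
  return nil if data.nil? || sig.nil?
  return nil unless secure_equal?(sig, digest_for(data, secret))
  Marshal.load(Base64.decode64(data))
end
```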
Got a Session Fixation?
URL based sessions switched to off by default in Rails 1.2.4 (Oct 2007)
http://example.org/user/signup?_session_id=2a18e3557e0412139c0871c4581e29a1
Hello Cleveland
Rails Rocking Security Features:
Protects against SQL Injection
Simple Validation and HTML Encoding Functions
Session Riding Protection (CSRF)
Light Buffer Overflow Support
Escaped for Your Pleasure
Most developers will use ActiveRecord. Standard queries will be parameterized and resist injection:
book = Book.find(params[:id])
settings = Setting.find(:all, :conditions => ["uid=?", user.id])
However, SQL injection may be possible if bind variables are not used:
book = Book.find(:all, :limit => "#{session[:pref].id}")
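The two query styles side by side, as an added example that is not from the slides: a simplified stand-in for the adapter quoting behind ["uid=?", user.id], next to the interpolated :limit hardened by coercing the value to an integer before it reaches the SQL text. No database is involved; the functions return the SQL text each approach produces.

```ruby
# Quote one bind value the way a SQL adapter does: numbers verbatim, NULL for
# nil, strings in single quotes with embedded quotes doubled.
def quote_value(value)
  case value
  when Integer, Float then value.to_s
  when nil            then 'NULL'
  else "'#{value.to_s.gsub("'", "''")}'"
  end
end

# Stand-in for the bind-variable form on the slide, ["uid=?", user.id]:
# each ? is replaced by its quoted value, so data never becomes SQL syntax.
def sanitize_sql_array(sql, *binds)
  raise ArgumentError, 'bind count mismatch' unless sql.count('?') == binds.size
  i = -1
  sql.gsub('?') { quote_value(binds[i += 1]) }
end

# The slide's unsafe pattern: the session value is pasted into the SQL text.
def books_limit_interpolated(pref_id)
  "SELECT * FROM books LIMIT #{pref_id}"
end

# Hardened: LIMIT must be a whole number, so coerce before building the text.
# Integer() raises ArgumentError on anything that is not a plain integer.
def books_limit_coerced(pref_id)
  "SELECT * FROM books LIMIT #{Integer(pref_id)}"
end
```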
Escaped for Your Pleasure
Data will be automatically truncated to match the field length.
Alternatively, it is easy to validate the length of user input:
validates_length_of :phone, :within => 5..16, :message => "Invalid Phone Number Length"
Validate Me
Rails comes with a number of input validations built in:
validates_length_of
validates_presence_of
validates_format_of
validates_uniqueness_of
Validate Me
validates_length_of :phone, :within => 5..16
validates_format_of :phone, :with => /^[+\/\-() 0-9]+$/, :message => "Invalid Phone Number"
validates_format_of :url, :with => /^(http|https):\/\/[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,5}(([0-9]{1,5})?\/.*)?$/ix
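The slide's validates_format_of patterns checked outside Rails, as an added example (not from the slides) that goes one step beyond it: in Ruby, ^ and $ anchor to lines rather than to the whole string, so a value with an embedded newline passes the slide's pattern, while \A and \z anchor the whole value. The inputs are constructed.

```ruby
# The slide's patterns as written (^ and $), beside whole-string versions.
PHONE_LINE  = /^[+\/\-() 0-9]+$/
PHONE_WHOLE = /\A[+\/\-() 0-9]+\z/

URL_LINE  = /^(http|https):\/\/[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,5}(([0-9]{1,5})?\/.*)?$/ix
URL_WHOLE = /\A(http|https):\/\/[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,5}(([0-9]{1,5})?\/.*)?\z/ix

# Mirrors validates_format_of: the value is valid when the pattern matches.
def format_valid?(value, pattern)
  !(value =~ pattern).nil?
end

# Mirrors validates_length_of :phone, :within => 5..16 from the slide.
def phone_length_valid?(value)
  (5..16).cover?(value.length)
end

# The two slide validations on :phone combined, with whole-string anchors.
def phone_valid?(value)
  phone_length_valid?(value) && format_valid?(value, PHONE_WHOLE)
end

# Constructed inputs: the second line of each is what ^ and $ let through.
SNEAKY_URL   = "not-a-url\nhttp://example.com/"
SNEAKY_PHONE = "555-1234\n<b>"
```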
Money Back Guarantee
Riding the Session
“CSRFKiller” plugin is now on by default in edge Rails core
On for all “non-GET” requests (PUT/POST/DELETE)
Each session will have a unique “_token” value: a SHA1 hash with the “:secret” key and a random value
Earlier versions of Rails can install the plugin for CSRF protection
Hey Baby, Nice Buffer
| Language / Environment | Compiled or Interpreted | Strongly Typed | Direct Memory Access | Safe or Unsafe |
| --- | --- | --- | --- | --- |
| Java | Both | Yes | No | Safe |
| .NET | Both | Yes | No | Safe |
| Perl | Both | Yes | No | Safe |
| Python | Interpreted | Yes | No | Safe |
| Ruby | Interpreted | Yes | No | Safe |
| C/C++ | Compiled | No | Yes | Unsafe |
| Assembly | Compiled | No | Yes | Unsafe |
| COBOL | Compiled | Yes | No | Safe |

http://www.owasp.org/index.php/Buffer_Overflows
Hey Baby, Nice Buffer
A buffer overflow could exist in the interpreter (just like Java).
Using “RubyInline”, a developer can embed C code within Ruby:

require 'rubygems'
require 'inline'   # the RubyInline gem (the slide used require_gem 'RubyInline', which later RubyGems releases removed)

class << self
  inline do |builder|
    builder.c "
      int badcopy(char *input) {
        char buffer[10];
        strcpy(buffer, input);   /* no length check: the slide's deliberately unsafe copy */
        return 0;
      }
    "
  end
end
OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
XSS: Not Just for Breakfast Any More
A number of Rails resources imply Cross-Site Scripting is only a concern if you use sessions
Ruby to the Rexsscue
Use the “h” html_escape method when writing user data back out
<% for comment in @post.comments %>
  <%=h comment.body %>
<% end %>
Ruby to the Rexsscue
Safe ERB: a plugin that ensures all strings written through rhtml templates are checked or escaped before being written out. (Ruby's built-in “$SAFE” cannot be properly used with Rails.)
(Although don't forget UTF-7 and other encoding issues.)
WEAK SAUCE ALERT!!!
Sanitize Module (ActionView::Helpers::TextHelper)
converts <form> and <script> tags into regular text
removes all "onxxx" attributes
removes href= and src= attributes that start with “javascript:”

sanitize('<script> do_nasty_stuff() </script>')
=> <script> do_nasty_stuff() </script>
sanitize('<a href="javascript: sucker();">Click for $100</a>')
=> <a>Click for $100</a>
One for my Pentesting Homies
Rails has a built in check for XML HTTP Requests (AJAX): request.xhr? simply checks for the header “X-Requested-With=XMLHttpRequest”
Would You Like Fries with That?
Bulk database assignments, like “create” and “new”, can add data for any column in a table.
Would You Like Fries with That?
Normal Public Add User Request:
POST /users HTTP/1.1
Host: example.com
Content-Length: 31

username=Foo&passwd=p4ssw0rrd!

Malicious Add Admin User Request:
POST /users HTTP/1.1
Host: example.com
Content-Length: 52

username=Foo&passwd=p4ssw0rrd!&is_admin=1&approved=1
Would You Like Fries with That?
Black List Column Exclusion:
attr_protected :approved, :is_admin
White List Column Exclusion:
attr_accessible :username, :password
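attr_protected versus attr_accessible applied to the two POST bodies from the slide, as an added example that is not Rails code: ALL_COLUMNS and the later-added role column are constructed, to show why a black list goes stale when the schema grows while a white list does not.

```ruby
require 'cgi'

# Columns of the users table (constructed); 'role' stands for a column added
# after the black list below was written.
ALL_COLUMNS = %w[username passwd is_admin approved role]

# Parse an application/x-www-form-urlencoded body into { key => value }.
def parse_form(body)
  CGI.parse(body).transform_values(&:first)
end

# Unprotected mass assignment: every posted key that names a column is set.
def assign_unprotected(params)
  params.select { |key, _| ALL_COLUMNS.include?(key) }
end

# attr_protected :approved, :is_admin -- listed keys are dropped; any other
# column, including one added later, still flows through.
def assign_with_protected(params, protected_keys)
  assign_unprotected(params).reject { |key, _| protected_keys.include?(key) }
end

# attr_accessible :username, :passwd -- only listed keys flow through, so a
# new column stays closed until it is deliberately added to the list.
# (The slide writes :password; the request bodies use passwd.)
def assign_with_accessible(params, accessible_keys)
  assign_unprotected(params).select { |key, _| accessible_keys.include?(key) }
end
```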
Shoot the Messenger
Rails is single threaded. It can only handle one request at a time.
Many sites use a Reverse Proxy for performance.
Don't forget to check for Response Splitting! Filenames, Cookies, Redirects
What’s Up 2.0
Rails 2.0: Release Candidate 1 (Nov 9th 2007)
Security Default Changes:
ActionController::RequestForgeryProtection – Session Riding Protection on by Default
TextHelper#sanitize Defaults to a White-List (was a Black-List)
HTTP Only Cookies supported
Default Sessions stored in Client Cookies
What’s Up 2.0
Rails rides with REST: POST/GET/PUT/DELETE map to Create/Read/Update/Delete
One URL, Four HTTP Methods
PUT /product/3 HTTP/1.1
Host: example.com
Content-Length: 19

name=Foo&price=9.99
Looking For More?
http://www.owasp.org/index.php/Image:Owasp-rails-security.pdf
http://www.rorsecurity.info
Foundstone's Hacme Casino: http://www.foundstone.com/us/resources/proddesc/hacmecasino.htm
http://weblog.rubyonrails.org
http://rfuzz.rubyforge.org (Ruby Fuzzer)
THANK YOU
[email protected]