Page 1
Rails Derailed
Presenter: Tim Goddard (pruby)
Page 2
whoami
Who is this guy?
Tim Goddard (a.k.a. pruby)
Pentester @ Insomnia Security
Ex Rails Dev
Focus on white box web application review
… in my own time, I dance West Coast Swing.
Page 3
Conventional Testing
We test most apps the same way, regardless of how they’re written:
Find the endpoints / entry points.
Capture samples of how to invoke these.
Manipulate network traffic, look for technical vulns (XSS, SQLi, etc.).
Page 4
Rails et al.
Opinionated Development Frameworks
One way to do things.
Many security benefits from the common method.
… but also add their own attack surface.
Page 5
Spectrum of Convention
The Manual, the Mainstream, and the Magical
(Diagram axes: Developer Understands / Consistent Implementation)
Page 6
The Mainstream
e.g. Authorization
Things like cancan and cancancan exist.
… but every app is different.
You still have to remember to specify and check rules.
Page 7
Business Logic
No framework can prevent business logic bugs.
Different for every application. For example, in an online store, can I apply a discount code twice?
Page 8
Magic can protect…
…
<div class="alert">
<%= @warning %>
</div>
…
Page 9
… but never perfectly
…
<script>
var message = <%= raw JSON.dump(@message) %>
</script>
…
Page 10
The Magical: Additional Attack Surface
Complicated Input Model
Automatic coercion of parameters to objects:
?foo=bar                 params["foo"] == "bar"
?foo[]=zig&foo[]=zag     params["foo"] == ["zig", "zag"]
?foo[zig]=1&foo[zag]=2   params["foo"] == {"zig" => "1", "zag" => "2"}
HTTP-Method-Override
Page 11
Type Confusion Attacks
Ruby is a Dynamically Typed Language.
Any variable could be of any supported type (e.g. string, number, array).
No automatic type checks, but methods often vary behaviour.
Page 12
Type Confusion Attacks
Example: phonebook with anti-scraping requirement
Entry.find(surname: params[:surname], city: params[:city])
Page 13
Type Confusion Attacks
… WHERE city IN ('Auckland', 'Wellington', 'Christchurch') AND surname IN ('SMITH', 'WRIGHT', 'CARTER')
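The two slides above (parameter coercion, and the phonebook lookup that turns into an IN list) are the same bug seen from both ends. The following is an added example, not code from the talk: it re-implements the bracket-syntax coercion in a few lines so it runs without the rack gem (the real thing is Rack::Utils.parse_nested_query), renders the WHERE clause with bind markers instead of using a database, and shows the check a phonebook endpoint needs. `parse_nested_query`, `require_scalar`, `where_clause` and `phonebook_lookup` are all constructed names for this example.

```ruby
require "cgi"

# Constructed, cut-down version of the query-string coercion Rack performs
# for Rails (the real one is Rack::Utils.parse_nested_query). It is here only
# so the example runs without the rack gem; it covers the three slide cases.
def parse_nested_query(query)
  params = {}
  query.split("&").each do |pair|
    next if pair.empty?
    raw_key, raw_value = pair.split("=", 2)
    key = CGI.unescape(raw_key)
    value = CGI.unescape(raw_value.to_s)
    name, *subkeys = key.scan(/\A[^\[]+|\[[^\]]*\]/).map { |part| part.delete("[]") }
    assign_nested(params, name, subkeys, value)
  end
  params
end

def assign_nested(container, name, subkeys, value)
  if subkeys.empty?
    container[name] = value                   # foo=bar     -> String
  elsif subkeys == [""]
    (container[name] ||= []) << value         # foo[]=bar   -> Array
  else
    child = (container[name] ||= {})          # foo[zig]=1  -> Hash
    assign_nested(child, subkeys.first, subkeys.drop(1), value)
  end
end

class ParameterTypeError < ArgumentError; end

# The phonebook endpoint expects one surname and one city. Anything that is
# not a plain String (an Array or Hash smuggled in through the bracket syntax)
# is rejected before it reaches the ORM, where an Array would silently turn
# `city = ?` into `city IN (?, ?, ...)` and defeat the anti-scraping rule.
def require_scalar(params, key)
  value = params[key]
  raise ParameterTypeError, "#{key} must be a single string" unless value.is_a?(String)
  raise ParameterTypeError, "#{key} must not be blank" if value.strip.empty?
  value
end

# Constructed stand-in for the where-clause ActiveRecord builds from a Hash of
# conditions: it returns the SQL with bind markers plus the bind values, so
# the effect of a value's type is visible without a database.
def where_clause(conditions)
  sql = []
  binds = []
  conditions.each do |column, value|
    if value.is_a?(Array)
      sql << "#{column} IN (#{(['?'] * value.size).join(', ')})"
      binds.concat(value)
    else
      sql << "#{column} = ?"
      binds << value
    end
  end
  [sql.join(" AND "), binds]
end

# Hardened lookup: both parameters are forced to scalars before the query.
def phonebook_lookup(query)
  params = parse_nested_query(query)
  where_clause(
    surname: require_scalar(params, "surname"),
    city: require_scalar(params, "city")
  )
end
```

In a real Rails controller the same effect comes from `params.permit(:surname, :city)`, which only permits scalar values under those keys; the hand-written check above makes the rejected case explicit so it can be logged and tested.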
Page 14
Imperfect Components
Common Components, Common Flaws
Devise, the common authentication framework, contains a well-known user enumeration flaw.
Paperclip, the common attachment framework, containing an SSRF flaw (to my embarrassment, never reported).
Page 15
Mass Assignment
@account.update_attributes(params["account"])
Page 16
Mass Assignment
account[name]=Tim%20Goddard&account[telephone]=0211234567
Page 17
Mass Assignment
account[balance]=1000000
Page 18
Mass Assignment
@account.update_attributes(balance: 1000000)
Page 19
Info Disclosure
/account/1/profile
Page 20
Info Disclosure
/account/1/profile.json
Page 21
Info Disclosure
{…, "password": "Winter17", …}
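The mass assignment slides and the info disclosure slides are mirror images: one is an unfiltered hash flowing into the model, the other an unfiltered model flowing out as JSON. The fix in both directions is an allowlist. The following is an added example, not code from the talk; the `Account` class is a constructed stand-in for the model on the slides, and `permit` imitates what Rails strong parameters (`params.require(:account).permit(:name, :telephone)`) do, so the example runs without Rails.

```ruby
require "json"

# Constructed stand-in for the Account model on the slides: a plain Ruby
# object with the same attribute names, no database behind it.
class Account
  ATTRIBUTES = %i[id name telephone balance password_digest].freeze
  attr_accessor(*ATTRIBUTES)

  def initialize(attrs = {})
    assign_attributes(attrs)
  end

  # What update_attributes(params["account"]) does: every key in the hash is
  # written to the model. This is only safe if the hash was filtered first.
  def assign_attributes(attrs)
    attrs.each do |key, value|
      raise ArgumentError, "unknown attribute #{key}" unless ATTRIBUTES.include?(key.to_sym)
      public_send("#{key}=", value)
    end
    self
  end

  # Output allowlist: the default .json rendering of a model dumps every
  # column, which is how a password ends up in /account/1/profile.json.
  # Name the fields that may leave the model instead (in Rails: override
  # as_json / serializable_hash, or use a serializer class).
  def public_json
    JSON.generate("id" => id, "name" => name, "telephone" => telephone)
  end
end

# Input allowlist in the shape of Rails strong parameters,
# params.require(:account).permit(:name, :telephone): keys not on the list
# are dropped, and only scalar values are accepted (permit(:name) likewise
# refuses an Array or Hash under that key). The rejected keys are returned so
# a log line can record what the client tried to set; Rails can do the same
# via config.action_controller.action_on_unpermitted_parameters.
def permit(params, scope, *allowed)
  scoped = params.fetch(scope.to_s)   # raises KeyError like params.require
  permitted = {}
  rejected = []
  scoped.each do |key, value|
    if allowed.include?(key.to_sym) && (value.is_a?(String) || value.is_a?(Numeric))
      permitted[key.to_sym] = value
    else
      rejected << key.to_s
    end
  end
  [permitted, rejected]
end

# The hardened controller action: filter, then mass-assign only the remainder.
def update_account(account, params)
  permitted, rejected = permit(params, :account, :name, :telephone)
  account.assign_attributes(permitted)
  rejected
end
```

With the slide's request body (`account[name]=...&account[telephone]=...&account[balance]=1000000`) the `balance` key is dropped and reported, and `public_json` never includes `password_digest` however many columns the model grows.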
Page 22
Race Conditions
Convention: all checks are done in Ruby (application code).
TOCTOU (time-of-check to time-of-use)
Page 23
Race Conditions
Person:
  validates :card_number, uniqueness: true
Company:
  has_many :people
  accepts_nested_attributes_for :people
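A uniqueness validation is a SELECT followed by an INSERT, with nothing stopping a second request from running the same SELECT in between; the nested-attributes form makes it worse because a whole collection is validated before any of it is inserted. The following is an added example, not code from the talk: `PeopleTable` is a constructed in-memory table with a lock standing in for a database unique index, so the race and its fix can be run without a database.

```ruby
# Constructed in-memory "people" table (an Array of rows plus a lock) so the
# example runs without a database. card_number is the column the slide's
# Person model declares unique.
class PeopleTable
  attr_reader :rows

  def initialize
    @rows = []
    @lock = Mutex.new
  end

  def exists?(card_number)
    @rows.any? { |row| row[:card_number] == card_number }
  end

  # validates :card_number, uniqueness: true as ActiveRecord runs it: a SELECT,
  # then, if nothing was found, an INSERT. Between those two steps another
  # request can run the same SELECT and also see nothing, so both insert. The
  # sleep widens the window the way a slow request would.
  def insert_with_validation_only(card_number)
    exists = exists?(card_number)
    sleep 0.05
    @rows << { card_number: card_number } unless exists
    !exists
  end

  # The nested-attributes shape from the slide: Company saves all of its
  # people in one go. This models the order autosave uses, validate the whole
  # collection first and only then insert, so two new people sharing a card
  # number both pass the uniqueness check without any concurrency at all.
  def bulk_insert_with_validation_only(card_numbers)
    valid = card_numbers.reject { |number| exists?(number) }
    valid.each { |number| @rows << { card_number: number } }
    valid.size
  end

  # What a database unique index gives you: check and insert are one atomic
  # step, so a second insert of the same card number fails however requests
  # interleave. In Rails that is `add_index :people, :card_number, unique: true`
  # in a migration, with ActiveRecord::RecordNotUnique rescued on save; the
  # Ruby-level validation stays only for the friendly error message.
  def insert_with_unique_index(card_number)
    @lock.synchronize do
      return false if exists?(card_number)
      sleep 0.05
      @rows << { card_number: card_number }
      true
    end
  end
end

# Fire several concurrent "requests" that all try to save the same card
# number and report how many rows the table holds for it afterwards.
def race(table, method, card_number, requests: 5)
  threads = Array.new(requests) { Thread.new { table.public_send(method, card_number) } }
  threads.each(&:join)
  table.rows.count { |row| row[:card_number] == card_number }
end
```

Run `race(PeopleTable.new, :insert_with_validation_only, "CARD-0001")` and every thread inserts; switch the method to `:insert_with_unique_index` and exactly one row survives. The lesson matches the slide: keep the validation for usability, but put the enforcing check in the database.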
Page 24
Rare but Severe
Surprising amount of rope…
Page 25
Rare but Severe
RCE via
YAML.load(params[:data])
Page 26
Rare but Severe
@record.send(params[:type])
Page 27
Rare but Severe
@record.send('delete')
Page 28
Rare but Severe
RCE via
render(inline: @page.content)
Page 29
Rare but Severe
RCE via
render(inline: '<% `rm -rf /` %>')
Page 30
Rare but Severe
RCE via
File.read(params[:filename])
Page 31
Rare but Severe
RCE via
File.read('|whoami')
Page 32
Rare but Severe
RCE via
eval(params[:data])
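Three of the sinks on the preceding slides have a safe counterpart; the other two (`render(inline:)` on stored content and `eval` on a parameter) have none and should simply not exist in request handling. The following is an added example, not code from the talk, showing the replacements for the first three: `YAML.safe_load` for `YAML.load`, an allowlist plus `public_send` for `send`, and a base-directory check for `File.read`. `Record`, `PAGES_DIR` and the function names are constructed for this example.

```ruby
require "yaml"

# 1. Deserialisation. YAML.load on request data can instantiate arbitrary
#    Ruby objects; safe_load builds only plain data types and raises on any
#    tagged class, which is all a data parameter should ever carry.
def load_data_param(text)
  YAML.safe_load(text)
rescue Psych::Exception, Psych::SyntaxError
  nil
end

# 2. Dynamic dispatch. @record.send(params[:type]) lets the caller name any
#    method, private ones included (the slide's 'delete'). Map the parameter
#    through an explicit allowlist and call public_send on the result, so the
#    request chooses between named views rather than between methods.
class Record
  VIEWS = { "title" => :title, "summary" => :summary }.freeze

  attr_reader :title, :deleted

  def initialize(title, body)
    @title = title
    @body = body
    @deleted = false
  end

  def summary
    @body[0, 20]
  end

  def delete
    @deleted = true
  end

  def render_view(type)
    method_name = VIEWS[type.to_s]
    return nil unless method_name
    public_send(method_name)
  end
end

# 3. File access. File.read(params[:filename]) accepts any path, and the slide
#    shows a leading '|' being treated as a command to run. Resolve the name
#    against one fixed directory and refuse anything that lands outside it;
#    once expanded, '|whoami' is just an ordinary (and missing) filename.
PAGES_DIR = "/srv/app/pages".freeze # constructed base directory

def safe_page_path(name, base = PAGES_DIR)
  base = File.expand_path(base)
  candidate = File.expand_path(name.to_s, base)
  return nil unless candidate.start_with?(base + File::SEPARATOR)
  candidate
rescue ArgumentError # e.g. "~nosuchuser", which expand_path rejects
  nil
end
```

`safe_page_path` returns `nil` for `../../etc/passwd`, for an absolute path, and for `~user` forms, and the caller treats `nil` as a 404; the returned path is the only thing ever handed to `File.read`.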
Page 33
Security over Support
Rails gets better via breaking changes…
Page 34
What can I do?
If you’re a developer, run these tools yourself:
Brakeman finds lots of flaws by static analysis; great hit rate.
Don't ignore the findings; treat every one as an opportunity to improve.
bundler-audit finds out-of-date libraries; good hygiene.
Beyond that, focus on authorisation and business rules.
If you’re a tester, try the following:
Insist on white-box code review.
config/routes.rb lists every endpoint in the app…
Hunt the manual and the magical.
Page 35
www.insomniasec.com
Auckland office: +64 (0)9 972 3432
Wellington office: +64 (0)4 974 6654
Insomnia Security Group Limited