Copyright © 2007 - The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 2.5 License. To view this license, visit http://creativecommons.org/licenses/by-sa/2.5/
The OWASP Foundation
OWASP & WASC AppSec 2007 Conference, San Jose – Nov 2007
http://www.owasp.org/  http://www.webappsec.org/
Start Rolling with Rails Security
Corey Benninger, Principal Consultant, Intrepidus
[email protected]
OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
Why Ruby on Rails
Don't Repeat Yourself (DRY)
Convention over Configuration
Model - View - Controller
Breaking It Down
Ruby – interpreted scripting language
Gems – the “apt-get” for Ruby packages
Rails – a framework written in Ruby for developing web applications
My First Web App
One rails call will create the basic directories and scripts to start a new application:
rails RailsBlog
How Would You Like that Cooked?
Try different file extensions for your data:
http://example.com/products.html
http://example.com/products.xml
http://example.com/products.rss
ActionController makes it easy to change the response:
respond_to do |format|
  format.html
  format.xml { render :xml => @posts.to_xml }
  format.rss { render :action => "feed.rxml" }
end
Heavy Lifting Made Easy
Not your standard GET parameters:
http://example.com/survey/list
http://example.com/survey/1/edit
http://example.com/users/2
Close relationship to database structures:
create table surveys (
  `id` INT NOT NULL AUTO_INCREMENT,
  `title` VARCHAR(100) NOT NULL,
  PRIMARY KEY (`id`)
);
Great Rails Hack of 1.1.4
Rails versions prior to 1.1.6 had a “routing bug”: remote attackers could call functions in Rails modules directly by URL.
GET http://localhost:3000/breakpoint_client  causes the application to wait
GET http://localhost:3000/db/schema  blanks out the database
Defense in Depth
Romancing the Gems
Gems are retrieved from http://gems.rubyforge.org
(gem install rails --include-dependencies)
Romancing the Gems
RubyGems version 0.8.11 and later supports adding cryptographic signatures to gems.
Romancing the Gems
Install the gems using the "HighSecurity" policy:
gem install SomeGem-0.2.0.gem -P HighSecurity
gem must be signed
signing cert must be valid
signing cert must be trusted
These Go To Eleven
Gems will typically keep older versions of packages
Make sure to update applications after updating gems
All Float On OK
When “Floating on Gems”, check the version number in config/environment.rb:
RAILS_GEM_VERSION = '1.2.5'
When “Bound to Gems” (files in vendor/rails), make sure to rake and freeze your gems:
rake rails:freeze:gems
No Soup For You
Default Rails setup leaves weak file permissions
File permissions by default: database config readable by all; log files readable and writable by all.
Run your web server with the least needed permissions:
sudo -u www ruby script/server
# Lock down key files
chown <owner>:<webserver> config/database.yml
chmod 640 config/database.yml
chown <owner>:<webserver> log/*.log
chmod 640 log/*.log
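A check you can run against those paths, as an added example that is not part of the slides: it reports anything group-writable or accessible to “other”, which is exactly what the chown to <owner>:<webserver> plus chmod 640 above rules out. The path list, the Tempfile-based demo and the function names are mine.

```ruby
# Added example, not from the slide: a small audit for the files the slide
# tells you to lock down. It flags anything group-writable or accessible to
# "other", which is what chown <owner>:<webserver> plus chmod 640 rules out.
# The demo at the bottom uses temp files in place of config/database.yml.
require 'tempfile'

GROUP_WRITE = 0o020  # g+w
OTHER_ANY   = 0o007  # any permission for "other"

# Problems for one file, as strings; an empty array means acceptable.
def perm_problems(path)
  return ["#{path}: does not exist"] unless File.exist?(path)
  mode = File.stat(path).mode & 0o777
  problems = []
  problems << format('%s: group-writable (mode %o)', path, mode) if (mode & GROUP_WRITE) != 0
  problems << format('%s: world-accessible (mode %o)', path, mode) if (mode & OTHER_ANY) != 0
  problems
end

# Audit a list of paths or globs, e.g. %w[config/database.yml log/*.log].
def audit(patterns)
  patterns.flat_map do |pattern|
    matches = Dir.glob(pattern)
    next ["#{pattern}: no such file"] if matches.empty?
    matches.flat_map { |path| perm_problems(path) }
  end
end

# Self-contained demo: one file at the loose default (0644) the slide warns
# about and one locked down (0640). Returns the findings for each.
def demo
  loose = Tempfile.new('database.yml')
  tight = Tempfile.new('database.yml')
  File.chmod(0o644, loose.path)
  File.chmod(0o640, tight.path)
  { loose: perm_problems(loose.path), tight: perm_problems(tight.path) }
ensure
  loose&.close!
  tight&.close!
end

if $PROGRAM_NAME == __FILE__
  demo.each { |label, findings| puts "#{label}: #{findings.empty? ? 'ok' : findings.join('; ')}" }
  # For a real application, run from RAILS_ROOT:  audit(%w[config/database.yml log/*.log])
end
```

The check is deliberately stricter than “not 777”: a 0644 database.yml fails it, because any local user on the host can read the database password.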
Tastes like Cookies
With the current defaults, Rails needs to write to “tmp/sessions” to store session information.
chown this directory to the user your Ruby process runs as. Do not chmod 777 this directory.
Disk access is also slow; try mem_cache_store or memory_store to keep session data in memory.
Tastes like Cookies
Rails does not expire sessions on the server side; session_expire is a client-side (cookie) setting.
To remove stale server-side session files, admins typically create a cron job.
Tastes like really bad idea Cookies
Default storage for sessions in Rails 2.0 will be client-side cookies!
Data is not encrypted (Base64 and URL encoding only)
A hash is checked on the server to detect tampering
No expiration built in
Brute-force attack to recover the signing secret is possible
_testapp_session=BAh7BiIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7AA%253D%253D--03978c53b571cb73bb2670b970e5860877f08cf7;
_(appname)_session=(URLEncode(Base64Encode(session_data)))--(hash)
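What those four bullets mean in practice, as an added example that is not from the slides and not the Rails code: a cookie built in the layout sketched above, read without any key, rejected when tampered with, and then forged once a weak secret has been guessed from a word list. The session contents, the secret and the word list are constructed; the digest is assumed to be HMAC-SHA1 over the Base64 text, keyed with the application secret, and the session data is assumed to be Marshal-serialized as the slide's Base64 sample suggests.

```ruby
# Added example, not from the slide: a cookie in the layout the slide sketches,
#   _(appname)_session=URLEncode(Base64(session_data))--hash
# built and picked apart in plain Ruby. The session contents, the secret and
# the word list are constructed; the digest is HMAC-SHA1 over the Base64 text,
# keyed with the application secret. Marshal is used for session_data, which
# is why the payload is readable by anyone holding the cookie.
require 'openssl'
require 'uri'

WEAK_SECRET = 'secret'   # deliberately guessable for the brute-force step

def sign(data, secret)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), secret, data)
end

# Server side: serialize, sign, URL-encode for Set-Cookie.
def build_cookie(session, secret)
  data = [Marshal.dump(session)].pack('m0')          # strict Base64, no newlines
  URI.encode_www_form_component("#{data}--#{sign(data, secret)}")
end

def split_cookie(cookie)
  URI.decode_www_form_component(cookie).split('--', 2)
end

# Attacker side: reading the session needs no key at all.
# (Marshal.load on untrusted bytes is unsafe in general; here the cookie is our own.)
def peek(cookie)
  data, _digest = split_cookie(cookie)
  Marshal.load(data.unpack1('m0'))
end

# Constant-time comparison so verification does not leak the digest byte by byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server side: check the digest before trusting the data; nil on tampering.
def load_cookie(cookie, secret)
  data, digest = split_cookie(cookie)
  return nil unless data && digest && secure_equal?(sign(data, secret), digest)
  Marshal.load(data.unpack1('m0'))
end

# Attacker side, step 1: change the payload without knowing the secret; rejected.
def tamper(cookie)
  data, digest = split_cookie(cookie)
  data[0] = (data[0] == 'A' ? 'B' : 'A')     # flip one Base64 character
  URI.encode_www_form_component("#{data}--#{digest}")
end

# Attacker side, step 2: the digest is a plain HMAC over text the attacker holds,
# so a weak :secret falls to a word list.
def brute_force_secret(cookie, candidates)
  data, digest = split_cookie(cookie)
  candidates.find { |c| sign(data, c) == digest }
end

# Attacker side, step 3: with the secret recovered, re-sign any session you like.
def forge(cookie, secret, changes)
  build_cookie(peek(cookie).merge(changes), secret)
end

if $PROGRAM_NAME == __FILE__
  cookie = build_cookie({ 'user_id' => 42, 'admin' => false }, WEAK_SECRET)
  puts "cookie:    #{cookie}"
  puts "peek:      #{peek(cookie).inspect}"
  puts "tampered:  #{load_cookie(tamper(cookie), WEAK_SECRET).inspect}"
  secret = brute_force_secret(cookie, %w[password letmein secret changeme])
  puts "secret:    #{secret.inspect}"
  puts "forged:    #{load_cookie(forge(cookie, secret, { 'admin' => true }), WEAK_SECRET).inspect}"
end
```

Two things follow for anyone deploying the cookie store: never put anything in the session you would not show the user, and make the secret long and random, because the cookie itself is an offline oracle for guessing it.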
Got a Session Fixation?
URL based sessions switched to off by default in Rails 1.2.4 (Oct 2007)
http://example.org/user/signup?_session_id=2a18e3557e0412139c0871c4581e29a1
Hello Cleveland
Rails Rocking Security Features
Protects against SQL Injection
Simple Validation and HTML Encoding Functions
Session Riding Protection (CSRF)
Light Buffer Overflow Support
Escaped for Your Pleasure
Most developers will use ActiveRecord. Standard queries will be parameterized and resist injection:
book = Book.find(params[:id])
settings = Setting.find(:all, :conditions => ["uid=?", user.id])
However, SQL injection may be possible if bind variables are not used and values are interpolated into the query:
books = Book.find(:all, :limit => "#{session[:pref].id}")
Escaped for Your Pleasure
Data may be automatically truncated to match the field length (MySQL in non-strict mode does this silently; other databases or modes raise an error instead).
Alternatively, it is easy to validate the length of user input:
validates_length_of :phone, :within => 5..16, :message => "Invalid Phone Number Length"
Validate Me
Rails comes with a number of input validations built in:
validates_length_of
validates_presence_of
validates_format_of
validates_uniqueness_of
Validate Me
validates_length_of :phone, :within => 5..16
validates_format_of :phone, :with => /^[+\/\-() 0-9]+$/, :message => "Invalid Phone Number"
validates_format_of :url, :with => /^(http|https):\/\/[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,5}(([0-9]{1,5})?\/.*)?$/ix
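One caveat a reviewer would raise about the patterns above, shown as an added example that is not from the slides: in Ruby, ^ and $ match at line boundaries, not string boundaries, so a value with an embedded newline can satisfy the phone pattern on its first line and carry a payload on the second. The inputs and function names are constructed; the fix is to anchor with \A and \z.

```ruby
# Added example, not from the slide: why the ^ and $ anchors in the
# validates_format_of patterns above are too weak. In Ruby regexes, ^ and $
# match at the start and end of any LINE, so a value carrying a newline can
# satisfy the pattern on its first line and smuggle a payload on the second.
# \A and \z anchor to the whole string. The inputs are constructed.

PHONE_LINE_ANCHORED   = /^[+\/\-() 0-9]+$/       # the slide's pattern
PHONE_STRING_ANCHORED = /\A[+\/\-() 0-9]+\z/     # hardened replacement

# The yes/no decision validates_format_of makes for one attribute value.
def format_ok?(value, pattern)
  !(value.to_s =~ pattern).nil?
end

INPUTS = {
  legit:            "+1 (555) 123-4567",
  payload:          "555-1234\n<script>alert(1)</script>",  # passes ^...$
  trailing_newline: "555-1234\n",                            # \z rejects; \Z would not
}.freeze

# Run every constructed input through one pattern; returns label => accepted?
def check_all(pattern)
  INPUTS.transform_values { |v| format_ok?(v, pattern) }
end

if $PROGRAM_NAME == __FILE__
  puts "^...$   : #{check_all(PHONE_LINE_ANCHORED).inspect}"
  puts "\\A...\\z : #{check_all(PHONE_STRING_ANCHORED).inspect}"
end
```

The same applies to the :url pattern: a value like "http://example.com\n<script>..." passes a ^...$ check and, if the field is later written out without h(), becomes an XSS sink that the validation appeared to cover.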
Money Back Guarantee
Riding the Session
“CSRFKiller” plugin is now on by default in edge Rails core
On for all non-GET requests (PUT/POST/DELETE)
Each session will have a unique “_token” value: a SHA1 hash of the “:secret” key and a random value
Earlier versions of Rails can install the plugin for CSRF protection
Hey Baby, Nice Buffer
Language / Environment   Compiled or Interpreted   Strongly Typed   Direct Memory Access   Safe or Unsafe
Java                     Both                      Yes              No                     Safe
.NET                     Both                      Yes              No                     Safe
Perl                     Both                      Yes              No                     Safe
Python                   Interpreted               Yes              No                     Safe
Ruby                     Interpreted               Yes              No                     Safe
C/C++                    Compiled                  No               Yes                    Unsafe
Assembly                 Compiled                  No               Yes                    Unsafe
COBOL                    Compiled                  Yes              No                     Safe
http://www.owasp.org/index.php/Buffer_Overflows
Hey Baby, Nice Buffer
A buffer overflow could exist in the interpreter itself (just as it could in a JVM)
Using “RubyInline”, a developer can embed C code within Ruby, and with it C's memory-safety problems:
require 'rubygems'
require_gem 'RubyInline'
require 'inline'

class << self
  inline do |builder|
    builder.c "
      int badcopy(char *input) {
        char buffer[10];
        strcpy(buffer, input);  /* no length check: input longer than 9 bytes overflows buffer */
        return 0;
      }
    "
  end
end
XSS: Not Just for Breakfast Any More
A number of Rails resources imply Cross-Site Scripting is only a concern if you use sessions
Ruby to the Rexsscue
Use the “h” html_escape method when writing user data back out
<% for comment in @post.comments %>
  <%=h comment.body %>
<% end %>
Ruby to the Rexsscue
Safe ERB: a plugin that ensures all strings written through rhtml templates are checked or escaped before being written out (Ruby's built-in “$SAFE” taint mode cannot be used properly with Rails).
(Although don't forget UTF-7 and other encoding issues; escaping only helps if the browser decodes the page in the charset you think it does.)
WEAK SAUCE ALERT!!!
Sanitize Module (ActionView::Helpers::TextHelper)
converts <form> and <script> tags into regular text
removes all "onxxx" attributes
removes href= and src= attributes that start with “javascript:”
Everything not on that black list passes through: other tags, other URL schemes, and a “javascript:” that is entity-encoded or preceded by whitespace.
sanitize('<script> do_nasty_stuff() </script>')
  => "&lt;script> do_nasty_stuff() &lt;/script>"
sanitize('<a href="javascript: sucker();">Click for $100</a>')
  => "<a>Click for $100</a>"
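The two defences from these slides side by side, as an added example that is not from the slides and not the Rails implementation: h() is ERB::Util.html_escape, the method behind <%=h %>; the two URL checks are mine, one mimicking the “starts with javascript:” rule described above and one the white-list approach Rails 2.0 moved to. The href values are constructed payloads.

```ruby
# Added example, not from the slide and not the Rails code: the two XSS
# defences on these slides side by side. h() is ERB::Util.html_escape, the
# method behind <%=h %>. The URL checks mimic the attribute rule the slide
# describes for sanitize (drop href/src that START with "javascript:") and
# the white-list rule Rails 2.0 moved to (allow only known-safe schemes).
# All payloads are constructed.
require 'erb'
require 'cgi'

# Output encoding: what <%=h comment.body %> does. Safe in element content
# and in quoted attributes because & < > " ' all become entities.
def h(text)
  ERB::Util.html_escape(text)
end

# Black list, as described on the slide: only a value that literally begins
# with "javascript:" is dropped.
def blacklist_allows_url?(url)
  (url.to_s =~ /\Ajavascript:/i).nil?
end

# White list: decode entities, drop whitespace and control characters the
# browser would ignore, then accept only a known-safe scheme (or no scheme).
SAFE_SCHEMES = %w[http https mailto].freeze

def whitelist_allows_url?(url)
  normalized = CGI.unescapeHTML(url.to_s).gsub(/[[:cntrl:][:space:]]/, '')
  scheme = normalized[/\A([a-z][a-z0-9+.\-]*):/i, 1]
  scheme.nil? || SAFE_SCHEMES.include?(scheme.downcase)
end

# Constructed href values: two benign, one the slide's own case, and four that
# a "starts with javascript:" rule lets through but a browser still executes.
URLS = [
  'https://example.com/',
  '/posts/1',
  'javascript:alert(1)',          # caught by both
  ' javascript:alert(1)',         # leading space
  "java\tscript:alert(1)",        # tab inside the scheme
  '&#106;avascript:alert(1)',     # entity-encoded "j"
  'vbscript:msgbox(1)',           # a different scripting scheme
].freeze

# url => [black-list verdict, white-list verdict]; true means "allowed"
def compare_urls(urls = URLS)
  urls.each_with_object({}) do |u, out|
    out[u] = [blacklist_allows_url?(u), whitelist_allows_url?(u)]
  end
end

if $PROGRAM_NAME == __FILE__
  puts h('<script>alert("x")</script>')
  compare_urls.each { |u, (bl, wl)| puts format('%-30p black-list:%-5s white-list:%s', u, bl, wl) }
end
```

The pattern generalizes: a black list has to enumerate every way the browser might reach “javascript:”, while the white list only has to name the few schemes you actually want to allow.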
One for my Pentesting Homies
Rails has a built-in check for XML HTTP Requests (AJAX): request.xhr? simply checks for the header “X-Requested-With: XMLHttpRequest”.
Any client can send that header, so it says nothing about who or what made the request; never use it as an authorization or CSRF check.
Would You Like Fries with That?
Bulk database assignments, like “create” and “new”, can add data for any column in a table.
Would You Like Fries with That?
Normal Public Add User Request:
POST /users HTTP/1.1
Host: example.com
Content-Length: 30

username=Foo&passwd=p4ssw0rrd!

Malicious Add Admin User Request:
POST /users HTTP/1.1
Host: example.com
Content-Length: 52

username=Foo&passwd=p4ssw0rrd!&is_admin=1&approved=1
Would You Like Fries with That?
Black list (protected columns are excluded from mass assignment):
attr_protected :approved, :is_admin
White list (only the listed columns may be mass assigned; safer, because a column added later is protected by default):
attr_accessible :username, :password
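The two requests replayed against each rule, as an added example that is not from the slides and uses no ActiveRecord: assign_all mimics what User.new(params) did with neither declaration in place, and the two helpers after it mimic attr_protected and attr_accessible. The User class, its columns and the request bodies are constructed; a “role” column is added to show what happens to a column nobody thought about when the protection was written.

```ruby
# Added example, not from the slide and with no ActiveRecord: the two requests
# above replayed against a plain Ruby model. assign_all mimics what
# User.new(params) did with no attr_protected/attr_accessible, and the two
# helpers after it mimic the black-list and white-list rules on this slide.
# The User class, its columns and the request bodies are constructed; a
# "role" column is added to show what each rule does with a column nobody
# thought about when the protection was written.
require 'uri'

class User
  COLUMNS = %w[username password is_admin approved role].freeze
  attr_accessor(*COLUMNS)

  def initialize
    @is_admin = false
    @approved = false
    @role     = 'member'
  end

  def to_h
    COLUMNS.each_with_object({}) { |c, h| h[c] = public_send(c) }
  end
end

# No protection: every parameter that names a column is written.
def assign_all(user, params)
  params.each { |k, v| user.public_send("#{k}=", v) if User::COLUMNS.include?(k) }
  user
end

# attr_protected :approved, :is_admin  -- everything else stays assignable
PROTECTED = %w[approved is_admin].freeze
def assign_blacklist(user, params)
  assign_all(user, params.reject { |k, _| PROTECTED.include?(k) })
end

# attr_accessible :username, :password  -- nothing else is assignable
ACCESSIBLE = %w[username password].freeze
def assign_whitelist(user, params)
  assign_all(user, params.select { |k, _| ACCESSIBLE.include?(k) })
end

# application/x-www-form-urlencoded body -> params hash, as Rails would build it.
def parse_body(body)
  URI.decode_www_form(body).to_h
end

NORMAL_BODY    = 'username=Foo&password=p4ssw0rrd!'
MALICIOUS_BODY = 'username=Foo&password=p4ssw0rrd!&is_admin=1&approved=1&role=admin'

# What the saved record would hold under each rule for one request body.
def outcomes(body)
  params = parse_body(body)
  {
    unprotected: assign_all(User.new, params).to_h,
    black_list:  assign_blacklist(User.new, params).to_h,
    white_list:  assign_whitelist(User.new, params).to_h,
  }
end

if $PROGRAM_NAME == __FILE__
  outcomes(MALICIOUS_BODY).each { |rule, attrs| puts "#{rule}: #{attrs.inspect}" }
end
```

Note what the black list misses: is_admin and approved are held back, but the extra role=admin parameter goes straight through because nobody added :role to attr_protected. The white list rejects it without anyone having to remember.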
Shoot the Messenger
A Rails process is single-threaded and handles only one request at a time.
Many sites put a reverse proxy in front of several Rails processes for performance.
Don't forget to check for HTTP response splitting (CRLF injection) wherever user input reaches a response header: filenames, cookies, redirects.
What’s Up 2.0
Rails 2.0: Release Candidate 1 (Nov 9th 2007)
Security default changes:
ActionController::RequestForgeryProtection: Session Riding (CSRF) protection on by default
TextHelper#sanitize defaults to a white list (was a black list)
HttpOnly cookies supported
Default sessions stored in client cookies
What’s Up 2.0
Rails rides with REST: POST/GET/PUT/DELETE map to Create/Read/Update/Delete
One URL, four HTTP methods
PUT /product/3 HTTP/1.1
Host: example.com
Content-Length: 19

name=Foo&price=9.99
Looking For More?
http://www.owasp.org/index.php/Image:Owasp-rails-security.pdf
http://www.rorsecurity.info
Foundstone's Hacme Casino: http://www.foundstone.com/us/resources/proddesc/hacmecasino.htm
http://weblog.rubyonrails.org
http://rfuzz.rubyforge.org (Ruby Fuzzer)
THANK YOU
[email protected]