
Copyright © 2007 - The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 2.5 License. To view this license, visit http://creativecommons.org/licenses/by-sa/2.5/

The OWASP Foundation
OWASP & WASC AppSec 2007 Conference
San Jose – Nov 2007
http://www.owasp.org/
http://www.webappsec.org/

Start Rolling with Rails Security

Corey Benninger
Principal Consultant, Intrepidus Group
[email protected]


OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007

Why Ruby on Rails

Don't Repeat Yourself (DRY)

Convention over Configuration

Model – View – Controller


Breaking It Down

Ruby – interpreted scripting language
Gems – the “apt-get” for Ruby packages
Rails – a framework written in Ruby for developing web applications


My First Web App

One rails call will create the basic directories and scripts to start a new application:

  rails RailsBlog


How Would You Like that Cooked?

Try different file extensions for your data:

  http://example.com/products.html
  http://example.com/products.xml
  http://example.com/products.rss

ActionController makes it easy to change the response format:

  respond_to do |format|
    format.html
    format.xml { render :xml => @posts.to_xml }
    format.rss { render :action => "feed.rxml" }
  end


Heavy Lifting Made Easy

Not your standard GET parameters:

  http://example.com/survey/list
  http://example.com/survey/1/edit
  http://example.com/users/2

Close relationship to database structures

  create table surveys (
    `id` INT NOT NULL AUTO_INCREMENT,
    `title` VARCHAR(100) NOT NULL,
    PRIMARY KEY (`id`)
  );


Great Rails Hack of 1.1.4

Rails versions prior to 1.1.6 had a “routing bug”: remote attackers could call functions in Rails modules.

  GET http://localhost:3000/breakpoint_client   – causes the application to wait
  GET http://localhost:3000/db/schema           – blanks out the database


Defense in Depth


Romancing the Gems

Gems are retrieved from http://gems.rubyforge.org

(gem install rails --include-dependencies)


Romancing the Gems

RubyGems version 0.8.11 and later supports adding cryptographic signatures to gems.


Romancing the Gems

Install the gems using the "HighSecurity" policy:

  gem install SomeGem-0.2.0.gem -P HighSecurity

Under HighSecurity:
  the gem must be signed
  the signing cert must be valid
  the signing cert must be trusted


These Go To Eleven

Gems will typically keep older versions of packages. Make sure to update applications after updating gems.


All Float On OK

When “Floating on Gems”, check the version number in config/environment.rb:

  RAILS_GEM_VERSION = '1.2.5'

When “Bound to Gems” (files in vendor/rails), make sure to rake and freeze your gems:

  rake rails:freeze:gems


No Soup For You

The default Rails setup leaves weak file permissions:
  DB config is readable by all
  Log files are readable and writable by all

Run your web server with the least needed permissions:

  sudo -u www ruby script/server

Lock down the key files:

  # Lock down key files
  chown <owner>:<webserver> config/database.yml
  chmod 640 config/database.yml
  chown <owner>:<webserver> log/*.log
  chmod 640 log/*.log


Tastes like Cookies

With the current defaults, Rails needs to write to “tmp/sessions” to store session information.

chown this directory to the user your Ruby process runs as. Do not chmod 777 this directory.

Disk access is also slow: try mem_cache_store or memory_store to keep session data in memory.


Tastes like Cookies

Rails does not expire sessions on the server side; session_expire is a client side setting.

To remove server side sessions, admins typically create a server side cron job.


Tastes like really bad idea Cookies

The default storage for sessions in Rails 2.0 will be client side cookies!
  Data is not encrypted (Base64 and URL encoding)
  A hash is checked on the server to detect tampering
  No expiration built in
  A brute force attack to recover the password is possible

  _testapp_session=BAh7BiIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7AA%253D%253D--03978c53b571cb73bb2670b970e5860877f08cf7;

  _(appname)_session=(URLEncode(Base64Encode(session_data)))--(hash)
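An added example (not code from the slides or from Rails) of the cookie format described above, in miniature: the session hash is Marshal-dumped, Base64- and URL-encoded, and followed by "--" and a tamper-detection hash. The hash is modelled here as an HMAC-SHA1 over the encoded payload, as Rails 2.0's CookieStore did; SECRET and the session contents are constructed, and the slide's sample cookie (line-wrapped Base64, URL-encoded twice) is replaced by a single strict encoding.

```ruby
require 'base64'
require 'cgi'
require 'openssl'

# Constructed server-side secret (assumption: in Rails this comes from the
# application's session configuration).
SECRET = 'constructed-example-secret-do-not-reuse'.freeze

def generate_digest(encoded)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), SECRET, encoded)
end

# Server side: serialise the session hash and append the tamper-detection hash.
def marshal_session(data)
  encoded = Base64.strict_encode64(Marshal.dump(data))
  CGI.escape("#{encoded}--#{generate_digest(encoded)}")
end

# Compare digests byte by byte in constant time, so a mismatch does not leak
# how many leading characters were right.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server side: return the session hash, or nil when the hash does not match.
# Marshal.load only runs after the digest check has passed.
def unmarshal_session(cookie)
  encoded, digest = CGI.unescape(cookie).split('--', 2)
  return nil unless digest && secure_compare(generate_digest(encoded), digest)
  Marshal.load(Base64.strict_decode64(encoded))
end

# Anyone holding the cookie: the payload is encoded, not encrypted, so its
# contents are readable without knowing SECRET (the slide's first point).
def peek_session(cookie)
  encoded, = CGI.unescape(cookie).split('--', 2)
  Base64.strict_decode64(encoded)
end
```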


Got a Session Fixation?

URL based sessions switched to off by default in Rails 1.2.4 (Oct 2007)

http://example.org/user/signup?_session_id=2a18e3557e0412139c0871c4581e29a1


Hello Cleveland

Rails Rocking Security Features:
  Protects against SQL Injection
  Simple Validation and HTML Encoding Functions
  Session Riding Protection (CSRF)
  Light Buffer Overflow Support


Escaped for Your Pleasure

Most developers will use ActiveRecord. Standard queries will be parameterized and resist injection:

  book = Book.find(params[:id])
  settings = Setting.find(:all, :conditions => ["uid=?", user.id])

However, SQL injection may be possible if bind variables are not used:

  book = Book.find(:all, :limit => "#{session[:pref].id}")
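An added example (not code from the slides or from ActiveRecord) of why the conditions array resists injection: a miniature of how a conditions array such as ["uid=?", user.id] is turned into SQL, beside the string interpolation the slide warns about. quote_value is a simplified stand-in for the database adapter's quoting, and the inputs are constructed.

```ruby
# Quote one bind value the way a SQL adapter would: numbers pass through,
# nil becomes NULL, everything else becomes a single-quoted string with any
# embedded single quotes doubled.
def quote_value(value)
  case value
  when Integer, Float then value.to_s
  when nil then 'NULL'
  else "'#{value.to_s.gsub("'", "''")}'"
  end
end

# Replace each ? placeholder with its quoted bind value, left to right.
def sanitize_sql_array(conditions)
  statement, *values = conditions
  unless statement.count('?') == values.size
    raise ArgumentError, "wrong number of bind variables for #{statement}"
  end
  queue = values.dup
  statement.gsub('?') { quote_value(queue.shift) }
end

# Bound: whatever the value contains, it can only be compared as data.
def settings_query_bound(uid)
  'SELECT * FROM settings WHERE ' + sanitize_sql_array(['uid=?', uid])
end

# Interpolated: the value becomes part of the statement text itself.
def settings_query_interpolated(uid)
  "SELECT * FROM settings WHERE uid=#{uid}"
end

# Constructed inputs: a normal id and a hostile string in the same slot.
if __FILE__ == $0
  [42, '1 OR 1=1'].each do |uid|
    puts settings_query_bound(uid)
    puts settings_query_interpolated(uid)
  end
end
```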


Escaped for Your Pleasure

Data will be automatically truncated to match the field length.

Alternatively, it is easy to validate the length of user input:

  validates_length_of :phone, :within => 5..16, :message => "Invalid Phone Number Length"


Validate Me

Rails comes with a number of input validations built in:
  validates_length_of
  validates_presence_of
  validates_format_of
  validates_uniqueness_of


Validate Me

validates_length_of :phone, :within => 5..16

validates_format_of :phone, :with => /^[+\/\-() 0-9]+$/, :message => "Invalid Phone Number"

validates_format_of :url, :with => /^(http|https):\/\/[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,5}(([0-9]{1,5})?\/.*)?$/ix


Money Back Guarantee


Riding the Session

The “CSRFKiller” plugin is now on by default in edge Rails core.
  On for all “non-GET” requests (PUT/POST/DELETE)
  Each session will have a unique “_token” value: a SHA1 hash with the “:secret” key and a random value

Earlier versions of Rails can install the plugin for CSRF protection.


Hey Baby, Nice Buffer

Language / Environment   Compiled or Interpreted   Strongly Typed   Direct Memory Access   Safe or Unsafe
Java                     Both                      Yes              No                     Safe
.NET                     Both                      Yes              No                     Safe
Perl                     Both                      Yes              No                     Safe
Python                   Interpreted               Yes              No                     Safe
Ruby                     Interpreted               Yes              No                     Safe
C/C++                    Compiled                  No               Yes                    Unsafe
Assembly                 Compiled                  No               Yes                    Unsafe
COBOL                    Compiled                  Yes              No                     Safe


http://www.owasp.org/index.php/Buffer_Overflows


Hey Baby, Nice Buffer

A buffer overflow could exist in the interpreter (just like Java).

Using “RubyInline”, a developer can embed C code within Ruby:


  require 'rubygems'
  require 'inline'   # RubyInline

  class BadCopy
    inline do |builder|
      builder.include '<string.h>'
      # Deliberately unsafe, as on the slide: strcpy() writes past the
      # 10-byte stack buffer whenever the input is longer than that.
      builder.c "
        int badcopy(char *input) {
          char buffer[10];
          strcpy(buffer, input);
          return 0;
        }
      "
    end
  end


XSS: Not Just for Breakfast Any More

A number of Rails resources imply Cross-Site Scripting is only a concern if you use sessions


Ruby to the Rexsscue

Use the “h” html_escape method when writing user data back out


  <% for comment in @post.comments %>
    <%=h comment.body %>
  <% end %>


Ruby to the Rexsscue

Safe ERB: a plugin that ensures all strings written out through rhtml templates are checked or escaped before being written. (Ruby's built-in “$SAFE” cannot be properly used with Rails.)

(Although don't forget UTF-7 and other encoding issues.)


WEAK SAUCE ALERT!!!

Sanitize Module (ActionView::Helpers::TextHelper):
  converts <form> and <script> tags into regular text
  removes all "onxxx" attributes
  removes href= and src= attributes that start with “javascript:”

  sanitize('<script> do_nasty_stuff() </script>')
  => &lt;script> do_nasty_stuff() &lt;/script>
  sanitize('<a href="javascript: sucker();">Click for $100</a>')
  => <a>Click for $100</a>


One for my Pentesting Homies

Rails has a built-in check for XML HTTP Requests (AJAX): request.xhr? simply checks for the header “X-Requested-With=XMLHttpRequest”. Since any client can send that header, it tells you nothing about who made the request and must not be used as an authorization check.


Would You Like Fries with That?

Bulk database assignments, like “create” and “new”, can add data for any column in a table.


Would You Like Fries with That?

Normal Public Add User Request:

  POST /users HTTP/1.1
  Host: example.com
  Content-Length: 31

  username=Foo&passwd=p4ssw0rrd!

Malicious Add Admin User Request:

  POST /users HTTP/1.1
  Host: example.com
  Content-Length: 52

  username=Foo&passwd=p4ssw0rrd!&is_admin=1&approved=1


Would You Like Fries with That?

Black List Column Exclusion (the listed columns can never be mass-assigned):

  attr_protected :approved, :is_admin

White List Column Inclusion (only the listed columns can be mass-assigned):

  attr_accessible :username, :password
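An added example (not code from the slides or from ActiveRecord): a plain-Ruby model that applies attr_protected (black list) and attr_accessible (white list) to a params hash the way ActiveRecord's new/create mass assignment does, so the outcome of the malicious request above can be compared for an unprotected, a black-listed and a white-listed model without a database. The params hash is constructed from the slide's request body.

```ruby
class MassAssignable
  class << self
    attr_reader :accessible_attrs, :protected_attrs

    # White list: only these columns may be set from params.
    def attr_accessible(*names)
      @accessible_attrs = names.map(&:to_s)
    end

    # Black list: these columns may never be set from params.
    def attr_protected(*names)
      @protected_attrs = names.map(&:to_s)
    end
  end

  attr_reader :attributes

  def initialize(params = {})
    @attributes = filter_params(params)
  end

  # Drops every param the model forbids and returns what survives.
  def filter_params(params)
    allow = self.class.accessible_attrs
    deny  = self.class.protected_attrs
    params.each_with_object({}) do |(key, value), kept|
      name = key.to_s
      next if allow && !allow.include?(name)   # not on the white list
      next if deny && deny.include?(name)      # on the black list
      kept[name] = value
    end
  end
end

# No declaration at all: every column in the table is writable from params.
class UnprotectedUser < MassAssignable; end

class BlackListUser < MassAssignable
  attr_protected :approved, :is_admin
end

class WhiteListUser < MassAssignable
  attr_accessible :username, :password
end

# Constructed params, as parsed from the malicious POST body on the slide.
EVIL_PARAMS = { 'username' => 'Foo', 'password' => 'p4ssw0rrd!',
                'is_admin' => '1', 'approved' => '1' }.freeze
```

A column added to the table later (say a new privilege flag) slips past the black list until someone remembers to add it, but the white list rejects it by default.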


Shoot the Messenger

Rails is single threaded: it can only handle one request at a time.

Many sites use a reverse proxy for performance.

Don't forget to check for Response Splitting: filenames, cookies, redirects.


What’s Up 2.0

Rails 2.0: Release Candidate 1 (Nov 9th 2007)

Security default changes:
  ActionController::RequestForgeryProtection: Session Riding Protection on by default
  TextHelper#sanitize defaults to a white list (was a black list)
  HTTP Only cookies supported
  Default sessions stored in client cookies


What’s Up 2.0

Rails rides with REST:
  POST/GET/PUT/DELETE
  Create/Read/Update/Delete

One URL, four HTTP methods:

  PUT /product/3 HTTP/1.1
  Host: example.com
  Content-Length: 19

  name=Foo&price=9.99


Looking For More?

http://www.owasp.org/index.php/Image:Owasp-rails-security.pdf
http://www.rorsecurity.info
Foundstone’s Hacme Casino: http://www.foundstone.com/us/resources/proddesc/hacmecasino.htm
http://weblog.rubyonrails.org
http://rfuzz.rubyforge.org (Ruby Fuzzer)

THANK YOU
[email protected]