Copyright © 2007 - The OWASP Foundation

Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 2.5 License. To view this license, visit http://creativecommons.org/licenses/by-sa/2.5/

OWASP & WASC AppSec 2007 Conference - San Jose - Nov 2007

http://www.owasp.org/
http://www.webappsec.org/

Start Rolling with Rails Security

Corey Benninger
Principal Consultant, Intrepidus Group
Corey.Benninger@IntrepidusGroup.com


Why Ruby on Rails

- Don't Repeat Yourself (DRY)
- Convention over Configuration
- Model-View-Controller


Breaking It Down

- Ruby: interpreted scripting language
- Gems: the "apt-get" for Ruby packages
- Rails: a framework written in Ruby for developing web applications


My First Web App

One rails call will create the basic directories and scripts to start a new application:

    rails RailsBlog


How Would You Like that Cooked?

Try different file extensions for your data:

    http://example.com/products.html
    http://example.com/products.xml
    http://example.com/products.rss

ActionController makes it easy to change the response format:

    respond_to do |format|
      format.html
      format.xml { render :xml => @posts.to_xml }
      format.rss { render :action => "feed.rxml" }
    end


Heavy Lifting Made Easy

Not your standard GET parameters:

    http://example.com/survey/list
    http://example.com/survey/1/edit
    http://example.com/users/2

Close relationship to database structures:

    create table surveys (
      `id` INT NOT NULL AUTO_INCREMENT ,
      `title` VARCHAR( 100 ) NOT NULL ,
      PRIMARY KEY ( `id` )
    );


Great Rails Hack of 1.1.4

Rails versions prior to 1.1.6 had a "routing bug": the router would load and run Ruby files on the application's load path by name, so remote attackers could call into Rails' own modules with a single GET.

    GET http://localhost:3000/breakpoint_client

Causes the application to block waiting for a breakpoint client (denial of service).

    GET http://localhost:3000/db/schema

Loads db/schema.rb, which recreates the tables and blanks out the database.


Defense in Depth


Romancing the Gems

Gems are retrieved from http://gems.rubyforge.org

    gem install rails --include-dependencies

No SSL, so the download has no:

- confidentiality
- integrity
- authenticity

Romancing the Gems

RubyGems version 0.8.11 and later supports adding cryptographic signatures to gems.


Romancing the Gems

Install the gems using the "HighSecurity" policy:

    gem install SomeGem-0.2.0.gem -P HighSecurity

Under HighSecurity:

- the gem must be signed
- the signing cert must be valid
- the signing cert must be trusted, i.e. already added to your local trust list with gem cert --add, so the protection is only as good as how you obtained that certificate


These Go To Eleven

RubyGems keeps older versions of a package installed alongside the new one, so installing a fixed gem does not by itself remove the vulnerable version.

Make sure to update applications to the new version after updating gems.


All Float On OK

When "Floating on Gems", check the version number in config/environment.rb:

    RAILS_GEM_VERSION = '1.2.5'

When "Bound to Gems" (files in vendor/rails), make sure to rake and freeze your gems:

    rake rails:freeze:gems


No Soup For You

The default Rails setup leaves weak file permissions:

- DB config (config/database.yml) readable by all
- log files readable and writable by all

Run your web server with the least needed permissions:

    sudo -u www ruby script/server

Lock down the key files. The owner should be the account the Ruby process runs as (it has to write the logs); the web server group only needs read:

    # Lock down key files
    chown <owner>:<webserver> config/database.yml
    chmod 640 config/database.yml
    chown <owner>:<webserver> log/*.log
    chmod 640 log/*.log
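An added example, not from the slides or from Rails: a small Ruby audit of the two file classes named above, config/database.yml and log/*.log, that reports any file with permission bits set for "other" (the world-readable config and world-writable logs a default setup leaves) and applies the slide's chmod 640. The standard Rails layout under the app root is the only assumption.

```ruby
require 'tmpdir'      # lets a caller build a scratch app root to try this on
require 'fileutils'

# Any bit set in the "other" triplet means the world can read, write or execute.
OTHER_BITS = 0o007

def world_exposed?(path)
  (File.stat(path).mode & OTHER_BITS) != 0
end

# The files the slide calls out, relative to a Rails application root.
def sensitive_files(app_root)
  [File.join(app_root, 'config', 'database.yml')] +
    Dir.glob(File.join(app_root, 'log', '*.log'))
end

# Returns [path, "octal mode"] pairs for every sensitive file that is exposed.
def audit_rails_permissions(app_root)
  sensitive_files(app_root)
    .select { |p| File.file?(p) && world_exposed?(p) }
    .map    { |p| [p, format('%o', File.stat(p).mode & 0o777)] }
end

# Apply the slide's chmod 640 to each finding and return what is still exposed
# (expected: nothing). chown needs privileges and stays with the operator: the
# owner should be the account the Ruby process runs as, since it writes the logs,
# and the web server only needs group read.
def lock_down!(app_root)
  audit_rails_permissions(app_root).each { |path, _mode| File.chmod(0o640, path) }
  audit_rails_permissions(app_root)
end
```

Run audit_rails_permissions(Dir.pwd) from the application root; a non-empty result is the finding list, and lock_down! returning an empty list confirms the fix took.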


Tastes like Cookies

With the current defaults, Rails needs to write to tmp/sessions to store session information.

chown this directory to the user your Ruby process runs as. Do not chmod 777 this directory.

Plus, disk access is slow: try mem_cache_store or memory_store to keep session data in memory.


Tastes like Cookies

Rails does not expire sessions on the server side.

session_expire is a client-side setting: it only controls the cookie's expiry, and a saved cookie value keeps working against the session file left on the server.

To remove stale server-side sessions, admins typically create a server-side cron job that deletes old files from tmp/sessions.


Tastes like really bad idea Cookies

The default storage for sessions in Rails 2.0 will be to store them in client-side cookies!

- Data is not encrypted (Base64 and URL encoding only): anyone holding the cookie can read the session contents
- A hash (HMAC, SHA1 by default, keyed with the application secret) is checked on the server to detect tampering
- No expiration built in
- Offline brute force of the signing secret is possible, since the signed cookie hands the attacker a verification oracle; a recovered secret lets them forge any session

    _testapp_session=BAh7BiIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7AA%253D%253D--03978c53b571cb73bb2670b970e5860877f08cf7;

    _(appname)_session=(URLEncode(Base64Encode(session_data)))--(hash)
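An added example, not Rails' CookieStore code: a re-implementation of the envelope shown above, URLEncode(Base64(Marshal.dump(session)))--HMAC-SHA1(secret, payload), so its two properties can be checked offline: anyone can read the session without the secret, and a weak secret can be recovered by guessing against the cookie and then used to forge a session. The secret, session contents and candidate word list are constructed for the example.

```ruby
require 'base64'
require 'openssl'
require 'cgi'

APP_SECRET = 'changeme123'   # assumed weak application secret

def hmac_sha1(secret, payload)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), secret, payload)
end

# Server side: serialise, sign, URL-encode. Base64.encode64 inserts newlines,
# which is where the %0A in the slide's cookie comes from.
def build_session_cookie(session, secret)
  payload = Base64.encode64(Marshal.dump(session))
  CGI.escape("#{payload}--#{hmac_sha1(secret, payload)}")
end

# Base64 never contains '-', so splitting on the first '--' is unambiguous.
def split_cookie(raw)
  payload, digest = CGI.unescape(raw).split('--', 2)
  [payload.to_s, digest.to_s]
end

# Attacker side: the data is encoded, not encrypted, so no secret is needed to read it.
def peek_session(raw)
  payload, _digest = split_cookie(raw)
  Marshal.load(Base64.decode64(payload))
end

# Constant-time equality via double HMAC: comparing fresh MACs of both values
# leaks nothing about the digest through timing.
def digests_match?(a, b)
  k = OpenSSL::Random.random_bytes(32)
  hmac_sha1(k, a) == hmac_sha1(k, b)
end

# Server side: verify the MAC before unmarshalling anything from the client.
def load_session(raw, secret)
  payload, digest = split_cookie(raw)
  return nil unless digests_match?(hmac_sha1(secret, payload), digest)
  Marshal.load(Base64.decode64(payload))
end

# Offline attack: each guess is checked against the cookie, with no server involved.
def brute_force_secret(raw, candidates)
  candidates.find { |guess| !load_session(raw, guess).nil? }
end
```

The forged cookie at the end of the test is built with build_session_cookie and the recovered secret; because there is no server-side state, the application accepts it as a session for user 1.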


Got a Session Fixation?

URL-based sessions were switched off by default in Rails 1.2.4 (Oct 2007). Before that, a session id in the query string was accepted, so an attacker could hand a victim a link carrying an id the attacker already knows:

    http://example.org/user/signup?_session_id=2a18e3557e0412139c0871c4581e29a1


Hello Cleveland

Rails Rocking Security Features:

- Protects against SQL Injection
- Simple Validation and HTML Encoding Functions
- Session Riding Protection (CSRF)
- Light Buffer Overflow Support


Escaped for Your Pleasure

Most developers will use ActiveRecord.

Standard queries will be parameterized and resist injection:

    book = Book.find(params[:id])

    settings = Setting.find(:all,
                            :conditions => ["uid=?", user.id])

However, SQL injection may be possible if bind variables are not used; :limit in particular is spliced into the statement unquoted:

    books = Book.find(:all, :limit => "#{session[:pref].id}")
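An added example, not ActiveRecord code: a cut-down imitation of what the "?" bind markers in :conditions do, next to the interpolated forms from the slide, so the difference is visible without a database. The quoting follows the ANSI rule of doubling single quotes only; real adapters also escape backslashes for MySQL. The table names and input values are constructed.

```ruby
# Quote one bound value the way an adapter would: integers bare, strings
# single-quoted with embedded quotes doubled, nil as NULL.
def quote_value(value)
  case value
  when Integer then value.to_s
  when nil     then 'NULL'
  else "'#{value.to_s.gsub("'", "''")}'"
  end
end

# Substitute each "?" with the next quoted value, left to right, as
# :conditions => ["uid=?", user.id] does.
def bind_sql(template, *values)
  unless template.count('?') == values.size
    raise ArgumentError, "wrong number of bind variables (#{values.size} for #{template.count('?')})"
  end
  pending = values.dup
  template.gsub('?') { quote_value(pending.shift) }
end

# :conditions => "uid=#{uid}" : the value lands in the SQL verbatim (vulnerable).
def settings_where_unsafe(uid)
  "SELECT * FROM settings WHERE uid=#{uid}"
end

# :conditions => ["uid=?", uid] : the value is quoted as data.
def settings_where_safe(uid)
  "SELECT * FROM settings WHERE #{bind_sql('uid=?', uid)}"
end

# :limit is never quoted, so interpolating a raw value is an injection point.
def books_limit_unsafe(limit)
  "SELECT * FROM books LIMIT #{limit}"
end

# The only defence for an unquoted position is coercion to the expected type.
def books_limit_safe(limit)
  "SELECT * FROM books LIMIT #{limit.to_i.clamp(1, 100)}"
end
```

The injected strings below are the classic "1 OR 1=1" and a stacked statement; with binding, the first becomes a harmless string comparison and the second is reduced to the leading integer.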


Escaped for Your Pleasure

Data will be truncated by the database to match the field length (MySQL does this silently unless strict mode is on), so an over-long value is not an overflow, but it is silently lost.

Alternatively, it is easy to validate lengths of user input:

    validates_length_of :phone, :within => 5..16,
                        :message => "Invalid Phone Number Length"


Validate Me

Rails comes with a number of input validations built in:

- validates_length_of
- validates_presence_of
- validates_format_of
- validates_uniqueness_of


Validate Me

    validates_length_of :phone, :within => 5..16

    validates_format_of :phone, :with => /^[+\/\-() 0-9]+$/,
                        :message => "Invalid Phone Number"

    validates_format_of :url, :with =>
      /^(http|https):\/\/[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,5}(([0-9]{1,5})?\/.*)?$/ix
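An added example, not from the slides: the two validates_format_of patterns above are run against constructed inputs, once as written with ^ and $ and once anchored with \A and \z. In Ruby, ^ and $ match at line boundaries, so a value with an embedded newline satisfies the pattern on its second line while its first line carries whatever the attacker likes. Rails' validation machinery is not used; format_valid? mirrors what validates_format_of :with does with the regex.

```ruby
# The slide's patterns, unchanged.
PHONE_LINE_ANCHORED = /^[+\/\-() 0-9]+$/
URL_LINE_ANCHORED   = /^(http|https):\/\/[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,5}(([0-9]{1,5})?\/.*)?$/ix

# The same patterns anchored to the whole string. \z (not \Z) also rejects a
# trailing newline.
PHONE_STRING_ANCHORED = /\A[+\/\-() 0-9]+\z/
URL_STRING_ANCHORED   = /\A(http|https):\/\/[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,5}(([0-9]{1,5})?\/.*)?\z/ix

# validates_format_of :with => re accepts the value iff it matches.
def format_valid?(value, re)
  !(value =~ re).nil?
end

# Constructed payloads: a benign-looking second line satisfies the line-anchored
# pattern, leaving the first line free for markup or a javascript: URL.
PHONE_PAYLOAD = "555-1234\n<script>alert(1)</script>"
URL_PAYLOAD   = "javascript:alert(1)\nhttp://example.com/"

# Runs both payloads through both anchorings and reports what each accepts.
def anchoring_report
  {
    phone_line:   format_valid?(PHONE_PAYLOAD, PHONE_LINE_ANCHORED),
    phone_string: format_valid?(PHONE_PAYLOAD, PHONE_STRING_ANCHORED),
    url_line:     format_valid?(URL_PAYLOAD, URL_LINE_ANCHORED),
    url_string:   format_valid?(URL_PAYLOAD, URL_STRING_ANCHORED),
  }
end
```

The line-anchored patterns accept both payloads; the string-anchored ones reject them and still accept ordinary phone numbers and URLs.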


Money Back Guarantee


Riding the Session

- The "CSRFKiller" plugin is now on by default in edge Rails core
- On for all non-GET requests (PUT/POST/DELETE)
- Each session has a unique "_token" value
- The token is a SHA1 hash over the :secret key and a random per-session value
- Earlier versions of Rails can install the plugin for CSRF protection
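An added example, not the CSRFKiller plugin or Rails' own code: a model of the scheme described above, a per-session token derived from the application :secret and a random per-session value, checked on every non-GET request. The derivation used here (HMAC-SHA1 over the random value), the session key name, the Request struct and the parameter name authenticity_token are assumptions for the example.

```ruby
require 'openssl'
require 'securerandom'

CSRF_SECRET  = 'assumed-application-secret'   # stands in for the :secret option
SAFE_METHODS = %w[GET HEAD].freeze            # read-only methods are not checked

# A request as the filter sees it: method, params and the server-side session.
Request = Struct.new(:http_method, :params, :session)

# The per-session token: a random value fixed when the session is first used,
# bound to the application secret. The same session always yields the same token,
# which is what lets a form rendered earlier be checked later.
def form_authenticity_token(session, secret = CSRF_SECRET)
  session[:_csrf_nonce] ||= SecureRandom.hex(16)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), secret, session[:_csrf_nonce])
end

# Constant-time comparison, so a wrong token cannot be found byte by byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# The before_filter: state-changing methods must carry the token that belongs
# to the caller's own session; a token from any other session is rejected.
def verified_request?(request)
  return true if SAFE_METHODS.include?(request.http_method.to_s.upcase)
  submitted = request.params['authenticity_token'].to_s
  secure_compare(form_authenticity_token(request.session), submitted)
end
```

A cross-site form post arrives with the victim's session cookie but without the token, since the attacking page cannot read it; that is the case the POST-without-token check below covers.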


Hey Baby, Nice Buffer

Language / Environment | Compiled or Interpreted | Strongly Typed | Direct Memory Access | Safe or Unsafe
Java                   | Both                    | Yes            | No                   | Safe
.NET                   | Both                    | Yes            | No                   | Safe
Perl                   | Both                    | Yes            | No                   | Safe
Python                 | Interpreted             | Yes            | No                   | Safe
Ruby                   | Interpreted             | Yes            | No                   | Safe
C/C++                  | Compiled                | No             | Yes                  | Unsafe
Assembly               | Compiled                | No             | Yes                  | Unsafe
COBOL                  | Compiled                | Yes            | No                   | Safe

Source: http://www.owasp.org/index.php/Buffer_Overflows


Hey Baby, Nice Buffer

A buffer overflow could exist in the interpreter (just like Java).

Using "RubyInline", a developer can embed C code within Ruby, and with it C's memory bugs:

    require 'rubygems'
    require 'inline'   # the RubyInline gem

    class Copier
      inline do |builder|
        builder.include '<string.h>'
        # Deliberately unsafe: strcpy copies input of any length into a 10-byte stack buffer
        builder.c "
          int badcopy(char *input) {
            char buffer[10];
            strcpy(buffer, input);
            return 0;
          }
        "
      end
    end

    Copier.new.badcopy("A" * 64)   # smashes the stack from Ruby


XSS: Not Just for Breakfast Any More

A number of Rails resources imply Cross-Site Scripting is only a concern if you use sessions. It is not: injected script runs with the page's origin regardless, and can deface the page, phish the user, or reach any other same-origin content.


Ruby to the Rexsscue

Use the "h" html_escape method when writing user data back out:

    <% for comment in @post.comments %>
      <%= h comment.body %>
    <% end %>


Ruby to the Rexsscue

Safe ERB: a plugin that will ensure all strings written through rhtml templates are checked or escaped before being written out. (Ruby's built-in "$SAFE" can not be properly used with Rails.)

(Although don't forget UTF-7 and other encoding issues.)


WEAK SAUCE ALERT!!!

Sanitize Module (ActionView::Helpers::TextHelper), a black list:

- converts <form> and <script> tags into regular text
- removes all "onxxx" attributes
- removes href= and src= attributes that start with "javascript:"

Anything the list does not name passes straight through.

    sanitize('<script> do_nasty_stuff() </script>')
    => &lt;script> do_nasty_stuff() &lt;/script>

    sanitize('<a href="javascript: sucker();">Click for $100</a>')
    => <a>Click for $100</a>


One for my Pentesting Homies

Rails has a built-in check for XML HTTP Requests (AJAX).

request.xhr? simply checks for the header "X-Requested-With: XMLHttpRequest". Any HTTP client (curl, an intercepting proxy) can add that header, so a positive answer proves nothing about who sent the request.


Would You Like Fries with That?

Bulk database assignments, like "create" and "new", can add data for any column in a table, including columns the form never exposes.


Would You Like Fries with That?

Normal public add-user request:

    POST /users HTTP/1.1
    Host: example.com
    Content-Length: 30

    username=Foo&passwd=p4ssw0rrd!

Malicious add-admin-user request (two extra parameters the form never had):

    POST /users HTTP/1.1
    Host: example.com
    Content-Length: 52

    username=Foo&passwd=p4ssw0rrd!&is_admin=1&approved=1


Would You Like Fries with That?

Black list column exclusion (everything not listed stays assignable):

    attr_protected :approved, :is_admin

White list column inclusion (only the listed columns are assignable; prefer this, since a column added later is protected by default):

    attr_accessible :username, :password


Shoot the Messenger

A Rails process is single threaded: it handles one request at a time, so many sites run several processes behind a reverse proxy for performance.

Don't forget to check for Response Splitting! A proxy or cache in front of the application is exactly what a split response can poison.

Places to look: filenames, cookies, redirects.
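An added example, not from the slides: a redirect header built from a user-supplied value, first as the naive concatenation that allows response splitting and then with the CR/LF check a practitioner would add before any user data reaches a header. The response builder, the header parser and the two payloads are constructed stand-ins for what the framework and a downstream proxy do with the raw bytes.

```ruby
# Naive: the Location value is dropped into the header block verbatim.
def redirect_response_unsafe(location)
  "HTTP/1.1 302 Found\r\nLocation: #{location}\r\nContent-Length: 0\r\n\r\n"
end

# A header value may never contain CR or LF; that is the whole check.
def header_value_safe?(value)
  (value =~ /[\r\n]/).nil?
end

def redirect_response_safe(location)
  raise ArgumentError, 'CR/LF in header value' unless header_value_safe?(location)
  redirect_response_unsafe(location)
end

# What a downstream consumer sees: header names of the first response.
def parse_header_names(raw)
  head, _body = raw.split("\r\n\r\n", 2)
  head.split("\r\n").drop(1).map { |line| line.split(':', 2).first.strip }
end

# How many responses a proxy would find in one byte stream.
def response_count(raw)
  raw.scan(%r{^HTTP/1\.1 }).size
end

# Constructed payloads. The first injects a cookie into the victim's response;
# the second terminates the response and supplies a complete second one, the
# one a cache would store for the attacker-chosen URL.
COOKIE_PAYLOAD = "http://example.com/\r\nSet-Cookie: _app_session=attacker-chosen"
SPLIT_PAYLOAD  = "http://example.com/\r\nContent-Length: 0\r\n\r\n" \
                 "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 21\r\n\r\n" \
                 "<html>attacker</html>"
```

The same check applies to Set-Cookie values and Content-Disposition filenames; rejecting the request is preferable to stripping, since a stripped value usually means someone is probing.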


What's Up 2.0

Rails 2.0: Release Candidate 1 (Nov 9th 2007)

Security default changes:

- ActionController::RequestForgeryProtection: Session Riding Protection on by default
- TextHelper#sanitize: defaults to a white list (was a black list)
- HTTP Only cookies supported
- Default sessions stored in client cookies


What's Up 2.0

Rails rides with REST:

- POST/GET/PUT/DELETE
- Create/Read/Update/Delete

One URL, four HTTP methods:

    PUT /product/3 HTTP/1.1
    Host: example.com
    Content-Length: 19

    name=Foo&price=9.99

Looking For More?

- http://www.owasp.org/index.php/Image:Owasp-rails-security.pdf
- http://www.rorsecurity.info
- Foundstone's Hacme Casino: http://www.foundstone.com/us/resources/proddesc/hacmecasino.htm
- http://weblog.rubyonrails.org
- http://rfuzz.rubyforge.org (Ruby Fuzzer)

THANK YOU!!!

Corey.Benninger@IntrepidusGroup.com