RailsConf 2015 - Metasecurity: Beyond Patching Vulnerabilities
Transcript of RailsConf 2015 - Metasecurity: Beyond Patching Vulnerabilities
Page 1
Metasecurity: Beyond Patching Vulnerabilities
Chase Douglas, Immun.io
Page 2
Anatomy of a security attack
Diagram labels: Vulnerability, Attacker
Page 3
How to defend against vulnerabilities?
Page 4
(slide image only)
Page 5
PHP: Over 24 vulnerabilities reported every year!
Rails: Over 7 vulnerabilities reported every year!
Source: cvedetails.com
Page 6
How fast can you spin this wheel?
Page 7
Vulnerabilities sold remain private for an average of 151 days
Source: "The Known Unknowns", Stefan Frei, NSS Labs, https://www.nsslabs.com/reports/known-unknowns-0
Page 8
How many vulnerabilities are lurking, unfound?
Page 9
How to defend against attackers?
Page 10
Web Application Firewalls
Page 11
Web Application Firewalls
Page 12
Field Trip! Château Gaillard
Page 13
False Positives
Page 14
Anatomy of a security attack
Diagram labels: Vulnerability, Attacker, Exploitation
Page 15
Metasecurity: Blocking Exploitations
Page 16
Exploitations
• SQL Injection
• Cross Site Scripting (XSS)
Page 17
SQL Injection
Page 25
Cross Site Scripting (XSS)
But I didn't click on anything!
Page 26
XSS + ?
Page 27
XSS: In someone else's browser!
Page 28
String.html_safe
Page 29
String.html_safe: Escaped!
Page 30
String.html_safe: Not Escaped!
Page 31
Rails Rendering: Start with an empty SafeBuffer
Buffer: (empty)
Page 32
Rails Rendering: Append template after calling html_safe on it
Buffer: <head> <title>
Page 33
Rails Rendering: Append expression result
Buffer: <head> <title><script>alert(1)</script>
I tried to inject <script>alert(1)</script> here!
Page 34
Rails Rendering: Append template after calling html_safe on it
Buffer: <head> <title><script>alert(1)</script></title>
Page 35
Rails Rendering: Append expression result
Buffer: <head> <title><script>alert(1)</script></title> <script src="/application.js"></script>
javascript_include_tag returned a SafeBuffer
Page 36
Rails Rendering: Append template after calling html_safe on it
Buffer: <head> <title><script>alert(1)</script></title> <script src="/application.js"></script></head>
Page 37
XSS
Page 38
XSS
params => {id: 5}
Page 39
XSS
params => {id: "<script>alert(1)</script>"}
Rendered HTML:
<div class="alert"> User id <script>alert(1)</script> does not exist</div>
Page 45
How to Fix?
Page 46
How to Fix XSS
Page 47
How to Fix SQL Injection
• Check that args for all `Calculate` methods are actual table names
• Always use hashes or arrays when using `delete_all`/`destroy_all`/`where`
• Always use hashes when using `find_by`/`find_by!`
• Always convert user input to strings when passed to `exists?`
• Never pass user input to `group`/`joins`/`order`/`reorder`/`pluck`/`select`/`having`
• Don't use `find` unless you are a security guru
• etc. etc.
Page 48
"Once you're done with that, can you audit all our dependencies too?"
Page 49
"Can you teach everyone else about security?"
Page 50
"All changes will be reviewed by the security team"
"It won't be a bottleneck, we've got two security engineers"
Page 51
Metasecurity Defense
Page 52
Metasecurity for XSS
Should there be script tags here?
Page 53
Metasecurity for XSS
• Wrap the `html_safe` method
• If called from a known good location, like a Rails helper, let the string through unimpeded
• Otherwise, escape any `<script>` tags first
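The rendering walkthrough on slides 31-36 and the `html_safe` wrapper on slide 53, modelled in plain Ruby as an added example (not code from the talk or from Immunio): `SafeBuffer`, `guarded_html_safe`, the trusted-path list and `render_head` are constructed here, and the "known good location" check uses Ruby's `caller_locations` rather than whatever mechanism the product uses.

```ruby
require "cgi"

# Minimal model of Rails output buffering, constructed for this example (not
# ActiveSupport::SafeBuffer itself): appending a plain String escapes it,
# appending a SafeBuffer inserts it verbatim.
class SafeBuffer < String
  def <<(other)
    super(other.is_a?(SafeBuffer) ? other.to_s : CGI.escapeHTML(other.to_s))
  end
end

# Caller paths treated as "known good" (assumed list; the slides name Rails helpers).
TRUSTED_CALLER_PATHS = %w[/actionview/ /activesupport/].freeze

# Slide 53 rule: a trusted caller's string passes through untouched; any other
# caller has its <script> tags escaped before the string is marked safe.
def guarded_html_safe(str, caller_path)
  return SafeBuffer.new(str) if TRUSTED_CALLER_PATHS.any? { |p| caller_path.include?(p) }
  SafeBuffer.new(str.gsub(%r{</?script\b[^>]*>}i) { |tag| CGI.escapeHTML(tag) })
end

class String
  # Unwrapped html_safe: whoever calls it is trusted blindly (slide 30, "Not Escaped!").
  def raw_html_safe
    SafeBuffer.new(self)
  end

  # Wrapped html_safe: decide based on where the call came from.
  def html_safe
    guarded_html_safe(self, caller_locations(1, 1).first.path)
  end
end

# The <head> template from slides 31-36, rendered piece by piece.
def render_head(title, script_tag)
  buf = SafeBuffer.new
  buf << "<head> <title>".html_safe
  buf << title        # expression result: escaped unless it is a SafeBuffer
  buf << "</title> ".html_safe
  buf << script_tag   # javascript_include_tag returns a SafeBuffer
  buf << "</head>".html_safe
  buf.to_s
end

SCRIPT_TAG = SafeBuffer.new('<script src="/application.js"></script>')
INJECTED   = "<script>alert(1)</script>" # constructed user input
# render_head(INJECTED, SCRIPT_TAG) escapes the title; INJECTED.raw_html_safe
# reproduces slide 33 (script lands in the page); INJECTED.html_safe is escaped again.
```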
Page 54
Metasecurity for SQL Injection
Structure: Eoknkno1
Structure: Eoknkno1&1o1
Structure: Eoknkno1;Tkn
Page 55
How do we determine expected structures?
Page 56
Every Query is Executed at the Top of a Call Stack
Page 57
Match Call Stack to a Learned Structure
Eoknk
Page 58
Verify Structure
Expected Structure: Eoknk
Eoknk: Ok!
Eoknkno1&1o1: Bad!
Block and respond with 403
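The structure-learning check on slides 54-58, as an added Ruby example rather than Immunio's code: `QueryGuard`, its tokenizer, `find_user_sql` and the call-site key are all constructed here, and the tokenizer is deliberately simple (single-quoted strings, numbers and comments are the only literals it abstracts).

```ruby
# Simplified model of the structure-learning defence on slides 54-58, written for
# this transcript (not Immunio's implementation).
class QueryGuard
  TOKEN = /'(?:[^']|'')*'|\d+(?:\.\d+)?|[A-Za-z_][\w.]*|--[^\n]*|\/\*.*?\*\/|\S/m

  # Reduce a query to its structure: literals become "?", comments become
  # "COMMENT", keywords and identifiers are kept (case-folded).
  def self.structure(sql)
    sql.scan(TOKEN).map do |tok|
      case tok
      when /\A['\d]/     then "?"
      when /\A(--|\/\*)/ then "COMMENT"
      else tok.downcase
      end
    end.join(" ")
  end

  def initialize
    @expected = {} # call site => learned structure
  end

  # Learning mode (e.g. while the test suite runs): remember what the query
  # issued from this call site normally looks like.
  def learn(site, sql)
    @expected[site] = self.class.structure(sql)
  end

  # Enforcement: the same call site producing a different structure means input
  # altered the query, so it is blocked and the request answered with 403.
  def check(site, sql)
    expected = @expected[site]
    return { status: 200, note: "no structure learned for #{site}" } unless expected
    actual = self.class.structure(sql)
    actual == expected ? { status: 200 } : { status: 403, expected: expected, actual: actual }
  end
end

# Constructed app code with the interpolation bug the check is meant to catch.
def find_user_sql(id)
  "SELECT * FROM users WHERE id = #{id}"
end

GUARD = QueryGuard.new
SITE  = "users_controller.rb:12" # constructed call-site key (in practice taken from the stack)
GUARD.learn(SITE, find_user_sql(5))
GOOD = GUARD.check(SITE, find_user_sql(42))         # { status: 200 }
BAD  = GUARD.check(SITE, find_user_sql("5 OR 1=1")) # status 403: structure gained "or ? = ?"
```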
Page 59
Metasecurity
Diagram labels: Vulnerability, Attacker, Exploitation
Page 60
Immunio is Metasecurity
Automatic protection against:
• Cross Site Scripting
• SQL Injection
• Remote Command Execution
• ShellShock
• Open Redirects
• Unauthorized File I/O
• CSRF Tampering
• Brute Force Authentication Attempts
• HTTP Header Split
• HTTP Method Tampering
• Automated Scanners
• And more…