The web has become a part of our lives. We bank online, we shop online, we talk online, we even pay our taxes online. It's made our lives very convenient, but all that data makes a tempting target for hackers. Learn about some recent attacks on popular web frameworks and dig in to why they were effective. Learn how these advanced attacks can be detected, and how they can be stopped by applications which learn to protect themselves.
2. Today
Checked in to my flight
Read the News
Paid for Parking
Coffee with the Starbucks app
Boarding Pass
Slack
Gmail
Review some Pull Requests
Uber
GoSec Schedule
Trello
Banking
Facebook
Twitter
Ashley Madison
TOP SECRET Security Clearance with the OPM
5. How?
Framework up to Date?
Libraries Patched?
Code Reviewed for Security?
Monitoring for New CVEs?
Reviewed External libraries?
Static Analysis?
Fixed Insecure Defaults?
7. CVE-2014-0130
“Directory traversal vulnerability”
Credited to Ville Lautanala of Flowdock
expanded on by Jeff Jarmoc @ Matasano
http://matasano.com/research/AnatomyOfRailsVuln-CVE-2014-0130.pdf
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0130
8. Directory Traversal
Vulnerable Route with globbing:
get 'my_url/*action', controller: 'asdf'
*action is expected to be an action name or a template file name, looked up under
RAILS_ROOT/app/views/<controller_name>/
What if I try: my_url/../../../Gemfile
11. Directory Traversal
Recommendation - use non-globbing route:
get 'my_url/:action', controller: 'asdf'
Something like ../../../Gemfile won't match
BUT!
Route matching happens BEFORE URI decoding:
my_url/%2e%2e%2f%2e%2e%2f%2e%2e%2fGemfile
12. Can We Execute Code?
“Helpful” default behaviour in Rails
Unknown extension defaults to ERB template
<%= `whoami` %>
14. Getting Code into a File
Rails does this for us!
/some/page?mycode=1234
Written to production.log
/some/page?mycode=%3c%25%3d%20%60%69%64%60%20%25%3e
which the log writer decodes and stores as: <%= `id` %>
17. How to Defend?
Upgrade Rails - fixed in 4.1.1, 4.0.5, 3.2.18
Scan your code - Brakeman >= 2.5.1
Use recommended workarounds
Only helps AFTER the vulnerability is announced!
20. Active Defence
What was the actual exploit?
A file was read that shouldn’t be read
Shell commands were executed
Move INSIDE the app and we can see these directly
21. Protect against the exploit
• Uploaded images should not be executed as code
• Don’t load configuration from /tmp
• My app does NOT need to read or write anywhere inside /etc
• In fact, the app shouldn’t be writing anywhere except /tmp and /var/log
• And especially not be reading from /etc/ssl or ~/.ssh/id_rsa
Track code that opens files
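Added example, not code from the talk: in Ruby, a template resolver that decodes the *action segment before checking that it stays under the controller's view directory and names a real template (slides 11 and 12), plus a file-access policy of the kind slide 21 describes. The views root /srv/app/app/views and the app user's home /home/app are assumed.

```ruby
require 'uri'
require 'pathname'

# Assumed paths for this example: RAILS_ROOT/app/views and the app user's home.
VIEWS_ROOT = '/srv/app/app/views'.freeze
WRITABLE_DIRS = %w[/tmp /var/log].freeze
FORBIDDEN_READ_DIRS = %w[/etc /home/app/.ssh].freeze

def under?(path, dir)
  path == dir || path.start_with?("#{dir}/")
end

# Resolve the *action segment of a globbing route to a template path, or nil
# when the request must be rejected. The route matched on the still-encoded
# path, so the decode has to happen here, before any containment check.
def resolve_template(controller, action, views_root: VIEWS_ROOT)
  decoded = URI.decode_www_form_component(action.to_s)
  return nil if decoded.include?("\0")
  base = Pathname.new(views_root).join(controller)
  candidate = base.join(decoded).cleanpath.to_s   # collapses ../ lexically
  return nil unless candidate.start_with?("#{base}/")
  # Only explicit HTML templates: an unknown extension would otherwise be
  # handed to the ERB handler and executed.
  return nil unless candidate.end_with?('.html.erb')
  candidate
rescue ArgumentError   # malformed %-encoding
  nil
end

# In-app file access policy: writes only under /tmp and /var/log,
# no reads at all from /etc or the app user's ~/.ssh.
def file_access_allowed?(path, mode)
  clean = Pathname.new(path).cleanpath.to_s
  return false if mode == :write && WRITABLE_DIRS.none? { |d| under?(clean, d) }
  FORBIDDEN_READ_DIRS.none? { |d| under?(clean, d) }
end

if $PROGRAM_NAME == __FILE__
  p resolve_template('asdf', 'index.html.erb')                      # => "/srv/app/app/views/asdf/index.html.erb"
  p resolve_template('asdf', '%2e%2e%2f%2e%2e%2f%2e%2e%2fGemfile')  # => nil
  p file_access_allowed?('/home/app/.ssh/id_rsa', :read)           # => false
end
```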
22. Protect against the exploit
• Most apps don’t need to execute shell commands. FENCE IT OFF!
• If you do need shell, track the code that runs commands.
• The command that minifies my CSS should not be downloading and executing a perl script!
• The command that sends an invoice should not be opening a reverse shell to Russia!
• And block shell access from everywhere else.
Track shell code execution
23. Inside the App
Much more accurate. Fewer false positives.
• SQL Queries for SQL Injection
• Template rendering for Cross Site Scripting
• Authentication attacks and Brute Forcing
• Cross Site Request Forgery
24. Real-time web application security
Automatic detection and protection against app security vulnerabilities
Java Python Ruby
2 Minute Install