Securing your Rails application


Description

This presentation highlights tools you can use to secure your Rails application: TLS configuration, security response headers, and static analysis gems.

Transcript of Securing your Rails application

Page 1: Securing your Rails application

Copyright (c) 2011, FireEye, Inc. All rights reserved. | CONFIDENTIAL

Securing Your Rails Application

Christophe Lucas Mandiant, a FireEye Company

Page 2: Securing your Rails application

Copyright (c) 2014, FireEye, Inc. All rights reserved.

Heartbleed

Page 3: Securing your Rails application


OpenSSL CVE-2014-0160 vulnerability

• A missing bounds check in the TLS heartbeat extension lets an unauthenticated attacker read up to 64 KB of the server process memory per request

• That memory can hold the private key, session cookies, usernames and passwords, and the plaintext of other users' traffic

• A plain programming mistake in a library every HTTPS site depends on; the fix is to upgrade OpenSSL and then rotate keys, certificates and credentials

Page 4: Securing your Rails application


New OpenSSL release to fix 6 bugs (June 2014)

• SSL/TLS MITM vulnerability (CVE-2014-0224), exploitable only when both client and server run a vulnerable OpenSSL
• DTLS recursion flaw (CVE-2014-0221)
• DTLS invalid fragment vulnerability (CVE-2014-0195)
• SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198)
• SSL_MODE_RELEASE_BUFFERS session injection or denial of service (CVE-2010-5298)
• Anonymous ECDH denial of service (CVE-2014-3470)

Page 5: Securing your Rails application


OpenSSL?

• Open source implementation of the SSL/TLS protocols, written in C

• SSL: Secure Sockets Layer
• TLS: Transport Layer Security, the successor to SSL

• The 'S' in HTTPS

Page 6: Securing your Rails application


Transport Layer Security

• SSL was developed by Netscape; SSL 1.0 was never released

• 1995: SSL 2.0

• 1996: SSL 3.0

• 1999: TLS 1.0, RFC 2246 (SSL 3.0 taken over and standardised by the IETF)

• 2006: TLS 1.1, RFC 4346

• 2008: TLS 1.2, RFC 5246

Page 7: Securing your Rails application


TLS handshake

Client                                                        Server
  Client Hello: supported TLS versions, cipher suites  -------->
  <--------  Server Hello: chosen TLS version and cipher suite
  <--------  Certificate: server public key and certificate chain
  Validate certificate: chain to a trusted CA, hostname, validity period
  Client Key Exchange: premaster secret encrypted with the server public key (RSA key exchange)  -------->
  Client Finished, encrypted with the derived session keys  -------->
  <--------  Server Finished, encrypted
  TLS Record Protocol: application data encrypted and authenticated with the session keys
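The handshake on the slide, run end to end with Ruby's standard OpenSSL binding. This is an added example, not code from the talk: it builds a self-signed certificate for the made-up name app.example.test, starts a TLS 1.2+ server on localhost, connects a client that validates the certificate chain and the hostname, and then connects a second client that trusts a different root to show the failure a man-in-the-middle causes.

```ruby
# Added example, not code from the talk: the handshake on the slide, run end
# to end with Ruby's standard OpenSSL binding. The hostname and the
# self-signed certificate are constructed for this demo.
require 'openssl'
require 'socket'

DEMO_HOST = 'app.example.test' # assumed name, only used inside this demo

# A self-signed X.509 v3 certificate with a SAN entry, as a CA would issue.
def build_self_signed_cert(cn)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{cn}"))
  cert.sign(key, OpenSSL::Digest.new('SHA256')) # SHA-2 signature, not SHA-1
  [key, cert]
end

# Server: present the certificate, refuse anything below TLS 1.2, send one
# line of application data after the handshake and hang up.
def run_tls_server(key, cert)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key  = key
  ctx.min_version = OpenSSL::SSL::TLS1_2_VERSION
  tcp    = TCPServer.new('127.0.0.1', 0)
  port   = tcp.addr[1]
  server = OpenSSL::SSL::SSLServer.new(tcp, ctx)
  thread = Thread.new do
    begin
      conn = server.accept # server half of the handshake
      conn.puts 'hello'
      conn.close
    rescue OpenSSL::SSL::SSLError, IOError, SystemCallError
      nil # the client aborted the handshake (e.g. it rejected our certificate)
    ensure
      server.close
    end
  end
  [port, thread]
end

# Client: Client Hello -> Server Hello + Certificate -> validate -> Finished.
# trusted_cert is the only root accepted; hostname drives SNI and the name check.
def tls_client_handshake(port, trusted_cert, hostname)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER # VERIFY_NONE would accept any certificate
  store = OpenSSL::X509::Store.new
  store.add_cert(trusted_cert)
  ctx.cert_store = store
  ssl = OpenSSL::SSL::SSLSocket.new(TCPSocket.new('127.0.0.1', port), ctx)
  ssl.hostname   = hostname # SNI, carried in the Client Hello
  ssl.sync_close = true
  begin
    ssl.connect                         # the handshake; raises if the chain is untrusted
    ssl.post_connection_check(hostname) # chain is trusted, but is it for *this* host?
    { version:  ssl.ssl_version,        # negotiated protocol, e.g. "TLSv1.3"
      cipher:   ssl.cipher[0],          # negotiated cipher suite
      peer:     ssl.peer_cert.subject.to_s,
      greeting: ssl.gets.to_s.strip }   # application data over the Record Protocol
  ensure
    ssl.close # sync_close also closes the TCP socket
  end
end

# Happy path, then the failure a man-in-the-middle causes: the server's
# certificate does not chain to anything the client trusts.
def handshake_demo
  key, cert = build_self_signed_cert(DEMO_HOST)
  port, thread = run_tls_server(key, cert)
  trusted = tls_client_handshake(port, cert, DEMO_HOST)
  thread.join

  port, thread = run_tls_server(key, cert)
  other_root = build_self_signed_cert('some-other-ca')[1]
  untrusted_error = begin
    tls_client_handshake(port, other_root, DEMO_HOST)
    nil
  rescue OpenSSL::SSL::SSLError => e
    e.message
  end
  thread.join
  { trusted: trusted, untrusted_error: untrusted_error }
end

puts handshake_demo.inspect if __FILE__ == $PROGRAM_NAME
```

ssl_version and cipher report what was negotiated: TLS 1.3 with a current OpenSSL, TLS 1.2 with older ones. The part to carry into a Rails app is the client side: every outbound HTTPS call (Net::HTTP, payment and OAuth gems) performs the same validate step, and any code that sets OpenSSL::SSL::VERIFY_NONE "to make it work" has skipped it entirely.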

Page 8: Securing your Rails application


HTTP Secure

Page 9: Securing your Rails application


How is my SSL?

• https://www.howsmyssl.com checks the TLS client that connects to it (your browser, or a Ruby HTTP library) for:

• Protocol version

• Ephemeral key support (forward secrecy)

• Session ticket support

• TLS compression (should be off: CRIME)

• Cipher suites

Page 10: Securing your Rails application


Secure Hash Algorithm

• 1993: SHA-0, published by NIST

• 1995: SHA-1, published by NIST

• 2001: SHA-2, published by NIST

• 2014: SHA-3 (Draft FIPS 202), published by NIST

Use SHA-2 for certificate signatures and HMACs; SHA-1 is being retired by browsers

Page 11: Securing your Rails application


Use SSL/TLS

Credits: http://www.nsa.gov

Page 12: Securing your Rails application


Being Boring: A Survival Guide to Ruby Cryptography

Crypto API built on a bunch of crazy code written by amateurs (Ruby OpenSSL): not boring

Credits: Tony Arcieri - RubyConf 2013

Page 13: Securing your Rails application


Being Boring: A Survival Guide to Ruby Cryptography

Crypto API built on a crypto library written by cryptographers: boring, which is what you want

Credits: Tony Arcieri - RubyConf 2013

Page 14: Securing your Rails application


OpenSSL vs Ruby NaCl

• Ruby NaCl (rbnacl): Ruby binding to the NaCl/libsodium library, with a small API that fixes the algorithm, key size and authentication for you

• https://github.com/cryptosphere/rbnacl
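What "not boring" means in practice, as an added example that is not from Arcieri's talk or from rbnacl: authenticated encryption (AES-256-GCM) done through Ruby's OpenSSL binding, with every decision the caller has to get right marked (!). The key, messages and associated data are constructed for the demo. A NaCl-style box exposes only encrypt and decrypt, with the algorithm, tag handling and key size fixed by the library, so none of the (!) lines exist for the caller to get wrong.

```ruby
# Added example, not from the talk or from rbnacl: authenticated encryption
# (AES-256-GCM) through Ruby's OpenSSL binding. Every line marked (!) is a
# decision the caller must get right; a NaCl-style box makes it for you.
# Key, messages and associated data are constructed for the demo.
require 'openssl'
require 'securerandom'

NONCE_BYTES = 12 # (!) the standard GCM nonce size
TAG_BYTES   = 16 # (!) full-length tag; never accept a shorter one

# Returns nonce || ciphertext || tag as a binary string.
def seal(key, plaintext, aad = '')
  raise ArgumentError, 'key must be 32 bytes' unless key.bytesize == 32 # (!)
  cipher = OpenSSL::Cipher.new('aes-256-gcm')
  cipher.encrypt
  cipher.key = key
  nonce = SecureRandom.random_bytes(NONCE_BYTES) # (!) fresh per message; a repeat under one key breaks GCM
  cipher.iv = nonce
  cipher.auth_data = aad # (!) authenticated but not encrypted, e.g. the owner's user id
  ct = plaintext.empty? ? ''.b : cipher.update(plaintext)
  ct << cipher.final
  nonce + ct + cipher.auth_tag(TAG_BYTES) # (!) the tag must travel with the message
end

# Returns the plaintext, or nil if key, nonce, tag or aad do not match.
def open_box(key, blob, aad = '')
  blob = blob.b
  return nil if blob.bytesize < NONCE_BYTES + TAG_BYTES
  nonce = blob[0, NONCE_BYTES]
  tag   = blob[-TAG_BYTES, TAG_BYTES]
  ct    = blob[NONCE_BYTES...-TAG_BYTES]
  cipher = OpenSSL::Cipher.new('aes-256-gcm')
  cipher.decrypt
  cipher.key = key
  cipher.iv  = nonce
  cipher.auth_tag  = tag # (!) must be set before final, or the tag is never checked
  cipher.auth_data = aad
  pt = ct.empty? ? ''.b : cipher.update(ct)
  pt << cipher.final # (!) this is where the tag is verified; raises on any tampering
  pt
rescue OpenSSL::Cipher::CipherError
  nil
end

# Flip one bit of a blob to simulate tampering in transit.
def tamper(blob, index)
  out = blob.b.dup
  out.setbyte(index, out.getbyte(index) ^ 0x01)
  out
end

def aead_demo
  key  = SecureRandom.random_bytes(32) # constructed key
  blob = seal(key, 'session=abc123; admin=false', 'user:42')
  {
    roundtrip: open_box(key, blob, 'user:42'),
    tampered:  open_box(key, tamper(blob, NONCE_BYTES + 20), 'user:42'),
    wrong_aad: open_box(key, blob, 'user:43'),
    wrong_key: open_box(SecureRandom.random_bytes(32), blob, 'user:42')
  }
end
```

Leave out any one of the (!) lines and the code still "works": a fixed nonce still encrypts, an unchecked tag still decrypts. That silent failure mode is the argument for a boring API.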

Page 15: Securing your Rails application


Vulnerabilities

• Transport: traffic and cookies exposed on the wire

• Rendering: what the browser is allowed to load and execute on your pages

=> both are addressed by securing the HTTP response headers

Page 16: Securing your Rails application


Secure session

• config/environments/production.rb: config.force_ssl = true

• Enables the ActionDispatch::SSL middleware: redirects every HTTP request to HTTPS, flags cookies as Secure and sends the HSTS header

• The session cookie is then only sent over a secure connection

• Adds the Secure attribute to Set-Cookie

Page 17: Securing your Rails application


Request - Response

(Diagram: the browser first requests http://, the server answers with a redirect to https://, and only then does the secure session start.)


Page 22: Securing your Rails application


Session Hijacking (MITM)

(Diagram: an attacker between the browser and the server intercepts the initial http:// request, before the redirect to https://, strips the redirect to keep the browser on plain HTTP, and can read and hijack the session.)


Page 25: Securing your Rails application


Prevent Attack

• Use HTTP Strict Transport Security (HSTS)

• Tells the browser to only ever visit the HTTPS version of the website, for max-age seconds

Strict-Transport-Security: max-age=15768000; includeSubDomains

• The browser rewrites http:// to https:// itself, so there is no more redirect and the first insecure round trip is eliminated

• Caveat: the header is only honoured when received over HTTPS, and it protects a visitor only after one successful HTTPS visit (or once the domain is on the browsers' HSTS preload list)

Page 26: Securing your Rails application


Transport

• TLS: Transport Layer Security

• Secure Cookies

• HSTS: HTTP Strict Transport Security

Page 27: Securing your Rails application


Protect Cookie

Secure only keeps the cookie off the wire; a script injected into the page can still read it:

Set-Cookie: the_secure_cookie; Secure
<script>alert(document.cookie);</script>

HttpOnly hides the cookie from JavaScript:

Set-Cookie: the_cookie; Secure; HttpOnly

Rails session cookies are HttpOnly by default

Page 28: Securing your Rails application


Content Security Policy

Whitelist where each kind of content may be loaded from:

Content-Security-Policy: default-src 'self'; img-src 'self' data:; media-src mediastream:; script-src 'self' https://example.com

Note: default-src 'self' also blocks inline <script> blocks, inline event handlers and eval(), so Rails views that use inline JavaScript will break until that code is moved into served files

Page 29: Securing your Rails application


Audit your CSP

Deploy in report-only mode first: violations are reported but nothing is blocked.

Content-Security-Policy-Report-Only: default-src 'self'; img-src 'self' data:; media-src mediastream:; script-src 'self' https://example.com

Add a report-uri directive to receive the violation reports as JSON POSTs at an endpoint of your choosing

Page 30: Securing your Rails application


Frame Option (XFO)

Prevent clickjacking by controlling who may put the page in a frame:

X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
X-Frame-Options: ALLOW-FROM https://example.com/

ALLOW-FROM is not supported by every browser (Chrome and Safari ignore it); the CSP frame-ancestors directive is the portable replacement

Page 31: Securing your Rails application


XSS protection

Turn on the browser's reflected cross-site scripting filter and make it block the page rather than try to repair it:

X-XSS-Protection: 1; mode=block

This is a browser heuristic, not a substitute for escaping output in your views

Page 32: Securing your Rails application


Prevent content sniffing

Stop the browser from guessing a MIME type that differs from the Content-Type you sent (e.g. treating an uploaded file as HTML or script):

X-Content-Type-Options: nosniff

Page 33: Securing your Rails application


Rendering

• HttpOnly Cookies

• Content Security Policy

• Frame Options

• XSS protection

• Content Type Options
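The transport and rendering headers from the slides above, emitted by one piece of middleware. This is an added example, not code from the talk or from the secure_headers gem: it follows the Rack calling convention (call(env) returning status, headers and body) so it runs without the rack gem, and the policy values, the demo app and the request environment are constructed for the demo.

```ruby
# Added example (not from the slides or the secure_headers gem): a minimal
# Rack-style middleware that emits the transport and rendering headers
# discussed above and hardens Set-Cookie. It follows the Rack calling
# convention (call(env) -> [status, headers, body]) so it runs without the
# rack gem; the policy values and the demo app are constructed.
class SecurityHeaders
  CSP = "default-src 'self'; img-src 'self' data:; media-src mediastream:; " \
        "script-src 'self' https://example.com".freeze

  HEADERS = {
    'Strict-Transport-Security' => 'max-age=15768000; includeSubDomains',
    'Content-Security-Policy'   => CSP,
    'X-Frame-Options'           => 'SAMEORIGIN',
    'X-XSS-Protection'          => '1; mode=block',
    'X-Content-Type-Options'    => 'nosniff'
  }.freeze

  # report_only: true switches CSP to the Report-Only header for auditing.
  def initialize(app, report_only: false)
    @app = app
    @report_only = report_only
  end

  def call(env)
    status, headers, body = @app.call(env)
    headers = headers.dup
    HEADERS.each do |name, value|
      # HSTS is only meaningful (and only honoured) on an HTTPS response.
      next if name == 'Strict-Transport-Security' && env['rack.url_scheme'] != 'https'
      name = 'Content-Security-Policy-Report-Only' if @report_only && name == 'Content-Security-Policy'
      headers[name] ||= value # a header the app set deliberately is left alone
    end
    headers['Set-Cookie'] = harden_cookies(headers['Set-Cookie']) if headers['Set-Cookie']
    [status, headers, body]
  end

  # Add Secure and HttpOnly to each Set-Cookie value that lacks them.
  # Accepts the newline-joined string Rack 2 uses or an Array as in Rack 3.
  def harden_cookies(value)
    lines = value.is_a?(Array) ? value : value.split("\n")
    hardened = lines.map do |cookie|
      attrs = cookie.split(';').map(&:strip)
      attrs << 'Secure'   unless attrs.any? { |a| a.casecmp?('Secure') }
      attrs << 'HttpOnly' unless attrs.any? { |a| a.casecmp?('HttpOnly') }
      attrs.join('; ')
    end
    value.is_a?(Array) ? hardened : hardened.join("\n")
  end
end

# Constructed stand-in for the Rails app: sets a session cookie without flags.
DEMO_APP = lambda do |_env|
  [200,
   { 'Content-Type' => 'text/html', 'Set-Cookie' => '_app_session=abc123; Path=/' },
   ['<h1>ok</h1>']]
end

# Run one constructed request through the middleware and return the headers.
def demo_headers(scheme: 'https', report_only: false)
  env = { 'REQUEST_METHOD' => 'GET', 'PATH_INFO' => '/', 'rack.url_scheme' => scheme }
  SecurityHeaders.new(DEMO_APP, report_only: report_only).call(env)[1]
end
```

In a real application this is what the secure_headers gem (next slide) does for you, with per-controller overrides; the hand-rolled version is here to make the header values and the HTTPS-only HSTS rule visible.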

Page 34: Securing your Rails application


secure_headers gem

• https://github.com/twitter/secureheaders

• Content Security Policy (CSP)

• HTTP Strict Transport Security (HSTS)

• X-Frame-Options (XFO)

• XSS Protection

• MIME type sniffing protection

Page 35: Securing your Rails application


Brakeman gem

Static analyzer for Rails vulnerabilities: it reads the source, no running application needed

> brakeman

+-------------------+---------+
| Scanned/Reported  | Total   |
+-------------------+---------+
| Controllers       | 17      |
| Models            | 11      |
| Templates         | 72      |
| Errors            | 0       |
| Security Warnings | 21 (12) |
+-------------------+---------+

(the number in parentheses is the count of high-confidence warnings)

+----------------------------+-------+
| Warning Type               | Total |
+----------------------------+-------+
| Cross Site Scripting       | 4     |
| Cross-Site Request Forgery | 1     |
| Denial of Service          | 2     |
| File Access                | 1     |
| Format Validation          | 1     |
| Mass Assignment            | 5     |
| Remote Code Execution      | 4     |
| SQL Injection              | 2     |
| Session Setting            | 1     |
+----------------------------+-------+
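What the warning types in the table correspond to in source, shown by a deliberately small pattern scanner. This is an added example and not Brakeman's code: each rule is a regular expression over one line of Ruby, and the controller and view it scans are constructed for the demo. Brakeman parses the AST and tracks data flow from params, which is why it catches cases this toy cannot (the User.order line below) and produces far fewer false positives.

```ruby
# Added example, not Brakeman's code: a small pattern scanner showing the
# kind of source constructs behind the warning types in the table above.
# The sample controller and view are constructed for the demo.
RULES = [
  ['SQL Injection',         /\b(?:where|order|find_by_sql|select|group|having)\s*\(\s*["'].*?#\{/],
  ['Remote Code Execution', /(?:\b(?:eval|instance_eval|class_eval|send|public_send)\b.*?params\[|params\[[^\]]+\]\.constantize)/],
  ['File Access',           /\bFile\.(?:open|read|readlines|write)\s*\([^)]*params\[/],
  ['Mass Assignment',       /\.(?:new|create|update_attributes|update)\s*\(\s*params\[:[a-z_]+\]\s*\)/],
  ['Cross Site Scripting',  /(?:\braw\s*\(?\s*params\[|params\[[^\]]+\]\.html_safe|<%==[^%]*params\[)/],
  ['Redirect',              /\bredirect_to\s*\(?\s*params\[/]
].freeze

# Scan one file's source line by line; returns one finding per rule hit.
def scan(source, filename = 'app.rb')
  findings = []
  source.each_line.with_index(1) do |line, lineno|
    next if line.lstrip.start_with?('#') # skip comment-only lines
    RULES.each do |type, pattern|
      findings << { type: type, file: filename, line: lineno, code: line.strip } if line =~ pattern
    end
  end
  findings
end

# Count findings per warning type, like the second Brakeman table.
def summarize(findings)
  findings.group_by { |f| f[:type] }.transform_values(&:size).sort.to_h
end

# Constructed controller with one instance of each pattern (and two safe lines).
SAMPLE_CONTROLLER = <<~'RUBY'
  class UsersController < ApplicationController
    def index
      @users  = User.where("name = '#{params[:name]}'")      # SQL Injection
      @sorted = User.order(params[:sort])                     # also injectable, but not caught by this toy
    end

    def create
      @user = User.new(params[:user])                         # Mass Assignment
      @safe = User.new(params.require(:user).permit(:name))   # strong parameters: fine
    end

    def export
      send_data File.read(params[:path])                      # File Access
    end

    def run
      @result = @user.send(params[:action_name])              # Remote Code Execution
      @klass  = params[:type].constantize                     # Remote Code Execution
    end

    def go
      redirect_to params[:next]                               # Redirect
    end
  end
RUBY

# Constructed ERB view: raw and <%== both bypass Rails' output escaping.
SAMPLE_VIEW = "<p><%= raw params[:bio] %></p>\n<p><%== params[:signature] %></p>\n"

def scan_demo
  summarize(scan(SAMPLE_CONTROLLER, 'users_controller.rb') + scan(SAMPLE_VIEW, 'show.html.erb'))
end
```

The fixes are the ones Brakeman's own warning pages describe: parameter binding (User.where(name: params[:name])), strong parameters, an allow-list of file names and of methods that may be called, and escaping output instead of marking it safe.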

Page 36: Securing your Rails application


codesake-dawn gem

Static code scanner

> dawn --rails .
13:37:54 [*] dawn v1.1.3 is starting up
13:37:54 [$] dawn: scanning .
13:37:54 [$] dawn: rails v4.1.1 detected
13:37:54 [$] dawn: applying all security checks
13:37:54 [$] dawn: 173 security checks applied - 0 security checks skipped
13:37:54 [$] dawn: 2 vulnerabilities found
13:37:54 [!] dawn: Owasp Ror CheatSheet: Session management check failed
13:37:54 [$] dawn: Severity: info
13:37:54 [$] dawn: Priority: unknown
13:37:54 [$] dawn: Description: By default, Ruby on Rails uses a Cookie based session store. What that means is that unless you change something, the session will not expire on the server. That means that some default applications may be vulnerable to replay attacks. It also means that sensitive information should never be put in the session.
13:37:54 [$] dawn: Solution: Use ActiveRecord or the ORM you love most to handle your code session_store. Add "Application.config.session_store :active_record_store" to your session_store.rb file.
13:37:54 [$] dawn: Evidence:
13:37:54 [$] dawn: In your session_store.rb file you are not using ActiveRecord to store session data. This will let rails to use a cookie based session and it can expose your web application to a session replay attack.
13:37:54 [$] dawn: {:filename=>"./config/initializers/session_store.rb", :matches=>[]}

Note: in Rails 4 the ActiveRecord session store lives in the separate activerecord-session_store gem, and the cookie store is signed and (with secret_key_base set) encrypted, so a cookie cannot be forged; the finding is about the server being unable to revoke a cookie once it has been issued.
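Why dawn flags the cookie store, as an added example that is not from codesake-dawn or from Rails: a signed cookie session carries its whole state on the client, so a captured cookie keeps working after the user logs out, whereas a server-side store can revoke it. The HMAC signing scheme is a simplified stand-in for Rails' own, and the secret, user id and cookie layout are constructed for the demo.

```ruby
# Added example, not from codesake-dawn or Rails: why dawn flags the cookie
# store. A signed cookie carries its whole state on the client, so a captured
# cookie keeps working after "logout"; a server-side store can revoke it.
# The signing scheme is a simplified stand-in for Rails' own, and the
# secret, user id and cookie layout are constructed for the demo.
require 'openssl'
require 'base64'
require 'json'
require 'securerandom'

# Cookie store: state lives in the cookie, the server only signs it.
class CookieStore
  def initialize(secret)
    @secret = secret
  end

  def login(user_id)
    payload = Base64.strict_encode64(JSON.generate('user_id' => user_id, 'iat' => Time.now.to_i))
    "#{payload}--#{sign(payload)}"
  end

  # Logout only asks the browser to drop the cookie; the server forgets
  # nothing because it never kept anything.
  def logout(_cookie)
    nil
  end

  def current_user(cookie)
    payload, sig = cookie.to_s.split('--', 2)
    return nil unless payload && sig && secure_equal?(sign(payload), sig)
    JSON.parse(Base64.strict_decode64(payload))['user_id']
  rescue ArgumentError, JSON::ParserError
    nil
  end

  private

  def sign(data)
    OpenSSL::HMAC.hexdigest('SHA256', @secret, data)
  end

  # Constant-time comparison so a forger cannot learn the MAC byte by byte.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

# Server-side store: the cookie is an opaque random id, state lives on the server.
class ServerStore
  def initialize
    @sessions = {}
  end

  def login(user_id)
    id = SecureRandom.hex(32) # a 256-bit random id is the whole cookie value
    @sessions[id] = { 'user_id' => user_id }
    id
  end

  def logout(cookie)
    @sessions.delete(cookie)
  end

  def current_user(cookie)
    @sessions.dig(cookie, 'user_id')
  end
end

# An attacker captured the cookie (for instance on the clear-text hop before
# the HTTPS redirect) and replays it after the victim logged out.
def replay_demo(store)
  cookie = store.login(42)
  stolen = cookie.dup
  store.logout(cookie)
  { replay_works: !store.current_user(stolen).nil? }
end

def session_demo
  {
    cookie_store: replay_demo(CookieStore.new(SecureRandom.hex(64))),
    server_store: replay_demo(ServerStore.new),
    # a cookie signed under another secret is rejected: replay, not forgery, is the issue
    forged: CookieStore.new('secret-a').current_user(CookieStore.new('secret-b').login(1))
  }
end
```

If you keep the cookie store, shorten the exposure instead: an expiry timestamp inside the session checked on every request, and a per-user token stored server-side that is rotated on logout and password change, which gives you most of the revocation the ActiveRecord store provides.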

Page 37: Securing your Rails application


gauntlt gem

• Describe attacks as Cucumber scenarios (Given/When/Then) that drive tools such as curl, nmap or sqlmap against the running application, and run them in CI like any other test

> gauntlt

Page 38: Securing your Rails application


Rugged DevOps

InfoSec + Dev + Ops = Rugged DevOps

http://ruggeddevops.org

https://www.ruggedsoftware.org

Page 39: Securing your Rails application


Code Monitoring tools

• https://codeclimate.com

• https://gemcanary.com

• https://gemnasium.com

Page 40: Securing your Rails application


Resources

• http://guides.rubyonrails.org/security.html

• https://www.owasp.org/index.php/Ruby_on_Rails_Cheatsheet

• https://www.ssllabs.com

• https://github.com/cryptosphere/rbnacl

• https://github.com/twitter/secureheaders

• http://brakemanscanner.org

• https://github.com/codesake/codesake-dawn

• http://gauntlt.org

Page 41: Securing your Rails application


Questions?

[email protected] @krof