1. Copyright (c) 2011, FireEye, Inc. All rights reserved. | CONFIDENTIAL ‹#›
Securing Your Rails
Application
Christophe Lucas
Mandiant, a FireEye Company
3. Copyright (c) 2014, FireEye, Inc. All rights reserved.
OpenSSL CVE-2014-0160 vulnerability
• Allows attacker to read unencrypted traffic
!
• Steal keys, usernames, passwords
!
• Programming mistake
4. Copyright (c) 2014, FireEye, Inc. All rights reserved.
New OpenSSL release to fix 6 bugs
• SSL/TLS MITM vulnerability (CVE-2014-0224)
• DTLS recursion flaw (CVE-2014-0221)
• DTLS invalid fragment vulnerability
(CVE-2014-0195)
• SSL_MODE_RELEASE_BUFFERS NULL
pointer dereference (CVE-2014-0198)
• SSL_MODE_RELEASE_BUFFERS session
injection or denial of service (CVE-2010-5298)
• Anonymous ECDH denial of service
(CVE-2014-3470)
5. Copyright (c) 2014, FireEye, Inc. All rights reserved.
OpenSSL?
• Open source implementation of the TLS
protocols, written in C
!
• SSL: Secure Socket layer
• TLS: Transport Layer Security
!
• The ’S’ in HTTPS
6. Copyright (c) 2014, FireEye, Inc. All rights reserved.
Transport Layer Security
• developed by Netscape
• 1995: SSL 2.0
• 1996: SSL 3.0
• 1999: TLS 1.0, RFC 2246
• 2006: TLS 1.1, RFC 4346
• 2008: TLS 1.2, RFC 5246
7. Copyright (c) 2014, FireEye, Inc. All rights reserved.
TLS handshake
Client Server
Client Hello
TLS version, cypher
Server Hello
TLS version, cypher
Public Key and certificate
Validate certificate
Client Finished
Encrypted with PK
Server Finished
Encrypted
TLS Record Protocol
9. Copyright (c) 2014, FireEye, Inc. All rights reserved.
How is my SSL?
• https://www.howsmyssl.com
• Version
• Ephemeral key support
• Session ticket support
• TLS compression
• Cypher suites
10. Copyright (c) 2014, FireEye, Inc. All rights reserved.
Secure Hash Algorithm
• 1993 SHA-0
• 1995 SHA-1, published by
• 2001 SHA-2, published by
• 2014 SHA-3 (Draft), published by
11. Copyright (c) 2014, FireEye, Inc. All rights reserved.
Use SSL/TLS
Credits: http://www.nsa.gov
12. Copyright (c) 2014, FireEye, Inc. All rights reserved.
Being Boring: A Survival Guide to Ruby
Cryptography
Crypto API
!
A bunch of crazy code written by
amateurs
Ruby OpenSSL
Credits: Tony Acieri - Rubyconf 2013
Not boring
13. Copyright (c) 2014, FireEye, Inc. All rights reserved.
Being Boring: A Survival Guide to Ruby
Cryptography
Crypto API
Crypto library written by
cryptographers
Boring
Credits: Tony Acieri - Rubyconf 2013
14. Copyright (c) 2014, FireEye, Inc. All rights reserved.
OpenSSL
Ruby NaCl
!
https://github.com/cryptosphere/rbnacl
15. Copyright (c) 2014, FireEye, Inc. All rights reserved.
Vulnerabilities
• Transport
• Rendering
!
=> secure the HTTP header
16. Copyright (c) 2014, FireEye, Inc. All rights reserved.
Secure session
• config/environments/production.rb
config.force_ssl = true
!
• Only send session cookie over secure
connection
!
• Adds secure attribute to Set-Cookie
17. Copyright (c) 2014, FireEye, Inc. All rights reserved.
Request - Response
Browser http:// https://
18. Copyright (c) 2014, FireEye, Inc. All rights reserved.
Request - Response
Browser http:// https://
19. Copyright (c) 2014, FireEye, Inc. All rights reserved.
Request - Response
Browser http:// https://
20. Copyright (c) 2014, FireEye, Inc. All rights reserved.
Request - Response
Browser http:// https://
21. Copyright (c) 2014, FireEye, Inc. All rights reserved.
Request - Response
Browser http:// https://
22. Copyright (c) 2014, FireEye, Inc. All rights reserved.
Session Hijacking (MITM)
Browser http:// https://Attacker
23. Copyright (c) 2014, FireEye, Inc. All rights reserved.
Session Hijacking
Browser http:// https://Attacker
24. Copyright (c) 2014, FireEye, Inc. All rights reserved.
Session Hijacking
Browser http:// https://Attacker
25. Copyright (c) 2014, FireEye, Inc. All rights reserved.
Prevent Attack
• Use HTTP Strict Transport Security (HSTS)
!
• Ensure that the browser only visits the
HTTPS version of the website
Strict-Transport-Security:
max-age=15768000 ; includeSubDomains
!
• no more redirect, eliminates the first
insecure roundtrip
26. Copyright (c) 2014, FireEye, Inc. All rights reserved.
Transport
• TLS: Transport Layer Security
• Secure Cookies
• HSTS: HTTP Strict Transport Security
27. Copyright (c) 2014, FireEye, Inc. All rights reserved.
Protect Cookie
Set-Cookie the_secure_cookie; Secure
<script>alert(document.cookie);</script>
!
HTTP only:
!
Set-Cookie the_cookie; Secure; HttpOnly;
!
Session cookies are HttpOnly by default
28. Copyright (c) 2014, FireEye, Inc. All rights reserved.
Content Security Policy
Whitelist content
!
Content-Security-Policy:
default-src 'self';
img-src 'self' data:;
media-src mediastream:;
script-src: ‘self’ https://example.com
29. Copyright (c) 2014, FireEye, Inc. All rights reserved.
Audit your CSP
!
Content-Security-Policy-Report-Only:
default-src 'self';
img-src 'self' data:;
media-src mediastream:;
script-src: ‘self’ https://example.com
30. Copyright (c) 2014, FireEye, Inc. All rights reserved.
Frame Option (XFO)
Prevent clickjacking
!
X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
X-Frame-Options: ALLOW-FROM https://
example.com/
31. Copyright (c) 2014, FireEye, Inc. All rights reserved.
XSS protection
Cross site scripting filter:
!
X-XSS-Protection: 1; mode=block
32. Copyright (c) 2014, FireEye, Inc. All rights reserved.
Prevent content sniffing
Prevent attacks based on MIME-type
confusion:
!
X-Content-Type-Options: nosniff
33. Copyright (c) 2014, FireEye, Inc. All rights reserved.
Rendering
• HttpOnly Cookies
• Content Security Policy
• Frame Options
• XSS protection
• Content Type Options
34. Copyright (c) 2014, FireEye, Inc. All rights reserved.
secure_headers gem
• https://github.com/twitter/secureheaders
• Content Security Policy (CSP)
• HTTP Strict Transport Security (HSTS)
• X-Frame-Options (XFO)
• XSS Protection
• MIME type sniffing protection
35. Copyright (c) 2014, FireEye, Inc. All rights reserved.
Brakeman gem
Static analyzer for vulnerabilities
> brakeman
+-------------------+---------+
| Scanned/Reported | Total |
+-------------------+---------+
| Controllers | 17 |
| Models | 11 |
| Templates | 72 |
| Errors | 0 |
| Security Warnings | 21 (12) |
+-------------------+---------+
!
+----------------------------+-------+
| Warning Type | Total |
+----------------------------+-------+
| Cross Site Scripting | 4 |
| Cross-Site Request Forgery | 1 |
| Denial of Service | 2 |
| File Access | 1 |
| Format Validation | 1 |
| Mass Assignment | 5 |
| Remote Code Execution | 4 |
| SQL Injection | 2 |
| Session Setting | 1 |
+----------------------------+-------+
36. Copyright (c) 2014, FireEye, Inc. All rights reserved.
codesake-dawn gem
static code scanner
> dawn --rails .
13:37:54 [*] dawn v1.1.3 is starting up
13:37:54 [$] dawn: scanning .
13:37:54 [$] dawn: rails v4.1.1 detected
13:37:54 [$] dawn: applying all security checks
13:37:54 [$] dawn: 173 security checks applied - 0 security checks skipped
13:37:54 [$] dawn: 2 vulnerabilities found
13:37:54 [!] dawn: Owasp Ror CheatSheet: Session management check failed
13:37:54 [$] dawn: Severity: info
13:37:54 [$] dawn: Priority: unknown
13:37:54 [$] dawn: Description: By default, Ruby on Rails uses a Cookie based session
store. What that means is that unless you change something, the session will not expire
on the server. That means that some default applications may be vulnerable to replay
attacks. It also means that sensitive information should never be put in the session.
13:37:54 [$] dawn: Solution: Use ActiveRecord or the ORM you love most to handle your
code session_store. Add "Application.config.session_store :active_record_store" to your
session_store.rb file.
13:37:54 [$] dawn: Evidence:
13:37:54 [$] dawn: In your session_store.rb file you are not using ActiveRercord to
store session data. This will let rails to use a cookie based session and it can expose
your web application to a session replay attack.
13:37:54 [$] dawn: {:filename=>"./config/initializers/session_store.rb", :matches=>[]}
37. Copyright (c) 2014, FireEye, Inc. All rights reserved.
gauntlt gem
• Build attacks with cucumber scripts
> gauntlt
!
38. Copyright (c) 2014, FireEye, Inc. All rights reserved.
Rugged DevOps
!
InfoSec + Dev +Ops
=
Rugged DevOps
!
http://ruggeddevops.org
!
https://www.ruggedsoftware.org
!
39. Copyright (c) 2014, FireEye, Inc. All rights reserved.
Code Monitoring tools
• https://codeclimate.com
• https://gemcanary.com
• https://gemnasium.com
40. Copyright (c) 2014, FireEye, Inc. All rights reserved.
Resources
• http://guides.rubyonrails.org/security.html
• https://www.owasp.org/index.php/Ruby_on_Rails_Cheatsheet
• https://www.ssllabs.com
• https://github.com/cryptosphere/rbnacl
• https://github.com/twitter/secureheaders
• http://brakemanscanner.org
• https://github.com/codesake/codesake-dawn
• http://gauntlt.org
41. Copyright (c) 2011, FireEye, Inc. All rights reserved. | CONFIDENTIAL ‹#›
Questions?
christophe.lucas@mandiant.com
@krof