Copyright (c) 2011, FireEye, Inc. All rights reserved. | CONFIDENTIAL ‹#›
Securing Your Rails Application
Christophe Lucas Mandiant, a FireEye Company
Copyright (c) 2014, FireEye, Inc. All rights reserved.
Heartbleed
Copyright (c) 2014, FireEye, Inc. All rights reserved.
OpenSSL CVE-2014-0160 vulnerability
• Allows attacker to read unencrypted traffic
!
• Steal keys, usernames, passwords
!
• Programming mistake
Copyright (c) 2014, FireEye, Inc. All rights reserved.
New OpenSSL release to fix 6 bugs
• SSL/TLS MITM vulnerability (CVE-2014-0224) • DTLS recursion flaw (CVE-2014-0221) • DTLS invalid fragment vulnerability
(CVE-2014-0195) • SSL_MODE_RELEASE_BUFFERS NULL
pointer dereference (CVE-2014-0198) • SSL_MODE_RELEASE_BUFFERS session
injection or denial of service (CVE-2010-5298) • Anonymous ECDH denial of service
(CVE-2014-3470)
Copyright (c) 2014, FireEye, Inc. All rights reserved.
OpenSSL?
• Open source implementation of the TLS protocols, written in C !
• SSL: Secure Socket layer • TLS: Transport Layer Security !
• The ’S’ in HTTPS
Copyright (c) 2014, FireEye, Inc. All rights reserved.
Transport Layer Security
• developed by Netscape
• 1995: SSL 2.0
• 1996: SSL 3.0
• 1999: TLS 1.0, RFC 2246
• 2006: TLS 1.1, RFC 4346
• 2008: TLS 1.2, RFC 5246
Copyright (c) 2014, FireEye, Inc. All rights reserved.
TLS handshake
Client ServerClient Hello TLS version, cypher
Server Hello TLS version, cypher
Public Key and certificateValidate certificate
Client Finished Encrypted with PK
Server Finished Encrypted
TLS Record Protocol
Copyright (c) 2014, FireEye, Inc. All rights reserved.
HTTP Secure
Copyright (c) 2014, FireEye, Inc. All rights reserved.
How is my SSL?
• https://www.howsmyssl.com
• Version
• Ephemeral key support
• Session ticket support
• TLS compression
• Cypher suites
Copyright (c) 2014, FireEye, Inc. All rights reserved.
Secure Hash Algorithm
• 1993 SHA-0
• 1995 SHA-1, published by
• 2001 SHA-2, published by
• 2014 SHA-3 (Draft), published by
Copyright (c) 2014, FireEye, Inc. All rights reserved.
Use SSL/TLS
Credits: http://www.nsa.gov
Copyright (c) 2014, FireEye, Inc. All rights reserved.
Being Boring: A Survival Guide to Ruby Cryptography
Crypto API
!A bunch of crazy code written by
amateurs
Ruby OpenSSL
Credits: Tony Acieri - Rubyconf 2013
Not boring
Copyright (c) 2014, FireEye, Inc. All rights reserved.
Being Boring: A Survival Guide to Ruby Cryptography
Crypto API
Crypto library written by cryptographers
Boring
Credits: Tony Acieri - Rubyconf 2013
Copyright (c) 2014, FireEye, Inc. All rights reserved.
OpenSSL
Ruby NaCl !
https://github.com/cryptosphere/rbnacl
Copyright (c) 2014, FireEye, Inc. All rights reserved.
Vulnerabilities
• Transport
• Rendering
!
=> secure the HTTP header
Copyright (c) 2014, FireEye, Inc. All rights reserved.
Secure session
• config/environments/production.rb config.force_ssl = true !
• Only send session cookie over secure connection !
• Adds secure attribute to Set-Cookie
Copyright (c) 2014, FireEye, Inc. All rights reserved.
Request - Response
Browser http:// https://
Copyright (c) 2014, FireEye, Inc. All rights reserved.
Request - Response
Browser http:// https://
Copyright (c) 2014, FireEye, Inc. All rights reserved.
Request - Response
Browser http:// https://
Copyright (c) 2014, FireEye, Inc. All rights reserved.
Request - Response
Browser http:// https://
Copyright (c) 2014, FireEye, Inc. All rights reserved.
Request - Response
Browser http:// https://
Copyright (c) 2014, FireEye, Inc. All rights reserved.
Session Hijacking (MITM)
Browser http:// https://Attacker
Copyright (c) 2014, FireEye, Inc. All rights reserved.
Session Hijacking
Browser http:// https://Attacker
Copyright (c) 2014, FireEye, Inc. All rights reserved.
Session Hijacking
Browser http:// https://Attacker
Copyright (c) 2014, FireEye, Inc. All rights reserved.
Prevent Attack
• Use HTTP Strict Transport Security (HSTS) !
• Ensure that the browser only visits the HTTPS version of the website
Strict-Transport-Security: max-age=15768000 ; includeSubDomains !
• no more redirect, eliminates the first insecure roundtrip
Copyright (c) 2014, FireEye, Inc. All rights reserved.
Transport
• TLS: Transport Layer Security
• Secure Cookies
• HSTS: HTTP Strict Transport Security
Copyright (c) 2014, FireEye, Inc. All rights reserved.
Protect Cookie
Set-Cookie the_secure_cookie; Secure <script>alert(document.cookie);</script> !HTTP only: !Set-Cookie the_cookie; Secure; HttpOnly; !Session cookies are HttpOnly by default
Copyright (c) 2014, FireEye, Inc. All rights reserved.
Content Security Policy
Whitelist content !Content-Security-Policy: default-src 'self'; img-src 'self' data:; media-src mediastream:; script-src: ‘self’ https://example.com
Copyright (c) 2014, FireEye, Inc. All rights reserved.
Audit your CSP
!Content-Security-Policy-Report-Only: default-src 'self'; img-src 'self' data:; media-src mediastream:; script-src: ‘self’ https://example.com
Copyright (c) 2014, FireEye, Inc. All rights reserved.
Frame Option (XFO)
Prevent clickjacking !X-Frame-Options: DENY X-Frame-Options: SAMEORIGIN X-Frame-Options: ALLOW-FROM https://example.com/
Copyright (c) 2014, FireEye, Inc. All rights reserved.
XSS protection
Cross site scripting filter: !X-XSS-Protection: 1; mode=block
Copyright (c) 2014, FireEye, Inc. All rights reserved.
Prevent content sniffing
Prevent attacks based on MIME-type confusion: !X-Content-Type-Options: nosniff
Copyright (c) 2014, FireEye, Inc. All rights reserved.
Rendering
• HttpOnly Cookies
• Content Security Policy
• Frame Options
• XSS protection
• Content Type Options
Copyright (c) 2014, FireEye, Inc. All rights reserved.
secure_headers gem
• https://github.com/twitter/secureheaders
• Content Security Policy (CSP)
• HTTP Strict Transport Security (HSTS)
• X-Frame-Options (XFO)
• XSS Protection
• MIME type sniffing protection
Copyright (c) 2014, FireEye, Inc. All rights reserved.
Brakeman gem
Static analyzer for vulnerabilities > brakeman
+-------------------+---------+ | Scanned/Reported | Total | +-------------------+---------+ | Controllers | 17 | | Models | 11 | | Templates | 72 | | Errors | 0 | | Security Warnings | 21 (12) | +-------------------+---------+ !+----------------------------+-------+ | Warning Type | Total | +----------------------------+-------+ | Cross Site Scripting | 4 | | Cross-Site Request Forgery | 1 | | Denial of Service | 2 | | File Access | 1 | | Format Validation | 1 | | Mass Assignment | 5 | | Remote Code Execution | 4 | | SQL Injection | 2 | | Session Setting | 1 | +----------------------------+-------+
Copyright (c) 2014, FireEye, Inc. All rights reserved.
codesake-dawn gem
static code scanner > dawn --rails . 13:37:54 [*] dawn v1.1.3 is starting up 13:37:54 [$] dawn: scanning . 13:37:54 [$] dawn: rails v4.1.1 detected 13:37:54 [$] dawn: applying all security checks 13:37:54 [$] dawn: 173 security checks applied - 0 security checks skipped 13:37:54 [$] dawn: 2 vulnerabilities found 13:37:54 [!] dawn: Owasp Ror CheatSheet: Session management check failed 13:37:54 [$] dawn: Severity: info 13:37:54 [$] dawn: Priority: unknown 13:37:54 [$] dawn: Description: By default, Ruby on Rails uses a Cookie based session store. What that means is that unless you change something, the session will not expire on the server. That means that some default applications may be vulnerable to replay attacks. It also means that sensitive information should never be put in the session. 13:37:54 [$] dawn: Solution: Use ActiveRecord or the ORM you love most to handle your code session_store. Add "Application.config.session_store :active_record_store" to your session_store.rb file. 13:37:54 [$] dawn: Evidence: 13:37:54 [$] dawn: In your session_store.rb file you are not using ActiveRercord to store session data. This will let rails to use a cookie based session and it can expose your web application to a session replay attack. 13:37:54 [$] dawn: {:filename=>"./config/initializers/session_store.rb", :matches=>[]}
Copyright (c) 2014, FireEye, Inc. All rights reserved.
gauntlt gem
• Build attacks with cucumber scripts > gauntlt !
Copyright (c) 2014, FireEye, Inc. All rights reserved.
Rugged DevOps
!InfoSec + Dev +Ops
= Rugged DevOps
!http://ruggeddevops.org
!https://www.ruggedsoftware.org
!
Copyright (c) 2014, FireEye, Inc. All rights reserved.
Code Monitoring tools
• https://codeclimate.com
• https://gemcanary.com
• https://gemnasium.com
Copyright (c) 2014, FireEye, Inc. All rights reserved.
Resources
• http://guides.rubyonrails.org/security.html
• https://www.owasp.org/index.php/Ruby_on_Rails_Cheatsheet
• https://www.ssllabs.com
• https://github.com/cryptosphere/rbnacl
• https://github.com/twitter/secureheaders
• http://brakemanscanner.org
• https://github.com/codesake/codesake-dawn
• http://gauntlt.org
Copyright (c) 2011, FireEye, Inc. All rights reserved. | CONFIDENTIAL ‹#›
Questions?
[email protected] @krof