Metasecurity: Beyond Patching Vulnerabilities
Chase Douglas, Immun.io
Anatomy of a security attack
Vulnerability Attacker
How to defend against vulnerabilities?
PHP: Over 24 vulnerabilities reported every year!
cvedetails.com
Rails: Over 7 vulnerabilities reported every year!
How fast can you spin this wheel?
Vulnerabilities sold remain private for an average of 151 days
The Known Unknowns - Stefan Frei - NSS Labs https://www.nsslabs.com/reports/known-unknowns-0
How many vulnerabilities are lurking, unfound?
How to defend against attackers?
Web Application Firewalls
Field Trip! Castle Gaillard
False Positives
Anatomy of a security attack
Vulnerability Attacker
Exploitation
Metasecurity: Blocking Exploitations
Exploitations
• SQL Injection
• Cross Site Scripting (XSS)
SQL Injection
Cross Site Scripting (XSS)
But I didn’t click on anything!
XSS
In someone else’s browser!
String.html_safe
Without html_safe: Escaped!
With html_safe: Not Escaped!
Rails Rendering: Start with an empty SafeBuffer
Buffer:
Rails Rendering: Append template after calling html_safe on it
Buffer: <head> <title>
Rails Rendering: Append expression result
Buffer: <head> <title><script>alert(1)</script>
I tried to inject <script>alert(1)</script> here!
Rails Rendering: Append template after calling html_safe on it
Buffer: <head> <title><script>alert(1)</script></title>
Rails Rendering: Append expression result
Buffer: <head> <title><script>alert(1)</script></title> <script src="/application.js"></script>
javascript_include_tag returned a SafeBuffer
Rails Rendering: Append template after calling html_safe on it
Buffer: <head> <title><script>alert(1)</script></title> <script src="/application.js"></script></head>
XSS
params => {id: 5}
params => {id: "<script>alert(1)</script>"}
Rendered HTML:
<div class="alert"> User id <script>alert(1)</script> does not exist</div>
How to Fix?
How to Fix XSS
How to Fix SQL Injection
• Check that args for all `Calculate` methods are actual table names
• Always use hashes or arrays when using `delete_all`/`destroy_all`/`where`
• Always use hashes when using `find_by`/`find_by!`
• Always convert user input to strings when passed to `exists?`
• Never pass user input to `group`/`joins`/`order`/`reorder`/`pluck`/`select`/`having`
• Don’t use `find` unless you are a security guru
• etc. etc.
“Once you’re done with that, can you audit all our dependencies too?”
“Can you teach everyone else about security?”
“All changes will be reviewed by the security team”
“It won’t be a bottleneck, we’ve got two security engineers”
Metasecurity Defense
Metasecurity for XSS
Should there be script tags here?
Metasecurity for XSS
• Wrap `html_safe` method
• If called from a known good location, like a Rails helper, let the string through unimpeded
• Otherwise, escape any <script> tags first
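The SafeBuffer rendering sequence above and the html_safe wrapper described in these bullets, carried through in Ruby as an added example. This is not code from the slides or from Immunio: the SafeBuffer and String methods are a simplified stand-in for ActiveSupport's behaviour, javascript_include_tag is a stand-in for the Rails helper, and the trusted-caller list plus the on/off switch on the guard are assumptions made for the example.

```ruby
require 'cgi'

# Simplified stand-in for ActiveSupport::SafeBuffer, written for this example
# (not Rails' code): appending a plain String HTML-escapes it, appending a
# value that is already marked html_safe does not.
class SafeBuffer < String
  def html_safe?
    true
  end

  def <<(value)
    super(value.html_safe? ? value.to_s : CGI.escapeHTML(value.to_s))
  end
end

class String
  def html_safe?
    false
  end

  # Marking a string html_safe is what lets it bypass escaping on append.
  def html_safe
    SafeBuffer.new(self)
  end
end

# Metasecurity wrapper around html_safe, as the slides describe: a call from a
# known good location passes through unimpeded, anything else has its <script>
# tags escaped first. Trusted-caller list and switch are assumptions here.
module HtmlSafeGuard
  TRUSTED_CALLERS = %w[javascript_include_tag].freeze
  SCRIPT_TAG = %r{</?script\b[^>]*>}i

  class << self
    attr_accessor :enabled
  end
  self.enabled = false

  def html_safe
    return super unless HtmlSafeGuard.enabled
    # caller_locations(1, 1) is the single frame that invoked html_safe.
    caller_name = caller_locations(1, 1).first&.base_label
    return super if TRUSTED_CALLERS.include?(caller_name)
    SafeBuffer.new(gsub(SCRIPT_TAG) { |tag| CGI.escapeHTML(tag) })
  end
end
String.prepend(HtmlSafeGuard)

# Stand-in for the Rails helper named on the slides; it returns a SafeBuffer.
def javascript_include_tag(path)
  %(<script src="#{path}"></script>).html_safe
end

# The rendering sequence from the slides: template text is appended after
# html_safe, expression results are appended as they are.
def render_head(title_expr)
  buffer = SafeBuffer.new("")
  buffer << "<head><title>".html_safe
  buffer << title_expr
  buffer << "</title>".html_safe
  buffer << javascript_include_tag("/application.js")
  buffer << "</head>".html_safe
  buffer
end

# The slides' alert message: user input interpolated and then marked html_safe,
# which is the bug that let the script tag through.
def alert_div(user_id)
  %(<div class="alert"> User id #{user_id} does not exist</div>).html_safe
end

if __FILE__ == $PROGRAM_NAME
  payload = "<script>alert(1)</script>"   # constructed sample input
  puts render_head(payload)               # plain String: escaped
  puts render_head(payload.html_safe)     # marked safe: not escaped
  puts alert_div(payload)                 # not escaped either
  HtmlSafeGuard.enabled = true
  puts render_head(payload.html_safe)     # guard escapes the script tags
  puts alert_div(payload)                 # same here
end
```

With the guard off, the two render_head calls reproduce the "Escaped!" and "Not Escaped!" cases; with it on, the javascript_include_tag output still passes because its caller is on the trusted list, while a html_safe call from anywhere else has its script tags escaped.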
Metasecurity for SQL Injection
Structure Eoknkno1
Structure Eoknkno1&1o1
Structure Eoknkno1;Tkn
How do we determine expected structures?
Every Query is Executed at the Top of a Call Stack
Match Call Stack to a Learned Structure
Eoknk
Verify Structure
Eoknk: Ok!
Eoknkno1&1o1: Bad!
Block and respond with 403
Expected Structure: Eoknk
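The learn-then-verify flow of the last few slides, as an added Ruby example that is not Immunio's implementation: a query is reduced to its structure (literals replaced by "?", a readable stand-in for the slides' letter encoding), the structure is learned under the call stack that executed the query, and a later query from the same call stack with a different structure is blocked and answered with 403. The execute, find_user and lookup_user functions are stand-ins for an adapter and an application, assumed for this example.

```ruby
# Metasecurity for SQL injection as the slides describe it, written for this
# example (not Immunio's code): structure per call stack, learned then verified.
module SqlStructureGuard
  class Blocked < StandardError; end   # the web layer turns this into a 403

  # String and numeric literals are the parts a request controls; everything
  # else is structure. Quoted strings may contain doubled quotes.
  LITERAL = /'(?:[^']|'')*'|\b\d+(?:\.\d+)?\b/

  @learned = {}
  @mode = :learn

  class << self
    attr_accessor :mode
    attr_reader :learned
  end

  # Structure of a query: literals become '?', whitespace and case normalised.
  def self.structure(sql)
    sql.gsub(LITERAL, '?').gsub(/\s+/, ' ').strip.downcase
  end

  # Key for a query: the method names of the call stack above the adapter.
  def self.stack_key(locations)
    locations.map(&:base_label)
  end

  # Learn mode records the structure seen for a new call stack; enforce mode
  # requires every query to match the structure learned for its call stack.
  def self.check!(sql, locations)
    key = stack_key(locations)
    actual = structure(sql)
    expected = @learned[key]
    if expected.nil?
      raise Blocked, "no learned structure for call stack #{key.inspect}" if @mode == :enforce
      @learned[key] = actual
      return :learned
    end
    return :ok if actual == expected
    raise Blocked, "expected #{expected.inspect}, got #{actual.inspect}"
  end
end

# Stand-in for a database adapter's execute: the guard runs before the query
# would be handed to the database.
def execute(sql)
  SqlStructureGuard.check!(sql, caller_locations(1))
  :executed
end

# Application code with a string-interpolated query, the pattern the slides'
# fix list warns against; kept as is so the guard has something to catch.
def find_user(id)
  execute("SELECT * FROM users WHERE id = #{id}")
end

# Request handler: a blocked query becomes a 403, as on the slides.
def lookup_user(id)
  find_user(id)
  200
rescue SqlStructureGuard::Blocked
  403
end

if __FILE__ == $PROGRAM_NAME
  SqlStructureGuard.mode = :learn
  lookup_user("5")                          # learns "select * from users where id = ?"
  SqlStructureGuard.mode = :enforce
  puts lookup_user("42")                    # same structure: 200
  puts lookup_user("5 OR 1=1")              # extra condition: 403
  puts lookup_user("5; DROP TABLE users")   # extra statement: 403
end
```

The structure function is the part that carries the security value: it keeps the query shape and discards everything a request can legitimately vary, so a changed shape is a changed query regardless of which literal was used to change it. Because the key is the full call stack, two call sites that issue different queries through the same adapter do not collide.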
Metasecurity
Vulnerability Attacker
Exploitation
Immunio is Metasecurity
Automatic protection against:
Cross Site Scripting
SQL Injection
Remote Command Execution
ShellShock
Open Redirects
Unauthorized File I/O
CSRF Tampering
Brute Force Authentication Attempts
HTTP Header Split
HTTP Method Tampering
Automated Scanners
And more…