yaml is the new eval


Upload: arnebrasseur

Post on 16-Apr-2017


YAML is the new eval

@plexus  github/arnebrasseur

09.02.2013 @rug_b

You need to think about security

I'm a Rails developer

I'm not a security expert

That's the point

You Should Be At Defcon 2 For Most Of February

http://bit.ly/you_will_be_compromised

Security

Many aspects: confidentiality, integrity, availability, authenticity

gem security?

Emergent Property: It's not a feature

Infinity Maxim: Limitless vulnerabilities, most unknown

Trade off: No such thing as 100% secure

Ignorance is bliss: If you believe you're safe, you can assume you're not.

Attack Surface: Your outer shell

Least Authority: Can't break what you can't reach

Constrained code

Positive security: Whitelist vs Blacklist

Rails Security

"Secure by default": XSS, CSRF, SQL escaping, etc.

Tasty Magic: Programmer happiness

People who use magic without knowing what they are doing usually come to a sticky end. All over the entire room, sometimes. ~ Terry Pratchett

What happened?

4 x Rails Vulnerability
Rubygems Hacked
Bonus: MySQL feature

Jan 2: CVE-2012-5664, SQL Injection Vulnerability

Post.find_by_id(id, opts = {})
Plain Old Dynamic Finder

Post.find_by_id(:select => sql)
I Can Haz Inject SQL?

Post.find_by_id(params[:id])
I Can Haz Inject SQL?

HashWithIndifferentAccess

Exploitable? Probably, but not trivially

AuthLogic
User.find_by_persistence_token(token)

CookieStore
session[:token] = {:select => "foo; DROP TABLE ; --"}

config.session.key
Do you know where your session key is at 4 o'clock in the morning?

Jan 8: CVE-2013-0155, Unsafe Query Generation

Foo.find_by_bar( [ nil ] )

JSON or XML payload

Result
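The two finder bugs above share a root cause: a request parameter that should be a scalar arrives as a Hash (the :select shape of CVE-2012-5664) or as an Array (the [nil] shape of CVE-2013-0155) and is handed to the finder unchecked. As an added illustration, not code from the talk or from Rails, the following Ruby applies the "positive security" rule from the earlier slides to such parameters: only the shapes a primary key or a filter value can legitimately take are accepted, everything else is refused before a query is built. BadParam, coerce_id, scalar_params and the sample request bodies are all constructed for this example.

```ruby
require 'json'

# Raised for any parameter that does not match the expected shape.
class BadParam < ArgumentError; end

# A primary key may arrive as an Integer or a decimal string; anything else
# (Hash, Array, nil, non-numeric text) is refused before it reaches the finder.
def coerce_id(param)
  case param
  when Integer
    raise BadParam, "id out of range: #{param}" unless param.positive?
    param
  when String
    unless param.match?(/\A[1-9]\d{0,17}\z/)
      raise BadParam, "id is not a decimal integer: #{param.inspect}"
    end
    param.to_i
  else
    raise BadParam, "id must be a scalar, got #{param.class}"
  end
end

# For a filter hash: keep only the allowed keys and require each value to be a
# plain String, so [nil] (the CVE-2013-0155 shape) and nested hashes (the
# CVE-2012-5664 :select shape) can never turn into query options.
def scalar_params(params, allowed_keys)
  params.slice(*allowed_keys).each_with_object({}) do |(key, value), out|
    raise BadParam, "#{key} must be a string, got #{value.class}" unless value.is_a?(String)
    out[key] = value
  end
end

# Convenience wrapper used by the demo and the checks below.
def classify(param)
  coerce_id(param)
  :accepted
rescue BadParam
  :rejected
end

# Constructed request bodies, in the shape a JSON (or XML) parser produces.
SAMPLES = {
  plain:       JSON.parse('{"id": "42"}'),
  hash_option: JSON.parse('{"id": {"select": "not a column list"}}'),
  nil_array:   JSON.parse('{"id": [null]}'),
}

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each { |label, body| puts "#{label}: #{classify(body['id'])}" }
end
```

The point is the type check, not the content of the string: a Hash or Array is rejected whatever it contains, and a string must be a plain decimal before it is converted, so the finder only ever sees an Integer.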

Jan 14: CVE-2013-0156, XML will deserialize YAML

THE BIG ONE
Who thought YAML in XML was a good idea anyway?

Never trust YAML
!ruby/hash:I::Am::In::Your::Objects
!ruby/object:Setting::Your::Ivars

!ruby/hash
Calls #[]=

!ruby/object
Calls instance_variable_set

ActionController::Routing::RouteSet::NamedRouteCollection

def add(name, route)
  define_named_route_methods(name, route)
end
alias []= add

def define_url_helper(route, name, kind, options)
  @module.module_eval
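To make the two tags concrete, here is an added Ruby example (not from the talk or from Rails) that loads a constructed document with Psych. The Setting and AuditedHash classes are hypothetical stand-ins: Setting for any application class, AuditedHash for a Hash subclass whose #[]= has side effects, like NamedRouteCollection's `alias []= add`. The full-power loader revives Setting via allocate plus instance_variable_set, so initialize never runs, and it drives every key/value pair through AuditedHash#[]=; YAML.safe_load refuses both tags unless the class is explicitly permitted.

```ruby
require 'yaml'

# Hypothetical application class (constructed for this example).
class Setting
  class << self; attr_accessor :initialized; end
  self.initialized = 0
  attr_reader :name, :value

  def initialize(name, value)
    self.class.initialized += 1   # never reached when Psych revives via !ruby/object
    @name, @value = name, value
  end
end

# Hypothetical Hash subclass with a side-effecting #[]=, standing in for
# NamedRouteCollection, where []= is aliased to add and ends in module_eval.
class AuditedHash < Hash
  def writes
    @writes ||= []
  end

  def []=(key, val)               # !ruby/hash:AuditedHash routes every pair through here
    writes << key
    super
  end
end

# Constructed untrusted document; in the Rails case it arrived inside XML.
UNTRUSTED_YAML = <<~YAML
  ---
  setting: !ruby/object:Setting
    name: debug
    value: true
  bag: !ruby/hash:AuditedHash
    first: 1
    second: 2
YAML

# Psych 4 (Ruby 3.1+) moved the full-power loader to unsafe_load; older Psych
# only has load, which behaves the same way.
def unsafe_load(yaml)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(yaml) : YAML.load(yaml)
end

# What the vulnerable path does: allocates Setting without calling initialize,
# sets its ivars from the mapping, and invokes AuditedHash#[]= for each key.
def load_untrusted_unsafely(yaml)
  doc = unsafe_load(yaml)
  {
    setting_class: doc['setting'].class,
    setting_name:  doc['setting'].name,
    setting_value: doc['setting'].value,
    initialized:   Setting.initialized,
    bag_class:     doc['bag'].class,
    bag_writes:    doc['bag'].writes,
  }
end

# The mitigation: safe_load raises for any tag naming a class not on the allowlist.
def load_untrusted_safely(yaml)
  YAML.safe_load(yaml)
  :loaded
rescue Psych::DisallowedClass
  :rejected
end

# Explicit allowlisting is the only way a class gets revived from untrusted input.
def load_with_allowlist(yaml, classes)
  YAML.safe_load(yaml, permitted_classes: classes)
end

if __FILE__ == $PROGRAM_NAME
  p load_untrusted_unsafely(UNTRUSTED_YAML)
  p load_untrusted_safely(UNTRUSTED_YAML)
  p load_with_allowlist(UNTRUSTED_YAML, [Setting, AuditedHash]).keys
end
```

The `permitted_classes:` keyword needs Psych 3.1 or later (Ruby 2.6+). The bag_writes result is what turns "calls #[]=" into code execution in the Rails case: whatever the document names as a key is handed to a method the attacker did not write but fully controls the input of.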