Gem security updates, AWS auditing & password hash hacking: Rails ? digest #25

Hacker, Hack Thyself

A good read about the worst-case scenario, stolen password hashes. A rate of 600 passwords in 3 weeks seems to be possible even with slow algorithms.

Free tools for auditing the security of an AWS account

Comparing several authentication approaches and their security

Safari will soon come with an Intelligent Tracking Prevention to prevent privacy violations by advertisers and their tracking cookies.

Understanding the prevalence of web traffic interception

4-10% of encrypted web traffic is intercepted. Not all these interceptions are malicious. Antivirus solutions, firewalls perform interception mostly by installing their own certificate on the user’s machine. But the interception affects security due to basic cryptographic mistakes. Between 16-37% of the outgoing connections are easily vulnerable to man-in-the-middle attacks.

Want to add tests for your cookie and session flags?

 Security updates
All RabbitMQ versions before 3.6.9 have several XSS vulnerabilities and a medium one

The mail gem was vulnerable to header injection in versions < 2.5.5. All 2.6 versions were not vulnerable due to a bug. Install 2.6.6 to get the fix for the vulnerability.

New Apache HTTP Server Release Fixes Authentication Bypass, Denial-of-Service Flaws

Rails and web security reading list ?  #24

New Rails 5.1 came out recently

It includes encrypted secrets and supports JS package mangers for easier updates. That’s important too because of JS vulnerabilities.

New version for authorization framework CanCanCan

Check and update your SSH keys with this easy command

Which security implications of the Serverless approach are better or worse?

And another post about serverless security issues

Replacing Disqus with Github Comments for less load time and far less tracking

Don’t repeat these 2FA design mistakes

Another Rails security checklist with a few bits

CloudFlare introduced TLS client-side authorization

Check your nginx config for security issues

Security Updates

PostgreSQL security update

Rails and web security digest ⚡ #23

CodeBuild, Brakeman, and CodePipeline

How to set up AWS CodeBuild (a CI server) to run brakeman

Login/logout CSRF: Time to reconsider?

Login/logout CSRF: Time to make them non­-GET routes (you probably have already)

Rails GEMS Vulnerable to CSRF Show Vulnerability Disclosure in Open-Source Projects Needs a Re-Think

Content-Security-Policy Hackerone bypass

Check the popularity, maintenance and maturity of gems before using

Validation, Database Constraint, or Both?

Vulnerabilities

Update jQuery UI to 1.12.0

Rails and web application security ? Sunday #22

Upcoming Rails 5.1 will contain encrypted secrets
The feature came in with this pull request and was inspired by the sekrets gem. This allows you to commit encrypted production secrets. The encryption happens using a master key which will live in an env var (production). Or in a git-ignored file (development). This video explains the process.
This Slack hack shows how not to use addEventListener and postMessage
They fixed it within 5 hours, but the pitfalls of the JS postMessage API might live in your code, as well. In short: Specify which origin may receive the message and validate the origin on the other side.

Used to Rails’ security? Check your plain Ruby code using Net::HTTP

The long discussion here makes clear (again) that we’ve to take good care of user input and Net::HTTP. Hint: Line breaks lead to HTTP header injection.

What about security if SSL/TLS fails?

The recent memory leak in Cloudflare showed various secrets to random visitors of these sites. Also, read these pragmatic thoughts about #Cloudbleed.
But 1Password shows us how important it is to think about the worst-case scenario. They use a Secure Remote Password protocol where the client and server prove their identity to each other.

Google introduces the invisible reCaptcha

Time to finally stop using SHA1

But also read the pragmatic thoughts of Linus Torvalds about the matter.

Safer debugging, postmortem and security reading list ? #22

Lots of web application security articles last week again. So here are the most interesting ones.

  • Phillip shares a way to color­-code the PRY console in a production environment. He always has 2 debugging consoles open side by side. One in production and one in development. You know what can happen.
  • A good example of a postmortem for the Gitlab disaster,  including the issue tickets. Similar steps might  be needed after a security incident.
  • The Mozilla Security Bytes podcast starts with an episode on the Content­Security­-Policy.
  • If you’re using Docker, there are now Docker secrets.
  • And did you ever write a commit message “remove password”? You’re not alone. Don’t use it again, it might be a public repository.

Security updates

These friends of Rails saw security updates last week:

  • Jenkins released new versions after fixing several security issues, including a high one.

Web application and Rails security reading list #21

Oh this, „… is the closest I’ve ever come to falling for a Gmail phishing attack.“, shows a real clever attack. An embedded fake attachment image sends you to a data:text/html address. The first part of it then is a plausible-looking Google URL. And only after lots of spaces, it actually loads the phishing site in an iframe. A lot to watch out for in 2017. Including this:

A short story about how encryption can go very wrong with a (Ruby) workflow we’re all guilty of using.

The ongoing Content-Security-Policy journey at Github.

This time focusing on images and dangling markup. That’s when an attacker injects an <img> tag without closing it to extract the HTML of the rest of the page.

A new two-factor authentication lockout recovery process at Github: Using Facebook

 The HTTPS-traffic via Firefox is now over 50% for the first time

There are now „Not Secure“ warnings for insecure pages with password and credit card input fields in Chrome and Firefox 51.

 Mozilla’s coding and security checklist for their services

Ransom attacks turn to web apps, check your MongoDB, Elasticsearch, Redis, Cassandra, Hadoop

Rails security reading list, vulnerabilities and browser news (? edition)

Welcome! Also in 2017 we want to find the right mix of security information, vulnerabilities in Rails’ friends and browser news. Let’s see what was interesting this week:

Several ‘exotic’ security HTTP headers tested

Saves you some time to try out all configuration options.

Invisible Captcha: Spam protection gem

It’s based on the honeypot strategy. That means you know it’s a spam bot if the invisible field is filled out.

Another Rails security checklist

CSRF vulnerability in rails_admin gem

Tool to detect TLS/SSL vulnerabilities and versions

This is probably only useful if you can’t use the Qualys SSL Server Test. For example in a restricted environment.

Version handling differences between RubyGems and npm

If you’re using both Node and Ruby, you might find this guide interesting.

New Content-Security-Policy (CSP) directive require-sri-for coming to Chrome

Subresource Integrity (SRI) is a mechanism by which user agents may verify that fetched scripts/styles have been delivered without manipulation. This CSP directive allows developers to require SRI for certain types of resources.

Important security updates

[ImageMagick] Critical buffer overflow vulnerability before version 7.0.2-7.
There were also several memory problems in the versions before.

(Rails) security reading list and updates #19

This issue includes for the first time important security updates for Rails’ friends. I’ll include products that we use alongside Rails, for example nginx, Mysql, Redis. Products that have an automatic updater aren’t worth mentioning. Let’s get started with this weeks interesting (Rails) security articles:

Distrusting New WoSign and StartCom Certificates

Email Security – SPF

Protecting from XSS with Rails’ sanitize()

A video introduction to Rails’ sanitize(). While you might already know it, he also looks at how it’s useful against Javascript links in user profiles.

Rails API – throttling with Rack::Attack

An introduction to Rack::Attack and how to throttle requests.

How to quickly audit a Linux system from the command line

Be afraid of HTTP Public Key Pinning (HPKP)

Http Public Key Pinning went wrong for a major site.

Enforcing content security by default within Firefox

If you’re interested in the security internals of browsers, this will be for you. So this is how Firefox now centralizes all content security checks.

Observatory by Mozilla

A central place for all kinds of security checks: TLS, HTTP security headers, HSTS configuration.

Important security updates

[Gitlab] There were several important security update in the past for Gitlab.

[Mysql] Several critical security updates in a massive “Oracle Critical Patch Update Advisory”

[Memcached] Very critical vulnerabilities that allow for remote code execution

? Rails security update #18

Did you see the Bundler vulnerability recently? It seems Bundler switches to a different source every time it sees a new one in a Gemfile. Even if that source was only for one gem. So Bundler might load gems from unexpected sources. You’ve got that source in your Gemfile, so you already trust it to some extent. But we should probably use the several source blocks as described in the original blog post. And now for something completely different:

Exploiting CORS Misconfigurations for Bitcoins and Bounties

Some Cross-Origin Resource Sharing (CORS) misconfiguration misconceptions

Is Your Site Leaking Password Reset Links?

Password Reset URLs may be leaked to third-party tools via the Referer header. Fix this on your site if you care about a second layer of defense.

CSP Mitigator

A Content-Security-Policy test tool to come up with the best policy in the first place. By Google.

Rails and web security digest #17

Since Let’s Encrypt started, the adaption of HTTPS picked up speed. In Firefox the percentage of HTTPS page loads is now at 42%. Browsers also campaign for it. More & more of them mark forms with sensitive information as insecure. More about this in today’s interesting security news:

Ruby method and class injection

Injecting Ruby method and class names. This is a pretty frequent „guest“ in my security code audits, so I wrote about it.

Is HTTP Public Key Pinning dead?

Opinion by Ivan Ristić about HTTP Public Key Pinning (HPKP) being too complicated and dangerous to implement.

Storing Passwords in a Highly Parallelized World

As password cracking methods get faster & faster, it might be time to move from bcrypt to Argon2. Ruby gem.

Authorization with Pundit

Reshaping web defenses with strict Content Security Policy

Interesting new tools and research about Content-Security-Policy

Is your database affected by CVE-2016-6662?

Are you affected by the latest MySQL critical vulnerability?

Two Factor Authentication

Screencast on how to add 2FA to your application

Moving towards a more secure web

Also Chrome will mark login screens as insecure if served over plain HTTP.