RailsConf 2014

Tales from the Crypt

by Aaron Bedra, Justin Collins, and Matt Konda

The video "Tales from the Crypt" is a presentation by three Rails security specialists, Aaron Bedra, Justin Collins, and Matt Konda, who walk the audience through a fictional but realistic scenario at a Rails shop, RubasL.com, to illustrate the security vulnerabilities developers run into in practice. The talk is built around practical advice on identifying, fixing, and preventing such issues, delivered as a narrative that keeps the material engaging.

Key points discussed include:
- Scenario Setup: The narrative begins with a hectic workday at a startup, where developers discover unusual customer orders and increasing user complaints, suggesting a security breach.
- Cross-Site Request Forgery (CSRF): The root cause turns out to be CSRF. A developer, hitting authenticity-token errors while building a new JavaScript order UI, had commented out the Rails forgery-protection callback (protect_from_forgery) on advice from Stack Overflow; a third-party meme site carrying injected JavaScript then fired order requests at the app's order endpoint, and each visiting customer's logged-in session made those requests succeed.
- Mass Assignment and SQL Injection: The talk then covers how unfiltered request parameters let an attacker exploit the database through SQL injection and reach sensitive user data.
- Password Management: The team finds the application hashing passwords with MD5, a fast general-purpose digest that is unsuited to password storage; the talk uses this to argue for proper password practices, meaning a slow, salted password hash such as bcrypt (which Rails' has_secure_password provides).
- Audit and Testing Tools: The presenters recommend tools like Brakeman for static analysis to catch vulnerabilities early in the development process and emphasize the importance of regular vulnerability scanning.
- Best Practices for Security: The discussion wraps up with suggestions on improving security through enhanced training, code reviews, and employing automated tools to ensure secure coding practices.
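The CSRF point above rests on how the Rails authenticity token actually works, so here is an added example (not code from the talk or from Rails itself) that models the check in plain Ruby with only the standard library: a per-session secret, a masked per-response token as Rails renders it, constant-time verification, and an order action with the protection switched on and off. The function names (session_token, masked_token, valid_token?, place_order), the session hash and the sample parameters are assumptions made for the illustration.

```ruby
require "securerandom"

# Added example, not from the talk or from Rails: a standard-library model of
# the Rails authenticity-token check. Function names, the session hash and the
# sample parameters below are assumptions made for the illustration.

TOKEN_LENGTH = 32

# Per-session secret; Rails keeps the real token in the session store.
def session_token(session)
  session[:_csrf_token] ||= SecureRandom.random_bytes(TOKEN_LENGTH)
end

def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack("C*")
end

# Token as rendered into a form or the csrf meta tag: Rails XORs the real
# token with a fresh random mask on each response, so the value differs per
# page while still unmasking to the same session secret.
def masked_token(session)
  mask = SecureRandom.random_bytes(TOKEN_LENGTH)
  [mask + xor_bytes(session_token(session), mask)].pack("m0")
end

# Constant-time equality so the comparison does not leak matching prefixes.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def valid_token?(session, submitted)
  return false unless submitted.is_a?(String)
  decoded = begin
    submitted.unpack1("m0")             # strict base64; raises on malformed input
  rescue ArgumentError
    return false
  end
  return false unless decoded.bytesize == 2 * TOKEN_LENGTH
  mask = decoded[0, TOKEN_LENGTH]
  masked = decoded[TOKEN_LENGTH, TOKEN_LENGTH]
  secure_compare(xor_bytes(masked, mask), session_token(session))
end

# Stand-in for the order action. protect_from_forgery is a flag here so the
# commented-out case from the talk can be run side by side with the default.
def place_order(session, params, protect_from_forgery: true)
  if protect_from_forgery && !valid_token?(session, params["authenticity_token"])
    return { status: 422, error: "ActionController::InvalidAuthenticityToken" }
  end
  { status: 200, ordered: params["sku"] }
end

def demo
  victim = {}                                  # a logged-in session (constructed)
  own_form = { "sku" => "doge-case", "authenticity_token" => masked_token(victim) }
  # A POST triggered from another origin: the browser attaches the victim's
  # session cookie, but the attacking page cannot read the token, so it is absent.
  forged = { "sku" => "doge-case" }
  {
    own_form: place_order(victim, own_form)[:status],
    forged_protected: place_order(victim, forged)[:status],
    forged_unprotected: place_order(victim, forged, protect_from_forgery: false)[:status]
  }
end
```

The forged request fails only because the token check runs: the session cookie travels with any cross-origin POST, and the same-origin policy is what stops the attacking page from reading a valid token out of the app's own pages. With the check disabled, the cookie alone is enough, which is exactly the situation in the talk. For a JavaScript-driven UI the fix is to send the token from csrf_meta_tags in the X-CSRF-Token header (jquery_ujs does this automatically), not to remove protect_from_forgery.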
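The mass-assignment and SQL-injection point above comes down to two ActiveRecord habits, whitelisting request parameters and binding values instead of interpolating them. The following is an added example, not code from the talk or from Rails, that models both in plain Ruby so the unsafe and safe forms can be run side by side without a database. permit, quote, bind_sql, the lookup functions, the ATTACK string and the sample parameters are assumptions made for the illustration.

```ruby
# Added example, not code from the talk or from Rails: a plain-Ruby model of
# strong-parameter whitelisting and placeholder binding. permit, quote,
# bind_sql, the lookup functions and the sample data are assumptions made
# for the illustration.

# Strong-parameters style: keep only the attributes the action intends to
# accept; anything else the client sends (admin, role, price...) is dropped.
def permit(params, *allowed)
  allowed = allowed.map(&:to_s)
  params.select { |key, _| allowed.include?(key.to_s) }
end

# Render one Ruby value as a SQL literal. String literals are delimited by
# single quotes, and an embedded quote is escaped by doubling it.
def quote(value)
  case value
  when Integer then value.to_s
  when nil then "NULL"
  else "'#{value.to_s.gsub("'", "''")}'"
  end
end

# Placeholder binding in the style of where("email = ?", email): the caller
# never splices user input into the statement text itself.
def bind_sql(template, *values)
  placeholders = template.count("?")
  unless placeholders == values.size
    raise ArgumentError, "#{placeholders} placeholders, #{values.size} values"
  end
  i = -1
  template.gsub("?") { quote(values[i += 1]) }
end

# The vulnerable pattern: request data interpolated straight into the query.
def lookup_user_unsafe(email)
  "SELECT * FROM users WHERE email = '#{email}'"
end

# The same query through the binder.
def lookup_user_safe(email)
  bind_sql("SELECT * FROM users WHERE email = ?", email)
end

# Constructed attacker input: closes the literal and appends a tautology.
ATTACK = "x' OR '1'='1"

def demo
  # Constructed request body: a profile update that also smuggles admin=true.
  params = { "email" => "alice@example.com", "name" => "Alice", "admin" => true }
  {
    permitted: permit(params, :email, :name),
    unsafe_sql: lookup_user_unsafe(ATTACK),
    safe_sql: lookup_user_safe(ATTACK)
  }
end
```

In the unsafe form the attacker's quote terminates the literal and the WHERE clause becomes a tautology that matches every row; in the bound form the same bytes stay inside one string literal. The quoting here follows the SQL standard (doubling single quotes) and is enough to show the mechanism, but production code should let the database driver or ActiveRecord do the binding, since dialects such as MySQL add backslash escapes and character-set rules of their own. The Rails 4 equivalent of permit is params.require(:user).permit(:email, :name).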
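The password-management point above can be made concrete: below is an added example, not code from the talk or from Rails, that puts the MD5 pattern the team found next to a salted, iterated password hash built from Ruby's OpenSSL binding. Rails' has_secure_password uses bcrypt, which is the better choice; PBKDF2 is used here only because it needs no extra gem. The function names, the record format and the iteration count are assumptions made for the illustration.

```ruby
require "digest"
require "openssl"
require "securerandom"

# Added example, not code from the talk or from Rails. Function names, the
# record format and the iteration count are assumptions for the illustration.

# What the talk found: one fast digest, no salt. Identical passwords produce
# identical hashes and precomputed tables apply directly.
def md5_store(password)
  Digest::MD5.hexdigest(password)
end

ITERATIONS = 100_000   # tuned so one hash costs tens of milliseconds
KEY_LENGTH = 32

# PBKDF2-HMAC-SHA256 with a random 16-byte salt, stored as a self-describing
# record so the iteration count can be raised later without invalidating old rows.
def pbkdf2_store(password, salt: SecureRandom.random_bytes(16), iterations: ITERATIONS)
  key = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations,
                                 length: KEY_LENGTH, hash: "sha256")
  ["pbkdf2-sha256", iterations, [salt].pack("m0"), [key].pack("m0")].join("$")
end

# Constant-time equality so the comparison does not leak matching prefixes.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def pbkdf2_verify(password, record)
  algorithm, iterations, salt_b64, key_b64 = record.split("$", 4)
  return false unless algorithm == "pbkdf2-sha256" && key_b64
  salt = salt_b64.unpack1("m0")
  expected = key_b64.unpack1("m0")
  actual = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations.to_i,
                                    length: expected.bytesize, hash: "sha256")
  secure_compare(actual, expected)
end

def demo
  # Constructed user table: two customers who happened to pick the same password.
  passwords = { "alice" => "correct horse", "bob" => "correct horse" }
  md5 = passwords.transform_values { |pw| md5_store(pw) }
  kdf = passwords.transform_values { |pw| pbkdf2_store(pw) }
  {
    md5_collides: md5["alice"] == md5["bob"],      # cracking one reveals both
    kdf_collides: kdf["alice"] == kdf["bob"],      # distinct salts, distinct records
    verify_ok: pbkdf2_verify("correct horse", kdf["alice"]),
    verify_wrong: pbkdf2_verify("correct hoarse", kdf["alice"])
  }
end
```

The two properties that matter are visible in demo's result: the MD5 column collides for users who share a password, so one cracked entry is worth many accounts, while the salted records differ even for identical passwords and each costs the attacker ITERATIONS HMAC computations per guess. Storing the algorithm and iteration count with the hash is what lets a team migrate away from a weak scheme on next login instead of forcing a mass reset.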

The video's underlying point is that while Rails ships with built-in protections, it falls to developers to keep them in place and to follow sound practices. The concluding message stresses continuous learning as threats evolve and encourages developers to address security proactively in their own code.

00:00:15.990 Hello, can you hear me now? Welcome to 'Tales from the Crypt.' Today's tale features RubasL.com, a growing startup that sells awesomely designed MacBook cases, like the one you're looking at.
00:00:27.480 The business has been brisk, with locally sourced fresh coffee flowing. However, last Monday brought more than just blinged-out MacBooks.
00:00:40.450 Little did our poor developers know how terrifying the day was going to be. It was the Monday before RailsConf at the RubasL headquarters in Chicago.
00:01:03.520 "Hey man, how was your weekend?" "It was okay, but we had a little outage. You know, we survived. Sorry, we got a couple of things to talk about at stand-up today, though. Oh cool!"
00:01:23.799 "Hey, I just got off the phone with a couple of customers, and they're telling me that they're getting laptops ordered that they never ordered, or they're receiving emails about laptops they never ordered. Man, people can be so stupid sometimes." "They probably just ordered something and forgot about it. Uh, wait, when did they say this happened?"
00:01:46.509 "They said the orders started coming in last night." "Oh well, we just updated the order UI. You know, we tested it pretty well, and I think it was reviewed by a lot of people, so I bet it's not a bug. I bet the problem exists between the keyboard and the chair."
00:02:01.119 "People have said that about me before, but I'm going to say that maybe it's not just that. Uh, why don't you take a look?" "Please, okay, sure, we'll get right on that."
00:02:19.540 "Hey, wait a minute! I'm getting more emails. There are lots of people having this issue; it looks like it may be more widespread than we initially thought. Can you take a look?" "I mean, I have a lot on my plate right now. We've got a release heading out, and I don't think this is that urgent. I mean, it only affects a couple of people."
00:02:46.690 "Well, based on the email I'm looking at, it’s up to like twenty, and I think this is a significant issue. Plus, all those orders have lots of items on them. It's not like they're ordering one case; they might be ordering five, ten, or twenty, so I want you to get on it." "I mean, okay fine, we'll take a look."
00:03:00.819 "All the tests are passing, and I’m clicking through. It looks like everything is working as expected. I don’t know what’s going on. Hey, can you give me the usernames of the people that were affected? Maybe I can take a look at their accounts." "Sure, let me just check my email here: it's [email protected], [email protected], and [email protected]."
00:03:18.670 "Oh, wait a minute, that's strange. All the user requests are coming from the same place. What is this? Wow, so dogememe.com? I guess that must be the common referrer here. I wonder what this means; looks like there are some credit card numbers in there too!"
00:03:36.430 "I mean, look at that! That's kind of funny. It’s the Doge meme!" "Yeah, oh come on, let’s not get distracted by some silly memes. Wait, hold on, what's going on? I didn't place an order. What? Um, okay, wait a minute, something really strange is going on! Everything looked fine until I visited this Doge meme site! I clicked through some images and all of a sudden, I got an order confirmation!"
00:03:54.190 "Okay, okay, this is strange. All these complaining users had this in common. Okay, I don’t know. Um, I’ll go into the site and look at the page source. Let’s see what they’re doing. Okay, let’s pull this up real quick and we’ll take a look."
00:04:19.870 "Um, hey, why is our domain in the JavaScript on the page? Um, that’s weird! That request is going to the order endpoint, but someone would have to be logged in to even complete that request. Yeah, that’s strange. Um, I’ll tell you what, let’s go over the last changes from the release to see if we missed something."
00:04:38.110 "Hey wait, wait who the hell did this?" "Uh, yeah that was me. I was having trouble setting up the new JavaScript UI. Every time I tried to process an order, I got some weird error about authenticity tokens or something, so I just looked on Stack Overflow, and they said to comment out this method. So I tried it, it worked, and I went with it." "Wait what? So did you figure it out?"
00:05:12.130 "Um, I mean, you could say we figured it out. That comment above the one you made? Yeah, that’s the thing that says 'don’t comment this out!' So, I mean, that little protection against CSRF is the thing that actually prevents what's happening right now! It looks like that site also had a cross-site scripting vulnerability, and somebody just pasted this in here to attack. Every time somebody views the page..."