Yeah, so, uh, yeah, I talk a lot, but I talk kind of low, so... So you can see up here. This is actually, I think, Banksy tweeted this, or it's from the Banksy account. This is something that I don't abide by. I kind of tell people everything about myself and everything that I know, and as far as security goes, I pretty much talk a lot. You can ask anybody that works with me.

So first of all, I'm passionate about a couple of things. I'm passionate about food, you can probably tell. I'm passionate about Ruby, security, and just all kinds of other things. But one of the things that we do, we're an Austin-based company. I live here. I live in Round Rock, but we work downtown, and so one of the things we love to do at vThreat is we're touring all the food establishments in Austin. Last night we had a speaker dinner and it was amazing. So if you haven't checked out this place, this place was pretty awesome. My man Alex is here with vThreat. We got to check out this place, Alex. This place was awesome. So it was great.

So a little bit about myself. One of the first rules of being a speaker is you want to establish credibility, so I'm gonna tell you a little bit about myself. It's gonna be like a history of Marcus real quick. When I was 18 years old... I'm from a small, small town called Marlin, Texas. Anybody ever heard of Marlin in here? Yeah, so it's a real small town, about 2,000 people. So I joined the Navy when I was 18. I worked crypto. So I worked for NSA for eight years, and I worked at DIA, Defense Cyber Crime Center. All these places are either spy places or trying to catch spies. So I worked at CSE. CSE is a big federal contractor. There I trained federal agents how to catch hackers. I worked at CMS. This is important because the last ... whenever doing the whole Fire cell thing, that was actually that facility. I was securing a facility.
I was a senior security guy there. So how I got to Austin is I worked for this company called Rapid7. I know we probably have some Rapid7 people in the house. It's a Ruby shop. And then after I left Rapid7, I started just in the wilderness, trying to do security myself and trying to help people out. So there's a lot of consulting, but over time, all these years, I've been doing security about 20 years, either securing or breaking into stuff, or stealing people's communications, reading all your emails, all that stuff.

Besides that, over all those years I noticed that nothing's really changed, right? So this is a bicycle. This is like a vintage bicycle, and I think it's like security and pretty much everything: no matter what's happening over time, security is still the same, and the most important thing that people want to do is they want to try to keep stuff confidential, like confidential information. You know, if you write code, some of you guys write platforms, some of you guys do in-house development, so the most important thing is confidentiality, probably to most of you guys.

So what's going to happen here is, at the end of this, I'm gonna tempt the demo gods and I'm gonna try to do a demonstration of me hacking a Rails app. So I wrote a Rails app, and actually I've gotten paid before to hack Rails apps as well, trying to break into apps for people. So I wrote an app. This app has a lot of stuff that I see, you know, the current problems that I see a lot of developers do. I've seen senior developers, firms, I've seen people that are learning Rails make these same mistakes.
So you're gonna see a little bit. So, as I said, I'm also passionate about being an entrepreneur, and all the developers in here, if you want to start a company, I would like to talk about this a little bit, because I like Rails, I like Ruby, because it allowed me to, you know, create my company and all that stuff. So after I left Rapid7, I said I was wandering around the wilderness. I wrote all kinds of hacker tools. So a lot of hackers, like, they think I'm cool. When you write hacker tools, what happens is sometimes you have good guys and sometimes you have bad guys use your stuff. You really can't control it. So a lot of people like me, and it's kind of weird, because on Twitter I got black hats following me and stuff. It's kind of awkward.

So anyway, I went through an accelerator. I went to an accelerator in Virginia, and this is the entrepreneur bit. So I just want to say the Ruby, the Rails community has really been awesome, because it allowed me to start my company. So we did a total Rails-based app, and this is how our app looks. Excuse me. So this is all built in Ruby on Rails. We use Sinatra. So we're a heavy Ruby shop, and also I was told to say that we're going to be looking for a senior Rails, a Ruby dev, at vThreat.
So that's a plug. But the thing is, like, this is a beautiful web app. So what we do at vThreat is we imitate attackers on networks. So, you know, I'm trying to give to people, like, you know, what we call blue teamers in the security community, something to imitate bad guys in our network. And also, like I said, at the end of this I'm gonna show you a demo to see how people hack Rails apps. Also in the talk I'm gonna give you plenty of tips and tools to use to help try to secure your Rails applications.

So a shout out to Heroku. We host our stuff on Heroku, and this is relevant because I'm gonna tell you how we kind of secure our stuff. Because at the end of the day, information wants to be free, and you know, you heard that, probably, Richard Stallman said that a long time ago. You're going to get hacked. You just need to notice when it happens. So in order to determine if you've been hacked or not, you need to log all the things. So log everything, and since we're on Heroku, we use Papertrail, and we use Papertrail logs. We log errors and all those things.

So I'm gonna get real heavy into tips, and I'm gonna get into a demo. Another tip: anybody heard about Let's Encrypt yet? All right, sweet. So that's pretty hot. Anybody mess around with Burp? A couple of people. I'm gonna do a Burp demo to show you how people will, or try to, hack your apps. Is that proxy ZAP? So Burp is a proxy. Let me tell you a little bit about it. It's a proxy. It helps attackers break into your Rails apps, to manipulate parameters, manipulate all kinds of things in order to try to hack into your apps. There's ZAP. ZAP is a free, open source one. So Burp is pretty cheap. It's like 300 bucks.
But the importance of all these tools is, I'm trying to give you the tools, I'm just trying to show you what attackers are using, so it would be wise for you to try to play around with these things. Now, I'm not saying your whole team has to be proficient, but you should have a couple of people on your team playing with these things. That's a free tool. So there's also another tool called Nikto. It's written in Perl, which is kind of like blasphemy for a Ruby conference, but Nikto does enumeration. It looks at your certificates. It tries to, you know, brute force logins. It tries to do all kinds of stuff. It's free, so check it out.

How many people use Brakeman? It's pretty cool. How many people are using Brakeman Pro? So if you haven't heard about Brakeman Pro, you need to check it out. It's like the same, you know, base open source platform. It's pretty hot. This is actually... so I created an app and I ran Brakeman against it, and it says I had all these vulnerabilities. There's detail about the vulnerabilities, and this is cool just to do the basic, you know, housekeeping of your Rails apps, right? Right here. So right here I had all these vulnerabilities. You see I'm running an out-of-date version of Rails. So I'll go to the Rails site: hey, what's the new version? I get the new gem, and so now I only have one problem, and that problem is I have this key in here, and you shouldn't put that in a repo. That's something I wouldn't necessarily change on my side, but I wouldn't upload that to my repo.

So also there's bundler-audit. How many people have used this before? You need to be getting into it. So hopefully, if you could, I don't know, you could take some notes, but these tools, this is free.
These are the things you should be doing to your Rails apps. There's also gemcanary. It uses a combination of some of those things. So what I'm going to get into is a little bit of the Gemfile and things that I use, and we use at vThreat, to try to keep our stuff secure. So right here, a couple of important things. This Devise password gem right here... I'm terrible at names. I'm from Texas, so forgive me. I'm a native Texan. I come from the George W. Bush school of pronouncing stuff. So whatever that is right there, that's pretty good for password strength. It prevents people from putting in terrible passwords. It's almost too hard, really. It's a challenge for us, it's a challenge for me to remember my passwords. I use 1Password for passwords, though. There's devise_security_extension. It helps you do all kinds of policy. So if you're doing enterprise, especially if you're trying to sell to big customers, that's a great, great gem. And the gem that we found, this is kind of funny, because I'm always in customer meetings, and this is what I love so much about the Ruby community. So I was in a customer meeting in Dallas. The customer is like, hey, do you guys do two-factor authentication? And I was like, dang it, we don't have that in yet. So I drove back down to Austin to our office and I was like, oh, there's a gem for that. Cool. It's like "there's an app for that," right? So I hooked it up, we styled it, and, you know, called the customer: hey, we got two-factor authentication now. Beautiful stuff.

So what am I talking about? Quick, quick, about the user model. So this is going to get a little bit geeky, but this is like basic stuff. So looking into the user model, I try to tell people, and this is how we do stuff at vThreat, and since I've looked at... I've done web app assessments. I've looked at people's source code. I've been paid to look at people's source code.
And so these are the kinds of things that we kind of look for. So when you're creating users and teams, ActiveRecord is pretty cool in how it ties everything together for you. And we use Devise in our shop too. So does everybody... I mean, I've seen, like, everybody. I've looked at a lot of people use Devise. Can I get a hands-up on who uses Devise? So a lot of people, right? So we use Devise, and so I'm gonna tell you a little bit about how we use it, and how we use the things that are built into Devise, and I'm going to show you a demonstration of that too.

So, you know, user belongs to a team, and these are the things I'm going to talk about here. This is what we mostly do, how we confine our stuff. So Devise gives you an object, current_user, and you're able to constrain things based on that. And we don't use IDs for anything, and I do see people using IDs. We use UUIDs for everything, for any kind of record.
We don't really look it up by... we never look it up by the actual ID of that record. This is how we set context when people come in. You want to always use that current_user context, because what that does is it allows you to use Devise to kind of weed out stuff, and so you're not letting users just arbitrarily... you're not telling people what user they are, and I'm going to show you in Burp how attackers change that kind of stuff.

This is kind of like a little pattern that we use to create UUIDs. We create a random UUID and we'll assign that to every record. Everything we do has a UUID on it. We never want to expose... basically, the more stuff you expose to an attacker, the worse off you are. So we'd rather do a random UUID. UUIDs are pretty strong mathematically, and it's hard for you to guess that stuff.

So here's the whole current_user paradigm. I can talk more about this in the demo. Everything we do, if you're doing a new record, if you're doing a lookup or anything, we're basing it off the Devise thing. So I tell people, don't use the base model. Like, if it's a team, never do Team.whatever, like capital-T Team. Never do that stuff. Here's a couple of... this was from RailsConf 2005, I mean 2015. I don't know if you guys have seen these. These are really two good talks, and they talk about a lot of stuff like that.

But what I'm gonna do real quick is I'm gonna get to the nitty gritty. So I always forget to give my contact information, so here it is. You can email me at Marcus. And I'm gonna do this again for the demo, or my man Alex is here. Alex is our lead developer, and like I said, we're looking for a senior Rails developer in our shop. So first of all, automation is pretty cool.
So like I said, this is Brakeman Pro. With Brakeman Pro, what I did there is I wrote an app. I patched the app, you know, all the patches, and then what we have now is we have an app, and the name of this app is called Weirdo. So the app is, like, super insecure. I know that because I wrote it to be insecure. Yeah, how many people like to write insecure code? So I wrote it insecure on purpose, just so I could go through and show you, with the use of Burp, how people can enumerate stuff. So this is kind of risky. I'm gonna go through and I'm gonna try to secure the app on the fly, and I'm gonna try to hack the app on the fly. So, you know, everybody make a sacrifice, sacrifice some chicken wings to the demo gods. So we're gonna go.

So this is our risk. I'm gonna be in and out of several apps. I also want to show you a couple of things. I guess I don't have internet. So I use Atom for my text editor, and that's looking weird. So what I'm gonna do is I'm going to be going back and forth between real code and hacking with what they call Burp and the app, and I'm working with two browsers. Let me get everything set up. So the browser that I have, I'm going to be working with Chrome here. See, there's a fresh app in it. That's the hotness right there. And on this side, we have this right here, and let me see if that's still working. Let me see if I have my proxy working. So this is Burp right here, and Burp allows you to intercept all communications from the browser. So I set up Firefox with a proxy, and what I'm doing here is it intercepts all the communications, so I can forward or drop these communications. So I would recommend you guys get into Burp. It is pretty cool. So you can forward this. I'm going to forward those things, and I should get... So this is Firefox right here.
So every time I'm doing something in Firefox, if I say show, it doesn't initially show it, because I have to go back to Burp and I have to forward that request, come back, and it shows the record. So that's how you use Burp. You go back and forth, and there's a lot of automation. What? Let's get bad. Let's get bad. Oh. Somebody said bad chicken, somebody... Dang. Hold on a second. Let me try to restart Burp. This is the danger of trying to do live demos. I'm one of those high-risk type of guys. So this is the free edition of Burp. I think Burp costs like 300 dollars. So what I like about Burp is, I like anything that the bad guys are using. All right, cool. Looks like Burp is back up and running.

So what's interesting about Burp, and I'm going to show you the code, like I said, I'm using a bad pattern here that I see a lot of people do. It's like, when I look up the index of things, here I'm doing Thing.where and I say current_user.id, because it's pulling the current user ID from... it's using Devise to get that right there. And so when I do the index in Chrome here and I go to things, it's going to give me all the records here. So one of my users is Willy and the other one's Nelson. So this is Nelson here, and so this is showing the user here.

So let me show you a couple of things. These are the patterns that I see that are kind of epic fail from a development perspective. I'll make it a little bit bigger. So this is like whatever the new thing is. If you look here, I'm going to give you the source here, and here you can see that there's a value of two here. And so that's a problem that I see a lot: people put parameters in hidden fields and nobody's going to see it, you know, right?
They put hidden fields, and it's giving them to me to use right there. And another epic thing is, it doesn't even matter if you do a UUID there. You don't want to put any direct user-related information in your page, hidden, but I see that a lot. And, you know, some people try to put it in cookies and all that other stuff. But the thing about Burp that makes Burp pretty cool, and another thing is, I showed you Let's Encrypt. Burp can actually break SSL, so you can put Burp in, and Burp will handle all the SSL connectivity, and it'll break out all your stuff in plain text. So don't think that just because your website has SSL on it, nobody can do these kinds of things. So it's very important that you lock some of these things up.

So the fact that I have the field here, that means I can submit it, and I'll show you this on the other side. So this is using the Burp proxy, and if I create a new thing again, I have to go back to Burp and forward that, and I'm going to say "Hello there." So when I create a thing, it's going to create a POST request, right? So when I go back over to Burp, it's going to show me that request: the token, all these cool things that you expect. And so we're here: user thing, user_id 1. So I must be logged in as Willy. But I can actually edit this, and I can actually put a 2 there, and I can actually submit that to the other person's account. You know, let's try to make that happen. So just by editing this... and it can get way more complicated, and we use Burp a lot. There's stuff built in here, and I'm just trying to be really, really simple here. You can enumerate all kinds of stuff.
You can break encryption with this. You can do, like, a ridiculous amount of stuff. So we're going to forward this. Forward it. And so here it says user_id 2, but I'm Willy. So it posted to the other account. So now when I go back to things, we said "hello there," and we shouldn't see that from the request. So these are all the things that Willy created, right? But using Burp, what I did is I actually added it to the other person's account. And these are the kinds of things you can do with Burp, and these are how attackers will get your stuff.

So also, things like that... So remember I told you the whole problem with IDs, with why we do UUIDs for everything, is because, like, I'm going to go back here, I'm going to show this record, and you see right here it says six. So this six right here, this belongs to... this belongs to the user Nelson, right? And so the fact that I'm exposing... and never do this. This is another thing you do not do if you're doing Rails apps. Don't expose... I would refrain from exposing the record number, right? Because they're too easy to guess. So I know this is six. This user is Nelson. I'm going to go back to the Willy account and delete something in somebody else's account. This stuff happens all the time on major sites. It's kind of hilarious.

So when I do a delete here, I'm going to say destroy this. Yep, okay. So when I go to Burp here, I see that it's going to destroy something, and it's doing a POST method. And we... dang it, where in the heck is it? It's actually encoded here. Hold on a second. You see this right here. I'm going to change the six and I'll see what happens here. Now if we look here.
It says "hi test." See, it got rid of the record from the other person's account. Right, so you're able to, if you're not doing this correctly... And so I'm going to show you the fix real quick on how you do this correctly. So is everybody on board? So basically, since we're able to... when you're able to notice the IDs of the other records, and we're not doing any kind of checking here, you're able to delete stuff on other people's accounts, add stuff on other people's accounts, and do things like that, and this is all by using that proxy. So don't assume... the lesson is, don't assume that the data that your users are giving you is valid data. Never, never trust it.

So here what we're going to do is we're going to shore this up. I'm going to go through and change all these things real quick. It's only a couple of things. So my lesson to everyone is: do not let people do capital Model. It's like my golden rule. If you can, if there's somehow you can parse, or get rid of any kind of ability for them to write anything to your database, do it.
So what we'll do here is we'll say current_user.things, and we don't need where, because it's going to take it off the current user. So this is going to grab records from the current user. So that's the first step. That's getting rid of the "I can request any record from the index page." So now we're on things. We refresh it, and it should tell me the same things. So that's one problem out of the way. It's only ever going to show me stuff from my account.

Second thing you can do here is, when you create new things, you can just go down here: current_user.things.new. Right, that's going to, every time, give you the user ID, so you don't have to do the hidden user ID now. You don't have to do a hidden field, because it's going to take care of it for you. And when you write something to the database, when you create it, you want to do the same thing: current_user.things. And also down here, what you can do is you can get rid of your user ID from here. You don't have to accept that in the parameters. When it says destroy right here, what's going to happen here is, when you set it, you want to do this also: you want to say current_user.things, and it's going to find that parameter. It's only going to find it if it belongs to that current user, because we already established a relationship that the user owns all the things. Save that. In any place where you see, like, a capital-T Thing, you want to get rid of that. It looks like everything should work here. Am I missing anything? I'm good. Sweet.

So now when we refresh, or we delete, or anything... What we can do here is, I want to also go back and fix this thing where, if we say new thing, we want to get rid of that hidden field in our Rails form.
So if I go over here, it's a form. We're going to get rid of that hidden field. Hidden fields are usually a bad idea. So save it, and when we refresh our form, it's not going to have that in there. So I can refresh this, and so the hidden field is gone now. So what we've done is we're not exposing our record information to the user, and it's all going to be done on the back end by Devise in this case. So everything should work, and if I go back, it's creating a new record. But the thing that we want to try to figure out is if we can go into... we can't go into Burp now to actually update that record, because what we did is, on this side, if I... I'm going to create a new thing. Oh, this is not... So now when we post that, we're not posting that user ID at all. So it's going to be taking a user ID off of Devise. And then what we have here, we have everything that we expect here, and we destroy it now.

So the key thing is, like, I'm going to look for a record over here on the other account, and I'm going to try to do the same thing, where I delete it across the accounts. So I'm going to show it. I'm just going to say three here. So I should be able to go in Burp and change that to delete three. Let's go in there. So I'm going to try to change that. Forward it. And it doesn't exist now. So who cares if you get an ugly message, you know? Who cares about that? What you're doing is you're preventing somebody from writing arbitrary records to the database. All right, cool. So that's it.
That's a quick demonstration of how you can use Burp, and I recommend all the tools. You can email me if you want to just play around with those tools. You can definitely use all those tools for free. The version of Burp that I just used is totally free, and it'll allow anybody in your organization, all developers, maybe pentesters, they need to be getting into these tools, because this is what hackers are going to be using to compromise your networks. Thanks for listening, and thanks for having me, guys. Appreciate it. Thanks.
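The demo above shows two instances of the same bug (a create that trusts a user_id hidden field, and a destroy that looks the record up by its guessable integer id with no ownership check) and the fix of routing everything through current_user. The following is an added example written for this page, not code from the talk or from vThreat: a plain-Ruby stand-in for the Weirdo app so the "before" and "after" can be run side by side without Rails. User, Thing, ThingStore, RecordNotFound and the two controller classes are constructed here to mimic Devise's current_user, ActiveRecord and the Rails controller actions; the Willy/Nelson data is constructed sample input.

```ruby
require 'securerandom'

# Constructed stand-ins for the Rails pieces (this is not Rails or vThreat code).
User  = Struct.new(:id, :name)
Thing = Struct.new(:id, :uuid, :user_id, :body)

# Plays the role of ActiveRecord::RecordNotFound.
RecordNotFound = Class.new(StandardError)

# Minimal table: sequential integer primary key plus a random UUID per row,
# the "random UUID assigned to every record" pattern from the talk.
class ThingStore
  def initialize
    @rows = []
    @next_id = 0
  end

  def create(user_id:, body:)
    @next_id += 1
    row = Thing.new(@next_id, SecureRandom.uuid, user_id, body)
    @rows << row
    row
  end

  def all
    @rows.dup
  end

  def delete(row)
    @rows.delete(row) # returns the row, or nil if it was not there
  end
end

# The "before": create trusts the user_id hidden field, destroy is the
# equivalent of Thing.find(params[:id]).destroy with no ownership check.
class VulnerableThingsController
  def initialize(store, current_user)
    @store = store
    @current_user = current_user
  end

  def create(params)
    @store.create(user_id: Integer(params[:user_id]), body: params[:body])
  end

  def destroy(params)
    row = @store.all.find { |t| t.id == Integer(params[:id]) }
    raise RecordNotFound unless row
    @store.delete(row)
  end
end

# The "after": every lookup goes through the current user's own things,
# rows are addressed by UUID, and params[:user_id] is never read.
class HardenedThingsController
  def initialize(store, current_user)
    @store = store
    @current_user = current_user
  end

  def create(params)
    @store.create(user_id: @current_user.id, body: params[:body])
  end

  def destroy(params)
    row = owned.find { |t| t.uuid == params[:id] } # current_user.things.find
    raise RecordNotFound unless row
    @store.delete(row)
  end

  private

  def owned
    @store.all.select { |t| t.user_id == @current_user.id }
  end
end

# Replays the demo: Willy (id 1) tampers with requests to reach Nelson's (id 2) data.
def run_scenario
  willy  = User.new(1, 'willy')
  nelson = User.new(2, 'nelson')
  results = {}

  store = ThingStore.new
  nelsons = store.create(user_id: nelson.id, body: 'hi test')
  vuln = VulnerableThingsController.new(store, willy)
  planted = vuln.create(user_id: '2', body: 'Hello there') # hidden field edited in the proxy
  results[:vuln_planted_owner] = planted.user_id           # landed in Nelson's account
  vuln.destroy(id: nelsons.id.to_s)                        # guessed integer id
  results[:vuln_cross_delete] = !store.all.include?(nelsons)

  store = ThingStore.new
  nelsons = store.create(user_id: nelson.id, body: 'hi test')
  hard = HardenedThingsController.new(store, willy)
  mine = hard.create(user_id: '2', body: 'Hello there')    # same tampered param, ignored
  results[:hard_planted_owner] = mine.user_id
  begin
    hard.destroy(id: nelsons.uuid)                         # even knowing the real UUID
    results[:hard_cross_delete] = true
  rescue RecordNotFound
    results[:hard_cross_delete] = false
  end
  results[:hard_own_delete] = !hard.destroy(id: mine.uuid).nil?
  results
end

puts run_scenario.inspect if __FILE__ == $PROGRAM_NAME
```

Two things worth noticing in the hardened version: it never reads params[:user_id] at all, so there is nothing for the proxy to tamper with, and the cross-account destroy fails even when the attacker has the victim's real UUID, because the scope (owned, standing in for current_user.things) is applied before the lookup rather than after. Hiding the integer id helps against guessing, but it is the scoping that actually closes the hole.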