RAILS SECURITY
Bart ten Brinke
movesonrails.com
bart.tenbrinke@movesonrails.com
A few slides on common holes in Rails applications. Finished it too late for reject conf.

Transcript of "Rails Security - Bart ten Brinke"

Why I did this

After a security presentation at RailsConf Europe 2007, I found a lot was missing, so I made this. I didn't finish it in time for reject conf, so I posted it on my blog. No, I am not Australian :)
SQL Injection
(Old, but even Jason still does this wrong)

Don't do this:
  Person.find(:first, :conditions => "name = #{name}")

Do this:
  Person.find(:first, :conditions => ["name = ?", name])

Or:
  Person.find_by_name(name)
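To make the difference between the two find() forms concrete, here is an added plain-Ruby example (not code from the slides, and not ActiveRecord's own implementation): `quote_value` and `sanitize_conditions` are a simplified imitation of the placeholder substitution that the `["name = ?", name]` form performs, and `HOSTILE_NAME` is a constructed input. The interpolated query is shown with quotes around the value, which a working query would need anyway.

```ruby
# Added example, not code from the slides: a plain-Ruby stand-in for what the
# two find() forms send to the database. quote_value/sanitize_conditions are a
# simplified imitation of ActiveRecord's placeholder substitution, not its code.

# Vulnerable form: the value is spliced into the SQL text, so quote characters
# inside it become SQL syntax (the slide's "name = #{name}" case, with the
# quotes around the value that a working query would need).
def interpolated_condition(name)
  "SELECT * FROM people WHERE name = '#{name}' LIMIT 1"
end

# Minimal SQL string-literal quoting: wrap in single quotes and double every
# embedded single quote, so the value can never close the literal early.
def quote_value(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Stand-in for the ["name = ?", name] form: each "?" in the template is
# replaced, in order, by a quoted value. Splitting first (rather than
# substituting repeatedly) means a "?" inside a value is never re-expanded.
def sanitize_conditions(template, *values)
  parts = template.split("?", -1)
  unless parts.size - 1 == values.size
    raise ArgumentError, "expected #{parts.size - 1} values, got #{values.size}"
  end
  parts.zip(values.map { |v| quote_value(v) } + [""]).flatten.join
end

def parameterized_condition(name)
  "SELECT * FROM people WHERE #{sanitize_conditions('name = ?', name)} LIMIT 1"
end

# Constructed hostile input: the classic tautology.
HOSTILE_NAME = "x' OR '1'='1".freeze

# Counts SQL string literals in a statement ('' inside a literal is an escaped
# quote). One literal means the user input stayed data; more than one means
# part of it became SQL.
def literal_count(sql)
  sql.scan(/'(?:[^']|'')*'/).size
end

if __FILE__ == $0
  puts interpolated_condition(HOSTILE_NAME)   # tautology leaks into the WHERE clause
  puts parameterized_condition(HOSTILE_NAME)  # whole input stays one quoted literal
end
```

Running the file prints both statements; `literal_count` is the kind of cheap check you can put in a test suite to catch a query that ends up with more string literals than it was given values.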
Cross Site Scripting (XSS)

Don't do this in a view:
  <p>Name: <%= @name %></p>

Do this:
  <p>Name: <%= h @name %></p>

Don't forget your link_to's and images. If you forget just one, you are an easy victim.
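An added example (not from the slides) that renders the two templates above with Ruby's own ERB and the `h` helper from `ERB::Util`, which is the same escaping function a Rails view calls. It also covers the link_to remark: `h` stops markup injection, but it does not stop a `javascript:` URL in an href, so `safe_href` (a hypothetical helper, not a Rails API) checks the scheme as well. `HOSTILE_NAME` and `HOSTILE_HREF` are constructed inputs.

```ruby
require 'erb'
require 'uri'
include ERB::Util  # gives us h(), the same escaping helper a Rails view calls

# Constructed attacker-controlled values, e.g. a profile name and a homepage
# URL entered by a user.
HOSTILE_NAME = "<script>alert(document.cookie)</script>".freeze
HOSTILE_HREF = "javascript:alert(document.cookie)".freeze

# Renders an ERB template with @name bound, standing in for a Rails view.
def render_view(template, name)
  @name = name
  ERB.new(template).result(binding)
end

UNSAFE_VIEW = "<p>Name: <%= @name %></p>".freeze   # the slide's "don't"
SAFE_VIEW   = "<p>Name: <%= h @name %></p>".freeze # the slide's "do"

def unsafe_render(name)
  render_view(UNSAFE_VIEW, name)
end

def safe_render(name)
  render_view(SAFE_VIEW, name)
end

# True if a raw script tag survived into the output: a check you can run over
# rendered pages in a test suite.
def raw_tag_present?(html)
  html.match?(/<script\b/i)
end

# Hypothetical helper, not a Rails API: h() does not help against a
# javascript: URL in an href, so a user-supplied link gets its scheme checked.
# Only http, https and relative URLs pass; anything else becomes "#".
def safe_href(url)
  scheme = URI.parse(url.to_s).scheme
  ok = scheme.nil? || %w[http https].include?(scheme.downcase)
  ok ? url.to_s : "#"
rescue URI::InvalidURIError
  "#"
end

def link_tag(text, url)
  %(<a href="#{h(safe_href(url))}">#{h(text)}</a>)
end

if __FILE__ == $0
  puts unsafe_render(HOSTILE_NAME)         # script tag reaches the browser
  puts safe_render(HOSTILE_NAME)           # &lt;script&gt;... is just text
  puts link_tag("home", HOSTILE_HREF)      # href collapses to "#"
end
```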
Skipping security

Don't do this:
  skip_before_filter :check_auth

Do this:
  skip_before_filter :check_auth, :only => [:login]

Explicitly specify the actions that skip security. Otherwise new ones will be insecure by default.
Watch out for the to_json XSS exploit

Don't do this in a view:
  <script>posts = <%= @posts.to_json %></script>

This is fixed in edge Rails (6893), so if you are on 1.2.3 you have a problem. Write your own to_json for the model, or mix in the patch for Rails ticket 8371.
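An added example (not from the slides, and not the Rails patch itself) of why JSON dropped straight into a script block is exploitable and what the fix looks like: a title containing `</script>` ends the script element early, no matter what JSON quoting did. `json_escape` is a hypothetical helper here; it replaces `<`, `>` and `&` with JSON `\u` escapes, which a JSON parser turns back into the same characters while an HTML parser never sees a closing tag. `HOSTILE_POSTS` is a constructed record.

```ruby
require 'json'

# Constructed post whose title carries a closing script tag.
HOSTILE_POSTS = [{ "id" => 1, "title" => "</script><script>alert(1)</script>" }].freeze

# What the slide's view does: raw to_json straight into a <script> block.
def unsafe_script_tag(posts)
  "<script>posts = #{posts.to_json}</script>"
end

# Hypothetical helper, not a Rails API: encode the characters that matter to
# the HTML parser as JSON \u escapes. JSON.parse decodes them back to the
# original characters, so the data is unchanged, but the HTML tokenizer never
# sees a literal "</script>".
JSON_ESCAPE = { "&" => '\u0026', "<" => '\u003c', ">" => '\u003e' }.freeze

def json_escape(json)
  json.gsub(/[&<>]/, JSON_ESCAPE)
end

def safe_script_tag(posts)
  "<script>posts = #{json_escape(posts.to_json)}</script>"
end

# Detection: more than one "</script>" in the rendered tag means the JSON
# payload broke out of the script element.
def script_breakout?(html)
  html.scan(%r{</script>}i).size > 1
end

if __FILE__ == $0
  puts unsafe_script_tag(HOSTILE_POSTS)  # contains three </script> tags
  puts safe_script_tag(HOSTILE_POSTS)    # contains exactly one
end
```

The escaped document still round-trips: `JSON.parse(json_escape(posts.to_json))` equals the original array, so the client-side code that reads `posts` sees no difference.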
Obfuscate passwords in logging

If your log looks like this:
  Processing LoginController#create (for 127.0.0.1 at 2007-09-20 18:16:32) [POST]
    Session ID: 023b70d61b76c29a0e123e79c8772f4d
    Parameters: {"sign_in"=>"Sign in", "remember"=>"", "action"=>"create", "username"=>"Administrator", "controller"=>"login", "password"=>"im1337"}

Add this to your application.rb:
  filter_parameter_logging "password"
Are you accessible?

Don't have everything XML or JSON:
  /mykillerapp/users.xml

  <users>
    <user>
      <id type="integer">3</id>
      <username>administrator</username>
      <password-hash>4fc62477c37b2880646336e5b753daef6ae3377b36cab20ddc27c7b933ca6ecd</password-hash>
      <password-salt>ntoRnlDr</password-salt>
    </user>
  </users>
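The leak above happens because a default `to_xml` serializes every column. An added example (not from the slides, and a plain-Ruby stand-in rather than ActiveRecord's `to_xml`) of the alternative: a `User#to_xml` that only ever emits an explicit whitelist of attributes, so new secret columns are never exposed by accident. The `User` class and `ADMIN` record are constructed, with placeholder values in place of a real hash and salt.

```ruby
require 'erb'  # ERB::Util.html_escape doubles as XML text escaping here

# Added example, not ActiveRecord: a model whose XML form is an explicit
# whitelist. Anything not listed in PUBLIC_ATTRIBUTES never reaches a client,
# however many columns the table grows.
class User
  PUBLIC_ATTRIBUTES = %w[id username].freeze
  attr_reader :attributes

  def initialize(attributes)
    @attributes = attributes
  end

  def to_xml
    fields = PUBLIC_ATTRIBUTES.map do |name|
      "  <#{name}>#{ERB::Util.html_escape(attributes[name])}</#{name}>"
    end
    ["<user>", *fields, "</user>"].join("\n")
  end
end

# Constructed record shaped like the leaked document on the slide; the hash
# and salt values are placeholders, not real credentials.
ADMIN = User.new("id" => 3, "username" => "administrator",
                 "password_hash" => "PLACEHOLDER_HASH",
                 "password_salt" => "PLACEHOLDER_SALT")

# What /users.xml would return for a list of users.
def users_xml(users)
  "<users>\n#{users.map(&:to_xml).join("\n")}\n</users>"
end

# A check for a test suite: no element or value mentioning a password may
# appear in any public representation.
def leaks_secrets?(xml)
  xml.match?(/password/i)
end

if __FILE__ == $0
  puts users_xml([ADMIN])
end
```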
Production deploy

Don't do this:
  production:
    adapter: mysql
    database: my_killer_app
    username: root
    password:
    host: localhost

Do this:
Use decent security in a production environment. Also strip all the stuff you don't need from your tags (like /test).
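An added example (not from the slides) of a small audit you can run against `config/database.yml` before a deploy: it runs the file through ERB and YAML the way Rails does and flags a production section that connects as `root` or with a blank password. `WEAK_DATABASE_YML` is the slide's stanza; `FIXED_DATABASE_YML` is a constructed corrected version that uses a dedicated database user and reads the password from the environment. The `DATABASE_PASSWORD` value set below is a constructed placeholder so the example runs stand-alone.

```ruby
require 'erb'
require 'yaml'

# Constructed database.yml contents: the slide's weak production stanza and a
# corrected one (dedicated user, password supplied by the environment).
WEAK_DATABASE_YML = <<~YAML
  production:
    adapter: mysql
    database: my_killer_app
    username: root
    password:
    host: localhost
YAML

FIXED_DATABASE_YML = <<~YAML
  production:
    adapter: mysql
    database: my_killer_app
    username: my_killer_app
    password: <%= ENV["DATABASE_PASSWORD"] %>
    host: localhost
YAML

# Constructed placeholder so the fixed config resolves when run stand-alone;
# in a real deploy this comes from the process environment or a secret store.
ENV["DATABASE_PASSWORD"] ||= "constructed-example-secret"

# Loads the YAML after ERB expansion, as Rails does, and returns a list of
# findings for the named environment. An empty list means nothing was flagged.
def audit_database_config(yaml_text, env_name = "production")
  config = YAML.safe_load(ERB.new(yaml_text).result) || {}
  section = config[env_name]
  return ["#{env_name}: section missing"] unless section.is_a?(Hash)

  findings = []
  findings << "#{env_name}: username is root" if section["username"].to_s == "root"
  findings << "#{env_name}: password is blank" if section["password"].to_s.strip.empty?
  findings
end

if __FILE__ == $0
  puts "weak:  #{audit_database_config(WEAK_DATABASE_YML).inspect}"
  puts "fixed: #{audit_database_config(FIXED_DATABASE_YML).inspect}"
end
```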
CONCLUSIONS

These are all examples of things I ran into during about one year of full-time Rails development. Realize that there are more!

Greetings to everyone who came to RailsConf Europe 2007. It was inspiring! If you have any questions, feel free to email me.

Bart ten Brinke
movesonrails.com
bart.tenbrinke@movesonrails.com