Rails Security - Bart ten Brinke

RAILS SECURITY Bart ten Brinke movesonrails.com bart.tenbrinke@movesonrails.com

Why I did this After a security presentation at RailsConfEurope 2007, I found a lot was missing, so I made this. I didn’t ﬁnish it in time for reject conf, so I posted it on my blog. No, I am not australian :)

SQL Injection (Old, but even Jason still does this wrong) Don’t do this Person.find(:first, :conditions => “name = #{name}”) Do this Person.find(:first, :conditions => [“name = ?”, name]) Or Person.find_by_name(name)

Cross Site Scripting (XXS) Don’t do this in a view <p>Name: <%= @name %></p> Do this <p>Name: <%= h @name %></p> Don’t forget your link_to’s and images. If you forget just one you are an easy victim.

Skipping security Don’t do this skip_before_filter :check_auth Do this skip_before_filter :check_auth, :only =>[:login] Explicitly specify the actions that skip security. Otherwise new ones will be unsecure by default

Watch out for the TO_JSON XSS exploit Don’t do this in a view <script>posts = <%= @posts.to_json %></script> This is ﬁxed in edge rails (6893) So if you are on 1.2.3, you have a problem. Write your own to_json for the model or mixin the patch for ticket 8371 of rails.

Obfuscate passwords in logging If your log looks like this Processing LoginController#create (for 127.0.0.1 at 2007-09-20 18:16:32) [POST] Session ID: 023b70d61b76c29a0e123e79c8772f4d Parameters: {quot;sign_inquot;=>quot;Sign inquot;, quot;rememberquot;=>quot;quot;, quot;actionquot;=>quot;createquot;, quot;usernamequot;=>quot;Administratorquot;, quot;controllerquot;=>quot;loginquot;, quot;passwordquot;=>quot;im1337quot;} Add this to your application.rb filter_parameter_logging quot;passwordquot;

Are you accessable? Don’t have everything XML or JSON /mykillerapp/users.xml <users> <user> <id type=quot;integerquot;>3</id> <username>administrator</username> <password-hash> 4fc62477c37b2880646336e5b753daef6ae3377b36cab20ddc27c7b933ca6ecd </password-hash> <password-salt>ntoRnlDr</password-salt> </user> </users>

Production deploy Don’t do this production: adapter: mysql database: my_killer_app username: root password: host: localhost Do this Use decent security in a production environment. Also strip all the stuff you don’t need from your tags (like /test).

CONCLUSIONS These are all examples of things I ran into during about one year of full-time Rails development. Realize that there are more! Greetings to everyone who came to RailsConf Europe 2007. It was inspiring! If you have any questions, feel free to email me. Bart ten Brinke movesonrails.com bart.tenbrinke@movesonrails.com

Rails Security - Bart ten Brinke

by BCC on Sep 20, 2007

Accessibility

Categories

Tags

Upload Details

Usage Rights

2 Embeds 6

Statistics

Rails Security - Bart ten Brinke — Presentation Transcript

http://websecurity.com.ua	5
http://www.slideshare.net	1