Triangle.rb - How Secure is Your Rails Site, Anyway?

1,298 views

Published in: Technology

In this talk from Triangle.rb, Cory Foy details the state of Rails security, including paying attention to the libraries you use. He includes real world examples of exploits, and links to resources.

Transcript

  • 1. How Secure is Your Rails Site, Anyway?
      Cory Foy, foyc@coryfoy.com, @cory_foy
      Tuesday, March 11, 14
      Background image: http://www.flickr.com/photos/mthierry/4595284293
      Image: http://www.flickr.com/photos/111692634@N04
  • 2. Security in a Web World
      Images: http://blogs.msdn.com/blogfiles/rds/WindowsLiveWriter/RDGatewaydeploymentinaperimeternetworkFi_CBD0/clip_image002_thumb.jpg
      http://www.comtelindia.com/images/network_diagram_largepic.jpg
  • 3. Heartland Payment Systems - 134 million credit cards exposed via a SQL injection attack and spyware
      TJX Companies - 94 million credit cards exposed after weak WiFi or in-store kiosk security was compromised
      LivingSocial - 50 million records stolen, including names, dates of birth and salted passwords
      Federal Reserve - 4,000 records of key bank executives containing personal information stolen via a vulnerability in an internal website
      Smuckers - names, addresses, credit and debit card numbers, expiration dates and verification codes stolen from the online store
      Target - 40-70 million credit cards, PINs and CVVs stolen
  • 4. Cory Foy, foyc@coryfoy.com, @cory_foy, blog.coryfoy.com, prettykoolapps.com
  • 5. OWASP - Open Web Application Security Project
  • 6. Open Web Application Security Project, 2003:
      Unvalidated Parameters
      Command Injection Flaws
      Cross Site Scripting Flaws
      Buffer Overflows
      Error Handling Problems
      Insecure Use of Cryptology
      Broken Access Control
      Web and Application Server Misconfiguration
  • 7. Open Web Application Security Project, 2013 next to 2003:
      2013: Injection; Cross Site Scripting; Cross Site Request Forgery; Insecure Direct Object References; Unvalidated Redirects and Forwards; Sensitive Data Exposure; Missing Function Level Access Control; Broken Authentication and Session Management; Security Misconfiguration; Using Components with Known Vulnerabilities
      2003: Unvalidated Parameters; Command Injection Flaws; Cross Site Scripting Flaws; Buffer Overflows; Error Handling Problems; Insecure Use of Cryptology; Broken Access Control; Web and Application Server Misconfiguration
  • 8. Rails Security
  • 9. The 2013 list and what Rails gives you for each item:
      Injection: built-in filter to escape SQL characters
      Cross Site Scripting: by default, Rails escapes HTML
      Cross Site Request Forgery: REST / protect_from_forgery
      Insecure Direct Object References: Manual
      Unvalidated Redirects and Forwards: Manual
      Sensitive Data Exposure: Manual
      Missing Function Level Access Control: Manual / Partials
      Broken Authentication and Session Management: secret_key_base / reset_session
      Security Misconfiguration: Manual
      Using Components with Known Vulnerabilities: Manual / Gems
  • 10. Injection
      http://xkcd.com/327/
      Demo: http://localhost:3000/bad/injection?id=1
  • 11. Cross Site Scripting
      Demo: http://localhost:3000/bad/comments
  • 12. Cross Site Request Forgery
      Demo: http://localhost:3000/bad/comments
  • 13. Insecure Direct Object References
      Demo: http://localhost:3000/bad/upload_file
  • 14. Unvalidated Redirects and Forwards
      Demo: http://localhost:3000/bad/index
  • 15. Sensitive Data Exposure
      http://plaintextoffenders.com/
      Demo: http://localhost:3000/bad/make_payment
      http://ghost.teario.com/how-not-to-write-an-api/
  • 16. Missing Function Level Access Control
      Demo: http://localhost:3000/bad/index
  • 17. Broken Authentication and Session Management
  • 18. Security Misconfiguration
      https://github.com/CoryFoy/railssecurityexample
  • 19. Using Components with Known Vulnerabilities
  • 20. Standard Rails: 684,805 lines of default included Gem code
  • 21. Real Examples
      http://thunderboltlabs.com/blog/2013/12/04/giving-back-to-open-source-security-edition/
  • 22. Responsible Disclosure
  • 23. Sorcery: Config.send
      https://github.com/NoamB/sorcery/
      Problem: Sorcery allows the configuration of multiple providers. It figured out the right one by calling Config.send(provider_name.to_sym)
      Why's that a problem? (shown in rails c: Object.ancestors, Kernel.methods(false).sort)
      Fix: Don't trust user-modifiable input, ever
  • 24. Doorkeeper: Symbol GC
      https://github.com/applicake/doorkeeper/
      Problem: Doorkeeper and Sorcery converted user input to symbols. Symbols are not GC'd, so they can use up a lot of memory quickly
      Why's that a problem? loop { (Time.now.to_f.to_s * 100000).to_sym }
      Fix: Inspect user input as a string before converting it to a symbol. Whitelist where possible
  • 25. I18n Injection Issue
      https://github.com/rails/rails
      https://github.com/svenfuchs/i18n
      Problem: Missing locales showed an error message which exposed a Cross-Site Scripting attack vector
      Why's that a problem? http://mysite.com/?locale="<script>alert('Hi Mom')</script>"
      Fix: Don't trust user-modifiable input, ever
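As an added example (not code from the talk, nor from Sorcery, Doorkeeper or i18n), this Ruby snippet shows the fix slides 23 to 25 all point at: a request string is matched against a fixed allowlist before it can reach Config.send or String#to_sym, so no unknown method name is ever called and no new symbol is ever interned. ProviderConfig, the provider and locale lists and the client ids are constructed stand-ins.

```ruby
# Added example. ProviderConfig stands in for a Sorcery-style Config object
# with one method per configured provider; the values are constructed.
module ProviderConfig
  def self.twitter; { client_id: 'tw-constructed' }; end
  def self.github;  { client_id: 'gh-constructed' }; end
end

# Everything a request may select from. These symbols are interned once at
# load time; nothing in a request can add to either list.
ALLOWED_PROVIDERS = %i[twitter github].freeze
ALLOWED_LOCALES   = %i[en de fr].freeze

class UntrustedInput < ArgumentError; end

# Match a request string against an allowlist of symbols WITHOUT calling
# String#to_sym on it. The comparison is symbol-to-string, so an unknown
# value is never interned (slide 24) and never becomes a method name (slide 23).
def allowlisted_symbol(input, allowed)
  return nil unless input.is_a?(String)
  allowed.find { |sym| sym.to_s == input }
end

# The slide 23 pattern was Config.send(provider_name.to_sym), which lets any
# method name in the request reach send, private Kernel methods included.
# Here only an allowlisted name is dispatched, and only via public_send.
def provider_config(name)
  provider = allowlisted_symbol(name, ALLOWED_PROVIDERS)
  raise UntrustedInput, 'unknown provider' unless provider
  ProviderConfig.public_send(provider)
end

# Same guard for ?locale=..., the parameter behind the I18n issue on slide 25.
# An unknown locale falls back to the default instead of being echoed back.
def resolve_locale(param, default: :en)
  allowlisted_symbol(param, ALLOWED_LOCALES) || default
end

# Observe the slide 24 property: has this request string become a Symbol?
def interned?(str)
  Symbol.all_symbols.any? { |sym| sym.to_s == str }
end

if __FILE__ == $PROGRAM_NAME
  p provider_config('github')
  p resolve_locale("<script>alert('Hi Mom')</script>")
  allowlisted_symbol('zz_not_a_provider', ALLOWED_PROVIDERS)
  p interned?('zz_not_a_provider')
end
```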
  • 26. Summary: DON'T EVER TRUST USER INPUT
  • 27. Rails Security Resources
  • 28. OWASP - https://www.owasp.org/index.php/Main_Page
  • 29. Rails Security Page and Mailing List - http://guides.rubyonrails.org/security.html and http://rubyonrails.org/security
  • 30. OAuth RFC - http://tools.ietf.org/html/rfc6819
  • 31. Books
  • 32. Cory Foy, foyc@coryfoy.com, @cory_foy, blog.coryfoy.com, prettykoolapps.com