Rails comes with many powerful security protections out of the box, but no code is perfect. This talk will highlight a new approach to web app security, one focusing on a higher level of abstraction than current techniques. We will take a look at current security processes and tools and some common vulnerabilities still found in many Rails apps. Then we will investigate novel ways to protect against these vulnerabilities.
7. Vulnerabilities sold remain private for an average of 151 days
The Known Unknowns - Stefan Frei - NSS Labs
https://www.nsslabs.com/reports/known-unknowns-0
33. Rails Rendering
Append expression result
Buffer: <head>
<title><script>alert(1)</script>
I tried to inject <script>alert(1)</script> here!
34. Rails Rendering
Append template after calling html_safe on it
Buffer: <head>
<title><script>alert(1)</script></title>
35. Rails Rendering
Append expression result
Buffer: <head>
<title><script>alert(1)</script></title>
<script src="/application.js"></script>
javascript_include_tag returned a SafeBuffer
36. Rails Rendering
Append template after calling html_safe on it
Buffer: <head>
<title><script>alert(1)</script></title>
<script src="/application.js"></script>
</head>
39. XSS
params => {id: "<script>alert(1)</script>"}
Rendered HTML:
<div class="alert">
User id <script>alert(1)</script> does not exist
</div>
47. How to Fix SQL Injection
• Check that args for all `Calculate` methods are actual table names
• Always use hashes or arrays when using `delete_all`/`destroy_all`/`where`
• Always use hashes when using `find_by`/`find_by!`
• Always convert user input to strings when passed to `exists?`
• Never pass user input to `group`/`joins`/`order`/`reorder`/`pluck`/`select`/`having`
• Don’t use `find` unless you are a security guru
• etc. etc.
48. “Once you’re done with that, can you audit all our dependencies too?”
53. Metasecurity for XSS
• Wrap `html_safe` method
• If called from a known good location, like a Rails helper, let the string through unimpeded
• Otherwise, escape any <script> tags first
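The wrapped `html_safe` from this slide in plain Ruby, together with the buffer walk from the Rails Rendering slides, as an added example that is not from the talk or from Rails itself: `SafeBuffer` is a minimal stand-in for ActiveSupport::SafeBuffer, the caller check uses `caller_locations`, and the trusted directories are hypothetical.

```ruby
require 'cgi'

# Stand-in for ActiveSupport::SafeBuffer (assumption: Rails is not loaded here).
# Appending a plain String escapes it; appending a SafeBuffer inserts it verbatim.
class SafeBuffer < String
  def html_safe?; true; end
  def <<(other)
    super(other.is_a?(SafeBuffer) ? other : CGI.escapeHTML(other.to_s))
  end
end

module HtmlSafeGuard
  # Hypothetical "known good" locations: callers under these paths may mark a
  # string safe unchanged; every other caller gets its <script> tags escaped.
  TRUSTED_DIRS = ['/gems/actionview/', '/gems/activesupport/'].freeze
  SCRIPT_TAG   = %r{</?script\b[^>]*>}i

  def self.trusted_caller?(locations)
    locations.any? { |loc| TRUSTED_DIRS.any? { |dir| loc.path.include?(dir) } }
  end

  def self.neutralize_script_tags(str)
    str.gsub(SCRIPT_TAG) { |tag| CGI.escapeHTML(tag) }
  end

  # Wrapped html_safe. The caller frames are a parameter so the policy can be
  # tested directly; String#html_safe below passes the real caller_locations.
  def self.html_safe(str, locations)
    SafeBuffer.new(trusted_caller?(locations) ? str : neutralize_script_tags(str))
  end
end

class String
  def html_safe?; false; end
  def html_safe
    HtmlSafeGuard.html_safe(self, caller_locations)
  end
end

# Buffer walk from the Rails Rendering slides: template text is marked safe,
# the expression result is escaped on append, a helper's SafeBuffer passes through.
def render_head(user_title, helper_output)
  buf = SafeBuffer.new
  buf << '<head><title>'.html_safe
  buf << user_title                 # plain String from params: escaped
  buf << '</title>'.html_safe
  buf << helper_output              # SafeBuffer, e.g. from javascript_include_tag
  buf << '</head>'.html_safe
  buf
end
```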