Rails and security

2,765 views
2,553 views

Published on

See review at http://tokarchuk.ru/2012/06/devconf-2012/

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
2,765
On SlideShare
0
From Embeds
0
Number of Embeds
1,111
Actions
Shares
0
Downloads
20
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Rails and security

  1. Rails & Security People should know it Insecure-by-default means insecure http://homakov.blogspot.com
  2. Agenda● GET Accessible Actions(method “match”, CSRF)● Mass Assignment(attr_accessible, “SQL Inject”)● JS(ON) and DOM Injects, Responders and XSS● Regular Expressions and Validators● Common Tips● Headers● [bonus?] OAuth
  3. Rails ARE Secure● CSRF Protection by default (authenticity_token)● XSS Protection(HtmlSafe, sanitize by default)● SQL Injects are impossible(active record)● Hundreds of commits with security improvements, etc
  4. PHP(and others) is not● if I see PHP site with (proper)CSRF protection than .. its facebook.com● SQL Injects, XSS, includes, zomg etc● "secure by default" just impossiblethus rails is more secure than most php sitesare...
  5. BUT
  6. case 1#routes.rb#match usage is a common mistakematch “/follow”, to: “followings#create”match “/followers, to: “followings#index”
  7. case 1Hey, “match” means GET too. GET means no csrf protection!
  8. case 1>This commit disallows calling +match+ without an HTTPverb constraint by default. To explicitly match all verbs, thiscommit also adds a :via => :all option to +match+.(@wycats)#update code:post “/follow”, to: “followings#create”get “/followers, to: “followings#index”match “/getpost_endpoint”, via: :all, to: “etc#etc”
  9. case 1 tipsMake sure to set “post” for state-changingrequests.Avoid using of “match”Use “get” for all data retrieval requests.Scope your routes, be RESTful, please.
  10. case 2#comments/index.haml:javascript var comments = #{@comments.to_json}OR:javascript var value = "#{current_user.name}"
  11. case 2@comments = {k:"</script><script>alert(1)</script>"}JSON Encoder and :javascript (:css too!)both dont escape anything - output is RAW.
  12. case 2XSS?!
  13. case 2 tipsUpdate rails to 4(now html entities areescaped by default) or set manuallyActiveSupport.escape_html_entities_in_html= truein initializers or dont use .to_json intemplates.
  14. case 3#comments/index.haml:javascript var data = #{@data.to_json} #or getJSON $(.datacontainer).html(data.body);
  15. case 3Pitfall. That is a pure DOM XSS - you didntsanitize it! Escaping u only helps JSONparser but you should sanitize it before youinsert into DOMDont trust/use any input param until yousanitized it.
  16. case 3
  17. case 3 tipsUse $.text()/innerText instead of $.html()/innerHTML when possible, always sanitizeany user input even in JS(Rails justescapes). I strongly recommend this patch:ActiveSupport::JSON::Encoding::ESCAPED_CHARS.merge! < => &lt;
  18. case 4params[:user][:url]="http://#{params[:user][:url]}" unless params[:user][:url] =~ /^https?/#update attributes
  19. case 4
  20. case 4 tipsKeep in mind - in ruby $^ always match newlines. Your manuals and books lie. Use AzThis passes:javascript:alert(1)/*http://hi.com*/added warning/exception in RoR
  21. case 5#in application_controller.rbskip_before_filter :verify_authenticity_token
  22. case 5 tipsprotect_from_forgery is a MUST. It is ahassle to deal with tokens but dont bestupid.No, presence of authenticity_token inputdoesnt scare a hacker.
  23. case 6found an XSS for auto_link, remember,always *whitelist* everything - protocols toojavascript://%0Aalert(1)Update your bundle, if you use auto_link orrails_autolink gem
  24. case 7class PublicKey < ActiveRecord::Base #attr_accessible, where are you...end
  25. case 7
  26. case 7Github and Assembla shared the samevulnerability.It was easy to steal or push code intoanybody’s repo dropping your public key.Also you could(still can) set“created/updated_at” to 3012 in *really* a lotof applications to have fun and get the 1stplace in order by *_at
  27. case 7 tipsIf use update_attributes/new/create+hash -you should set attr_accessible(If you don’tuse mass assignment - don’t care.)gem strong_parameterswhitelist_attributes = true by default.it takes slightly more time to write an app butit’s worth it.IT IS NOT attr_accessor :±
  28. case 8#hand-made jsonpjson = Order.all.to_jsonrender text: "#{params[:callback]}(#{json})"https://api.github.com/user/repos?callback=leak
  29. case 8 tipsdont give out private data via JSONPavoid - render text: contains_user_inputXSS - ?callback=<script>..</script>use - render json: data, callback: params[:cb]
  30. case 9 - CVE-2012-2660Mass assignment[extended edition]. Youcan send nested arrays/hashes in anyparam.params[:token] can be a huge array(brute):?token[]=1&token[]=2&token[]=3...it also may contain nils!?token[] <- nil
  31. case 9 - CVE-2012-2660ChangeUser.find_by_token(params[:token]) andUser.where(token: params[:token])use explicit castingparams[:token].to_s
  32. common tips● use system(ls, .) instead of `ls .`● before_filter{headers[X-Frame-Options] =SAMEORIGIN}#application_controller. rb● hide config/initializers/secret_token.rb● obvious: check permissions● WHITELIST● RTFM
  33. #DISCUSSSecurity is not developers business.Web is poorly designed: Clickjacking, CSRF
  34. bonus
  35. bonus OAuthCSRF + GET.code/tokengetting into master-account with nofingerprints.omniauth fb strategy vulnerabilitydepends on server side logic
  36. bonus OAuthhttp://soundcloud.com/connect/facebook/create?code=AQBXeR_dORPlx4RRUt_YzJ6Rdg0eb9CWHek8J2fB4vqfdNPvznmx-d-J36gGQlXJICRdfqFb9a_VWqke4ZamE2HytlXtK5c6sMaOQUQLPPhSWNv3v8z-ze6hdT6x4LNSXC_-jxGRecjw1WTmifzO_rBFaDI86xPo2YH3k_ehEtw5wM9rVduymjZumXkoistF7I9g2MQ
  37. bonus OAuthMitigation: CSRF token in state param.Checking$_SESSION[state]==$_REQUEST[session] IS NOT WORKINGCheck existence and equality both.OR use client side JS based authentication.
  38. references[old] http://www.rorsecurity.info/http://guides.rubyonrails.org/security.htmlhttp://developers.facebook.com/docs/authentication/server-side/get new stuff 1st!: homakov.blogspot.com
  39. Teh Edn.Y U NO PAY ME FOR SECURITY AUDIT?

×