Your SlideShare is downloading. ×
OWASP Top 10 and Securing Rails - Sean Todd - PayNearMe.com
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

OWASP Top 10 and Securing Rails - Sean Todd - PayNearMe.com

516
views

Published on

Silicon Valley Ruby on Rails Meetup - December 10th, 2013 …

Silicon Valley Ruby on Rails Meetup - December 10th, 2013
OWASP Top 10 and Securing Rails
An introduction to the OWASP Top 10 and how to use it and other tools to secure your Rails code.

Published in: Technology

0 Comments
3 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
516
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
0
Comments
0
Likes
3
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. OWASP and Rails Security RoR Meetup, December 10, 2013
  • 2. What could happen if your source code was leaked?
  • 3. MongoDB Hacked • CI and Static Analysis companies used them to store GitHub Keys • Those GitHub keys could have granted the attacker access to your source code
  • 4. Prezi Source Leaked • One of their developers inadvertently posted his repo credentials • White hat hacker was able to grab all of their source without their knowledge
  • 5. What is OWASP?
  • 6. OWASP Background • Founded in 2001 • Non-profit organization • Produces lots of material on how to secure web applications • Top 10 is an ongoing list of the most important web app vulnerabilities
  • 7. OWASP Top 10, 2013 1. Injection 6. Sensitive Data Exposure 2. Broken Authentication 7. Missing Function Level Access Control 3. Cross Site Scripting 8. CSRF 4. Insecure Direct Object References 9. Vulnerable Components 5. Security Misconfiguration 10.Unvalidated Forward/Redirect
  • 8. OWASP Top 10, 2013 1. Injection 6. Sensitive Data Exposure 2. Broken Authentication 7. Missing Function Level Access Control 3. Cross Site Scripting 8. CSRF 4. Insecure Direct Object References 9. Vulnerable Components 5. Security Misconfiguration 10.Unvalidated Redirects
  • 9. Injection Allowing non-sanitized user data into persistent data queries.
  • 10. Injection Most obvious example User.where("email LIKE '%#{params[:email]}%'") Less obvious example User.find(params[:id]).update_attributes(params[:user])
  • 11. Injection Solution is to use scopes or Squeel Turn this bad code User.where("email LIKE '%#{params[:email]}%'") into this sanitized code User.where{email =~ “%#{params[:email]}%”}
  • 12. Injection This update allows them to get the admin role User.update_attributes(params[:user]) This does not good_params = params[:user].slice(:name, :email) User.update_attributes(good_params)
  • 13. Cross Site Scripting Allowing user injected Javascript to run in your site.
  • 14. Cross Site Scripting Most obvious example %p=@user.biography.html_safe Less obvious example %p=link_to @user.name.html_safe, @user.homepage
  • 15. Cross Site Scripting Solution #1 Don’t use html_safe Solution #2 Use a sanitizer gem like rgrove/sanitize
  • 16. Insecure Direct Object Reference Allowing a user to access data they should not access.
  • 17. Insecure Direct Object Reference Using file references send_file “docs/#{params[:id]}.pdf” Using a UNIX command `rake gen:test_data[#{params[:test_id]}]`
  • 18. Insecure Direct Object Reference Use whitelists for file references Use thoughtbot/cocaine for UNIX commands Or just don’t use UNIX commands
  • 19. Missing Authorization Every secure page needs to authorize the user against the used data
  • 20. Missing Authorization ! 1.Non-admin user can read, but not update an order 2.They navigate to the order show page • /site/123/order/456 3. They hand edit the url to this • /site/123/order/456/edit With authorization they should not see that page
  • 21. Cross Site Request Forgery Accepting potentially dangerous data from other domains
  • 22. Cross Site Request Forgery Logs in Admin Navigates to Your site Via hidden image Posts back to Malicious site Your site
  • 23. Cross Site Request Forgery Solution Part 1 Disable posting from other domains. See rhk/rack_protection. Solution Part 2 Always use POST for editing data
  • 24. Unvalidated Redirects Redirecting a user to an unvalidated URL
  • 25. Unvalidated Redirects render params[:page]
  • 26. Unvalidated Redirects redirect_to @user.website
  • 27. Unvalidated Redirects Dynamic Rendering case params[:page] when ‘show’ render :show when ‘edit’ render :edit else render :index end
  • 28. Unvalidated Redirects Dynamic Redirect Either avoid doing it or use an interstitial page.
  • 29. Never trust user input!
  • 30. How many vulnerabilities in your code?
  • 31. Tools to Answer That • Brakeman gem • • good to get started Code Climate • good for ongoing analysis • Coupon! IFU15MA2
  • 32. Demo Time