Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Rails Security - Bart ten Brinke

3,148 views

Published on

A few slides common holes in rails applications. Finished it to late for reject conf.

Published in: Technology
  • Be the first to comment

Rails Security - Bart ten Brinke

  1. 1. RAILS SECURITY Bart ten Brinke movesonrails.com bart.tenbrinke@movesonrails.com
  2. 2. Why I did this After a security presentation at RailsConfEurope 2007, I found a lot was missing, so I made this. I didn’t finish it in time for reject conf, so I posted it on my blog. No, I am not australian :)
  3. 3. SQL Injection (Old, but even Jason still does this wrong) Don’t do this Person.find(:first, :conditions => “name = #{name}”) Do this Person.find(:first, :conditions => [“name = ?”, name]) Or Person.find_by_name(name)
  4. 4. Cross Site Scripting (XXS) Don’t do this in a view <p>Name: <%= @name %></p> Do this <p>Name: <%= h @name %></p> Don’t forget your link_to’s and images. If you forget just one you are an easy victim.
  5. 5. Skipping security Don’t do this skip_before_filter :check_auth Do this skip_before_filter :check_auth, :only =>[:login] Explicitly specify the actions that skip security. Otherwise new ones will be unsecure by default
  6. 6. Watch out for the TO_JSON XSS exploit Don’t do this in a view <script>posts = <%= @posts.to_json %></script> This is fixed in edge rails (6893) So if you are on 1.2.3, you have a problem. Write your own to_json for the model or mixin the patch for ticket 8371 of rails.
  7. 7. Obfuscate passwords in logging If your log looks like this Processing LoginController#create (for 127.0.0.1 at 2007-09-20 18:16:32) [POST] Session ID: 023b70d61b76c29a0e123e79c8772f4d Parameters: {quot;sign_inquot;=>quot;Sign inquot;, quot;rememberquot;=>quot;quot;, quot;actionquot;=>quot;createquot;, quot;usernamequot;=>quot;Administratorquot;, quot;controllerquot;=>quot;loginquot;, quot;passwordquot;=>quot;im1337quot;} Add this to your application.rb filter_parameter_logging quot;passwordquot;
  8. 8. Are you accessable? Don’t have everything XML or JSON /mykillerapp/users.xml <users> <user> <id type=quot;integerquot;>3</id> <username>administrator</username> <password-hash> 4fc62477c37b2880646336e5b753daef6ae3377b36cab20ddc27c7b933ca6ecd </password-hash> <password-salt>ntoRnlDr</password-salt> </user> </users>
  9. 9. Production deploy Don’t do this production: adapter: mysql database: my_killer_app username: root password: host: localhost Do this Use decent security in a production environment. Also strip all the stuff you don’t need from your tags (like /test).
  10. 10. CONCLUSIONS These are all examples of things I ran into during about one year of full-time Rails development. Realize that there are more! Greetings to everyone who came to RailsConf Europe 2007. It was inspiring! If you have any questions, feel free to email me. Bart ten Brinke movesonrails.com bart.tenbrinke@movesonrails.com

×