Triangle.rb - How Secure is Your Rails Site, Anyway?

In this talk from Triangle.rb, Cory Foy details the state of Rails security, including paying attention to libraries you use. He includes real world examples of exploits, and links to resources

Published in: Technology

  1. http://www.flickr.com/photos/mthierry/4595284293 http://www.flickr.com/photos/111692634@N04 How Secure is Your Rails Site, Anyway? Cory Foy foyc@coryfoy.com @cory_foy Tuesday, March 11, 14
  2. Security in a Web World http://blogs.msdn.com/blogfiles/rds/WindowsLiveWriter/RDGatewaydeploymentinaperimeternetworkFi_CBD0/clip_image002_thumb.jpg http://www.comtelindia.com/images/network_diagram_largepic.jpg
  3. Heartland Payment Systems - 134 Million Credit Cards Exposed via a SQL Injection attack and spyware
     TJX Companies - 94 Million Credit Cards Exposed via weak WiFi, or In-Store Kiosk Security was compromised
     LivingSocial - 50 Million records stolen including names, date of birth and salted password
     Federal Reserve - 4,000 records of key bank executives containing personal information stolen via a vulnerability in an internal website
     Smuckers - Names, Addresses, Credit and Debit Card Numbers, Expiration Dates and Verification Codes stolen from online store
     Target - 40-70 million Credit Cards, PIN and CVVs stolen
  4. Cory Foy foyc@coryfoy.com @cory_foy blog.coryfoy.com prettykoolapps.com
  5. OWASP - Open Web Application Security Project
  6. OWASP Top 10, 2003: Unvalidated Parameters; Command Injection Flaws; Cross Site Scripting Flaws; Buffer Overflows; Error Handling Problems; Insecure Use of Cryptology; Broken Access Control; Web and Application Server Misconfiguration
  7. OWASP Top 10, 2013: Injection; Cross Site Scripting; Cross Site Request Forgery; Insecure Direct Object References; Unvalidated Redirects and Forwards; Sensitive Data Exposure; Missing Function Level Access Control; Broken Authentication and Session Management; Security Misconfiguration; Using Components with Known Vulnerabilities
     (shown alongside the 2003 list: Unvalidated Parameters; Command Injection Flaws; Cross Site Scripting Flaws; Buffer Overflows; Error Handling Problems; Insecure Use of Cryptology; Broken Access Control; Web and Application Server Misconfiguration)
  8. Rails Security
  9. 2013 OWASP Top 10 vs. what Rails gives you:
     Injection - Rails built-in filter to escape SQL characters
     Cross Site Scripting - by default, Rails escapes HTML
     Cross Site Request Forgery - REST / protect_from_forgery
     Insecure Direct Object References - Manual
     Unvalidated Redirects and Forwards - Manual
     Sensitive Data Exposure - Manual
     Missing Function Level Access Control - Manual / Partials
     Broken Authentication and Session Management - secret_key_base / reset_session
     Security Misconfiguration - Manual
     Using Components with Known Vulnerabilities - Manual / Gems
  10. Injection http://xkcd.com/327/ http://localhost:3000/bad/injection?id=1
  11. Cross Site Scripting http://localhost:3000/bad/comments
  12. Cross Site Request Forgery http://localhost:3000/bad/comments
  13. Insecure Direct Object References http://localhost:3000/bad/upload_file
  14. Unvalidated Redirects and Forwards http://localhost:3000/bad/index
  15. Sensitive Data Exposure http://plaintextoffenders.com/ http://localhost:3000/bad/make_payment http://ghost.teario.com/how-not-to-write-an-api/
  16. Missing Function Level Access Control http://localhost:3000/bad/index
  17. Broken Authentication and Session Management
  18. Security Misconfiguration https://github.com/CoryFoy/railssecurityexample
  19. Using Components with Known Vulnerabilities
  20. Standard Rails: 684,805 lines of default included Gem code
  21. Real Examples http://thunderboltlabs.com/blog/2013/12/04/giving-back-to-open-source-security-edition/
  22. Responsible Disclosure
  23. Sorcery Config.send https://github.com/NoamB/sorcery/
      Problem: Sorcery allows the configuration of multiple providers. It figured out the right one by calling Config.send(provider_name.to_sym)
      Why's that a problem? (demo in rails c: Object.ancestors, Kernel.methods(false).sort)
      Fix: Don't trust user-modifiable input, ever
  24. Doorkeeper Symbol GC https://github.com/applicake/doorkeeper/
      Problem: Doorkeeper and Sorcery converted user input to symbols. Symbols are not GC'd, so can use up a lot of memory quickly
      Why's that a problem? loop { (Time.now.to_f.to_s * 100000).to_sym }
      Fix: Inspect user input as a string before converting to a symbol. Whitelist where possible
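The Sorcery slide (dispatching on a user-supplied name with `send`) and the Doorkeeper slide (interning user input with `to_sym`) share the fix the deck gives: whitelist before the string becomes anything else. The Ruby below is an added example, not code from Sorcery, Doorkeeper or the talk; `ProviderConfig`, `ALLOWED_PROVIDERS`, `unsafe_provider`, `safe_provider` and `compare_lookups` are hypothetical names standing in for a Config object with one settings block per provider. It contrasts a lookup that turns the raw request parameter straight into a method name with one that checks the string against a fixed allowlist first, so an unknown value is never symbolised or dispatched (dynamic symbols were not garbage-collected before Ruby 2.2, so every novel string passed to `to_sym` stayed in memory).

```ruby
# Added example, not Sorcery's or Doorkeeper's code. ProviderConfig stands in
# for a Config object that holds one settings block per OAuth provider.
class ProviderConfig
  # Fixed allowlist of provider names the app actually supports (constructed).
  ALLOWED_PROVIDERS = %w[twitter github].freeze

  attr_reader :twitter, :github

  def initialize
    @twitter = { client_id: 'tw-example-id' } # constructed sample settings
    @github  = { client_id: 'gh-example-id' }
  end

  # Unsafe lookup: the request parameter becomes a method name with no check.
  # `send` reaches every method on the object, private ones included, so the
  # caller decides what runs; `to_sym` also interns whatever string it gets.
  # This is the pattern the slides describe, kept here as the "before".
  def unsafe_provider(name)
    send(name.to_sym)
  end

  # Safe lookup: compare the string against the allowlist first. Only a known
  # provider name is ever symbolised or dispatched; anything else is rejected.
  def safe_provider(name)
    unless ALLOWED_PROVIDERS.include?(name)
      raise ArgumentError, "unknown provider #{name.inspect}"
    end
    public_send(name.to_sym)
  end
end

# Run a batch of request values through both lookups and record what each
# one returned: a hash of name => [unsafe_result, safe_result], where a
# result is the class name of the value or the name of the exception raised.
def compare_lookups(names)
  config = ProviderConfig.new
  names.each_with_object({}) do |name, out|
    unsafe = begin
      config.unsafe_provider(name).class.name
    rescue NoMethodError
      'NoMethodError'
    end
    safe = begin
      config.safe_provider(name).class.name
    rescue ArgumentError
      'ArgumentError'
    end
    out[name] = [unsafe, safe]
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request values: one real provider, two method names that are
  # not providers at all, and one name that exists nowhere.
  compare_lookups(%w[github instance_variables object_id no_such_provider]).each do |name, (u, s)|
    puts format('%-20s unsafe=%-14s safe=%s', name, u, s)
  end
end
```

The unsafe lookup happily answers `instance_variables` and `object_id` with an Array and an Integer, because nothing restricts the name to the two providers; the safe lookup answers only `github` and raises for everything else, and it never calls `to_sym` on a string it has not already accepted.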
  25. I18n Injection Issue https://github.com/rails/rails https://github.com/svenfuchs/i18n
      Problem: Missing locales showed an error message which exposed a Cross-Site Scripting attack vector
      Why's that a problem? http://mysite.com/?locale="<script>alert('Hi Mom')</script>"
      Fix: Don't trust user-modifiable input, ever
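The I18n slide describes an error message that echoed the requested locale into HTML. As an added example (not the i18n gem's or Rails' code), the Ruby below builds that message two ways: interpolating the raw parameter, and escaping it with `ERB::Util.html_escape` from the standard library (the same routine behind Rails' `h` helper). It also shows the stronger fix the deck's summary points at: resolve the parameter against an allowlist of configured locales so the error path never needs to echo user input at all. `AVAILABLE_LOCALES`, `missing_locale_html_unsafe`, `missing_locale_html_safe`, `resolve_locale` and `contains_script_tag?` are hypothetical names; the request value is the one on the slide.

```ruby
require 'erb'

# Added example, not the i18n gem's or Rails' code. AVAILABLE_LOCALES is a
# constructed list standing in for an application's configured locales.
AVAILABLE_LOCALES = %w[en de fr].freeze

# The "before": the requested locale is interpolated straight into the HTML
# error message, so markup in the ?locale= parameter is rendered as markup.
def missing_locale_html_unsafe(locale)
  "<p>Locale #{locale} is not available</p>"
end

# The "after": escape the value before it reaches HTML. html_escape turns
# <, >, &, " and ' into entities, so the browser shows the text verbatim.
def missing_locale_html_safe(locale)
  "<p>Locale #{ERB::Util.html_escape(locale)} is not available</p>"
end

# Stronger still: resolve the parameter against the allowlist. A configured
# locale is returned as-is; anything else falls back to the default, and the
# unknown value is never echoed anywhere.
def resolve_locale(param, default: 'en')
  AVAILABLE_LOCALES.include?(param) ? param : default
end

# Check used by the test: does a rendered fragment contain a raw script tag?
def contains_script_tag?(html)
  html.match?(/<script\b/i)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request value mirroring the one on the slide.
  param = "<script>alert('Hi Mom')</script>"
  puts "unsafe:   #{missing_locale_html_unsafe(param)}"
  puts "escaped:  #{missing_locale_html_safe(param)}"
  puts "resolved: #{resolve_locale(param)}"
end
```

Escaping fixes the rendering; the allowlist removes the echo entirely, which is the habit the summary slide is asking for.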
  26. Summary: DON'T EVER TRUST USER INPUT
  27. Rails Security Resources
  28. OWASP https://www.owasp.org/index.php/Main_Page
  29. Rails Security Page and Mailing List http://guides.rubyonrails.org/security.html http://rubyonrails.org/security
  30. OAuth RFC http://tools.ietf.org/html/rfc6819
  31. Books
  32. Cory Foy foyc@coryfoy.com @cory_foy blog.coryfoy.com prettykoolapps.com