• Released to the world as ‘extracted’ from BaseCamp
(37Signals) by @dhh during July 2004.
• Merged with Merb Project during December 2008 and Rails
3.0 was released.
• Two supported branch of development currently:
– Rails 3.x
– Rails 4.x
RoR: Web Blog Example
Our Blog is a web application where one or more Users
can self-register and sign-in using their registered
Upon sign-in each User should be able to publish Blog
Post that is visible to any user or visitor of the portal.
Any User or Visitor of the portal should optionally
Comment on any Blog Post.
Learning Ruby on Rails
• Ruby on Rails Official Guide
• Agile Web Development with Rails
• Ruby on Rails Podcasts
• Rails Code School
• Rails Cast
Breaking Ruby on Rails Applications
Image (Karate) by Nicholas Riggle from The Noun Project CC By 2.0
Penetration Testing Rails App
• Black/Gray Box Approach
– Conventional Testing
– Fingerprinting Rails Framework
– Rails specific Vulnerability Testing
– Rails specific Weakness Testing
• White Box Approach
– Automated Scan for known Vulnerabilities
– Attack Surface enumeration through Routes
– Authentication & Authorization Testing
– Common Rails information disclosures (secret_token.rb)
– Model Attributes Security
– Custom/Unconventional SQL Queries Audit
– Responsive View Audit
Attack Surface: Routes
• Default Routing
– <Resource> is handled by app/controllers/<resources>_controller.rb
– CRUD on Resource
• A whole set of attacks are possible on Session
Management functionality of any Web
– Session Hijack, Session Fixation, Session Id Prediction, Session
Data Tampering, Leveraging Session Data for RCE etc.
• Rails provide inbuilt Session Management
– The session object is available to application
developer as a Hash/Map to store arbitrary data.
– The session object is serialized and stored in
corresponding session storage as per configuration.
– Signed cookie is used for session storage by default.
Session Security: Best Practices
Enforce SSL in order to avoid sniffing of session id
Re-generate session after authentication to avoid session fixation
Store session in database instead of Cookie which is default
Cookie based Session Store are susceptible to Replay Attacks
• Multiple Popular Authentication Plugin
– RESTful Authentication
– Auto-generated Registration, Confirmation, Login,
Forgot Password etc.
– Controller filter for enforcing authentication.
• Generic Issues
– Weak Session Management
– Weak Authentication Enforcement
– Weak Password Encryption
• Plugin/Gem Specific
– Devise Vulnerabilities
– Lack of Authentication Enforcement
– Timing Attacks
– Information Gathering through default message
Are all controllers protected by Authentication System?
• Not provided by default in the framework.
– Encourages RESTful design.
• Easy to implement RBAC on Resources
– Multiple Gem/Plugin available
Example usage of CanCan for Authorization
Rails Model Security
• The Business Logic Layer
– Database Abstraction through ORM
– Entity Relationship Definition
– Business Logic
• Common Security Issues
– Attribute Mass Assignment
• Mitigated by default in newer version of Rails
– Custom (insecure) SQL Queries
– Business Logic Vulnerabilities
Rails Model: Insecure SQL Queries
The application developer should ensure that the Query Interface
understand the difference between Query and Data.
Rails Model: SQL Injection Vectors
• ActiveRecord does not escape parameters for
• Dynamic parameters are encoded by default
unless explicitly marked as safe.
• There are scope for Reflected XSS
– Strings marked explicitly with html_safe method.
– Textile/Markdown Injection
– Insecure used of content_tag
• Rails 3.x is vulnerable to Clickjacking & UI
Redressing Type of attacks in default
– Easy Mitigation
• gem ‘secureheaders’ in Gemfile