
Web Application Security - Scotland on Rails presentation


My presentation for the Scotland on Rails 2009 conference. There will be a video of it later which will (hopefully) make more sense. Also look out for related blog entries at http://www.mccune.org.uk



  1. Web Application Security: Rails & the OWASP Top-10. Rory McCune - rorym@mccune.org.uk
  3. Background - Who am I? IT Security Professional. 14 years in IT, 9 years in IT Security, 3 in “Ethical Hacking”. I get to break into websites for a living.
  7. Why is this Important? 1. Bad guys will try to break into your applications. 2. Good guys will try to break into your applications. 3. Depending on your industry, regulators will be interested in the security of your code.
  13. OWASP & the Top-10. OWASP - Open Web Application Security Project: hosts and sponsors web application security projects; also has a chapter organisation around the world. OWASP Top-10: listing of the “most critical” Web Application Security flaws.
  18. No Silver Bullets - “We’ve got a Firewall, so we don’t need to worry” - “We use SSL, so we don’t need to worry” - “We use a framework, so we don’t need to worry”
  20. Public Enemy Number 1: INPUT
  28. Dealing with Input. Two main approaches: Input Validation; Output Normalization. Things to think about: need to deal with ALL inputs/outputs (form fields, cookies, headers...); where to validate; how to validate (black list / white list).
  32. Specific Problems - XSS: “Allowing a malicious user of your application to execute scripts in other users’ browsers”. Very common in web applications (90%+ of sites). Can have serious consequences - cookie stealing, page defacement...
  37. Example - Rails Weblog: XSS in the Comment section of a popular Rails weblog application. Comment body, e-mail address and website address were escaped OK with h(), but the author name was not. Before: <%= link_to_unless item.url.blank?, ((item.author || '(unknown)').slice(0,40)), item.url %> After: <%= link_to_unless item.url.blank?, ((h(item.author) || '(unknown)').slice(0,40)), item.url %>
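The comment-author link from the slide above, rebuilt as an added example (not the weblog's or Rails' code) so it runs in plain Ruby: h() here wraps ERB::Util.html_escape, which is the same escaping Rails' h() performs, and link_to_unless is a minimal stand-in for the Rails helper.

```ruby
# Added example, not the weblog's or Rails' code: the comment-author link from
# the slide rebuilt so it runs in plain Ruby. h() wraps ERB::Util.html_escape,
# the same escaping Rails' h() performs; link_to_unless is a minimal stand-in.
require "erb"

Comment = Struct.new(:author, :url)

def h(s)
  ERB::Util.html_escape(s)
end

def blank?(s)
  s.nil? || s.strip.empty?
end

# Plain text when the condition holds, otherwise an anchor. The href is escaped
# too, so a quote in the URL cannot break out of the attribute.
def link_to_unless(condition, text, url)
  condition ? text : %(<a href="#{h(url)}">#{text}</a>)
end

# Before the fix: the author name goes into the page unescaped.
def author_link_vulnerable(item)
  link_to_unless(blank?(item.url), (item.author || "(unknown)").slice(0, 40), item.url)
end

# After the fix. Two details: truncate first and escape last, so a cut cannot
# land inside an entity; and keep the fallback inside h(), because h(nil) is ""
# (truthy), so `h(item.author) || "(unknown)"` would never show "(unknown)".
def author_link_fixed(item)
  link_to_unless(blank?(item.url), h((item.author || "(unknown)").slice(0, 40)), item.url)
end

# Constructed samples: a commenter whose "name" is a script tag, and an
# anonymous one.
EVIL = Comment.new("<script>alert(document.cookie)</script>", "http://example.com/")
ANON = Comment.new(nil, "")

if __FILE__ == $0
  puts author_link_vulnerable(EVIL) # <a href=...><script>...</script></a>
  puts author_link_fixed(EVIL)      # <a href=...>&lt;script&gt;...&lt;/script&gt;</a>
  puts author_link_fixed(ANON)      # (unknown)
end
```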
  43. Fixing XSS - 1. Standard recommended approach: use the h() function in all your views. Problem - the bad data goes into your database. Problem - you need to remember *EVERY* time. Safe ERB can help with this.
  49. Fixing XSS - 2. Input Validation: loads of options here - sanitize helper; plugin - sanitize_params; plugin - xss_terminate.
  53. SQL Injection: allowing SQL statements to be inserted into your application by a user. Potentially devastating, can allow an attacker to take over the server. (* Comic courtesy of xkcd.com)
  59. SQL Injection in Rails: limited problem due to use of ActiveRecord. Never directly insert strings into queries: User.find(:all, :conditions => "name = '#{params[:name]}'") Who knew someone’s name could be ' OR 1=1-- One other thing - framework bugs...
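An added example (not from the slides) showing what the interpolated :conditions string above produces against the name from the slide, next to ActiveRecord's bind-parameter form. ActiveRecord is not loaded; quote_value and sanitize_sql_array are simplified re-implementations of its single-quote doubling, enough to show the resulting SQL text.

```ruby
# Added example (not the slides' or ActiveRecord's code): the interpolated
# :conditions string from the slide beside the ["name = ?", value] form.
# quote_value/sanitize_sql_array are simplified stand-ins for ActiveRecord's
# quoting (single quotes doubled) so the resulting SQL text can be inspected.
def quote_value(v)
  "'" + v.to_s.gsub("'", "''") + "'"
end

# Equivalent of :conditions => ["name = ?", value]: each ? is replaced by the
# quoted value, so the value can never terminate the string literal.
def sanitize_sql_array(ary)
  sql, *values = ary
  sql.gsub("?") { quote_value(values.shift) }
end

# The slide's pattern: user input pasted straight into the WHERE clause.
def conditions_vulnerable(params)
  "name = '#{params[:name]}'"
end

def conditions_safe(params)
  sanitize_sql_array(["name = ?", params[:name]])
end

# Review check: blank out string literals (handling doubled quotes), then count
# predicates. A single-parameter lookup should yield exactly one.
def predicate_count(where)
  where.gsub(/'(?:[^']|'')*'/, "?").split(/\b(?:OR|AND)\b/i).size
end

# Constructed sample: the "name" from the slide.
EVIL_NAME = { :name => "' OR 1=1--" }

if __FILE__ == $0
  puts conditions_vulnerable(EVIL_NAME) # name = '' OR 1=1--'   (two predicates)
  puts conditions_safe(EVIL_NAME)       # name = ''' OR 1=1--'  (one quoted literal)
end
```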
  63. Session Management: web applications are innately stateless; we use session IDs to manage this. Problem - the session ID needs to be secured.
  67. Cookie Store: default session handling method in Rails 2+. Stores the session on the client machine. Uses a signature to prevent tampering.
  74. Cookie Store - Problems? Generated some controversy when it was first released; concerns around the security of storing the session client side. Actually not too much of a problem, so long as you.... use a strong secret; don’t store anything sensitive in the session; watch out for session replay.
  81. Things to think about. Session expiry: set as short as practical (consider shared machines!). Transmission in the clear: anyone using the conference wi-fi? Cookie options: set the Secure session cookie option.
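A miniature of the cookie-store design the three slides above describe, added here as an example (not the slides' or Rails' code): the session is serialised, base64-encoded and signed with an HMAC over a server-side secret, joined as payload--digest. JSON stands in for Rails' Marshal so nothing is deserialised from an untrusted blob, and the secret is a constructed stand-in for the :secret configured in config/environment.rb.

```ruby
# Added example (not the slides' or Rails' code): a miniature of the Rails 2
# cookie store. The session is serialised, base64-encoded and signed with an
# HMAC over a server-side secret, joined as "payload--digest". JSON stands in
# for Rails' Marshal so nothing is deserialised from an untrusted blob.
require "json"
require "base64"
require "openssl"

SECRET = "constructed-demo-secret-do-not-reuse-0123456789" # stand-in for :secret

def sign(payload, secret = SECRET)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("sha256"), secret, payload)
end

# Constant-time comparison so timing does not leak which digest byte differs.
def secure_equal?(a, b)
  a.bytesize == b.bytesize && a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def write_session_cookie(session, secret = SECRET)
  payload = Base64.strict_encode64(JSON.generate(session))
  "#{payload}--#{sign(payload, secret)}"
end

# Set-Cookie value with the options the slides ask for (Secure, plus HttpOnly).
def set_cookie_header(cookie)
  "_session=#{cookie}; Path=/; Secure; HttpOnly"
end

# Returns the session hash, or nil when the signature does not verify.
def read_session_cookie(cookie, secret = SECRET)
  payload, digest = cookie.split("--", 2)
  return nil unless payload && digest && secure_equal?(digest, sign(payload, secret))
  JSON.parse(Base64.strict_decode64(payload))
rescue ArgumentError, JSON::ParserError
  nil
end

# Signed is not encrypted: any holder of the cookie can read the session,
# which is why nothing sensitive belongs in it.
def peek_session(cookie)
  JSON.parse(Base64.strict_decode64(cookie.split("--", 2).first))
end

# What the signature defends against: user_id changed, old digest kept.
def tampered(cookie)
  payload = Base64.strict_encode64(JSON.generate(peek_session(cookie).merge("user_id" => 1)))
  "#{payload}--#{cookie.split("--", 2).last}"
end
```

Replay (a stolen but valid cookie reused later) is not caught by the signature at all; only a short expiry stored inside the signed payload, or server-side revocation, limits it.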
  87. Authentication & Authorization. Authentication: http authentication; restful_authentication & others. Authorization: dealing with forceful browsing.
  93. Password Management - common password security problems. Passing in the clear: ssl_requirement. Storing in the clear: always store hashes with salt and pepper.
  100. More Password Management. Brute forcing: password strength (validates_format_of); account lockout? Password change forms: always ask for the original password. Password reset.
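Salted and peppered password storage as the two slides above recommend, plus a strength rule in the spirit of validates_format_of, as an added example (not restful_authentication's or the slides' code). The per-user salt is stored next to the hash; the pepper is a constructed stand-in for a server-wide secret kept out of the database; PBKDF2 from OpenSSL replaces the plain SHA1 of 2009-era plugins so that guessing is slow.

```ruby
# Added example (not restful_authentication's or the slides' code): salted and
# peppered password hashing. Salt is random per user and stored with the hash;
# the pepper is a server-wide secret kept out of the database (constructed
# value here). PBKDF2 rather than plain SHA1 makes each guess expensive.
require "openssl"
require "securerandom"

PEPPER = "constructed-demo-pepper-keep-in-config-not-db"
ITERATIONS = 20_000

def hash_password(password, salt, pepper = PEPPER)
  OpenSSL::PKCS5.pbkdf2_hmac(password + pepper, salt, ITERATIONS, 32, "sha256").unpack1("H*")
end

# The two columns to store on the user record.
def create_credentials(password)
  salt = SecureRandom.hex(16)
  { :salt => salt, :crypted_password => hash_password(password, salt) }
end

# Constant-time comparison of the stored and recomputed hashes.
def secure_equal?(a, b)
  a.bytesize == b.bytesize && a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def authenticate(user, password, pepper = PEPPER)
  secure_equal?(user[:crypted_password], hash_password(password, user[:salt], pepper))
end

# Strength rule like a validates_format_of regex: 8+ chars with a letter and a digit.
PASSWORD_FORMAT = /\A(?=.*[A-Za-z])(?=.*\d).{8,}\z/

def strong_password?(password)
  !!(password =~ PASSWORD_FORMAT)
end
```

Without the pepper (for example, a leaked database dump alone) the stored hashes cannot be verified or brute-forced offline, which is the point of keeping it outside the database.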
  101. Conclusion: Rails provides a lot of tools to help develop secure applications. It doesn’t remove the need to think about this during development.
  102. More information: OWASP - Ruby on Rails Security Guide, Secure Coding Guide ... (www.owasp.org); Rails wiki; blogs.
  103. Questions?
  104. Bonus Box - How to Test. Where to start: OWASP Testing Guide; Web Application Hacker's Handbook. Tools: proxy (e.g. WebScarab, Burp); automation - Ronin, Metasploit.
