OWASP and Rails Security
RoR Meetup, December 10, 2013
What could happen if
your source code was
leaked?
MongoDB Hacked
•

CI and Static Analysis
companies used them to store
GitHub Keys

•

Those GitHub keys could have
granted...
Prezi Source Leaked
•

One of their developers
inadvertently posted his repo
credentials

•

White hat hacker was able to
...
What is OWASP?
OWASP Background
•

Founded in 2001

•

Non-profit organization

•

Produces lots of material on how to
secure web applicat...
OWASP Top 10, 2013
1. Injection

6. Sensitive Data Exposure

2. Broken Authentication

7. Missing Function Level
Access Co...
OWASP Top 10, 2013
1. Injection

6. Sensitive Data Exposure

2. Broken Authentication

7. Missing Function Level
Access Co...
Injection
Allowing non-sanitized user data into
persistent data queries.
Injection
Most obvious example
User.where("email LIKE '%#{params[:email]}%'")

Less obvious example
User.find(params[:id])...
Injection
Solution is to use scopes or Squeel
Turn this bad code
User.where("email LIKE '%#{params[:email]}%'")

into this...
Injection
This update allows them to get the admin role
User.update_attributes(params[:user])

This does not
good_params =...
Cross Site Scripting
Allowing user injected Javascript to run
in your site.
Cross Site Scripting
Most obvious example
%p=@user.biography.html_safe

Less obvious example
%p=link_to @user.name.html_sa...
Cross Site Scripting
Solution #1
Don’t use html_safe

Solution #2
Use a sanitizer gem like rgrove/sanitize
Insecure Direct Object Reference
Allowing a user to access data they
should not access.
Insecure Direct Object Reference
Using file references
send_file “docs/#{params[:id]}.pdf”

Using a UNIX command
`rake gen:...
Insecure Direct Object Reference
Use whitelists for file references
Use thoughtbot/cocaine for UNIX commands
Or just don’t ...
Missing Authorization
Every secure page needs to authorize
the user against the used data
Missing Authorization
!

1.Non-admin user can read, but not update an order
2.They navigate to the order show page
• /site...
Cross Site Request Forgery
Accepting potentially dangerous data
from other domains
Cross Site Request Forgery
Logs in
Admin

Navigates to
Your site

Via hidden image
Posts back to

Malicious site

Your sit...
Cross Site Request Forgery
Solution Part 1
Disable posting from other domains.
See rhk/rack_protection.

Solution Part 2
A...
Unvalidated Redirects
Redirecting a user to an unvalidated
URL
Unvalidated Redirects
render params[:page]
Unvalidated Redirects
redirect_to @user.website
Unvalidated Redirects
Dynamic Rendering
case params[:page]
when ‘show’
render :show
when ‘edit’
render :edit
else
render :...
Unvalidated Redirects
Dynamic Redirect
Either avoid doing it or use an interstitial page.
Never trust user input!
How many
vulnerabilities in your
code?
Tools to Answer That
•

Brakeman gem
•

•

good to get started

Code Climate
•

good for ongoing analysis

•

Coupon! IFU1...
Demo Time
Upcoming SlideShare
Loading in …5
×

OWASP Top 10 and Securing Rails - Sean Todd - PayNearMe.com

1,407 views

Published on

Silicon Valley Ruby on Rails Meetup - December 10th, 2013
OWASP Top 10 and Securing Rails
An introduction to the OWASP Top 10 and how to use it and other tools to secure your Rails code.

Published in: Technology
0 Comments
4 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
1,407
On SlideShare
0
From Embeds
0
Number of Embeds
4
Actions
Shares
0
Downloads
0
Comments
0
Likes
4
Embeds 0
No embeds

No notes for slide

OWASP Top 10 and Securing Rails - Sean Todd - PayNearMe.com

  1. 1. OWASP and Rails Security RoR Meetup, December 10, 2013
  2. 2. What could happen if your source code was leaked?
  3. 3. MongoDB Hacked • CI and Static Analysis companies used them to store GitHub Keys • Those GitHub keys could have granted the attacker access to your source code
  4. 4. Prezi Source Leaked • One of their developers inadvertently posted his repo credentials • White hat hacker was able to grab all of their source without their knowledge
  5. 5. What is OWASP?
  6. 6. OWASP Background • Founded in 2001 • Non-profit organization • Produces lots of material on how to secure web applications • Top 10 is an ongoing list of the most important web app vulnerabilities
  7. 7. OWASP Top 10, 2013 1. Injection 6. Sensitive Data Exposure 2. Broken Authentication 7. Missing Function Level Access Control 3. Cross Site Scripting 8. CSRF 4. Insecure Direct Object References 9. Vulnerable Components 5. Security Misconfiguration 10.Unvalidated Forward/Redirect
  8. 8. OWASP Top 10, 2013 1. Injection 6. Sensitive Data Exposure 2. Broken Authentication 7. Missing Function Level Access Control 3. Cross Site Scripting 8. CSRF 4. Insecure Direct Object References 9. Vulnerable Components 5. Security Misconfiguration 10.Unvalidated Redirects
  9. 9. Injection Allowing non-sanitized user data into persistent data queries.
  10. 10. Injection Most obvious example User.where("email LIKE '%#{params[:email]}%'") Less obvious example User.find(params[:id]).update_attributes(params[:user])
  11. 11. Injection Solution is to use scopes or Squeel Turn this bad code User.where("email LIKE '%#{params[:email]}%'") into this sanitized code User.where{email =~ “%#{params[:email]}%”}
  12. 12. Injection This update allows them to get the admin role User.update_attributes(params[:user]) This does not good_params = params[:user].slice(:name, :email) User.update_attributes(good_params)
  13. 13. Cross Site Scripting Allowing user injected Javascript to run in your site.
  14. 14. Cross Site Scripting Most obvious example %p=@user.biography.html_safe Less obvious example %p=link_to @user.name.html_safe, @user.homepage
  15. 15. Cross Site Scripting Solution #1 Don’t use html_safe Solution #2 Use a sanitizer gem like rgrove/sanitize
  16. 16. Insecure Direct Object Reference Allowing a user to access data they should not access.
  17. 17. Insecure Direct Object Reference Using file references send_file “docs/#{params[:id]}.pdf” Using a UNIX command `rake gen:test_data[#{params[:test_id]}]`
  18. 18. Insecure Direct Object Reference Use whitelists for file references Use thoughtbot/cocaine for UNIX commands Or just don’t use UNIX commands
  19. 19. Missing Authorization Every secure page needs to authorize the user against the used data
  20. 20. Missing Authorization ! 1.Non-admin user can read, but not update an order 2.They navigate to the order show page • /site/123/order/456 3. They hand edit the url to this • /site/123/order/456/edit With authorization they should not see that page
  21. 21. Cross Site Request Forgery Accepting potentially dangerous data from other domains
  22. 22. Cross Site Request Forgery Logs in Admin Navigates to Your site Via hidden image Posts back to Malicious site Your site
  23. 23. Cross Site Request Forgery Solution Part 1 Disable posting from other domains. See rhk/rack_protection. Solution Part 2 Always use POST for editing data
  24. 24. Unvalidated Redirects Redirecting a user to an unvalidated URL
  25. 25. Unvalidated Redirects render params[:page]
  26. 26. Unvalidated Redirects redirect_to @user.website
  27. 27. Unvalidated Redirects Dynamic Rendering case params[:page] when ‘show’ render :show when ‘edit’ render :edit else render :index end
  28. 28. Unvalidated Redirects Dynamic Redirect Either avoid doing it or use an interstitial page.
  29. 29. Never trust user input!
  30. 30. How many vulnerabilities in your code?
  31. 31. Tools to Answer That • Brakeman gem • • good to get started Code Climate • good for ongoing analysis • Coupon! IFU15MA2
  32. 32. Demo Time

×