Web Security Basics (in Rails)

Transcript

1. ! Web Security Basics (in Rails)

2. ! @alindeman Posted a cat GIF

3. Users

4. Vectors

5. Cross Site Scripting Sometimes written as XSS

6. <%# application.html.erb %> The last user to sign up was

   <%= @user.username %>
7. None

8. Rails 2 The last user to sign up was <script>alert("Howdy");</script>

9. Rails 3+ The last user to sign up was &lt;script&gt;alert("Howdy");&lt;/script&gt;

10. It's more difficult to write code vulnerable to XSS in

    Rails 3+ but not impossible

11. Avoid <%# create.js.erb %>
 $("#welcome").html("Hello <%= @user.username %>"); <%# application.html.erb

    %>
 <%= raw "Hello <strong>#{@user.username}</strong>" %>

12. never render user input directly as HTML

13. SQL Injection

14. None

15. Avoid class Post < ActiveRecord::Base
 def self.search(term)
 where("title LIKE \"%#{term}%\"")


    end
 end

16. Better class Post < ActiveRecord::Base
 def self.search(term)
 where("title LIKE ?",

    "%#{term}%")
 end
 end

17. Best? class Post < ActiveRecord::Base
 def self.search(term)
 where("title LIKE :title",

    title: "%#{term}%")
 end
 end

18. never pass user input directly as SQL

19. class PasswordResetsController < ApplicationController
 # POST /password_resets/reset
 def reset
 if

    user = User.find_by_token(params[:token])
 user.password = params[:password]
 user.save
 else
 render status: 404
 end
 end
 end

20. User.find_by_token("validToken") User.find_by_token("NOTvalidToken") User.find_by_token(0) User.find_by_token(nil)

21. class PasswordResetsController < ApplicationController
 def reset
 if user = User.find_by_token(params[:token])


    user.password = params[:password]
 user.save
 else
 render status: 404
 end
 end
 end

22. class PasswordResetsController < ApplicationController
 # POST /password_resets/reset
 def reset
 if

    params[:token].present? && user = User.find_by_token(params[:token].to_s)
 user.password = params[:password]
 user.save
 else
 render status: 404
 end
 end
 end

23. Cross Site Request Forgery Sometimes written as CSRF

24. The Old Days (Rails 2) # config/routes.rb
 match ':controller(/:action(/:id))(.:format)'

25. The Old Days (Rails 2) <img src="https://example.com/comments/create?comment[body]=lol">

26. some apps may still have this route but it's terribly

    insecure

27. Only use the GET verb for safe actions

28. But what about? <form id="lol" method="post" action="https://example.com/ comments">
 <input type="hidden"

    name="comment[body]" value="lol">
 </form> 
 <script>document.getElementById("lol").submit();</script>

29. NOPE class ApplicationController < ActionController::Base
 # Prevent CSRF attacks by

    raising an exception.
 # For APIs, you may want to use :null_session instead.
 protect_from_forgery with: :exception
 end

30. Authenticity Token <input name="authenticity_token" type="hidden" value="dxhWM3OVQGnnLUN80VdpHOx6zbLeR+XOp7UVSNmngPU=" />

31. Forgery protection is only enabled for verbs other than GET

32. Mass Assignment

33. <%= form_for @user do |f| %>
 <%= f.label :username %>


    <%= f.text_field :username %>
 
 <%= f.label :password %>
 <%= f.text_field :password %>
 <%- end %>

34. class UsersController < ApplicationController
 def create
 @user = User.create(user_params)
 redirect_to

    root_url, notice: "Thanks for signing up!"
 end
 
 private
 def user_params
 params.require(:user).permit!
 end
 end

35. Malicious Users Aren't Limited By Form Fields • Malicious users

    can add extra form fields, either by editing the HTML page in their browser or by submitting requests via other tools • Consider a malicious user who themselves adds
 <input type="hidden" name="user[admin]" value="1">

36. class UsersController < ApplicationController
 def create
 @user = User.create(user_params)
 redirect_to

    root_url, notice: "Thanks for signing up!"
 end
 
 private
 def user_params
 params.require(:user).permit(:username, :password)
 end
 end

37. Not So Obvious Dangers

38. class GraphsController < ApplicationController
 # requests.html.erb
 def requests
 end
 


    # mysql.html.erb
 def mysql
 end
 
 # exceptions.html.erb
 def exceptions
 end
 end

39. A Common Refactor class GraphsController < ApplicationController
 # GET /graphs?name=requests


    # GET /graphs?name=mysql
 # GET /graphs?name=exceptions
 def index
 render params[:name]
 end
 end

40. A Vulnerable Refactor •GET /graphs?name=/etc/passwd •GET /graphs?name=/proc/self/environ •GET /graphs?name[inline]="%3C%25%3D%60rm+-rf+ %2F%60%25%3E"

41. Security Folks <3 Whitelists class GraphsController < ApplicationController
 ValidGraphs =

    ["requests", "mysql", "exceptions"]
 
 def index
 if ValidGraphs.include?(params[:name])
 render params[:name]
 else
 render status: 404
 end
 end
 end

42. Web Security Some Science Some Art

43. None
44. None
45. None
46. None