In this talk, Matt Konda and I talk about common security issues with Rails apps and encourage our security audience to find ways to meet with and work with the Ruby/Rails community.
and interesting platform in much need of security attention. At a recent ChicagoRuby Meetup, 2 of 97 attendees had ever heard of OWASP. We want to change that. We want you to help.
Ruby language features:
Makes the development process fast and simple.
Default RESTful interface and XML + JSON APIs.
Very healthy library ecosystem.
Popular with developers for prototyping and rapid small-team application development.
Also used for large-scale applications.
Rails 2.x needs to escape text. Rails 3.x should escape everything. However, where a programmer wants to store unescaped input this can be bypassed. Happens all the time.
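The escaping point above, as an added example that is not part of the talk: a minimal comment renderer in plain Ruby (no Rails needed) that escapes by default, the way Rails 3 views do, and exposes a `raw:` opt-out standing in for the "store and emit unescaped input" bypass. The helper name and the stored comment body are constructed for this illustration.

```ruby
require 'erb'

# Added example (not from the talk): render a stored comment with escaping on
# by default; `raw: true` reproduces the bypass where stored markup reaches
# the browser unescaped.
def render_comment(author, body, raw: false)
  safe_author = ERB::Util.html_escape(author)
  safe_body   = raw ? body : ERB::Util.html_escape(body)
  "<p class=\"comment\"><b>#{safe_author}</b>: #{safe_body}</p>"
end

# Constructed sample: a comment body that contains markup.
STORED_BODY = 'nice post <script>alert(1)</script>'.freeze

if __FILE__ == $PROGRAM_NAME
  puts render_comment('mallory', STORED_BODY)            # markup is escaped
  puts render_comment('mallory', STORED_BODY, raw: true) # markup is emitted as-is
end
```

The point for review is the `raw:` path: every place a template opts out of escaping needs a reason and a check that the data is not user-controlled.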
creation from values in a hash. Made famous by Egor Homakov, who demonstrated the Rails vulnerability by exploiting GitHub, which runs on Rails, to make a commit to the Rails source code.
be manipulated to make params[:id] look like a hash. Solution: update to Rails 3.2.4, 3.1.5 or 3.0.13, or cast the parameter to a string. http://seclists.org/oss-sec/2012/q2/448
be manipulated to process input as options to the query. Solution: update to Rails 3.2.10, 3.1.9 or 3.0.18, or cast the parameter to a string. https://groups.google.com/forum/#!topic/rubyonrails-security/DCNTNp_qjFM
Model.where(:name => params[:name]) can be made to bypass a query's where clause by sending an empty hash in params[:name]. Variant of CVE-2012-2660 / CVE-2012-2694. Solution: update to Rails 3.2.11, 3.1.10 or 3.0.19, or cast to string. https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/t1WFuuQyavI
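The three parameter-typing issues above share one mitigation the talk names: cast the parameter before it reaches the query. The following is an added example, not code from the talk or from Rails, that makes the cast explicit and loud: anything that arrived as a Hash or Array where a scalar was expected is rejected. The helper names (`scalar_param`, `id_param`, `query_params`, `BadParameter`) and the sample request hashes are constructed for this illustration.

```ruby
# Added example (not from the talk): reject structured request parameters
# (Hash, Array) where a scalar was expected, before they reach a query.
class BadParameter < ArgumentError; end

# Accepts a String, Integer or Symbol and returns it as a String; nil stays
# nil; anything structured raises instead of silently changing query shape.
def scalar_param(value, name: 'param')
  case value
  when String, Integer, Symbol then value.to_s
  when nil then nil
  else raise BadParameter, "#{name}: expected a scalar, got #{value.class}"
  end
end

# An id must be a positive decimal integer; returned as an Integer.
def id_param(value)
  text = scalar_param(value, name: 'id')
  raise BadParameter, 'id: expected a positive integer' unless text =~ /\A[1-9]\d*\z/
  text.to_i
end

# Keep only the keys a query may use, coercing each to a scalar String.
def query_params(params, allowed)
  allowed.each_with_object({}) do |key, out|
    next unless params.key?(key)
    out[key] = scalar_param(params[key], name: key)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: a normal request, and one where the parser produced
  # an empty Hash for 'name' (the case the talk describes).
  ok  = { 'id' => '42', 'name' => 'alice', 'extra' => 'ignored' }
  bad = { 'id' => '42', 'name' => {} }
  p query_params(ok, %w[id name])
  begin
    query_params(bad, %w[id name])
  rescue BadParameter => e
    puts "rejected: #{e.message}"
  end
end
```

Casting with `.to_s` alone turns `{}` into `"{}"`, which is safe for the query but hides the fact that a client sent malformed input; raising instead gives you something to log and alert on.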
params. (All) Creates symbols and parses YAML; basically remote code execution. Not SQLi, but exacerbates other SQLi vulns due to symbol manipulation. Solution: update to Rails 3.2.11, 3.1.10, 3.0.19 or 2.3.15, disable the XML / YAML interfaces, or disable those capabilities within XML parsing. https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/61bkgvnSGTQ https://gist.github.com/4499206 - postmodern RCE
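The "disable those capabilities" advice above, shown as an added example in plain Ruby rather than the Rails parser itself: `YAML.safe_load` from the standard library refuses object tags and, by default, Symbols, so an untrusted document can neither instantiate arbitrary classes nor mint new symbols. The helper name and the three sample documents are constructed for this illustration; the example is not code from the talk.

```ruby
require 'yaml'

# Added example (not from the talk): parse YAML from an untrusted source with
# YAML.safe_load. Returns [:ok, data] or [:rejected, message].
def parse_untrusted_yaml(text)
  [:ok, YAML.safe_load(text)]
rescue Psych::Exception => e
  # DisallowedClass (object tags, Symbols) and SyntaxError both land here.
  [:rejected, e.message]
end

# Constructed sample documents: a plain mapping, one carrying a Ruby object
# tag, and one that would create a Symbol.
PLAIN_DOC  = "name: alice\nage: 30\n".freeze
OBJECT_DOC = "--- !ruby/object:Object {}\n".freeze
SYMBOL_DOC = "--- :admin\n".freeze

if __FILE__ == $PROGRAM_NAME
  [PLAIN_DOC, OBJECT_DOC, SYMBOL_DOC].each do |doc|
    status, detail = parse_untrusted_yaml(doc)
    puts "#{status}: #{detail.inspect}"
  end
end
```

The same principle applied inside Rails is the workaround given in the linked advisory: remove the `yaml` and `symbol` type handlers from the XML parameter parser so that typed XML nodes can no longer reach YAML or Symbol conversion at all.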
a bad week. We don't wish that on anyone. He in turn wants to thank these folks: “Ben Murphy, Magnus Holm, Felix Wilhelm, Darcy Laycock, Jonathan Rudenberg, Bryan Helmkamp, Benoist Claassen and Charlie Somerville for reporting the issue to us and working with us to ensure the fixes worked.”
session. People put all kinds of things in the session. They never expire. Easy to replay after logout. Open source apps sometimes use a public secret for signing cookies. Recommendations: use the database-based session store and expire sessions. Update your secret and keep it secret.
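The two recommendations above (expiry and a private signing secret), as an added example that is not from the talk: a signed session token in the style of a cookie session, with an expiry embedded in the signed payload so a captured token stops verifying after its lifetime, and a secret that must match on verification. The function names, the placeholder secret and the constant-time comparison helper are constructed for this illustration (Rails ships its own); the talk's preferred fix, the database-backed store, removes the replay window in the same way by expiring the server-side record.

```ruby
require 'openssl'
require 'json'

# Added example (not from the talk): signed session token with an expiry.
# DEMO_SECRET is a constructed placeholder; a real deployment loads a random
# secret from configuration and never commits it to a public repository.
DEMO_SECRET = 'constructed-placeholder-secret'.freeze

def hmac_hex(secret, data)
  OpenSSL::HMAC.hexdigest('SHA256', secret, data)
end

# Constant-time comparison so a signature check does not leak timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Sign session data and attach an expiry ('exp', Unix seconds) inside the
# signed payload so the client cannot extend it.
def sign_session(data, secret, now: Time.now.to_i, ttl: 1800)
  payload = [JSON.generate(data.merge('exp' => now + ttl))].pack('m0')
  "#{payload}--#{hmac_hex(secret, payload)}"
end

# Returns the session data, or nil if the signature is wrong, the token is
# malformed, or the expiry has passed.
def verify_session(token, secret, now: Time.now.to_i)
  payload, sig = token.to_s.split('--', 2)
  return nil if payload.nil? || sig.nil?
  return nil unless secure_compare(hmac_hex(secret, payload), sig)
  data = JSON.parse(payload.unpack1('m0'))
  return nil unless data['exp'].is_a?(Integer) && now < data['exp']
  data
end

if __FILE__ == $PROGRAM_NAME
  token = sign_session({ 'user_id' => 42 }, DEMO_SECRET, ttl: 60)
  p verify_session(token, DEMO_SECRET)                           # session data
  p verify_session(token, DEMO_SECRET, now: Time.now.to_i + 61)  # nil: expired
  p verify_session(token, 'other-secret')                        # nil: wrong secret
end
```

Rotating the secret (the talk's "update your secret") invalidates every outstanding token at once, because no old payload verifies under the new key; that is the right response once a secret has been committed to an open-source repository.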
we presented to ChicagoRuby on Rails security. We were fortunate to receive a favorable response and lots of interesting follow-up conversations. On 2/13/2013 we have been invited back to do a Ruby “Hack Night” where we'll have folks run Brakeman and fix security problems. We would LOVE to have you come help us!