nil authenticate_user! else key = ApiKey.find_by_token(token) if key != nil and key.worker == true return true else puts "Invalid token" return false end end end In command controller: before_filter :authenticate_user!, :except => [:show] In show method: worker = restrict_access_by_token_to_worker Tuesday, December 4, 12
on variable input that is passed down to a command line call. • Most easily demonstrated like so… http://example.com/page.php?id=123;ifconfig Tuesday, December 4, 12
do |format| format.html { redirect_to service_requests_url } format.json { head :no_content } end end def show @service_request = ServiceRequest.find(params[:id]) respond_to do |format| format.html # show.html.erb format.json { render json: @service_request } end end Tuesday, December 4, 12
respond_to do |format| format.html { redirect_to service_requests_url } format.json { head :no_content } end end def show @service_request = ServiceRequest.find(params[:id]) respond_to do |format| if (user_can_access_service_request(@service_request)) format.html # show.html.erb format.json { render json: @service_request } else @service_request = ServiceRequest.new @service_request.errors.add(:base, "You do not have access to this object.") flash[:error] = "Unable to access specified instance." format.html { render action: "new" } format.json { render json: @service_request.errors, status: :unprocessable_entit end end end Tuesday, December 4, 12
AHacker convinces user to click a link, Javascript is executed in target browser. • Most easily demonstrated like so… • hHp://example.com/page?id=<script>alert(‘xss’)</ script> Tuesday, December 4, 12
claudijd
paulrobertlloyd
revolveconf
jasonvnalue
mza
keavy
chrislema
cherdarchuk
pauljervisheath
dougneiner
iamctodd
maltzj
cassininazir
![In ApplicationController: def restrict_access_by_token_to_worker() token = request.env["HTTP_AUTHORIZATION"] if token ==](https://files.speakerdeck.com/presentations/925ccf004ddf0130e7f01231381d4fe0/slide_33.jpg){kind=link}
![SQL Injection 1 @project = Project.find(params[:id]) 2 @projects = Project.find(:all,](https://files.speakerdeck.com/presentations/925ccf004ddf0130e7f01231381d4fe0/slide_39.jpg){kind=link}
![Before and After def destroy @service_request = ServiceRequest.find(params[:id]) @service_request.destroy respond_to](https://files.speakerdeck.com/presentations/925ccf004ddf0130e7f01231381d4fe0/slide_42.jpg){kind=link}
![After def destroy @service_request = ServiceRequest.find(params[:id]) if (user_can_access_service_request(@service_request)) @service_request.destroy end](https://files.speakerdeck.com/presentations/925ccf004ddf0130e7f01231381d4fe0/slide_44.jpg){kind=link}
