OWASP Top 10 for Rails developers

Transcript

1. Greg Molnar

2. Greg Molnar Working with Rails since 2012

3. Greg Molnar Working with Rails since 2012 Certified penetration tester

   since 2017

4. OWASP Top 10 for Rails developers

5. OWASP Top 10 Top 10 most common vulnerabilities found in

   web applications

6. OWASP Top 10 Top 10 most common vulnerabilities found in

   web applications Last updated in 2025

7. A10: Mishandling of Exceptional Conditions

8. Mishandling of Exceptional Conditions improper error handling logical errors failing

   open triggering abnormal conditions

9. class PaymentsController < ActionController::Base before_action :verify_authorization! def show @payment =

   Payment.find(params[:id]) end private def verify_authorization! AuthorizationService.authorize!(:read_payment, params[:id]) rescue => e Rails.logger.info "Authorization Service Failed: #{e.message}" # No 'render' or 'redirect' here means the filter chain continues. end end Mishandling of Exceptional Conditions

10. class ProfilesController < ApplicationController before_action :set_user before_action :verify_owner!, only: [:settings]

    def show;end def settings;end end Mishandling of Exceptional Conditions

11. class ProfilesController < ApplicationController before_action :set_user before_action :verify_owner!, only: [:settings]

    def show;end def settings;end def api_keys;end end Mishandling of Exceptional Conditions

12. class ProfilesController < ApplicationController before_action :set_user before_action :verify_owner!, except: [:show]

    def show;end def settings;end def api_keys;end end Mishandling of Exceptional Conditions

13. class CartController < ApplicationController def update @product = Product.find(params[:product_id]) quantity

    = params[:quantity].to_i if @product.in_stock? current_cart.add(@product, quantity) redirect_to cart_path, notice: "Cart updated!" else redirect_to product_path(@product), alert: "Item out of stock." end end end Mishandling of Exceptional Conditions

14. class CartController < ApplicationController def update @product = Product.find(params[:product_id]) quantity

    = params[:quantity].to_i.abs if @product.in_stock? current_cart.add(@product, quantity) redirect_to cart_path, notice: "Cart updated!" else redirect_to product_path(@product), alert: "Item out of stock." end end end Mishandling of Exceptional Conditions

15. A9: Security Logging & Alerting Failures

16. A9: Security Logging & Alerting Failures insufficient logging and alerting

    inserting sensitive data to log files

17. Logging Failures API keys PII (Personally Identifiable Information) data

18. Logging Failures API keys PII (Personally Identifiable Information) data Logs

    are not encrypted Usually stored at 3rd parties

19. Logging Failures # config/initializers/filter_parameter_logging.rb Rails.application.config.filter_parameters += [ :passw, :email, :secret,

    :token, :_key, :crypt, :salt, :certificate, :otp, :ssn, :cvv, :cvc ]

20. Alerting Failures Lack of alerting Setup monitoring and alerting in

    Datadog, Splunk, etc

21. Alerting Failures Elevated number of login attempts(successful and failed) Authorization

    failures or access denials Rate-limit hits Permission or role changes Integration settings changes like API key generation Error events Business logic related events.

22. A8: Software or Data Integrity Failures

23. A8: Software or Data Integrity Failures wrong assumptions related to

    dependencies and critical data without verifying integrity

24. Software or Data Integrity Failures bundle --trust-policy HighSecurity

25. Software or Data Integrity Failures verifier = ActiveSupport::MessageVerifier.new token =

    verifier.generate("signed message", purpose: :login) @verifier.verify(token, purpose: :login) # => "signed message"

26. A7: Authentication Failures

27. A7: Authentication Failures insufficient prevention of automated attacks

28. Rate limiting class SessionsController < ApplicationController rate_limit to: 10, within:

    3.minutes, only: :create, with: -> { redirect_to new_session_path, alert: "Try again later." } # ... end

29. Authentication Failures rack-attack gem

30. Weak passwords

31. Weak passwords class User validates :password, format: { with: /\A(?=.{10,})(?=.*[A-Z])(?=.*[a-z])(?=.*\d)(?=.*[[:punct:]])/,

    message: "is too weak. It must be at least 10 characters long and include an uppercase letter, a lowercase letter, a digit, and a special character." }, if: -> { password.present? } end

32. Weak passwords Admin1234!

33. Weak passwords Admin1234! Validate for complexity

34. Weak passwords Admin1234! Validate for complexity zxcvbn

35. Weak passwords Admin1234! Validate for complexity zxcvbn pwned

36. Weak passwords Encrypt passwords

37. Multi-factor authentication

38. Multi-factor authentication SMS codes are prone to SIM swapping

39. Multi-factor authentication SMS codes are prone to SIM swapping TOTP

    or hardware key

40. Multi-factor authentication SMS codes are prone to SIM swapping TOTP

    or hardware key Password reset

41. Session fixation

42. Session fixation reset_session

43. A6: Insecure Design

44. Insecure Design

45. Insecure Design Involve security team or champion

46. Insecure Design Involve security team or champion Secure coding practices

47. Insecure Design Involve security team or champion Secure coding practices

    Tests for security

48. Insecure Design Involve security team or champion Secure coding practices

    Tests for security Make sure security requirements are met

49. Insecure Design Involve security team or champion Secure coding practices

    Tests for security Make sure security requirements are met Static code analysis Vulnerable dependencies check

50. A5: Injections

51. A5: Injections SQL injections NoSQL injections Cross-Site Scripting(XSS) Command injections

52. SQL Injection group select ActiveRecord::Calculations#calculate `count`, `sum`, `average`, `minimum`, and

    `maximum`

53. Second order SQL Injection

54. Second order SQL Injection class ReportsController < ApplicationController def create

    @report = Report.new(report_params) if @report.save redirect_to reports_path else render :new end end private def report_params params.require(:report).permit(:group, :columns) end end

55. Second order SQL Injection def show @report = Report.find(params[:id]) @result

    = Order.select(@report.columns).group(@report.group) end

56. XSS

57. XSS params[:back] = 'javascript:alert(xss)' link_to "Back", params[:back]

58. Command injection system `` (backticks) exec eval open IO.popen

59. Command injection Terrapin gem

60. A04: Cryptographic Failures

61. Cryptographic Failures Active Record Encryption

62. Cryptographic Failures has_secure_token has_secure_password generates_token_for

63. A03: Software Supply Chain Failures

64. A03: Software Supply Chain Failures Install Rails and Ruby security

    releases

65. A03: Software Supply Chain Failures Install Rails and Ruby security

    releases bundle audit importmaps audit yarn audit

66. A02:Security Misconfiguration

67. A02:Security Misconfiguration Development features in production

68. A02:Security Misconfiguration Development features in production Unauthenticated MissionControl, SidekiqUI

69. A01:Broken Access Control

70. class ProfilesController < ApplicationController before_action :set_user before_action :verify_owner!, only: [:settings]

    def show;end def settings;end def api_keys;end end Broken Access Control

71. class DocumentsController < ApplicationController def create @document = Document.new(document_params) @document.uploader

    = Current.user … End private def document_params params.require(:document).permit(:title, :description, :external_url, :company_id, :file) end end Broken Access Control

72. class AdminUser < ApplicationRecord ... enum :role, %w[moderator maintainer core].index_by(&:itself)

    ... end Broken Access Control

73. class AdminUserPolicy def initialize(admin_user) @admin_user = admin_user end def change_role?

    admin_user.core? end def invite? admin_user.core? || admin_user.maintainer? end def deactivate? admin_user.core? end ... end Broken Access Control

74. module Admin class InvitationsController < Devise::InvitationsController before_action :authorize_admin, only: %i[new

    create] before_action :configure_permitted_parameters def create ... end private def configure_permitted_parameters devise_parameter_sanitizer.permit(:invite, keys: %i[name email role]) end end Broken Access Control

75. Thank you You can follow me on Twitter @gregmolnar Or

    on my blog https://greg.molnar.io