OWASP Top 10 for Rails developers

Greg Molnar

Greg Molnar Working with Rails since 2012

Greg Molnar Working with Rails since 2012 Certified penetration tester
since 2017

OWASP Top 10 Top 10 most common vulnerabilities found in
web applications

OWASP Top 10 Top 10 most common vulnerabilities found in
web applications Last updated in 2025

A10: Mishandling of Exceptional Conditions

Mishandling of Exceptional Conditions improper error handling logical errors failing
open triggering abnormal conditions

class PaymentsController < ActionController::Base before_action :verify_authorization! def show @payment =
Payment.find(params[:id]) end private def verify_authorization! AuthorizationService.authorize!(:read_payment, params[:id]) rescue => e Rails.logger.info "Authorization Service Failed: #{e.message}" # No 'render' or 'redirect' here means the filter chain continues. end end Mishandling of Exceptional Conditions

class ProfilesController < ApplicationController before_action :set_user before_action :verify_owner!, only: [:settings]
def show;end def settings;end end Mishandling of Exceptional Conditions

def show;end def settings;end def api_keys;end end Mishandling of Exceptional Conditions

class ProfilesController < ApplicationController before_action :set_user before_action :verify_owner!, except: [:show]
def show;end def settings;end def api_keys;end end Mishandling of Exceptional Conditions

class CartController < ApplicationController def update @product = Product.find(params[:product_id]) quantity
= params[:quantity].to_i if @product.in_stock? current_cart.add(@product, quantity) redirect_to cart_path, notice: "Cart updated!" else redirect_to product_path(@product), alert: "Item out of stock." end end end Mishandling of Exceptional Conditions

class CartController < ApplicationController def update @product = Product.find(params[:product_id]) quantity
= params[:quantity].to_i.abs if @product.in_stock? current_cart.add(@product, quantity) redirect_to cart_path, notice: "Cart updated!" else redirect_to product_path(@product), alert: "Item out of stock." end end end Mishandling of Exceptional Conditions

A9: Security Logging & Alerting Failures

A9: Security Logging & Alerting Failures insufficient logging and alerting
inserting sensitive data to log files

Logging Failures API keys PII (Personally Identifiable Information) data

Logging Failures API keys PII (Personally Identifiable Information) data Logs
are not encrypted Usually stored at 3rd parties

Logging Failures # config/initializers/filter_parameter_logging.rb Rails.application.config.filter_parameters += [ :passw, :email, :secret,
:token, :_key, :crypt, :salt, :certificate, :otp, :ssn, :cvv, :cvc ]

Alerting Failures Lack of alerting Setup monitoring and alerting in
Datadog, Splunk, etc

Alerting Failures Elevated number of login attempts(successful and failed) Authorization
failures or access denials Rate-limit hits Permission or role changes Integration settings changes like API key generation Error events Business logic related events.

A8: Software or Data Integrity Failures

A8: Software or Data Integrity Failures wrong assumptions related to
dependencies and critical data without verifying integrity

Software or Data Integrity Failures bundle --trust-policy HighSecurity

Software or Data Integrity Failures verifier = ActiveSupport::MessageVerifier.new token =
verifier.generate("signed message", purpose: :login) @verifier.verify(token, purpose: :login) # => "signed message"

A7: Authentication Failures

A7: Authentication Failures insufficient prevention of automated attacks

Rate limiting class SessionsController < ApplicationController rate_limit to: 10, within:
3.minutes, only: :create, with: -> { redirect_to new_session_path, alert: "Try again later." } # ... end

Authentication Failures rack-attack gem

Weak passwords

Weak passwords class User validates :password, format: { with: /\A(?=.{10,})(?=.*[A-Z])(?=.*[a-z])(?=.*\d)(?=.*[[:punct:]])/,
message: "is too weak. It must be at least 10 characters long and include an uppercase letter, a lowercase letter, a digit, and a special character." }, if: -> { password.present? } end

Weak passwords Admin1234!

Weak passwords Admin1234! Validate for complexity

Weak passwords Admin1234! Validate for complexity zxcvbn

Weak passwords Admin1234! Validate for complexity zxcvbn pwned

Weak passwords Encrypt passwords

Multi-factor authentication

Multi-factor authentication SMS codes are prone to SIM swapping

Multi-factor authentication SMS codes are prone to SIM swapping TOTP
or hardware key

Multi-factor authentication SMS codes are prone to SIM swapping TOTP
or hardware key Password reset

Session fixation

Session fixation reset_session

A6: Insecure Design

Insecure Design

Insecure Design Involve security team or champion

Insecure Design Involve security team or champion Secure coding practices

Tests for security

Tests for security Make sure security requirements are met

Tests for security Make sure security requirements are met Static code analysis Vulnerable dependencies check

A5: Injections

A5: Injections SQL injections NoSQL injections Cross-Site Scripting(XSS) Command injections

SQL Injection group select ActiveRecord::Calculations#calculate `count`, `sum`, `average`, `minimum`, and
`maximum`

Second order SQL Injection

Second order SQL Injection class ReportsController < ApplicationController def create
@report = Report.new(report_params) if @report.save redirect_to reports_path else render :new end end private def report_params params.require(:report).permit(:group, :columns) end end

Second order SQL Injection def show @report = Report.find(params[:id]) @result
= Order.select(@report.columns).group(@report.group) end

XSS params[:back] = 'javascript:alert(xss)' link_to "Back", params[:back]

Command injection system `` (backticks) exec eval open IO.popen

Command injection Terrapin gem

A04: Cryptographic Failures

Cryptographic Failures Active Record Encryption

Cryptographic Failures has_secure_token has_secure_password generates_token_for

A03: Software Supply Chain Failures

A03: Software Supply Chain Failures Install Rails and Ruby security
releases

A03: Software Supply Chain Failures Install Rails and Ruby security
releases bundle audit importmaps audit yarn audit

A02:Security Misconfiguration

A02:Security Misconfiguration Development features in production

A02:Security Misconfiguration Development features in production Unauthenticated MissionControl, SidekiqUI

A01:Broken Access Control

def show;end def settings;end def api_keys;end end Broken Access Control

class DocumentsController < ApplicationController def create @document = Document.new(document_params) @document.uploader
= Current.user … End private def document_params params.require(:document).permit(:title, :description, :external_url, :company_id, :file) end end Broken Access Control

class AdminUser < ApplicationRecord ... enum :role, %w[moderator maintainer core].index_by(&:itself)
... end Broken Access Control

class AdminUserPolicy def initialize(admin_user) @admin_user = admin_user end def change_role?
admin_user.core? end def invite? admin_user.core? || admin_user.maintainer? end def deactivate? admin_user.core? end ... end Broken Access Control

module Admin class InvitationsController < Devise::InvitationsController before_action :authorize_admin, only: %i[new
create] before_action :configure_permitted_parameters def create ... end private def configure_permitted_parameters devise_parameter_sanitizer.permit(:invite, keys: %i[name email role]) end end Broken Access Control

Thank you You can follow me on Twitter @gregmolnar Or
on my blog https://greg.molnar.io

OWASP Top 10 for Rails developers

OWASP Top 10 for Rails developers

More Decks by Greg Molnar

Other Decks in Programming

Featured

Transcript