Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Rails and security

D2881b5d4c082996a62f23055b61956d?s=47 name
June 10, 2012
How-to & DIY
4
180

Rails and security

be secure

D2881b5d4c082996a62f23055b61956d?s=128

name

June 10, 2012
Tweet

More Decks by name

See All by name
D2881b5d4c082996a62f23055b61956d?s=48 homakov
0
100

Other Decks in How-to & DIY

See All in How-to & DIY
Dae1d4cc4599a65a5da6e1a1f9d96f05?s=48 n0bisuke
0
340
5bf54e7ef7042b951e001ee1659917d9?s=48 imiro
0
370
E6c980b93d086e757643971b318a40a9?s=48 maepu
0
140
0b666fd93192da360be3afb839f09da5?s=48 achamixx
2
1k
9301d0a5152361eb609b1d947733645e?s=48 nakaamino
0
130
9260cf8a1a6dd81ac381c56547f589d5?s=48 bigtree
0
320
Fc358d63dcdcbad7a5c29198785dec2c?s=48 naototty
1
210
Dae1d4cc4599a65a5da6e1a1f9d96f05?s=48 n0bisuke
1
350
E6c980b93d086e757643971b318a40a9?s=48 maepu
0
360
E28bdf8c7732503016adfa076809e694?s=48 aoisaya
4
580
13baeabe6f414defa311a640ea09c943?s=48 taokiuhuru
0
140
A4279da93d5e574c797061134aa42dbb?s=48 wyamazak
0
440

Featured

See All Featured
282d599b414022eba5096510f675b6e2?s=48 chrislema
173
14k
C44e1f7e22c3f23cff7bc130871047ef?s=48 eileencodes
113
25k
D47656e20ff5e42f125fc5ea0fd636c6?s=48 tmm1
61
9.4k
Ded01cdab114abe4ec13511e4c25b9bb?s=48 andyhume
63
3.7k
E195ae45320d9202eaa01c9f1d31a416?s=48 marktimemedia
7
400
Ae14cc4491ac334f9cd23f9f93b4305e?s=48 orderedlist
PRO
328
36k
245cee81a9c424266e5e401d844ea881?s=48 lara
15
2.7k
5b6a2bd86ef643786a381a212e0ef2f1?s=48 geoffreycrofte
21
930
56c4053438af8e8b90d6f53cbb7573be?s=48 jakevdp
775
200k
Bfd6b681ec6e8c9bef82ff0521c364f7?s=48 kastner
54
1.9k
8081b26e05bb4354f7d65ffc34cbbd67?s=48 chriscoyier
683
180k
C0b42577cfc2b321be3474618107e933?s=48 samanthasiow
56
6.4k

Transcript

  1. Rails & Security People should know it Insecure-by-default means insecure

    http://homakov.blogspot.com

  2. Agenda • GET Accessible Actions(method “match”, CSRF) • Mass Assignment(attr_accessible,

    “SQL Inject”) • JS(ON) and DOM Injects, Responders and XSS • Regular Expressions and Validators • Common Tips • Headers • [bonus?] OAuth

  3. • CSRF Protection by default (authenticity_token) • XSS Protection(HtmlSafe, sanitize

    by default) • SQL Injects are impossible(active record) • Hundreds of commits with security improvements, etc Rails ARE Secure

  4. • if I see PHP site with (proper)CSRF protection than

    .. it's facebook.com • SQL Injects, XSS, includes, zomg etc • "secure by default" just impossible thus rails is more secure than most php sites are... PHP(and others) is not

  5. BUT

  6. None

  7. #routes.rb #match usage is a common mistake match “/follow”, to:

    “followings#create” match “/followers, to: “followings#index” case 1

  8. Hey, “match” means GET too. GET means no csrf protection!

    case 1

  9. >This commit disallows calling +match+ without an HTTP verb constraint

    by default. To explicitly match all verbs, this commit also adds a :via => :all option to +match+. (@wycats) #update code: post “/follow”, to: “followings#create” get “/followers, to: “followings#index” match “/getpost_endpoint”, via: :all, to: “etc#etc” case 1

  10. Make sure to set “post” for state-changing requests. Avoid using

    of “match” Use “get” for all data retrieval requests. Scope your routes, be RESTful, please. case 1 tips

  11. #comments/index.haml :javascript var comments = #{@comments.to_json} OR :javascript var value

    = "#{current_user.name}" case 2

  12. @comments = {k:"</script><script>alert(1) </script>"} JSON Encoder and ':javascript' (:css too!)

    both don't escape anything - output is RAW. case 2

  13. XSS?! case 2

  14. Update rails to 4(now html entities are escaped by default)

    or set manually ActiveSupport.escape_html_entities_in_html = true in initializers or don't use .to_json in templates. case 2 tips

  15. #comments/index.haml :javascript var data = #{@data.to_json} #or getJSON $('.datacontainer').html(data.body); case

    3

  16. Pitfall. That is a pure DOM XSS - you didn't

    sanitize it! Escaping \u only helps JSON parser but you should sanitize it before you insert into DOM Don't trust/use any input param until you sanitized it. case 3

  17. case 3

  18. Use $.text()/innerText instead of $.html() /innerHTML when possible, always sanitize

    any user input even in JS(Rails just escapes). I strongly recommend this patch: ActiveSupport::JSON::Encoding:: ESCAPED_CHARS.merge! '<' => '&lt;' case 3 tips

  19. params[:user][:url]="http://#{params[:user][: url]}" unless params[:user][:url] =~ /^https?/ #update attributes case 4

  20. case 4

  21. Keep in mind - in ruby $^ always match new

    lines. Your manuals and books lie. Use \A\z This passes: javascript:alert(1)/* http://hi.com */ added warning/exception in RoR case 4 tips

  22. #in application_controller.rb skip_before_filter :verify_authenticity_token case 5

  23. protect_from_forgery is a MUST. It is a hassle to deal

    with tokens but don't be stupid. No, presence of authenticity_token input doesn't scare a hacker. case 5 tips

  24. found an XSS for auto_link, remember, always *whitelist* everything -

    protocols too javascript://%0Aalert(1) Update your bundle, if you use auto_link or rails_autolink gem case 6
  25. None

  26. class PublicKey < ActiveRecord::Base #attr_accessible, where are you... end case

    7

  27. case 7

  28. Github and Assembla shared the same vulnerability. It was easy

    to steal or push code into anybody’s repo 'dropping' your public key. Also you could(still can) set “created/updated_at” to 3012 in *really* a lot of applications to have fun and get the 1st place in 'order by *_at' case 7

  29. If use update_attributes/new/create+hash - you should set attr_accessible(If you don’t

    use mass assignment - don’t care.) gem 'strong_parameters' whitelist_attributes = true by default. it takes slightly more time to write an app but it’s worth it. IT IS NOT attr_accessor :± case 7 tips

  30. #hand-made jsonp json = Order.all.to_json render text: "#{params[:callback]}(#{json})" https://api.github.com/user/repos? callback=leak

    case 8

  31. don't give out private data via JSONP avoid - render

    text: contains_user_input XSS - ?callback=<script>..</script> use - render json: data, callback: params[: cb] case 8 tips

  32. Mass assignment[extended edition]. You can send nested arrays/hashes in any

    param. params[:token] can be a huge array(brute): ?token[]=1&token[]=2&token[]=3... it also may contain nils! ?token[] <- nil case 9 - CVE-2012-2660

  33. Change User.find_by_token(params[:token]) and User.where(token: params[:token]) use explicit casting params[:token].to_s case

    9 - CVE-2012-2660

  34. • use system('ls', '.') instead of `ls .` • before_filter{headers['X-Frame-Options']

    ='SAMEORIGIN'}#application_controller. rb • hide config/initializers/secret_token.rb • obvious: check permissions • WHITELIST • RTFM common tips

  35. Security is not developers' business. Web is poorly designed: Clickjacking,

    CSRF #DISCUSS

  36. bonus

  37. CSRF + GET. code/token getting into master-account with no fingerprints.

    omniauth fb strategy vulnerability depends on server side logic bonus OAuth

  38. http://soundcloud. com/connect/facebook/create? code=AQBXeR_dORPlx4RRUt_YzJ6Rdg0 eb9CWHek8J2fB4vqfdNPvznmx-d- J36gGQlXJICRdfqFb9a_VWqke4ZamE2H ytlXtK5c6sMaOQUQLPPhSWNv3v8z- ze6hdT6x4LNSXC_- jxGRecjw1WTmifzO_rBFaDI86xPo2YH3k_ ehEtw5wM9rVduymjZumXkoistF7I9g2MQ bonus

    OAuth

  39. Mitigation: CSRF token in 'state' param. Checking $_SESSION['state']==$_REQUEST ['session'] IS

    NOT WORKING Check existence and equality both. OR use client side JS based authentication. bonus OAuth

  40. [old] http://www.rorsecurity.info/ http://guides.rubyonrails.org/security.html http://developers.facebook. com/docs/authentication/server-side/ get new stuff 1st!: homakov.blogspot.com

    references

  41. Teh Edn. Y U NO PAY ME FOR SECURITY AUDIT?