Rails Security Pitfalls

Transcript

1. Rails Security Pitfalls Jerome Basa @jldbasa March 2014

2. whoami 2014 2.6 years many to mention 3 years 7

   years hire me! ^^;

3. Web Application Security

4. Web Application Security source: Cenzic Vulnerability Report 2014

5. Web Application Security “96% of tested applications in 2013
 have

   vulnerabilities” - CENZIC developer usually prioritise feature completion rather than security certification not all companies hire dedicated
 security experts

6. is Rails secure?

7. Is Rails secure? relatively secure by default Attack Type Rails

   Countermeasure SQL Injection SQL Escape XSS HTML Escape CSRF Authenticity Token

8. Is Rails secure? one framework is not more secure 


   than another flawed coding = successful attack

9. Security Pitfalls

10. SQL Injection

11. SQL Injection exploits of a mom » xkcd.com/327

12. SQL Injection 
 User.where("username LIKE '%#{params[:q]}%'") ! ! SELECT `users`.*

    FROM `users` WHERE (username LIKE '%jerome%') ! !

13. SQL Injection ! params[:q] = "') UNION SELECT username, password,1,1,1

    FROM users --" ! ! SELECT `users`.* FROM `users` WHERE (username LIKE '%') UNION SELECT username, password, 1,1,1 FROM users --%')

14. SQL Injection ! params[:q] = "') UNION SELECT username, password,1,1,1

    FROM users --" ! ! SELECT `users`.* FROM `users` WHERE (username LIKE '%') UNION SELECT username, password, 1,1,1 FROM users --%')

15. SQL Injection 
 User.where("username LIKE ?", "%#{params[:q]}%") countermeasure countermeasure

16. Cross-site Scripting (XSS)

17. XSS ! <span> <%= raw @post.content %> </span> template code

    
 params[:content] = "<script>alert('hello');</script>" content from user

18. XSS

19. XSS 
 <span> <%= sanitize(@post.content, tags: %w(a), attributes: %w(href)) %>

    </span> countermeasure sanitize user input; use Rails method such 
 as sanitize look for: raw and .html_safe

20. Cross-site Request Forgery (CSRF)

21. CSRF attacker sends request on victim’s behalf User Your Site

    logs in Malicious Site navigates to Your Site hidden image, post back to doesn’t depend on XSS

22. CSRF use HTTP (GET, POST) methods
 appropriately countermeasure use Rails

    default CSRF protection

23. ‘match’ in Routing 
 # Example in config/routes.rb match ':controller(/:action(/:id))(.:format)'

    match matches all HTTP verb and Rails CSRF protection doesn’t apply to GET requests. route will allow GET method to delete posts 
 match ‘/posts/delete/:id', :to => “posts#destroy",
 :as => "delete_post"

24. ‘match’ in Routing # Example in config/routes.rb # match ':controller(/:action(/:id))(.:format)'

    ! match '/posts/delete/:id', :to => "posts#destroy", :as => “delete_post", :via => :delete use correct HTTP verb in routing e.g. ‘get’, 
 ‘post’, etc. countermeasure use :via

25. Mass Assignment

26. Mass Assignment ! def create # ... @user = User.new(params[:user])

    # ... end ! <input type="text" name=“user[username]" type="text" /> <input type="text" name="user[email]" type=“text" /> ! <input type="text" name="user[admin]" value="1" type="text" />

27. Mass Assignment ! class User < ActiveRecord::Base attr_protected :admin !

    # ... end blacklist attributes using attr_protected countermeasure

28. Mass Assignment ! class User < ActiveRecord::Base attr_accessible :username, :email

    # ... end whitelist attributes using attr_accessible ! config.active_record.whitelist_attributes = true

29. Mass Assignment ! def create # ... @user = User.new(params_user)

    # ... end ! private ! def params_user params.require(:user).permit( :username, :email) end use strong parameters

30. Secret Token

31. Secret Token ! MyApp::Application.config.secret_token = '38d07e4b…' config/initializers/secret_token.rb this token is

    used to sign cookies that the 
 application sets. for more info, read:
 
 http://bit.ly/hack_rails_app_using_secret_token

32. Secret Token ! MyApp::Application.config.secret_token = ENV['TOKEN'] config/initializers/secret_token.rb * generate new

    secret by running $ rake secret countermeasure

33. Logging Parameters

34. Logging Parameters ! Rails.application.config.filter_parameters += [:password, :ssn] :password & :ssn

    will be replaced with “[FILTERED]” logs

35. Scopes

36. Scopes ! class User < ActiveRecord::Base has_many :posts end !

    def edit @post = Post.find_by id: params[:id] end

37. Scopes ! def edit @post = current_user.posts.find_by id: params[:id] end

    use authorization gem such as cancan or pundit look for :edit, :update, :destroy methods countermeasure

38. Admin

39. Admin URL http://yourapp.com/admin “old habits die hard”

40. Admin URL whitelist IP address recommendation use sub-domain separate application

    VPN or intranet access only

41. Conclusion

42. Conclusion keep your application up to date on all layers

    never trust any data from a user code review use brakeman gem - brakemanscanner.org

43. Conclusion brakeman - Rails security scanner ! $ brakeman -o

    report.html ! +----------------------+-------+ | Warning Type | Total | +----------------------+-------+ | Cross Site Scripting | 1 | | SQL Injection | 1 | | Session Setting | 1 | +----------------------+-------+

44. brakeman demo

45. Further Resources

46. RoR Security Guide

47. RoR Security Google Groups

48. Railscasts on Security

49. Questions?