Rails Security Pitfalls - Jerome Basa
Las Vegas Ruby Group
March 26, 2014

Transcript

  1. Rails Security Pitfalls Jerome Basa @jldbasa March 2014

  2. whoami 2014 2.6 years many to mention 3 years 7 years hire me! ^^;
  3. Web Application Security

  4. Web Application Security source: Cenzic Vulnerability Report 2014

  5. Web Application Security “96% of tested applications in 2013 have vulnerabilities” - CENZIC. Developers usually prioritise feature completion rather than security certification; not all companies hire dedicated security experts.
  6. is Rails secure?

  7. Is Rails secure? relatively secure by default
     Attack Type    | Rails Countermeasure
     SQL Injection  | SQL escape
     XSS            | HTML escape
     CSRF           | authenticity token
  8. Is Rails secure? one framework is not more secure than another; flawed coding = successful attack
  9. Security Pitfalls

  10. SQL Injection

  11. SQL Injection exploits of a mom » xkcd.com/327

  12. SQL Injection
      User.where("username LIKE '%#{params[:q]}%'")
      SELECT `users`.* FROM `users` WHERE (username LIKE '%jerome%')
  13. SQL Injection
      params[:q] = "') UNION SELECT username, password,1,1,1 FROM users --"
      SELECT `users`.* FROM `users` WHERE (username LIKE '%') UNION SELECT username, password, 1,1,1 FROM users --%')
  15. SQL Injection (countermeasure)
      User.where("username LIKE ?", "%#{params[:q]}%")
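
An added example, not from the talk, showing in plain Ruby (no ActiveRecord) why the interpolated form on slide 12 breaks and what the "?" placeholder on slide 15 changes; quote_string and escape_like are stand-ins for the adapter's bound-value quoting and for ActiveRecord's sanitize_sql_like, and assume a standard SQL dialect:

```ruby
# Stand-in for the database adapter's quoting of a bound value
# (assumption: standard SQL, embedded single quotes are doubled).
def quote_string(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Escape LIKE metacharacters so "%" and "_" typed by a user match literally
# (ActiveRecord ships sanitize_sql_like for the same job).
def escape_like(value)
  value.to_s.gsub(/[\\%_]/) { |c| "\\#{c}" }
end

# Slide 12: the input is spliced into SQL text, so it can close the
# literal and continue the statement with its own clauses.
def unsafe_query(q)
  "SELECT `users`.* FROM `users` WHERE (username LIKE '%#{q}%')"
end

# Slide 15: the whole pattern travels as one value and is quoted as a unit.
def safe_query(q)
  pattern = "%#{escape_like(q)}%"
  "SELECT `users`.* FROM `users` WHERE (username LIKE #{quote_string(pattern)})"
end

# Blank out string literals (honouring '' escapes) to see what the database
# will parse as SQL keywords rather than as data. Useful when reviewing the
# SQL that a query builder actually emits.
def sql_outside_literals(sql)
  sql.gsub(/'(?:[^']|'')*'/, "'?'")
end

# Constructed input: the payload from slide 13.
PAYLOAD = "') UNION SELECT username, password,1,1,1 FROM users --"

if __FILE__ == $0
  puts sql_outside_literals(unsafe_query(PAYLOAD)) # UNION survives as SQL
  puts sql_outside_literals(safe_query(PAYLOAD))   # everything stays data
end
```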

  16. Cross-site Scripting (XSS)

  17. XSS
      template code: <span> <%= raw @post.content %> </span>
      content from user: params[:content] = "<script>alert('hello');</script>"
  18. XSS

  19. XSS (countermeasure)
      <span> <%= sanitize(@post.content, tags: %w(a), attributes: %w(href)) %> </span>
      sanitize user input; use Rails methods such as sanitize. Look for: raw and .html_safe
  20. Cross-site Request Forgery (CSRF)

  21. CSRF: attacker sends a request on the victim’s behalf. User logs in to Your Site, then navigates to Malicious Site; a hidden image there posts back to Your Site. Doesn’t depend on XSS.
  22. CSRF (countermeasure): use HTTP methods (GET, POST) appropriately; use Rails default CSRF protection
  23. 'match' in Routing
      # Example in config/routes.rb
      match ':controller(/:action(/:id))(.:format)'
      match '/posts/delete/:id', :to => "posts#destroy", :as => "delete_post"
      match matches all HTTP verbs, and Rails CSRF protection doesn’t apply to GET requests, so this route will allow a GET request to delete posts.
  24. 'match' in Routing (countermeasure)
      # Example in config/routes.rb
      # match ':controller(/:action(/:id))(.:format)'
      match '/posts/delete/:id', :to => "posts#destroy", :as => "delete_post", :via => :delete
      use :via, or the correct HTTP verb in routing, e.g. 'get', 'post', etc.
  25. Mass Assignment

  26. Mass Assignment
      def create
        # ...
        @user = User.new(params[:user])
        # ...
      end
      <input type="text" name="user[username]" />
      <input type="text" name="user[email]" />
      <input type="text" name="user[admin]" value="1" />
  27. Mass Assignment (countermeasure)
      class User < ActiveRecord::Base
        attr_protected :admin
        # ...
      end
      blacklist attributes using attr_protected
  28. Mass Assignment (countermeasure)
      class User < ActiveRecord::Base
        attr_accessible :username, :email
        # ...
      end
      whitelist attributes using attr_accessible
      config.active_record.whitelist_attributes = true
  29. Mass Assignment (countermeasure)
      def create
        # ...
        @user = User.new(params_user)
        # ...
      end
      private
      def params_user
        params.require(:user).permit(:username, :email)
      end
      use strong parameters
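
An added example, not from the talk: a plain-Ruby stand-in for the require/permit calls on slide 29, showing what reaches User.new when a client adds the user[admin]=1 field from slide 26. The StrongParams class and ParameterMissing error are assumptions that mimic the strong_parameters behaviour; params are assumed to arrive as a string-keyed Hash, as Rack parses a form body.

```ruby
# Raised when the required nested key is absent (Rails answers 400 for this).
class ParameterMissing < StandardError; end

class StrongParams
  def initialize(hash)
    @hash = hash
  end

  # require: the nested key must be present and non-empty.
  def require(key)
    value = @hash[key.to_s]
    raise ParameterMissing, "param is missing: #{key}" if value.nil? || value.empty?
    StrongParams.new(value)
  end

  # permit: keep only the listed scalar keys; anything else, including an
  # attacker-supplied "admin", is silently dropped before it reaches the model.
  def permit(*keys)
    allowed = keys.map(&:to_s)
    @hash.select { |k, _| allowed.include?(k) }
  end
end

# The controller helper from slide 29, with params passed in explicitly.
def params_user(params)
  StrongParams.new(params).require(:user).permit(:username, :email)
end

# Constructed request body: the three inputs from slide 26, including the
# admin field a client can add to the form on its own.
FORM_PARAMS = {
  "user" => { "username" => "jerome", "email" => "j@example.com", "admin" => "1" }
}.freeze
```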
  30. Secret Token

  31. Secret Token
      MyApp::Application.config.secret_token = '38d07e4b…'   # config/initializers/secret_token.rb
      this token is used to sign cookies that the application sets. for more info, read: http://bit.ly/hack_rails_app_using_secret_token
  32. Secret Token (countermeasure)
      MyApp::Application.config.secret_token = ENV['TOKEN']   # config/initializers/secret_token.rb
      * generate new secret by running $ rake secret
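
An added example, not from the talk, of what the secret token on slide 31 is used for: signing a cookie so the application can tell its own cookies from tampered ones. It assumes the MessageVerifier-style layout "base64(payload)--hmac_hexdigest" with HMAC-SHA1 (the default of that era; the scheme, not the digest, is the point) and constructed secrets in place of ENV['TOKEN'].

```ruby
require "openssl"

# The signature proves only that whoever produced it knew the secret. A token
# committed to the repository therefore protects nothing, and rotating it
# (slide 32) invalidates every cookie signed before the rotation.
def sign_cookie(payload, secret)
  data = [payload].pack("m0")                       # strict base64
  "#{data}--#{OpenSSL::HMAC.hexdigest('SHA1', secret, data)}"
end

# Compare digests byte by byte without an early exit, the way
# ActiveSupport::SecurityUtils.secure_compare does.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the payload when the signature is valid under this secret, else nil.
def verify_cookie(cookie, secret)
  data, digest = cookie.to_s.split("--", 2)
  return nil if data.nil? || digest.nil?
  return nil unless secure_compare(digest, OpenSSL::HMAC.hexdigest("SHA1", secret, data))
  data.unpack1("m0")
rescue ArgumentError                                # malformed base64
  nil
end

# Constructed secrets; in the application they would come from ENV['TOKEN'].
OLD_SECRET = "example-secret-before-rotation"
NEW_SECRET = "example-secret-after-rotation"
```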
  33. Logging Parameters

  34. Logging Parameters
      Rails.application.config.filter_parameters += [:password, :ssn]
      :password & :ssn will be replaced with “[FILTERED]” in logs
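
An added example, not from the talk, of the effect of filter_parameters on slide 34 as a plain-Ruby filter. Like Rails' parameter filter it matches on substrings of the key (so :password also covers password_confirmation), descends into nested hashes and arrays, and replaces the matched value with "[FILTERED]"; the function name and the sample request are constructed for this example.

```ruby
FILTERED = "[FILTERED]".freeze

# Returns a copy of params with every value whose key contains one of the
# filter names (case-insensitive) replaced by "[FILTERED]". A matched key
# is replaced whole, even when its value is itself a hash.
def filter_parameters(params, filters)
  patterns = filters.map { |f| f.to_s.downcase }
  case params
  when Hash
    params.each_with_object({}) do |(key, value), out|
      name = key.to_s.downcase
      out[key] = if patterns.any? { |p| name.include?(p) }
                   FILTERED
                 else
                   filter_parameters(value, filters)
                 end
    end
  when Array
    params.map { |v| filter_parameters(v, filters) }
  else
    params
  end
end

# Constructed request, the sort that lands in the Rails log after "Parameters:".
SAMPLE_PARAMS = {
  "user" => {
    "username" => "jerome",
    "password" => "hunter2",
    "password_confirmation" => "hunter2",
    "profile" => { "ssn" => "123-45-6789", "city" => "Las Vegas" }
  },
  "cards" => [{ "ssn" => "987-65-4321" }]
}.freeze
```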
  35. Scopes

  36. Scopes
      class User < ActiveRecord::Base
        has_many :posts
      end
      def edit
        @post = Post.find_by id: params[:id]
      end
  37. Scopes (countermeasure)
      def edit
        @post = current_user.posts.find_by id: params[:id]
      end
      use an authorization gem such as cancan or pundit; look for :edit, :update, :destroy methods
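
An added example, not from the talk: in-memory stand-ins for the two lookups on slides 36 and 37, Post.find_by(id:) versus current_user.posts.find_by(id:). It assumes posts belong to users through user_id, as the has_many on slide 36 implies, and uses a constructed NotFound error in place of ActiveRecord::RecordNotFound.

```ruby
Post = Struct.new(:id, :user_id, :title)
User = Struct.new(:id, :name)
class NotFound < StandardError; end

# Constructed data: post 2 belongs to user 2, not to user 1.
POSTS = [Post.new(1, 1, "mine"), Post.new(2, 2, "not mine")].freeze

# Slide 36: any authenticated user reaches any post just by changing :id
# in the URL, so edit/update/destroy act on records they do not own.
def find_post_unscoped(id)
  POSTS.find { |p| p.id == id }
end

# Slide 37: search only the caller's own posts; a foreign id is simply not
# found, so the controller answers 404 instead of exposing or editing it.
def find_post_scoped(current_user, id)
  POSTS.select { |p| p.user_id == current_user.id }.find { |p| p.id == id } ||
    raise(NotFound, "post #{id} is not owned by user #{current_user.id}")
end
```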
  38. Admin

  39. Admin URL http://yourapp.com/admin “old habits die hard”

  40. Admin URL: whitelist IP addresses; recommendation: use a sub-domain, a separate application, VPN or intranet access only
  41. Conclusion

  42. Conclusion keep your application up to date on all layers; never trust any data from a user; code review; use brakeman gem - brakemanscanner.org
  43. Conclusion brakeman - Rails security scanner
      $ brakeman -o report.html
      +----------------------+-------+
      | Warning Type         | Total |
      +----------------------+-------+
      | Cross Site Scripting | 1     |
      | SQL Injection        | 1     |
      | Session Setting      | 1     |
      +----------------------+-------+
  44. brakeman demo

  45. Further Resources

  46. RoR Security Guide

  47. RoR Security Google Groups

  48. Railscasts on Security

  49. Questions?