Slide 1
Slide 1 text
Fortify Rails
Defending Your Ruby on Rails
Applications from Bad Actors
FastRuby.io & Wafris.org
Rails Security Webinar, June 2023
Slide 2
Slide 2 text
Founder &
CTO
@FastRubyIO
Slide 3
Slide 3 text
🇦🇷 Hi, I’m from Argentina
Slide 4
Slide 4 text
🇦🇷 Hi, I’m from Argentina
🦅 I live in Philadelphia
Slide 5
Slide 5 text
🇦🇷 Hi, I’m from Argentina
🦅 I live in Philadelphia
👨💻 I love Ruby & Open Source!
Slide 6
Slide 6 text
🇦🇷 Hi, I’m from Argentina
🦅 I live in Philadelphia
👨💻 I love Ruby & Open Source!
🤓 My pronouns are he/him
Slide 7
Slide 7 text
FastRuby.io
1. Ruby/Rails Upgrade Services
Slide 8
Slide 8 text
FastRuby.io
1. Ruby/Rails Upgrade Services
2. Fixed-cost, Monthly Maintenance Services
Slide 9
Slide 9 text
FastRuby.io
1. Ruby/Rails Upgrade Services
2. Fixed-cost, Monthly Maintenance Services
3. Ruby/Rails Performance Optimization
Slide 10
Slide 10 text
FastRuby.io
1. Ruby/Rails Upgrade Services
2. Fixed-cost, Monthly Maintenance Services
3. Ruby/Rails Performance Optimization
4. Ruby/Rails Security Audits
Slide 11
Slide 11 text
I ❤ Ruby & Rails
Slide 12
Slide 12 text
Rails ❤
1. Convention over Configuration
Slide 13
Slide 13 text
Rails ❤
1. Convention over Configuration
2. Development Speed
Slide 14
Slide 14 text
Rails ❤
1. Convention over Configuration
2. Development Speed
3. Security Goodies
Slide 15
Slide 15 text
Rails ❤
1. Convention over Configuration
2. Development Speed
3. Security Goodies
Slide 16
Slide 16 text
Native Rails Security
Countermeasures
Slide 17
Slide 17 text
Native Rails Security
Countermeasures
1. Cross-Site Scripting (XSS)
Slide 18
Slide 18 text
Native Rails Security
Countermeasures
1. Cross-Site Scripting (XSS)
2. SQL Injection
Slide 19
Slide 19 text
Native Rails Security
Countermeasures
1. Cross-Site Scripting (XSS)
2. SQL Injection
3. CSRF
Slide 20
Slide 20 text
Native Rails Security
Countermeasures
1. Cross-Site Scripting (XSS)
2. SQL Injection
3. CSRF
4. Content-Security-Policy Header
5. Encrypted Credentials
6. Unsafe Query Generation
7. CSS Injection
8. Session Hijacking
9. ...
Slide 21
Slide 21 text
Rails Security
Policy
Slide 22
Slide 22 text
No content
Slide 23
Slide 23 text
No content
Slide 24
Slide 24 text
No content
Slide 25
Slide 25 text
No content
Slide 26
Slide 26 text
No content
Slide 27
Slide 27 text
Ruby / Rails
Security Risks
Slide 28
Slide 28 text
Attack Vectors
1. Vulnerable dependencies
Slide 29
Slide 29 text
Attack Vectors
1. Vulnerable dependencies
2. Exploitable application code
Slide 30
Slide 30 text
Attack Vectors
1. Vulnerable dependencies
2. Exploitable application code
Slide 31
Slide 31 text
Vulnerable Dependencies
Slide 32
Slide 32 text
Vulnerable Dependencies
Slide 33
Slide 33 text
Vulnerable Dependencies
bundle update rails
git commit -m “Patched version of Rails.”
git push production master
Slide 34
Slide 34 text
Vulnerable Dependencies
$ gem install bundler-stats
$ bundle-stats
.. .. .. .. .. .. .. .. ..
| pg | 0 | 0 |
| spring | 0 | 0 |
| stripe | 0 | 0 |
| timecop | 0 | 0 |
| tzinfo-data | 0 | 0 |
+------------------------------------|------------|----------------+
Declared Gems 62
Total Gems 218
Unpinned Versions 39
Github Refs 3
Slide 35
Slide 35 text
bundler-audit
Slide 36
Slide 36 text
No content
Slide 37
Slide 37 text
No content
Slide 38
Slide 38 text
Vulnerable Dependencies
$ gem install bundler-audit
$ bundle-audit
No vulnerabilities found
Slide 39
Slide 39 text
Vulnerable Dependencies
Slide 40
Slide 40 text
No content
Slide 41
Slide 41 text
For patch versions
(e.g. 1.0.X):
- Dependabot
- Depfu
Slide 42
Slide 42 text
For minor/major
versions (e.g. A.B.0):
Fixed-cost
Monthly Maintenance
by FastRuby.io
Slide 43
Slide 43 text
Attack Vectors
1. Vulnerable dependencies
2. Exploitable application code
Slide 44
Slide 44 text
Exploitable Code
1. Poorly scoped queries
2. SQL-injectable code
3. Poorly filtered parameters
3. Too many un-rescued exceptions
4. Etc…
Slide 45
Slide 45 text
Sharp knives:
- Ruby (e.g. monkey patches)
Slide 46
Slide 46 text
Sharp knives:
- Ruby (e.g. monkey patches)
- ActiveRecord
Slide 47
Slide 47 text
Sharp knives:
- Ruby (e.g. monkey patches)
- ActiveRecord
- N+1 Performance Issues
- Slow queries
- SQL-injection, and more…
Slide 48
Slide 48 text
Example #1
Slide 49
Slide 49 text
ActiveRecord
def find_estimate
@estimate = Estimate.where(story_id:
params[:story_id]).find(params[:id])
end
Slide 50
Slide 50 text
GET /stories/2/estimates/
235/edit
Slide 51
Slide 51 text
No content
Slide 52
Slide 52 text
ActiveRecord
def find_estimate
@estimate = current_user.estimates.where(story_id:
params[:story_id]).find(params[:id])
end
Slide 53
Slide 53 text
Example #2
Slide 54
Slide 54 text
ActiveRecord
def find_estimate
@estimate = current_user.estimates.where("story_id =
'#{params[:story_id]}'").find(params[:id])
end
Slide 55
Slide 55 text
GET /stories/`1'; DROP
TABLE users; —`/
estimates/123/edit
Slide 56
Slide 56 text
No content
Slide 57
Slide 57 text
ActiveRecord
def find_estimate
@estimate = current_user.estimates.where(story_id:
params[:story_id]).find(params[:id])
end
Slide 58
Slide 58 text
Dozens of known Rails
idioms are exploitable
Slide 59
Slide 59 text
brakeman
Slide 60
Slide 60 text
ActiveRecord
def find_estimate
@estimate = current_user.estimates.where("story_id =
'#{params[:story_id]}'").find(params[:id])
end
Slide 61
Slide 61 text
Brakeman
$ gem install brakeman
$ brakeman
.. .. .. .. .. .. ..
== Warnings ==
Confidence: Medium
Category: SQL Injection
Check: SQL
Message: Possible SQL injection
Code: current_user.estimates.where("story_id = '#{params[:story_id]}'")
File: app/controllers/estimates_controller.rb
Line: 64
Slide 62
Slide 62 text
Brakeman
$ gem install brakeman
$ brakeman
.. .. .. .. .. .. ..
== Brakeman Report ==
Application Path: /Users/etagwerker/Projects/fastruby/points
Rails Version: 7.0.4.3
Brakeman Version: 6.0.0
Scan Date: 2023-06-09 09:47:32 -0400
Duration: 0.961275 seconds
Checks Run: BasicAuth, BasicAuthTimingAttack, CSRFTokenForgeryCVE, ContentTag, CookieSerialization,
CreateWith, CrossSiteScripting, DefaultRoutes, Deserialize, DetailedExceptions, DigestDoS, DynamicFinders,
EOLRails, EOLRuby, EscapeFunction, Evaluation, Execute, FileAccess, FileDisclosure, FilterSkipping,
ForgerySetting, HeaderDoS, I18nXSS, JRubyXML, JSONEncoding, JSONEntityEscape, JSONParsing, LinkTo,
LinkToHref, MailTo, MassAssignment, MimeTypeDoS, ModelAttrAccessible, ModelAttributes, ModelSerialize,
NestedAttributes, NestedAttributesBypass, NumberToCurrency, PageCachingCVE, Pathname, PermitAttributes,
QuoteTableName, Redirect, RegexDoS, Render, RenderDoS, RenderInline, ResponseSplitting, RouteDoS, SQL,
SQLCVEs, SSLVerify, SafeBufferManipulation, SanitizeConfigCve, SanitizeMethods, SelectTag,
SelectVulnerability, Send, SendFile, SessionManipulation, SessionSettings, SimpleFormat, SingleQuotes,
SkipBeforeFilter, SprocketsPathTraversal, StripTags, SymbolDoSCVE, TemplateInjection, TranslateBug,
UnsafeReflection, UnsafeReflectionMethods, ValidationRegex, VerbConfusion, WeakRSAKey, WithoutProtection,
XMLDoS, YAMLParsing
Slide 63
Slide 63 text
Brakeman
1. Static code analysis
2. Dozens of checks
3. Some false positives
Slide 64
Slide 64 text
Attack Vectors
1. Vulnerable dependencies
2. Exploitable application code
Slide 65
Slide 65 text
Rails Security
Audit by
FastRuby.io
Slide 66
Slide 66 text
FastRuby.IO/
security-audit
Slide 68
Slide 68 text
TL;DR
1. Use `bundler-audit`
Slide 69
Slide 69 text
TL;DR
1. Use `bundler-audit`
2. Use `brakeman`
Slide 70
Slide 70 text
TL;DR
1. Use `bundler-audit`
2. Use `brakeman`
3. Don’t just use them,
add them to your
development workflow (e.g. CI)
Slide 71
Slide 71 text
Resources
1. https://guides.rubyonrails.org/security.html
2. https://rubyonrails.org/security
3. https://rubysec.com/
4. https://brakemanscanner.org/
5. https://www.fastruby.io/newsletter
6. https://www.fastruby.io/blog/rails/security/ruby-security-toolkit.html
7. https://www.fastruby.io/security-audit
8. https://audit.fastruby.io/
9. https://bundler.io/v2.4/man/bundle-outdated.1.html