WEB APPLICATION
SECURITY IN RAILS
Uri Nativ
RailsIsrael 2012
Slide 2
Uri Nativ
@unativ
Head of Engineering
Klarna Tel Aviv
#railsisrael
Slide 3
Buy Now, Pay Later
1. Shop online
2. Receive your goods
3. Pay
Slide 4
Alice
Slide 5
Bob
Slide 6
Alice and Bob
Slide 7
Alice and Bob
Slide 8
Alice and Bob
Like Duh?
Slide 9
Alice and Bob
MicroBlogging
...
#$@#
%#@&*#$
Slide 10
Alice and Bob
Hack it!
Slide 11
SQL INJECTION
Slide 12
@results = Micropost.where(
  "content LIKE '%#{params[:query]}%'").all
SELECT "microposts".*
FROM "microposts"
WHERE (content LIKE '%SEARCHSTRING%')
SQL Injection
Slide 13
SELECT "microposts".*
FROM "microposts"
WHERE (content LIKE '%SEARCHSTRING%')
SQL Injection
XXX')
UNION
SELECT 1, email, 1, 1, 1
FROM users --
Slide 14
SELECT "microposts".*
FROM "microposts"
WHERE (content LIKE '%XXX')
UNION
SELECT 1, email, 1, 1, 1
FROM users -- %')
SQL Injection
Slide 15
SELECT "microposts".*
FROM "microposts"
WHERE (content LIKE '%XXX')
UNION
SELECT 1, email, 1, 1, 1
FROM users -- %')
SQL Injection
The Attack:
Execute arbitrary code / defacement
JSON is not escaped by default
CSS can be injected as well
Countermeasures:
Never trust data from users
Use Markdown (e.g. Redcarpet gem)
XSS
Slide 22
CROSS
SITE
REQUEST
FORGERY
CSRF
Slide 23
www.blog.com
CSRF
1
Slide 24
www.blog.com
2
Click
here for
free iPad
www.freeiPad.com
…
document.evilform.submit()
CSRF
www.blog.com www.freeiPad.com
…
document.evilform.submit()
POST /blogpost
content="Kick Me!"
CSRF
4
Slide 27
Slide 28
routes.rb
match '/delete_post/:id',
to: 'microposts#destroy'
CSRF
Slide 29
class ApplicationController < ActionController::Base
  # commented to easily test forms
  # protect_from_forgery
  ...
end
CSRF
Slide 30
The Attack:
Attacker sends requests on the victim's behalf
Doesn't depend on XSS
Attacker doesn't need to be logged in
Countermeasures:
Use Rails CSRF default protection (do not override it)
Use GET for queries
Use POST/DELETE/… when updating data
Add a sign-out link
CSRF
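An added example, not from the talk and not Rails' own implementation: a minimal Ruby sketch of the mechanism behind `protect_from_forgery`, showing why the hidden form on www.freeiPad.com fails verification while Alice's own form passes, and why a GET route for `/delete_post/:id` is never checked at all. `CsrfGuard`, `csrf_demo` and the in-memory session hash are assumptions made for this example; Rails additionally masks the token per response, which is omitted here.

```ruby
require 'securerandom'

# Stand-in for Rails' protect_from_forgery: the server issues a per-session
# secret, the view embeds it in every form, and every state-changing request
# must echo it back. www.freeiPad.com can make Alice's browser send her
# cookies, but it cannot read the token in her session, so the hidden
# form submitted by document.evilform.submit() fails verification.
module CsrfGuard
  SAFE_METHODS = %w[GET HEAD OPTIONS].freeze # never verified: must not mutate state

  # Issue (or reuse) the session's token; this is what the form helper embeds.
  def self.token_for(session)
    session[:csrf_token] ||= SecureRandom.base64(32)
  end

  # Constant-time comparison so response timing does not leak the token.
  def self.secure_compare(a, b)
    return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Verify a request: safe methods pass, everything else needs the token.
  def self.verified?(session:, method:, params:)
    return true if SAFE_METHODS.include?(method.upcase)
    secure_compare(session[:csrf_token], params['authenticity_token'])
  end
end

# Constructed scenario from the slides: Alice is logged in to www.blog.com,
# then visits www.freeiPad.com, whose hidden form posts to /blogpost for her.
def csrf_demo
  alice = {}
  token = CsrfGuard.token_for(alice)
  {
    # Alice's own form carries the token the view embedded: accepted.
    legit_post: CsrfGuard.verified?(session: alice, method: 'POST',
                                    params: { 'content' => 'hi', 'authenticity_token' => token }),
    # The evil form has no token; the browser only attaches cookies: rejected.
    evil_post: CsrfGuard.verified?(session: alice, method: 'POST',
                                   params: { 'content' => 'Kick Me!' }),
    # A guessed token of the right length but wrong value: rejected.
    guessed: CsrfGuard.verified?(session: alice, method: 'POST',
                                 params: { 'authenticity_token' => 'x' * 44 }),
    # GET is never checked, which is why '/delete_post/:id' must not be a GET route.
    get_delete: CsrfGuard.verified?(session: alice, method: 'GET', params: {})
  }
end
```

The last case is the point of slide 28: the token check only guards non-GET requests, so a destructive action reachable via GET is unprotected no matter how `protect_from_forgery` is configured.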
Slide 31
RAILS SPECIFIC
ATTACKS
Slide 32
MASS
ASSIGNMENT boo[gotcha!]
Slide 33
def create
  @user = User.new(params[:user])
  ...
end
Mass Assignment
Slide 34
def create
  @user = User.new(params[:user])
  ...
end
Mass Assignment
{ :name => "gotcha",
  :admin => true }
Slide 35
Blacklist
class User < ActiveRecord::Base
  attr_protected :admin
  ...
end
Mass Assignment - countermeasures
Slide 36
Whitelist
class User < ActiveRecord::Base
  attr_accessible :name,
                  :email,
                  :password,
                  :password_confirmation
  ...
end
Mass Assignment - countermeasures
Slide 37
Global Config (whitelist)
config.active_record.whitelist_attributes = true
Mass Assignment - countermeasures
Slide 38
The Attack:
Unprotected by default :(
Countermeasures:
Whitelist
Blacklist
Strong Parameters (whitelist)
Rails 4
Logic moved to the controller
Available as a Gem
Mass Assignment
Slide 39
SQL INJECTION
VULNERABILITY IN
RUBY ON RAILS
(CVE-2012-2661)
Slide 40
User.where(
:id => params[:user_id],
:reset_token => params[:token]
)
SELECT users.*
FROM users
WHERE users.id = 6
AND users.reset_token = 'XYZ'
LIMIT 1
CVE-2012-2661 SQL Injection
Slide 41
/users/6/password/edit?token[]
SELECT users.*
FROM users
WHERE users.id = 6
AND users.reset_token IS NULL
LIMIT 1
CVE-2012-2661 SQL Injection
Slide 42
The Attack:
SQL Injection - Affected version: Rails < 3.2.4
Countermeasures:
Upgrade to Rails 3.2.4 or higher
CVE-2012-2661 SQL Injection
Slide 43
-------------------------------------------------
| Warning Type               | Total |
-------------------------------------------------
| Cross Site Scripting       | 2     |
| Cross-Site Request Forgery | 1     |
| Denial of Service          | 1     |
| Redirect                   | 1     |
| SQL Injection              | 4     |
-------------------------------------------------
Brakeman
Slide 44
CONCLUSIONS
Slide 45
Make Love not War
Slide 46
Know the threats – OWASP top 10
Follow Rails conventions
Ruby on Rails Security Guide
http://guides.rubyonrails.org/security.html
The Ruby on Rails security project
http://www.rorsecurity.info
Rails security mailing list:
http://groups.google.com/group/rubyonrails-security
Conclusions
Slide 47
Daniel Amselem for pair programming
Irit Shainzinger for the cool graphics
Michael Hartl for his microblogging app tutorial
Thanks to…
Slide 48
Pay Online – Safer and Simpler
https://github.com/unativ/sample_app