Slide 1

Web Application Security with a focus on Ruby on Rails
Ivan Storck @ivanoats
http://linkedin.com/in/ivanoats
Friday, July 19, 13

Slide 2

Why Me?
• You have a web site
• You have email addresses and access to an SMTP server
• You have usernames and passwords
• You have credit card data
• You're an activist or minority, or majority, left wing or right
• You really DO have something to hide

Slide 3

Non-technical Exploits
http://xkcd.com/538/

Slide 4

Social Engineering
• Manipulation
• (Spear) Phishing
• Urgent phone calls
• USB flash drives ("Can I just print my resume?")
• Quid pro quo ("Hi, this is Mike from tech support")

Slide 5

Social Engineering
• great read
• learn from a master hacker and storyteller

Slide 6

More non-technical exploits
• break your security model "because it's easier"
• Don't send passwords via email (unless you use email encryption)
• Use the same password for different services
• keep unencrypted customer data on your laptop

Slide 7

OWASP Top 10
• Open Web Application Security Project - Yearly ranking of vulnerabilities for 2013
• A1 Injection
• A2 Broken Authentication and Session Management
• A3 Cross-Site Scripting (XSS)
• A4 Insecure Direct Object References
• A5 Security Misconfiguration
• A6 Sensitive Data Exposure
• A7 Missing Function Level Access Control
• A8 Cross-Site Request Forgery (CSRF)
• A9 Using Components with Known Vulnerabilities
• A10 Unvalidated Redirects and Forwards

Slide 8

OWASP Rails Cheat Sheet
• https://www.owasp.org/index.php/Ruby_on_Rails_Cheatsheet
• Let's take a look at this in detail... after these messages...

Slide 9

SQL Injection - Off the Rails
http://xkcd.com/327/
User.where("name like '%#{params[:name]}%'")

Slide 10

SQL Injection - Back on the Rails
User.where("name like ?", "%#{params[:name]}%")
This is called Parameter Escaping (and it is GOOD)
Detailed info:
http://rails-sqli.org/
http://railscasts.com/episodes/25-sql-injection

Slide 11

XSS - Cross Site Scripting
• you can do pretty much anything if you let users get JavaScript onto the page
• Rails by default protects you
• But there are many cases where you can bypass it (legitimately)
WARNING:
<%= raw @product.name %>
<%= @product.name.html_safe %>
<%= content_tag @product.name %>

Slide 12

XSS - Mitigation
• Consider a markup language like Markdown or Textile and disallow HTML tags.
• use the #sanitize method
BETTER:
<%= sanitize @article.body %>
<%= sanitize @article.body, tags: %w(table tr td), attributes: %w(id class style) %>
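The two XSS defences on these slides, default escaping and allow-list sanitizing, as an added plain-Ruby example that is not part of the original deck and not the Rails sanitizer. escape_html calls ERB::Util.html_escape from the standard library, which is the same escaping Rails applies to <%= %> output. allowlist_sanitize, the tag regex, and the default tag and attribute lists are constructed here to mirror the shape of the slide's sanitize call; they are a teaching model, not rails-html-sanitizer.

```ruby
require "erb"

# Added example (not from the slides, not Rails code): models of the two
# XSS defences above. DEFAULT_TAGS / DEFAULT_ATTRIBUTES copy the allow-lists
# from the slide's sanitize call.
DEFAULT_TAGS = %w[table tr td].freeze
DEFAULT_ATTRIBUTES = %w[id class style].freeze

# Default Rails behaviour for <%= %>: characters that could start markup
# become entities, so the browser renders user input as text, never as code.
def escape_html(text)
  ERB::Util.html_escape(text)
end

# Matches any opening or closing tag; group 1 is the tag name, group 2 the
# raw attribute text. Constructed for this example.
TAG_RE = %r{</?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>}m
# Matches name=value attribute pairs with double, single or no quoting.
ATTR_RE = /([a-zA-Z][\w-]*)\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+)/

# Allow-list sanitizer in the spirit of `sanitize body, tags:, attributes:`.
# Anything not explicitly allowed is dropped: unknown tags lose their markup
# (text content survives), allowed tags lose unlisted attributes such as
# onclick/onerror, and kept attribute values are re-quoted and re-escaped.
def allowlist_sanitize(html, tags: DEFAULT_TAGS, attributes: DEFAULT_ATTRIBUTES)
  # script/style elements are removed together with their contents
  stripped = html.gsub(%r{<(script|style)\b[^>]*>.*?</\1\s*>}mi, "")
  stripped.gsub(TAG_RE) do
    whole = Regexp.last_match(0)
    name = Regexp.last_match(1).downcase
    attrs = Regexp.last_match(2)
    next "" unless tags.include?(name)
    next "</#{name}>" if whole.start_with?("</")
    kept = attrs.scan(ATTR_RE).map do |attr, value|
      next unless attributes.include?(attr.downcase)
      unquoted = value.gsub(/\A["']|["']\z/, "")
      %( #{attr.downcase}="#{escape_html(unquoted)}")
    end.compact
    "<#{name}#{kept.join}>"
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input: a user-supplied post body carrying a script
  # element and an inline event handler on an otherwise allowed tag.
  body = %(<script>alert(1)</script><td onclick="x()" class="c">hi</td>)
  puts "escaped:   #{escape_html(body)}"
  puts "sanitized: #{allowlist_sanitize(body)}"
end
```

The model is regex-based so it stays short; the Rails sanitizer parses the document into a DOM and also filters CSS inside a kept style attribute, which is why the slide can list style as allowed. The point the model does show is the allow-list direction of the design: the safe behaviour is the default, and every tag or attribute that reaches the page had to be named.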

Slide 13

Practice: Fix Ivan The Terrible's Blog
• Start with the "insecure" branch
• Use the SQL / search query below to test SQL Injection
• Play with XSS by inserting JavaScript into the post and see what chaos you can make!
foo%'); INSERT INTO posts (id,title,body,created_at,updated_at) VALUES (99,'hacked','hacked alright','2013-07-18','2013-07-18'); SELECT "posts".* FROM "posts" WHERE (title like '%anything
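The "off the Rails" and "back on the Rails" queries from the SQL injection slides, run against the practice-slide search string, as an added example that is not part of the original deck and needs no database. quote_sql_string and bind_placeholders are constructed here to imitate what ActiveRecord does with a "?" placeholder; they are a teaching model, not ActiveRecord. split_statements is a small constructed helper that counts the statements a database would see once single-quoted literals are honoured, which is the check that makes the difference between the two patterns visible.

```ruby
# Added example (not from the slides, not ActiveRecord): why placeholder
# binding neutralises the practice-slide search string and interpolation
# does not.

# The search string from the practice slide, exactly as a user would type it.
PRACTICE_PAYLOAD = "foo%'); INSERT INTO posts (id,title,body,created_at,updated_at) " \
                   "VALUES (99,'hacked','hacked alright','2013-07-18','2013-07-18'); " \
                   "SELECT \"posts\".* FROM \"posts\" WHERE (title like '%anything"

# SQL string-literal quoting: wrap in single quotes, double any embedded quote.
def quote_sql_string(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Replace each "?" in the template with its quoted argument (the slide-10 shape).
def bind_placeholders(template, *args)
  unless template.count("?") == args.size
    raise ArgumentError, "placeholder/argument count mismatch"
  end
  queue = args.each
  template.gsub("?") { quote_sql_string(queue.next) }
end

# Slide 9 pattern: the value is spliced into the SQL text unchanged.
def interpolated_query(name)
  %(SELECT "posts".* FROM "posts" WHERE (title like '%#{name}%'))
end

# Slide 10 pattern: the whole "%name%" wildcard pattern travels as one bound value.
def bound_query(name)
  bind_placeholders(%(SELECT "posts".* FROM "posts" WHERE (title like ?)), "%#{name}%")
end

# Split SQL text at top-level semicolons, treating '...' as a literal and
# '' inside it as an escaped quote. Returns the non-empty statements.
def split_statements(sql)
  statements = []
  current = +""
  in_string = false
  i = 0
  while i < sql.length
    ch = sql[i]
    if in_string
      if ch == "'" && sql[i + 1] == "'"   # escaped quote: still inside the literal
        current << "''"
        i += 2
        next
      end
      in_string = false if ch == "'"
      current << ch
    elsif ch == "'"
      in_string = true
      current << ch
    elsif ch == ";"
      statements << current.strip
      current = +""
    else
      current << ch
    end
    i += 1
  end
  statements << current.strip
  statements.reject(&:empty?)
end

if __FILE__ == $PROGRAM_NAME
  puts "interpolated: #{split_statements(interpolated_query(PRACTICE_PAYLOAD)).size} statement(s)"
  puts "bound:        #{split_statements(bound_query(PRACTICE_PAYLOAD)).size} statement(s)"
  puts bound_query(PRACTICE_PAYLOAD)
end
```

With the practice string, the interpolated form yields three statements (the original SELECT, the INSERT, and a second SELECT that swallows the trailing quote), while the bound form yields one: the single quote in the input is doubled, so the INSERT ends up as text inside the LIKE pattern and nothing is executed. The same property is what makes the bound form safe for an ordinary name such as O'Reilly, which the interpolated form would reject with a syntax error.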