Slide 1
Slide 1 text
!
Web Security Basics
(in Rails)
Slide 2
Slide 2 text
!
@alindeman
Posted a cat GIF
Slide 3
Slide 3 text
Users
Slide 4
Slide 4 text
Vectors
Slide 5
Slide 5 text
Cross Site Scripting
Sometimes written as XSS
Slide 6
Slide 6 text
<%# application.html.erb %>
The last user to sign up was
<%= @user.username %>
Slide 7
Slide 7 text
No content
Slide 8
Slide 8 text
Rails 2
The last user to sign up was
alert("Howdy");
Slide 9
Slide 9 text
Rails 3+
The last user to sign up was
<script>alert("Howdy");</script>
Slide 10
Slide 10 text
It's more difficult to write code
vulnerable to XSS in Rails 3+
but not impossible
Slide 11
Slide 11 text
Avoid
<%# create.js.erb %>
$("#welcome").html("Hello <%= @user.username %>");
<%# application.html.erb %>
<%= raw "Hello #{@user.username}" %>
Slide 12
Slide 12 text
never render
user input
directly as HTML
Slide 13
Slide 13 text
SQL Injection
Slide 14
Slide 14 text
No content
Slide 15
Slide 15 text
Avoid
class Post < ActiveRecord::Base
def self.search(term)
where("title LIKE \"%#{term}%\"")
end
end
Slide 16
Slide 16 text
Better
class Post < ActiveRecord::Base
def self.search(term)
where("title LIKE ?", "%#{term}%")
end
end
Slide 17
Slide 17 text
Best?
class Post < ActiveRecord::Base
def self.search(term)
where("title LIKE :title", title: "%#{term}%")
end
end
Slide 18
Slide 18 text
never pass
user input
directly as SQL
Slide 19
Slide 19 text
class PasswordResetsController < ApplicationController
# POST /password_resets/reset
def reset
if user = User.find_by_token(params[:token])
user.password = params[:password]
user.save
else
render status: 404
end
end
end
Slide 20
Slide 20 text
User.find_by_token("validToken")
User.find_by_token("NOTvalidToken")
User.find_by_token(0)
User.find_by_token(nil)
Slide 21
Slide 21 text
class PasswordResetsController < ApplicationController
def reset
if user = User.find_by_token(params[:token])
user.password = params[:password]
user.save
else
render status: 404
end
end
end
Slide 22
Slide 22 text
class PasswordResetsController < ApplicationController
# POST /password_resets/reset
def reset
if params[:token].present? && user =
User.find_by_token(params[:token].to_s)
user.password = params[:password]
user.save
else
render status: 404
end
end
end
Slide 23
Slide 23 text
Cross Site Request Forgery
Sometimes written as CSRF
Slide 24
Slide 24 text
The Old Days (Rails 2)
# config/routes.rb
match ':controller(/:action(/:id))(.:format)'
Slide 25
Slide 25 text
The Old Days (Rails 2)
Slide 26
Slide 26 text
some apps may
still have this route
but it's
terribly insecure
Slide 27
Slide 27 text
Only use the GET
verb for safe actions
Slide 28
Slide 28 text
But what about?
document.getElementById("lol").submit();
Slide 29
Slide 29 text
NOPE
class ApplicationController < ActionController::Base
# Prevent CSRF attacks by raising an exception.
# For APIs, you may want to use :null_session instead.
protect_from_forgery with: :exception
end
Slide 30
Slide 30 text
Authenticity Token
Slide 31
Slide 31 text
Forgery protection is
only enabled for verbs
other than GET
Slide 32
Slide 32 text
Mass Assignment
Slide 33
Slide 33 text
<%= form_for @user do |f| %>
<%= f.label :username %>
<%= f.text_field :username %>
<%= f.label :password %>
<%= f.text_field :password %>
<%- end %>
Slide 34
Slide 34 text
class UsersController < ApplicationController
def create
@user = User.create(user_params)
redirect_to root_url, notice: "Thanks for signing up!"
end
private
def user_params
params.require(:user).permit!
end
end
Slide 35
Slide 35 text
Malicious Users Aren't Limited By
Form Fields
• Malicious users can add extra form fields, either by editing the
HTML page in their browser or by submitting requests via other
tools
• Consider a malicious user who themselves adds
Slide 36
Slide 36 text
class UsersController < ApplicationController
def create
@user = User.create(user_params)
redirect_to root_url, notice: "Thanks for signing up!"
end
private
def user_params
params.require(:user).permit(:username, :password)
end
end
Slide 37
Slide 37 text
Not So Obvious Dangers
Slide 38
Slide 38 text
class GraphsController < ApplicationController
# requests.html.erb
def requests
end
# mysql.html.erb
def mysql
end
# exceptions.html.erb
def exceptions
end
end
Slide 39
Slide 39 text
A Common Refactor
class GraphsController < ApplicationController
# GET /graphs?name=requests
# GET /graphs?name=mysql
# GET /graphs?name=exceptions
def index
render params[:name]
end
end
Slide 40
Slide 40 text
A Vulnerable Refactor
•GET /graphs?name=/etc/passwd
•GET /graphs?name=/proc/self/environ
•GET /graphs?name[inline]="%3C%25%3D%60rm+-rf+
%2F%60%25%3E"
Slide 41
Slide 41 text
Security Folks <3 Whitelists
class GraphsController < ApplicationController
ValidGraphs = ["requests", "mysql", "exceptions"]
def index
if ValidGraphs.include?(params[:name])
render params[:name]
else
render status: 404
end
end
end
Slide 42
Slide 42 text
Web Security
Some Science
Some Art
Slide 43
Slide 43 text
No content
Slide 44
Slide 44 text
No content
Slide 45
Slide 45 text
No content
Slide 46
Slide 46 text
No content