Upgrade to Pro — share decks privately, control downloads, hide ads and more …

The World of Rails Security - RailsConf 2015

The World of Rails Security - RailsConf 2015

Learning to keep your Rails application secure is an often-overlooked part of learning Rails, so let's take a trip through the world of Ruby on Rails security! The journey will start with an overview of security features offered by the popular web framework, then we'll detour through dangerous pitfalls and unsafe defaults, and finally end with suggestions for improving security in Rails itself. As a bonus, we'll talk about how to integrate security into the development process.

Justin Collins

April 23, 2015

More Decks by Justin Collins

Other Decks in Programming


  1. Justin Collins @presidentbeef Justin Collins @presidentbeef RailsConf 2015 The World

    of Ruby on Rails Security The World of Ruby on Rails Security
  2. None
  3. @presidentbeef Agenda What Rails Provides What Rails Doesn’t Provide What

    to Do About It
  4. @presidentbeef What Rails Provides

  5. @presidentbeef Rails 2 Need to use h() everywhere Rails 3/4

    Escape template output by default Cross Site Scripting Protection
  6. @presidentbeef Rails 3/4 Examples Escaped <%= params[:q] %> Not escaped

    <%= raw params[:q] %> Also not <%= params[:q].html_safe %>
  7. @presidentbeef Cross Site Scripting

  8. @presidentbeef Lots of Safe(ish) Helpers audio_tag image_tag button_tag form_for radio_button_tag

    text_area_tag tag …
  9. @presidentbeef Cross Site Request Forgery (CSRF) http://bank.com/transfer?amount=100000&to=attacker1337

  10. @presidentbeef CSRF Protection “Synchronizer Token Pattern” Save a CSRF token

    to the session Insert the CSRF token in forms Match tokens on POSTs
  11. @presidentbeef CSRF Protection <html> <head> <meta content="authenticity_token" name="csrf-param" /> <meta

    content="sM/p9qSKLI/aExm7Qyk2yf5j7ssywzwijLW7/aO1/Y8=" name="csrf-token" /> </head> <body> <form accept-charset="UTF-8" action="login" method="post"> <input name="authenticity_token" type="hidden" value="sM/p9qSKLI/aExm7Qyk2yf5j7ssywzwijLW7/aO1/Y8=" /> </form> </body> </html>
  12. @presidentbeef Mass Assignment User.create(params[:user]).save! /user/new/?user[admin]=true

  13. @presidentbeef Mass Assignment Protection Rails 2 Optional white/black list in

    models Rails 3.1 Option to require whitelist in models Rails 3.2.3 Whitelist is default in new apps Rails 4 Whitelist on assignment instead
  14. @presidentbeef Strong Parameters input = params.require(:name).permit(:email) User.create(input).save!

  15. @presidentbeef Cookie Session Stores Rails 2/3 Signed session cookies Rails

    4 Encrypted session cookies JSON, not Marshal
  16. @presidentbeef SQL Injection Protection Rails 2/3 Parameterized queries Rails 4

    Also Arel
  17. @presidentbeef Security Headers Defaults (Rails 4) X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN

    X-Xss-Protection: 1; mode=block config.force_ssl = true Strict-Transport-Security: max_age=31536000
  18. @presidentbeef What Rails Doesn’t Provide (Not an exhaustive list)

  19. @presidentbeef Back to Cross Site Scripting .html_safe does not make

    strings safe .html_safe does not make strings safe .html_safe does not make strings safe .html_safe does not make strings safe .html_safe does not make strings safe
  20. @presidentbeef JSON Encoding in Rails 3.2 Loading development environment (Rails

    3.2.21) 2.1.5 :001 > {"<x>" => "</script>"}.to_json => "{\"<x>\":\"</script>\"}"
  21. @presidentbeef Loading development environment (Rails 4.2.1) 2.1.5 :001 > {"<x>"

    => "</script>"}.to_json => "{\"<x>\":\"\\u003c/script\\u003e\"} JSON Encoding in Rails 4
  22. @presidentbeef How About Contextual Encoding? h j CGI.escape CGI.escapeHTML escape_once

    escape_javascript html_escape html_escape_once json_escape sanitize sanitize_css
  23. @presidentbeef Not Great CSRF Protection Doesn’t apply to GET Route

    must disallow GET Must use form helpers for CSRF tokens CSRF tokens persist per session
  24. @presidentbeef CSRF Token Failures Rails 2 - 3.0.3 Raise an

    exception Rails 3.0.4 - 3.2.21 Call handle_unverified_request Reset session (default) Rails 4 Raise an exception (default)
  25. @presidentbeef def transfer transfer_monies params[:from], params[:to], params[:amount] end https://bounty.github.com/researchers/LukasReschke.html https://blog.nvisium.com/2014/09/understanding-protectfromforgery.html

    Why Care?
  26. @presidentbeef Server-Side Sessions Not Default But sqlite is required by

  27. @presidentbeef So What? Rails session cookies are forever Impossible to

    manage server-side Pre-Rails 4 cookies are simple to decode
  28. @presidentbeef Decoding Cookies require 'base64' Marshal.load(Base64.decode64(cookie.split('--')[0])) { "session_id"=>"87918133699858fa3f23542affcc7862", "sensitive_stuff"=>"OOPS DON'T

    LOOK HERE!", "password"=>"password123", "_csrf_token"=>"ciWkmnuFQZB7EcipKlX+BMYnze6KzAyw2r3aqWql3fU=" }
  29. @presidentbeef No Account/Session Management has_secure_password?

  30. @presidentbeef No Authorization Framework before_filter?

  31. @presidentbeef No Directory Traversal Protection ?view=../admin/index render params[:view] ?file=/etc/password send_file

  32. @presidentbeef Not Enough SQL Injection Protection calculate exists? having order

    pluck … rails-sqli.org
  33. @presidentbeef Rails-SQLi.org github.com/presidentbeef/inject-some-sql

  34. @presidentbeef Rails-SQLi.org github.com/presidentbeef/inject-some-sql

  35. @presidentbeef class User < ActiveRecord::Base def related_users(name) q = "last_name

    = #{name}" User.where(q) end end Sanitizing SQL
  36. @presidentbeef Manual SQL Escaping Maybe in here? Yes…?

  37. @presidentbeef Sanitizing SQL? class User < ActiveRecord::Base def related_users(name) q

    = "last_name = #{sanitize_sql name}" User.where(q) end end NoMethodError: undefined method `sanitize_sql' for #<User:0x00000007566470>
  38. @presidentbeef Sanitizing SQL?? self.class.sanitize_sql name NoMethodError: protected method `sanitize_sql' called

    for #<Class:0x00000001a20f70>
  39. None
  40. @presidentbeef self.class.__send__(:sanitize_sql, name) Sanitizing SQL???

  41. @presidentbeef name = "') or 1=1 --" self.class.__send__(:sanitize_sql, name) Sanitizing

    SQL???? "') or 1=1 --"
  42. @presidentbeef name = "') or 1=1 --" self.class.__send__(:sanitize_sql, ["?", name])

    Sanitizing SQL "''') or 1=1 --'"
  43. @presidentbeef name = "') or 1=1 --" self.class.__send__(:sanitize_sql, last_name: name)

    Sanitizing SQL "\"users\".\"last_name\" = ''') or 1=1 --'"
  44. @presidentbeef No Rate Limiting

  45. @presidentbeef No Open Redirect Protection Open Redirect redirect_to params[:n] Safe-ish

    Redirect redirect_to URI.parse(params[:n]).path
  46. @presidentbeef Open Redirect redirect_to params[:n] Safe-ish Redirect begin redirect_to URI.parse(params[:n]).path

    rescue URI::InvalidURIError #... end No Open Redirect Protection
  47. @presidentbeef No Protocol Filtering for Links link_to "My home page",

    user.home_url <a href="javascript:alert(1)"> My home page </a>
  48. @presidentbeef Even More Missing Security Features Code Climate Blog: Rails

    Insecure Defaults blog.codeclimate.com/blog/2013/03/27/rails-insecure-defaults/
  49. @presidentbeef @MakotoTheCat

  50. @presidentbeef What To Do About It

  51. @presidentbeef Learn About Security

  52. @presidentbeef Fix All The Rails Things?

  53. @presidentbeef Use Security Libraries Rate Limiting and Blocking rack-attack Moar

    Headers secure_headers Access Control pundit cancan/cancancan Authentication omniauth User Management devise
  54. @presidentbeef Use Static Analysis Tools Brakeman Check for potential vulnerabilities

    bundler-audit Check for vulnerable dependencies
  55. @presidentbeef Cost of Fixing Defects

  56. @presidentbeef Use static analysis Scan all the code all the

    time Don’t fix vulnerabilities, prevent them The Plan
  57. @presidentbeef Some Options File system monitoring (using Guard?) Integration into

    commit tools Continuous integration (with Jenkins?) Integration into release process
  58. @presidentbeef More Info “Using Brakeman and Security Automation in Practice

    in the SDLC and Stuff” youtu.be/kda8RZ5NIlM “Putting Your Robots to Work” vimeo.com/54250716
  59. @presidentbeef Be Safe! @presidentbeef / presidentbeef.com @brakeman / brakemanscanner.org @brakemanpro

    / brakemanpro.com