
The World of Rails Security - RailsConf 2015

Learning to keep your Rails application secure is an often-overlooked part of learning Rails, so let's take a trip through the world of Ruby on Rails security! The journey will start with an overview of security features offered by the popular web framework, then we'll detour through dangerous pitfalls and unsafe defaults, and finally end with suggestions for improving security in Rails itself. As a bonus, we'll talk about how to integrate security into the development process.

Justin Collins

April 23, 2015


  1. Justin Collins (@presidentbeef), RailsConf 2015: The World of Ruby on Rails Security
  2. Cross Site Scripting Protection. Rails 2: need to use h() everywhere. Rails 3/4: escape template output by default.
  3. Rails 3/4 examples. Escaped: <%= params[:q] %>. Not escaped: <%= raw params[:q] %>. Also not escaped: <%= params[:q].html_safe %>
  4. CSRF Protection ("Synchronizer Token Pattern"): save a CSRF token to the session; insert the CSRF token in forms; match tokens on POSTs.
  5. CSRF Protection, as it appears in the rendered page:

    <html>
    <head>
    <meta content="authenticity_token" name="csrf-param" />
    <meta content="sM/p9qSKLI/aExm7Qyk2yf5j7ssywzwijLW7/aO1/Y8=" name="csrf-token" />
    </head>
    <body>
    <form accept-charset="UTF-8" action="login" method="post">
    <input name="authenticity_token" type="hidden" value="sM/p9qSKLI/aExm7Qyk2yf5j7ssywzwijLW7/aO1/Y8=" />
    </form>
    </body>
    </html>
  6. Mass Assignment Protection. Rails 2: optional white/black list in models. Rails 3.1: option to require a whitelist in models. Rails 3.2.3: whitelist is the default in new apps. Rails 4: whitelist on assignment instead.
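The difference between "whitelist in the model" and "whitelist on assignment" (slide 6) is easiest to see in plain Ruby. The following is an added example, not code from the talk or from Rails: `permit_params`, `User` and `UnpermittedParameter` are assumed names, and `TAMPERED_PARAMS` is a constructed request body in which a sign-up form has been extended with an `admin` field.

```ruby
# Added example (not from the talk or Rails): a minimal model of
# whitelisting at the point of assignment, without any Rails dependency.
# permit_params, User and UnpermittedParameter are assumed names.

class UnpermittedParameter < StandardError; end

# Rails 4 style: filter request parameters where they are assigned.
# Keys not in +allowed+ are dropped; with strict: true they raise instead,
# which is the setting to prefer in development and test so that a
# forgotten field shows up as an error rather than silently vanishing.
def permit_params(params, allowed, strict: false)
  allowed = allowed.map(&:to_s)
  extra = params.keys.map(&:to_s) - allowed
  raise UnpermittedParameter, "unpermitted: #{extra.join(', ')}" if strict && extra.any?
  params.select { |k, _| allowed.include?(k.to_s) }
end

# A model with an attribute that must never be set from the request.
class User
  attr_accessor :name, :email, :admin

  def initialize
    @admin = false
  end

  # Mass assignment: every key in the hash becomes an attribute write.
  def assign_attributes(attrs)
    attrs.each { |k, v| public_send("#{k}=", v) }
    self
  end
end

# Constructed request body: a sign-up form with an extra admin=true field.
TAMPERED_PARAMS = { "name" => "mallory", "email" => "m@example.test", "admin" => true }.freeze

# No whitelist anywhere: the extra field lands on the model.
def unsafe_signup(params)
  User.new.assign_attributes(params)
end

# Whitelist applied at assignment time: only name and email get through.
def safe_signup(params)
  User.new.assign_attributes(permit_params(params, [:name, :email]))
end
```

Running `safe_signup(TAMPERED_PARAMS)` gives a user with `admin` still `false`, while `unsafe_signup` promotes the account. Filtering at assignment rather than in the model means the same model can accept different fields from an admin form and a public form.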
  7. Security Headers. Defaults (Rails 4): X-Content-Type-Options: nosniff; X-Frame-Options: SAMEORIGIN; X-Xss-Protection: 1; mode=block. With config.force_ssl = true: Strict-Transport-Security: max-age=31536000
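The headers on slide 7 are set by middleware, and the same thing can be done in a few lines of Rack-style Ruby. This is an added example, not the talk's or Rails' own code: `SecurityHeaders` and its `force_ssl`/`hsts_max_age` options are assumed names, it follows the Rack calling convention (`call(env)` returning `[status, headers, body]`) without requiring the rack gem, and `PLAIN_APP` is a constructed inner application.

```ruby
# Added example (not from the talk or Rails): a Rack-style middleware that
# adds the headers from the slide. Names and options are assumptions.

class SecurityHeaders
  DEFAULT_HEADERS = {
    "X-Content-Type-Options" => "nosniff",
    "X-Frame-Options"        => "SAMEORIGIN",
    "X-XSS-Protection"       => "1; mode=block",
  }.freeze

  # force_ssl mirrors config.force_ssl: when on, HTTPS responses carry HSTS
  # and plain HTTP requests are redirected to their HTTPS equivalent.
  def initialize(app, force_ssl: false, hsts_max_age: 31_536_000)
    @app = app
    @force_ssl = force_ssl
    @hsts_max_age = hsts_max_age
  end

  def call(env)
    if @force_ssl && env["rack.url_scheme"] != "https"
      location = "https://#{env['HTTP_HOST']}#{env['PATH_INFO']}"
      return [301, { "Location" => location, "Content-Type" => "text/plain" }, ["redirecting"]]
    end

    status, headers, body = @app.call(env)
    headers = headers.dup
    # Do not override a header the application set deliberately.
    DEFAULT_HEADERS.each { |k, v| headers[k] ||= v }
    headers["Strict-Transport-Security"] ||= "max-age=#{@hsts_max_age}" if @force_ssl
    [status, headers, body]
  end
end

# Constructed inner app and request builder for running this stand-alone.
PLAIN_APP = ->(_env) { [200, { "Content-Type" => "text/html" }, ["<h1>hi</h1>"]] }

def respond(force_ssl:, scheme:)
  env = { "rack.url_scheme" => scheme, "HTTP_HOST" => "app.example.test", "PATH_INFO" => "/login" }
  SecurityHeaders.new(PLAIN_APP, force_ssl: force_ssl).call(env)
end
```

The `||=` matters: a controller that deliberately sets `X-Frame-Options: ALLOW-FROM` for an embeddable page keeps its value, while every other response gets the default.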
  8. Back to Cross Site Scripting: .html_safe does not make strings safe (repeated five times on the slide, for emphasis).
  9. JSON Encoding in Rails 3.2:

    Loading development environment (Rails 3.2.21)
    2.1.5 :001 > {"<x>" => "</script>"}.to_json
     => "{\"<x>\":\"</script>\"}"
  10. JSON Encoding in Rails 4:

    Loading development environment (Rails 4.2.1)
    2.1.5 :001 > {"<x>" => "</script>"}.to_json
     => "{\"<x>\":\"\\u003c/script\\u003e\"}"
  11. How About Contextual Encoding? h, j, CGI.escape, CGI.escapeHTML, escape_once, escape_javascript, html_escape, html_escape_once, json_escape, sanitize, sanitize_css
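Slides 3, 8, 9, 10 and 11 together make one point: each output context needs its own encoder, and `html_safe` is not one of them. The block below is an added example in plain Ruby, not code from the talk or from Rails. `ERB::Util.html_escape` is the standard-library escaper that Rails' `h` wraps; `json_escape` here is an assumed name that reproduces the `\u003c`-style escaping slide 10 shows for Rails 4; `UNTRUSTED` is a constructed input; `render_page` is an assumed template.

```ruby
require "erb"
require "cgi"
require "json"

# Added example (not from the talk or Rails): one encoder per output
# context. UNTRUSTED is constructed; json_escape and render_page are
# assumed names written for this example.

UNTRUSTED = %q(</script><script>alert(1)</script>).freeze

# HTML body text or a quoted attribute value: what <%= %> does by default.
def html_context(value)
  ERB::Util.html_escape(value)
end

# A URL query parameter: percent-encode the value. The resulting URL is
# still HTML-escaped when it is written into an href attribute.
def url_param_context(value)
  "/search?q=#{CGI.escape(value)}"
end

# Rails 4 style JSON: rewrite <, >, & (and U+2028/U+2029) as \uXXXX so the
# output can never close an enclosing <script> element. Block form of gsub
# is used so the backslash sequences are inserted verbatim.
def json_escape(json_string)
  json_string
    .gsub("<") { "\\u003c" }
    .gsub(">") { "\\u003e" }
    .gsub("&") { "\\u0026" }
    .gsub("\u2028") { "\\u2028" }
    .gsub("\u2029") { "\\u2029" }
end

# Inline JavaScript data: JSON-encode, then JSON-escape for the HTML context.
def script_context(hash)
  json_escape(JSON.generate(hash))
end

# The same value rendered in three contexts, each with its own encoder.
def render_page(value)
  <<~HTML
    <p>Results for #{html_context(value)}</p>
    <a href="#{html_context(url_param_context(value))}">search again</a>
    <script>var q = #{script_context("q" => value)};</script>
  HTML
end
```

Note what is missing: there is no `html_safe` anywhere. Marking the untrusted string safe would change none of its bytes, only the flag that tells the template not to escape it, so the `</script>` in `UNTRUSTED` would reach the browser intact. Rails 3.2's `to_json` (slide 9) has the same effect inside a `<script>` block, which is why `script_context` applies `json_escape` on top of JSON encoding.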
  12. Not Great: CSRF protection doesn't apply to GET, so the route must disallow GET; must use form helpers to get CSRF tokens; CSRF tokens persist per session.
  13. CSRF Token Failures. Rails 2 - 3.0.3: raise an exception. Rails 3.0.4 - 3.2.21: call handle_unverified_request, which resets the session (default). Rails 4: raise an exception (default).
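The synchronizer token pattern from slides 4 and 5, with the two caveats from slides 12 and 13 made explicit: GET requests are never checked, and a mismatch raises (the Rails 4 default) rather than resetting the session. This is an added example in plain Ruby, not the talk's or Rails' code; `Request`, `csrf_token`, `form_tag`, `verify_authenticity_token!`, `secure_compare` and `InvalidAuthenticityToken` are assumed names, and the requests built by `legitimate_post` and `forged_post` are constructed.

```ruby
require "securerandom"

# Added example (not from the talk or Rails): the synchronizer token
# pattern in plain Ruby. All names are assumptions for this example.

class InvalidAuthenticityToken < StandardError; end

Request = Struct.new(:http_method, :params, :session, keyword_init: true)

# Step 1: save a CSRF token to the session. It is generated once and then
# reused, which is the "tokens persist per session" point on slide 12.
def csrf_token(session)
  session[:_csrf_token] ||= SecureRandom.base64(32)
end

# Step 2: insert the token into every form the application renders.
def form_tag(session, action)
  token = csrf_token(session)
  %(<form action="#{action}" method="post"><input name="authenticity_token" type="hidden" value="#{token}" /></form>)
end

# Constant-time string comparison so that the check does not leak how many
# leading bytes of a guessed token were correct.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  l = a.unpack("C*")
  res = 0
  b.each_byte { |byte| res |= byte ^ l.shift }
  res.zero?
end

# Step 3: match tokens on state-changing requests. GET is skipped, which is
# exactly why a route that changes state must not accept GET.
def verify_authenticity_token!(request)
  return :skipped if request.http_method == "GET"
  expected = request.session[:_csrf_token].to_s
  supplied = request.params["authenticity_token"].to_s
  raise InvalidAuthenticityToken unless secure_compare(expected, supplied)
  :verified
end

# Constructed: the browser submits a form the app rendered for this session.
def legitimate_post(session)
  form_tag(session, "/login")
  Request.new(http_method: "POST", params: { "authenticity_token" => session[:_csrf_token] }, session: session)
end

# Constructed: a cross-site request. The victim's cookie rides along, so the
# session is present, but the attacking page never saw the token.
def forged_post(session)
  Request.new(http_method: "POST", params: {}, session: session)
end
```

Because the token lives only in the session and in pages rendered for that session, a request whose `authenticity_token` matches proves the form came from the application; a request that carries the cookie but no token is rejected. A form built by hand without the helper (slide 12) fails the same check.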
  14. So What? Rails session cookies are forever; impossible to manage server-side; pre-Rails 4 cookies are simple to decode.
  15. Sanitizing SQL?

    class User < ActiveRecord::Base
      def related_users(name)
        q = "last_name = #{sanitize_sql name}"
        User.where(q)
      end
    end

    NoMethodError: undefined method `sanitize_sql' for #<User:0x00000007566470>
  16. Sanitizing SQL:

    name = "') or 1=1 --"
    self.class.__send__(:sanitize_sql, last_name: name)
    # => "\"users\".\"last_name\" = ''') or 1=1 --'"
  17. No Protocol Filtering for Links:

    link_to "My home page", user.home_url

    <a href="javascript:alert(1)">My home page</a>
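The missing check on slide 17 is a scheme allow-list applied before a user-supplied URL reaches an `href`. This is an added example, not the talk's or Rails' code: `safe_url`, `SAFE_SCHEMES` and this `link_to` are assumed names, and it goes slightly beyond the slide by also handling the whitespace and control-character variants browsers tolerate in a scheme.

```ruby
require "erb"
require "uri"

# Added example (not from the talk or Rails): a scheme allow-list for
# user-supplied link targets. Names are assumptions for this example.

SAFE_SCHEMES = %w[http https mailto].freeze

# Returns the URL if its scheme is allowed (or absent, i.e. a relative URL),
# otherwise the fallback.
def safe_url(url, fallback: "#")
  # Browsers ignore surrounding whitespace and embedded ASCII control
  # characters when reading the scheme, so the check normalises the same
  # way; otherwise a tab inside the scheme name would slip past.
  candidate = url.to_s.strip.gsub(/[\u0000-\u001f\u007f]/, "")
  return fallback if candidate.empty?
  scheme = URI.parse(candidate).scheme
  return candidate if scheme.nil? || SAFE_SCHEMES.include?(scheme.downcase)
  fallback
rescue URI::InvalidURIError
  fallback
end

# A link helper that checks the scheme and HTML-escapes both parts.
def link_to(text, url)
  %(<a href="#{ERB::Util.html_escape(safe_url(url))}">#{ERB::Util.html_escape(text)}</a>)
end
```

Relative URLs pass because they have no scheme; anything with a scheme outside the list falls back to `#`. An allow-list is the right shape here: a deny-list of `javascript:` alone misses `data:` and whatever scheme the next browser feature introduces.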
  18. Even More Missing Security Features. Code Climate Blog: "Rails' Insecure Defaults", blog.codeclimate.com/blog/2013/03/27/rails-insecure-defaults/
  19. Use Security Libraries. Rate limiting and blocking: rack-attack. Moar headers: secure_headers. Access control: pundit, cancan/cancancan. Authentication: omniauth. User management: devise.
  20. The Plan: use static analysis; scan all the code all the time; don't fix vulnerabilities, prevent them.
  21. Some Options: file system monitoring (using Guard?); integration into commit tools; continuous integration (with Jenkins?); integration into the release process.
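Whichever of the options on slide 21 is chosen, the integration point is the same: run the scanner, read its report, and decide whether to block. The block below is an added example, not the talk's or Brakeman's code. It reads a Brakeman JSON report (`brakeman -f json`) and fails only on High or Medium confidence warnings whose fingerprint is not already in a reviewed baseline, which is what "prevent, don't fix" looks like in a commit hook. `SAMPLE_REPORT` is a constructed report with made-up fingerprints; `gate_report`, `BASELINE` and `BLOCKING_CONFIDENCE` are assumed names.

```ruby
require "json"

# Added example (not from the talk or Brakeman): a gate for a commit hook or
# CI job over a Brakeman JSON report. The report is constructed; names are
# assumptions for this example.

# Confidence levels that block. Brakeman reports High, Medium and Weak.
BLOCKING_CONFIDENCE = %w[High Medium].freeze

# Constructed report in the shape of `brakeman -f json` output.
SAMPLE_REPORT = <<~JSON
  {
    "warnings": [
      {"warning_type": "SQL Injection", "confidence": "High",
       "file": "app/models/user.rb", "line": 4,
       "message": "Possible SQL injection", "fingerprint": "constructed-fp-1"},
      {"warning_type": "Cross-Site Scripting", "confidence": "Weak",
       "file": "app/views/search/index.html.erb", "line": 7,
       "message": "Unescaped parameter value", "fingerprint": "constructed-fp-2"},
      {"warning_type": "Mass Assignment", "confidence": "High",
       "file": "app/controllers/users_controller.rb", "line": 12,
       "message": "Parameters should be whitelisted", "fingerprint": "constructed-fp-3"}
    ],
    "errors": []
  }
JSON

# Fingerprints already reviewed. The known SQL injection is tolerated here
# only so that the gate does not block every commit while it is being fixed;
# anything new is the committer's to deal with before merging.
BASELINE = %w[constructed-fp-1].freeze

# Returns [exit_status, lines_to_print]; exit status 1 means block.
def gate_report(report_json, baseline)
  report = JSON.parse(report_json)
  new_blocking = report.fetch("warnings").select do |w|
    BLOCKING_CONFIDENCE.include?(w["confidence"]) && !baseline.include?(w["fingerprint"])
  end
  lines = new_blocking.map do |w|
    "#{w['confidence']}: #{w['warning_type']} at #{w['file']}:#{w['line']} (#{w['message']})"
  end
  # A scan that could not parse part of the app is worth flagging as well.
  lines << "scan errors: #{report['errors'].size}" if report["errors"]&.any?
  [new_blocking.empty? ? 0 : 1, lines]
end
```

In a pre-commit hook or CI step this runs after `brakeman -q -f json -o report.json`, prints the lines and exits with the returned status. Keying the baseline on fingerprints rather than file and line means a warning that merely moves when code above it is edited stays tolerated, while a genuinely new one blocks.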
  22. More Info: "Using Brakeman and Security Automation in Practice in the SDLC and Stuff", youtu.be/kda8RZ5NIlM; "Putting Your Robots to Work", vimeo.com/54250716