
Web Application Security in Rails

Uri Nativ
November 12, 2012

#railsisrael 2012 lecture on web application security in rails

Transcript

  1. Bob

  2. XSS
    The Attack: execute arbitrary code / defacement. JSON is not escaped by default. CSS can be injected as well.
    Countermeasures: never trust data from the users. Use Markdown (e.g. the Redcarpet gem).
  3. CSRF
    www.blog.com -> "Click here for free iPad" -> www.freeiPad.com
    <form name="evilform" action="www.blog.com/…."> … <script> document.evilform.submit() </script>
  4. CSRF
    The Attack: the attacker sends requests on the victim's behalf. Doesn't depend on XSS. The attacker doesn't need to be logged in.
    Countermeasures: use Rails' default CSRF protection (do not override it). Use GET for queries. Use POST/DELETE/… when updating data. Add a sign-out link.
  5. Mass Assignment
    The Attack: unprotected by default :(
    Countermeasures: whitelist; blacklist; Strong Parameters (whitelist): Rails 4, logic moved to the controller, available as a gem.
  6. SQL Injection (CVE-2012-2661)
    User.where( :id => params[:user_id], :reset_token => params[:token] )
    SELECT users.* FROM users WHERE users.id = 6 AND users.reset_token = 'XYZ' LIMIT 1
  7. SQL Injection (CVE-2012-2661)
    /users/6/password/edit?token[]
    SELECT users.* FROM users WHERE users.id = 6 AND users.reset_token IS NULL LIMIT 1
  8. SQL Injection (CVE-2012-2661)
    The Attack: SQL Injection. Affected versions: Rails < 3.2.4.
    Countermeasures: upgrade to Rails 3.2.4 or higher.
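Added example, not from the deck or the Rails code base: a plain-Ruby model of the queries slides 6 and 7 show (a simplified stand-in for the pre-3.2.4 `where` behaviour, not ActiveRecord itself) beside the `params[:token]` type check a controller can apply in addition to the upgrade on slide 8. The function names and the intermediate nil step are assumptions.

```ruby
# Added example, not part of the deck: a simplified stand-in for the
# query generation on slides 6-8 (not ActiveRecord's code) next to the
# parameter check a controller can add on top of upgrading Rails.

def quote_sql(value)
  value.is_a?(Integer) ? value.to_s : "'#{value.to_s.gsub("'", "''")}'"
end

# Renders conditions the way the vulnerable path on the slides does:
# a nil value becomes "IS NULL", anything else an equality test.
def legacy_select(table, conditions)
  clauses = conditions.map do |column, value|
    if value.nil?
      "#{table}.#{column} IS NULL"
    else
      "#{table}.#{column} = #{quote_sql(value)}"
    end
  end
  "SELECT #{table}.* FROM #{table} WHERE #{clauses.join(' AND ')} LIMIT 1"
end

# Stand-in for how `?token[]` reaches the query: the parameter is not a
# String and collapses to nil (assumed intermediate step; the slides show
# only the URL and the resulting SQL).
def legacy_param(raw)
  raw.is_a?(Array) && raw.compact.empty? ? nil : raw
end

# Defender-side check: a reset token is only ever a non-blank String.
# Arrays, hashes, nil and "" are rejected before any query is built.
def valid_reset_token(raw)
  return nil unless raw.is_a?(String)
  token = raw.strip
  token.empty? ? nil : token
end

# Guarded lookup: returns nil (render 404) instead of a query when the check fails.
def reset_password_query(user_id, raw_token)
  token = valid_reset_token(raw_token)
  return nil if token.nil?
  legacy_select("users", id: Integer(user_id), reset_token: token)
end

if __FILE__ == $PROGRAM_NAME
  puts legacy_select("users", id: 6, reset_token: "XYZ")
  puts legacy_select("users", id: 6, reset_token: legacy_param([]))
  p reset_password_query(6, [])          # nil: request rejected
  p reset_password_query(6, "XYZ")
end
```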
  9. Brakeman
    -------------------------------------------------
    | Warning Type                         | Total |
    -------------------------------------------------
    | Cross Site Scripting                 | 2     |
    | Cross-Site Request Forgery           | 1     |
    | Denial of Service                    | 1     |
    | Redirect                             | 1     |
    | SQL Injection                        | 4     |
    -------------------------------------------------
  10. Conclusions
    Know the threats: OWASP Top 10. Follow Rails conventions.
    Ruby on Rails Security Guide: http://guides.rubyonrails.org/security.html
    The Ruby on Rails security project: http://www.rorsecurity.info
    Rails security mailing list: http://groups.google.com/group/rubyonrails-security
  11. Thanks to…
    Daniel Amselem for pair programming, Irit Shainzinger for the cool graphics, Michael Hartl for his microblogging app tutorial.