Defending your Rails app

Transcript

1. Defending your Rails app Julia López – Brighton Ruby 2025

   How to keep bad actors out without locking users in

2. Julia López From Barcelona ☀ ❤ Rails since 2011 Refactoring

   🧹 & Upgrades ⏫ 🔗 https://julialopez.dev
3. None

4. What is this talk about? 🧐

5. None

6. What is a bad actor? From whom or what are

   we defending our app from? 🦹

7. Summarized by ChatGPT from usage across security documentation by Cloud

   f lare, Stripe, and abuse engineering blogs “A bad actor is any human or automated system that intentionally abuses, misuses, or exploits an application to gain unauthorized access, cause disruption, or commit fraud”

8. 🤖 Bots: credential stu ff ers, signup spam 🥷 Fraudsters:

   use stolen credit cards 🎭 Scammers: impersonation 📣 Spammers: content or message f looding 🌩 DDoS: orchestrate attacks 🙈 Unintentional Chaos monkey: means no harm Kinds of bad actors

9. 🤖 Bots: credential stu ff ers, signup spam 🥷 Fraudsters:

   use stolen credit cards 🎭 Scammers: impersonation 📣 Spammers: content or message f looding 🌩 DDoS: orchestrate attacks 🙈 Unintentional Chaos monkey: means no harm Kinds of bad actors

10. 🤖 Bots: credential stu ff ers, signup spam 🥷 Fraudsters:

    use stolen credit cards 🎭 Scammers: impersonation 📣 Spammers: content or message f looding 🌩 DDoS: orchestrate attacks 🙈 Unintentional Chaos monkey: means no harm Kinds of bad actors

11. 🤖 Bots: credential stu ff ers, signup spam 🥷 Fraudsters:

    use stolen credit cards 🎭 Scammers: impersonation 📣 Spammers: content or message f looding 🌩 DDoS: orchestrate attacks 🙈 Unintentional Chaos monkey: means no harm Kinds of bad actors

12. 🤖 Bots: credential stu ff ers, signup spam 🥷 Fraudsters:

    use stolen credit cards 🎭 Scammers: impersonation 📣 Spammers: content or message f looding 🌩 DDoS: orchestrate attacks 🙈 Unintentional Chaos monkey: means no harm Kinds of bad actors

13. 🤖 Bots: credential stu ff ers, signup spam 🥷 Fraudsters:

    use stolen credit cards 🎭 Scammers: impersonation 📣 Spammers: content or message f looding 🌩 DDoS: orchestrate attacks 🙈 Unintentional chaos monkey: means no harm Kinds of bad actors

14. How do we defend our application? What tools we have

    at our disposal to prevent malicious practices

15. Request Web Application Firewall

16. Request Load Balancer

17. Request Reverse Proxy

18. Request Rack Server

19. None

20. https://guides.rubyonrails.org/security.html

21. rack-attack https://github.com/rack/rack-attack 🚦

22. https://github.com/rack/rack-attack “Rack middleware for blocking & throttling abusive requests”

23. None

24. rack-attack Rack::Attack.throttle("general", limit: 900, period: 1) do |request| request.ip end

25. rack-attack Rack::Attack.throttle("general", limit: 900, period: 1) do |request| request.ip end

26. rack-attack Rack::Attack.throttle("general", limit: 900, period: 1) do |request| request.ip end

27. rack-attack Rack::Attack.blocklist("block bad UA logins") do |request| # Requests are

    blocked if the return value is truthy request.user_agent == "badUA" end

28. rack-attack Rack::Attack.blocklist("block bad UA logins") do |request| # Requests are

    blocked if the return value is truthy request.user_agent == "badUA" end

29. rack-attack Rack::Attack.blocklist("block bad UA logins") do |request| # Requests are

    blocked if the return value is truthy request.user_agent == "badUA" end

30. rack-attack Rack::Attack.throttled_responder = ->(request) do env = request.env match_data =

    env["rack.attack.match_data"] throttle_name = env["rack.attack.matched"] discriminator = env["rack.attack.match_discriminator"] Prom.counters["throttles"].observe 1, name: throttle_name Rails.logger.error "Throttle #{throttle_name} => #{discriminator}: throttling occurred, retry after #{match_data[:period]}" accepts = env["HTTP_ACCEPT"] || "text/html" message = case accepts.split(",").first when /json/ ... when /xml/ ... else ... end [ 429, { "Content-Type" => accepts, "Retry-After" => match_data[:period].to_s, }, [message], ] end

31. rack-attack Rack::Attack.throttled_responder = ->(request) do env = request.env match_data =

    env["rack.attack.match_data"] throttle_name = env["rack.attack.matched"] discriminator = env["rack.attack.match_discriminator"] Prom.counters["throttles"].observe 1, name: throttle_name Rails.logger.error "Throttle #{throttle_name} => #{discriminator}: throttling occurred, retry after #{match_data[:period]}" accepts = env["HTTP_ACCEPT"] || "text/html" message = case accepts.split(",").first when /json/ ... when /xml/ ... else ... end [ 429, { "Content-Type" => accepts, "Retry-After" => match_data[:period].to_s, }, [message], ] end

32. rack-attack Rack::Attack.throttled_responder = ->(request) do env = request.env match_data =

    env["rack.attack.match_data"] throttle_name = env["rack.attack.matched"] discriminator = env["rack.attack.match_discriminator"] Prom.counters["throttles"].observe 1, name: throttle_name Rails.logger.error "Throttle #{throttle_name} => #{discriminator}: throttling occurred, retry after #{match_data[:period]}" accepts = env["HTTP_ACCEPT"] || "text/html" message = case accepts.split(",").first when /json/ ... when /xml/ ... else ... end [ 429, { "Content-Type" => accepts, "Retry-After" => match_data[:period].to_s, }, [message], ] end

33. rack-attack Rack::Attack.throttled_responder = ->(request) do env = request.env match_data =

    env["rack.attack.match_data"] throttle_name = env["rack.attack.matched"] discriminator = env["rack.attack.match_discriminator"] Prom.counters["throttles"].observe 1, name: throttle_name Rails.logger.error "Throttle #{throttle_name} => #{discriminator}: throttling occurred, retry after #{match_data[:period]}" accepts = env["HTTP_ACCEPT"] || "text/html" message = case accepts.split(",").first when /json/ ... when /xml/ ... else ... end [ 429, { "Content-Type" => accepts, "Retry-After" => match_data[:period].to_s, }, [message], ] end

34. rack-attack # app/controllers/application_controller.rb before_action :throttling_info def throttling_info if throttle_data =

    request.env["rack.attack.throttle_data"] throttle_data.each do |name, data| Rails.logger.info "Throttle #{name} => #{data[:discriminator]}: #{data[:count]}/#{data[:limit]} (#{data[:period]}s)" end end end

35. rack-attack # app/controllers/application_controller.rb before_action :throttling_info def throttling_info if throttle_data =

    request.env["rack.attack.throttle_data"] throttle_data.each do |name, data| Rails.logger.info "Throttle #{name} => #{data[:discriminator]}: #{data[:count]}/#{data[:limit]} (#{data[:period]}s)" end end end

36. rack-attack # app/controllers/application_controller.rb before_action :throttling_info def throttling_info if throttle_data =

    request.env["rack.attack.throttle_data"] throttle_data.each do |name, data| Rails.logger.info "Throttle #{name} => #{data[:discriminator]}: #{data[:count]}/#{data[:limit]} (#{data[:period]}s)" end end end
37. None

38. Abuse Prevention What we are up against and how we

    prevent it ✋

39. General abuse 🌍

40. https://docs.stripe.com/rate-limits

41. None

42. https://help.getharvest.com/api-v2/introduction/overview/general

43. General abuse Rack::Attack.throttle(“api/account/user", limit: 100, period: 15.seconds) do |request| discriminator

    = user_discriminator(request) "api-#{request.env['HTTP_HARVEST_ACCOUNT_ID']}-#{discriminator}" end

44. General abuse Rack::Attack.throttle(“api/account/user", limit: 100, period: 15.seconds) do |request| discriminator

    = user_discriminator(request) "api-#{request.env['HTTP_HARVEST_ACCOUNT_ID']}-#{discriminator}" end

45. General abuse Rack::Attack.throttle(“api/account/user", limit: 100, period: 15.seconds) do |request| discriminator

    = user_discriminator(request) "api-#{request.env['HTTP_HARVEST_ACCOUNT_ID']}-#{discriminator}" end

46. General abuse Rack::Attack.throttle(“api/reports/user", limit: 100, period: 15.minutes) do |request| if

    request.path.starts_with?(“/v2/reports") discriminator = user_discriminator(request) "api-#{request.env['HTTP_HARVEST_ACCOUNT_ID']}-#{discriminator}" end end

47. General abuse Rack::Attack.throttle(“api/reports/user", limit: 100, period: 15.minutes) do |request| if

    request.path.starts_with?(“/v2/reports") discriminator = user_discriminator(request) "api-#{request.env['HTTP_HARVEST_ACCOUNT_ID']}-#{discriminator}" end end

48. General abuse Rack::Attack.throttle(“api/reports/user", limit: 100, period: 15.minutes) do |request| if

    request.path.starts_with?(“/v2/reports") discriminator = user_discriminator(request) "api-#{request.env['HTTP_HARVEST_ACCOUNT_ID']}-#{discriminator}" end end

49. General abuse Rack::Attack.safelist("internal requests") do |request| internal_request?(request) end

50. General abuse Rack::Attack.safelist("internal requests") do |request| internal_request?(request) end

51. General abuse Rack::Attack.safelist("internal requests") do |request| internal_request?(request) end

52. Credential stu ff ing 🔐

53. https://haveibeenpwned.com/

54. Credential stu ff ing Rack::Attack.throttle("logins", limit: 10, period: 1.minute) do

    |request| if request.post? && request.path.start_with?("/sessions") request.ip end end

55. Credential stu ff ing Rack::Attack.throttle("logins", limit: 10, period: 1.minute) do

    |request| if request.post? && request.path.start_with?("/sessions") request.ip end end

56. Credential stu ff ing Rack::Attack.throttle("logins", limit: 10, period: 1.minute) do

    |request| if request.post? && request.path.start_with?("/sessions") request.ip end end
57. None

58. Credential stu ff ing

59. Credential stu ff ing Rack::Attack.blocklist("banned ips") do |request| IpBan.cached?(request.ip) end

60. Credential stu ff ing Rack::Attack.blocklist("banned ips") do |request| IpBan.cached?(request.ip) end

61. Credential stu ff ing Rack::Attack.blocklist("banned ips") do |request| IpBan.cached?(request.ip) end

62. Signup spam 🗑

63. Signup spam Rack::Attack.throttle("possibly spammy signup", limit: 10, period: 24.hours) do

    |request| if request.post? && request.path.start_with?("/signup") && looks_spammy?(request) "spammy_signup" end end

64. Signup spam Rack::Attack.throttle("possibly spammy signup", limit: 10, period: 24.hours) do

    |request| if request.post? && request.path.start_with?("/signup") && looks_spammy?(request) "spammy_signup" end end

65. Signup spam Rack::Attack.throttle("possibly spammy signup", limit: 10, period: 24.hours) do

    |request| if request.post? && request.path.start_with?("/signup") && looks_spammy?(request) "spammy_signup" end end
66. None

67. Signup spam

68. Business logic abuse 🧠

69. None
70. None
71. None

72. Business logic abuse ThrottlingRule::RULES.each do |rule_name, rule| rule[:throttle_discriminator].each do |disc|

    name = "#{rule_name}/#{disc}" limit = proc { |request| ThrottlingRule.new(request, rule).limit(disc) } Rack::Attack.throttle(name, limit: limit, period: rule[:period]) do |request| conditions = ThrottlingRule.new(request, rule) if conditions.run conditions.get_discriminator(disc) end end end end

73. Business logic abuse ThrottlingRule::RULES.each do |rule_name, rule| rule[:throttle_discriminator].each do |disc|

    name = "#{rule_name}/#{disc}" limit = proc { |request| ThrottlingRule.new(request, rule).limit(disc) } Rack::Attack.throttle(name, limit: limit, period: rule[:period]) do |request| conditions = ThrottlingRule.new(request, rule) if conditions.run conditions.get_discriminator(disc) end end end end

74. Business logic abuse ThrottlingRule::RULES.each do |rule_name, rule| rule[:throttle_discriminator].each do |disc|

    name = "#{rule_name}/#{disc}" limit = proc { |request| ThrottlingRule.new(request, rule).limit(disc) } Rack::Attack.throttle(name, limit: limit, period: rule[:period]) do |request| conditions = ThrottlingRule.new(request, rule) if conditions.run conditions.get_discriminator(disc) end end end end

75. Business logic abuse ThrottlingRule::RULES.each do |rule_name, rule| rule[:throttle_discriminator].each do |disc|

    name = "#{rule_name}/#{disc}" limit = proc { |request| ThrottlingRule.new(request, rule).limit(disc) } Rack::Attack.throttle(name, limit: limit, period: rule[:period]) do |request| conditions = ThrottlingRule.new(request, rule) if conditions.run conditions.get_discriminator(disc) end end end end

76. Business logic abuse create_invoice_non_api_new_company: { limit: 100, period: 24.hours, throttle_discriminator:

    [:subdomain], methods: [:post], path_match: { type: :exact, discriminator: "/invoices", }, api_check: :is_non_api, suspicious_check: :new_nonpaying_company, }

77. Business logic abuse create_invoice_non_api_new_company: { limit: 100, period: 24.hours, throttle_discriminator:

    [:subdomain], methods: [:post], path_match: { type: :exact, discriminator: "/invoices", }, api_check: :is_non_api, suspicious_check: :new_nonpaying_company, }

78. Business logic abuse create_invoice_non_api_new_company: { limit: 100, period: 24.hours, throttle_discriminator:

    [:subdomain], methods: [:post], path_match: { type: :exact, discriminator: "/invoices", }, api_check: :is_non_api, suspicious_check: :new_nonpaying_company, }

79. Business logic abuse create_invoice_non_api_new_company: { limit: 100, period: 24.hours, throttle_discriminator:

    [:subdomain], methods: [:post], path_match: { type: :exact, discriminator: "/invoices", }, api_check: :is_non_api, suspicious_check: :new_nonpaying_company, }

80. Business logic abuse create_invoice_non_api_new_company: { limit: 100, period: 24.hours, throttle_discriminator:

    [:subdomain], methods: [:post], path_match: { type: :exact, discriminator: "/invoices", }, api_check: :is_non_api, suspicious_check: :new_nonpaying_company, }

81. Business logic abuse create_invoice_non_api_new_company: { limit: 100, period: 24.hours, throttle_discriminator:

    [:subdomain], methods: [:post], path_match: { type: :exact, discriminator: "/invoices", }, api_check: :is_non_api, suspicious_check: :new_nonpaying_company, }

82. Business logic abuse ActiveSupport::Notifications.subscribe("throttle.rack_attack") do |_, _, _, _, payload|

    request = payload[:request] throttle_name = request.env["rack.attack.matched"] # Removes the discriminator suffix (e.g. "/signup_ip", "/subdomain", "/ip", etc) rule_name = throttle_name.sub(%r{/\w+\z}, "").to_sym rule = ThrottlingRule::RULES.find { |name, _| name == rule_name } next unless rule rule_config = rule.second throttling_rule = ThrottlingRule.new(request, rule_config) notes = "Throttled by rule #{rule_name}" discriminators = rule_config[:throttle_discriminator] discriminators.each.with_index do |discriminator, index| flag_discriminator_as_suspicious(discriminator, throttling_rule, notes) end end

83. Business logic abuse ActiveSupport::Notifications.subscribe("throttle.rack_attack") do |_, _, _, _, payload|

    request = payload[:request] throttle_name = request.env["rack.attack.matched"] # Removes the discriminator suffix (e.g. "/signup_ip", "/subdomain", "/ip", etc) rule_name = throttle_name.sub(%r{/\w+\z}, "").to_sym rule = ThrottlingRule::RULES.find { |name, _| name == rule_name } next unless rule rule_config = rule.second throttling_rule = ThrottlingRule.new(request, rule_config) notes = "Throttled by rule #{rule_name}" discriminators = rule_config[:throttle_discriminator] discriminators.each.with_index do |discriminator, index| flag_discriminator_as_suspicious(discriminator, throttling_rule, notes) end end

84. Business logic abuse ActiveSupport::Notifications.subscribe("throttle.rack_attack") do |_, _, _, _, payload|

    request = payload[:request] throttle_name = request.env["rack.attack.matched"] # Removes the discriminator suffix (e.g. "/signup_ip", "/subdomain", "/ip", etc) rule_name = throttle_name.sub(%r{/\w+\z}, "").to_sym rule = ThrottlingRule::RULES.find { |name, _| name == rule_name } next unless rule rule_config = rule.second throttling_rule = ThrottlingRule.new(request, rule_config) notes = "Throttled by rule #{rule_name}" discriminators = rule_config[:throttle_discriminator] discriminators.each.with_index do |discriminator, index| flag_discriminator_as_suspicious(discriminator, throttling_rule, notes) end end

85. Business logic abuse ActiveSupport::Notifications.subscribe("throttle.rack_attack") do |_, _, _, _, payload|

    request = payload[:request] throttle_name = request.env["rack.attack.matched"] # Removes the discriminator suffix (e.g. "/signup_ip", "/subdomain", "/ip", etc) rule_name = throttle_name.sub(%r{/\w+\z}, "").to_sym rule = ThrottlingRule::RULES.find { |name, _| name == rule_name } next unless rule rule_config = rule.second throttling_rule = ThrottlingRule.new(request, rule_config) notes = "Throttled by rule #{rule_name}" discriminators = rule_config[:throttle_discriminator] discriminators.each.with_index do |discriminator, index| flag_discriminator_as_suspicious(discriminator, throttling_rule, notes) end end

86. ActiveSupport::Notifications.subscribe("throttle.rack_attack") do |_, _, _, _, payload| request = payload[:request]

    throttle_name = request.env["rack.attack.matched"] # Removes the discriminator suffix (e.g. "/signup_ip", "/subdomain", "/ip", etc) rule_name = throttle_name.sub(%r{/\w+\z}, "").to_sym rule = ThrottlingRule::RULES.find { |name, _| name == rule_name } next unless rule rule_config = rule.second throttling_rule = ThrottlingRule.new(request, rule_config) notes = "Throttled by rule #{rule_name}" discriminators = rule_config[:throttle_discriminator] discriminators.each.with_index do |discriminator, index| flag_discriminator_as_suspicious(discriminator, throttling_rule, notes) end end Business logic abuse

87. Business logic abuse ThrottlingRule::RULES.each do |rule_name, rule| rule[:throttle_discriminator].each do |disc|

    name = "#{rule_name}/#{disc}" limit = proc { |request| ThrottlingRule.new(request, rule).limit(disc) } Rack::Attack.throttle(name, limit: limit, period: rule[:period]) do |request| conditions = ThrottlingRule.new(request, rule) if conditions.run conditions.get_discriminator(disc) end end end end

88. Business logic abuse # lib/throttling_rule.rb def limit(discriminator) level = level_for_discriminator(discriminator)

    case level when SUSPICIOUS_LEVEL limit / 2 when MALICIOUS_LEVEL 0 else limit end end

89. Business logic abuse # lib/throttling_rule.rb def limit(discriminator) level = level_for_discriminator(discriminator)

    case level when SUSPICIOUS_LEVEL limit / 2 when MALICIOUS_LEVEL 0 else limit end end

90. Business logic abuse # lib/throttling_rule.rb def limit(discriminator) level = level_for_discriminator(discriminator)

    case level when SUSPICIOUS_LEVEL limit / 2 when MALICIOUS_LEVEL 0 else limit end end
91. None

92. Business logic abuse

93. Business logic abuse

94. Stolen card testing 💳

95. Stolen card testing # "charge.failed", "charge.succeeded" Stripe events charge =

    event.data.charge note = "Stripe #{charge.outcome.type} with risk score = #{charge.outcome.risk_score.to_i}” case charge.outcome.type when "blocked" company.flag_as_malicious(notes: note) when "manual_review" company.flag_as_suspicious(notes: note) end

96. Stolen card testing # "charge.failed", "charge.succeeded" Stripe events charge =

    event.data.charge note = "Stripe #{charge.outcome.type} with risk score = #{charge.outcome.risk_score.to_i}” case charge.outcome.type when "blocked" company.flag_as_malicious(notes: note) when "manual_review" company.flag_as_suspicious(notes: note) end

97. Stolen card testing # "charge.failed", "charge.succeeded" Stripe events charge =

    event.data.charge note = "Stripe #{charge.outcome.type} with risk score = #{charge.outcome.risk_score.to_i}” case charge.outcome.type when "blocked" company.flag_as_malicious(notes: note) when "manual_review" company.flag_as_suspicious(notes: note) end

98. Stolen card testing # "charge.failed", "charge.succeeded" Stripe events charge =

    event.data.charge note = "Stripe #{charge.outcome.type} with risk score = #{charge.outcome.risk_score.to_i}” case charge.outcome.type when "blocked" company.flag_as_malicious(notes: note) when "manual_review" company.flag_as_suspicious(notes: note) end

99. Stolen card testing # "charge.failed", "charge.succeeded" Stripe events charge =

    event.data.charge note = "Stripe #{charge.outcome.type} with risk score = #{charge.outcome.risk_score.to_i}” case charge.outcome.type when "blocked" company.flag_as_malicious(notes: note) when "manual_review" company.flag_as_suspicious(notes: note) end

100. Distributed Denial of Service 🙅

101. None

102. THANK YOU 🥰 Any questions? Wanna share experiences? Find me

     around! 🔗 https://julialopez.dev