Web Security Basics (in Rails)

Andy Lindeman

May 08, 2014

Transcript

  1. class PasswordResetsController < ApplicationController
       # POST /password_resets/reset
       def reset
         # params[:token] is used exactly as the client sent it. When the request
         # omits it, find_by_token(nil) queries WHERE token IS NULL, which matches
         # any user who has no reset pending.
         if user = User.find_by_token(params[:token])
           user.password = params[:password]
           user.save
         else
           render status: 404
         end
       end
     end
  2. class PasswordResetsController < ApplicationController
       def reset
         if user = User.find_by_token(params[:token])
           user.password = params[:password]
           user.save
         else
           render status: 404
         end
       end
     end
  3. class PasswordResetsController < ApplicationController
       # POST /password_resets/reset
       def reset
         # Reject a missing or blank token, and coerce it to a String so that a
         # nested parameter (token[]=..., token[a]=b) cannot change the query.
         if params[:token].present? && user = User.find_by_token(params[:token].to_s)
           user.password = params[:password]
           user.save
         else
           render status: 404
         end
       end
     end
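
The lookup from slides 1 and 3, run side by side. This is an added example, not code from the deck: the User struct, seed_users and the in-memory find_by_token helper are stand-ins for the users table and ActiveRecord's dynamic finder (which renders a nil argument as WHERE token IS NULL). The hardened version goes one step past slide 3 by accepting only a String and by clearing the token once it has been used; both are assumptions of this example.

```ruby
# Constructed stand-in for the users table behind User.find_by_token.
# A NULL token is the normal state for any user with no reset pending.
User = Struct.new(:id, :email, :token, :password)

def seed_users
  [
    User.new(1, "admin@example.com", nil,      "old-admin-pw"),
    User.new(2, "alice@example.com", "3f1c9e", "old-alice-pw"),
  ]
end

# Mimics the dynamic finder: find_by_token(nil) becomes WHERE token IS NULL,
# so a nil argument matches a nil column here as well.
def find_by_token(users, value)
  users.find { |u| u.token == value }
end

# Slide 1: whatever arrived in params[:token] is passed straight to the finder.
def reset_vulnerable(users, params)
  if user = find_by_token(users, params[:token])
    user.password = params[:password]
    [:reset, user.email]
  else
    :not_found
  end
end

# Slide 3, with two additions (assumptions of this example): only a String is
# accepted at all, since Rack's nested syntax (token[]=x) delivers an Array,
# and the token is cleared after use so one link cannot reset twice.
def reset_hardened(users, params)
  token = params[:token]
  return :not_found unless token.is_a?(String) && !token.strip.empty?
  user = find_by_token(users, token)
  return :not_found unless user
  user.password = params[:password]
  user.token = nil
  [:reset, user.email]
end
```

A request with no token at all is the interesting case: reset_vulnerable(seed_users, { password: "pwned" }) resets the first user whose token column is NULL, here the admin, while reset_hardened returns :not_found for the same input.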
  4. But what about?
     <form id="lol" method="post" action="https://example.com/comments">
       <input type="hidden" name="comment[body]" value="lol">
     </form>
     <script>document.getElementById("lol").submit();</script>
  5. NOPE
     class ApplicationController < ActionController::Base
       # Prevent CSRF attacks by raising an exception.
       # For APIs, you may want to use :null_session instead.
       protect_from_forgery with: :exception
     end
  6. <%= form_for @user do |f| %>
       <%# form_for adds the hidden authenticity_token field that protect_from_forgery checks %>
       <%= f.label :username %>
       <%= f.text_field :username %>

       <%= f.label :password %>
       <%= f.password_field :password %>
     <% end %>
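
How the check behind slides 4 to 6 plays out, as an added example rather than Rails' own code. The session is a plain Hash, csrf_token and hidden_token_field stand in for the session store and form_for's hidden field, and verify_authenticity! is a model of protect_from_forgery with both strategies the generator comment mentions. The attacker's page can make the victim's browser send the session cookie, but it cannot read the token out of the victim's session, so its form arrives without one.

```ruby
require "securerandom"

class InvalidAuthenticityToken < StandardError; end

SAFE_METHODS = %w[GET HEAD].freeze

# Per-session secret, created on first use and kept server-side (the session
# store in Rails). A page on another origin cannot read it.
def csrf_token(session)
  session[:_csrf_token] ||= SecureRandom.urlsafe_base64(32)
end

# The hidden field that form_for / form_tag put into every form they render.
def hidden_token_field(session)
  %(<input type="hidden" name="authenticity_token" value="#{csrf_token(session)}">)
end

# Constant-time comparison so a wrong token fails in the same time as any other.
def secure_equal?(expected, given)
  return false unless expected.is_a?(String) && given.is_a?(String)
  return false unless expected.bytesize == given.bytesize
  expected.bytes.zip(given.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Model of protect_from_forgery: safe methods pass, anything else must carry the
# session's token in the form body or the X-CSRF-Token header. strategy is
# :exception (raise, the generator's default) or :null_session (serve the
# request as if no session existed).
def verify_authenticity!(session, method, params, headers, strategy: :exception)
  return :verified if SAFE_METHODS.include?(method)
  given = params["authenticity_token"] || headers["X-CSRF-Token"]
  return :verified if secure_equal?(session[:_csrf_token], given)
  case strategy
  when :exception
    raise InvalidAuthenticityToken, "#{method} without a valid authenticity_token"
  when :null_session
    session.clear
    :null_session
  else
    raise ArgumentError, "unknown strategy #{strategy.inspect}"
  end
end

# Slide 4's auto-submitting form, as the parsed body (constructed): the browser
# attached the victim's cookie, but the attacker never saw the token.
ATTACKER_POST = { "comment" => { "body" => "lol" } }.freeze

def attacker_request(session, strategy: :exception)
  verify_authenticity!(session, "POST", ATTACKER_POST, {}, strategy: strategy)
end

# A form the application itself rendered on an earlier GET carries the token.
def legitimate_request(session)
  params = { "comment" => { "body" => "hi" }, "authenticity_token" => csrf_token(session) }
  verify_authenticity!(session, "POST", params, {})
end
```

One simplification to be aware of: since Rails 4.2 the value written into the form is a per-response masked form of the session token rather than the raw value, so two renders of the same form show different strings; the check above compares the raw session token for clarity.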
  7. class UsersController < ApplicationController
       def create
         @user = User.create(user_params)
         redirect_to root_url, notice: "Thanks for signing up!"
       end

       private

       # permit! passes through every attribute the client sent, not only the form's fields
       def user_params
         params.require(:user).permit!
       end
     end
  8. Malicious Users Aren't Limited By Form Fields
     • Malicious users can add extra form fields, either by editing the HTML page in their browser or by submitting requests via other tools
     • Consider a malicious user who adds, by hand:
       <input type="hidden" name="user[admin]" value="1">
  9. class UsersController < ApplicationController
       def create
         @user = User.create(user_params)
         redirect_to root_url, notice: "Thanks for signing up!"
       end

       private

       # only username and password reach User.create; user[admin] is dropped
       def user_params
         params.require(:user).permit(:username, :password)
       end
     end
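
The request from slide 8 run through the two user_params methods of slides 7 and 9. This is an added example, not Rails' code: require_param and permit are a small model of ActionController::Parameters#require and #permit (scalars by name, nested hashes as { key => [names] }), and SIGNUP_REQUEST is the constructed params hash for a signup form to which the client added user[admin]=1.

```ruby
class ParameterMissing < StandardError; end

# The request from slide 8 as a parsed params hash (constructed): the form only
# offered username and password, the client added admin on its own.
SIGNUP_REQUEST = {
  "user" => { "username" => "mallory", "password" => "hunter2", "admin" => "1" },
}.freeze

# Model of params.require(:user): the key must exist and must not be empty.
def require_param(params, key)
  value = params[key.to_s]
  if value.nil? || (value.respond_to?(:empty?) && value.empty?)
    raise ParameterMissing, "param is missing or the value is empty: #{key}"
  end
  value
end

def scalar?(value)
  case value
  when String, Integer, Float, true, false, nil then true
  else false
  end
end

# permit!: the attacker's extra keys go straight on to User.create.
def permit_all(attrs)
  attrs.dup
end

# permit(*filters): a Symbol/String keeps one scalar attribute by name; a Hash
# such as { profile: [:bio] } keeps only the listed keys of a nested hash.
# Anything not named, and any value of an unexpected shape, is dropped.
def permit(attrs, *filters)
  filters.each_with_object({}) do |filter, out|
    case filter
    when Symbol, String
      key = filter.to_s
      out[key] = attrs[key] if attrs.key?(key) && scalar?(attrs[key])
    when Hash
      filter.each do |key, subfilters|
        key = key.to_s
        out[key] = permit(attrs[key], *subfilters) if attrs[key].is_a?(Hash)
      end
    end
  end
end

# Slide 7
def user_params_vulnerable(params)
  permit_all(require_param(params, :user))
end

# Slide 9
def user_params(params)
  permit(require_param(params, :user), :username, :password)
end
```

With SIGNUP_REQUEST, user_params_vulnerable hands "admin" => "1" to the model, user_params returns only username and password, and a request without a user hash raises ParameterMissing before any model code runs.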
  10. class GraphsController < ApplicationController
        # requests.html.erb
        def requests
        end

        # mysql.html.erb
        def mysql
        end

        # exceptions.html.erb
        def exceptions
        end
      end
  11. A Common Refactor
      class GraphsController < ApplicationController
        # GET /graphs?name=requests
        # GET /graphs?name=mysql
        # GET /graphs?name=exceptions
        def index
          # the client now chooses which template gets rendered
          render params[:name]
        end
      end
  12. Security Folks <3 Whitelists
      class GraphsController < ApplicationController
        ValidGraphs = ["requests", "mysql", "exceptions"]

        def index
          # only a name from the list reaches render; anything else is a 404
          if ValidGraphs.include?(params[:name])
            render params[:name]
          else
            render status: 404
          end
        end
      end