Fortify Rails Webinar

In a joint webinar with CTO of FastRuby.io, Ernesto Tagwerker, and Founder of Expedited Security's Mike Buckbee, learn how to build airtight security in your Rails application by exposing vulnerabilities before deployment to production.

What we talked about:

✅ Common issues when writing Rails/ActiveRecord code that could be a potential attack vector
✅ Tools that you can use today to check what code and dependencies in your app could be exploited
✅ How an attacker would exploit one of your endpoints
✅ A case study on common threats and how to alleviate them
✅ Introduction to Wafris, an open source service to block attackers and dark traffic to your application

FastRuby.io's Ruby on Rails Security Audit

Ernesto Tagwerker

June 12, 2023

Transcript

  1. Fortify Rails: Defending Your Ruby on Rails Applications from Bad Actors
    FastRuby.io & Wafris.org
    Rails Security Webinar, June 2023

  2. Founder & CTO, @FastRubyIO

  3-6. 🇦🇷 Hi, I’m from Argentina
    🦅 I live in Philadelphia
    👨💻 I love Ruby & Open Source!
    🤓 My pronouns are he/him

  7-10. FastRuby.io

    1. Ruby/Rails Upgrade Services
    2. Fixed-cost, Monthly Maintenance Services
    3. Ruby/Rails Performance Optimization
    4. Ruby/Rails Security Audits

  11. I ❤ Ruby & Rails

  12-15. Rails ❤

    1. Convention over Configuration
    2. Development Speed
    3. Security Goodies

  16-20. Native Rails Security Countermeasures

    1. Cross-Site Scripting (XSS)
    2. SQL Injection
    3. CSRF
    4. Content-Security-Policy Header
    5. Encrypted Credentials
    6. Unsafe Query Generation
    7. CSS Injection
    8. Session Hijacking
    9. ...

  21. Rails Security Policy

  22. Ruby / Rails Security Risks

  23-25. Attack Vectors

    1. Vulnerable dependencies
    2. Exploitable application code

  26-27. Vulnerable Dependencies

  28. Vulnerable Dependencies

    bundle update rails
    git commit -m "Patched version of Rails."
    git push production master

  29. Vulnerable Dependencies

    $ gem install bundler-stats
    $ bundle-stats
    .. .. .. .. .. .. .. .. ..
    | pg          | 0 | 0 |
    | spring      | 0 | 0 |
    | stripe      | 0 | 0 |
    | timecop     | 0 | 0 |
    | tzinfo-data | 0 | 0 |
    +------------------------------------|------------|----------------+
    Declared Gems      62
    Total Gems        218
    Unpinned Versions  39
    Github Refs         3

  30. bundler-audit

  31. Vulnerable Dependencies

    $ gem install bundler-audit
    $ bundle-audit
    No vulnerabilities found

  32. Vulnerable Dependencies

  33. For patch versions (e.g. 1.0.X):

    - Dependabot
    - Depfu

  34. For minor/major versions (e.g. A.B.0):

    Fixed-cost Monthly Maintenance by FastRuby.io

  35. Attack Vectors

    1. Vulnerable dependencies
    2. Exploitable application code

  36. Exploitable Code

    1. Poorly scoped queries
    2. SQL-injectable code
    3. Poorly filtered parameters
    4. Too many un-rescued exceptions
    5. Etc…

  37-39. Sharp knives:

    - Ruby (e.g. monkey patches)
    - ActiveRecord
      - N+1 Performance Issues
      - Slow queries
      - SQL-injection, and more…

  40. ActiveRecord

    def find_estimate
      @estimate = Estimate.where(story_id: params[:story_id]).find(params[:id])
    end

  41. GET /stories/2/estimates/235/edit

  42. ActiveRecord

    def find_estimate
      @estimate = current_user.estimates.where(story_id: params[:story_id]).find(params[:id])
    end
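
The scoping change between slides 40 and 42, as an added example that is not part of the deck: a plain-Ruby stand-in for the relation API (the `Estimate` and `User` structs, the in-memory rows and the `Relation` class are all constructed here, not Rails code) shows that the query scoped only by story lets a signed-in user load another user's estimate by changing the id in the URL, while the `current_user.estimates` scope turns the same request into `RecordNotFound`.

```ruby
# Added example, not from the deck: in-memory stand-in for ActiveRecord so
# the slide-40 and slide-42 versions of find_estimate can be run side by
# side. Estimate, User, Relation and the sample rows are all constructed.
class RecordNotFound < StandardError; end

Estimate = Struct.new(:id, :story_id, :user_id)

# Constructed sample data: two users each own one estimate on story 2.
ESTIMATES = [
  Estimate.new(235, 2, 1), # belongs to user 1
  Estimate.new(236, 2, 7), # belongs to user 7
].freeze

# Minimal imitation of the relation methods used on the slides.
class Relation
  def initialize(rows)
    @rows = rows
  end

  # Hash conditions: values arrive as strings from params, so cast them to
  # the column type before comparing (ActiveRecord does the same).
  def where(conditions)
    Relation.new(@rows.select { |row| conditions.all? { |col, val| row[col] == val.to_i } })
  end

  # Like ActiveRecord's find: raises when the id is not in the relation.
  def find(id)
    @rows.find { |row| row.id == id.to_i } ||
      raise(RecordNotFound, "Couldn't find Estimate with id=#{id}")
  end
end

User = Struct.new(:id) do
  # Stand-in for a `has_many :estimates` association.
  def estimates
    Relation.new(ESTIMATES.select { |e| e.user_id == id })
  end
end

# Slide 40: the query is only scoped by story, so any signed-in user can
# load (and then edit) any estimate by changing the id in the URL.
def find_estimate_unscoped(params)
  Relation.new(ESTIMATES).where(story_id: params[:story_id]).find(params[:id])
end

# Slide 42: scoped through current_user, so an id that belongs to another
# user raises RecordNotFound, which Rails renders as a 404.
def find_estimate_scoped(current_user, params)
  current_user.estimates.where(story_id: params[:story_id]).find(params[:id])
end
```

Calling `find_estimate_unscoped(story_id: "2", id: "236")` as user 1 returns user 7's estimate; `find_estimate_scoped(User.new(1), story_id: "2", id: "236")` raises, because the scope is applied before `find` ever sees the id.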

  43. ActiveRecord

    def find_estimate
      @estimate = current_user.estimates.where("story_id = '#{params[:story_id]}'").find(params[:id])
    end

  44. GET /stories/`1'; DROP TABLE users; --`/estimates/123/edit

  45. ActiveRecord

    def find_estimate
      @estimate = current_user.estimates.where(story_id: params[:story_id]).find(params[:id])
    end
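
The string-interpolated `where` from slide 43 next to the two forms that neutralise the slide-44 payload, as an added example that is not from the deck. There is no database behind it: each function returns the SQL text that would be sent, `quote_string` is a stand-in for standard-SQL literal quoting rather than the Rails method, and `escaped_from_literal?` is a constructed check that strips string literals and inspects what is left.

```ruby
# Added example, not from the deck: the SQL text produced by the
# interpolated where() from slide 43 next to what ActiveRecord's quoted
# and hash forms send. No database is involved; quote_string is a
# reimplementation of the standard-SQL rule, not the Rails method.

# Standard-SQL string literal quoting: double every single quote inside
# the value and wrap it in quotes. Database adapters add their own rules
# on top (e.g. backslash handling), but this is the core of what
# where("story_id = ?", value) does with a string value.
def quote_string(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Slide 43: the raw parameter becomes part of the SQL grammar. A value
# containing a quote closes the literal and the rest is parsed as SQL.
def where_interpolated(story_id)
  "SELECT * FROM estimates WHERE story_id = '#{story_id}'"
end

# where("story_id = ?", story_id): the value is quoted, so the quote in
# the payload is doubled and the whole thing stays one string literal.
def where_bound(story_id)
  "SELECT * FROM estimates WHERE story_id = #{quote_string(story_id)}"
end

# Slide 45, where(story_id: story_id): ActiveRecord first casts the value
# to the column type (modelled with to_i for an integer column), so no
# quote characters survive into the query at all.
def where_hash(story_id)
  "SELECT * FROM estimates WHERE story_id = #{story_id.to_s.to_i}"
end

# Constructed review check: replace every string literal (honouring
# doubled quotes) with a placeholder, then look for a statement separator
# or comment marker in what remains. If either survives, input has left
# the literal it was supposed to stay inside.
def escaped_from_literal?(sql)
  outside = sql.gsub(/'(?:[^']|'')*'/, "?")
  outside.include?(";") || outside.include?("--")
end
```

With the slide-44 value, `where_interpolated` yields `... story_id = '1'; DROP TABLE users; --'` (two statements plus a comment), `where_bound` yields `... story_id = '1''; DROP TABLE users; --'` (one harmless literal), and `where_hash` yields `... story_id = 1`. Brakeman's SQL check on slide 48 flags exactly the first shape.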

  46. Dozens of known Rails idioms are exploitable

  47. ActiveRecord

    def find_estimate
      @estimate = current_user.estimates.where("story_id = '#{params[:story_id]}'").find(params[:id])
    end

  48. Brakeman

    $ gem install brakeman
    $ brakeman
    .. .. .. .. .. .. ..
    == Warnings ==
    Confidence: Medium
    Category: SQL Injection
    Check: SQL
    Message: Possible SQL injection
    Code: current_user.estimates.where("story_id = '#{params[:story_id]}'")
    File: app/controllers/estimates_controller.rb
    Line: 64

  49. Brakeman

    $ gem install brakeman
    $ brakeman
    .. .. .. .. .. .. ..
    == Brakeman Report ==
    Application Path: /Users/etagwerker/Projects/fastruby/points
    Rails Version: 7.0.4.3
    Brakeman Version: 6.0.0
    Scan Date: 2023-06-09 09:47:32 -0400
    Duration: 0.961275 seconds
    Checks Run: BasicAuth, BasicAuthTimingAttack, CSRFTokenForgeryCVE, ContentTag, CookieSerialization,
    CreateWith, CrossSiteScripting, DefaultRoutes, Deserialize, DetailedExceptions, DigestDoS, DynamicFinders,
    EOLRails, EOLRuby, EscapeFunction, Evaluation, Execute, FileAccess, FileDisclosure, FilterSkipping,
    ForgerySetting, HeaderDoS, I18nXSS, JRubyXML, JSONEncoding, JSONEntityEscape, JSONParsing, LinkTo,
    LinkToHref, MailTo, MassAssignment, MimeTypeDoS, ModelAttrAccessible, ModelAttributes, ModelSerialize,
    NestedAttributes, NestedAttributesBypass, NumberToCurrency, PageCachingCVE, Pathname, PermitAttributes,
    QuoteTableName, Redirect, RegexDoS, Render, RenderDoS, RenderInline, ResponseSplitting, RouteDoS, SQL,
    SQLCVEs, SSLVerify, SafeBufferManipulation, SanitizeConfigCve, SanitizeMethods, SelectTag,
    SelectVulnerability, Send, SendFile, SessionManipulation, SessionSettings, SimpleFormat, SingleQuotes,
    SkipBeforeFilter, SprocketsPathTraversal, StripTags, SymbolDoSCVE, TemplateInjection, TranslateBug,
    UnsafeReflection, UnsafeReflectionMethods, ValidationRegex, VerbConfusion, WeakRSAKey, WithoutProtection,
    XMLDoS, YAMLParsing

  50. Brakeman

    1. Static code analysis
    2. Dozens of checks
    3. Some false positives

  51. Attack Vectors

    1. Vulnerable dependencies
    2. Exploitable application code

  52-54. Rails Security Audit by FastRuby.io

    FastRuby.IO/security-audit
    👉 Email: [email protected]

  55-57. TL;DR

    1. Use `bundler-audit`
    2. Use `brakeman`
    3. Don’t just use them, add them to your development workflow (e.g. CI)

  58. Resources

    1. https://guides.rubyonrails.org/security.html
    2. https://rubyonrails.org/security
    3. https://rubysec.com/
    4. https://brakemanscanner.org/
    5. https://www.fastruby.io/newsletter
    6. https://www.fastruby.io/blog/rails/security/ruby-security-toolkit.html
    7. https://www.fastruby.io/security-audit
    8. https://audit.fastruby.io/
    9. https://bundler.io/v2.4/man/bundle-outdated.1.html