        nil
        authenticate_user!
      else
        key = ApiKey.find_by_token(token)
        if key != nil and key.worker == true
          return true
        else
          puts "Invalid token"
          return false
        end
      end
    end

In command controller:

    before_filter :authenticate_user!, :except => [:show]

In show method:

    worker = restrict_access_by_token_to_worker

Tuesday, December 4, 12
on variable input that is passed down to a command line call.
• Most easily demonstrated like so…
• http://example.com/page.php?id=123;ifconfig
by casting the parameter to an expected value. For example, change this:

    Post.where(:id => params[:id]).all

to this:

    Post.where(:id => params[:id].to_s).all

CVE-2012-2661
    HERE
      user.reset_password!
    end

Workarounds
-----------

This problem can be mitigated by testing for `[nil]`. For example:

    unless params[:token].nil? || params[:token] == [nil]
      user = User.find_by_token(params[:token])
      user.reset_password!
    end

Another possible workaround is to cast to a known type and test against that type.

    unless params[:token].to_s.empty?
      user = User.find_by_token(params[:token])
      user.reset_password!
    end

CVE-2012-2660
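The following is an added example, not code from the slides or from the Rails advisory, showing why the CVE-2012-2660 workarounds reject `[nil]` or cast the parameter to a String before it reaches the query. `USERS`, `find_by_token_unsafe` and the two `reset_password_*` flows are constructed stand-ins for the `User` model and the slide's reset code; the parameter values mirror what the Rack query parser produces for `?token=abc123`, a missing token, `?token[]=` and `?token[x]=y`.

```ruby
# Added example (not code from the slides or the Rails advisory).
# Constructed stand-in for the users table; user 2 never received a token.
USERS = [
  { id: 1, token: "abc123" },
  { id: 2, token: nil },
].freeze

# Stand-in for User.find_by_token. As the advisory describes, a nil or
# [nil] value ends up as `WHERE token IS NULL`, so it matches user 2.
def find_by_token_unsafe(value)
  value = nil if value == [nil]
  USERS.find { |u| u[:token] == value }
end

# Workaround 1: test explicitly for nil and for [nil].
def token_present?(value)
  !(value.nil? || value == [nil])
end

# Workaround 2: cast to the expected type (String) and test that type.
# nil and "" become nil; [nil] and {"x"=>"y"} become harmless literal
# strings that match no real token.
def coerce_token(value)
  str = value.to_s
  str.empty? ? nil : str
end

# Flow from the slide: only checks .nil?, so [nil] slips through and the
# query matches whichever user has no token set.
def reset_password_vulnerable(params)
  return :rejected if params[:token].nil?
  user = find_by_token_unsafe(params[:token])
  user ? [:reset, user[:id]] : :not_found
end

# Hardened flow using workaround 2: the query only ever sees a non-empty
# String, never nil, an Array or a Hash.
def reset_password_hardened(params)
  token = coerce_token(params[:token])
  return :rejected if token.nil?
  user = find_by_token_unsafe(token)
  user ? [:reset, user[:id]] : :not_found
end
```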
    respond_to do |format|
      format.html { redirect_to service_requests_url }
      format.json { head :no_content }
    end
  end

  def show
    @service_request = ServiceRequest.find(params[:id])
    respond_to do |format|
      format.html # show.html.erb
      format.json { render json: @service_request }
    end
  end
    respond_to do |format|
      format.html { redirect_to service_requests_url }
      format.json { head :no_content }
    end
  end

  def show
    @service_request = ServiceRequest.find(params[:id])
    respond_to do |format|
      if (user_can_access_service_request(@service_request))
        format.html # show.html.erb
        format.json { render json: @service_request }
      else
        @service_request = ServiceRequest.new
        @service_request.errors.add(:base, "You do not have access to this object.")
        flash[:error] = "Unable to access specified instance."
        format.html { render action: "new" }
        format.json { render json: @service_request.errors, status: :unprocessable_entity }
      end
    end
  end
A hacker convinces a user to click a link, and JavaScript is executed in the target browser.
• Most easily demonstrated like so…
• http://example.com/page?id=<script>alert('xss')</script>
Quantum: Story
• Static Analysis
• Code Review
• Pen Test
• Architecture
• Security Requirements
• Security in the Story
• Threat Model
• Security Training
• Scanners
• Change Mgmt
• More ...