Web Application Security in Rails

Uri Nativ
November 12, 2012

#railsisrael 2012 lecture on web application security in rails


Transcript

  1. Bob

  2. XSS
    The Attack: Execute arbitrary code / defacement. JSON is not escaped by default. CSS can be injected as well.
    Countermeasures: Never trust data from the users. Use Markdown (e.g. Redcarpet gem).
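An added example (plain Ruby, not code from the deck) for the "JSON is not escaped by default" point on the slide above. The sample comment, the helper names unsafe_json, html_safe_json and render_comment_html are assumptions made for this illustration; the escaping rule is the same idea as Rails' escape_html_entities_in_json option.

```ruby
require "json"
require "cgi"

# Constructed sample comment carrying a script-closing payload (not from the deck).
UNSAFE_COMMENT = {
  "author" => "Bob",
  "body"   => "</script><script>alert(1)</script>"
}.freeze

# Plain to_json leaves <, > and & alone. That is the "JSON is not escaped by
# default" problem: dropped into a <script> block, the body string ends the
# script and starts a new one.
def unsafe_json(obj)
  obj.to_json
end

# \u-escape the three characters an HTML parser cares about. The result is
# still valid JSON and parses back to the same data, but it can no longer
# close or open a <script> tag.
JSON_HTML_ESCAPES = { "<" => "\\u003c", ">" => "\\u003e", "&" => "\\u0026" }.freeze

def html_safe_json(obj)
  obj.to_json.gsub(/[<>&]/) { |c| JSON_HTML_ESCAPES[c] }
end

# For HTML output the same rule applies: escape user data, never trust it.
def render_comment_html(comment)
  author = CGI.escapeHTML(comment["author"])
  body   = CGI.escapeHTML(comment["body"])
  "<p><b>#{author}</b>: #{body}</p>"
end

if __FILE__ == $PROGRAM_NAME
  puts unsafe_json(UNSAFE_COMMENT)      # payload survives intact
  puts html_safe_json(UNSAFE_COMMENT)   # \u003c/script\u003e ...
  puts render_comment_html(UNSAFE_COMMENT)
end
```

The escaped JSON round-trips through JSON.parse unchanged, so nothing is lost on the client; only the ability to break out of the surrounding HTML is removed.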
  3. CSRF
    www.blog.com → "Click here for free iPad" → www.freeiPad.com
    <form name="evilform" action="www.blog.com/…."> … <script> document.evilform.submit() </script>
  4. CSRF
    The Attack: The attacker sends requests on the victim's behalf. Doesn't depend on XSS. The attacker doesn't need to be logged in.
    Countermeasures: Use Rails CSRF default protection (do not override it). Use GET for queries. Use POST/DELETE/… when updating data. Add a sign-out link.
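An added example (not code from the deck or from Rails) showing why the countermeasures on slide 4 work together: a per-session token that only state-changing requests must present, and GET treated as read-only. The helper names csrf_token_for, verified_request?, hidden_token_field and the session/params hashes are assumptions for this illustration.

```ruby
require "securerandom"

# Read-only verbs are never checked; this is why "use GET for queries" matters:
# a GET that changes data would bypass the token check entirely.
SAFE_METHODS = %w[GET HEAD OPTIONS TRACE].freeze

# One random token per session, created on first use (hypothetical helper).
def csrf_token_for(session)
  session[:_csrf_token] ||= SecureRandom.urlsafe_base64(32)
end

# Constant-time comparison so the token cannot be guessed byte by byte
# through timing differences.
def secure_compare(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# The check a controller runs before acting on a request.
def verified_request?(method, session, params)
  return true if SAFE_METHODS.include?(method.upcase)
  expected = session[:_csrf_token]
  return false if expected.nil?
  secure_compare(expected, params["authenticity_token"])
end

# Rendered into every form the site itself serves.
def hidden_token_field(session)
  %(<input type="hidden" name="authenticity_token" value="#{csrf_token_for(session)}">)
end

if __FILE__ == $PROGRAM_NAME
  session = {}
  # Constructed: the evilform from slide 3 posts to www.blog.com from another
  # origin, so it cannot contain the token that lives in the victim's session.
  cross_site_post = { "title" => "Free iPad!" }
  puts verified_request?("POST", session, cross_site_post) # false
  legit_post = { "authenticity_token" => csrf_token_for(session), "title" => "Hello" }
  puts verified_request?("POST", session, legit_post)      # true
end
```

The sign-out link on the slide is the complement to this: a victim with no live session has no token to be abused, so the forged request fails at the first check.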
  5. Mass Assignment
    The Attack: Unprotected by default :(
    Countermeasures: Whitelist. Blacklist. Strong Parameters (whitelist): in Rails 4 the logic moved to the controller; available as a gem.
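An added example (plain Ruby, not the strong_parameters gem or the deck's code) contrasting the two countermeasures on slide 5. The User class, the tampered request parameters and the helpers permit, permit!, reject_blacklisted and user_params are assumptions made for this illustration.

```ruby
# Constructed request: the form sends name and email, but the attacker edited
# the HTML and added admin and role fields.
TAMPERED_PARAMS = {
  "user" => {
    "name"  => "Bob",
    "email" => "bob@example.com",
    "admin" => "true",
    "role"  => "superuser"
  }
}.freeze

class ForbiddenAttributes < StandardError; end

# Model with unprotected mass assignment: every key becomes a setter call.
class User
  attr_accessor :name, :email, :admin, :role

  def initialize(attrs = {})
    attrs.each { |k, v| public_send("#{k}=", v) }
  end
end

# Whitelist: keep only what the controller expects, drop the rest silently.
def permit(attrs, allowed)
  attrs.select { |k, _| allowed.include?(k) }
end

# Strict variant for development/test: fail loudly on any unexpected key so
# form tampering is noticed instead of quietly discarded.
def permit!(attrs, allowed)
  extra = attrs.keys - allowed
  raise ForbiddenAttributes, "unpermitted: #{extra.join(', ')}" unless extra.empty?
  attrs
end

# Blacklist, for contrast: only the keys someone thought of are removed, so a
# field nobody listed (role here) still reaches the model.
def reject_blacklisted(attrs, denied)
  attrs.reject { |k, _| denied.include?(k) }
end

# What a controller would call before User.new / update_attributes.
def user_params(params)
  permit(params.fetch("user", {}), %w[name email])
end

if __FILE__ == $PROGRAM_NAME
  p User.new(TAMPERED_PARAMS["user"]).admin                      # "true"
  p User.new(user_params(TAMPERED_PARAMS)).admin                  # nil
  p User.new(reject_blacklisted(TAMPERED_PARAMS["user"], %w[admin])).role # "superuser"
end
```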
  6. CVE-2012-2661 SQL Injection
    User.where( :id => params[:user_id], :reset_token => params[:token] )
    SELECT users.* FROM users WHERE users.id = 6 AND users.reset_token = 'XYZ' LIMIT 1
  7. CVE-2012-2661 SQL Injection
    /users/6/password/edit?token[]
    SELECT users.* FROM users WHERE users.id = 6 AND users.reset_token IS NULL LIMIT 1
  8. CVE-2012-2661 SQL Injection
    The Attack: SQL Injection - Affected version: Rails < 3.2.4
    Countermeasures: Upgrade to Rails 3.2.4 or higher
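An added example (not ActiveRecord code and not from the deck) that reproduces the query generation shown on slides 6 and 7 in a tiny stand-in builder, then adds the application-level check that complements the upgrade on slide 8: a reset token must be a non-empty string before any query is built. The builder where_sql, the helpers find_by_reset_token_unsafe, find_by_reset_token_safe and require_scalar!, and the parsed parameter hashes are assumptions for this illustration; the tampered hash is the parsed form of ?token[] as slide 7 describes it.

```ruby
class UnsafeQueryValue < StandardError; end

# Minimal stand-in for where(hash) → SQL rendering, written only to show the
# behaviour on the slides: nil becomes IS NULL, arrays become IN (...).
def quote(v)
  case v
  when nil     then "NULL"
  when Integer then v.to_s
  else "'#{v.to_s.gsub("'", "''")}'"
  end
end

def where_sql(table, conditions)
  clauses = conditions.map do |col, val|
    case val
    when nil   then "#{table}.#{col} IS NULL"
    when Array then "#{table}.#{col} IN (#{val.map { |x| quote(x) }.join(', ')})"
    else            "#{table}.#{col} = #{quote(val)}"
    end
  end
  "SELECT #{table}.* FROM #{table} WHERE #{clauses.join(' AND ')} LIMIT 1"
end

# Vulnerable lookup from slide 6: whatever the request carried goes straight in.
def find_by_reset_token_unsafe(params)
  where_sql("users", id: params["user_id"].to_i, reset_token: params["token"])
end

# A reset token is a secret string; nil (from ?token[]), arrays and hashes are
# refused before a query exists, so IS NULL can never be generated for it.
def require_scalar!(value, name)
  unless value.is_a?(String) && !value.strip.empty?
    raise UnsafeQueryValue, "#{name} must be a non-empty string"
  end
  value
end

def find_by_reset_token_safe(params)
  token = require_scalar!(params["token"], "token")
  where_sql("users", id: params["user_id"].to_i, reset_token: token)
end

if __FILE__ == $PROGRAM_NAME
  legit    = { "user_id" => "6", "token" => "XYZ" }   # constructed
  tampered = { "user_id" => "6", "token" => nil }     # constructed: parsed ?token[]
  puts find_by_reset_token_unsafe(legit)     # ... users.reset_token = 'XYZ' LIMIT 1
  puts find_by_reset_token_unsafe(tampered)  # ... users.reset_token IS NULL LIMIT 1
  begin
    find_by_reset_token_safe(tampered)
  rescue UnsafeQueryValue => e
    puts "rejected: #{e.message}"
  end
end
```

The type check is not a substitute for the version upgrade the slide asks for; it is the defence-in-depth layer that makes a user-supplied secret's shape explicit wherever a lookup depends on it.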
  9. Brakeman
    -------------------------------------------------
    | Warning Type               | Total |
    -------------------------------------------------
    | Cross Site Scripting       | 2     |
    | Cross-Site Request Forgery | 1     |
    | Denial of Service          | 1     |
    | Redirect                   | 1     |
    | SQL Injection              | 4     |
    -------------------------------------------------
  10. Conclusions
    Know the threats – OWASP Top 10. Follow Rails conventions.
    Ruby on Rails Security Guide: http://guides.rubyonrails.org/security.html
    The Ruby on Rails security project: http://www.rorsecurity.info
    Rails security mailing list: http://groups.google.com/group/rubyonrails-security
  11. Thanks to…
    Daniel Amselem for pair programming. Irit Shainzinger for the cool graphics. Michael Hartl for his microblogging app tutorial.