
“Somebody guessed my password, so I had to rename my dog.”

This is an intro talk. If you think you might get bored, please check out:

Rails Security Training app

Intro to Rails Security

Nicholas Klick, Engineer, Estimize.com

Why does security matter?

Tuesday, July 28, 15

Where do you start looking for security vulnerabilities?


Open Web Application Security Project

OWASP Top 10

1. Injection
2. Auth and Sessions
3. Cross Site Scripting
4. Insecure Object References
5. Security Misconfiguration
6. Sensitive Data Exposure
7. Function level access control
8. Cross Site Request Forgery
9. Using Insecure Components
10. Redirection / Forwarding


Injection attacks

Injection flaws allow attackers to relay malicious code through an application to another system.

These attacks include calls to the operating system via system calls, the use of external programs via shell commands, and calls to backend databases via SQL.

SQL Injection

The attacker must find a parameter that the web application passes through to a database.

By carefully embedding malicious SQL commands into the content of that parameter, the attacker can trick the web application into forwarding a malicious query to the database.

SQL Injection


SQL Injection Mitigation

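The slide above is an image; as an added example (not code from the talk), here is plain Ruby with no ActiveRecord that models the two ways a parameter can reach the database, with the Rails equivalents in comments. The query text, column name and `TAUTOLOGY` input are constructed for illustration.

```ruby
# Vulnerable: the value is spliced into the SQL text, so quotes and keywords
# inside it become part of the query. Rails equivalent:
#   User.where("name = '#{params[:name]}'")
def unsafe_where(column, value)
  "SELECT * FROM users WHERE #{column} = '#{value}'"
end

# Quote one value as a single SQL string literal; a quote inside the value is
# doubled, which is how SQL escapes it. (Real drivers send bind parameters
# out of band instead, which is better still.)
def quote(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Safe: every `?` is replaced by a quoted literal, never by raw text, and the
# number of binds must match the number of placeholders. Rails equivalents:
#   User.where("name = ?", params[:name])   or   User.where(name: params[:name])
def safe_where(template, *binds)
  expected = template.count("?")
  raise ArgumentError, "expected #{expected} binds, got #{binds.size}" unless expected == binds.size
  i = -1
  template.gsub("?") { quote(binds[i += 1]) }
end

# Constructed input that closes the string literal early and appends a tautology.
TAUTOLOGY = "x' OR 'a'='a"

if __FILE__ == $PROGRAM_NAME
  puts unsafe_where("name", TAUTOLOGY)                              # the OR is now live SQL
  puts safe_where("SELECT * FROM users WHERE name = ?", TAUTOLOGY)  # still one literal
end
```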

Command Injection

Execution of arbitrary commands on the host operating system

Possible when an application passes unsafe user supplied data to a system shell

Command Injection


Command Injection Mitigation

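The mitigation slide is an image; as an added example (not code from the talk), here is the Ruby side of it: a user-supplied filename handed to an image converter. The `convert` command line and the `UNTRUSTED` value are constructed; the point is the single-string form goes through `/bin/sh`, the array form does not.

```ruby
require "shellwords"

# Constructed untrusted input: a filename followed by a shell separator.
UNTRUSTED = "photo.jpg; echo injected"

# Vulnerable: one string means Ruby hands it to /bin/sh, which splits on `;`
# and runs whatever follows. Shown only for comparison; never executed here.
def unsafe_command(filename)
  "convert #{filename} -resize 100x100 thumb.jpg"
end

# Safe: pass argv as an array. `system`/`IO.popen` then exec the program
# directly with no shell, so metacharacters are just bytes in one argument.
def safe_argv(filename)
  ["convert", filename, "-resize", "100x100", "thumb.jpg"]
end

# If a shell really is unavoidable, quote every argument first.
def safe_shell_string(filename)
  Shellwords.join(safe_argv(filename))
end

# Run an argv array and return its stdout (no shell involved).
def run_argv(argv)
  IO.popen(argv, &:read)
end

if __FILE__ == $PROGRAM_NAME
  puts unsafe_command(UNTRUSTED)     # two commands once a shell sees it
  puts safe_shell_string(UNTRUSTED)  # one quoted argument
  puts run_argv(["echo", UNTRUSTED]) # echo prints the whole string verbatim
end
```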

Cross Site Scripting - XSS

Occurs whenever an application takes untrusted data and sends it to a web browser without validation and escaping.

XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

XSS examples

XSS examples Tuesday, July 28, 15

Rails & XSS

Rails handles basic XSS threats. When string data is shown in views, it is escaped by ActiveSupport::SafeBuffer prior to being sent back to the browser*

* https://github.com/rails/rails/blob/72ffeb9fe58c46bd556a85bed5214d8f482737a5/activesupport/lib/active_support/core_ext/string/output_safety.rb

XSS Mitigation

Avoid raw, .html_safe, etc. where user input is displayed.

Consider a markup language for rich text in an application, which will sanitize input.

Use the #sanitize method, which lets you whitelist allowed tags.
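To make the escaping behaviour concrete, here is an added example (not Rails' SafeBuffer, just a minimal stand-in using the stdlib ERB escaper): template text is marked safe, anything else appended is escaped, and an `html_safe`/`raw` call on user input is exactly the bypass the slide warns about. The `render_comment` views and the comment text are constructed.

```ruby
require "erb"

# Minimal model of ActiveSupport::SafeBuffer: appending an unmarked string
# escapes it; appending a safe buffer copies it through untouched.
class SafeBuffer < String
  def html_safe?
    true
  end

  def <<(other)
    safe = other.respond_to?(:html_safe?) && other.html_safe?
    super(safe ? other : ERB::Util.html_escape(other))
  end
end

# Stand-in for `.html_safe` / `raw`: asserts that markup is trusted.
def html_safe(markup)
  SafeBuffer.new(markup)
end

# A view helper rendering a comment. `author` and `body` are untrusted.
def render_comment(author, body)
  out = SafeBuffer.new
  out << html_safe("<p><b>") << author << html_safe("</b>: ") << body << html_safe("</p>")
end

# The anti-pattern: marking user input as safe puts it in the page verbatim.
def render_comment_raw(author, body)
  render_comment(author, html_safe(body))
end
```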

Cross Site Request Forgery - CSRF

Forces an end user to execute unwanted actions on a web application in which they're currently authenticated

Cross Site Request Forgery - CSRF

1. User browses a message board and views a post from a hacker with an HTML image element. The element references a command in Bob's project management application, rather than an image file.

2. User session at www.webapp.com is still alive, because they didn't log out a few minutes ago.

3. By viewing the post, the browser finds an image tag. It tries to load the suspected image from www.webapp.com. As explained before, it will also send along the cookie with the valid session id.

4. The web application at www.webapp.com verifies the user information in the corresponding session hash and destroys the project with the ID 1. It then returns a result page which is an unexpected result for the browser, so it will not display the image.

5. User doesn't notice the attack - but a few days later they find out that project number one is gone.

Cross Site Request Forgery - CSRF

User must be logged in

A malicious request is sent to the server with the user's valid credentials


Cryptographically random token bound to the user's session. Within each form a hidden input field, authenticity_token, is injected; this field contains the token. The token is sent with the form submission request and is processed by the web application.

Rails CSRF Mitigation


Upon processing the POST request, the server compares the value submitted for the authenticity_token parameter to the value associated with the user’s session.

If it doesn't match, this indicates that the request may be a malicious request forged by an attacker, and the request fails.
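The token flow just described, as an added example that models it in plain Ruby rather than Rails' own protect_from_forgery code: a Hash stands in for the session, the hidden field is built from the per-session token, and state-changing requests are checked with a constant-time comparison. Method and parameter names are assumptions.

```ruby
require "securerandom"

# Issue the per-session token once and reuse it; returned for the hidden field.
def csrf_token(session)
  session[:_csrf_token] ||= SecureRandom.base64(32)
end

# The hidden input Rails' form helpers inject into every form.
def hidden_field(session)
  %(<input type="hidden" name="authenticity_token" value="#{csrf_token(session)}">)
end

# Constant-time comparison so the check does not leak how many bytes matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server side: any non-read request must carry a token equal to the session's.
# GET/HEAD are exempt, as in Rails, which is why destructive actions must never
# be reachable via GET (the image-tag story above relies on exactly that).
def verified_request?(method, session, params)
  return true if %w[GET HEAD].include?(method)
  submitted = params["authenticity_token"]
  expected  = session[:_csrf_token]
  !submitted.nil? && !expected.nil? && secure_compare(submitted, expected)
end
```

A forged cross-site request fails because the attacker's page cannot read the victim's session token, so it cannot put the right value in the hidden field.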

Insecure Direct Object Reference

Allowing a User to access data they should not access

Insufficient authorization checks

Insecure Direct Object Reference


Insecure Direct Object Reference

By default, Ruby on Rails apps use a RESTful URI structure.

That means that paths are often intuitive and guessable.

To protect against a user trying to access or modify data that belongs to another user, it is important to specifically control actions.

Insecure Direct Object Reference Mitigation

Use a resource-based access control library, e.g. CanCan or Pundit

Ensure all operations on a database object are authorized by the business logic of the application
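As an added example (not from the talk, and not CanCan's or Pundit's code), here are the two mitigations in plain Ruby with in-memory stand-ins for ActiveRecord models: scoping the lookup to the current user, and a Pundit-style policy object consulted before every action. The `Project`/`User` structs and the sample rows are constructed.

```ruby
Project = Struct.new(:id, :owner_id, :name)
User    = Struct.new(:id)

# Constructed data: two users, one project each.
PROJECTS = [Project.new(1, 10, "alice-q3"), Project.new(2, 20, "bob-launch")]

class NotFound      < StandardError; end
class NotAuthorized < StandardError; end

# Vulnerable pattern: Project.find(params[:id]) returns any guessed id,
# and /projects/2 is easy to guess once you have seen /projects/1.
def find_any(id)
  PROJECTS.find { |p| p.id == id } or raise NotFound
end

# Mitigation 1: scope the lookup to the caller's own records, the equivalent
# of current_user.projects.find(params[:id]). Someone else's id looks the
# same as a missing one, so the response does not even confirm it exists.
def find_owned(user, id)
  PROJECTS.find { |p| p.id == id && p.owner_id == user.id } or raise NotFound
end

# Mitigation 2: a policy object holding the rule in one place, checked by
# every controller action before it touches the record.
class ProjectPolicy
  def initialize(user, project)
    @user, @project = user, project
  end

  def show?
    @project.owner_id == @user.id
  end

  def destroy?
    show?
  end
end

def authorize!(user, project, action)
  raise NotAuthorized unless ProjectPolicy.new(user, project).public_send(action)
  project
end
```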

There are often overlooked areas where security is a concern

Recommendation:

Beware of sensitive files

/config/database.yml /config/initializers/secret_token.rb /db/seeds.rb

/db/development.sqlite3

Add files you wish to hide to the .gitignore file?

Recommendation:

Use ENV variables


Recommendation:

Audit your code


Brakeman


Gemfile auditing with bundler-audit

Checks for vulnerable versions of gems in Gemfile.lock.

Checks for insecure gem sources (http://).

Allows ignoring certain advisories that have been manually worked around.

Prints advisory information.

Recommendation:

Run a vulnerability scanner


Recommendation:

Subscribe to Security Alerts

Ruby Security Announcements Google Group

Ruby on Rails Security Google Group

More Resources


Homework:

Learn about Rails Security interactively

Rails Security Training app