Security On Rails
David Paluy, October 2012
"Ruby is simple in appearance, but is very complex inside, just like our human body." Yukihiro "matz" Matsumoto
Agenda
- Session Hijacking
- CSRF
- Mass Assignment
- SQL Injection
Websites are all about the data!
When is a user not a user?
You have no way of knowing who or where the data that hits your application is coming from.
Session Hijacking
How sessions get hijacked:
- Sniffing the cookie on an insecure network. Most people don't clear out the cookies after working at a public terminal.
- Cross-Site Scripting (XSS)
- CSS Injection
- Header Injection
config.force_ssl = true
If you have http assets on an https page, the user's browser will display a mixed-content warning in the browser bar. Rails does most of the work for you, but if you have any hard-coded http:// internal links or images, make sure you change them.
Session Expiry

    class Session < ActiveRecord::Base
      # Delete sessions that have been idle longer than `time` (default: one hour),
      # and any session older than two days regardless of activity.
      def self.sweep(time = 1.hour)
        # Accept a string such as "20 minutes" and turn it into a duration.
        if time.is_a?(String)
          time = time.split.inject { |count, unit| count.to_i.send(unit) }
        end
        delete_all "updated_at < '#{time.ago.to_s(:db)}' OR created_at < '#{2.days.ago.to_s(:db)}'"
      end
    end
Provide the user with a log-out button in the web application, and make it prominent.
XSS Countermeasures

    strip_tags("somealert('hello')")
    RESULT: somealert(hello)

See SanitizeHelper.
CSS Injection
alert(eval('document.body.inne' + 'rHTML'));
Header Injection

    redirect_to params[:referer]

    http://www.yourapplication.com/controller/action?referer=http://www.malicious.tld

Rails escapes line breaks in the Location header that redirect_to sets; make sure you do the same yourself when you build other header fields with user input.
Session Storage

    config.action_dispatch.session = {
      :key    => '_app_session',
      :secret => '0dkfj3927dkc7djdh36rkckdfzsg...'
    }
Cross-Site Request Forgery (CSRF)
Most Rails applications use cookie-based sessions
CSRF Countermeasures

Be RESTful. Use GET if:
- The interaction is more like a question (i.e., it is a safe operation such as a query, read operation, or lookup).

Use POST if:
- The interaction is more like an order, or
- The interaction changes the state of the resource in a way that the user would perceive (e.g., a subscription to a service), or
- The user is held accountable for the results of the interaction.

    protect_from_forgery :secret => "123456789012345678901234567890..."
Mass Assignment
    attr_accessible :name
    attr_accessible :is_admin, :as => :admin
SQL Injection
    Project.where("name = '#{params[:name]}'")
    SELECT * FROM projects WHERE name = '' OR 1'

    User.first("login = '#{params[:name]}' AND password = '#{params[:password]}'")
    SELECT * FROM users WHERE login = '' OR '1'='1' AND password = '' OR '2'>'1' LIMIT 1
SQL Injection Countermeasures
    Model.where("login = ? AND password = ?", entered_user_name, entered_password).first
    Model.where(:login => entered_user_name, :password => entered_password).first
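To make the difference between the two patterns concrete, here is an added example (not from the deck, and not Rails code): plain Ruby with no ActiveRecord, where quote_sql and bind_placeholders are assumed stand-ins for the quoting ActiveRecord performs behind "?" placeholders. Feeding the deck's own login/password input to both builders shows why the interpolated query collapses while the bound one stays a literal comparison.

```ruby
# Added example: why "?" placeholders defeat the injection shown above.
# quote_sql / bind_placeholders are assumptions modelled on ActiveRecord's
# quoting behaviour (single quotes doubled inside a quoted literal).

# Wrap a value as a SQL string literal, doubling any embedded single quote
# so it can never terminate the literal early.
def quote_sql(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Substitute each "?" in the template with a quoted value, in order.
# Only the template is scanned, so a "?" inside a value is left alone.
def bind_placeholders(template, *values)
  if template.count("?") != values.size
    raise ArgumentError, "placeholder/value count mismatch"
  end
  remaining = values.dup
  template.gsub("?") { quote_sql(remaining.shift) }
end

# The vulnerable pattern from the deck: user input interpolated into SQL.
def unsafe_user_lookup(name, password)
  "SELECT * FROM users WHERE login = '#{name}' AND password = '#{password}' LIMIT 1"
end

# The countermeasure: bind through placeholders instead of interpolating.
def safe_user_lookup(name, password)
  where = bind_placeholders("login = ? AND password = ?", name, password)
  "SELECT * FROM users WHERE #{where} LIMIT 1"
end

if __FILE__ == $0
  # Constructed sample input: the deck's login/password injection strings.
  name, password = "' OR '1'='1", "' OR '2'>'1"
  puts unsafe_user_lookup(name, password)  # matches the deck's injected query
  puts safe_user_lookup(name, password)    # quotes are doubled, no injection
end
```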
Tools
- Brakeman - A static analysis security vulnerability scanner for Ruby on Rails applications
- RoRSecurity - explore Rails security
- Techniques to Secure your Website with RoR
Summary
The security landscape shifts and it is important to keep up to date, because missing a new vulnerability can be catastrophic.