Download secureRubyonRails.ppt

Posted on 12-Sep-2014




  • Securing Ruby on Rails

    CIS 6939 Web Engineering with Ruby on Rails
    University of North Florida
    Stephen Jones
    8 July 2007

  • SANS Top-20 Internet Security Attack Targets (2006 Annual Update)

    Top of the list for the Cross-platform Applications category is:

    C1 Web Applications
    C1.1 Description
    Applications such as Content Management Systems (CMS), Wikis, Portals, Bulletin Boards, and discussion forums are being used by small and large organizations. Every week hundreds of vulnerabilities are being reported in these web applications, and are being actively exploited. The number of attempted attacks every day for some of the large web hosting farms ranges from hundreds of thousands to even millions. All web frameworks (PHP, .NET, J2EE, Ruby on Rails, ColdFusion, Perl, etc.) and all types of web applications are at risk from web application security defects, ranging from insufficient validation through to application logic errors.

  • User Input

    Everything below comes from the client and is under the attacker's control:

    Regular form fields
    Hidden form fields
    Cookies
    URL parameters
    POST data
    HTTP headers
    AJAX requests

  • Scoped Queries

    class User < ActiveRecord::Base
      has_many :contacts
    end

    class Contact < ActiveRecord::Base
      belongs_to :user
    end

    class ContactsController < ApplicationController
      before_filter :require_signin

      def new
        @contact = Contact.new
      end

      def create
        contact = Contact.new(params[:contact])
        contact.user_id = session[:user_id]
        contact.save
        redirect_to contact_url(contact)
      end

      # accessed in the URL path like /contacts/42
      def show
        @contact = Contact.find params[:id]   # any signed-in user can read any contact
      end

      private

      # returning false from a before_filter halts the chain (Rails 1.x)
      def require_signin
        return false unless session[:user_id]
      end
    end

    Record IDs used right in the URL? Nothing checks that contact 42 belongs to the user who asked for it.

  • Scoped Queries

    class ContactsController < ApplicationController
      # gives us a @current_user object
      before_filter :require_signin
      # safely looks up the contact
      before_filter :find_contact, :except => [ :index, :new, :create ]

      def index
        @contacts = @current_user.contacts.find :all
      end

      def new
        @contact = @current_user.contacts.new
      end

      def create
        @current_user.contacts.create params[:contact]
        redirect_to contacts_url
      end

      def show
      end

      def edit
      end

      def update
        @contact.update_attributes params[:contact]
        redirect_to contact_url(@contact)
      end

      def destroy
        @contact.destroy
        redirect_to contacts_url
      end

      private

      # find_by_id returns nil instead of raising, so the redirect is reachable
      def require_signin
        @current_user = User.find_by_id session[:user_id]
        redirect_to(home_url) and return false unless @current_user
      end

      # scoped through the association: a contact belonging to another user
      # is simply not found
      def find_contact
        @contact = @current_user.contacts.find params[:id]
      end
    end

    Because every lookup goes through @current_user.contacts, a request for someone else's contact ID raises ActiveRecord::RecordNotFound (a 404) instead of returning the record.

  • Record IDs in URLs

    Are the record IDs in URLs verified (e.g. by HTTP authentication)? Is the ID guessable? How about a token?

    require 'digest/sha1'

    class User < ActiveRecord::Base
      def before_create
        token = Digest::SHA1.hexdigest("#{id}#{rand.to_s}")[0..15]
        write_attribute 'token', token
      end
    end

    class FeedsController < ApplicationController
      def show
        @user = User.find_by_token(params[:id]) or raise ActiveRecord::RecordNotFound
      end
    end

    Two caveats: inside before_create the record has not been saved yet, so id is nil and only rand contributes to the token; and Kernel#rand is a Mersenne Twister, not a cryptographic generator, so the token is only as unpredictable as the process seed.
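The following is an added example, not code from the slides: it reproduces the slide's token scheme in plain Ruby beside a version that draws the token from SecureRandom, and shows why the first is reproducible once the generator's seed is known (srand stands in for an attacker who has the seed; the feed table and names are constructed sample data).

```ruby
require 'digest/sha1'
require 'securerandom'

# Token scheme from the slide: SHA-1 over the record id and Kernel#rand,
# truncated to 16 hex characters (64 bits). In a before_create callback the
# id is still nil, so in practice only rand contributes entropy.
def rand_token(id)
  Digest::SHA1.hexdigest("#{id}#{rand.to_s}")[0..15]
end

# Replacement: draw the same 64 bits straight from the OS CSPRNG.
def secure_token
  SecureRandom.hex(8)   # 8 bytes = 16 hex characters, same length as above
end

# Kernel#rand is a Mersenne Twister. Reseeded with the same value it replays
# the same sequence, so a process whose seed is known or recovered leaks every
# token it ever minted. srand models the attacker knowing the seed.
def rand_tokens_reproducible?(seed, id)
  srand(seed)
  first = rand_token(id)
  srand(seed)
  second = rand_token(id)
  first == second
end

# SecureRandom never consults the seeded generator, so reseeding changes nothing.
def secure_tokens_reproducible?(seed)
  srand(seed)
  first = secure_token
  srand(seed)
  second = secure_token
  first == second
end

# Lookup as in FeedsController#show against a constructed table: a guessed
# sequential id such as "42" is simply not a key, so the lookup fails closed.
ALICE_TOKEN = secure_token
FEED_OWNERS = { ALICE_TOKEN => 'alice' }.freeze

def feed_owner(token)
  FEED_OWNERS.fetch(token) { raise KeyError, 'RecordNotFound' }
end
```

Rails 2.0 and later ship ActiveSupport::SecureRandom (plain SecureRandom from Ruby 1.8.7 on), which is the drop-in replacement for rand in the before_create callback above.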

  • Mass Assignment

    Both of these copy every key in params[:contact] onto the record:

    contact = current_user.contacts.create params[:contact]
    contact.update_attributes params[:contact]

    class UsersController < ApplicationController
      def edit
        @user = current_user
      end

      def update
        current_user.update_attributes params[:user]
        redirect_to edit_user_url
      end
    end

    edit.rhtml:

    <% form_for :user, :url => user_url, :html => { :method => :put } do |u| %>
      Login: <%= u.text_field :login %>
      Password: <%= u.password_field :password %>
    <% end %>

    The form only offers login and password, but nothing stops a signed-in user from sending any column name the model has. The request below is sent with that user's own session cookie (port 3000, the Rails default, is assumed):

    require 'net/http'

    http = Net::HTTP.new('localhost', 3000)
    http.post("/users/1", 'user[is_administrator]=1&_method=put',
              { 'Content-Type' => 'application/x-www-form-urlencoded' })

    Blacklist the dangerous attribute:

    class User < ActiveRecord::Base
      attr_protected :is_administrator
      has_many :contacts
    end

    Or, better, whitelist the ones a form may set; every column added later is protected by default:

    class User < ActiveRecord::Base
      attr_accessible :login, :password
      has_many :contacts
    end

    (Rails 4 moved this whitelisting into the controller as strong parameters: params.require(:user).permit(:login, :password).)
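As an added example (not code from the slides or from Rails), the following plain-Ruby stand-in for the User model replays the slide's request body against an unprotected update_attributes and against one that applies the attr_accessible whitelist. The model class, the one-level params parser and the sample values are all constructed for the demonstration.

```ruby
require 'cgi'

# Stand-in for an ActiveRecord model (assumed toy, not Rails): a column hash
# and an update_attributes that writes every key it is handed, which is
# exactly what the unprotected User on the slide does.
class UnprotectedUser
  COLUMNS = %w[login password is_administrator].freeze
  attr_reader :attributes

  def initialize(attrs = {})
    @attributes = { 'login' => nil, 'password' => nil, 'is_administrator' => false }
    update_attributes(attrs)
  end

  def update_attributes(attrs)
    attrs.each do |name, value|
      name = name.to_s
      @attributes[name] = value if COLUMNS.include?(name)
    end
    self
  end

  # Rails casts the form value "1" to true for a boolean column.
  def admin?
    [true, 1, '1', 'true'].include?(@attributes['is_administrator'])
  end
end

# Same model with attr_accessible :login, :password applied: anything not on
# the whitelist is dropped before assignment ever happens.
class ProtectedUser < UnprotectedUser
  ACCESSIBLE = %w[login password].freeze

  def update_attributes(attrs)
    super(attrs.select { |name, _| ACCESSIBLE.include?(name.to_s) })
  end
end

# Parse a urlencoded body the way Rails nests user[is_administrator]=1 into
# params[:user][:is_administrator]. One level of nesting is enough here.
def rails_params(body)
  params = {}
  CGI.parse(body).each do |key, values|
    value = values.last
    if (m = key.match(/\A(\w+)\[(\w+)\]\z/))
      (params[m[1]] ||= {})[m[2]] = value
    else
      params[key] = value
    end
  end
  params
end

# Replay the slide's Net::HTTP request body against a signed-in user record.
def simulate_update(model_class, body)
  user = model_class.new('login' => 'alice', 'password' => 'secret')
  user.update_attributes(rails_params(body)['user'] || {})
  user
end

ATTACK_BODY = 'user[is_administrator]=1&_method=put'.freeze
```

The whitelist lives in the model rather than the controller so that every code path that mass-assigns (create, update_attributes, attributes=) is covered, not just the one action that was audited.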

  • Form Validation

    Client-side validation with JavaScript gives the user immediate feedback, but the data must still be validated on the server side as well: the client-side checks run in the attacker's browser and are trivially skipped.

  • SQL Injection

    Passing input straight from the user into the database lets malicious users hijack your queries.

    # unsafe
    User.find(:first, :conditions => "login = '#{params[:login]}' AND password = '#{params[:password]}'")

    With login alice and password secret this sends:

    SELECT * FROM users WHERE (login='alice' and password='secret') LIMIT 1

    With an empty login and the password

    ' or login='bob' and password != '

    the quotes in the input close and reopen the SQL literal, and the query becomes:

    SELECT * FROM users WHERE (login='' and password='' or login='bob' and password != '') LIMIT 1

    # Logs in as any user, without knowing a password

  • SQL Injection

    # safe (pass a hash to :conditions)
    User.find(:first, :conditions => { :login => params[:login], :password => params[:password] })

    # safe (shorter form: bind variables, quoted by the database adapter)
    User.find(:first, :conditions => [ "login = ? AND password = ?", params[:login], params[:password] ])
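To make the difference between the two :conditions forms concrete, here is an added example (not from the slides and not ActiveRecord's own code) that builds the WHERE clause the slide's unsafe string produces beside what bind-variable substitution produces for the same input. The quote and bind functions are a local re-implementation of what ActiveRecord's sanitize_sql_array does through the adapter's quote method, and follow the ANSI rule only.

```ruby
# The slide's unsafe :conditions string, as ActiveRecord wraps it in parentheses.
def unsafe_conditions(login, password)
  "(login = '#{login}' AND password = '#{password}')"
end

# Quote one Ruby value as a SQL literal: single quotes around it, embedded
# single quotes doubled (the ANSI rule). ActiveRecord hands this to the
# adapter's quote method instead, which also knows adapter-specific escapes
# such as MySQL's backslash; this local version is an assumption for the demo.
def quote(value)
  case value
  when nil     then 'NULL'
  when Numeric then value.to_s
  else "'#{value.to_s.gsub("'", "''")}'"
  end
end

# What :conditions => ["... ? ...", v1, v2] does: each ? is replaced by the
# quoted next value, so a value can never close the literal it sits in.
def bind(template, *values)
  unless template.count('?') == values.size
    raise ArgumentError, "wrong number of bind variables (#{values.size} for #{template.count('?')})"
  end
  remaining = values.dup
  template.gsub('?') { quote(remaining.shift) }
end

def safe_conditions(login, password)
  "(#{bind('login = ? AND password = ?', login, password)})"
end

# The password value from the slide.
PAYLOAD = "' or login='bob' and password != '".freeze
```

With the payload bound rather than interpolated, the database compares the password column against the literal text of the attack string, which matches nobody. In production, let the adapter do the quoting (or use real prepared statements); the rule above is enough for the demonstration but not for every database.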

  • Session Fixation

    The attacker plants a session ID of their choosing in the victim's browser (cross-site cooking, a subdomain under the attacker's control, and similar tricks) before the victim signs in; if the application keeps using that ID after sign-in, the attacker's browser now carries the victim's session.

    Mitigation: use reset_session in your sign-in and sign-out methods.

    # signin
    def create
      if u = User.find_by_login_and_password(params[:login], params[:password])
        reset_session # create a new session id, to thwart fixation
        session[:user_id] = u.id
        redirect_to home_url
      else
        render :action => 'new'
      end
    end
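The attack and the mitigation, replayed against an in-memory session store, as an added example that is not part of the slides (the SessionStore class is a constructed stand-in for the Rails session store, and user 42 is a made-up victim):

```ruby
require 'securerandom'

# In-memory stand-in for the Rails session store (assumed toy): session id
# (the cookie value) maps to a hash of session data.
class SessionStore
  def initialize
    @sessions = {}
  end

  # Returns the data for sid, creating an empty session for unknown ids,
  # which is what lets an attacker mint an id just by visiting the site.
  def fetch(sid)
    @sessions[sid] ||= {}
  end

  # reset_session: abandon the current id and start a fresh, unguessable one.
  def reset(old_sid)
    @sessions.delete(old_sid)
    new_sid = SecureRandom.hex(16)
    @sessions[new_sid] = {}
    new_sid
  end

  def user_for(sid)
    (@sessions[sid] || {})[:user_id]
  end
end

# The slide's sign-in, with reset_session made optional so both outcomes can
# be compared. Returns the session id the browser holds afterwards.
def sign_in(store, sid, user_id, reset_session: true)
  sid = store.reset(sid) if reset_session
  store.fetch(sid)[:user_id] = user_id
  sid
end

# Fixation replayed: the attacker obtains a session id, plants it in the
# victim's browser, and the victim signs in under it. The attack works if the
# attacker's id now carries the victim's user_id.
def fixation_succeeds?(reset_session:)
  store = SessionStore.new
  attacker_sid = SecureRandom.hex(16)
  store.fetch(attacker_sid)                                        # attacker creates the session
  sign_in(store, attacker_sid, 42, reset_session: reset_session)  # victim (user 42) signs in
  store.user_for(attacker_sid) == 42
end
```

The same call belongs in sign-out: destroying the session data is not enough if the old ID stays valid and can be re-populated.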

  • Cross-site Scripting (XSS)

    Unescaped user data included in HTML output. What's the problem? JavaScript! A query parameter ending in 'XSS')%3B%3C%2Fscript%3E is the URL-encoded tail of <script>alert('XSS');</script>; echoed back into the page unescaped, it runs in the browser of anyone who follows the link.

  • Cross-site Scripting (XSS)

    # unsafe
    <%= form_tag({ :action => 'index' }, :method => :get) %>

    class SearchController < ApplicationController
      def index
        @q = params[:q]
        @posts = Post.find :all, :conditions => ["body like :query", { :query => params[:q] }]
      end
    end

    index.rhtml:

    Your search for <%= @q %> returned <%= @posts.size %>:
    <% for post in @posts %>
      <%= link_to post.title, post_url(post) %>:
    <% end %>

    The SQL is safe (named bind variable), but <%= @q %> writes the raw search string into the HTML.
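As an added example (not code from the slides), the next block renders the slide's index.rhtml line through ERB twice, once with @q raw and once through the h helper, for the URL-encoded payload from the previous slide. SearchView is a constructed stand-in for the Rails view context, and safe_href? is an added check that goes one step beyond the slide: h does nothing for a javascript: URL dropped into an href, because that value contains no markup characters.

```ruby
require 'erb'
require 'cgi'
require 'uri'

# The attacker's query parameter as it travels in the URL (constructed sample).
ATTACK_QUERY = "%3Cscript%3Ealert('XSS')%3B%3C%2Fscript%3E".freeze

# What Rails hands the controller in params[:q].
def decode_query(param)
  CGI.unescape(param)
end

# Two versions of the slide's index.rhtml line; h is ERB::Util#html_escape.
UNSAFE_VIEW = "Your search for <%= @q %> returned <%= @count %>:".freeze
SAFE_VIEW   = "Your search for <%= h @q %> returned <%= @count %>:".freeze

# Minimal view context: the instance variables plus the h helper.
class SearchView
  include ERB::Util

  def initialize(q, count)
    @q = q
    @count = count
  end

  def render(template)
    ERB.new(template).result(binding)
  end
end

# h escapes &, <, >, " and ' only. A user-supplied URL placed in an href can
# be javascript:alert(1) without any of those characters, so links need a
# scheme whitelist as well (absolute http(s) only, for this demonstration).
def safe_href?(url)
  %w[http https].include?(URI.parse(url).scheme.to_s.downcase)
rescue URI::InvalidURIError
  false
end
```

Escaping is a property of the output context: h is right for text between tags and inside quoted attributes, but data written into a script block, an unquoted attribute or a URL needs its own encoding.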

    Solution: the h helper, also known as html_escape, applied to every piece of user data written into a template.

    It converts &, ", > and < into &amp;, &quot;, &gt; and &lt;, so the browser displays the data as text instead of parsing it as markup.

  • Hashing Passwords

    require 'digest/sha1'

    class User < ActiveRecord::Base
      attr_accessor :password   # virtual attribute; only hashed_password is stored
      validates_presence_of :password, :if => :password_required?
      validates_confirmation_of :password, :if => :password_required?
      before_save :hash_password

      # Authenticates a user by login/password. Returns the user or nil.
      def self.authenticate login, password
        find_by_login_and_hashed_password(login, Digest::SHA1.hexdigest(login + password))
      end

      protected

      def hash_password
        return if password.blank?
        self.hashed_password = Digest::SHA1.hexdigest(login + password)
      end

      def password_required?
        hashed_password.blank? || !password.blank?
      end
    end

    The login acts as a per-user salt here, which stops one rainbow table from covering the whole users table, but a single SHA-1 is fast enough that each hash can still be brute-forced in bulk; a deliberately slow, randomly salted scheme (bcrypt, scrypt or PBKDF2) is the current recommendation.
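The following is an added example, not code from the slides: the slide's SHA-1 scheme beside a salted, iterated PBKDF2-HMAC-SHA256 scheme built on Ruby's OpenSSL binding, with a constant-time comparison on verification. The stored-hash format, the iteration count and the user table are assumptions made for the demonstration.

```ruby
require 'digest/sha1'
require 'openssl'
require 'securerandom'

# The slide's scheme: one unsalted SHA-1 over login+password.
def slide_hash(login, password)
  Digest::SHA1.hexdigest(login + password)
end

# Compare digests without short-circuiting on the first differing byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |diff, (x, y)| diff | (x ^ y) }.zero?
end

# Salted, iterated alternative with PBKDF2-HMAC-SHA256 (an assumed
# replacement; the slide does not use it). Stored form:
# algorithm$iterations$salt$key, salt and key base64-encoded.
DEFAULT_ITERATIONS = 100_000

def make_password_hash(password, iterations = DEFAULT_ITERATIONS)
  salt = SecureRandom.random_bytes(16)          # fresh random salt per password
  key  = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations,
                                  length: 32, hash: 'sha256')
  ['pbkdf2-sha256', iterations, [salt].pack('m0'), [key].pack('m0')].join('$')
end

def password_matches?(password, stored)
  _alg, iterations, salt_b64, key_b64 = stored.split('$', 4)
  salt     = salt_b64.unpack1('m0')
  expected = key_b64.unpack1('m0')
  actual   = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations.to_i,
                                      length: expected.bytesize, hash: 'sha256')
  secure_equal?(actual, expected)
end

# Authenticate against a constructed user table. The slide's
# find_by_login_and_hashed_password becomes a lookup by login followed by a
# salted verification, because the salt is only known once the row is read.
# Returns the login or nil, like User.authenticate.
USERS = { 'alice' => make_password_hash('secret', 1_000) }.freeze

def authenticate(login, password)
  stored = USERS[login]
  return nil unless stored && password_matches?(password, stored)
  login
end
```

Storing the iteration count next to the hash lets you raise it later and re-hash each user on their next successful login, which a fixed-cost SHA-1 scheme cannot do without a password reset.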

  • Silencing Logs

    Request parameters are written to the Rails log in full, so card numbers and passwords end up on disk unless they are filtered:

    class OrdersController < ApplicationController
      filter_parameter_logging :cc_number, :cvv, :cc_date
      # ...
    end

    The named parameters are logged as [FILTERED]. (Rails 3 and later replaced this with the application-wide config.filter_parameters setting.)

  • Third party widgets

  • Attribution

    1. The Ghost In The Browser: Analysis of Web-based Malware. Niels Provos, Dean McNamee, Panayiotis Mavrommatis, Ke Wang and Nagendra Modadugu, Google, Inc.
    2. Ajax on Rails, by Scott Raymond.
    3. SANS Institute, Internet Security Attack Targets.

    Rails Security Mailing List: