security talk

“Somebody guessed my password, so I had to rename my dog.” - @teknoteacher Tuesday, July 28, 15

Upload: nk

Post on 18-Aug-2015


TRANSCRIPT

This is an intro talk. If you think you might get bored please check out:
https://insecurerails.herokuapp.com/ (Rails Security Training app)

Intro to Rails Security
Nicholas Klick, Engineer, Estimize.com

Why does security matter?

Where do you start looking for security vulnerabilities?

Open Web Application Security Project (OWASP)

OWASP Top 10
- Injection
- Auth and Sessions
- Cross Site Scripting
- Insecure Object References
- Security Misconfiguration
- Sensitive Data Exposure
- Function level access control
- Cross Site Request Forgery
- Using Insecure Components
- Redirection / Forwarding

Injection attacks
Injection flaws allow attackers to relay malicious code through an application to another system. These attacks include calls to the operating system via system calls, the use of external programs via shell commands, as well as calls to backend databases via SQL.

SQL Injection
The attacker must find a parameter that the web application passes through to a database. By carefully embedding malicious SQL commands into the content of the parameter, the attacker can trick the web application into forwarding a malicious query to the database.

SQL Injection

SQL Injection Mitigation

Command Injection
Execution of arbitrary commands on the host operating system. Possible when an application passes unsafe user supplied data to a system shell.

Command Injection

Command Injection Mitigation

Cross Site Scripting - XSS
Occurs whenever an application takes untrusted data and sends it to a web browser without validation and escaping. XSS allows attackers to execute scripts in the victim's browser, which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
Source: http://www.acunetix.com/blog/articles/blind-xss/

XSS examples

Rails & XSS
Rails handles basic XSS threats. When string data is shown in views, it is escaped by ActiveSupport::SafeBuffer prior to being sent back to the browser.*
* https://github.com/rails/rails/blob/72ffeb9fe58c46bd556a85bed5214d8f482737a5/activesupport/lib/active_support/core_ext/string/output_safety.rb

XSS Mitigation
- Avoid using raw, .html_safe etc. where user input is displayed
- Consider a markup language for rich text in an application which will sanitize input
- Use the #sanitize method that lets you whitelist allowed tags

Cross Site Request Forgery - CSRF
Forces an end user to execute unwanted actions on a web application in which they're currently authenticated.

1. User browses a message board and views a post from a hacker with an HTML image element. The element references a command in Bob's project management application, rather than an image file.
2. User session at www.webapp.com is still alive, because they didn't log out a few minutes ago.
3. By viewing the post, the browser finds an image tag. It tries to load the suspected image from www.webapp.com. As explained before, it will also send along the cookie with the valid session id.
4. The web application at www.webapp.com verifies the user information in the corresponding session hash and destroys the project with the ID 1. It then returns a result page which is an unexpected result for the browser, so it will not display the image.
5. User doesn't notice the attack - but a few days later they find out that project number one is gone.

Cross Site Request Forgery - CSRF
- User must be logged in
- Malicious request is sent to the server with the user's valid credentials

Rails CSRF Mitigation
A cryptographically random token bound to the user's session. Within each form a hidden input field, authenticity_token, is injected; this field contains the token. The token is sent with the form submission request and is processed by the web application.
Upon processing the POST request, the server compares the value submitted for the authenticity_token parameter to the value associated with the user's session. If it doesn't match, this indicates that the request may be a malicious request forged by an attacker, and the request fails.

Insecure Direct Object Reference
- Allowing a user to access data they should not access
- Insufficient authorization checks

Insecure Direct Object Reference
By default, Ruby on Rails apps use a RESTful URI structure. That means that paths are often intuitive and guessable. To protect against a user trying to access or modify data that belongs to another user, it is important to specifically control actions.

Insecure Direct Object Reference Mitigation
- Use a resource-based access control library. Ex: CanCan or Pundit
- Ensure all operations on a database object are authorized by the business logic of the application

There are often overlooked areas where security is a concern.

Recommendation: Beware of sensitive files
- /config/database.yml
- /config/initializers/secret_token.rb
- /db/seeds.rb
- /db/development.sqlite3
Add files you wish to hide to the .gitignore file?

Recommendation: Use ENV variables

Recommendation: Audit your code

Brakeman

Gemfile auditing with bundler-audit
- Checks for vulnerable versions of gems in Gemfile.lock
- Checks for insecure gem sources (http://)
- Allows ignoring certain advisories that have been manually worked around
- Prints advisory information

Recommendation: Run a vulnerability scanner

Recommendation: Subscribe to Security Alerts
- Ruby Security Announcements Google Group
- Ruby on Rails Security Google Group

More Resources

Homework: Learn about Rails Security interactively
https://insecurerails.herokuapp.com/ (Rails Security Training app)
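An added illustration of the Rails & XSS and XSS Mitigation slides (example code written for this transcript, not the Rails source linked above): a stripped-down model of the SafeBuffer idea, showing why escape-by-default output neutralises a script payload in a user comment and why calling .html_safe on user input reintroduces the bug. The SafeBuffer class, the String#html_safe patch and render_comment are simplified stand-ins for what Rails does.

```ruby
require "erb"

# Simplified model of ActiveSupport::SafeBuffer (added illustration, not Rails code).
# A SafeBuffer is a String flagged as "already safe HTML": appending a plain
# String HTML-escapes it first, appending another SafeBuffer does not.
class SafeBuffer < String
  def html_safe?
    true
  end

  def <<(value)
    value = value.to_s unless value.is_a?(String)
    super(value.html_safe? ? value : ERB::Util.html_escape(value))
  end
  alias concat <<
end

class String
  def html_safe?
    false
  end

  # Equivalent of Rails' raw / .html_safe: the caller asserts the content is trusted.
  # Calling this on user input is exactly the mistake the XSS Mitigation slide warns about.
  def html_safe
    SafeBuffer.new(self)
  end
end

# Render a comment the way an ERB view does: template text is trusted, the
# interpolated user values are not (unless someone has marked them html_safe).
def render_comment(author, body)
  out = SafeBuffer.new
  out << "<p class=\"comment\"><b>".html_safe
  out << author
  out << "</b>: ".html_safe
  out << body
  out << "</p>".html_safe
  out.to_s
end

# Constructed sample of hostile user input (not taken from the talk).
PAYLOAD = "<script>alert(document.cookie)</script>".freeze

puts render_comment("alice", PAYLOAD)            # script tags arrive escaped: harmless text
puts render_comment("alice", PAYLOAD.html_safe)  # .html_safe on user input: script tag reaches the browser
```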
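An added illustration of the Rails CSRF Mitigation slides (example code written for this transcript, not Rails' own implementation, which additionally masks the token per request and also accepts it from a request header): a session-bound authenticity_token is minted, injected into the form as a hidden field, and compared in constant time on every non-GET request. The session hash, params hash and destroy_project handler are assumed stand-ins for the Rails session store, request params and a controller action.

```ruby
require "securerandom"

# Returns the token bound to this session, minting one the first time
# (assumed session store: a plain Hash keyed by :_csrf_token).
def form_authenticity_token(session)
  session[:_csrf_token] ||= SecureRandom.urlsafe_base64(32)
end

# What the form helper injects into every rendered form.
def hidden_token_field(session)
  %(<input type="hidden" name="authenticity_token" value="#{form_authenticity_token(session)}">)
end

# Constant-time comparison so response timing leaks nothing about the token.
def secure_compare(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# The check run before acting on a state-changing request: GET/HEAD are reads
# and are not covered; any other method must carry the token issued to this session.
def verified_request?(method, session, params)
  return true if %w[GET HEAD].include?(method.upcase)
  expected = session[:_csrf_token]
  !expected.nil? && secure_compare(params["authenticity_token"].to_s, expected)
end

# Simulated controller action for the slide scenario: a forged request carries
# the victim's session cookie but cannot know the token that lives in that session.
# Note the image-tag attack on the slides is a GET, which the token never guards;
# that is why a destructive action must only be routed as DELETE/POST.
def destroy_project(method, session, params)
  return :rejected unless verified_request?(method, session, params)
  :destroyed
end

victim = {}                                                        # constructed logged-in session
legit = { "authenticity_token" => form_authenticity_token(victim) } # submitted from the real form
forged = {}                                                        # cross-site request: cookie only
puts destroy_project("DELETE", victim, legit)   # destroyed
puts destroy_project("DELETE", victim, forged)  # rejected
```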