Rails Security - Bart ten Brinke


Published on September 20, 2007

Author: BCC

Source: slideshare.net

Description

A few slides on common holes in Rails applications. Finished it too late for reject conf.

RAILS SECURITY
Bart ten Brinke
movesonrails.com
bart.tenbrinke@movesonrails.com

Why I did this

After a security presentation at RailsConfEurope 2007, I found a lot was missing, so I made this. I didn't finish it in time for reject conf, so I posted it on my blog. No, I am not Australian :)

SQL Injection (Old, but even Jason still does this wrong)

Don't do this

    Person.find(:first, :conditions => "name = #{name}")

Do this

    Person.find(:first, :conditions => ["name = ?", name])

Or

    Person.find_by_name(name)

Cross Site Scripting (XSS)

Don't do this in a view

    <p>Name: <%= @name %></p>

Do this

    <p>Name: <%= h @name %></p>

Don't forget your link_to's and images. If you forget just one, you are an easy victim.

Skipping security

Don't do this

    skip_before_filter :check_auth

Do this

    skip_before_filter :check_auth, :only => [:login]

Explicitly specify the actions that skip security. Otherwise new ones will be insecure by default.

Watch out for the TO_JSON XSS exploit

Don't do this in a view

    <script>posts = <%= @posts.to_json %></script>

This is fixed in edge Rails (6893). So if you are on 1.2.3, you have a problem. Write your own to_json for the model or mix in the patch for ticket 8371 of Rails.
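The following Ruby sketch is an added example; it is not from the slides and it is not the patch from ticket 8371. It assumes the risk is attribute values reaching an inline script block unescaped, and puts the slide's embedding beside an escaped serializer; script_safe_json, inline_script, script_closers and the sample record are hypothetical names and constructed data.

```ruby
require 'json'

# Characters that let a JSON string break out of an inline <script> block,
# plus the two line separators that older JavaScript engines reject inside
# string literals.
SCRIPT_UNSAFE = /[<>&\u2028\u2029]/

# Serialize +data+ to JSON that is safe to place inside <script>...</script>.
# Each unsafe character becomes a \uXXXX escape, which JSON parsers and
# JavaScript engines decode back to the original character.
def script_safe_json(data)
  JSON.generate(data).gsub(SCRIPT_UNSAFE) { |c| format('\\u%04x', c.ord) }
end

# Build the inline script the way the slide's view does.
def inline_script(json)
  "<script>posts = #{json}</script>"
end

# Count how many times an HTML parser would see the script element closed.
# Exactly one is expected: the tag written by the template itself.
def script_closers(html)
  html.scan(%r{</script}i).length
end

# Constructed sample record: the title stands in for user-supplied input.
POSTS = [{ 'id' => 1, 'title' => '</script><script>alert(1)</script>' }].freeze

UNSAFE_PAGE = inline_script(JSON.generate(POSTS))
SAFE_PAGE   = inline_script(script_safe_json(POSTS))

if __FILE__ == $PROGRAM_NAME
  puts "unescaped output closes the script element #{script_closers(UNSAFE_PAGE)} times"
  puts "escaped output closes the script element #{script_closers(SAFE_PAGE)} time"
  puts SAFE_PAGE
end
```

The escaped output still parses to the same data, so client code reading posts sees the original title text as a plain string.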

Obfuscate passwords in logging

If your log looks like this

    Processing LoginController#create (for 127.0.0.1 at 2007-09-20 18:16:32) [POST]
    Session ID: 023b70d61b76c29a0e123e79c8772f4d
    Parameters: {"sign_in"=>"Sign in", "remember"=>"", "action"=>"create", "username"=>"Administrator", "controller"=>"login", "password"=>"im1337"}

Add this to your application.rb

    filter_parameter_logging "password"

Are you accessible?

Don't have everything XML or JSON

/mykillerapp/users.xml

    <users>
      <user>
        <id type="integer">3</id>
        <username>administrator</username>
        <password-hash>
          4fc62477c37b2880646336e5b753daef6ae3377b36cab20ddc27c7b933ca6ecd
        </password-hash>
        <password-salt>ntoRnlDr</password-salt>
      </user>
    </users>

Production deploy

Don't do this

    production:
      adapter: mysql
      database: my_killer_app
      username: root
      password:
      host: localhost

Do this

Use decent security in a production environment. Also strip all the stuff you don't need from your tags (like /test).

CONCLUSIONS

These are all examples of things I ran into during about one year of full-time Rails development. Realize that there are more!

Greetings to everyone who came to RailsConf Europe 2007. It was inspiring! If you have any questions, feel free to email me.

Bart ten Brinke
movesonrails.com
bart.tenbrinke@movesonrails.com
