Triangle.rb - How Secure is Your Rails Site, Anyway?

Category: Technology

Published on March 12, 2014

Author: CoryFoy

Source: slideshare.net

Description

In this talk from Triangle.rb, Cory Foy details the state of Rails security, including the need to pay attention to the libraries you use. He includes real-world examples of exploits and links to resources.

http://www.flickr.com/photos/mthierry/4595284293 http://www.flickr.com/photos/111692634@N04
How Secure is Your Rails Site, Anyway?
Cory Foy
foyc@coryfoy.com
@cory_foy
Tuesday, March 11, 14

Security in a Web World
(images: http://blogs.msdn.com/blogfiles/rds/WindowsLiveWriter/RDGatewaydeploymentinaperimeternetworkFi_CBD0/clip_image002_thumb.jpg, http://www.comtelindia.com/images/network_diagram_largepic.jpg)

Heartland Payment Systems - 134 Million Credit Cards Exposed via a SQL Injection attack and spyware
TJX Companies - 94 Million Credit Cards Exposed after weak WiFi or In-Store Kiosk Security was compromised
LivingSocial - 50 Million records stolen including names, date of birth and salted password
Federal Reserve - 4,000 records of key bank executives containing personal information stolen via a vulnerability in an internal website
Smuckers - Names, Addresses, Credit and Debit Card Numbers, Expiration Dates and Verification Codes stolen from online store
Target - 40-70 million Credit Cards, PIN and CVVs stolen

Cory Foy
foyc@coryfoy.com
@cory_foy
blog.coryfoy.com
prettykoolapps.com

OWASP - Open Web Application Security Project

Open Web Application Security Project - 2003
Unvalidated Parameters
Command Injection Flaws
Cross Site Scripting Flaws
Buffer Overflows
Error Handling Problems
Insecure Use of Cryptology
Broken Access Control
Web and Application Server Misconfiguration

Open Web Application Security Project - 2013
Injection
Cross Site Scripting
Cross Site Request Forgery
Insecure Direct Object References
Unvalidated Redirects and Forwards
Sensitive Data Exposure
Missing Function Level Access Control
Broken Authentication and Session Management
Security Misconfiguration
Using Components with Known Vulnerabilities

Open Web Application Security Project - 2003
Unvalidated Parameters
Command Injection Flaws
Cross Site Scripting Flaws
Buffer Overflows
Error Handling Problems
Insecure Use of Cryptology
Broken Access Control
Web and Application Server Misconfiguration

Rails Security

2013 | Rails
Injection | Built in filter to escape SQL Characters
Cross Site Scripting | By default, Rails escapes HTML
Cross Site Request Forgery | REST / protect_from_forgery
Insecure Direct Object References | Manual
Unvalidated Redirects and Forwards | Manual
Sensitive Data Exposure | Manual
Missing Function Level Access Control | Manual / Partials
Broken Authentication and Session Management | secret_key_base / reset_session
Security Misconfiguration | Manual
Using Components with Known Vulnerabilities | Manual / Gems

Injection
http://xkcd.com/327/
http://localhost:3000/bad/injection?id=1

Cross Site Scripting
http://localhost:3000/bad/comments

Cross Site Request Forgery
http://localhost:3000/bad/comments

Insecure Direct Object References
http://localhost:3000/bad/upload_file

Unvalidated Redirects and Forwards
http://localhost:3000/bad/index
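The Rails column above marks Unvalidated Redirects and Forwards as "Manual": the framework will happily redirect_to whatever string it is given, so the application has to decide what a legitimate target looks like. The following is an added example, not code from the talk or from its railssecurityexample demo app, of that decision written in plain Ruby on top of the standard library's URI parser. The allowed host list and the fallback path are constructed for the illustration; a real app would read them from its own configuration.

```ruby
require 'uri'

# Constructed for this example: the hosts this application may send users to.
ALLOWED_REDIRECT_HOSTS = %w[mysite.com www.mysite.com].freeze
FALLBACK_PATH = '/'.freeze

# Return +target+ when it is a local path or an http(s) URL on an allowed
# host; otherwise return +fallback+. Never raises on malformed input, so a
# controller can pass params[:return_to] straight through.
def safe_redirect_target(target, fallback: FALLBACK_PATH)
  return fallback if target.nil? || target.strip.empty?

  begin
    uri = URI.parse(target.strip)
  rescue URI::InvalidURIError
    # Backslashes, spaces and other junk: refuse rather than guess.
    return fallback
  end

  # Relative reference: no scheme and no host. Insist on a single leading
  # slash; "//evil.com/x" parses with a host and is handled below.
  if uri.scheme.nil? && uri.host.nil?
    path = uri.path.to_s
    return fallback unless path.start_with?('/') && !path.start_with?('//')
    return target.strip
  end

  # Absolute URL: only http or https, and only to a host we own.
  # Comparing uri.host (not the raw string) defeats "http://mysite.com@evil.com/".
  return fallback unless %w[http https].include?(uri.scheme)
  return fallback unless ALLOWED_REDIRECT_HOSTS.include?(uri.host&.downcase)

  target.strip
end
```

In a controller this is `redirect_to safe_redirect_target(params[:return_to])`; the point of returning a fallback instead of raising is that a bad return_to should degrade to the home page, not to an error page the attacker can also steer.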

Sensitive Data Exposure
http://plaintextoffenders.com/
http://localhost:3000/bad/make_payment
http://ghost.teario.com/how-not-to-write-an-api/

Missing Function Level Access Control
http://localhost:3000/bad/index

Broken Authentication and Session Management

Security Misconfiguration
https://github.com/CoryFoy/railssecurityexample

Using Components with Known Vulnerabilities

Standard Rails: 684,805 Lines of default included Gem code

Real Examples
http://thunderboltlabs.com/blog/2013/12/04/giving-back-to-open-source-security-edition/

Responsible Disclosure

Sorcery - Config.send
https://github.com/NoamB/sorcery/
Problem: Sorcery allows the configuration of multiple providers. It figured out the right one by calling Config.send(provider_name.to_sym)
Why's that a problem?
  rails c
  Object.ancestors
  Kernel.methods(false).sort
Fix: Don't trust user-modifiable input, ever

Doorkeeper - Symbol GC
https://github.com/applicake/doorkeeper/
Problem: Doorkeeper and Sorcery converted user input to symbols. Symbols are not GC'd, so they can use up a lot of memory quickly.
Why's that a problem?
  loop { (Time.now.to_f.to_s * 100000).to_sym }
Fix: Inspect user input as a string before converting to a symbol. Whitelist where possible.
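The Sorcery and Doorkeeper slides describe two consequences of one pattern: a request parameter is symbolized and used to pick a provider. Below is an added example, not code from either gem or from the talk, that puts the two versions side by side in plain Ruby. ProviderConfig, PROVIDERS, UnsafeConfig and SafeConfig are constructed stand-ins; the real gems' configuration classes are not reproduced here. The "ancestors" probe stands in for the `Object.ancestors` exploration the slide suggests: it is harmless, but it shows that `send` with a user-chosen name reaches methods that have nothing to do with providers.

```ruby
require 'set'

# Constructed stand-in for a gem's per-provider settings (names and ids are made up).
class ProviderConfig
  attr_reader :name, :client_id

  def initialize(name, client_id)
    @name = name
    @client_id = client_id
  end
end

PROVIDERS = {
  'github'  => ProviderConfig.new('github',  'example-github-client-id'),
  'twitter' => ProviderConfig.new('twitter', 'example-twitter-client-id')
}.freeze

# The pattern the talk describes. Two defects:
#  1. send dispatches to *any* method the receiver has, public or private,
#     including everything inherited from Object and Kernel.
#  2. to_sym interns whatever string arrives; on Rubies where dynamically
#     created symbols are never collected, that is a memory-exhaustion vector.
class UnsafeConfig
  def self.github;  PROVIDERS['github'];  end
  def self.twitter; PROVIDERS['twitter']; end

  def self.provider_for(user_input)
    send(user_input.to_sym)
  end
end

# The fix: compare the input as a string against a fixed whitelist, and only
# then touch anything it names. No symbol is ever created from the request.
class SafeConfig
  KNOWN = Set.new(PROVIDERS.keys).freeze

  def self.provider_for(user_input)
    name = user_input.to_s
    raise ArgumentError, 'unknown provider' unless KNOWN.include?(name)
    PROVIDERS.fetch(name)
  end
end

# Wrappers that turn "what happens for this request value" into a return value.
def unsafe_reach(user_input)
  UnsafeConfig.provider_for(user_input)
rescue NoMethodError
  :rejected
end

def safe_reach(user_input)
  SafeConfig.provider_for(user_input)
rescue ArgumentError
  :rejected
end
```

Run `unsafe_reach('ancestors')` and you get the class's ancestor chain back: the dispatcher answered a question no provider lookup should be able to ask. `safe_reach('ancestors')` is rejected before any method is named, which is the whole fix; the whitelist also bounds the set of strings that can ever become symbols, closing the second issue at the same time.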

I18n Injection Issue
https://github.com/rails/rails
https://github.com/svenfuchs/i18n
Problem: Missing locales showed an error message which exposed a Cross-Site Scripting attack vector
Why's that a problem?
  http://mysite.com/?locale="<script>alert('Hi Mom')</script>"
Fix: Don't trust user-modifiable input, ever
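The Cross Site Scripting slide notes that Rails escapes HTML by default; the I18n issue is what happens when a string bypasses that path and is reflected straight into an error message. This is an added example, not code from the rails or i18n repositories, showing both layers of the fix in plain Ruby: escape anything user-controlled that reaches HTML, and refuse to treat an arbitrary string as a locale in the first place. The escaper is the standard library's ERB::Util.html_escape; AVAILABLE_LOCALES and the message text are constructed for the example.

```ruby
require 'erb'

# Constructed for this example: the locales the application actually ships.
AVAILABLE_LOCALES = %w[en de fr].freeze

# The shape of the bug the talk describes, kept here only as the "before":
# the requested locale is interpolated into markup unescaped, so a value of
# "<script>...</script>" becomes live script in the error page.
def unsafe_missing_locale_message(locale)
  "<p>Locale #{locale} is not available</p>"
end

# Fix 1: escape before the value reaches HTML. html_escape turns < > & " '
# into entities, so the browser renders the attacker's text instead of running it.
def safe_missing_locale_message(locale)
  "<p>Locale #{ERB::Util.html_escape(locale)} is not available</p>"
end

# Fix 2: do not accept arbitrary strings as a locale at all. Anything not
# on the whitelist falls back to the default, so the error path that did the
# reflecting is never reached for untrusted values.
def resolve_locale(requested, default: 'en')
  candidate = requested.to_s
  AVAILABLE_LOCALES.include?(candidate) ? candidate : default
end
```

Both fixes are worth having: the whitelist removes the attacker's influence over what the page says, and escaping protects the cases (logs, admin views, other error paths) where the raw value still has to be displayed.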

Summary: DON'T EVER TRUST USER INPUT

Rails Security Resources

OWASP
https://www.owasp.org/index.php/Main_Page

Rails Security Page and Mailing List
http://guides.rubyonrails.org/security.html
http://rubyonrails.org/security

OAuth RFC
http://tools.ietf.org/html/rfc6819

Books

Cory Foy
foyc@coryfoy.com
@cory_foy
blog.coryfoy.com
prettykoolapps.com
