security on rails
play

Security on Rails Jonathan Weiss, 03.09.2008 Peritor GmbH Who are - PowerPoint PPT Presentation

Feb 02, 2024 •328 likes •816 views

Security on Rails Jonathan Weiss, 03.09.2008 Peritor GmbH Who are we? Jonathan W Jonathan Weiss eiss Consultant for Peritor GmbH in Berlin Specialized in Rails, Scaling, Security, and Code Review Webistrano - Rails deployment tool

  1. Security on Rails Jonathan Weiss, 03.09.2008 Peritor GmbH

  2. Who are we? Jonathan W Jonathan Weiss eiss • Consultant for Peritor GmbH in Berlin • Specialized in Rails, Scaling, Security, and Code Review • Webistrano - Rails deployment tool • FreeBSD Rubygems and Ruby on Rails maintainer http://www.peritor.com http://blog.innerewut.de 2

  3. Agenda Follow the application stack Follow the application stack and look for and look for Setup and deployment • Information leaks Application code • Possible vulnerabilities • Security best practices Framework code Rails Application Stack 3 3

  4. Rails Application Setup 4

  5. Rails Setup 5

  6. Rails Setup - FastCGI 6

  7. Rails Setup - Mongrel 7

  8. Rails Setup – mod_rails 8

  9. Information leaks and vulnerabilities 9

  10. Information leaks Is the target application a Rails application? • Default setup for static files: /javascripts/application.js /stylesheets/application.css /images/foo.png • Pretty URLs /project/show/12 /messages/create /folder/delete/43 /users/83 10

  11. Information leaks Is the target application a Rails application? • Rails provides default templates for 404 and 500 status pages • Different Rails versions use different default pages • 422.html only present in applications generated with Rails >= 2.0 11

  12. Sample Status Pages http://www.twitter.com/500.html http://www.43people.com/500.html http://www.strongspace.com/500.html Rails >= 1.2 status 500 page 12

  13. Server Header GET http://www.43people.com Date: Wed, 03 Sep 2008 11:23:24 GMT Server: Apache/1.3.34 (Unix) mod_deflate/1.0.21 mod_fastcgi/2.4.2 mod_ssl/2.8.25 OpenSSL/0.9.7e-p1 Cache-Control: no-cache … GET https://signup.37signals.com/highrise/solo/signup/new Date: Wed, 03 Sep 2008 11:54:24 GMT Server: Mongrel 1.1.5 Status: 200 OK … Disable Server header # httpd.conf Header unset Server 13

  14. Information leaks Subversion metadata • Typically Rails applications are deployed with Capistrano / Webistrano • The default deployment will push .svn directories to the servers GET http://www.strongspace.com/.svn/entries … dir 25376 http://svn.joyent.com/joyent/deprecated_repositories/www.strongspace/trunk/public http://svn.joyent.com/joyent Prevent .svn download 2006-04-14T03:06:39.902218Z <DirectoryMatch "^/.*/\.svn/"> ErrorDocument 403 /404.html 34 Order allow,deny justin@joyent.com Deny from all … Satisfy All </DirectoryMatch> 14

  15. Cookie Session Storage Since Rails 2.0 by default the session data is stored in the cookie Base64(CGI::escape(SESSION-DATA))--HMAC(secret_key, SESSION-DATA) 15

  16. Cookie Session Storage Security implications • The user can view the session data in plain text • The HMAC can be brute-forced and arbitrary session data could be created • Replay attacks are easier as you cannot flush the client-side session Countermeasures • Don’t store important data in the session! • Use a strong password, Rails already forces at least 30 characters • Invalidate sessions after certain time on the server side … or just switch to another session storage 16

  17. Cookie Session Storage Rails default session secret Set HTTPS only cookies 17

  18. Cross-Site Scripting - XSS “The injection of HTML or client-side Scripts (e.g. JavaScript) by malicious users into web pages viewed by other users.” 18

  19. Cross-Site Scripting - XSS Cases of accepted user input • No formatting allowed search query, user name, post title, … • Formatting allowed post body, wiki page, … 19

  20. XSS - No Formatting Allowed Use the Rails `h()` helper to HTML escape user input But using `h()` everywhere is easy to forget • Use safeERB or XSS Shield plugin • safeERB will raise an exception whenever a tainted string is not escaped • Explicitly untaint string in order to not escape it http://agilewebdevelopment.com/plugins/safe_erb http://code.google.com/p/xss-shield/ 20

  21. XSS - Formatting Allowed Two approaches Use custom tags that will translate to HTML (vBulletin tags, RedCloth, Textile, …) Use HTML and remove unwanted tags and attributes • Blacklist - Rails 1.2 • Whitelist - Rails 2.0 21

  22. XSS - Custom Tags Relying on the external syntax is not really secure Filter HTML anyhow 22

  23. XSS - HTML Filtering Use the Rails `sanitize()` helper Only effective with Rails 2.0 (Whitelisting): • Filters HTML nodes and attributes • Removes protocols like “javascript:” • Handles unicode/ascii/hex hacks 23

  24. XSS - HTML Filtering sanitize(html, options = {}) http://api.rubyonrails.com/classes/ActionView/Helpers/SanitizeHelper.html 24

  25. XSS - HTML Filtering Utilize Tidy if you want to be more cautious 25

  26. Session Fixation Provide the user with a session that he shares with the attacker: 26

  27. Session Fixation Rails uses only cookie-based sessions Still, you should reset the session after a login The popular authentication plugins like restful_authentication are not doing this! 27

  28. Cross-Site Request Forgery - CSRF You visit a malicious site which has an image like this Only accepting POST does not really help 28

  29. CSRF Protection in Rails By default Rails 2.0 will check all POST requests for a session token All forms generated by Rails will supply this token 29

  30. CSRF Protection in Rails Very useful and on-by-default, but make sure that • GET requests are safe and idempotent • Session cookies are not persistent (expires-at) 30

  31. SQL Injection The user’s input is not correctly escaped before using it in SQL statements 31

  32. SQL Injection Protection in Rails Always use the escaped form If you have to manually use a user-submitted value, use `quote()` 32

  33. SQL Injection Protection in Rails Take care with Rails < 2.1 Limit and offset are only escaped in Rails >= 2.1 ( MySQL special case ) 33

  34. JavaScript Hijacking http://my.evil.site/ JSON response The JSON response will be evaled by the Browser’s JavaScript engine. With a redefined `Array()` function this data can be sent back to http://my.evil.site 34

  35. JavaScript Hijacking Prevention • Don’t put important data in JSON responses • Use unguessable URLs • Use a Browser that does not support the redefinition of Array & co, currently only FireFox 3.0 • Don’t return a straight JSON response, prefix it with garbage: The Rails JavaScript helpers don’t support prefixed JSON responses 35

  36. Mass Assignment User model 36

  37. Mass Assignment Handling in Controller A malicious user could just submit any value he wants 37

  38. Mass Assignment Use `attr_protected` and `attr_accessible` Vs. Start with `attr_protected` and migrate to `attr_accessible` because of the different default policies for new attributes. 38

  39. Rails Plugins Re-using code through plugins is very popular in Rails Plugins can have their problems too • Just because somebody wrote and published a plugin it doesn’t mean the plugin is proven to be mature, stable or secure • Popular plugins can also have security problems, e.g. restful_authentication • Don’t use svn:externals to track external plugins, if the plugin’s home page is unavailable you cannot deploy your site 39

  40. Rails Plugins How to handle plugins • Always do a code review of new plugins and look for obvious problems • Track plugin announcements • Track external sources with Piston, a wrapper around svn:externals http://piston.rubyforge.org/ 40

  41. Rails Denial of Service Attacks Rails is single-threaded and a typical setup concludes: • Limited number of Rails instances • ~8 per CPU • Even quite active sites (~500.000 PI/day ) use 10-20 CPUs • All traffic is handled by Rails 41

  42. Rails Denial of Service Attacks A denial of service attack is very easy if Rails is handling down/uploads. Just start X (= Rails instances count) simultaneous down/uploads over a throttled line. This is valid for all slow requests, e.g. • Image processing • Report generation • Mass mailing 42

  43. Rails Slow Request DoS Prevention Serve static files directly through the web server • Apache, Lighttpd, nginx (use x-sendfile for private files) • Amazon S3 Contaminate slow requests • Define several clusters for several tasks • Redirect depending on URL Put slow requests into the background • Fast request to create a background job • Query job status with Ajax 43

  44. Conclusion 44

  45. Conclusion Rails has many security features enabled by default • SQL quoting • HTML sanitization • CSRF protection The setup can be tricky to get right Rails is by no means a “web app security silver bullet” but adding security is easy and not a pain like in many other frameworks 45

  46. Questions? 46

  47. Peritor GmbH Teutonenstraße 16 14129 Berlin Telefon: +49 (0)30 69 20 09 84 0 Telefax: +49 (0)30 69 20 09 84 9 Internet: www.peritor.com E-Mail: kontakt@peritor.com 47  Peritor GmbH - Alle Rechte vorbehalten 47

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Useful Rails Concepts May 20, 2013 1 Yet another list Rails API, active_model_serializers,

Useful Rails Concepts May 20, 2013 1 Yet another list Rails API, active_model_serializers,

Useful Rails Concepts May 20, 2013 1 Yet another list Rails API, active_model_serializers, JSON API, Ember.Data, token access Rails 2, Rails 3, Rails 4 RubyMine Rails Admin, Active Admin kaminari, paging gem

548 views • 23 slides
Ruby On Rails CSCI 5449 Submitted by: Bhaskar Vaish What is Ruby on Rails ? Ruby on Rails is a

Ruby On Rails CSCI 5449 Submitted by: Bhaskar Vaish What is Ruby on Rails ? Ruby on Rails is a

Ruby On Rails CSCI 5449 Submitted by: Bhaskar Vaish What is Ruby on Rails ? Ruby on Rails is a web application framework written in Ruby, a dynamic programming language. Ruby on Rails uses the Model-View-Controller (MVC) architecture pattern

645 views • 39 slides
Rails-with-T rails: Lessons Learned Best Practices for Developing, Designing, and Maintaining

Rails-with-T rails: Lessons Learned Best Practices for Developing, Designing, and Maintaining

Rails-with-T rails: Lessons Learned Best Practices for Developing, Designing, and Maintaining Rails-with-Trails Blackstone River Bikeway, Lincoln/Cumberland, RI Source: Rails-to-Trails Conservancy 4/30/2019 The National Transportation Systems

767 views • 20 slides
Performance Rails Writing Rails applications with sustainable performance Ruby en Rails 2006

Performance Rails Writing Rails applications with sustainable performance Ruby en Rails 2006

0/58 Performance Rails Writing Rails applications with sustainable performance Ruby en Rails 2006 Stefan Kaes www.railsexpress.de skaes@gmx.net Back Close The most boring talk, ever! 1/58 No DHTML visual effects!

1.13k views • 59 slides
Lets Get on Rails Venkat Subramaniam svenkat@cs.uh.edu 1 Whats Rails? Web

Lets Get on Rails Venkat Subramaniam svenkat@cs.uh.edu 1 Whats Rails? Web

Lets Get on Rails Venkat Subramaniam svenkat@cs.uh.edu 1 Whats Rails? Web Development Frameworks Build on Ruby (so called Ruby on Rails) Agile Lightweight Heavily relies on Convention over configuration Venkat

957 views • 4 slides
Ruby On Rails James Reynolds Today Ruby on Rails introduction Run Enviornments MVC A little

Ruby On Rails James Reynolds Today Ruby on Rails introduction Run Enviornments MVC A little

Ruby On Rails James Reynolds Today Ruby on Rails introduction Run Enviornments MVC A little Ruby Exercises Installation Mac OS X 10.5 will include Rails Mac OS X 10.4 includes Ruby Most people reinstall it anyway From scratch Drag and

1.26k views • 66 slides
Do Containers Enhance Application Level Security? Benjy Portnoy, CISA, CISSP # whoami

Do Containers Enhance Application Level Security? Benjy Portnoy, CISA, CISSP # whoami

Do Containers Enhance Application Level Security? Benjy Portnoy, CISA, CISSP # whoami BlueCoat-&gt; Symantec Director, DevSecOps @AquaSecTeam I know, Ill use Ruby on Rails! * Thanks To Jim Brickman@gruntwork.io &gt; gem install rails

960 views • 53 slides
Ruby On Rails Boris Nadion astrails.com Ruby On Rails

Ruby On Rails Boris Nadion astrails.com Ruby On Rails

Ruby On Rails Boris Nadion astrails.com Ruby On Rails http://www.flickr.com/photos/jocelyndurston/ why Ruby on Rails? it is beautiful credit: http://www.flickr.com/photos/psilver/ it is almost pure english read the english, not a code

1.59k views • 121 slides
Rails Girls Rails Girls workshop workshop Sebastian Witowski 1 test 2

Rails Girls Rails Girls workshop workshop Sebastian Witowski 1 test 2

I went to a I went to a Rails Girls Rails Girls workshop workshop Sebastian Witowski 1 test 2 http://railsgirls.com/geneva 3 Our aim is to give tools and a community for women to understand technology and to build their ideas. We do

738 views • 14 slides
Beautiful Code in Rails 3 by Gregg Pollack Starting a new app New Router API ActionController

Beautiful Code in Rails 3 by Gregg Pollack Starting a new app New Router API ActionController

Beautiful Code in Rails 3 by Gregg Pollack Starting a new app New Router API ActionController - respond_with ActionMailer Syntax ActiveRelation (arel) ERB Strings Escaped Unobtrusive Javascript Starting a New App $ rails Usage: rails

593 views • 45 slides
Rails Response to COVID-19 A Joint Webinar from FTR &amp; RFC Rails Response to COVID-19 A

Rails Response to COVID-19 A Joint Webinar from FTR &amp; RFC Rails Response to COVID-19 A

Rails Response to COVID-19 A Joint Webinar from FTR &amp; RFC Rails Response to COVID-19 A Joint Webinar from FTR &amp; RFC Eric Starks Todd Tranausky David Nahass William Geiger FTR Chairman &amp; CEO FTR VP of Rail &amp; Intermodal

680 views • 40 slides
RAILS LLSAP Overview LLSAP stands for Local Library System Automation Program. An LLSAP is a

RAILS LLSAP Overview LLSAP stands for Local Library System Automation Program. An LLSAP is a

Document 10.4 RAILS Board September 28, 2011 RAILS LLSAP Overview Presentation to RAILS Board of Trustees RAILS LLSAP Overview LLSAP stands for Local Library System Automation Program. An LLSAP is a multitype library consortium working in

124 views • 11 slides
Rails Performance Michael Koziarski michael@koziarski.com Rails Performance Relax Programmers

Rails Performance Michael Koziarski michael@koziarski.com Rails Performance Relax Programmers

Rails Performance Michael Koziarski michael@koziarski.com Rails Performance Relax Programmers Love Optimisation Science Based Objective Provable Opportunity Cost Is this optimisation really the best use of your time? Two Justifications

1.73k views • 141 slides
CS 142 Section October 11, 2010 Rails Basics Controllers and Views View Helpers

CS 142 Section October 11, 2010 Rails Basics Controllers and Views View Helpers

CS 142 Section October 11, 2010 Rails Basics Controllers and Views View Helpers Layouts Partials &gt;&gt; rails &lt;dirname&gt; where &lt;dirname&gt; is your desired project folder Note: if you are using Rails 3.0,

456 views • 20 slides
Introduction to The Open Source E-commerce Platform for Rails Monday 23 May 2011 Sean Schofield

Introduction to The Open Source E-commerce Platform for Rails Monday 23 May 2011 Sean Schofield

Introduction to The Open Source E-commerce Platform for Rails Monday 23 May 2011 Sean Schofield CEO of Rails Dog Creator of Spree @uberzealot github.com/schof Monday 23 May 2011 Brian Quinn Senior Developer w/Rails Dog Longtime

944 views • 45 slides
Basic Rails Projects Professor Larry Heimann Application Design &amp; Development Information

Basic Rails Projects Professor Larry Heimann Application Design &amp; Development Information

Basic Rails Projects Professor Larry Heimann Application Design &amp; Development Information Systems Program Why Ruby on Rails? Ruby on Rails is astounding. Using it is like watching a kung-fu movie, where a dozen bad-ass frameworks

569 views • 16 slides
GUI Applications Announcements for This Lecture Prelim 2 Assignments A6 due TOMORROW

GUI Applications Announcements for This Lecture Prelim 2 Assignments A6 due TOMORROW

Lecture 24 GUI Applications Announcements for This Lecture Prelim 2 Assignments A6 due TOMORROW Difficulty was reasonable Complete it by midnight Mean : 71, Median : 74 Also, fill out survey Just 2 points below target

452 views • 27 slides
View Helper Context The system creates presentation content, which requires processing of dynamic

View Helper Context The system creates presentation content, which requires processing of dynamic

View Helper Context The system creates presentation content, which requires processing of dynamic business data. Problem Presentation tier changes occur often and are difficult to develop and maintain when business data access logic and

58 views • 3 slides
Social Login for SAS Visual Analytics Michael Dixon Please Come In! Social Login for SAS Visual

Social Login for SAS Visual Analytics Michael Dixon Please Come In! Social Login for SAS Visual

Social Login for SAS Visual Analytics Michael Dixon Please Come In! Social Login for SAS Visual Analytics Paper availa ilable at http:/ ://bit.l .ly/socia ialsas What is Social Login? From Wikipedia: So Socia ial lo login in, also

276 views • 12 slides
EMEA IT S POTLIGHT DRAFT Keynote Presentation by Michael Kagan, Chief Technology Officer,

EMEA IT S POTLIGHT DRAFT Keynote Presentation by Michael Kagan, Chief Technology Officer,

N ET E VENTS EMEA IT S POTLIGHT DRAFT Keynote Presentation by Michael Kagan, Chief Technology Officer, Mellanox Technologies Think outside the computer Michael Kagan Okay, so good morning, everyone. It's actually great to be the first speaker

315 views • 15 slides
Heterogeneous Networks Mustafa Emara, Miltiades C. Filippou, Dario Sabella 2018 IEEE Wireless

Heterogeneous Networks Mustafa Emara, Miltiades C. Filippou, Dario Sabella 2018 IEEE Wireless

MEC-aware Cell Association for 5G Heterogeneous Networks Mustafa Emara, Miltiades C. Filippou, Dario Sabella 2018 IEEE Wireless Communications and Networking Conference Workshops (WCNCW): The First Workshop on Control and management of Vertical

334 views • 17 slides
Cr Cross L Laye yer Co Control ( (CL CLC) C) ba base sed d on n SDN and nd SDR R

Cr Cross L Laye yer Co Control ( (CL CLC) C) ba base sed d on n SDN and nd SDR R

Cr Cross L Laye yer Co Control ( (CL CLC) C) ba base sed d on n SDN and nd SDR R Sokratis Barmpounakis George Tsiatsios to towards rds 5G Ul Ultra D Dense Nikolaos Maroulis Heter Het erog ogen eneou eous Ne Networ orks

861 views • 17 slides
Machine Learning as Enabler for Cross-Layer Resource Allocation: Opportunities and Challenges

Machine Learning as Enabler for Cross-Layer Resource Allocation: Opportunities and Challenges

| 1 Machine Learning as Enabler for Cross-Layer Resource Allocation: Opportunities and Challenges with Deep Reinforcement Learning Fatemeh Shah-Mohammadi and Andres Kwasinski Rochester Institute of Technology | 2 Outline Benefits for

524 views • 18 slides
A Massively Scalable Architecture for Learning Representations from Heterogeneous Graphs NVIDIA

A Massively Scalable Architecture for Learning Representations from Heterogeneous Graphs NVIDIA

A Massively Scalable Architecture for Learning Representations from Heterogeneous Graphs NVIDIA GPU Technology Conference 2019 - San Jose, CA C. Bayan Bruss Anish Khazane 1. Overview &amp; Background TODAYS TALK 2. Our Approach How to

680 views • 54 slides

More recommend