
"Somebody guessed my password, so I had to rename my dog."
- @teknoteacher
Tuesday, July 28, 15

This is an intro talk.

If you think you might get bored, please check out the Rails Security Training app instead:
https://insecurerails.herokuapp.com/

Intro to Rails Security


Nicholas Klick
Engineer, Estimize.com


Why does security matter?


Where do you start looking for security vulnerabilities?

Open Web Application Security Project (OWASP)

OWASP Top 10 (2013 edition)
A1 Injection
A2 Broken Authentication and Session Management
A3 Cross-Site Scripting (XSS)
A4 Insecure Direct Object References
A5 Security Misconfiguration
A6 Sensitive Data Exposure
A7 Missing Function Level Access Control
A8 Cross-Site Request Forgery (CSRF)
A9 Using Components with Known Vulnerabilities
A10 Unvalidated Redirects and Forwards


Injection attacks
Injection flaws allow attackers to relay malicious code through an application to another system.

These attacks include calls to the operating system via system calls, the use of external programs via shell commands, and calls to backend databases via SQL. In every case the application builds a command or query out of untrusted input, and that input ends up changing what gets executed rather than just what it operates on.

SQL Injection
The attacker must find a parameter that the web application passes through to a database.

By carefully embedding SQL syntax in the content of that parameter, the attacker can trick the web application into forwarding a query of the attacker's choosing to the database.

SQL Injection

SQL Injection Mitigation
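The SQL Injection and SQL Injection Mitigation slides carry no recoverable text, so here is an added example (not the talk's code, and not ActiveRecord's) that shows the difference in plain Ruby. In a Rails controller the vulnerable form is `User.where("name = '#{params[:name]}'")` and the safe forms are `User.where("name = ?", params[:name])` or `User.where(name: params[:name])`; the functions below build the SQL text those calls would send, with a hand-written `sanitize_sql_array` that mimics placeholder quoting for illustration only (real adapters also handle driver-specific escaping).

```ruby
# Added example (not from the talk): how interpolating a request parameter
# into a WHERE clause lets the client rewrite the query, and how binding the
# value to a placeholder prevents it. No database is involved; the functions
# return the SQL text that would be sent.

# Vulnerable: the controller does User.where("name = '#{params[:name]}'").
# The parameter becomes part of the SQL grammar, not a value inside it.
def user_lookup_vulnerable(name)
  "SELECT * FROM users WHERE name = '#{name}'"
end

# Quotes one value as a SQL string literal by doubling embedded quotes.
# This mimics the placeholder quoting ActiveRecord does for `?` (an
# assumption for illustration; real drivers also handle adapter-specific
# escaping such as backslashes on MySQL).
def quote_literal(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Replaces each `?` in the template with a quoted value, left to right,
# refusing templates whose placeholder count does not match the values.
def sanitize_sql_array(template, *values)
  unless template.count("?") == values.size
    raise ArgumentError, "expected #{template.count('?')} values, got #{values.size}"
  end
  values.each_with_object(template.dup) { |v, sql| sql.sub!("?") { quote_literal(v) } }
end

# Safe: the controller does User.where("name = ?", params[:name]) or,
# better, User.where(name: params[:name]). The payload stays inside the literal.
def user_lookup_bound(name)
  sanitize_sql_array("SELECT * FROM users WHERE name = ?", name)
end

# A classic payload: closes the literal and appends an always-true condition.
INJECTION_PAYLOAD = "' OR '1'='1"

if __FILE__ == $PROGRAM_NAME
  puts user_lookup_vulnerable(INJECTION_PAYLOAD)  # ... name = '' OR '1'='1'      returns every user
  puts user_lookup_bound(INJECTION_PAYLOAD)       # ... name = ''' OR ''1''=''1'  matches nobody
end
```

The hash form `where(name: ...)` is preferable to the `?` form because there is no string template for a future edit to get wrong; the same applies to `find_by` and friends. Anything that still takes raw SQL (`order`, `pluck` with expressions, `select`) needs the value allowlisted, not interpolated.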

Command Injection
Execution of arbitrary commands on the host operating system.
Possible when an application passes unsafe user-supplied data to a system shell. In Ruby that means system, backticks, exec, IO.popen or Open3 called with a single command string that has user input interpolated into it.

Command Injection Mitigation
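The Command Injection and Command Injection Mitigation slides have no recoverable text, so here is an added example (not the talk's code). It runs the harmless program `echo` with attacker-shaped input three ways: the vulnerable single-string form that goes through /bin/sh, the argv form that never touches a shell, and Shellwords escaping for the rare case where a shell string is unavoidable. The hostname validator and the sample payload are constructed for this example.

```ruby
require "open3"
require "shellwords"

# Added example (not from the talk). Each helper runs the same benign
# program, `echo`, with user input: first the vulnerable way, then two safe
# ways. Swap `echo` for ping, convert, git or whatever the app really shells
# out to; the mechanics are identical.

# Vulnerable: one command string, so Ruby hands it to /bin/sh, which
# interprets ; | & $( ) and backticks inside the input. This is exactly what
# `system("ping -c 1 #{params[:host]}")` in a controller does.
def run_vulnerable(input)
  out, _status = Open3.capture2("echo #{input}")
  out
end

# Safe: argv form. The program is exec'd directly with the input as one
# literal argument; no shell ever parses it.
def run_argv(input)
  out, _status = Open3.capture2("echo", input)
  out
end

# Safe when a shell string is unavoidable: Shellwords.escape quotes every
# metacharacter so the shell sees the input as a single word.
def run_escaped(input)
  out, _status = Open3.capture2("echo #{Shellwords.escape(input)}")
  out
end

# Defence in depth: validate the value against what the command actually
# needs (here a hostname) before it gets anywhere near an exec.
HOSTNAME = /\A[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*\z/i

def valid_hostname?(value)
  value.is_a?(String) && value.length <= 253 && HOSTNAME.match?(value)
end

PAYLOAD = "example.com; echo pwned"   # constructed attacker input

if __FILE__ == $PROGRAM_NAME
  print run_vulnerable(PAYLOAD)  # example.com / pwned on two lines: the second command ran
  print run_argv(PAYLOAD)        # example.com; echo pwned: just echoed back as text
end
```

Prefer the argv form everywhere; it also sidesteps quoting bugs on file names with spaces. Escaping is a fallback, and validation on top is what stops a valid-looking but unexpected argument (for example `-c 1000000`) from being passed along.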

Cross Site Scripting - XSS

Occurs whenever an application takes untrusted data and sends it to a web browser without validation and escaping.

XSS allows attackers to execute scripts in the victim's browser, which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

Source: http://www.acunetix.com/blog/articles/blind-xss/

XSS examples

Rails & XSS

Rails handles basic XSS threats. Since Rails 3, output from <%= %> in views is HTML-escaped by default; strings are tracked through ActiveSupport::SafeBuffer, and only strings explicitly marked html_safe reach the browser unescaped.*

* https://github.com/rails/rails/blob/72ffeb9fe58c46bd556a85bed5214d8f482737a5/activesupport/lib/active_support/core_ext/string/output_safety.rb

XSS Mitigation

Avoid raw, .html_safe and similar helpers wherever user input is displayed: each of them tells Rails to skip escaping for that string.

For rich text, consider a restricted markup language (Markdown, Textile) rendered to HTML on the server instead of accepting HTML from the user, and sanitize the rendered output.

Use the #sanitize helper, which lets you whitelist the allowed tags and attributes.
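To make the "escaped by default, unescaped only when marked html_safe" rule concrete, here is an added example (not the talk's code and not Rails' SafeBuffer) that reimplements the rule in a few lines and renders a comment the way an ERB view would. `ERB::Util.html_escape` from the Ruby standard library is the real escaper; the `SafeBuffer` class, the `String#html_safe` patch and the payload are constructed stand-ins for the Rails behaviour.

```ruby
require "erb"

# Added example (not from the talk, not Rails' code): a minimal stand-in for
# ActiveSupport::SafeBuffer showing why <%= %> output is safe by default and
# why raw / html_safe switch that protection off.

class SafeBuffer < String
  def initialize(str = "")
    super(str)
    @html_safe = true
  end

  def html_safe?
    @html_safe
  end

  # Appending untrusted text escapes it; appending something already marked
  # html_safe concatenates it verbatim. This is the rule Rails applies.
  def <<(other)
    if other.respond_to?(:html_safe?) && other.html_safe?
      super(other.to_s)
    else
      super(ERB::Util.html_escape(other))
    end
  end
  alias_method :concat, :<<
end

class String
  def html_safe?
    false
  end

  # Equivalent of Rails' String#html_safe: "trust me, this is HTML".
  def html_safe
    SafeBuffer.new(self)
  end
end

# What an ERB view does for <p>Comment by: <%= author %></p>.
# trusted: true is the raw(author) / author.html_safe case.
def render_comment(author, trusted: false)
  buf = SafeBuffer.new("<p>Comment by: ")
  buf << (trusted ? author.html_safe : author)
  buf << "</p>".html_safe
  buf.to_s
end

PAYLOAD = "<script>alert(document.cookie)</script>"   # constructed XSS payload

if __FILE__ == $PROGRAM_NAME
  puts render_comment(PAYLOAD)                 # tags escaped: the browser shows text
  puts render_comment(PAYLOAD, trusted: true)  # tags intact: the browser runs the script
end
```

The practical check when reviewing a view is therefore simple: every `raw`, `.html_safe` and `<%== %>` is a place where the default protection has been turned off, and each one needs a reason why the string cannot contain user input.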

Cross Site Request Forgery - CSRF

Forces an end user to execute unwanted actions on a web application in which they are currently authenticated.

How it plays out (the walkthrough from the Rails Security Guide):
1. The user browses a message board and views a post from an attacker containing an HTML image element. The element references a command in Bob's project management application rather than an image file.
2. The user's session at www.webapp.com is still alive, because they did not log out a few minutes ago.
3. By viewing the post, the browser finds the image tag and tries to load the supposed image from www.webapp.com. As explained before, it also sends along the cookie with the valid session id.
4. The web application at www.webapp.com verifies the user information in the corresponding session hash and destroys the project with ID 1. It then returns a result page, which is not what the browser expected, so no image is displayed.
5. The user does not notice the attack, but a few days later finds out that project number one is gone.

Two preconditions: the user must be logged in, and the malicious request is sent to the server with the user's valid credentials (the session cookie the browser attaches automatically).

Rails CSRF Mitigation

A cryptographically random token is bound to the user's session.

Within each form a hidden input field, authenticity_token, is injected; this field contains the token. The token is sent with the form submission and is processed by the web application.

Upon processing the POST request, the server compares the value submitted for the authenticity_token parameter to the value associated with the user's session.

If it does not match, this indicates that the request may have been forged by an attacker, and the request fails.
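The following is an added example (not the talk's code and not Rails' `protect_from_forgery` implementation) of the check the two slides above describe: a random token stored in the session, a per-form masked copy for the hidden `authenticity_token` field, and server-side verification that unmasks and compares in constant time. The masking follows the same shape Rails 4.2 and later use (a fresh one-time pad XORed onto the real token), so the token in every rendered page differs even though the session token is constant; the `CsrfProtector` class and the plain-Hash session are constructed for this example.

```ruby
require "securerandom"
require "base64"

# Added example (not from the talk, not Rails' code): a session-bound
# authenticity token with the same shape as Rails' protect_from_forgery.
# A 32-byte secret lives in the session; every form gets a freshly masked
# copy (one-time pad XOR, as Rails 4.2+ does) so the token on the page
# differs per response, and verification unmasks and compares in constant time.

class CsrfProtector
  TOKEN_BYTES = 32

  def initialize(session)
    @session = session   # a plain Hash standing in for the Rails session store
  end

  # The real token: generated once per session, never put on a page as-is.
  def real_token
    @session[:_csrf_token] ||= Base64.strict_encode64(SecureRandom.random_bytes(TOKEN_BYTES))
    Base64.strict_decode64(@session[:_csrf_token])
  end

  # Value for the hidden authenticity_token input (or the X-CSRF-Token header).
  def masked_token
    pad = SecureRandom.random_bytes(TOKEN_BYTES)
    Base64.strict_encode64(pad + xor(pad, real_token))
  end

  # true only if `submitted` unmasks to this session's real token.
  def valid_token?(submitted)
    return false unless submitted.is_a?(String)
    decoded = begin
      Base64.strict_decode64(submitted)
    rescue ArgumentError
      return false
    end
    return false unless decoded.bytesize == 2 * TOKEN_BYTES
    pad = decoded.byteslice(0, TOKEN_BYTES)
    masked = decoded.byteslice(TOKEN_BYTES, TOKEN_BYTES)
    secure_compare(xor(pad, masked), real_token)
  end

  # GET and HEAD are exempt because they must not change state; every other
  # verb needs a valid token or the request is rejected. (Rails with
  # `with: :exception` raises ActionController::InvalidAuthenticityToken;
  # the :null_session strategy empties the session instead.)
  def verify_request(http_method, params)
    return :allowed if %w[GET HEAD].include?(http_method.to_s.upcase)
    valid_token?(params["authenticity_token"]) ? :allowed : :rejected
  end

  private

  def xor(a, b)
    a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack("C*")
  end

  # Constant-time equality so timing does not reveal how many bytes matched.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

Two things the slides imply but are worth checking in a real app: that no state-changing action is reachable over GET (the walkthrough above only works because `destroy` answered a GET), and that `skip_before_action :verify_authenticity_token` is confined to endpoints that authenticate some other way than a cookie.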

Insecure Direct Object Reference
Allowing a user to access data they should not be able to access.
Caused by insufficient authorization checks.

By default, Ruby on Rails apps use a RESTful URL structure. That means paths are often intuitive and guessable: if /projects/1 is yours, /projects/2 is probably somebody else's.

To protect against a user trying to access or modify data that belongs to another user, it is important to specifically control each action, not just require a login.

Insecure Direct Object Reference Mitigation
Use a resource-based access control library, e.g. CanCan or Pundit.
Ensure all operations on a database object are authorized by the business logic of the application: scope lookups through the current user, or authorize the loaded record for this user and this action before acting on it.
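As an added example (not the talk's code, and not CanCan's or Pundit's), here is the same lookup three ways in plain Ruby: the unscoped `Project.find(params[:id])` pattern that produces the IDOR, the scoped `current_user.projects.find(params[:id])` equivalent, and a Pundit-shaped policy object that expresses rules ownership alone cannot. The users, projects and policy rules are constructed sample data for this example.

```ruby
# Added example (not from the talk): the same lookup three ways. The data is
# a constructed in-memory stand-in for database rows; the policy class
# follows Pundit's conventions but is not Pundit's code.

User    = Struct.new(:id, :name, :admin)
Project = Struct.new(:id, :owner_id, :name)

USERS = {
  1 => User.new(1, "alice", false),
  2 => User.new(2, "bob", false),
  3 => User.new(3, "ops", true),
}
PROJECTS = {
  1 => Project.new(1, 1, "alice's project"),
  2 => Project.new(2, 2, "bob's project"),
}

class NotFound < StandardError; end
class NotAuthorized < StandardError; end

# The IDOR: Project.find(params[:id]) with no owner check. Any signed-in
# user who changes /projects/1 to /projects/2 in the URL gets bob's project.
def find_project_unscoped(id)
  PROJECTS.fetch(id) { raise NotFound }
end

# Fix 1: scope the query through the owner, the equivalent of
# current_user.projects.find(params[:id]). Other users' ids are just not found.
def find_project_scoped(current_user, id)
  project = PROJECTS[id]
  raise NotFound unless project && project.owner_id == current_user.id
  project
end

# Fix 2: a policy object (Pundit style). Rules live in one place and can say
# more than "owner only", e.g. admins may view anything but destroy nothing
# they do not own.
class ProjectPolicy
  def initialize(user, project)
    @user, @project = user, project
  end

  def show?
    owner? || @user.admin
  end

  def destroy?
    owner?
  end

  private

  def owner?
    @project.owner_id == @user.id
  end
end

# Pundit's authorize(record, :action?) does essentially this.
def authorize(user, project, action)
  raise NotAuthorized unless ProjectPolicy.new(user, project).public_send(action)
  project
end

# A controller action done right: load the record, then authorize it for
# this user and this action before touching it.
def destroy_project(current_user, id)
  project = find_project_unscoped(id)
  authorize(current_user, project, :destroy?)
  "destroyed #{project.name}"
end
```

Scoping through the association is the cheapest fix and fails closed (a 404 rather than a 403, which also avoids confirming that the other id exists); the policy object earns its keep once the rules depend on roles or on the action, as in `show?` versus `destroy?` above.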

There are often overlooked areas where security is a concern.

Recommendation:
Beware of sensitive files
/config/database.yml
/config/initializers/secret_token.rb (config/secrets.yml in Rails 4.1 and later)
/db/seeds.rb
/db/development.sqlite3

Add files you wish to hide to the .gitignore file. Note that .gitignore only stops future commits: anything already pushed stays in the history, so a leaked credential has to be rotated, not just deleted.

Recommendation:
Use ENV variables
Keep credentials and the secret key base out of the repository and read them from the environment at boot.

Recommendation:
Audit your code

Brakeman
A static analysis scanner for Rails applications: it reads the source without running the app and reports SQL injection, XSS, mass assignment, unsafe redirects and similar issues.

Gemfile auditing with bundler-audit
Checks for vulnerable versions of gems in Gemfile.lock.
Checks for insecure gem sources (http://).
Allows ignoring certain advisories that have been manually worked around.
Prints advisory information.

Recommendation:
Run a vulnerability scanner

Recommendation:
Subscribe to Security Alerts
Ruby Security Announcements Google Group
Ruby on Rails Security Google Group

More Resources

Homework:
Learn about Rails Security interactively with the Rails Security Training app:
https://insecurerails.herokuapp.com/
