password, so I had to rename my dog.
- @teknoteacher
Tuesday, July 28, 15
OWASP Top 10
Injection
Security Misconfiguration
Redirection / Forwarding
Injection attacks
Injection flaws allow attackers to relay
SQL Injection
Attacker must find a parameter that the web application passes through to a database
SQL Injection
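Added example (not from the talk): the difference between interpolating a request parameter into the SQL text and passing it as a bind. The binder below is a toy stand-in for a database driver's quoting, written for this illustration; in Rails the equivalent is User.where("name = ?", params[:name]) or User.where(name: params[:name]), where the adapter does the quoting. The attacker input is constructed for the demo.

```ruby
# Quote one Ruby value as a SQL literal. Strings get single quotes and any
# embedded quote is doubled, so the value can never terminate the literal early.
def sql_literal(value)
  case value
  when Integer then value.to_s
  when String  then "'" + value.gsub("'", "''") + "'"
  when nil     then "NULL"
  else raise ArgumentError, "unsupported bind type: #{value.class}"
  end
end

# Replace each "?" placeholder in the template with the quoted bind, left to
# right. Only the template is scanned, so a "?" inside a bind value is never
# treated as a placeholder.
def bind_sql(template, binds)
  binds = binds.dup
  out = template.gsub("?") do
    raise ArgumentError, "not enough binds for #{template.inspect}" if binds.empty?
    sql_literal(binds.shift)
  end
  raise ArgumentError, "too many binds for #{template.inspect}" unless binds.empty?
  out
end

# Vulnerable pattern: the untrusted value becomes part of the SQL syntax.
def find_user_unsafe(name)
  "SELECT * FROM users WHERE name = '#{name}'"
end

# Mitigated pattern: the value travels as a bind and is quoted by the binder.
def find_user_safe(name)
  bind_sql("SELECT * FROM users WHERE name = ?", [name])
end

# Constructed attacker input: closes the string literal and appends a tautology.
SQLI_PAYLOAD = "' OR '1'='1".freeze

# Structural check used in the demo: after removing doubled quotes, does the
# WHERE clause still contain exactly one string literal (two quote characters)?
def single_literal?(sql)
  where = sql.split("WHERE", 2).last
  where.gsub("''", "").count("'") == 2
end

if __FILE__ == $PROGRAM_NAME
  puts find_user_unsafe(SQLI_PAYLOAD)   # literal closed, OR '1'='1' becomes SQL
  puts find_user_safe(SQLI_PAYLOAD)     # whole payload stays inside one literal
end
```

The unsafe query ends up with two string literals and an OR the developer never wrote; the bound query keeps the whole payload inside a single literal, which is exactly the property a parameterised query guarantees.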
Command Injection
Execution of arbitrary commands on the host operating system
Possible when an application passes unsafe user-supplied data to a system shell
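Added example (not from the talk): the same lookup written in the shell form, where Ruby hands one string to /bin/sh, and in the argv form, where each argument goes straight to the program with no shell in between. The hostname pattern and the command (echo, standing in for a real tool such as a ping or DNS utility) are choices made for this illustration; the attacker input is constructed.

```ruby
require "open3"

# Shell form: a single string with spaces is run through /bin/sh, so any
# shell metacharacters in `host` are interpreted as shell syntax.
def lookup_unsafe(host)
  out, _status = Open3.capture2("echo Looking up #{host}")
  out
end

# Argv form: multiple arguments are passed to execve directly, no shell is
# involved, and `host` reaches the program as one literal argument.
def lookup_safe(host)
  out, _status = Open3.capture2("echo", "Looking up #{host}")
  out
end

# Allowlist validation as a second layer: only RFC-1123-style hostnames
# (labels of letters, digits and hyphens, joined by dots) are accepted.
HOSTNAME = /\A[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*\z/i

def valid_hostname?(host)
  host.is_a?(String) && host.length <= 253 && HOSTNAME.match?(host)
end

# What the application should expose: validate, then use the argv form.
def lookup(host)
  raise ArgumentError, "invalid hostname: #{host.inspect}" unless valid_hostname?(host)
  lookup_safe(host)
end

# Constructed attacker input: a hostname followed by a second shell command.
CMD_PAYLOAD = "example.com; echo INJECTED".freeze

if __FILE__ == $PROGRAM_NAME
  print lookup_unsafe(CMD_PAYLOAD)   # two lines: the injected command ran
  print lookup_safe(CMD_PAYLOAD)     # one line: the payload is just text
end
```

With the shell form the injected command runs and produces its own output line; with the argv form the whole payload is printed back as a single argument, and the validation step rejects it before any command is spawned.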
Command Injection
Source: http://www.acunetix.com/blog/articles/blind-xss/
XSS examples
https://github.com/rails/rails/blob/72ffeb9fe58c46bd556a85bed5214d8f482737a5/activesupport/lib/active_support/core_ext/string/output_safety.rb
XSS Mitigation
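Added example (not from the talk, and not the code in output_safety.rb itself): a minimal stand-in for ActiveSupport::SafeBuffer showing the idea behind Rails's escape-by-default output. Anything appended to the buffer is HTML-escaped unless it has been explicitly marked safe, so a comment body from a user cannot inject markup. Escaping is done with ERB::Util.html_escape from the Ruby standard library; the helper names and the attacker input are constructed for the demo.

```ruby
require "erb"

# Stand-in for ActiveSupport::SafeBuffer: the buffer is escaped on creation,
# Strings appended to it are escaped, and only other SafeBuffers (markup the
# template author marked safe) are inserted verbatim.
class SafeBuffer
  def initialize(str = "", safe: false)
    @buf = String.new(safe ? str : ERB::Util.html_escape(str))
  end

  # Append: trusted buffers pass through, plain Strings are escaped.
  def <<(other)
    @buf << (other.is_a?(SafeBuffer) ? other.to_s : ERB::Util.html_escape(other))
    self
  end
  alias concat <<

  def to_s
    @buf.dup
  end
end

# Mirrors String#html_safe: mark a literal as markup the developer vouches for.
def html_safe(str)
  SafeBuffer.new(str, safe: true)
end

# Vulnerable: author and body are interpolated into markup unescaped.
def render_comment_unsafe(author, body)
  "<p><b>#{author}</b>: #{body}</p>"
end

# Mitigated: only the template's own tags are marked safe; user data is escaped.
def render_comment_safe(author, body)
  buf = html_safe("<p><b>")
  buf << author << html_safe("</b>: ") << body << html_safe("</p>")
  buf.to_s
end

# Constructed attacker input for the demo.
XSS_PAYLOAD = "<script>alert(1)</script>".freeze

if __FILE__ == $PROGRAM_NAME
  puts render_comment_unsafe("mallory", XSS_PAYLOAD)  # script tag reaches the page
  puts render_comment_safe("mallory", XSS_PAYLOAD)    # rendered as harmless text
end
```

The important property is that the decision to trust a string is made where the markup is written, not where the user data arrives; marking user input with html_safe would reopen the hole, which is the mistake the real SafeBuffer API makes easy to spot in review.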
1. User browses a message board and views a post from a hacker with an HTML image element. The element references a command in Bob's project management application, rather than an image file.
2. User session at www.webapp.com is still alive, because they didn't log out a few minutes ago.
3. By viewing the post, the browser finds an image tag. It tries to load the suspected image from www.webapp.com. As explained before, it will also send along the cookie with the valid session id.
4. The web application at www.webapp.com verifies the user information in the corresponding session hash and destroys the project with the ID 1. It then returns a result page which is an unexpected result for the browser, so it will not display the image.
5. User doesn't notice the attack - but a few days later they find out that project number one is gone.
Upon processing the POST request, the server compares the value submitted for the authenticity_token parameter to the value associated with the user's session.
Recommendation:
Beware of sensitive files
/config/database.yml
/config/initializers/secret_token.rb
/db/seeds.rb
/db/development.sqlite3
Recommendation:
Use ENV variables
Recommendation:
Audit your code
Brakeman
Recommendation:
Run a vulnerability scanner
Recommendation:
Subscribe to Security Alerts
Ruby Security Announcements Google Group
Ruby on Rails Security Google Group
More Resources
Homework:
Learn about Rails Security interactively
https://insecurerails.herokuapp.com/
Rails Security Training app