Rails Security - Bart ten Brinke

•

4 likes•922 views

A few slides common holes in rails applications. Finished it to late for reject conf.

RAILS SECURITY
Bart ten Brinke
movesonrails.com
bart.tenbrinke@movesonrails.com

Why I did this
After a security presentation at RailsConfEurope 2007, I
found a lot was missing, so I made this.

I didn’t ﬁnish it in time for reject conf, so I posted
it on my blog.

No, I am not australian :)

$SQL Injection (Old, but even Jason still does this wrong) Don’t do this Person.find(:first, :conditions => “name = #{name}”) Do this Person.find(:first, :conditions => [“name = ?”, name]) Or Person.find_by_name(name)$

Cross Site
Scripting (XXS)
Don’t do this in a view
<p>Name: <%= @name %></p>

Do this
<p>Name: <%= h @name %></p>

Don’t forget your link_to’s and images.
If you forget just one you are an easy victim.

Skipping security
Don’t do this
skip_before_filter :check_auth

Do this
skip_before_filter :check_auth, :only =>[:login]

Explicitly specify the actions that skip security.
Otherwise new ones will be unsecure by default

Watch out for the
TO_JSON XSS exploit

Don’t do this in a view
<script>posts = <%= @posts.to_json %></script>

This is ﬁxed in edge rails (6893)
So if you are on 1.2.3, you have a problem.
Write your own to_json for the model or mixin
the patch for ticket 8371 of rails.

$Obfuscate passwords in logging If your log looks like this Processing LoginController#create (for 127.0.0.1 at 2007-09-20 18:16:32) [POST] Session ID: 023b70d61b76c29a0e123e79c8772f4d Parameters: {quot;sign_inquot;=>quot;Sign inquot;, quot;rememberquot;=>quot;quot;, quot;actionquot;=>quot;createquot;, quot;usernamequot;=>quot;Administratorquot;, quot;controllerquot;=>quot;loginquot;, quot;passwordquot;=>quot;im1337quot;} Add this to your application.rb filter_parameter_logging quot;passwordquot;$

Are you accessable?
Don’t have everything XML or JSON
/mykillerapp/users.xml

<users>
<user>
<id type=quot;integerquot;>3</id>
<username>administrator</username>
<password-hash>
4fc62477c37b2880646336e5b753daef6ae3377b36cab20ddc27c7b933ca6ecd
</password-hash>
<password-salt>ntoRnlDr</password-salt>
</user>
</users>

Production deploy
Don’t do this
production:
adapter: mysql
database: my_killer_app
username: root
password:
host: localhost

Do this
Use decent security in a production environment.
Also strip all the stuff you don’t need from your
tags (like /test).

CONCLUSIONS

These are all examples of things I ran into during about
one year of full-time Rails development. Realize that
there are more! Greetings to everyone who came to
RailsConf Europe 2007. It was inspiring!

If you have any questions, feel free to email me.

Bart ten Brinke
movesonrails.com
bart.tenbrinke@movesonrails.com

Viewers also liked

Durga

Neelanjan Bhattacharyya

la rappresentazione dei numeri

Innovatsioonimudel

Src Voc

Cmb

Ppt For Symp - test

リーンソフトウェア

How a bunch of normal people Used Technology To Repair a Rigged Election

Natuk

Differences

2007p&o1milieu

V型人才

Viewers also liked (12)

Durga

la rappresentazione dei numeri

Innovatsioonimudel

Src Voc

Cmb

Ppt For Symp - test

リーンソフトウェア

How a bunch of normal people Used Technology To Repair a Rigged Election

Natuk

Differences

2007p&o1milieu

V型人才

Recently uploaded

Effective data discovery is crucial for maintaining compliance and mitigating risks in today's rapidly evolving privacy landscape. However, traditional manual approaches often struggle to keep pace with the growing volume and complexity of data. Join us for an insightful webinar where industry leaders from TrustArc and Privya will share their expertise on leveraging AI-powered solutions to revolutionize data discovery. You'll learn how to: - Effortlessly maintain a comprehensive, up-to-date data inventory - Harness code scanning insights to gain complete visibility into data flows leveraging the advantages of code scanning over DB scanning - Simplify compliance by leveraging Privya's integration with TrustArc - Implement proven strategies to mitigate third-party risks Our panel of experts will discuss real-world case studies and share practical strategies for overcoming common data discovery challenges. They'll also explore the latest trends and innovations in AI-driven data management, and how these technologies can help organizations stay ahead of the curve in an ever-changing privacy landscape.

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

TrustArc

A Beginners Guide to Building a RAG App Using Open Source Milvus

Zilliz

Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows. We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases. This video focuses on the deployment of external web forms using Jotform for Bonterra Impact Management. This solution can be customized to your organization’s needs and deployed to support the common use cases below: - Intake and consent - Assessments - Surveys - Applications - Program registration Interested in deploying web form automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...

Jeffrey Haguewood

How to Troubleshoot Apps for the Modern Connected Worker

ThousandEyes

Boost Fertility New Invention Ups Success Rates.pdf

sudhanshuwaghmare1

Scalable LLM APIs for AI and Generative AI Application Development Ettikan Karuppiah, Director/Technologist - NVIDIA Apidays Singapore 2024: Connecting Customers, Business and Technology (April 17 & 18, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...

apidays

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER

MadyBayot

Artificial Intelligence Chap.5 : Uncertainty

Khushali Kathiriya

2024: Domino Containers - The Next Step. News from the Domino Container commu...

Martijn de Jong

Following the popularity of "Cloud Revolution: Exploring the New Wave of Serverless Spatial Data," we're thrilled to announce this much-anticipated encore webinar. In this sequel, we'll dive deeper into the Cloud-Native realm by uncovering practical applications and FME support for these new formats, including COGs, COPC, FlatGeoBuf, GeoParquet, STAC, and ZARR. Building on the foundation laid by industry leaders Michelle Roby of Radiant Earth and Chris Holmes of Planet in the first webinar, this second part offers an in-depth look at the real-world application and behind-the-scenes dynamics of these cutting-edge formats. We will spotlight specific use-cases and workflows, showcasing their efficiency and relevance in practical scenarios. Discover the vast possibilities each format holds, highlighted through detailed discussions and demonstrations. Our expert speakers will dissect the key aspects and provide critical takeaways for effective use, ensuring attendees leave with a thorough understanding of how to apply these formats in their own projects. Elevate your understanding of how FME supports these cutting-edge technologies, enhancing your ability to manage, share, and analyze spatial data. Whether you're building on knowledge from our initial session or are new to the serverless spatial data landscape, this webinar is your gateway to mastering cloud-native formats in your workflows.

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Safe Software

AXA XL - Insurer Innovation Award Americas 2024

The Digital Insurer

Manulife - Insurer Transformation Award 2024

The Digital Insurer

MS Copilot expands with MS Graph connectors

Nanddeep Nachan

AWS Community Day CPH - Three problems of Terraform

Andrey Devyatkin

Scaling API-first – The story of a global engineering organization Ian Reasor, Senior Computer Scientist - Adobe Radu Cotescu, Senior Computer Scientist - Adobe Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

apidays

DBX First Quarter 2024 Investor Presentation

Dropbox

MINDCTI Revenue Release Quarter One 2024

MIND CTI

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Product Anonymous

Automating Google Workspace (GWS) & more with Apps Script

wesley chun

The value of a flexible API Management solution for Open Banking Steve Melan, Manager for IT Innovation and Architecture - State's and Saving's Bank of Luxembourg Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The value of a flexible API Management solution for O...

apidays

Recently uploaded (20)

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

A Beginners Guide to Building a RAG App Using Open Source Milvus

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...

How to Troubleshoot Apps for the Modern Connected Worker

Boost Fertility New Invention Ups Success Rates.pdf

Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER

Artificial Intelligence Chap.5 : Uncertainty

2024: Domino Containers - The Next Step. News from the Domino Container commu...

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

AXA XL - Insurer Innovation Award Americas 2024

Manulife - Insurer Transformation Award 2024

MS Copilot expands with MS Graph connectors

AWS Community Day CPH - Three problems of Terraform

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

DBX First Quarter 2024 Investor Presentation

MINDCTI Revenue Release Quarter One 2024

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Automating Google Workspace (GWS) & more with Apps Script

Apidays New York 2024 - The value of a flexible API Management solution for O...

Rails Security - Bart ten Brinke

1. RAILS SECURITY Bart ten Brinke movesonrails.com bart.tenbrinke@movesonrails.com

2. Why I did this After a security presentation at RailsConfEurope 2007, I found a lot was missing, so I made this. I didn’t ﬁnish it in time for reject conf, so I posted it on my blog. No, I am not australian :)

3. SQL Injection (Old, but even Jason still does this wrong) Don’t do this Person.find(:first, :conditions => “name = #{name}”) Do this Person.find(:first, :conditions => [“name = ?”, name]) Or Person.find_by_name(name)

4. Cross Site Scripting (XXS) Don’t do this in a view <p>Name: <%= @name %></p> Do this <p>Name: <%= h @name %></p> Don’t forget your link_to’s and images. If you forget just one you are an easy victim.

5. Skipping security Don’t do this skip_before_filter :check_auth Do this skip_before_filter :check_auth, :only =>[:login] Explicitly specify the actions that skip security. Otherwise new ones will be unsecure by default

6. Watch out for the TO_JSON XSS exploit Don’t do this in a view <script>posts = <%= @posts.to_json %></script> This is ﬁxed in edge rails (6893) So if you are on 1.2.3, you have a problem. Write your own to_json for the model or mixin the patch for ticket 8371 of rails.

7. Obfuscate passwords in logging If your log looks like this Processing LoginController#create (for 127.0.0.1 at 2007-09-20 18:16:32) [POST] Session ID: 023b70d61b76c29a0e123e79c8772f4d Parameters: {quot;sign_inquot;=>quot;Sign inquot;, quot;rememberquot;=>quot;quot;, quot;actionquot;=>quot;createquot;, quot;usernamequot;=>quot;Administratorquot;, quot;controllerquot;=>quot;loginquot;, quot;passwordquot;=>quot;im1337quot;} Add this to your application.rb filter_parameter_logging quot;passwordquot;

8. Are you accessable? Don’t have everything XML or JSON /mykillerapp/users.xml <users> <user> <id type=quot;integerquot;>3</id> <username>administrator</username> <password-hash> 4fc62477c37b2880646336e5b753daef6ae3377b36cab20ddc27c7b933ca6ecd </password-hash> <password-salt>ntoRnlDr</password-salt> </user> </users>

9. Production deploy Don’t do this production: adapter: mysql database: my_killer_app username: root password: host: localhost Do this Use decent security in a production environment. Also strip all the stuff you don’t need from your tags (like /test).

10. CONCLUSIONS These are all examples of things I ran into during about one year of full-time Rails development. Realize that there are more! Greetings to everyone who came to RailsConf Europe 2007. It was inspiring! If you have any questions, feel free to email me. Bart ten Brinke movesonrails.com bart.tenbrinke@movesonrails.com

Rails Security - Bart ten Brinke

Recommended

Recommended

More Related Content

Viewers also liked

Viewers also liked (12)

Recently uploaded

Recently uploaded (20)

Rails Security - Bart ten Brinke