Heiko Webers, bauland42


Ruby on Rails Security Updated
Heiko Webers

- CEO of bauland42: secure and innovative web applications, security code audits: http://www.bauland42.de http://www.werkstatt42.de
- Ruby on Rails Security Project: blog and book at http://www.rorsecurity.info
Cross-Site Scripting in Rails 3

- Before: <%= h @project.name %>
    @project.name    #=> <script>
    h(@project.name) #=> &lt;script&gt;
- After: <%= @project.name %> (escaped by default)
- Unless you want to allow HTML/JS: <%= raw @project.name %>
Cross-Site Scripting in Rails 3

- @project.name.html_safe?    #=> false
- h(@project.name).html_safe? #=> true
- link_to(...).html_safe?     #=> true
- "<br />".html_safe          #=> "<br />"
Cross-Site Scripting in Rails 3

- safe + safe = safe
- safe.concat(safe) = safe
- (safe << safe) = safe
- safe + unsafe = unsafe
- ...
Cross-Site Scripting in Rails 3

- String interpolation:
    <%= "#{link_to(@product.title, @product)}
         #{link_to(@product.title, @product)}" %>
- Deliberately unsafe: interpolation builds a plain String, so the safe flag of the helper output is lost
Cross-Site Scripting in Rails 3

- textilize() and simple_format() do not return safe strings:
    textilize('*bold*') #=> <strong>bold</strong>
- <%= textilize(@product.description) %>            (unsafe, so escaped)
- NO: <%= raw textilize(@product.description) %>
- OK: <%= sanitize textilize(@product.description) %>
Cross-Site Scripting in Rails 3

- Know what you're doing:
    <%= auto_link(@product.description) %>      # => unsafe, so escaped
    <%= raw auto_link(@product.description) %>  # => safe, but may contain HTML
- sanitize() it
Cross-Site Scripting in Rails 3

- Know what you're doing: strings aren't magic
    value = sanitize(@product.description)
    value.html_safe? #=> true
    value.gsub!(/--product_name--/, @product.title)
    value.html_safe? #=> true
    <%= value %>
  The in-place gsub! inserts @product.title unescaped, but the string still reports html_safe? true, so the template outputs it verbatim
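The html_safe? rules, the concatenation rules, the string-interpolation case and the gsub! case above, worked through in one runnable model. This is an added example written for this page, not code from the slides or from Rails: SafeBuffer below is a deliberately reduced stand-in for ActiveSupport::SafeBuffer as the slides describe its Rails 3 behaviour (later Rails versions handle in-place mutation differently), and the product name and link are constructed sample values.

```ruby
require 'cgi'

# Reduced model of Rails 3's ActiveSupport::SafeBuffer (assumption: simplified,
# not the real class). A SafeBuffer is a String that is trusted as markup.
class SafeBuffer < String
  def html_safe?
    true
  end

  # Appending escapes the other operand unless it is itself marked safe.
  def concat(other)
    super(other.html_safe? ? other : CGI.escapeHTML(other.to_s))
  end
  alias << concat

  # safe + x -> a new SafeBuffer with x appended under the same rule
  def +(other)
    dup.concat(other)
  end

  def to_s
    self
  end
end

class String
  def html_safe?
    false
  end

  # "<br />".html_safe marks a literal as trusted markup
  def html_safe
    SafeBuffer.new(self)
  end
end

# h(): escape unless the value is already safe
def h(value)
  value.html_safe? ? value : CGI.escapeHTML(value.to_s).html_safe
end

# What <%= value %> does in Rails 3: append to the (safe) output buffer,
# which escapes anything not marked safe.
def erb_output(value)
  SafeBuffer.new << value
end

# Constructed samples standing in for @project.name and link_to(...).
UNTRUSTED_NAME = '<script>alert(1)</script>'
LINK = '<a href="/products/1">Widget</a>'.html_safe   # helpers return safe buffers

def xss_rules
  {
    escaped_by_default: erb_output(UNTRUSTED_NAME).to_str,
    h_is_safe:          h(UNTRUSTED_NAME).html_safe?,
    raw_passes_through: erb_output(UNTRUSTED_NAME.html_safe).to_str,  # what raw() does
    safe_plus_safe:     (LINK + '<br />'.html_safe).to_str,
    safe_plus_unsafe:   (LINK + UNTRUSTED_NAME).to_str,                # unsafe part escaped
    interpolated_safe:  "#{LINK} #{LINK}".html_safe?                   # plain String again
  }
end

# The gsub! case: an in-place substitution keeps the html_safe? flag although
# it inserted raw input, so the template prints the title unescaped.
def gsub_keeps_flag(title)
  value = '<p>--product_name--</p>'.html_safe   # stands in for sanitize(@product.description)
  value.gsub!(/--product_name--/, title)
  [value.html_safe?, erb_output(value).to_str]
end

# The fix: escape the substituted value yourself before inserting it.
def gsub_with_escaping(title)
  value = '<p>--product_name--</p>'.html_safe
  value.gsub!(/--product_name--/, h(title))
  erb_output(value).to_str
end
```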
Cross-Site Scripting in Rails 3

- Rails helpers are becoming stable now
- There were problems with content_tag(), tag(), submit_tag(), ...
- The SafeErb plugin doesn't work yet/anymore
Cross-Site Scripting in Rails 3

- In Builder (XML) templates, << appends raw, unescaped content:
    xml.instruct!
    xml.description do
      xml << "The description: "
      xml << @product.description
    end
- Use xml.description @product.description to escape automatically
Ajax and XSS

- No automatic escaping in RJS templates:
    page.replace_html :notice, "Updated product #{@product.title}"
Sanitization

- Don't write it on your own:
    value = self.description.gsub("<script>", "")
  One pass over <scr<script>ipt> removes the inner tag and leaves <script> behind
- sanitize(), strip_tags(), ... use the HTML::Tokenizer
- Based on regular expressions
- Doesn't always render valid HTML
- Last vulnerability in Rails 2.3.5 regarding non-printable ASCII characters
Sanitization

- Use parsers like Nokogiri or Woodstox (JRuby)
- Gem sanitize: http://github.com/rgrove/sanitize
    Sanitize.clean(unsafe_html)
- Gem Loofah: http://github.com/flavorjones/loofah
    Loofah.fragment(unsafe_html).scrub!(:strip)
SQL Injection in Rails 3

- No find() anymore, no :conditions hash, ...
  But: Product.find(params[:id])
- User.order('users.id DESC').limit(20).all
- NO: Product.where("id = #{params[:id]}")
- Product.where(["id = ?", params[:id]])
- Product.where({:id => params[:id]})
SQL Injection in Rails 3

- NO: User.order(params[:order]).all
- raise "SQLi" unless ["id asc", "id desc"].include?(params[:order])
- Escape it yourself:
    Product.order(Product.connection.quote(params[:order])).all
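An added example, not from the slides: a plain-Ruby allowlist for the ORDER BY input that generalizes the two-entry include? check above to any permitted column and direction (the column map is constructed for illustration, not taken from the page). One caveat on the last bullet: connection.quote turns the input into a quoted string literal, so ORDER BY 'id desc' sorts by a constant rather than by the column; an allowlist keeps a real column reference and rejects everything else.

```ruby
# Raised when the request asks for an ordering that is not on the allowlist.
class UnsafeOrder < ArgumentError; end

# Constructed allowlist: request token -> fully qualified column. The SQL
# fragment is assembled only from these values, never from the request string.
ORDERABLE_COLUMNS = {
  'id'         => 'users.id',
  'name'       => 'users.name',
  'created_at' => 'users.created_at'
}.freeze
DIRECTIONS = %w[asc desc].freeze

# Returns an ORDER BY fragment such as "users.id DESC" for input like "id desc",
# falls back to the default for blank input and raises for anything else.
def safe_order(param, default: 'users.id DESC')
  requested = param.to_s.strip.downcase
  return default if requested.empty?
  column, direction = requested.split(/\s+/, 2)   # a trailing ", name" stays in direction and fails below
  direction ||= 'asc'
  raise UnsafeOrder, "column not allowed: #{column.inspect}" unless ORDERABLE_COLUMNS.key?(column)
  raise UnsafeOrder, "direction not allowed: #{direction.inspect}" unless DIRECTIONS.include?(direction)
  "#{ORDERABLE_COLUMNS[column]} #{direction.upcase}"
end

# Same decision as the slide's raise-unless check, as a predicate.
def order_allowed?(param)
  safe_order(param)
  true
rescue UnsafeOrder
  false
end
```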
Other changes in Rails 3

- config/initializers/session_store.rb
    Rails.application.config.session_store :cookie_store, :key => "_app_name_session"
- config/initializers/cookie_verification_secret.rb
    Rails.application.config.cookie_secret = 'somereallylongrandomkey'
- Don't keep it in your SCM
Other changes in Rails 3

- Keep a value in a signed cookie:
    cookies.signed[:discount] = "12"
- filter_parameter_logging is deprecated; use
    config.filter_parameters << :password
  in config/application.rb
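An added example, not from the slides or from Rails itself: a standalone model of what cookies.signed does with the value, following the Rails 3 verifier format as I understand it (base64 payload, two dashes, HMAC-SHA1 of the payload keyed with cookie_secret); the secret below is a constructed placeholder. It shows the check a signed cookie gives you, and why the secret must stay out of SCM: whoever holds it can produce a valid signature for any value.

```ruby
require 'openssl'

# Model of ActiveSupport::MessageVerifier as used by cookies.signed in Rails 3
# (assumption: format and algorithm reproduced from memory, simplified).
class CookieVerifier
  class InvalidSignature < StandardError; end

  def initialize(secret)
    @secret = secret
  end

  # cookies.signed[:discount] = "12"  ->  serialize, base64-encode, sign
  def generate(value)
    data = [Marshal.dump(value)].pack('m0')      # strict base64, no newlines
    "#{data}--#{digest_for(data)}"
  end

  # cookies.signed[:discount]  ->  verify the signature BEFORE Marshal.load;
  # Marshal.load must never run on bytes the client could have altered.
  def verify(signed)
    data, digest = signed.to_s.split('--', 2)
    raise InvalidSignature if data.nil? || data.empty? || digest.nil?
    raise InvalidSignature unless secure_compare(digest, digest_for(data))
    Marshal.load(data.unpack1('m0'))
  end

  private

  def digest_for(data)
    OpenSSL::HMAC.hexdigest('SHA1', @secret, data)
  end

  # Constant-time comparison, so a mismatch does not leak where it occurred.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

SECRET = 'placeholder-secret-use-a-long-random-value'   # constructed placeholder

# An untouched cookie round-trips to the original value.
def round_trip(value)
  v = CookieVerifier.new(SECRET)
  v.verify(v.generate(value))
end

# A cookie whose payload was rewritten ("12" -> "99") but whose digest was
# kept is rejected, because the digest no longer matches the payload.
def tampered_cookie_rejected?
  v = CookieVerifier.new(SECRET)
  digest = v.generate('12').split('--', 2).last
  forged = "#{[Marshal.dump('99')].pack('m0')}--#{digest}"
  v.verify(forged)
  false
rescue CookieVerifier::InvalidSignature
  true
end

# Changing the secret (e.g. after it leaked through SCM) invalidates every
# cookie signed with the old one.
def other_secret_rejected?
  signed = CookieVerifier.new(SECRET).generate('12')
  CookieVerifier.new('a-different-secret').verify(signed)
  false
rescue CookieVerifier::InvalidSignature
  true
end
```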
respond_with in Rails 3

    class ProductsController < ApplicationController
      respond_to :html, :xml, :json
      def index
        respond_with(@products = Product.all)
      end
    end
- How to define what attributes to render in XML?
    @product.to_xml(:only => [:id])
Bits and pieces

- You can deploy with an SSH key:
    ssh_options[:keys] = ["/path/to/id_rsa.ppk"]
- Secure the admin panel with a client SSL certificate
- Remove secrets from your SCM: database.yml, ssh_config.rb
Bits and pieces

- Check what they're downloading:
    File.dirname(requested_filename) == expected_directory
  otherwise a request like /download?file=../config/database.yml leaves the download directory
- validates_format_of :filename, :with => /^[a-z.]+$/i
  still accepts a value with an embedded newline, such as
    hello.txt
    <script>alert(1)</script>
  because ^ and $ match at line boundaries in Ruby
- Use \A and \z instead
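The two download checks above in plain Ruby, as an added example that is not from the slides: the line-anchored and string-anchored patterns side by side, and the directory check done on the resolved path. DOWNLOAD_DIR and the request values are constructed for the example.

```ruby
# Constructed directory that downloadable files are expected to live in.
DOWNLOAD_DIR = '/srv/app/public/downloads'

# ^ and $ match at line boundaries in Ruby, so a value with an embedded newline
# satisfies the first pattern; \A and \z anchor to the whole string.
LINE_ANCHORED   = /^[a-z.]+$/i
STRING_ANCHORED = /\A[a-z.]+\z/i

def filename_format_ok?(name, pattern = STRING_ANCHORED)
  !!(name =~ pattern)
end

# Resolve the requested name against the download directory and accept it only
# when the resolved file still sits directly in that directory. File.expand_path
# collapses "../" segments, so "../config/database.yml" resolves outside and is
# refused; so are absolute paths and names in subdirectories.
def safe_download_path(requested)
  base = File.expand_path(DOWNLOAD_DIR)
  full = File.expand_path(requested, base)
  return nil unless File.dirname(full) == base
  full
end

# Both checks together: the format check keeps odd characters (and shell or
# home-directory expansion) away from the path logic, the path check catches
# names like ".." that the character class still allows.
def resolve_download(requested)
  return nil unless filename_format_ok?(requested)
  safe_download_path(requested)
end
```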
Privilege escalation

- Unscoped lookup: any id is accepted, whether or not the user may see it
    def update
      @doc = Doc.find(params[:id])
    end
- Scope the lookup through the parent and check access in filters:
    before_filter :load_project
    before_filter :deny_if_not_full_access
    before_filter :load_doc                 # @doc = @project.docs.find(params[:id])
    before_filter :deny_if_no_access_to_doc
Authorization

    def deny_if_no_access_to_doc
      @doc.may_edit?(current_user)   # deny the request (redirect or raise) unless this is true
    end

    def may_edit?(usr)
      self.creator == usr
    end

    <%= link_to("Edit", ...) if @doc.may_edit?(current_user) %>
That's it

- Questions?
- 42@bauland42.de

Ruby on Rails Security Updated (Rails 3) at RailsWayCon
