RAILS SECURITY
Bart ten Brinke
movesonrails.com
bart.tenbrinke@movesonrails.com

Why I did this
After a security presentation at RailsConfEurope 2007, I found a lot was missing, so I made this.

I didn’t finish it in time for reject conf, so I posted it on my blog.

No, I am not Australian :)
SQL Injection
(Old, but even Jason still does this wrong)

Don’t do this
Person.find(:first, :conditions => "name = #{name}")

Do this
Person.find(:first, :conditions => ["name = ?", name])

Or
Person.find_by_name(name)
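Why the placeholder form is safe, as an added example that is not code from the slides: a stand-alone re-implementation of the quoting ActiveRecord applies to "?" placeholders, next to the interpolated form, run on a constructed name.

```ruby
# Added example, not code from the slides: a stand-alone re-implementation of
# the quoting that the "?" placeholder form gets from ActiveRecord, next to
# plain string interpolation. Values are single-quoted and embedded single
# quotes doubled, so user input can only ever end up as a string literal.

def quote_value(value)
  case value
  when Integer then value.to_s
  when nil     then "NULL"
  else "'#{value.to_s.gsub("'", "''")}'"
  end
end

# Equivalent of :conditions => ["name = ?", name]
def conditions_with_placeholders(template, *values)
  unless template.count("?") == values.size
    raise ArgumentError, "expected #{template.count('?')} values, got #{values.size}"
  end
  remaining = values.dup
  template.gsub("?") { quote_value(remaining.shift) }
end

# Equivalent of :conditions => "name = #{name}": whatever the user typed
# becomes part of the SQL text, quotes included.
def conditions_with_interpolation(name)
  "name = #{name}"
end

if __FILE__ == $0
  # Constructed input: a legitimate name that happens to contain a quote.
  name = "o'brien"
  puts conditions_with_placeholders("name = ?", name)  # name = 'o''brien'
  puts conditions_with_interpolation(name)             # name = o'brien  (the SQL is now different)
end
```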
Cross Site Scripting (XSS)
Don’t do this in a view
<p>Name: <%= @name %></p>

Do this
<p>Name: <%= h @name %></p>

Don’t forget your link_to’s and images.
If you forget just one you are an easy victim.
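The two view fragments above rendered with Ruby's stdlib ERB outside Rails, as an added example that is not from the slides; h is ERB::Util#html_escape, which is what the Rails view helper uses, and @name is a constructed value containing markup.

```ruby
require "erb"

# Added example, not code from the slides: the two view fragments rendered with
# Ruby's stdlib ERB outside Rails. h is ERB::Util#html_escape, the same helper
# Rails views use. @name is a constructed value containing markup.

UNESCAPED_VIEW = "<p>Name: <%= @name %></p>"
ESCAPED_VIEW   = "<p>Name: <%= h @name %></p>"

class NameView
  include ERB::Util   # brings h into the template's binding

  def initialize(name)
    @name = name
  end

  def render(template)
    ERB.new(template).result(binding)
  end
end

# Constructed user-supplied value: markup typed into a profile field.
NAME = "<b>Bart</b>"

def render_unescaped(name = NAME)
  NameView.new(name).render(UNESCAPED_VIEW)   # markup reaches the browser as-is
end

def render_escaped(name = NAME)
  NameView.new(name).render(ESCAPED_VIEW)     # markup is shown as literal text
end

if __FILE__ == $0
  puts render_unescaped
  puts render_escaped
end
```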
Skipping security
Don’t do this
skip_before_filter :check_auth

Do this
skip_before_filter :check_auth, :only => [:login]

Explicitly specify the actions that skip security.
Otherwise new ones will be insecure by default.
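A check for the rule above, added here and not part of the slides: a small script that flags every skip_before_filter call not limited with :only or :except, so it can be run over app/controllers before a deploy; the controller source it scans is constructed for the example.

```ruby
# Added example (not part of the slides): flag skip_before_filter calls that
# are not scoped with :only or :except. Run over app/controllers before deploy.
# The controller source below is constructed for the example.

SKIP_RE = /^\s*skip_before_filter\b(?<args>.*)$/

# Returns [[line_number, line], ...] for every unscoped skip_before_filter.
def unscoped_skips(source)
  source.each_line.with_index(1).filter_map do |line, no|
    m = SKIP_RE.match(line) or next
    next if m[:args] =~ /:(only|except)\b/   # scoped: fine
    [no, line.strip]
  end
end

CONTROLLER_SRC = <<~RUBY
  class SessionsController < ApplicationController
    skip_before_filter :check_auth                    # every action is open, including new ones
  end

  class AccountsController < ApplicationController
    skip_before_filter :check_auth, :only => [:login] # only login is open
    skip_before_filter :verify_authenticity_token, :except => [:update]
  end
RUBY

if __FILE__ == $0
  unscoped_skips(CONTROLLER_SRC).each { |no, line| puts "line #{no}: #{line}" }
end
```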
Watch out for the TO_JSON XSS exploit

Don’t do this in a view
<script>posts = <%= @posts.to_json %></script>

This is fixed in edge Rails (6893),
so if you are on 1.2.3, you have a problem.
Write your own to_json for the model, or mix in
the patch for Rails ticket 8371.
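What a fixed to_json has to do, as an added example (not the Rails patch itself): escape the HTML-significant characters inside the JSON so a record value cannot close the surrounding script block; the post record is constructed.

```ruby
require "json"

# Added example, not the Rails patch itself: what the fix for the to_json XSS
# has to do. Inside a <script> block the HTML parser looks for "</script>"
# before any JavaScript runs, so a post title containing that sequence ends
# the block early. Escaping <, > and & as \u003c, \u003e and \u0026 keeps the
# JSON valid while removing every character the HTML parser acts on.

HTML_IN_JSON = { "<" => '\u003c', ">" => '\u003e', "&" => '\u0026' }.freeze

# Like Rails 1.2.3's to_json: correct JSON, but not safe to embed in HTML.
def unsafe_to_json(obj)
  JSON.generate(obj)
end

# JSON.generate never emits a raw <, > or & outside string literals, so the
# substitution only touches string contents and the output stays valid JSON.
def html_safe_to_json(obj)
  JSON.generate(obj).gsub(/[<>&]/, HTML_IN_JSON)
end

# Constructed post record with a title that would close the script block.
POSTS = [{ "id" => 1, "title" => "a </script> b" }].freeze

def script_tag(json)
  "<script>posts = #{json}</script>"
end

# True when the embedded JSON contributes its own "</script>".
def breaks_out_of_script?(json)
  script_tag(json).scan("</script>").size > 1
end

if __FILE__ == $0
  puts script_tag(unsafe_to_json(POSTS))
  puts script_tag(html_safe_to_json(POSTS))
end
```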
Obfuscate passwords in logging

If your log looks like this
Processing LoginController#create (for 127.0.0.1 at 2007-09-20 18:16:32) [POST]
  Session ID: 023b70d61b76c29a0e123e79c8772f4d
  Parameters: {"sign_in"=>"Sign in", "remember"=>"", "action"=>"create", "username"=>"Administrator", "controller"=>"login", "password"=>"im1337"}

Add this to your application.rb
filter_parameter_logging "password"
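What filter_parameter_logging does to the params hash before it hits the log, as an added example that is not Rails' own implementation; the parameter hash is constructed from the log line above plus a nested user hash.

```ruby
# Added example (not Rails' own implementation): what filter_parameter_logging
# does to the params hash before it is written to the log. Values whose key
# contains a filtered word become [FILTERED]; nested hashes are handled too,
# so "user[password_confirmation]" style parameters are covered as well.

FILTERED = "[FILTERED]"

def filter_parameters(params, *words)
  pattern = Regexp.union(words.map { |w| Regexp.new(Regexp.escape(w), Regexp::IGNORECASE) })
  params.each_with_object({}) do |(key, value), out|
    out[key] =
      if key.to_s =~ pattern then FILTERED
      elsif value.is_a?(Hash) then filter_parameters(value, *words)
      else value
      end
  end
end

# Constructed request parameters, as in the log line on the slide.
PARAMS = {
  "sign_in" => "Sign in", "remember" => "", "action" => "create",
  "username" => "Administrator", "controller" => "login", "password" => "im1337",
  "user" => { "password_confirmation" => "im1337", "email" => "a@example.com" }
}.freeze

if __FILE__ == $0
  puts "Parameters: #{filter_parameters(PARAMS, 'password').inspect}"
end
```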
Are you accessible?
Don’t expose everything as XML or JSON
/mykillerapp/users.xml

<users>
  <user>
    <id type="integer">3</id>
    <username>administrator</username>
    <password-hash>4fc62477c37b2880646336e5b753daef6ae3377b36cab20ddc27c7b933ca6ecd</password-hash>
    <password-salt>ntoRnlDr</password-salt>
  </user>
</users>
Production deploy
Don’t do this
production:
  adapter: mysql
  database: my_killer_app
  username: root
  password:
  host: localhost

Do this
Use decent security in a production environment: no root database user and no empty password.
Also strip all the stuff you don’t need from your tags (like /test).
CONCLUSIONS

These are all examples of things I ran into during about one year of full-time Rails development. Realize that there are more! Greetings to everyone who came to RailsConf Europe 2007. It was inspiring!

If you have any questions, feel free to email me.

Bart ten Brinke
movesonrails.com
bart.tenbrinke@movesonrails.com
