Heiko Webers, bauland42


Ruby on Rails Security Updated (Rails 3) at RailsWayCon
Heiko Webers
- CEO of bauland42: secure and innovative web applications, security code audits: http://www.bauland42.de http://www.werkstatt42.de
- Ruby on Rails Security Project: blog and book at http://www.rorsecurity.info

Cross-Site Scripting in Rails 3
- Before (Rails 2, escape by hand): <%= h @project.name %>
    @project.name    #=> <script>
    h(@project.name) #=> &lt;script&gt;
- After (Rails 3 escapes by default): <%= @project.name %>
- Unless you want to allow HTML/JS: <%= raw @project.name %>

Cross-Site Scripting in Rails 3
- @project.name.html_safe?    #=> false
- h(@project.name).html_safe? #=> true
- link_to(...).html_safe?     #=> true
- "<br />".html_safe          #=> "<br />", now marked safe and output unescaped

Cross-Site Scripting in Rails 3
- safe + safe = safe
- safe.concat(safe) = safe
- (safe << safe) = safe
- safe + unsafe = unsafe (so <%= %> escapes the whole result)
  ...

Cross-Site Scripting in Rails 3
- String interpolation:
    <%= "#{link_to(@product.title, @product)} #{link_to(@product.title, @product)}" %>
- Deliberately unsafe: "#{...}" builds a plain String, so both links are escaped on output even though link_to() returned safe strings

Cross-Site Scripting in Rails 3
- textilize() and simple_format() do not return safe strings:
    textilize('*bold*') #=> <strong>bold</strong>
- <%= textilize(@product.description) %> is escaped, so the generated markup shows up as text
- NO: <%= raw textilize(@product.description) %>
- OK: <%= sanitize textilize(@product.description) %>

Cross-Site Scripting in Rails 3
- Know what you're doing
- <%= auto_link(@product.description) %>       # unsafe, so escaped
- <%= raw auto_link(@product.description) %>   # marked safe, but the description may contain HTML
- sanitize() it

Cross-Site Scripting in Rails 3
- Know what you're doing
- Strings aren't magic: mutating a safe string keeps it marked safe
    value = sanitize(@product.description)
    value.html_safe? #=> true
    value.gsub!(/--product_name--/, @product.title)
    value.html_safe? #=> true, although @product.title went in unescaped
    <%= value %>

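The html_safe rules from the slides above, modelled in plain Ruby as an added example. This is not Rails' or the author's code: `String#html_safe?` and the `SafeBuffer` class here stand in for Ruby's String and ActiveSupport::SafeBuffer, and `h()`, `raw()` and `render()` stand in for ERB::Util.h, `raw()` and the `<%= %>` output step. The attacker string and the link are constructed inputs; for the `safe << unsafe` case, which the slide leaves open, the model follows the behaviour Rails 3.0 shipped with and escapes the argument on append.

```ruby
# Minimal model of the Rails 3 html_safe rules (slides 3 to 9). Added example for
# this page, not Rails code. Escaping covers & < > " ' like ERB::Util.html_escape.

ESCAPES = { '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
            '"' => '&quot;', "'" => '&#39;' }.freeze

class String
  def html_safe?; false; end                  # a plain String is never trusted
  def html_safe;  SafeBuffer.new(self); end   # "<br />".html_safe: trust it as is
end

class SafeBuffer < String
  def html_safe?; true; end

  # Slide 5: safe + safe = safe, safe + unsafe = unsafe (a plain String, escaped later).
  def +(other)
    joined = super                            # String#+ returns a plain String
    other.html_safe? ? SafeBuffer.new(joined) : joined
  end

  # safe.concat(safe) = safe. For an unsafe argument (the case the slide leaves open)
  # this follows Rails 3.0 as shipped: the argument is escaped before it is appended.
  def concat(other)
    super(other.html_safe? ? other : h(other))
  end
  alias << concat
end

# ERB::Util.h: escape untrusted input, pass trusted input through unchanged.
def h(value)
  return value if value.is_a?(SafeBuffer)
  SafeBuffer.new(value.to_s.gsub(/[&<>"']/, ESCAPES))
end

def raw(value)            # raw(): mark as trusted without looking at it
  value.to_s.html_safe
end

def render(value)         # what <%= value %> does in Rails 3
  value.is_a?(SafeBuffer) ? value : h(value)
end

TAINTED = '<script>alert(1)</script>'.freeze              # constructed attacker input
LINK    = '<a href="/products/1">Product</a>'.html_safe   # stands in for link_to(...)

# Slide 3: <%= @project.name %> escapes, <%= raw @project.name %> does not.
def output_examples
  { escaped: render(TAINTED), raw: render(raw(TAINTED)) }
end

# Slides 5 and 6: how the safe flag travels through +, << and "#{}".
def propagation_examples
  {
    safe_plus_safe:   (LINK + LINK).html_safe?,     # true
    safe_plus_unsafe: (LINK + TAINTED).html_safe?,  # false, so render() will escape it
    concat_unsafe:    (LINK.dup << TAINTED),        # the unsafe part is escaped on append
    interpolation:    "#{LINK}".html_safe?          # false: "#{}" builds a plain String
  }
end

# Slide 9: gsub! mutates the buffer in place and keeps html_safe? true, so whatever
# @product.title contains lands in the page unescaped.
def gsub_footgun(title)
  value = 'Name: --product_name--'.html_safe       # stands in for sanitize(...) output
  value.gsub!(/--product_name--/, title)           # String#gsub! neither checks nor escapes
  [value.html_safe?, render(value)]
end

# Build the string through the SafeBuffer API instead, so the title gets escaped.
def gsub_fixed(title)
  value = 'Name: '.html_safe << title
  [value.html_safe?, render(value)]
end

if __FILE__ == $PROGRAM_NAME
  puts output_examples, propagation_examples, gsub_footgun(TAINTED), gsub_fixed(TAINTED)
end
```

The point of `gsub_footgun` is that the safe flag lives on the object, not on its contents: any String method that mutates in place (`gsub!`, `sub!`, `insert`, `[]=`) changes the contents without touching the flag. Compose safe output from helpers and `<<`, and treat a bang method on a safe buffer as a review finding.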
Cross-Site Scripting in Rails 3
- The Rails helpers are becoming stable now
- There were problems with content_tag(), tag(), submit_tag(), ...
- The SafeErb plugin doesn't work yet/anymore

Cross-Site Scripting in Rails 3
- Builder (XML) templates do not escape what you append with <<:
    xml.instruct!
    xml.description do
      xml << "The description: "
      xml << @product.description
    end
- Use xml.description @product.description to escape automatically

Ajax and XSS
- No automatic escaping in RJS templates, so escape interpolated values yourself:
    page.replace_html :notice, "Updated product #{@product.title}"

Sanitization
- Don't write it on your own:
    value = self.description.gsub("<script>", "")
  Nesting defeats it: <scr<script>ipt> turns into <script> once the inner tag is removed
- sanitize(), strip_tags(), ... use the HTML::Tokenizer
- Based on regular expressions
- Doesn't always render valid HTML
- Last vulnerability in Rails 2.3.5 regarding non-printable ASCII characters

Sanitization
- Use real parsers like Nokogiri or Woodstox (JRuby)
- Gem sanitize: http://github.com/rgrove/sanitize
    Sanitize.clean(unsafe_html)
- Gem Loofah: http://github.com/flavorjones/loofah
    Loofah.fragment(unsafe_html).scrub!(:strip)

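A small regression harness for the two sanitization slides above, added here as an example; it is not from the slides or from the sanitize/Loofah gems. It runs a sanitizer over constructed bypass payloads and reports which ones still contain an executable construct. The home-grown gsub filter from the previous slide is the first candidate, a looping variant the second; the payload list and the DANGEROUS oracle are this example's own assumptions, tuned to these payloads and no substitute for a sanitizer.

```ruby
# Sanitizer regression harness. Added example for this page; the payloads are
# constructed and the DANGEROUS pattern is a test oracle, not a sanitizer.

PAYLOADS = [
  '<script>alert(1)</script>',
  '<scr<script>ipt>alert(1)</script>',      # the nesting trick from the slide
  '<SCRIPT>alert(1)</SCRIPT>',              # different case
  '<script >alert(1)</script>',             # whitespace before >
  '<img src=x onerror=alert(1)>',           # no script tag at all
  '<a href="javascript:alert(1)">x</a>',    # script in a URL attribute
].freeze

# The home-grown filter from the slide, as written there.
def naive_filter(html)
  html.gsub('<script>', '')
end

# The usual "improvement": strip case-insensitively until nothing changes. It survives
# the nesting trick but is still a denylist and still misses everything else.
def looping_filter(html)
  loop do
    stripped = html.gsub(%r{</?script>}i, '')
    return html if stripped == html
    html = stripped
  end
end

# Constructs a sanitizer must never emit. Deliberately crude: this is the oracle for the
# harness and is tuned to the payloads above.
DANGEROUS = /<script|\bon\w+\s*=|javascript:/i

# Returns the payloads whose filtered output still matches DANGEROUS.
def survivors(filter)
  PAYLOADS.select { |payload| filter.call(payload) =~ DANGEROUS }
end

if __FILE__ == $PROGRAM_NAME
  puts "naive:   #{survivors(method(:naive_filter)).size} of #{PAYLOADS.size} survive"
  puts "looping: #{survivors(method(:looping_filter)).size} of #{PAYLOADS.size} survive"
end
```

To vet a real sanitizer, pass it the same way, for instance `survivors(->(html) { Loofah.fragment(html).scrub!(:strip).to_s })`, and keep adding every payload that ever got through in production to PAYLOADS so it cannot come back.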
SQL Injection in Rails 3
- The old find(:all, :conditions => ...) style gives way to the relation API, ...
  But find by id stays: Product.find(params[:id])
- User.order('users.id DESC').limit(20).all
- NO: Product.where("id = #{params[:id]}")
- Product.where(["id = ?", params[:id]])   # placeholder, the value is quoted by the adapter
- Product.where({:id => params[:id]})      # hash condition, same

SQL Injection in Rails 3
- NO: User.order(params[:order]).all (order() takes raw SQL, so this is injectable)
- Allow-list the input:
    raise "SQLi" unless ["id asc", "id desc"].include?(params[:order])
- Escape it yourself:
    Product.order(Product.connection.quote(params[:order])).all
  Caveat: quote() yields a string literal ('id asc'), which the database treats as a constant rather than a column (PostgreSQL rejects it outright), so this is injection-safe but orders nothing; prefer the allow-list.

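An allow-list for ORDER BY input, added here as an example of the check the slide sketches with `["id asc", "id desc"]`; it is not from the slides. It goes a little beyond the slide: column and direction are validated separately, several comma-separated clauses are accepted, and anything not on the list yields nil instead of reaching the database. The table and column names are assumptions for a products table.

```ruby
# ORDER BY allow-list. Added example for this page; column names are assumed.

ORDERABLE_COLUMNS = %w[id title price created_at].freeze
DIRECTIONS        = %w[asc desc].freeze

# "title desc, id" -> "products.title DESC, products.id ASC"; nil when any clause is
# not on the list. Prefixing the table keeps the clause unambiguous after joins.
def safe_order(param, table: 'products', default: 'id asc')
  input = param.to_s.strip
  input = default if input.empty?
  clauses = input.split(',').map do |segment|
    column, direction = segment.strip.downcase.split(/\s+/, 2)
    direction ||= 'asc'
    return nil unless ORDERABLE_COLUMNS.include?(column) && DIRECTIONS.include?(direction)
    "#{table}.#{column} #{direction.upcase}"
  end
  clauses.join(', ')
end

# Controller use (assumed, not on the slides): fail loudly instead of falling back,
# so a probing request shows up in the logs.
#   order = safe_order(params[:order]) or return head(:bad_request)
#   @products = Product.order(order).limit(20)

if __FILE__ == $PROGRAM_NAME
  ['title desc', 'id; DROP TABLE users', 'price asc, id desc', 'password'].each do |o|
    puts "#{o.inspect} => #{safe_order(o).inspect}"
  end
end
```

The output is assembled only from list entries and the table name, never from the request, which is what makes it safe to hand to `order()`; `quote()` cannot achieve that because a quoted string is a value, not an identifier.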
Other changes in Rails 3
- config/initializers/session_store.rb:
    Rails.application.config.session_store :cookie_store, :key => "_app_name_session"
- config/initializers/cookie_verification_secret.rb:
    Rails.application.config.cookie_secret = 'somereallylongrandomkey'
- Don't keep the secret in your SCM
  The cookie store signs the session but does not encrypt it: the user can read whatever you put in the session, and anyone holding the secret can forge it

Other changes in Rails 3
- Keep a value in a signed cookie (readable by the client, but not changeable without the secret):
    cookies.signed[:discount] = "12"
- filter_parameter_logging is deprecated; instead use
    config.filter_parameters << :password
  in config/application.rb

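What `cookies.signed` buys you, and why the cookie secret matters, as an added example in plain Ruby. It is not Rails code: the format (base64 payload, `--`, HMAC-SHA256 hex digest) is this example's own, chosen to mirror the shape of ActiveSupport::MessageVerifier rather than its exact encoding. SECRET falls back to a constructed test value when the environment variable is unset; a real secret lives outside the repository, as the slides say.

```ruby
# Signed-cookie model. Added example for this page, not ActiveSupport::MessageVerifier.
require 'openssl'

SECRET = ENV.fetch('COOKIE_SECRET') { 'constructed-test-secret-do-not-ship-0123456789' }

# value -> "base64(value)--hmac"
def sign_cookie(value, secret = SECRET)
  payload = [value.to_s].pack('m0')               # strict base64, no newlines
  "#{payload}--#{OpenSSL::HMAC.hexdigest('SHA256', secret, payload)}"
end

# Byte-by-byte comparison that does not stop at the first mismatch, so the time taken
# does not leak how much of a forged digest is correct.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# cookie -> original value, or nil when the digest is wrong or the cookie is malformed.
def verify_cookie(cookie, secret = SECRET)
  payload, digest = cookie.to_s.split('--', 2)
  return nil if payload.nil? || digest.nil?
  return nil unless secure_compare(OpenSSL::HMAC.hexdigest('SHA256', secret, payload), digest)
  payload.unpack1('m0')
rescue ArgumentError                             # unpack1('m0') on garbage
  nil
end

# A signed cookie stops tampering, not reading: anyone can base64-decode the payload.
def readable_without_secret(cookie)
  cookie.split('--', 2).first.unpack1('m0')
end

if __FILE__ == $PROGRAM_NAME
  cookie = sign_cookie('12')                                   # cookies.signed[:discount] = "12"
  puts cookie
  puts verify_cookie(cookie).inspect                           # "12"
  puts verify_cookie(cookie.sub('MTI=', 'OTk=')).inspect       # nil: payload changed to "99"
  puts verify_cookie(cookie, 'another-secret').inspect         # nil: different key
  puts readable_without_secret(cookie)                         # 12
end
```

Two consequences follow for the discount example on the slide: the customer can see the discount value, and a leaked `cookie_secret` lets anyone mint a `discount` cookie of their choosing, so rotate the secret if the repository it was once committed to was ever shared.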
respond_with in Rails 3
    class ProductsController < ApplicationController
      respond_to :html, :xml, :json

      def index
        respond_with(@products = Product.all)
      end
    end
- How to define which attributes to render in XML? respond_with serializes every attribute unless you restrict it:
    @product.to_xml(:only => [:id])

Bits and pieces
- You can deploy with an SSH key (a Capistrano setting; Net::SSH expects an OpenSSH-format key file, not PuTTY's .ppk):
    ssh_options[:keys] = ["/path/to/id_rsa.ppk"]
- Secure the admin panel with a client SSL certificate
- Remove secrets from your SCM: database.yml, ssh_config.rb

Bits and pieces
- Check what they're downloading:
    File.dirname(requested_filename) == expected_directory
  otherwise /download?file=../config/database.yml hands out your database credentials
- validates_format_of :filename, :with => /^[a-z.]+$/i
  still accepts "hello.txt\n<script>alert(1)</script>", because ^ and $ match at line boundaries in Ruby
- Use \A and \z instead

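The two checks from the slide above made concrete, as an added example that is not from the slides. The download root is an assumed path and the containment check is purely lexical, so it runs without the files existing; on a real tree, resolve the final path with `File.realpath` as well so a symlink inside the root cannot point outside it.

```ruby
# Download path and filename checks. Added example for this page; the root is assumed.

DOWNLOAD_ROOT = '/srv/app/public/downloads'.freeze   # assumed location

# Resolves the requested name against the root and accepts it only if the result is
# still below the root. File.absolute_path collapses ".." and, unlike File.expand_path,
# does not expand "~user", which would be another way out of the directory.
def safe_download_path(requested, root = DOWNLOAD_ROOT)
  return nil if requested.nil? || requested.empty?
  full = File.absolute_path(requested, root)
  full.start_with?(root + File::SEPARATOR) ? full : nil
end

# Ruby's ^ and $ match at line boundaries, so the slide's pattern accepts a name with a
# newline in it; \A and \z anchor to the whole string.
LINE_ANCHORED   = /^[a-z.]+$/i
STRING_ANCHORED = /\A[a-z.]+\z/i

def filename_valid?(name, pattern = STRING_ANCHORED)
  pattern.match?(name.to_s)
end

# Both checks together: the regex rejects odd characters and newlines, the path check
# rejects ".." (which [a-z.]+ on its own would accept).
def download_path(param)
  return nil unless filename_valid?(param)
  safe_download_path(param)
end

if __FILE__ == $PROGRAM_NAME
  ['hello.txt', '../config/database.yml', '..', "hello.txt\n<script>alert(1)</script>"].each do |f|
    puts "#{f.inspect} => #{download_path(f).inspect}"
  end
end
```

Note that the two checks catch different things: `..` passes the regex and fails the path check, while the newline payload passes `File.absolute_path` (it is just an odd file name) and fails the regex. Keep both.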
Privilege escalation
- Vulnerable: any doc id is accepted, whatever project it belongs to and whoever asks
    def update
      @doc = Doc.find(params[:id])
    end
- Fixed: load through the project and check access at every step
    before_filter :load_project
    before_filter :deny_if_not_full_access
    before_filter :load_doc              # @doc = @project.docs.find(params[:id])
    before_filter :deny_if_no_access_to_doc

Authorization
    def deny_if_no_access_to_doc
      @doc.may_edit?(current_user)
    end
  In Rails 3 a filter that merely returns false no longer halts the chain (it did in Rails 2); the filter has to render or redirect, for instance a 403 response, when may_edit? is false

    def may_edit?(usr)
      self.creator == usr
    end

- Hide the link in the view as well, but never rely on that alone:
    <%= link_to("Edit", ...) if @doc.may_edit?(current_user) %>

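The two slides above modelled in plain Ruby rather than ActiveRecord, as an added example that is not the author's code. `Doc.find` is the global lookup from the vulnerable update action; `Project#docs.find` is the association-scoped one, the equivalent of ActiveRecord adding `WHERE project_id = ?`. Users, projects and ids are constructed; `NotFound` stands in for ActiveRecord::RecordNotFound and `Forbidden` for whatever the deny_if_* filters render.

```ruby
# Scoped lookup and authorization model for slides 22 and 23. Added example for this
# page; all records are constructed in memory.

NotFound  = Class.new(StandardError)
Forbidden = Class.new(StandardError)

User = Struct.new(:name)

Doc = Struct.new(:id, :project, :creator) do
  def may_edit?(usr)            # slide 23: only the creator may edit
    creator == usr
  end
end

DOCS = {}                        # constructed "docs table", keyed by id

def Doc.find(id)                 # global lookup: any doc from any project
  DOCS.fetch(id) { raise NotFound, "doc #{id}" }
end

class DocScope                   # project.docs: only this project's docs are visible
  def initialize(docs); @docs = docs; end
  def find(id)
    @docs.find { |d| d.id == id } or raise NotFound, "doc #{id} in this project"
  end
end

class Project
  DB = {}                        # constructed "projects table", keyed by name
  attr_reader :name, :members
  def initialize(name, members)
    @name, @members, @docs = name, members, []
    DB[name] = self
  end
  def self.find(name)
    DB.fetch(name) { raise NotFound, "project #{name}" }
  end
  def create_doc(id, creator)
    Doc.new(id, self, creator).tap { |d| @docs << d; DOCS[id] = d }
  end
  def docs
    DocScope.new(@docs)
  end
end

# Slide 22, vulnerable: the id is the only input and nothing is checked.
def update_unscoped(_current_user, params)
  Doc.find(params[:id])
end

# Slide 22, fixed: the filter chain load_project, deny_if_not_full_access, load_doc,
# deny_if_no_access_to_doc, written out in order.
def update_scoped(current_user, params)
  project = Project.find(params[:project_id])                       # load_project
  raise Forbidden unless project.members.include?(current_user)    # deny_if_not_full_access
  doc = project.docs.find(params[:id])                              # load_doc
  raise Forbidden unless doc.may_edit?(current_user)                # deny_if_no_access_to_doc
  doc
end

def outcome
  yield
  :ok
rescue NotFound
  :not_found
rescue Forbidden
  :forbidden
end

# Two projects: alice and bob in A (doc 1 created by alice), mallory alone in B (doc 2).
def scenario
  DOCS.clear
  Project::DB.clear
  alice, bob, mallory = %w[alice bob mallory].map { |n| User.new(n) }
  Project.new('A', [alice, bob]).create_doc(1, alice)
  Project.new('B', [mallory]).create_doc(2, mallory)
  {
    mallory_unscoped:      outcome { update_unscoped(mallory, id: 1) },                  # :ok, escalation
    mallory_scoped:        outcome { update_scoped(mallory, project_id: 'B', id: 1) },   # :not_found
    mallory_wrong_project: outcome { update_scoped(mallory, project_id: 'A', id: 1) },   # :forbidden
    bob_not_creator:       outcome { update_scoped(bob, project_id: 'A', id: 1) },       # :forbidden
    alice_creator:         outcome { update_scoped(alice, project_id: 'A', id: 1) }      # :ok
  }
end

if __FILE__ == $PROGRAM_NAME
  scenario.each { |k, v| puts "#{k}: #{v}" }
end
```

The scoped lookup answers "not found" rather than "forbidden" when mallory asks for doc 1 through her own project, which is the better answer: it does not confirm that the id exists somewhere else.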
That's it
- Questions?
- 42@bauland42.de
