OWASP Top 10 and Securing Rails - Sean Todd - PayNearMe.com
4 likes•1,765 views
The document discusses security vulnerabilities in web applications, particularly focusing on the OWASP Top 10 list of vulnerabilities for 2013. It highlights specific examples of issues such as injection, cross-site scripting, and insecure direct object references, as well as solutions to mitigate these risks. Additionally, it mentions resources for analyzing code security, like the Brakeman gem and Code Climate.
![Injection
Most obvious example
User.where("email LIKE '%#{params[:email]}%'")
Less obvious example
User.find(params[:id]).update_attributes(params[:user])](https://image.slidesharecdn.com/owaspmeetup1210-131211002648-phpapp01/85/OWASP-Top-10-and-Securing-Rails-Sean-Todd-PayNearMe-com-10-320.jpg)
![Injection
Solution is to use scopes or Squeel
Turn this bad code
User.where("email LIKE '%#{params[:email]}%'")
into this sanitized code
User.where{email =~ “%#{params[:email]}%”}](https://image.slidesharecdn.com/owaspmeetup1210-131211002648-phpapp01/85/OWASP-Top-10-and-Securing-Rails-Sean-Todd-PayNearMe-com-11-320.jpg)
![Injection
This update allows them to get the admin role
User.update_attributes(params[:user])
This does not
good_params = params[:user].slice(:name, :email)
User.update_attributes(good_params)](https://image.slidesharecdn.com/owaspmeetup1210-131211002648-phpapp01/85/OWASP-Top-10-and-Securing-Rails-Sean-Todd-PayNearMe-com-12-320.jpg)
![Insecure Direct Object Reference
Using file references
send_file “docs/#{params[:id]}.pdf”
Using a UNIX command
`rake gen:test_data[#{params[:test_id]}]`](https://image.slidesharecdn.com/owaspmeetup1210-131211002648-phpapp01/85/OWASP-Top-10-and-Securing-Rails-Sean-Todd-PayNearMe-com-17-320.jpg)
![Unvalidated Redirects
render params[:page]](https://image.slidesharecdn.com/owaspmeetup1210-131211002648-phpapp01/85/OWASP-Top-10-and-Securing-Rails-Sean-Todd-PayNearMe-com-25-320.jpg)
![Unvalidated Redirects
Dynamic Rendering
case params[:page]
when ‘show’
render :show
when ‘edit’
render :edit
else
render :index
end](https://image.slidesharecdn.com/owaspmeetup1210-131211002648-phpapp01/85/OWASP-Top-10-and-Securing-Rails-Sean-Todd-PayNearMe-com-27-320.jpg)
OWASP Top 10 and Securing Rails - Sean Todd - PayNearMe.com
- 1. OWASP and Rails Security RoR Meetup, December 10, 2013
- 2. What could happen if your source code was leaked?
- 3. MongoDB Hacked • CI and Static Analysis companies used them to store GitHub Keys • Those GitHub keys could have granted the attacker access to your source code
- 4. Prezi Source Leaked • One of their developers inadvertently posted his repo credentials • White hat hacker was able to grab all of their source without their knowledge
- 6. OWASP Background • Founded in 2001 • Non-profit organization • Produces lots of material on how to secure web applications • Top 10 is an ongoing list of the most important web app vulnerabilities
- 7. OWASP Top 10, 2013 1. Injection 6. Sensitive Data Exposure 2. Broken Authentication 7. Missing Function Level Access Control 3. Cross Site Scripting 8. CSRF 4. Insecure Direct Object References 9. Vulnerable Components 5. Security Misconfiguration 10.Unvalidated Forward/Redirect
- 8. OWASP Top 10, 2013 1. Injection 6. Sensitive Data Exposure 2. Broken Authentication 7. Missing Function Level Access Control 3. Cross Site Scripting 8. CSRF 4. Insecure Direct Object References 9. Vulnerable Components 5. Security Misconfiguration 10.Unvalidated Redirects
- 9. Injection Allowing non-sanitized user data into persistent data queries.
- 10. Injection Most obvious example User.where("email LIKE '%#{params[:email]}%'") Less obvious example User.find(params[:id]).update_attributes(params[:user])
- 11. Injection Solution is to use scopes or Squeel Turn this bad code User.where("email LIKE '%#{params[:email]}%'") into this sanitized code User.where{email =~ “%#{params[:email]}%”}
- 12. Injection This update allows them to get the admin role User.update_attributes(params[:user]) This does not good_params = params[:user].slice(:name, :email) User.update_attributes(good_params)
- 13. Cross Site Scripting Allowing user injected Javascript to run in your site.
- 14. Cross Site Scripting Most obvious example %[email protected]_safe Less obvious example %p=link_to @user.name.html_safe, @user.homepage
- 15. Cross Site Scripting Solution #1 Don’t use html_safe Solution #2 Use a sanitizer gem like rgrove/sanitize
- 16. Insecure Direct Object Reference Allowing a user to access data they should not access.
- 17. Insecure Direct Object Reference Using file references send_file “docs/#{params[:id]}.pdf” Using a UNIX command `rake gen:test_data[#{params[:test_id]}]`
- 18. Insecure Direct Object Reference Use whitelists for file references Use thoughtbot/cocaine for UNIX commands Or just don’t use UNIX commands
- 19. Missing Authorization Every secure page needs to authorize the user against the used data
- 20. Missing Authorization ! 1.Non-admin user can read, but not update an order 2.They navigate to the order show page • /site/123/order/456 3. They hand edit the url to this • /site/123/order/456/edit With authorization they should not see that page
- 21. Cross Site Request Forgery Accepting potentially dangerous data from other domains
- 22. Cross Site Request Forgery Logs in Admin Navigates to Your site Via hidden image Posts back to Malicious site Your site
- 23. Cross Site Request Forgery Solution Part 1 Disable posting from other domains. See rhk/rack_protection. Solution Part 2 Always use POST for editing data
- 24. Unvalidated Redirects Redirecting a user to an unvalidated URL
- 27. Unvalidated Redirects Dynamic Rendering case params[:page] when ‘show’ render :show when ‘edit’ render :edit else render :index end
- 28. Unvalidated Redirects Dynamic Redirect Either avoid doing it or use an interstitial page.
- 29. Never trust user input!
- 30. How many vulnerabilities in your code?
- 31. Tools to Answer That • Brakeman gem • • good to get started Code Climate • good for ongoing analysis • Coupon! IFU15MA2
- 32. Demo Time