![–
@users = User.find(:all, :conditions =>
"name like #{params[:name]}")
–
input_name = params[:name]
@users = User.where(" name like
#{input_name}")](https://image.slidesharecdn.com/rubyonrailssecurityguidekjg1-160814182252/85/Ruby-on-rails-security-guide-10-320.jpg)
![–
params[:name] = "name=') OR admin = 't' --"
User.find(:first, :conditions => "name =
'#{params[:name]}'")
SELECT "users".* FROM "users" WHERE (name = 'name=') OR
admin = 't' --') LIMIT 1
Result
#<User id: 1650, name: "Admin", password: "supersecretpass", age: 51, admin: true, created_at: "2013-02-
11 17:03:47", updated_at: "2013-02-11 17:03:47">](https://image.slidesharecdn.com/rubyonrailssecurityguidekjg1-160814182252/85/Ruby-on-rails-security-guide-11-320.jpg)
![–
•
•
•
•
•
•
params[:column] = "age) FROM
users WHERE name = 'Bob';"
Order.calculate(:sum,
params[:column])
SELECT SUM(age) FROM users WHERE name
= 'Bob';) AS sum_id FROM "orders"
Result: 27](https://image.slidesharecdn.com/rubyonrailssecurityguidekjg1-160814182252/85/Ruby-on-rails-security-guide-12-320.jpg)
![–
•
params[:admin] = "') OR 1=1--'"
User.destroy_all(["id = ? AND admin =
'#{params[:admin]}", params[:id]])](https://image.slidesharecdn.com/rubyonrailssecurityguidekjg1-160814182252/85/Ruby-on-rails-security-guide-13-320.jpg)
![–
•
params[:admin] = "') OR 1=1--'"
User.destroy_all(["id = ? AND admin =
'#{params[:admin]}", params[:id]])](https://image.slidesharecdn.com/rubyonrailssecurityguidekjg1-160814182252/85/Ruby-on-rails-security-guide-14-320.jpg)
![–
params[:column] = "* FROM users WHERE admin = 't' ;"
User.first(:conditions => { :name => params[:name], :password =>
params[:password] }, :select => params[:column])
SELECT * FROM users WHERE admin = 't' ; FROM "users" WHERE "users"."name" IS
NULL AND "users"."password" IS NULL LIMIT 1
Result
#<User id: 1716, name: "Admin", password: "supersecretpass", age: 68, admin: true, created_at:
"2013-02-11 17:03:47", updated_at: "2013-02-11 17:03:47">](https://image.slidesharecdn.com/rubyonrailssecurityguidekjg1-160814182252/85/Ruby-on-rails-security-guide-15-320.jpg)
Ruby on rails security guide
- 2. AGENDA
- 3. – – Injection Broken Authentication and Session Management Cross Site Scripting (XSS) Insecure Redirect Object References Security Misconfiguration Sensitive Data Exposure Missing Function Level Access Control Cross Site Request Forgery Using Components with Known Vulnerabilities Unvalidated Redirect and Forwards
- 4. –
- 5. –
- 6. – – Command Injection SQL Injection Attack Surface Cross Site Scripting (XSS) Sessions Business Logic Bugs Authentication Mass Assignment Cross Origin Resource Sharing Redirects and Forwards Cross Site Request Forgery Encryption Dynamic Render Paths Sensitive Files
- 8. –
- 9. –
- 10. – @users = User.find(:all, :conditions => "name like #{params[:name]}") – input_name = params[:name] @users = User.where(" name like #{input_name}")
- 11. – params[:name] = "name=') OR admin = 't' --" User.find(:first, :conditions => "name = '#{params[:name]}'") SELECT "users".* FROM "users" WHERE (name = 'name=') OR admin = 't' --') LIMIT 1 Result #<User id: 1650, name: "Admin", password: "supersecretpass", age: 51, admin: true, created_at: "2013-02- 11 17:03:47", updated_at: "2013-02-11 17:03:47">
- 12. – • • • • • • params[:column] = "age) FROM users WHERE name = 'Bob';" Order.calculate(:sum, params[:column]) SELECT SUM(age) FROM users WHERE name = 'Bob';) AS sum_id FROM "orders" Result: 27
- 13. – • params[:admin] = "') OR 1=1--'" User.destroy_all(["id = ? AND admin = '#{params[:admin]}", params[:id]])
- 14. – • params[:admin] = "') OR 1=1--'" User.destroy_all(["id = ? AND admin = '#{params[:admin]}", params[:id]])
- 15. – params[:column] = "* FROM users WHERE admin = 't' ;" User.first(:conditions => { :name => params[:name], :password => params[:password] }, :select => params[:column]) SELECT * FROM users WHERE admin = 't' ; FROM "users" WHERE "users"."name" IS NULL AND "users"."password" IS NULL LIMIT 1 Result #<User id: 1716, name: "Admin", password: "supersecretpass", age: 68, admin: true, created_at: "2013-02-11 17:03:47", updated_at: "2013-02-11 17:03:47">
- 16. – – Model.where("login = ? AND password = ?", entered_user_name, entered_password).first
- 17. – – – Model.where("login = ? AND password = ?", entered_user_name, entered_password).first Model.where(login: entered_user_name, password: entered_password).first
- 18. – –
- 20. –
- 21. – input = "<script>alert('XSS')</script>" – <p><%= input %></p> – <p><script>alert('XSS')</script& gt;</p>
- 22. – <script>var user = <%= @user.to_json %></script>
- 23. – <script>var user = <%= @user.to_json %></script> <script> var user = {"name": "</script> <script>alert(1)</script>"};</script>
- 24. – <script>var user = <%= @user.to_json.html_safe %></script> – <script> var user = {"name": "</script> <script>alert(1)</script>"}; </script>
- 25. – • •
- 26. – • – tags = %w(a acronym b strong i em li ul ol h1 h2 h3 h4 h5 h6 blockquote br cite sub sup ins p) s = sanitize(user_input, tags: tags, attributes: %w(href title))
- 27. – • – tags = %w(a acronym b strong i em li ul ol h1 h2 h3 h4 h5 h6 blockquote br cite sub sup ins p) s = sanitize(user_input, tags: tags, attributes: %w(href title))
- 28. – • – strip_tags("some<<b>script>alert('hello')<</b>/script>") some<script>alert('hello')</script>
- 29. – – • <%=h @stuff %>
- 30. – –
- 31. – { attribute_name => value }
- 32. – • •
- 33. – – {:id => 42, :user => {:first => "NewJohn", :email => "[email protected]"}}
- 34. – – {:id => 42, :user => {:first => "NewJohn", :email => "[email protected]"}}
- 35. – –
- 36. – • –
- 37. – • –
- 38. –
- 39. – • . def person_params params.require(:person).permit(:name, :age) end https://github.com/rvalenciano/r24e/blob/master/app/controllers/users_controller.rb#L6 9-L80
- 40. –
- 41. –
- 44. ● – –
- 45. ● –
- 46. – • –
- 47. – •
- 49. – • • •
- 50. –
- 51. –
- 54. ● – ● – ● – ● –