Ruby on Rails Security
By Phil Misiowiec
[email protected]
As a developer, I should be concerned about...
• Writing good (secure) code
• Understanding how to use Rails to protect my app against common exploits
• Vulnerabilities in open source libraries
• Best way to share sensitive information
Writing Secure Code
Scoping Queries to the Owner
Bad:
Good:
Use SSL
All the time:
As needed:
User authentication: Fewer hurdles = less secure
• Validate password length (at least 8 chars)
• Check password strength (custom Ruby script or devise_security_extension gem)
• The social Web - consider usernames instead of emails as logins.
• Timeout session after 20 minutes
• Don’t “remember” credentials
• Lock out user after too many attempts
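The password, lockout and timeout rules on this slide as one framework-free Ruby model. This is an added example, not code from the deck; the lockout threshold of 5 failures, the three-character-class rule and the short common-word list are assumptions chosen for illustration.

```ruby
MIN_PASSWORD_LENGTH = 8            # "at least 8 chars"
MAX_FAILED_ATTEMPTS = 5            # assumed lockout threshold
SESSION_TIMEOUT_SECONDS = 20 * 60  # "Timeout session after 20 minutes"

# Returns a list of policy violations; an empty list means the password passes.
# The strength rules stand in for what a custom script or
# devise_security_extension would enforce (assumed rules, not the gem's).
def password_problems(password)
  problems = []
  problems << "too short (min #{MIN_PASSWORD_LENGTH})" if password.length < MIN_PASSWORD_LENGTH
  classes = [/[a-z]/, /[A-Z]/, /\d/, /[^A-Za-z\d]/].count { |re| password =~ re }
  problems << "needs at least 3 character classes" if classes < 3
  problems << "contains a common word" if password.downcase =~ /password|qwerty|letmein/
  problems
end

# Counts failed logins per username and locks the account once the limit is hit.
# Callers must check locked? before verifying a password, so a locked account
# cannot be brute-forced while the counter sits at the limit.
class LoginThrottle
  def initialize(limit: MAX_FAILED_ATTEMPTS)
    @limit = limit
    @failures = Hash.new(0)
  end

  def locked?(username)
    @failures[username] >= @limit
  end

  # Records the outcome of one attempt; returns true if the account is now locked.
  def record(username, success)
    if success
      @failures.delete(username)   # a good login resets the counter
    else
      @failures[username] += 1
    end
    locked?(username)
  end
end

# Idle timeout: a session whose last activity is older than the limit is stale
# and must be discarded rather than silently extended.
def session_expired?(last_seen_at, now = Time.now)
  now - last_seen_at > SESSION_TIMEOUT_SECONDS
end
```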
Authentication Gems
• Devise
• OmniAuth with Identity “strategy”
Consider two-factor authentication
• two_factor_authentication gem (Devise)
• Requires writing SMS integration code (e.g. Twilio or Telapi gems)
• Good read - Kill the Password: Why a String of Characters Can’t Protect Us Anymore http://www.wired.com/gadgetlab/2012/11/ff-mat-honan-password-hacker/
Cookies
• Don’t store sensitive data in cookie[:key] objects
• If using the Rails cookie store for sessions, be careful what you store in session[:key] objects! In general, don’t store entire objects, don’t store financial data, order details, credits/coupons, etc.
Encrypt Sensitive Data
• bcrypt
• OpenSSL lib
Rails Security-Minded Features
Mass Assignment
Cross-Site Request Forgery (CSRF)
• Use GET for non-destructive actions
• Use POST, PUT, DELETE for others
• Rails protects you against spoofed POST/PUT requests by checking for a CSRF token:
Automatically generated inside your views:
SQL Injection
Bad:
Good:
Cross-Site Scripting (XSS)
• See ActionView::Helpers::SanitizeHelper, e.g. strip_tags, sanitize
Vulnerabilities in Ruby Libraries/Gems
YAML
• YAML popular format for configuration, object serialization
• YAML can be used to dynamically instantiate Ruby objects
• Vulnerability: when embedded inside XML, it could be posted to a Web app and cause damage
• “Up to 250K” sites vulnerable
• Patched in recent versions of Rails
YAML in action
HTTP POST
YAML PARSED AND INTERPRETED:
https://community.rapid7.com/community/metasploit/blog/2013/01/09/serialization-mischief-in-ruby-landcve-2013-0156?x=1
JSON Parser
• Converts JSON to YAML
• YAML parser problems
• Patched in recent versions of Rails
Stay Informed
• http://weblog.rubyonrails.org
• http://www.ruby-lang.org/
• http://cve.mitre.org/
Good Practices
• Don’t embed credentials inside source code
• Don’t email passwords
• Access servers using SSH keys
https://s3.amazonaws.com/atlashealth.com/meetups/rails-security.pdf