Daniel Peláez dpelaez@gdssecurity.com

Similar documents
Ruby on Rails Secure Coding Recommendations

Ruby on Rails Security. Jonathan Weiss, Peritor Wissensmanagement GmbH

Brakeman and Jenkins: The Duo Detects Defects in Ruby on Rails Code

ASP.NET MVC Secure Coding 4-Day hands on Course. Course Syllabus

Web Development Frameworks

Check list for web developers

Criteria for web application security check. Version

OWASP TOP 10 ILIA

Rails Cookbook. Rob Orsini. O'REILLY 8 Beijing Cambridge Farnham Koln Paris Sebastopol Taipei Tokyo

A benchmark approach to analyse the security of web frameworks

Where every interaction matters.

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Pentesting Web Frameworks (preview of next year's SEC642 update)

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

JVA-122. Secure Java Web Development

Cross Site Scripting (XSS) and PHP Security. Anthony Ferrara NYPHP and OWASP Security Series June 30, 2011

Adobe Systems Incorporated

Web Application Guidelines

REDCap Technical Overview

Web Application Hacking (Penetration Testing) 5-day Hands-On Course

Advanced Web Technology 10) XSS, CSRF and SQL Injection 2

Intrusion detection for web applications

(WAPT) Web Application Penetration Testing

EVALUATING COMMERCIAL WEB APPLICATION SECURITY. By Aaron Parke

What about MongoDB? can req.body.input 0; var date = new Date(); do {curdate = new Date();} while(curdate-date<10000)

Finding and Preventing Cross- Site Request Forgery. Tom Gallagher Security Test Lead, Microsoft

Evaluation. Chapter 1: An Overview Of Ruby Rails. Copy. 6) Static Pages Within a Rails Application

Ruby on Rails. Object Oriented Analysis & Design CSCI-5448 University of Colorado, Boulder. -Dheeraj Potlapally

From the Intranet to Mobile. By Divya Mehra and Stian Thorgersen

Hack Proof Your Webapps

Executive Summary On IronWASP

Project 2: Web Security Pitfalls

Lecture 11 Web Application Security (part 1)

Enterprise Application Security Workshop Series

Safewhere*Identify 3.4. Release Notes

Thomas Röthlisberger IT Security Analyst

From centralized to single sign on

CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities

Web Application Frameworks. Robert M. Dondero, Ph.D. Princeton University

Certified Secure Web Application Secure Development Checklist

Portals and Hosted Files

Certified Secure Web Application Security Test Checklist

Onegini Token server / Web API Platform

Web Application Security Assessment and Vulnerability Mitigation Tests

Still Aren't Doing. Frank Kim

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

Sichere Software- Entwicklung für Java Entwickler

Hack-proof Your Drupal App. Key Habits of Secure Drupal Coding

What is Web Security? Motivation

REDCap General Security Overview

Secure development and the SDLC. Presented By Jerry

Magento Security and Vulnerabilities. Roman Stepanov

State of The Art: Automated Black Box Web Application Vulnerability Testing. Jason Bau, Elie Bursztein, Divij Gupta, John Mitchell

Web Application Security

elearning for Secure Application Development

SECURITY DOCUMENT. BetterTranslationTechnology

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

OWASP Top Ten Tools and Tactics

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

Secure Application Development with the Zend Framework

Architectural Design Patterns. Design and Use Cases for OWASP. Wei Zhang & Marco Morana OWASP Cincinnati, U.S.A.

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

Secure Coding SSL, SOAP and REST. Astha Singhal Product Security Engineer salesforce.com

Sitefinity Security and Best Practices

Secure Coding in Node.js

Columbia University Web Security Standards and Practices. Objective and Scope

Secure Coding. External App Integrations. Tim Bach Product Security Engineer salesforce.com. Astha Singhal Product Security Engineer salesforce.

MatriXay WEB Application Vulnerability Scanner V Overview. (DAS- WEBScan ) The best WEB application assessment tool

Hacking de aplicaciones Web

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh

Single Sign-on (SSO) technologies for the Domino Web Server

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

05.0 Application Development

Single Sign On. SSO & ID Management for Web and Mobile Applications

An introduction of several development activities related to Shibboleth and Web browser-based simple PKI

Identity Management in Liferay Overview and Best Practices. Liferay Portal 6.0 EE

CA Performance Center

Intunex Oy Skillhive Service Description 1 / 6

A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications. Slides by Connor Schnaith

WordPress Security Scan Configuration

Chapter 1 Web Application (In)security 1

Hacking the WordpressEcosystem

Exploring the Relationship Between Web Application Development Tools and Security

Data Breaches and Web Servers: The Giant Sucking Sound

Outline. Lecture 18: Ruby on Rails MVC. Introduction to Rails

Multi Factor Authentication API

Pete Helgren Ruby On Rails on i

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure

Kerberos and Single Sign On with HTTP

OWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

Recon and Mapping Tools and Exploitation Tools in SamuraiWTF Report section Nick Robbins

Copyright 2014 Jaspersoft Corporation. All rights reserved. Printed in the U.S.A. Jaspersoft, the Jaspersoft

Cyber Security Challenge Australia 2014

Ruby on Rails is a web application framework written in Ruby, a dynamically typed programming language The amazing productivity claims of Rails is

Collax Web Security. Howto. This howto describes the setup of a Web proxy server as Web content filter.

Web Application Security

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

Getting Started Guide for Developing tibbr Apps

JOOMLA SECURITY. ireland website design. by Oliver Hummel. ADDRESS Unit 12D, Six Cross Roads Business Park, Waterford City

Transcription:

Daniel Peláez dpelaez@gdssecurity.com Security Goodness with Ruby On Rails SOURCE BARCELONA 16th November 2011 2011 Gotham Digital Science, Ltd

AGENDA Who Am I? Brief Introduction to Rails How Secure is Ruby On Rails? Auditing Applications Building Secure Rails WebSites Best practices, tools, security APIs. How to identify and fix common vulnerabilities. - 2 -

WHO AM I? IT Security Consultant at Gotham Digital Science (GDS) o o Another crazy Spaniard who recently moved to London I have some experience with Rails & also with Security: Pentests Source Code Reviews Consulting Blablabla :) - 3 -

ABOUT GDS o Gotham Digital Science (GDS) is an international security services company specializing in Application and Network Infrastructure security, and Information Security Risk Management. GDS clients number among the largest financial services institutions and software development companies in the world. o Offices in London and New York City - 4 -

ABOUT GDS o Tools & Papers: o Padbuster, Blazentoo, GwtEnum etc o Publications with GDS Contributing Authors: - 5 -

Overview of what is Rails BRIEF INTRODUCTION SECURITY GOODNESS WITH RUBY ON RAILS - 6 -

BRIEF INTRODUCTION TO RAILS www.rubyonrails.org - 7 -

BRIEF INTRODUCTION TO RAILS WebSite Industries - 8 -

BRIEF INTRODUCTION TO RAILS Who uses Rails? Twitter (In the early days) Groupon Linkedin Github Basecamp SlideShare Funny or Die Scribd CrunchBase Hulu Zendesk YellowPages OneHub Jobster Heroku Rackspace Engine Yard Shopify - 9 -

BRIEF INTRODUCTION TO RAILS Hulu.com - 10 -

BRIEF INTRODUCTION TO RAILS basecamphq.com - 11 -

BRIEF INTRODUCTION TO RAILS GitHub.com - 12 -

Philosophy and Design BRIEF INTRODUCTION SECURITY GOODNESS WITH RUBY ON RAILS - 13 -

BRIEF INTRODUCTION TO RAILS Ruby PHP Java Python Rails Zend Struts Django Sinatra CakePHP Spring Pylons Merb* Symfony Stripes Zope Zoop Hivemind TurboGears Akelos JBoss FRAMEWORK Model-View-Controller (MVC) architecture pattern CONVENTION OVER CONFIGURATION (COC) DON T REPEAT YOURSELF (DRY) - 14 -

BRIEF INTRODUCTION TO RAILS Rails Components & MVC - 15 -

BRIEF INTRODUCTION TO RAILS Rails Components & MVC - 16 -

BRIEF INTRODUCTION TO RAILS Model-View-Controller (MVC) architecture pattern Action Controller Processes incoming requests to a Rails application, extracts parameters, and dispatches them to the intended action. Services provided by Action Controller include session management, template rendering, and redirect management. Action View It can create both HTML and XML output by default. Manages rendering templates, including nested and partial templates, and includes built-in AJAX support. Action Dispatch Handles routing of web requests and dispatches them as you want, either to your application or any other Rack application. Active Record It provides database independence, basic CRUD functionality, advanced finding capabilities, and the ability to relate models to one another, among other services. Active Model Interface between the Action Pack gem services and Object Relationship Mapping gems such as Active Record. Active Model allows Rails to utilize other ORM frameworks in place of Active Record. - 17 -

BRIEF INTRODUCTION TO RAILS Generic Rails Architecture Diagram - 18 -

BRIEF INTRODUCTION TO RAILS REST (Representational State Transfer) Using resource identifiers such as URLs to represent resources. Transferring representations of the state of that resource between system components. GET /orders/17 PUT /orders/26 POST /orders/17 DELETE /orders/26-19 -

BRIEF INTRODUCTION TO RAILS - 20 -

BRIEF INTRODUCTION TO RAILS - 21 -

BRIEF INTRODUCTION TO RAILS - 22 -

BRIEF INTRODUCTION TO RAILS - 23 -

BRIEF INTRODUCTION TO RAILS - 24 -

Tools Vulnerabilities - Recommendations AUDITING APPLICATIONS SECURITY GOODNESS WITH RUBY ON RAILS - 25 -

AUDITING RAILS APPLICATIONS The Basic Defense Points Authentication: Is the application enforcing an acceptable password policy for users? Can the authentication process be bypassed? Authorization: Does the application have authorization checks for all default and custom actions? Data Protection: Are sensitive database fields encrypted or hashed? Is TLS / SSL enforced during the transmission of sensitive information such as passwords or credit card numbers? Input Validation & Sanitization: Is all input validated on the server? When displaying information, are we sanitizing the output? - 26 -

AUDITING RAILS APPLICATIONS MONGREL Server: Mongrel 1.1.5 APACHE Server: Apache/1.3.34 (Unix) mod_deflate/1.0.21 mod_fastcgi/2.4.2 mod_ssl/2.8.25 OpenSSL/0.9.7e-p1 NGINX Information Leaks: How to Identify Rails WebSites X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.7 X-Runtime: 0.008653 Server: nginx/1.0.0 + Phusion Passenger 3.0.7 (mod_rails/mod_rack) - 27 -

AUDITING RAILS APPLICATIONS APACHE Add these lines to httpd.conf NGINX Removing HTTP Headers Header always unset "X-Powered-By" Header always unset "X-Runtime" Header always unset "Server" Add this directive to HttpHeadersMoreModule more_clear_headers Server X-Powered-By X-Runtime; - 28 -

AUDITING RAILS APPLICATIONS Default Static Files: /javascripts/application.js /javascripts/prototype.js /stylesheets/application.css /images/rails.png Pretty URLs (RESTful): /posts/32/edit /project/create /folders/delete/54 /users/81 Information Leaks: How to Identify Rails WebSites - 29 -

AUDITING RAILS APPLICATIONS Information Leaks: How to Identify Rails WebSites Different default pages depending on Rails version Default templates for 404 and 500 status pages 422.html only in applications generated with Rails >= 2.0-30 -

AUDITING RAILS APPLICATIONS Information Leaks: How to Identify Rails WebSites Stack Traces / error pages - 31 -

AUDITING RAILS APPLICATIONS Vulnerabilities: Mass Assignment Assign all the values received from a Form to model attributes Example: User sign-up process - 32 -

AUDITING RAILS APPLICATIONS Vulnerabilities: Mass Assignment What if... - 33 -

AUDITING RAILS APPLICATIONS REMEDIATION: Vulnerabilities: Mass Assignment Use attr_protected or attr_accessible - 34 -

AUDITING RAILS APPLICATIONS Vulnerabilities: Cross Site Scripting (XSS) <script>alert( Hello:I am not just a popup )</script> Formatting Allowed? Use HTML and remove unwanted tags and attributes Earlier versions of Rails: Blacklist approach for the strip_tags(), strip_links() and sanitize() helpers. Injection was possible: strip_tags("some<<b>script>alert('hello')<</b>/script>") - 35 -

AUDITING RAILS APPLICATIONS Vulnerabilities: Cross Site Scripting (XSS) Updated Rails 2 sanitize() helper Removes protocols like javascript: Filters HTML nodes and attributes Handles unicode/ascii/hex hacks Second step to protect against xss: Rails h() helper to HTML escape user input (easy to forget) escape_javascript() safeerb plugin. Raises an exception whenever a tainted string is not escaped rails_xss plugin (Rails 2.3) - 36 -

AUDITING RAILS APPLICATIONS Sanitize method: Whitelisting (since Rails 2) Vulnerabilities: Cross Site Scripting (XSS) Rails 3: Strings inside views are automagically scaped Tainted strings? --> Call "tainted text".html_safe Show the string as it is? raw("i am tainted, you know... ) XSS protection based on rails_xss plugin - 37 -

AUDITING RAILS APPLICATIONS Vulnerabilities: SQL Injection - 38 -

AUDITING RAILS APPLICATIONS Vulnerabilities: SQL Injection SELECT * FROM usuarios WHERE (nombre = '' AND password = '' ) LIMIT 1 INPUT: something ' OR 'a'='a SELECT * FROM usuarios WHERE (nombre = 'GDS' AND password = 'something' OR 'a' = 'a' ) LIMIT 1-39 -

AUDITING RAILS APPLICATIONS Vulnerabilities: SQL Injection The right way: Use the methods find_(id) or dynamic methods such as: find_by_something(something) Use find conditions with named bind variables: Usuario.find(:first, :conditions => ["nombre =? AND password =?", nombre_usuario, clave]) Usuario.find(:first, :conditions => {:nombre => nombre_usuario, :password => clave}) If using connection.execute() or Model.find_by_sql() custom filtering needs to be implemented - 40 -

AUDITING RAILS APPLICATIONS Vulnerabilities: Cross Site Request Forgery (CSRF) Is the security token active in the controller? protect_from_forgery :secret => "123456789012345678901234567890" This does not check requests to XML APIs Restrict specific actions to specific HTTP methods: verify :method => :delete, :only => [:destroy], :redirect_to => {:action => :denegar} <img src="http://dominio/projecto/1/destroy"> - 41 -

AUDITING RAILS APPLICATIONS Ruby command execution: exec(command) system(command) syscall(command) `command` Vulnerabilities: Command Execution system(command, parameters) - 42 -

AUDITING RAILS APPLICATIONS Vulnerabilities: Command Execution Redmine SCM Repository Arbitrary Command Execution: http://redminehost/projects/$project/repository/diff/?rev=`cmd` - 43 -

AUDITING RAILS APPLICATIONS Checklist (Sort of) Search erb files for <%= if its user input ensure it is HTML escaped Secure Access: check controllers and public actions Search for "forgery" make sure that config.action_controller.allow_forgery_protection = false is only disabled in test config Are passwords saved as clear-text in the db?, are being logged? filter_parameter_logging - 44 -

AUDITING RAILS APPLICATIONS Ensure private data is not stored in cookies Appropriate use of attr_accessible/attr_protected Is the application using validations inside models to prevent bad input? Are non-action controller methods private? Check for params[:id] usage Gems are up to date for latest security patches (rails security mailing list) Word search for "find", "first", and "all" "sql" Check for mass assignment Checklist (Sort of) - 45 -

AUDITING RAILS APPLICATIONS Tools: Brakeman Static analysis security scanner for Ruby on Rails www.brakemanscanner.org Vulnerabilities Detected: Cross site scripting SQL injection Command injection Unprotected redirects Unsafe file access Version-specific security issues Unrestricted mass assignment Dangerous use of eval() Default routes Insufficient model validation - 46 -

AUDITING RAILS APPLICATIONS Using Brakeman Tools: Brakeman gem install brakeman brakeman p /path_to_your_rails_app - 47 -

AUDITING RAILS APPLICATIONS Tools: Brakeman - 48 -

Tips Gems Plugins BUILDING SECURE APPLICATIONS SECURITY GOODNESS WITH RUBY ON RAILS - 49 -

BUILDING SECURE APPLICATIONS Recommendations: File uploads Analyze the files with Antivirus Random name. Save outside DocumentRoot Avoid potential DOS (asyncronous tasks). Resque to the rescue! Validate the MIME type Ruby binding to libmagic (ruby-filemagic) shared-mime-info gem. Not recognized? Modify MIME.check(file) Serving the files later? send_file :disposition => 'attachment - 50 -

BUILDING SECURE APPLICATIONS Popular authentication plugins: RestfulAuthentication Authlogic Popular SSO systems: Tips: Authentication OpenID CAS Kerberos GSS-API SPNEGO OAuth (gem install oauth) LDAP (gem install ruby-net-ldap) - 51 -

BUILDING SECURE APPLICATIONS Tips: Authorization Mandatory access control (MAC): Grants access based on the sensitivity of the information (i.e., clearance) Example: Government information classification, such as Secret or Top Secret Discretionary access control (DAC): Grants access to objects based on the identity of subjects and/or groups to which they belong. Example: Windows and Unix file permissions Role-based access control (RBAC): Access to actions is controlled through permission based on role assignments, not at the level of individual data objects. Example: Active Directory - 52 -

BUILDING SECURE APPLICATIONS Tips: Authorization Simple Solutions: role_requirement (http://code.google.com/p/rolerequirement/). Complex Scenarios: DeclarativeAuthorization plugin (RBAC) (http://github.com/stffn/declarative_authorization) Other interesting plugins: ActiveRbac (http://active-rbac.rubyforge.org/). ModelSecurity (http://perens.com/freesoftware/modelsecurity/). - 53 -

BUILDING SECURE APPLICATIONS Tips: Admin Interface & good practices Isolate administrative interface (subdomain, authentication, restricted) Check request.remote_ip Digital Certificates Two factor auth (ROTP - The Ruby One Time Password Library https://github.com/mdp/rotp) Alerts (invalid logins, suspicious activity) Mandatory use of secure protocols (ActionController::Base.session_options[:session_secure] = true) Cookies with httponly and secure flags Deployment: Passwords inside database.yml Subversion files Test files - 54 -

THANKS FOR COMING! ANY QUESTIONS? dpelaez@gdssecurity.com - 55 -

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information