Ruby on Rails Secure Coding Recommendations



Similar documents
Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

Check list for web developers

What is Web Security? Motivation

Intrusion detection for web applications

Magento Security and Vulnerabilities. Roman Stepanov

Web Application Hacking (Penetration Testing) 5-day Hands-On Course

JVA-122. Secure Java Web Development

Certified Secure Web Application Secure Development Checklist

Sitefinity Security and Best Practices

Web Application Vulnerability Testing with Nessus

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Where every interaction matters.

Adobe Systems Incorporated

Web Application Security

A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications. Slides by Connor Schnaith

Enterprise Application Security Workshop Series

ASP.NET MVC Secure Coding 4-Day hands on Course. Course Syllabus

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

Last update: February 23, 2004

Penetration Test Report

Web Application Security

OWASP TOP 10 ILIA

Hack Proof Your Webapps

Criteria for web application security check. Version

Nuclear Regulatory Commission Computer Security Office Computer Security Standard

State of The Art: Automated Black Box Web Application Vulnerability Testing. Jason Bau, Elie Bursztein, Divij Gupta, John Mitchell

REDCap Technical Overview

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities

Web application security

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

Identity Theft Prevention Program (FACTA Identity Theft Red Flags Rule)

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

Hardening Moodle. Concept and Realization of a Security Component in Moodle. a project by

Finding and Preventing Cross- Site Request Forgery. Tom Gallagher Security Test Lead, Microsoft

05.0 Application Development

Client logo placeholder XXX REPORT. Page 1 of 37

Encryption Security Recommendations

Certified Secure Web Application Security Test Checklist

(WAPT) Web Application Penetration Testing

Cloud Computing Thunder and Lightning on Your Horizon?

Application Layer Encryption: Protecting against Application Logic and Session Theft Attacks. Whitepaper

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

Web Application Guidelines

Annual Web Application Security Report 2011

Hardening Joomla 1. HARDENING PHP. 1.1 Installing Suhosin. 1.2 Disable Remote Includes. 1.3 Disable Unneeded Functions & Classes

MatriXay WEB Application Vulnerability Scanner V Overview. (DAS- WEBScan ) The best WEB application assessment tool

Data Breaches and Web Servers: The Giant Sucking Sound

Web Application Security Guidelines for Hosting Dynamic Websites on NIC Servers

OWASP Top Ten Tools and Tactics

Basic & Advanced Administration for Citrix NetScaler 9.2

OWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair

Top 10 Web Application Security Vulnerabilities - with focus on PHP

Web Plus Security Features and Recommendations

Web Application Security Assessment and Vulnerability Mitigation Tests

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

JOOMLA SECURITY. ireland website design. by Oliver Hummel. ADDRESS Unit 12D, Six Cross Roads Business Park, Waterford City

External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION

Recon and Mapping Tools and Exploitation Tools in SamuraiWTF Report section Nick Robbins

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh

Ethical Hacking as a Professional Penetration Testing Technique

Lecture 11 Web Application Security (part 1)

Web Security Testing Cookbook*

TECHNICAL AUDITS FOR CERTIFYING EUROPEAN CITIZEN COLLECTION SYSTEMS

Guidelines for Web applications protection with dedicated Web Application Firewall

Project 2: Web Security Pitfalls

Chapter 1 Web Application (In)security 1

WEB APPLICATION SECURITY

Detecting and Exploiting XSS with Xenotix XSS Exploit Framework

Application Design and Development

Application Security Testing. Generic Test Strategy

CS 558 Internet Systems and Technologies

Perl In Secure Web Development

elearning for Secure Application Development

Hacking the WordpressEcosystem

Secure Web Application Coding Team Introductory Meeting December 1, :00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

Security vulnerabilities in new web applications. Ing. Pavol Lupták, CISSP, CEH Lead Security Consultant

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure

Cyber Security Challenge Australia 2014

Barracuda Web Application Firewall vs. Intrusion Prevention Systems (IPS) Whitepaper

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

QualysGuard WAS. Getting Started Guide Version 3.3. March 21, 2014

Common Criteria Web Application Security Scoring CCWAPSS

External Network & Web Application Assessment. For The XXX Group LLC October 2012

Online Vulnerability Scanner Quick Start Guide

Bug Report. Date: March 19, 2011 Reporter: Chris Jarabek

Security Testing with Selenium

Web Application Firewall on SonicWALL SRA

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability

Using Foundstone CookieDigger to Analyze Web Session Management

Security features of ZK Framework

Chapter 4 Application, Data and Host Security

Brakeman and Jenkins: The Duo Detects Defects in Ruby on Rails Code

WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL. Ensuring Compliance for PCI DSS 6.5 and 6.6

An Insight into Cookie Security

Transcription:

Introduction Altius IT s list of Ruby on Rails Secure Coding Recommendations is based upon security best practices. This list may not be complete and Altius IT recommends this list be augmented with additional controls. While not all risk can be eliminated, secure coding practices can include preventive, detective, and corrective safeguards that help reduce risks to acceptable levels. Ensure the appropriate use of attr_accessible/attr-protected: Use attr_accessible in every class, thereby defining what you have access to in the model. Don t pass user data to.new or.create. The attr_protected method in Ruby on Rails will prevent the fields from being assigned via mass assignment. Don't use mass assignments for user tables. When a user account is created, assign each field individually. One additional way to handle mass-assignment is through strong_parameters. The strong_parameters gem is an improvement over attr_accessible to securely handle mass assignment even when you have complex authorization logic. It is also a whitelist-based approach, but moves the responsibility to the controller making it easier to authorize what is and isn't allowed based on the current user's role. Use white-list filtering as early as possible. White lists describe what is allowed, rather than what is not allowed. Using a plugin does not mean that the code is mature, stable, or secure. Popular plugins may be vulnerable to security attacks (e.g. restful_authentication) and need to be augmented with secure coding practices. Ensure applications (Gems) are up-to-date with latest security patches. Subscribe to Ruby on Rails security mailing list (https://groups.google.com/forum/?fromgroups#!forum/rubyonrails-security). Always perform a code review of new plugins for issues. Track plugin announcements. Consider tracking external sources with Piston (http://piston.rubyforge.org), a wrapper around svn:externals. Prevent application leaks by overriding defaults. Hackers can check for default configurations to find out more about the target: Server header - When Apache HTTPD web server generates web pages or error pages, important information about the version and other details implemented on the system are displayed in the web site server header. Disable the server header. Determine if the target is a Rails application By default, static files include /javascripts/application.js, /stylesheets/application.css, /images/foo.png. Rails 151 Kalmus Drive Suite L-4 Costa Mesa California 92626 (714) 794-5210 www.altiusit.com 1

default templates for 404 (404.html, 422.html) and 500 (500.html) status pages. Rails applications deployed with Capistrano / Webistrano push.svn directories to the severs (http://svn.altiusit.com). Do not use svn:externals to track external plugins. If the plugins home page is unavailable, you may not be able to deploy your site. Ensure error messages are generated by the application, not the server. Error messages should be short and give user information without providing details to a hacker. Where appropriate, filter certain parameters from being shown in plain text in the log file by using filter_parameter_logging. Protect against Cross Site Request Forgery (CSRF). Use the protect_from_forgery feature in Rails that protects against Cross-site Request Forgery (CSRF) attacks. This feature makes all generated forms have a hidden id field. This id field must match the stored id or the form submission is not accepted. This prevents malicious forms on other sites or forms inserted with XSS from submitting to the Rails application. Protect against Cross Site Scripting (XSS). Sanitize input when appropriate (e.g. search queries, user name, description). Use the Rails h() helper to HTML escape user input. Using h() may be difficult to use everywhere. Consider using safeerb (http://agilewebdevelopment.com/plugins/safe_erb) plugin. SafeERB will raise an exception whenever a tainted string is not escaped. If formatting is allowed, consider using custom tags that will translate to HTML. Use the Rails sanitize() helper. Sanitize filters HTML nodes and attributes, removes protocols (e.g. JavaScript), and handles unicode/ascii/hex attacks. For more information see (http://api.rubyonrails.org/classes/actionview/helpers/sanitizehelper.html). Use XSSshield. Protect against SQL injection attacks. Consider all input to be malicious. Sanitize/escape input using procedures identified in this document. If the code must manually use a user-submitted value, use quote(). Use bind variables and an array for SQL queries that use.find. Prevent against JavaScript hijacking. Use the following coding techniques to minimize JavaScript hijacking attacks: Do not store important data in JavaScript Object Notation (JSON) responses. Do not return a straight JSON response, prefix it with extraneous characters. Rails JavaScript helpers may not support pre-fixed JSON responses. Use hard to guess URLs. 151 Kalmus Drive Suite L-4 Costa Mesa California 92626 (714) 794-5210 www.altiusit.com 2

Protect against Denial of Service (DoS) attacks. Rails applications are singled threaded with a limited number of Rails instances. Rails is particularly vulnerable to DoS attacks during file uploads/downloads, image processing, report generation, mass mailing, etc. Minimize DoS attacks by reducing these types of activities and maximizing additional resources such as serving static files directly through the web server (e.g. Apache, Amazon S3). By using RESTful (Representational State Transfer) resources, the interface to database objects is clear and consistent throughout the application and follows clear rules. Consider popular authentication plugins such as restful_authentication and authlogic. Cookie sessions. By default, session data is stored in a cookie. This presents several security implications including user viewing session data in plain text, the HMAC can be brute-forced and arbirtray session data created, replay attacks are easier as the clientside session cannot be flushed. Protect against cookie vulnerabilities: Do not store important data in the session. Sessions are stored by default in a browser cookie that s cryptographically signed, but unencrypted. This prevents the user from tampering with the session while allowing the contents to be viewed. Ensure the use of strong passwords. Servers should timeout inactive sessions. Ensure session cookies are not persistent (expires-at). File uploads. All file uploads should be analyzed for possible malware. Files should be saved outside of DocumentRoot. Consider using the hash of a file name instead of the real file name or store the file name in a database and use an ID number. Deny the direct download of files. Deny file name suffixes such as rb, cgi, php, erb, html, htm. Ensure secure authentication. Ensure the application enforces an acceptable password policy for users: Use reset_session at login. Ensure the authentication process cannot by bypassed. Ensure credentials are encrypted with SSL. Salt passwords. Storing a hash of the passwords isn t enough as it would still leave the application vulnerable attack via rainbow tables; where an attacker precalculates hashes of millions of passwords, then compares the hashes with the values stolen from your database. To prevent this you need to salt them. This requires storing a small random value against each of your users and adding that to the password before it is hashed. Bind the IP address to the session ID. 151 Kalmus Drive Suite L-4 Costa Mesa California 92626 (714) 794-5210 www.altiusit.com 3

Reauthenticate the user before performing security relevant actions such as changing a password. Limit the use of very dangerous methods/functions including system(), popen(), `` (backticks), eval(), and deserialize(). Limit administrative interfaces to a sub-net or localhost. Consider CAPTHAs (Completely Automated Public Turing test to tell Computers and Humans Apart) to reduce risks related to scripted attacks. A CAPTCHA is a type of challenge-response test used to ensure that the response is generated by a person. Ensure sensitive information is protected: Use appropriate encryption. Keep sensitive data in memory only as long as required. Create audit records when sensitive information is created, accessed, modified, or deleted. Avoid leaking by not logging sensitive data itself. Refer to Altius IT s Recommended Software Security Controls for additional safeguards and security best practices. Resources Security toolboxes can help developers ensure code is secure. Altius IT provides the following resources as a client convenience. We recommend that the resources be reviewed for applicability and appropriateness in your specific environment. ActiveRbac (http://active-rbac.rubyforge.org) a Ruby On Rails plugin that supports Role Based Access Control (RBAC) in the application. Brakeman (http://www.brakemanscanner.org) - an open source vulnerability scanner specifically designed for Ruby on Rails applications. It statically analyzes Ruby on Rails code to find potential security vulnerabilities. Command injection Cross site scripting Dangerous use of eval() Default routes Insufficient model validation SQL injection Unprotected redirects Unrestricted mass assignment Unsafe file access Version-specific security issues 151 Kalmus Drive Suite L-4 Costa Mesa California 92626 (714) 794-5210 www.altiusit.com 4

Rails testing (http://willbryant.net/software/rails/application_testing_top_to_bottom/) testing contributes to the success of software development efforts. What we want to test MVC testing Model testing Controller testing Ruby on Rails Security Blog (http://www.rorsecurity.info/) blog posts and information on security related topics. Ruby on Rails Security Guide (http://guides.rubyonrails.org/security.html) this guide describes common security problems in web applications and how to avoid them with Ruby on Rails. The Ruby Toolbox (https://www.ruby-toolbox.com/categories/security_tools) includes links to plugins including: Tarantula crawls Ruby on Rails applications using fuzzing data to determine if errors are encountered Rails xss replaces the default ERB template handlers with erubis, and escapes by default rather than requiring programmer to escape. Find mass assignment finds mass assignment vulnerabilities Audit mass assignment checks for use of the attr_accessible white list Xss_terminate (http://github.com/look/xss_terminate) strips and sanitizes HTML code. Publication and Author Information Jim Kelton is Managing Principal of Altius IT (www.altiusit.com), an IT security audit, security consulting, and risk management company based in Costa Mesa, California. Mr. Kelton has over 30 years of experience in the Information Technology industry and is recognized as a security expert. He is certified by the Information Systems Audit and Control Association (ISACA) as: Certified Information Systems Auditor (CISA) Certified in Risk and Information Systems Controls (CRISC) Certified in the Governance of Enterprise IT (CGEIT) He sits on the Board of Directors of the following associations and organizations: Association of Professional Consultants (APC) International Association of Professional Security Consultants (IAPSC) Technology Professionals Association (TPA) 151 Kalmus Drive Suite L-4 Costa Mesa California 92626 (714) 794-5210 www.altiusit.com 5

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information