WHAT WE TALK ABOUT WHEN WE TALK ABOUT WEB SECURITY @RRC
Published on Feb 07, 2016
WHAT WE TALK ABOUT WHEN WE TALK ABOUT WEB SECURITY & RAILS
Simplify some of the major security issues affecting web applications today, with a strong focus on Rails vulnerabilities and the OWASP top ten.
@RUBY REMOTE CONF [2016/03]
by Dan Schanler hello@danschanler.com
MORE DECKS TO EXPLORE
PRESENTATION OUTLINE
WHAT WE TALK ABOUT WHEN WE TALK ABOUT
WEB SECURITY & RAILS
DAN SCHANLER
RUBY REMOTE CONF 2016-03-23
Photo by Stuck in Customs
Untitled Slide
Photo by chrisinplymouth
IS THAT MY JOB?
YES.
"DEVS ARE RESPONSIBLE FOR INSECURITY"
Photo by JonoMueller
WHAT WE WON'T DISCUSS
- AUTHENTICATION GEMS - DEVISE, OMNIAUTH, ETC
- BASIC DATA SECURITY - HTTPS, PASSWORDS, ENCRYPTION
- INFRASTRUCTURE SECURITY - FIREWALLS, LDAP, SSH KEYS
Photo by sboneham
WHAT WE WILL DISCUSS
- OWASP VULNERABILITIES
- RAILS SPECIFIC EXAMPLES
- GENERAL CONCEPTS TO SIMPLIFY DEV SECURITY KNOWLEDGE
Photo by Jeremy Brooks
Untitled Slide
RAILS PARAMETERS HASH
AVAILABLE now IN YOUR CONTROLLERs
SQL INJECTION ATTACK
XSS - 3RD PARTY JAVASCRIPT RUNNING ON YOUR DOMAIN
Photo by Keith Allison
Untitled Slide
XSS ATTACKS:
- STEAL USER COOKIES
- SESSION HIJACKING
- REDIRECT TO FAKE WEBSITE
- CHANGE FORMS TO SNAG CONFIDENTIAL INFO
- LOTS OF OTHER BAD THINGS
Photo by Connor Tarter
XSS ATTACK EXAMPLES
If thIS runS in your form, attack IS possible
Untitled Slide
XSS PREVENTION
SANITIZE INPUT AND OUTPUT
RESPONSE
Untitled Slide
DEFAULT HEADERS
& SEE TWITTER'S SECURE HEADERS
MASS ASSIGNMENT ATTACK
MASS ASSIGNMENT MITIGATION
STRONG PARAMS
CSRF: ATTACKER FORCES USER TO EXECUTE UNWANTED ACTIONS ON WEB APP THEY'RE AUTHENTICATED TO
Photo by aldoaldoz
CSRF
VICTIM HAS JUST:
- TWEETED, FOLLOWED, LIKED
- RESET THEIR EMAIL
- RESET THEIR PASSWORD
- ANY NUMBER OF OTHER BAD THINGS
Photo by kevin dooley
CSRF MITIGATION
DON'T LET THEM CREEP UP ON YOU
Untitled Slide
TAKE-AWAYS
- SHAKE WELL BEFORE USER DATA
- WHITELISTS > BLACKLISTS
- FOLLOW WEB & RAILS STANDARDS
- WATCH THE NEWS
Photo by JohannesLundberg
LOW HANGING FRUIT
- DO SOME AUDITING
- SCAN CODE
- SCAN APP
- READ MORE ABOUT SPECIFICS
GEM AUDITING
- BUNDLER AUDIT
- HAKIRI
- GEMNASIUM
--GEM AUDITING--
bundler-audit: https://github.com/rubysec/bundler-audit
Hakiri: https://hakiri.io/facets Gemnasium: https://gemnasium.com/
bundler-audit: https://github.com/rubysec/bundler-audit
Hakiri: https://hakiri.io/facets Gemnasium: https://gemnasium.com/
SCANNERS:
- BRAKEMAN
- DAWNSCANNER
- W3AF
- TARANTULA
--SCANNERS--
Brakeman Scanner: http://brakemanscanner.org/
Dawnscanner:
https://github.com/thesp0nge/dawnscanner
w3af: http://w3af.org/
Tarantula: https://github.com/relevance/tarantula
Brakeman Scanner: http://brakemanscanner.org/
Dawnscanner:
https://github.com/thesp0nge/dawnscanner
w3af: http://w3af.org/
Tarantula: https://github.com/relevance/tarantula
ARTICLES:
- ROR SECURITY GUIDE
- OWASP ROR CHEATSHEET
- RAILS-SQLI.ORG
- PHRACK - ATTACKING ROR APPLICATIONS
--ARTICLES--
Ruby on Rails Security Guide: http://guides.rubyonrails.org/security.html
OWASP RoR Cheatsheet: https://www.owasp.org/index.php/Ruby_on_Rails_Cheatsheet
Rails SQL Injection Examples: http://rails-sqli.org/
Phrack - Attacking Ruby on Rails Applications: http://www.phrack.org/papers/attacking_ruby_on_rails.html
Ruby on Rails Security Guide: http://guides.rubyonrails.org/security.html
OWASP RoR Cheatsheet: https://www.owasp.org/index.php/Ruby_on_Rails_Cheatsheet
Rails SQL Injection Examples: http://rails-sqli.org/
Phrack - Attacking Ruby on Rails Applications: http://www.phrack.org/papers/attacking_ruby_on_rails.html
Untitled Slide
THANKS ALL.
DAN SCHANLER
HIT ME WITH QUESTIONS:
HELLO@DANSCHANLER.COM
DAN SCHANLER
hello@danschanler.com
hello@danschanler.com
