SlideShare una empresa de Scribd logo

Ruby on Rails Security Updated (Rails 3) at RailsWayCon

H
heikowebers
Tecnología
1 de 24
Descargar para leer sin conexión
Heiko Webers, bauland42 Ruby on Rails Security Updated
Heiko Webers  CEO of bauland42: Secure and innovative web applications, security code audits: http://www.bauland42.de http://www.werkstatt42.de  Ruby on Rails Security Project: Blog and Book at http://www.rorsecurity.info
Cross-Site Scripting in Rails 3  Before: <%= h @project.name %> @project.name #=> <script> h(@project.name) #=> &lt;script&gt;  After: <%= @project.name %>  Unless you want to allow HTML/JS: <%= raw @project.name %>
Cross-Site Scripting in Rails 3  @project.name.html_safe? #=> false  h(@project.name).html_safe? #=> true  link_to(...).html_safe? #=> true  "<br />".html_safe # => "<br />" 4
Cross-Site Scripting in Rails 3  safe + safe = safe  safe.concat(safe) = safe  (safe << safe) = safe  safe + unsafe = unsafe ... 5
Cross-Site Scripting in Rails 3  String interpolation  <%= "#{link_to(@product.title, @product)} #{link_to(@product.title, @product)}" %>  Deliberately unsafe 6
Cross-Site Scripting in Rails 3  textilize() and simple_format() do not return safe strings textilize(‘*bold*‘) #=><strong>bold</strong>  <%= textilize(@product.description) %>  NO <%=raw textilize(@product.description)%>  OK <%=sanitize textilize(@product.description) %> 7
Cross-Site Scripting in Rails 3  Know what you‘re doing  <%= auto_link(@product.description) %> # => unsafe, so escaped  <%= raw auto_link(@product.description) %> # => safe, but may contain HTML  sanitize() it 8
Cross-Site Scripting in Rails 3  Know what you‘re doing  Strings aren't magic: value = sanitize(@product.description) value.html_safe? #=> true value.gsub!(/--product_name--/, @product.title) value.html_safe? #=> true <%= value %> 9
Cross-Site Scripting in Rails 3  Rails helper are becoming stable now  There were problems with content_tag(), tag(), submit_tag(), ...  SafeErb plugin doesn‘t work yet/anymore 10
Cross-Site Scripting in Rails 3  xml.instruct! xml.description do xml << "The description: " xml << @product.description end  Use xml.description @product.description to automatically escape 11
Ajax and XSS  No automatic escaping in RJS templates  page.replace_html :notice, "Updated product #{@product.title}" 12
Sanitization  Don‘t write it on your own: value = self.description.gsub("<script>", "") <scr<script>ipt>  sanitize(), strip_tags(), ... use the HTML::Tokenizer  Based on regular expressions  Doesn‘t always render valid HTML  Last vulnerability in Rails 2.3.5 regarding non- printable ascii characters 13
Sanitization  Use parsers like Nokogiri or Woodstox (JRuby)  Gem sanitize: http://github.com/rgrove/sanitize Sanitize.clean(unsafe_html)  Gem Loofah: http://github.com/flavorjones/ loofah Loofah.fragment(unsafe_html).scrub!(:strip) 14
Sql-Injection in Rails 3  No find() anymore, no :conditions hash, ... But: Product.find(params[:id])  User.order('users.id DESC').limit(20).all  NO: Product.where("id = #{params[:id]}")  Product.where(["id = ?", params[:id]])  Product.where({:id => params[:id]}) 15
Sql-Injection in Rails 3  NO: User.order(params[:order]).all  raise "SQLi" unless ["id asc", "id desc"].include? (params[:order])  Escape it yourself: Product.order(Product.connection.quote(params [:order])).all 16
Other changes in Rails 3  config/initializers/session_store.rb Rails.application.config.session_store :cookie_store, :key => "_app_name_session"  config/initializers/cookie_verification_secret.rb Rails.application.config.cookie_secret = 'somereallylongrandomkey'  Don‘t keep it in your SCM 17
Other changes in Rails 3  Keep a value in a signed cookie: cookies.signed[:discount] = "12"  filter_parameter_logging deprecated  config.filter_parameters << :password in config/application.rb 18
Respond_with in Rails 3  class ProductsController < ApplicationController respond_to :html, :xml, :json def index respond_with(@products = Product.all) end end  How to define what attributes to render in XML? @product.to_xml(:only => [:id]) 19
Bits and pieces  You can deploy with a SSH key: ssh_options[:keys] = ["/path/to/id_rsa.ppk"]  Secure the admin panel with a client SSL certificate  Remove secrets from your SCM: database.yml, ssh_config.rb 20
Bits and pieces  Check what they‘re downloading File.dirname(requested_filename) == expected_directory  /download?file=../config/database.yml  validates_format_of :filename, :with => /^[a-z.]+$/i  hello.txt <script>alert(1)</script>  Use A and z 21
Privilege escalation  def update  @doc = Doc.find(params[:id])  end  before_filter :load_project  before_filter :deny_if_not_full_access  before_filter :load_doc @doc = @project.docs.find(params[:id])  before_filter :deny_if_no_access_to_doc 22
Authorization  def deny_if_no_access_to_doc  @doc.may_edit?(current_user)  end  def may_edit?(usr)  self.creator == usr  end  <%= link_to(“Edit“,...) if @doc.may_edit? (current_user) %> 23
That‘s it  Questions?  42@bauland42.de 24

Recomendados

Building Web Interface On Rails
Building Web Interface On RailsBuilding Web Interface On Rails
Building Web Interface On RailsWen-Tien Chang
 
Rails Best Practices
Rails Best PracticesRails Best Practices
Rails Best PracticesWen-Tien Chang
 
General Principles of Web Security
General Principles of Web SecurityGeneral Principles of Web Security
General Principles of Web Securityjemond
 
Rails 3 Beautiful Code
Rails 3 Beautiful CodeRails 3 Beautiful Code
Rails 3 Beautiful CodeGreggPollack
 
Rails 3 overview
Rails 3 overviewRails 3 overview
Rails 3 overviewYehuda Katz
 
Migrating legacy data
Migrating legacy dataMigrating legacy data
Migrating legacy dataPatrick Huesler
 
Rails Best Practices
Rails Best PracticesRails Best Practices
Rails Best PracticesIcalia Labs
 
SenchaCon 2016: Keynote Presentation - Art Landro, Gautam Agrawal, Mark Brocato
SenchaCon 2016: Keynote Presentation - Art Landro, Gautam Agrawal, Mark BrocatoSenchaCon 2016: Keynote Presentation - Art Landro, Gautam Agrawal, Mark Brocato
SenchaCon 2016: Keynote Presentation - Art Landro, Gautam Agrawal, Mark BrocatoSencha
 

Recomendados

Building Web Interface On Rails
Building Web Interface On RailsBuilding Web Interface On Rails
Building Web Interface On RailsWen-Tien Chang
 
Rails Best Practices
Rails Best PracticesRails Best Practices
Rails Best PracticesWen-Tien Chang
 
General Principles of Web Security
General Principles of Web SecurityGeneral Principles of Web Security
General Principles of Web Securityjemond
 
Rails 3 Beautiful Code
Rails 3 Beautiful CodeRails 3 Beautiful Code
Rails 3 Beautiful CodeGreggPollack
 
Rails 3 overview
Rails 3 overviewRails 3 overview
Rails 3 overviewYehuda Katz
 
Migrating legacy data
Migrating legacy dataMigrating legacy data
Migrating legacy dataPatrick Huesler
 
Rails Best Practices
Rails Best PracticesRails Best Practices
Rails Best PracticesIcalia Labs
 
SenchaCon 2016: Keynote Presentation - Art Landro, Gautam Agrawal, Mark Brocato
SenchaCon 2016: Keynote Presentation - Art Landro, Gautam Agrawal, Mark BrocatoSenchaCon 2016: Keynote Presentation - Art Landro, Gautam Agrawal, Mark Brocato
SenchaCon 2016: Keynote Presentation - Art Landro, Gautam Agrawal, Mark BrocatoSencha
 
Rails Security
Rails SecurityRails Security
Rails SecurityWen-Tien Chang
 
CodeIgniter 3.0
CodeIgniter 3.0CodeIgniter 3.0
CodeIgniter 3.0Phil Sturgeon
 
Asp.net identity 2.0
Asp.net identity 2.0Asp.net identity 2.0
Asp.net identity 2.0Gelis Wu
 
Workshop 8: Templating: Handlebars, DustJS
Workshop 8: Templating: Handlebars, DustJSWorkshop 8: Templating: Handlebars, DustJS
Workshop 8: Templating: Handlebars, DustJSVisual Engineering
 
Introduction to ASP.Net Viewstate
Introduction to ASP.Net ViewstateIntroduction to ASP.Net Viewstate
Introduction to ASP.Net Viewstaten|u - The Open Security Community
 
Sql Injection Myths and Fallacies
Sql Injection Myths and FallaciesSql Injection Myths and Fallacies
Sql Injection Myths and FallaciesKarwin Software Solutions LLC
 
Workshop 27: Isomorphic web apps with ReactJS
Workshop 27: Isomorphic web apps with ReactJSWorkshop 27: Isomorphic web apps with ReactJS
Workshop 27: Isomorphic web apps with ReactJSVisual Engineering
 
Angular 2 introduction
Angular 2 introductionAngular 2 introduction
Angular 2 introductionChristoffer Noring
 
&lt;img src="../i/r_14.png" />
&lt;img src="../i/r_14.png" />&lt;img src="../i/r_14.png" />
&lt;img src="../i/r_14.png" />tutorialsruby
 
Single Page Web Applications with CoffeeScript, Backbone and Jasmine
Single Page Web Applications with CoffeeScript, Backbone and JasmineSingle Page Web Applications with CoffeeScript, Backbone and Jasmine
Single Page Web Applications with CoffeeScript, Backbone and JasminePaulo Ragonha
 
HTTP Whiteboard - OSGI Compendium 6.0 - How web apps should have been! - R Auge
HTTP Whiteboard - OSGI Compendium 6.0 - How web apps should have been! - R AugeHTTP Whiteboard - OSGI Compendium 6.0 - How web apps should have been! - R Auge
HTTP Whiteboard - OSGI Compendium 6.0 - How web apps should have been! - R Augemfrancis
 
The JavaFX Ecosystem
The JavaFX EcosystemThe JavaFX Ecosystem
The JavaFX EcosystemAndres Almiray
 
Practical Protocol-Oriented-Programming
Practical Protocol-Oriented-ProgrammingPractical Protocol-Oriented-Programming
Practical Protocol-Oriented-ProgrammingNatasha Murashev
 
ASP.NET MVC 4 - Routing Internals
ASP.NET MVC 4 - Routing InternalsASP.NET MVC 4 - Routing Internals
ASP.NET MVC 4 - Routing InternalsLukasz Lysik
 
25 Real Life Tips In Ruby on Rails Development
25 Real Life Tips In Ruby on Rails Development25 Real Life Tips In Ruby on Rails Development
25 Real Life Tips In Ruby on Rails DevelopmentBelighted
 
Idoc script beginner guide
Idoc script beginner guide Idoc script beginner guide
Idoc script beginner guide Vinay Kumar
 
Trustparency web doc spring 2.5 & hibernate
Trustparency web doc spring 2.5 & hibernateTrustparency web doc spring 2.5 & hibernate
Trustparency web doc spring 2.5 & hibernatetrustparency
 
Html server control - ASP. NET with c#
Html server control - ASP. NET with c#Html server control - ASP. NET with c#
Html server control - ASP. NET with c#priya Nithya
 
Practical JavaScript Programming - Session 8/8
Practical JavaScript Programming - Session 8/8Practical JavaScript Programming - Session 8/8
Practical JavaScript Programming - Session 8/8Wilson Su
 
The Rails Way
The Rails WayThe Rails Way
The Rails WayMichał Orman
 
Application Security from the Inside - OWASP
Application Security from the Inside - OWASPApplication Security from the Inside - OWASP
Application Security from the Inside - OWASPSqreen
 
Rails and security
Rails and securityRails and security
Rails and securityAndrey Tokarchuk
 

Más contenido relacionado

La actualidad más candente

Asp.net identity 2.0
Asp.net identity 2.0Asp.net identity 2.0
Asp.net identity 2.0Gelis Wu
 
Workshop 8: Templating: Handlebars, DustJS
Workshop 8: Templating: Handlebars, DustJSWorkshop 8: Templating: Handlebars, DustJS
Workshop 8: Templating: Handlebars, DustJSVisual Engineering
 
Workshop 27: Isomorphic web apps with ReactJS
Workshop 27: Isomorphic web apps with ReactJSWorkshop 27: Isomorphic web apps with ReactJS
Workshop 27: Isomorphic web apps with ReactJSVisual Engineering
 
&lt;img src="../i/r_14.png" />
&lt;img src="../i/r_14.png" />&lt;img src="../i/r_14.png" />
&lt;img src="../i/r_14.png" />tutorialsruby
 
Single Page Web Applications with CoffeeScript, Backbone and Jasmine
Single Page Web Applications with CoffeeScript, Backbone and JasmineSingle Page Web Applications with CoffeeScript, Backbone and Jasmine
Single Page Web Applications with CoffeeScript, Backbone and JasminePaulo Ragonha
 
HTTP Whiteboard - OSGI Compendium 6.0 - How web apps should have been! - R Auge
HTTP Whiteboard - OSGI Compendium 6.0 - How web apps should have been! - R AugeHTTP Whiteboard - OSGI Compendium 6.0 - How web apps should have been! - R Auge
HTTP Whiteboard - OSGI Compendium 6.0 - How web apps should have been! - R Augemfrancis
 
Practical Protocol-Oriented-Programming
Practical Protocol-Oriented-ProgrammingPractical Protocol-Oriented-Programming
Practical Protocol-Oriented-ProgrammingNatasha Murashev
 
ASP.NET MVC 4 - Routing Internals
ASP.NET MVC 4 - Routing InternalsASP.NET MVC 4 - Routing Internals
ASP.NET MVC 4 - Routing InternalsLukasz Lysik
 
25 Real Life Tips In Ruby on Rails Development
25 Real Life Tips In Ruby on Rails Development25 Real Life Tips In Ruby on Rails Development
25 Real Life Tips In Ruby on Rails DevelopmentBelighted
 
Idoc script beginner guide
Idoc script beginner guide Idoc script beginner guide
Idoc script beginner guide Vinay Kumar
 
Trustparency web doc spring 2.5 & hibernate
Trustparency web doc spring 2.5 & hibernateTrustparency web doc spring 2.5 & hibernate
Trustparency web doc spring 2.5 & hibernatetrustparency
 
Html server control - ASP. NET with c#
Html server control - ASP. NET with c#Html server control - ASP. NET with c#
Html server control - ASP. NET with c#priya Nithya
 
Practical JavaScript Programming - Session 8/8
Practical JavaScript Programming - Session 8/8Practical JavaScript Programming - Session 8/8
Practical JavaScript Programming - Session 8/8Wilson Su
 

La actualidad más candente (20)

Rails Security
Rails SecurityRails Security
Rails Security
 
CodeIgniter 3.0
CodeIgniter 3.0CodeIgniter 3.0
CodeIgniter 3.0
 
Asp.net identity 2.0
Asp.net identity 2.0Asp.net identity 2.0
Asp.net identity 2.0
 
Workshop 8: Templating: Handlebars, DustJS
Workshop 8: Templating: Handlebars, DustJSWorkshop 8: Templating: Handlebars, DustJS
Workshop 8: Templating: Handlebars, DustJS
 
Introduction to ASP.Net Viewstate
Introduction to ASP.Net ViewstateIntroduction to ASP.Net Viewstate
Introduction to ASP.Net Viewstate
 
Sql Injection Myths and Fallacies
Sql Injection Myths and FallaciesSql Injection Myths and Fallacies
Sql Injection Myths and Fallacies
 
Workshop 27: Isomorphic web apps with ReactJS
Workshop 27: Isomorphic web apps with ReactJSWorkshop 27: Isomorphic web apps with ReactJS
Workshop 27: Isomorphic web apps with ReactJS
 
Angular 2 introduction
Angular 2 introductionAngular 2 introduction
Angular 2 introduction
 
&lt;img src="../i/r_14.png" />
&lt;img src="../i/r_14.png" />&lt;img src="../i/r_14.png" />
&lt;img src="../i/r_14.png" />
 
Single Page Web Applications with CoffeeScript, Backbone and Jasmine
Single Page Web Applications with CoffeeScript, Backbone and JasmineSingle Page Web Applications with CoffeeScript, Backbone and Jasmine
Single Page Web Applications with CoffeeScript, Backbone and Jasmine
 
HTTP Whiteboard - OSGI Compendium 6.0 - How web apps should have been! - R Auge
HTTP Whiteboard - OSGI Compendium 6.0 - How web apps should have been! - R AugeHTTP Whiteboard - OSGI Compendium 6.0 - How web apps should have been! - R Auge
HTTP Whiteboard - OSGI Compendium 6.0 - How web apps should have been! - R Auge
 
The JavaFX Ecosystem
The JavaFX EcosystemThe JavaFX Ecosystem
The JavaFX Ecosystem
 
Practical Protocol-Oriented-Programming
Practical Protocol-Oriented-ProgrammingPractical Protocol-Oriented-Programming
Practical Protocol-Oriented-Programming
 
ASP.NET MVC 4 - Routing Internals
ASP.NET MVC 4 - Routing InternalsASP.NET MVC 4 - Routing Internals
ASP.NET MVC 4 - Routing Internals
 
25 Real Life Tips In Ruby on Rails Development
25 Real Life Tips In Ruby on Rails Development25 Real Life Tips In Ruby on Rails Development
25 Real Life Tips In Ruby on Rails Development
 
Idoc script beginner guide
Idoc script beginner guide Idoc script beginner guide
Idoc script beginner guide
 
Trustparency web doc spring 2.5 & hibernate
Trustparency web doc spring 2.5 & hibernateTrustparency web doc spring 2.5 & hibernate
Trustparency web doc spring 2.5 & hibernate
 
Html server control - ASP. NET with c#
Html server control - ASP. NET with c#Html server control - ASP. NET with c#
Html server control - ASP. NET with c#
 
Practical JavaScript Programming - Session 8/8
Practical JavaScript Programming - Session 8/8Practical JavaScript Programming - Session 8/8
Practical JavaScript Programming - Session 8/8
 
The Rails Way
The Rails WayThe Rails Way
The Rails Way
 

Similar a Ruby on Rails Security Updated (Rails 3) at RailsWayCon

Application Security from the Inside - OWASP
Application Security from the Inside - OWASPApplication Security from the Inside - OWASP
Application Security from the Inside - OWASPSqreen
 
RubyOnRails-Cheatsheet-BlaineKendall
RubyOnRails-Cheatsheet-BlaineKendallRubyOnRails-Cheatsheet-BlaineKendall
RubyOnRails-Cheatsheet-BlaineKendalltutorialsruby
 
RubyOnRails-Cheatsheet-BlaineKendall
RubyOnRails-Cheatsheet-BlaineKendallRubyOnRails-Cheatsheet-BlaineKendall
RubyOnRails-Cheatsheet-BlaineKendalltutorialsruby
 
Phoenix for Rails Devs
Phoenix for Rails DevsPhoenix for Rails Devs
Phoenix for Rails DevsDiacode
 
10 Excellent Ways to Secure Spring Boot Applications - Okta Webinar 2020
10 Excellent Ways to Secure Spring Boot Applications - Okta Webinar 202010 Excellent Ways to Secure Spring Boot Applications - Okta Webinar 2020
10 Excellent Ways to Secure Spring Boot Applications - Okta Webinar 2020Matt Raible
 
AEM Sightly Deep Dive
AEM Sightly Deep DiveAEM Sightly Deep Dive
AEM Sightly Deep DiveGabriel Walt
 
AEM Sightly Template Language
AEM Sightly Template LanguageAEM Sightly Template Language
AEM Sightly Template LanguageGabriel Walt
 
09 - express nodes on the right angle - vitaliy basyuk - it event 2013 (5)
09 - express nodes on the right angle - vitaliy basyuk - it event 2013 (5)09 - express nodes on the right angle - vitaliy basyuk - it event 2013 (5)
09 - express nodes on the right angle - vitaliy basyuk - it event 2013 (5)Igor Bronovskyy
 
TurboGears2 Pluggable Applications
TurboGears2 Pluggable ApplicationsTurboGears2 Pluggable Applications
TurboGears2 Pluggable ApplicationsAlessandro Molina
 
Migrating Legacy Rails Apps to Rails 3
Migrating Legacy Rails Apps to Rails 3Migrating Legacy Rails Apps to Rails 3
Migrating Legacy Rails Apps to Rails 3Clinton Dreisbach
 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Jim Manico
 
Designing REST API automation tests in Kotlin
Designing REST API automation tests in KotlinDesigning REST API automation tests in Kotlin
Designing REST API automation tests in KotlinDmitriy Sobko
 
using Mithril.js + postgREST to build and consume API's
using Mithril.js + postgREST to build and consume API'susing Mithril.js + postgREST to build and consume API's
using Mithril.js + postgREST to build and consume API'sAntônio Roberto Silva
 
Ajax Performance Tuning and Best Practices
Ajax Performance Tuning and Best PracticesAjax Performance Tuning and Best Practices
Ajax Performance Tuning and Best PracticesDoris Chen
 
Crossing the Bridge: Connecting Rails and your Front-end Framework
Crossing the Bridge: Connecting Rails and your Front-end FrameworkCrossing the Bridge: Connecting Rails and your Front-end Framework
Crossing the Bridge: Connecting Rails and your Front-end FrameworkDaniel Spector
 

Similar a Ruby on Rails Security Updated (Rails 3) at RailsWayCon (20)

Application Security from the Inside - OWASP
Application Security from the Inside - OWASPApplication Security from the Inside - OWASP
Application Security from the Inside - OWASP
 
Rails and security
Rails and securityRails and security
Rails and security
 
RubyOnRails-Cheatsheet-BlaineKendall
RubyOnRails-Cheatsheet-BlaineKendallRubyOnRails-Cheatsheet-BlaineKendall
RubyOnRails-Cheatsheet-BlaineKendall
 
RubyOnRails-Cheatsheet-BlaineKendall
RubyOnRails-Cheatsheet-BlaineKendallRubyOnRails-Cheatsheet-BlaineKendall
RubyOnRails-Cheatsheet-BlaineKendall
 
Play!ng with scala
Play!ng with scalaPlay!ng with scala
Play!ng with scala
 
Phoenix for Rails Devs
Phoenix for Rails DevsPhoenix for Rails Devs
Phoenix for Rails Devs
 
10 Excellent Ways to Secure Spring Boot Applications - Okta Webinar 2020
10 Excellent Ways to Secure Spring Boot Applications - Okta Webinar 202010 Excellent Ways to Secure Spring Boot Applications - Okta Webinar 2020
10 Excellent Ways to Secure Spring Boot Applications - Okta Webinar 2020
 
AEM Sightly Deep Dive
AEM Sightly Deep DiveAEM Sightly Deep Dive
AEM Sightly Deep Dive
 
AEM Sightly Template Language
AEM Sightly Template LanguageAEM Sightly Template Language
AEM Sightly Template Language
 
Ruby For Startups
Ruby For StartupsRuby For Startups
Ruby For Startups
 
09 - express nodes on the right angle - vitaliy basyuk - it event 2013 (5)
09 - express nodes on the right angle - vitaliy basyuk - it event 2013 (5)09 - express nodes on the right angle - vitaliy basyuk - it event 2013 (5)
09 - express nodes on the right angle - vitaliy basyuk - it event 2013 (5)
 
TurboGears2 Pluggable Applications
TurboGears2 Pluggable ApplicationsTurboGears2 Pluggable Applications
TurboGears2 Pluggable Applications
 
Migrating Legacy Rails Apps to Rails 3
Migrating Legacy Rails Apps to Rails 3Migrating Legacy Rails Apps to Rails 3
Migrating Legacy Rails Apps to Rails 3
 
Play vs Rails
Play vs RailsPlay vs Rails
Play vs Rails
 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2
 
Designing REST API automation tests in Kotlin
Designing REST API automation tests in KotlinDesigning REST API automation tests in Kotlin
Designing REST API automation tests in Kotlin
 
using Mithril.js + postgREST to build and consume API's
using Mithril.js + postgREST to build and consume API'susing Mithril.js + postgREST to build and consume API's
using Mithril.js + postgREST to build and consume API's
 
Codegnitorppt
CodegnitorpptCodegnitorppt
Codegnitorppt
 
Ajax Performance Tuning and Best Practices
Ajax Performance Tuning and Best PracticesAjax Performance Tuning and Best Practices
Ajax Performance Tuning and Best Practices
 
Crossing the Bridge: Connecting Rails and your Front-end Framework
Crossing the Bridge: Connecting Rails and your Front-end FrameworkCrossing the Bridge: Connecting Rails and your Front-end Framework
Crossing the Bridge: Connecting Rails and your Front-end Framework
 

Último

08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 

Último (20)

08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 

Ruby on Rails Security Updated (Rails 3) at RailsWayCon

  • 1. Heiko Webers, bauland42 Ruby on Rails Security Updated
  • 2. Heiko Webers  CEO of bauland42: Secure and innovative web applications, security code audits: http://www.bauland42.de http://www.werkstatt42.de  Ruby on Rails Security Project: Blog and Book at http://www.rorsecurity.info
  • 3. Cross-Site Scripting in Rails 3  Before: <%= h @project.name %> @project.name #=> <script> h(@project.name) #=> &lt;script&gt;  After: <%= @project.name %>  Unless you want to allow HTML/JS: <%= raw @project.name %>
  • 4. Cross-Site Scripting in Rails 3  @project.name.html_safe? #=> false  h(@project.name).html_safe? #=> true  link_to(...).html_safe? #=> true  "<br />".html_safe # => "<br />" 4
  • 5. Cross-Site Scripting in Rails 3  safe + safe = safe  safe.concat(safe) = safe  (safe << safe) = safe  safe + unsafe = unsafe ... 5
  • 6. Cross-Site Scripting in Rails 3  String interpolation  <%= "#{link_to(@product.title, @product)} #{link_to(@product.title, @product)}" %>  Deliberately unsafe 6
  • 7. Cross-Site Scripting in Rails 3  textilize() and simple_format() do not return safe strings textilize(‘*bold*‘) #=><strong>bold</strong>  <%= textilize(@product.description) %>  NO <%=raw textilize(@product.description)%>  OK <%=sanitize textilize(@product.description) %> 7
  • 8. Cross-Site Scripting in Rails 3  Know what you‘re doing  <%= auto_link(@product.description) %> # => unsafe, so escaped  <%= raw auto_link(@product.description) %> # => safe, but may contain HTML  sanitize() it 8
  • 9. Cross-Site Scripting in Rails 3  Know what you‘re doing  Strings aren't magic: value = sanitize(@product.description) value.html_safe? #=> true value.gsub!(/--product_name--/, @product.title) value.html_safe? #=> true <%= value %> 9
  • 10. Cross-Site Scripting in Rails 3  Rails helper are becoming stable now  There were problems with content_tag(), tag(), submit_tag(), ...  SafeErb plugin doesn‘t work yet/anymore 10
  • 11. Cross-Site Scripting in Rails 3  xml.instruct! xml.description do xml << "The description: " xml << @product.description end  Use xml.description @product.description to automatically escape 11
  • 12. Ajax and XSS  No automatic escaping in RJS templates  page.replace_html :notice, "Updated product #{@product.title}" 12
  • 13. Sanitization  Don‘t write it on your own: value = self.description.gsub("<script>", "") <scr<script>ipt>  sanitize(), strip_tags(), ... use the HTML::Tokenizer  Based on regular expressions  Doesn‘t always render valid HTML  Last vulnerability in Rails 2.3.5 regarding non- printable ascii characters 13
  • 14. Sanitization  Use parsers like Nokogiri or Woodstox (JRuby)  Gem sanitize: http://github.com/rgrove/sanitize Sanitize.clean(unsafe_html)  Gem Loofah: http://github.com/flavorjones/ loofah Loofah.fragment(unsafe_html).scrub!(:strip) 14
  • 15. Sql-Injection in Rails 3  No find() anymore, no :conditions hash, ... But: Product.find(params[:id])  User.order('users.id DESC').limit(20).all  NO: Product.where("id = #{params[:id]}")  Product.where(["id = ?", params[:id]])  Product.where({:id => params[:id]}) 15
  • 16. Sql-Injection in Rails 3  NO: User.order(params[:order]).all  raise "SQLi" unless ["id asc", "id desc"].include? (params[:order])  Escape it yourself: Product.order(Product.connection.quote(params [:order])).all 16
  • 17. Other changes in Rails 3  config/initializers/session_store.rb Rails.application.config.session_store :cookie_store, :key => "_app_name_session"  config/initializers/cookie_verification_secret.rb Rails.application.config.cookie_secret = 'somereallylongrandomkey'  Don‘t keep it in your SCM 17
  • 18. Other changes in Rails 3  Keep a value in a signed cookie: cookies.signed[:discount] = "12"  filter_parameter_logging deprecated  config.filter_parameters << :password in config/application.rb 18
  • 19. Respond_with in Rails 3  class ProductsController < ApplicationController respond_to :html, :xml, :json def index respond_with(@products = Product.all) end end  How to define what attributes to render in XML? @product.to_xml(:only => [:id]) 19
  • 20. Bits and pieces  You can deploy with a SSH key: ssh_options[:keys] = ["/path/to/id_rsa.ppk"]  Secure the admin panel with a client SSL certificate  Remove secrets from your SCM: database.yml, ssh_config.rb 20
  • 21. Bits and pieces  Check what they‘re downloading File.dirname(requested_filename) == expected_directory  /download?file=../config/database.yml  validates_format_of :filename, :with => /^[a-z.]+$/i  hello.txt <script>alert(1)</script>  Use A and z 21
  • 22. Privilege escalation  def update  @doc = Doc.find(params[:id])  end  before_filter :load_project  before_filter :deny_if_not_full_access  before_filter :load_doc @doc = @project.docs.find(params[:id])  before_filter :deny_if_no_access_to_doc 22
  • 23. Authorization  def deny_if_no_access_to_doc  @doc.may_edit?(current_user)  end  def may_edit?(usr)  self.creator == usr  end  <%= link_to(“Edit“,...) if @doc.may_edit? (current_user) %> 23
  • 24. That‘s it  Questions?  42@bauland42.de 24