Web Application Security
Rails & the OWASP Top-10

Rory McCune - rorym@mccune.org.uk
Background - Who am I?

IT Security Professional
14 years in IT, 9 years in IT Security, 3 in “Ethical Hacking”
I get to break into websites for a living
Why is this Important?

1. Bad guys will try to break into your applications
2. Good guys will try to break into your applications
3. Depending on your industry, regulators will be interested
   in the security of your code.
OWASP & the Top-10

OWASP - Open Web Application Security Project
   Hosts and sponsors web application security projects
   Also has a chapter organisation around the world
OWASP Top-10
   Listing of the “most critical” Web Application Security flaws
No Silver Bullets

- “We’ve got a Firewall, so we don’t need to worry”
- “We use SSL, so we don’t need to worry”
- “We use a framework, so we don’t need to worry”
Public Enemy Number 1

      INPUT
Dealing with Input

  Two main approaches
      Input Validation
      Output Normalization

  Things to Think about
      Need to deal with ALL inputs/outputs (form fields, cookies, headers...)
      Where to validate
      How to validate (Black List/White List)
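The two validation styles the slide contrasts, applied across all three input channels it names, as an added example in plain Ruby that is not part of the original slides. The field names, the allowed patterns, the black-list fragments and the sample request are all constructed for illustration.

```ruby
# Added example, not from the original slides: black list versus white list
# validation over form fields, cookies and headers. Field names, patterns and
# the sample request below are constructed for illustration.

# Black list: reject values containing known-bad fragments. Brittle, because
# the list must anticipate every spelling; here a case difference gets past it.
BLACKLIST = ['<script', 'javascript:'].freeze

def blacklist_ok?(value)
  BLACKLIST.none? { |bad| value.to_s.include?(bad) }
end

# White list: state exactly what each input may look like and reject everything
# else, including inputs the application has no pattern for at all.
WHITELIST = {
  'username'   => /\A[a-z0-9_]{3,20}\z/,
  'session_id' => /\A[0-9a-f]{32}\z/,
  'accept'     => %r{\A[a-z*]+/[a-z0-9.+*-]+(,\s*[a-z*]+/[a-z0-9.+*-]+)*\z}i
}.freeze

def whitelist_ok?(field, value)
  pattern = WHITELIST[field]
  !pattern.nil? && pattern.match?(value.to_s)
end

# Check every input source of one request with the white list; returns the
# names of the fields that failed (the slide's point: not just form fields).
def validate_request(params:, cookies:, headers:)
  inputs = params.merge(cookies).merge(headers)
  inputs.reject { |field, value| whitelist_ok?(field, value) }.keys
end

# Constructed request: only the form field is clean, the cookie and header are not.
SAMPLE = {
  params:  { 'username'   => 'rory_mc' },
  cookies: { 'session_id' => 'not-hex' },
  headers: { 'accept'     => 'text/html, <SCRIPT>' }
}.freeze

def demo
  {
    blacklist_misses_case: blacklist_ok?('<SCRIPT>'),             # true: it slipped through
    whitelist_rejects:     whitelist_ok?('username', '<SCRIPT>'), # false
    failed_fields:         validate_request(**SAMPLE)             # ["session_id", "accept"]
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The white list is the form that scales: a new field with no pattern is rejected by default, whereas a black list is only as good as the last bad string someone thought of.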
Specific Problems - XSS

“Allowing a malicious user of your application to execute
scripts in other users' browsers”
Very common in web applications - 90%+ of sites
Can have serious consequences - cookie stealing, page
defacement...
Example - Rails Weblog

XSS in the Comment section of a popular Rails weblog
application
Comment body, e-mail address, website address escaped OK
with h()
The author name was not:

<%= link_to_unless item.url.blank?, ((item.author ||
       '(unknown)').slice(0,40)), item.url %>

Fixed by escaping the whole expression (wrapping only item.author in h()
would lose the '(unknown)' fallback, because h(nil) returns an empty string,
which is truthy in Ruby):

<%= link_to_unless item.url.blank?, h((item.author ||
       '(unknown)').slice(0,40)), item.url %>
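What h() actually does to the author field above, and why it has to wrap the whole expression, as an added example that is not code from the original slides. It uses ERB::Util.html_escape, the helper Rails exposes in views as h(), so it runs without Rails; the comment author string is constructed.

```ruby
# Added example, not from the original slides: h() applied to a comment author
# field, and the effect of escaping before or after the '(unknown)' fallback.
# Plain Ruby; ERB::Util.html_escape is what Rails views call h().
require 'erb'

def h(str)
  ERB::Util.html_escape(str)
end

# The vulnerable view: author text goes into the link text unescaped.
def unsafe_link_text(author)
  (author || '(unknown)').slice(0, 40)
end

# The fix: fall back, truncate, then escape the result, so the fallback still
# applies and slice can never cut an escaped entity in half.
def safe_link_text(author)
  h((author || '(unknown)').slice(0, 40))
end

# Escaping only the author and applying the fallback afterwards silently loses
# the fallback: h(nil) returns "" and "" is truthy in Ruby.
def fallback_lost_link_text(author)
  (h(author) || '(unknown)').slice(0, 40)
end

# Constructed comment author containing markup, as a malicious commenter might submit.
EVIL_AUTHOR = '<script>probe()</script>'

def demo
  {
    unsafe:            unsafe_link_text(EVIL_AUTHOR),        # markup reaches the page as-is
    safe:              safe_link_text(EVIL_AUTHOR),          # "&lt;script&gt;probe()&lt;/script&gt;"
    nil_with_fallback: safe_link_text(nil),                  # "(unknown)"
    nil_fallback_lost: fallback_lost_link_text(nil)          # ""
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```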
Fixing XSS - 1

Standard recommended approach
Use the h() function in all your views
Problem - The bad data goes into your database
Problem - You need to remember *EVERY* time
   Safe ERB can help with this.
Fixing XSS - 2

Input Validation
Loads of options here
   sanitize helper
   plugin - sanitize_params
   plugin - xss_terminate
SQL Injection

[Comic - courtesy of xkcd.com]

    SQL Injection
          Allowing SQL statements to be inserted into your
          application by a user.
          Potentially devastating; can allow an attacker to take over
          the server.
SQL Injection in Rails

Limited problem due to use of ActiveRecord
Never directly insert strings into queries
   User.find(:all, :conditions => "name = '#{params[:name]}'")

   Who knew someone’s name could be ' OR 1=1--

One other thing - Framework bugs...
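What the interpolated :conditions string on the slide turns into, next to what ActiveRecord's "?" placeholder form produces, as an added example that is not part of the original slides. quote_value and bind are simplified stand-ins written for this illustration, not ActiveRecord's own quoting code; the name value is the one the slide quotes, embedded here as a constructed request parameter.

```ruby
# Added example, not from the original slides: the interpolated query versus a
# placeholder-bound one. quote_value and bind are simplified stand-ins for
# ActiveRecord's quoting, written for illustration only.

# The vulnerable pattern: the parameter is spliced straight into the SQL text.
def interpolated_conditions(name)
  "name = '#{name}'"
end

# Quote one value as a SQL string literal: wrap in quotes, double any embedded quote.
def quote_value(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Replace each ? with the next quoted value; the shape of
#   User.find(:all, :conditions => ["name = ?", params[:name]])
def bind(sql, *values)
  raise ArgumentError, 'placeholder/value count mismatch' unless sql.count('?') == values.size
  remaining = values.dup
  sql.gsub('?') { quote_value(remaining.shift) }
end

# True when everything after "name = " is still a single SQL string literal,
# i.e. the user's input never escaped into SQL syntax.
def value_stays_a_literal?(conditions)
  conditions.match?(/\Aname = '(?:[^']|'')*'\z/)
end

# The name from the slide, as a constructed request parameter.
HOSTILE_NAME = "' OR 1=1--"

def demo
  interpolated = interpolated_conditions(HOSTILE_NAME)   # name = '' OR 1=1--'
  bound        = bind('name = ?', HOSTILE_NAME)           # name = ''' OR 1=1--'
  {
    interpolated: interpolated, interpolated_safe: value_stays_a_literal?(interpolated),  # false
    bound: bound,               bound_safe:        value_stays_a_literal?(bound)          # true
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The bound form keeps the whole input inside one string literal, so it is compared as a name rather than parsed as SQL; that is the property the "?" placeholders (and the framework's own quoting) give you for free, and string interpolation throws away.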
Session Management

Web Applications are innately stateless
We use session IDs to manage this
Problem - The Session ID needs to be secured
Cookie Store

Default session handling method in Rails 2+
Stores the session on the client machine
Uses a signature to prevent tampering
Cookie Store - Problems?

Generated some controversy when it was first released
   Concerns around security of storing the session client side
Actually not too much of a problem, so long as you...
   use a strong secret
   don’t store anything sensitive in the session
   watch out for session replay
Things to think about

Session Expiry
   Set as short as practical (consider shared machines!)
Transmission in the clear
   anyone using the conference wi-fi?
Cookie Options
   Set the Secure session cookie option
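A minimal signed cookie store, as an added example covering both the "Cookie Store - Problems?" and the "Session Expiry" points above; it is not Rails' code. The wire format (Base64 payload, "--", hex HMAC) is modelled on Rails 2's CookieStore but simplified, the 30-byte minimum matches the length Rails 2 enforced for the secret, and the secret, sensitive-key list and session values are constructed for the demo.

```ruby
# Added example, not from the original slides: a signed client-side session
# with the checks the slides ask for: strong secret, nothing sensitive in the
# session, and an expiry so a captured cookie cannot be replayed forever.
# Format modelled on, not copied from, Rails 2's CookieStore.
require 'openssl'
require 'base64'
require 'json'

MIN_SECRET_BYTES = 30                                  # the minimum Rails 2 enforced
SENSITIVE_KEYS   = %w[password card_number].freeze     # constructed deny list

class CookieStore
  def initialize(secret, ttl_seconds: 1800)
    raise ArgumentError, "secret must be at least #{MIN_SECRET_BYTES} bytes" if secret.to_s.bytesize < MIN_SECRET_BYTES
    @secret = secret
    @ttl    = ttl_seconds
  end

  # Serialise the session with an expiry and sign it. The client can read a
  # signed cookie even though it cannot alter it, so refuse sensitive keys.
  def generate(session, now: Time.now.to_i)
    bad = session.keys.map(&:to_s) & SENSITIVE_KEYS
    raise ArgumentError, "refusing to store #{bad.join(', ')} in a client-side session" unless bad.empty?
    payload = Base64.strict_encode64(JSON.generate(session.merge({ 'expires_at' => now + @ttl })))
    "#{payload}--#{sign(payload)}"
  end

  # Verify the signature in constant time, then the expiry. Returns the session
  # hash, or nil when the cookie is forged, damaged or stale.
  def load(cookie, now: Time.now.to_i)
    payload, digest = cookie.to_s.split('--', 2)
    return nil if payload.nil? || digest.nil?
    return nil unless secure_compare(sign(payload), digest)
    session = JSON.parse(Base64.strict_decode64(payload))
    return nil if session['expires_at'].to_i <= now
    session
  rescue ArgumentError, JSON::ParserError
    nil
  end

  private

  def sign(payload)
    OpenSSL::HMAC.hexdigest('SHA256', @secret, payload)
  end

  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

SECRET = 'constructed-example-secret-do-not-reuse-0123456789'  # constructed, demo only

def demo
  store  = CookieStore.new(SECRET, ttl_seconds: 60)
  cookie = store.generate({ 'user_id' => 42 }, now: 1_000)
  digest = cookie.split('--', 2).last
  # Tampering attempt: a different payload carrying the original signature.
  forged = Base64.strict_encode64(JSON.generate({ 'user_id' => 1, 'expires_at' => 1_060 })) + '--' + digest
  {
    valid:   store.load(cookie, now: 1_010),   # {"user_id"=>42, "expires_at"=>1060}
    forged:  store.load(forged, now: 1_010),   # nil: signature does not match
    expired: store.load(cookie, now: 1_061)    # nil: past expires_at
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The expiry inside the signed payload is what limits replay of a cookie captured on that conference wi-fi; the Secure cookie flag (set when the cookie is emitted, not shown here) is what stops it being sent in the clear in the first place.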
Authentication & Authorization

Authentication
   http authentication
   restful_authentication & others
Authorization
   dealing with forceful browsing
Password Management

Common Password Security Problems
   Passing in the clear
       ssl_requirement
   Storing in the clear
       always store hashes with salt and pepper
More Password Management

 Brute Forcing
    password strength (validates_format_of)
    Account lockout?
 Password change forms
    Always ask for the original password
 Password Reset
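The storage and brute-force advice from the two password slides in one runnable form, as an added example in plain Ruby that is not code from the original slides or from any Rails plugin. The strength pattern has the same shape as a validates_format_of rule; the pepper value, iteration count and lockout threshold are illustrative choices, and PBKDF2 via OpenSSL::KDF stands in for whatever stretching your application uses.

```ruby
# Added example, not from the original slides: salted and peppered password
# hashing, a validates_format_of-style strength rule, lockout after repeated
# failures, and "ask for the current password" on change. Constants are
# illustrative choices, not Rails defaults.
require 'openssl'
require 'securerandom'

PEPPER       = 'constructed-app-wide-pepper-kept-in-config-not-db'  # constructed
ITERATIONS   = 50_000
MAX_FAILURES = 5
STRENGTH_RE  = /\A(?=.*[a-z])(?=.*[A-Z])(?=.*\d).{10,}\z/           # as for validates_format_of

def strong_password?(password)
  STRENGTH_RE.match?(password.to_s)
end

# Per-user random salt (stored alongside the hash) plus an app-wide pepper
# (stored elsewhere), stretched with PBKDF2-HMAC-SHA256. Returns "salt$hash".
def hash_password(password, salt: SecureRandom.hex(16))
  key = OpenSSL::KDF.pbkdf2_hmac(password.to_s + PEPPER, salt: salt,
                                 iterations: ITERATIONS, length: 32, hash: 'sha256')
  "#{salt}$#{key.unpack1('H*')}"
end

def password_matches?(stored, candidate)
  salt, _hash = stored.split('$', 2)
  secure_compare(hash_password(candidate, salt: salt), stored)
end

# Constant-time comparison so a wrong guess is not detectable by timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

class Account
  attr_reader :failed_attempts

  def initialize(password)
    raise ArgumentError, 'password too weak' unless strong_password?(password)
    @digest = hash_password(password)
    @failed_attempts = 0
  end

  # Lockout: once the threshold is reached, no further guesses are checked.
  def locked?
    @failed_attempts >= MAX_FAILURES
  end

  def authenticate(candidate)
    return false if locked?
    if password_matches?(@digest, candidate)
      @failed_attempts = 0
      true
    else
      @failed_attempts += 1
      false
    end
  end

  # Always require the current password before accepting a new one.
  def change_password(current, new_password)
    return false unless authenticate(current)
    raise ArgumentError, 'password too weak' unless strong_password?(new_password)
    @digest = hash_password(new_password)
    true
  end
end
```

Keeping the pepper out of the database means a dumped users table alone is not enough to start cracking; the per-user salt means two users with the same password still get different hashes.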
Conclusion

Rails provides a lot of tools to help develop secure
applications
It doesn’t remove the need to think about this during
development
More information

OWASP - Ruby On Rails Security Guide, Secure Coding
Guide ... (www.owasp.org)
Rails wiki
Blogs
Questions?
Bonus Box - How to Test

Where to start
   OWASP Testing Guide
   The Web Application Hacker's Handbook
Tools
   Proxy (e.g. WebScarab, Burp)
   Automation - Ronin, Metasploit

Web Application Security - Scotland on Rails presentation
  • 1. Web Application Security Rails & the OWASP Top-10 Rory McCune - rorym@mccune.org.uk
  • 3. Background - Who am I? IT Security Professional 14 years in IT, 9 Years in IT Security, 3 in “Ethical Hacking” I get to break into websites for a living
  • 4. Why is this Important?
  • 5. Why is this Important? 1. Bad guys will try to break into your applications
  • 6. Why is this Important? 1. Bad guys will try to break into your applications 2. Good guys will try to break into your applications
  • 7. Why is this Important? 1. Bad guys will try to break into your applications 2. Good guys will try to break into your applications 3. Depending on your industry , regulators will be interested in the security of your code.
  • 8. OWASP & the Top-10
  • 9. OWASP & the Top-10 OWASP - Open Web Application Security Project
  • 10. OWASP & the Top-10 OWASP - Open Web Application Security Project Hosts and sponsors web application security projects
  • 11. OWASP & the Top-10 OWASP - Open Web Application Security Project Hosts and sponsors web application security projects Also has a chapter organisation around the world
  • 12. OWASP & the Top-10 OWASP - Open Web Application Security Project Hosts and sponsors web application security projects Also has a chapter organisation around the world OWASP Top-10
  • 13. OWASP & the Top-10 OWASP - Open Web Application Security Project Hosts and sponsors web application security projects Also has a chapter organisation around the world OWASP Top-10 Listing of the “most critical” Web Application Security flaws
  • 15. No Silver Bullets - “We’ve got a Firewall, so we don’t need to worry” - “We use SSL, so we don’t need to worry” - “We use a framework, so we don’t need to worry”
  • 22-28. Dealing with Input. Two main approaches: Input Validation; Output Normalization. Things to think about: you need to deal with all inputs/outputs (form fields, cookies, headers...); where to validate; how to validate (black list / white list).
  • 30-32. Specific Problems - XSS. “Allowing a malicious user of your application to execute scripts in other users’ browsers.” Very common in web applications (90%+ of sites). Can have serious consequences - cookie stealing, page defacement...
  • 33-37. Example - Rails Weblog. XSS in the comment section of a popular Rails weblog application. Comment body, e-mail address and website address were escaped OK with h(); the author name was the one that was missed: <%= link_to_unless item.url.blank?, ((item.author || '(unknown)').slice(0,40)), item.url %> Fixed version: <%= link_to_unless item.url.blank?, ((h(item.author) || '(unknown)').slice(0,40)), item.url %>
  • 39-43. Fixing XSS - 1. Standard recommended approach: use the h() function in all your views. Problem - the bad data goes into your database. Problem - you need to remember *EVERY* time. Safe ERB can help with this.
  • 45-49. Fixing XSS - 2. Input Validation. Loads of options here: the sanitize helper; plugin - sanitize_params; plugin - xss_terminate.
  • 50-53. SQL Injection. Allowing SQL statements to be inserted into your application by a user. Potentially devastating, allowing an attacker to take over the server. * Comic courtesy of xkcd.com
  • 55-59. SQL Injection in Rails. Limited problem due to use of ActiveRecord. Never directly insert strings into queries: User.find(:all, :conditions => "name = '#{params[:name]}'") Who knew someone’s name could be ' OR 1=1-- One other thing - framework bugs...
  • 61-63. Session Management. Web applications are innately stateless; we use session IDs to manage this. Problem - the session ID needs to be secured.
  • 65-67. Cookie Store. Default session handling method in Rails 2+. Stores the session on the client machine. Uses a signature to prevent tampering.
  • 68-74. Cookie Store - Problems? Generated some controversy when it was first released. Concerns around the security of storing the session client side. Actually not too much of a problem, so long as you... use a strong secret; don’t store anything sensitive in the session; watch out for session replay.
  • 76-81. Things to think about. Session expiry: set as short as practical (consider shared machines!). Transmission in the clear: anyone using the conference wi-fi? Cookie options: set the Secure session cookie option.
  • 85-87. Authentication & Authorization. Authentication: http authentication, restful_authentication & others. Authorization: dealing with forceful browsing.
  • 90-93. Password Management. Common password security problems: passing in the clear (ssl_requirement); storing in the clear (always store hashes with salt and pepper).
  • 95-100. More Password Management. Brute forcing: password strength (validates_format_of); account lockout? Password change forms: always ask for the original password. Password reset.
  • 101. Conclusion. Rails provides a lot of tools to help develop secure applications. It doesn’t remove the need to think about this during development.
  • 102. More information. OWASP - Ruby on Rails Security Guide, Secure Coding Guide ... (www.owasp.org); Rails wiki; blogs.
  • 104. Bonus Box - How to Test. Where to start: OWASP Testing Guide; Web Application Hacker’s Handbook. Tools: proxy (eg, WebScarab, Burp); automation - Ronin, Metasploit.
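Worked example for slides 22-28 (and the speaker notes on where and how to validate), added here and not part of the presentation: server-side whitelist validation applied to every source of input a request carries, not just form fields. The rule table, the request hashes and all names are constructed for this example; they stand in for Rails' params, cookies and request.headers.

```ruby
# Added example, not code from the presentation: whitelist validation across
# every input source a request carries (form fields, cookies, headers), as
# slides 22-28 and the speaker notes recommend. The rule table, the request
# hashes and all names are constructed for this example.

# One rule per expected input: a Regexp (anchored with \A..\z so a newline in
# the value cannot sneak a second line past a ^..$ check) or a lambda that
# returns true only for acceptable values. Every input listed here is required.
RULES = {
  params:  {
    "username" => /\A[a-z0-9_]{3,20}\z/,
    "age"      => ->(v) { v.match?(/\A\d{1,3}\z/) && v.to_i.between?(13, 120) },
  },
  cookies: {
    "theme" => /\A(light|dark)\z/,
  },
  headers: {
    "X-Requested-With" => /\AXMLHttpRequest\z/,
  },
}.freeze

# Does one value satisfy its rule? Non-string values (arrays or hashes, which a
# crafted query string can produce) are rejected outright.
def rule_accepts?(rule, value)
  return false unless value.is_a?(String)
  case rule
  when Regexp then rule.match?(value)
  when Proc   then rule.call(value) ? true : false
  else false
  end
end

# Validate every source in the request. Returns { ok: true/false, errors: [...] }.
# Missing inputs and values that fail their rule are errors; so is any input the
# rule table does not mention, because nothing vouches for it (white list, not
# black list: we never try to recognise "bad" values, only "known good" ones).
def validate_request(request, rules = RULES)
  errors = []
  rules.each do |source, expected|
    supplied = request.fetch(source, {})
    expected.each do |name, rule|
      if !supplied.key?(name)
        errors << "#{source}.#{name}: missing"
      elsif !rule_accepts?(rule, supplied[name])
        errors << "#{source}.#{name}: rejected"
      end
    end
    (supplied.keys - expected.keys).each do |extra|
      errors << "#{source}.#{extra}: unexpected input"
    end
  end
  { ok: errors.empty?, errors: errors }
end

# Constructed sample requests standing in for params / cookies / request.headers.
GOOD_REQUEST = {
  params:  { "username" => "rory_m", "age" => "34" },
  cookies: { "theme" => "dark" },
  headers: { "X-Requested-With" => "XMLHttpRequest" },
}.freeze

BAD_REQUEST = {
  params:  { "username" => "Rory McCune", "age" => "34" },   # spaces and capitals
  cookies: { "theme" => "dark", "debug" => "1" },            # a cookie nobody asked for
  headers: { "X-Requested-With" => "XMLHttpRequest" },
}.freeze

if __FILE__ == $0
  p validate_request(GOOD_REQUEST)
  p validate_request(BAD_REQUEST)
end
```

Because the check runs server-side over the assembled request, it does not matter whether the value arrived from a form, a cookie or a header, and client-side validation (which the notes point out is bypassable with a proxy) becomes a usability nicety rather than a control.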
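Worked example for the weblog XSS on slides 33-37 and the h() advice on slides 39-43, added here and not the weblog's or Rails' code: the author link rendered with and without escaping, using ERB::Util.html_escape (the function behind the h() helper). link_to_unless, blank? and safe_url? below are plain-Ruby stand-ins written for this example. One caveat the example bakes in: h(nil) returns an empty string, which is truthy in Ruby, so the slide-37 form h(item.author) || '(unknown)' never actually falls back; escaping after the fallback keeps both behaviours.

```ruby
require 'erb'

# Added example, not the weblog's code: the author link from slides 36-37
# rendered with and without escaping, using ERB::Util.html_escape (the h()
# helper the slides refer to). link_to_unless, blank? and safe_url? are
# plain-Ruby stand-ins written for this example, not Rails' own helpers.

# Stand-in for Rails' link_to_unless: plain text when the condition holds,
# otherwise an anchor. Both arguments are used verbatim, so the caller must
# escape them: this is exactly the point at which the weblog's view went wrong.
def link_to_unless(condition, text, url)
  condition ? text : %(<a href="#{url}">#{text}</a>)
end

def blank?(s)
  s.nil? || s.strip.empty?
end

# Only http(s) links are worth rendering as anchors; anything else is treated
# as blank, which is whitelist validation applied to the URL input.
def safe_url?(url)
  !blank?(url) && url.match?(%r{\Ahttps?://}i)
end

# Slide 36: the author name is interpolated into the view unescaped.
def render_author_unsafe(author, url)
  link_to_unless(blank?(url), (author || '(unknown)').slice(0, 40), url)
end

# Slide 37 fix, with one adjustment: escape after the nil fallback. h(nil)
# returns "" (truthy in Ruby), so h(author) || '(unknown)' would never
# actually fall back to "(unknown)" for a missing author.
def render_author_safe(author, url)
  text = ERB::Util.html_escape((author || '(unknown)').slice(0, 40))
  href = safe_url?(url) ? ERB::Util.html_escape(url) : nil
  link_to_unless(href.nil?, text, href)
end

if __FILE__ == $0
  # Constructed comment data: a display name that happens to contain markup.
  puts render_author_unsafe('Rory <b>McCune</b>', 'http://example.com/')
  puts render_author_safe('Rory <b>McCune</b>', 'http://example.com/')
  puts render_author_safe(nil, '')
end
```

The URL is escaped for the attribute context it lands in (so an embedded double quote cannot close the href) and the author text for element content; the two are different outputs and each needs its own escaping call, which is the "remember every time" problem slide 42 describes.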
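Worked example for slides 55-59, added here and not part of the presentation: what the interpolated :conditions string on slide 57 and the placeholder form ActiveRecord provides (:conditions => ["name = ?", value]) each turn into as SQL text, using the name from slide 58. ActiveRecord is not loaded; quote_value and conditions_with_placeholders are plain-Ruby stand-ins written for this example that mirror AR's quoting, and sql_shape is a small check a test suite could apply to any hand-built SQL.

```ruby
# Added example, not code from the presentation: what the two :conditions
# styles on slides 57-58 turn into as SQL text. ActiveRecord is not loaded;
# quote_value and conditions_with_placeholders are plain-Ruby stand-ins for
# what AR does with :conditions => ["name = ?", value], written for this example.

# Slide 57: string interpolation. The value becomes part of the SQL syntax.
def conditions_by_interpolation(name)
  "name = '#{name}'"
end

# Quote one value as a SQL literal: integers as-is, everything else as a
# single-quoted string with embedded quotes doubled, so the value can never
# terminate the literal it is placed in.
def quote_value(value)
  return value.to_s if value.is_a?(Integer)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Placeholder style: the template is fixed code, values are quoted into the
# "?" slots. A count mismatch is a programming error and raises.
def conditions_with_placeholders(template, *values)
  unless template.count("?") == values.length
    raise ArgumentError, "expected #{template.count('?')} values, got #{values.length}"
  end
  pending = values.dup
  template.gsub("?") { quote_value(pending.shift) }
end

# Reduce a WHERE fragment to its shape: every complete string literal becomes
# "?". If the shape differs from the template you wrote, data has leaked into
# the syntax. Useful as an assertion in tests around hand-built SQL.
def sql_shape(sql)
  sql.gsub(/'(?:[^']|'')*'/, "?")
end

if __FILE__ == $0
  # The name from slide 58, fed through both styles.
  name = "' OR 1=1--"
  puts conditions_by_interpolation(name)
  puts conditions_with_placeholders("name = ?", name)
  puts sql_shape(conditions_by_interpolation(name))
  puts sql_shape(conditions_with_placeholders("name = ?", name))
end
```

With interpolation the shape comes out as "name = ? OR 1=1--'": the quote in the data closed the literal and the rest became syntax. With placeholders the whole value stays inside one literal and the shape is the template you wrote, which is the property the slides' "never directly insert strings into queries" rule is protecting.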
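Worked example for slides 65-81, added here and not Rails' CookieStore: a minimal signed client-side session showing the three things the slides ask for (a strong secret, a signature that detects tampering, and an expiry that bounds replay), plus the Secure cookie flag from slide 81. Everything in it is written for this example; SESSION_SECRET, the cookie name and the TTL are assumptions.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Added example, not Rails' CookieStore: a minimal signed client-side session
# in the style of slides 65-81. Everything here is written for this example:
# the secret comes from the environment or is generated (never a short fixed
# string), the payload is JSON so a cookie can only carry plain data, an expiry
# timestamp bounds replay of a captured cookie, and the Set-Cookie header
# carries the Secure and HttpOnly flags.
SECRET      = ENV.fetch("SESSION_SECRET") { OpenSSL::Random.random_bytes(64) }
SESSION_TTL = 15 * 60          # seconds; kept short because of shared machines
COOKIE_NAME = "_app_session"

def sign(data, secret)
  OpenSSL::HMAC.hexdigest("SHA256", secret, data)
end

# Compare two strings without stopping at the first differing byte.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Serialise, stamp with an expiry, sign. Returns "<base64 payload>--<hmac>".
def encode_session(session, secret = SECRET, now = Time.now.to_i, ttl = SESSION_TTL)
  raise ArgumentError, "session secret must be at least 32 bytes" if secret.bytesize < 32
  payload = Base64.strict_encode64(JSON.generate(session.merge("exp" => now + ttl)))
  "#{payload}--#{sign(payload, secret)}"
end

# Verify the signature before touching the payload; reject expired sessions.
# Returns the session hash, or nil for anything that does not check out.
def decode_session(cookie, secret = SECRET, now = Time.now.to_i)
  payload, sig = cookie.to_s.split("--", 2)
  return nil if payload.nil? || sig.nil?
  return nil unless constant_time_equal?(sign(payload, secret), sig)
  session = JSON.parse(Base64.strict_decode64(payload))
  return nil unless session.is_a?(Hash) && session["exp"].is_a?(Integer)
  return nil if session["exp"] <= now
  session
end

# Slide 81: the Secure flag keeps the cookie off plain-HTTP connections (the
# conference wi-fi case); HttpOnly keeps it away from page scripts, which blunts
# the cookie-stealing consequence of XSS mentioned on slide 32.
def session_cookie_header(cookie_value)
  "Set-Cookie: #{COOKIE_NAME}=#{cookie_value}; Path=/; Secure; HttpOnly"
end

if __FILE__ == $0
  cookie = encode_session("user_id" => 42)
  puts session_cookie_header(cookie)
  p decode_session(cookie)
end
```

Note what the signature does and does not give you: the client can read everything in the payload (so nothing sensitive goes in it, as slide 73 says), it cannot change it, but a copy of a valid cookie is still valid until "exp" passes, which is why the TTL, not the signature, is the control against replay.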
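Worked example for slides 90-100, added here and not part of the presentation: salted and peppered password hashing (slide 93), a strength rule of the kind validates_format_of expresses (slide 96) and a change-password flow that insists on the current password (slide 99). PEPPER, ITERATIONS and the USERS table are constructed for this example; in a real application the pepper lives in configuration, never alongside the hashes.

```ruby
require 'openssl'

# Added example, not code from the presentation: password storage with salt
# and pepper (slide 93), a strength rule in the spirit of validates_format_of
# (slide 96) and a change-password flow that insists on the current password
# (slide 99). PEPPER and USERS are constructed for this example; in a real
# application the pepper lives in configuration, never in the database.
PEPPER     = "constructed-pepper-kept-in-app-config-not-in-the-db".freeze
ITERATIONS = 100_000
USERS      = {}   # username => stored hash string (stands in for the users table)

# At least 10 characters with lower case, upper case and a digit.
def strong_password?(pw)
  pw.length >= 10 && pw.match?(/[a-z]/) && pw.match?(/[A-Z]/) && pw.match?(/\d/)
end

def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# PBKDF2-HMAC-SHA256 over password+pepper with a per-user random salt.
# Stored form: algorithm$iterations$salt_hex$digest_hex, so the iteration
# count can be raised later without invalidating existing records.
def hash_password(pw, salt = OpenSSL::Random.random_bytes(16), pepper = PEPPER)
  digest = OpenSSL::PKCS5.pbkdf2_hmac(pw + pepper, salt, ITERATIONS, 32, OpenSSL::Digest.new("SHA256"))
  ["pbkdf2-sha256", ITERATIONS, salt.unpack("H*").first, digest.unpack("H*").first].join("$")
end

def verify_password(pw, stored, pepper = PEPPER)
  algo, iters, salt_hex, digest_hex = stored.to_s.split("$")
  return false unless algo == "pbkdf2-sha256" && iters && salt_hex && digest_hex
  salt = [salt_hex].pack("H*")
  candidate = OpenSSL::PKCS5.pbkdf2_hmac(pw + pepper, salt, iters.to_i, 32, OpenSSL::Digest.new("SHA256"))
  constant_time_equal?(candidate.unpack("H*").first, digest_hex)
end

def register(username, pw)
  return false unless strong_password?(pw)
  USERS[username] = hash_password(pw)
  true
end

# Slide 99: a change form must prove possession of the current password, and
# the new one still has to pass the strength rule.
def change_password(username, current_pw, new_pw)
  stored = USERS[username]
  return false unless stored && verify_password(current_pw, stored)
  return false unless strong_password?(new_pw)
  USERS[username] = hash_password(new_pw)
  true
end
```

The salt defeats precomputed tables and makes identical passwords hash differently; the pepper means a dump of the users table alone is not enough to start guessing, because the attacker also needs the application configuration. The iteration count is what slows brute forcing of individual guesses, which is the other half of the slide-95 concern.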

Editor’s notes

  1. Things to mention: lots of Ruby and Rails usage in the penetration testing community (eg, Dradis, Metasploit, Ronin).
  2. 1. Increasing attacks on the application layer. Examples are the automated SQL injection bots that scan the Internet, and attacks on specific web applications (eg, Roundcube, phpBB). They are not just looking for CC numbers or personal information; sites are now getting infected to host malware (infecting your customers is probably bad business!). 2. Ethical hacking is a growing industry and is largely focused on web applications. If you’re developing applications for use by large (and indeed some small) companies, they may well commission a web application security review as part of the work, which will lead to a team of testers spending about a week trying to find security flaws in your application. 3. Anyone want to process credit card details? If so then you need to comply with PCI-DSS, which specifically requires web applications to comply with the “OWASP Top-10”.
  5. The number one security problem for all web applications is input. If you take nothing else about web app security from this presentation then just take one concept: input validation. 95%+ (very unscientifically assessed) of all web application security problems come down to problems with unvalidated input to the application. There are various problems with input validation, and we’ll walk through some of the more common ones now.
  6. First question is where to do validation. Important to note that client side is never the answer (for security): client side validation can be trivially bypassed by an attacker (commonly using proxy software such as Burp or WebScarab). Controller - has the advantage of validating your data as soon as it gets server-side. Disadvantage is that it’s not well tied to the model (so you end up potentially doing the validation multiple times as data enters the application from different angles). Model - makes most sense; the only problem is where input isn’t persisted to the database (so validation isn’t invoked). A lot of validation will try to block “known bad” input. This is ultimately a failing strategy: 1. You need to keep up to date with the bad stuff (fancy changing your application every time something new comes out?). 2. The bad guys think up new ways pretty frequently (ha.ckers.org/xss.html). White list is the right way to go...
  13. Lots of examples of this problem available on the Internet. xssed.com contains an archive of sites that are vulnerable to XSS; if you look there you’ll see a wide variety of well known sites. A lot of people think of XSS as just being something that a hacker can use to bring up a “pop up box”, but if you consider the power of JavaScript then you’ll realise that there’s a lot more to it than that. Examples would be site defacement, phishing attacks, and even things like port scanning.
  16. So the best way to protect your application from XSS is to filter input before it gets stored. This can be done in a number of ways. Blacklist filtering attempts to filter “bad stuff”; it is inherently unreliable, as hackers (both white and black hat) are constantly finding new ways to bypass this kind of filter. Whitelist filtering is much more reliable: it basically takes the approach of only allowing “known good” input. Next choice is where to filter, in the controller or in the model. Good sense may say that this is a data issue, so the model is the best place to handle it. Unfortunately this can leave edge cases where the data which is input isn’t persisted to a model immediately, but is passed on to another view via the controller (think preview), so I’d say the controller is the best place for this kind of input validation. Some plugins to help for your Rails app: sanitize_params is a good one and is pretty effective, but it may cause some problems with fields that need HTML code. xss_terminate is another option. It works at the model level, so remember the potential for it not to be brought into play.
  21. One nice thing about Rails is that it’s pretty hard to make a page susceptible to SQL injection. As long as you use standard ActiveRecord syntax it will escape the parameters and avoid the problem. It is still possible to come up with problems -- SecurityFocus advisory on Rails: “Ruby on Rails ':offset' And ':limit' Parameters SQL Injection Vulnerabilities. Ruby on Rails is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in SQL queries. A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database. Versions prior to Ruby on Rails 2.1.1 are affected.” This only applied to limited cases (where offset or limit were user settable) but demonstrates the problem.
  26. Standard problem is that web applications are stateless. Problem is that your session ID is essentially the same as your password for the duration of the session: if an attacker steals your session ID they can impersonate you. Session expiry is also a problem.
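To make the session-expiry point concrete, here is an added example (not from the slides, and not Rails' session store) of an in-memory store that applies both an absolute lifetime and an idle timeout, and that invalidates server-side on logout. The class, its timeouts and the injectable clock are all assumptions made for the example; a Rails application would apply the same checks in a before_filter against its own store.

```ruby
# Added example: hypothetical session store with absolute and idle expiry.
require "securerandom"

class SessionStore
  ABSOLUTE_TTL = 8 * 3600   # assumption: 8 hours maximum life, regardless of activity
  IDLE_TTL     = 30 * 60    # assumption: 30 minutes without a request ends the session

  # The clock is injectable so expiry can be exercised without sleeping.
  def initialize(clock = -> { Time.now })
    @clock = clock
    @sessions = {}
  end

  # A fresh, unguessable id: 128 bits from the OS CSPRNG, hex-encoded.
  def create(user_id)
    id = SecureRandom.hex(16)
    now = @clock.call
    @sessions[id] = { user_id: user_id, created_at: now, last_seen: now }
    id
  end

  # Returns the user id for a live session (refreshing its idle timer),
  # or nil if the id is unknown or expired. Expired entries are dropped.
  def lookup(id)
    s = @sessions[id]
    return nil unless s
    now = @clock.call
    if now - s[:created_at] > ABSOLUTE_TTL || now - s[:last_seen] > IDLE_TTL
      @sessions.delete(id)
      return nil
    end
    s[:last_seen] = now
    s[:user_id]
  end

  # Logout must invalidate server-side; clearing the browser cookie alone
  # leaves a stolen id usable until it times out.
  def destroy(id)
    @sessions.delete(id)
  end

  # After login, issue a new id so any value observed before authentication
  # stops working.
  def rotate(id)
    s = @sessions.delete(id)
    return nil unless s
    new_id = SecureRandom.hex(16)
    @sessions[new_id] = s
    new_id
  end
end

if __FILE__ == $PROGRAM_NAME
  store = SessionStore.new
  sid = store.create(42)
  puts "live session for user #{store.lookup(sid)}"
  store.destroy(sid)
  puts "after logout: #{store.lookup(sid).inspect}"
end
```

The idle timeout bounds how long a captured id stays useful after the victim walks away; the absolute lifetime bounds it even for an active victim. Both checks happen on every lookup, so an expired id is refused before any controller code sees the user.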
29. On SSL_requirement: if your site does the majority of its work over SSL then it's best just to force the whole site over SSL, rather than leaving the index/login page unencrypted. An unencrypted login page leaves the site open to a wide range of attacks around interception and/or rewriting of forms.
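One way to enforce "the whole site over SSL" at the edge of the application, as an added example that is neither code from the slides nor the ssl_requirement plugin: a Rack-style middleware that redirects every plain-HTTP request to its HTTPS equivalent, so the login form is never delivered in the clear. The class, the inner app and the request environments are constructed for the example; the forwarded-proto header is honoured on the assumption that a TLS-terminating proxy in front of the app sets it and strips any client-supplied copy.

```ruby
# Added example: hypothetical middleware that forces HTTPS for every request.

class ForceSSL
  def initialize(app, permanent: true)
    @app = app
    @status = permanent ? 301 : 302
  end

  def call(env)
    return @app.call(env) if https?(env)
    target = "https://#{env['HTTP_HOST']}#{env['PATH_INFO']}"
    qs = env['QUERY_STRING']
    target += "?#{qs}" if qs && !qs.empty?
    [@status, { 'Location' => target, 'Content-Type' => 'text/plain' }, ['Redirecting to HTTPS']]
  end

  private

  # Either the server itself spoke TLS, or the reverse proxy in front of it
  # did and says so (assumption: the proxy overwrites this header).
  def https?(env)
    env['rack.url_scheme'] == 'https' || env['HTTP_X_FORWARDED_PROTO'] == 'https'
  end
end

# Constructed inner app standing in for the Rails application.
INNER_APP = ->(_env) { [200, { 'Content-Type' => 'text/plain' }, ['login form']] }
FORCED    = ForceSSL.new(INNER_APP)

# Build a minimal Rack env and run it through the middleware.
def request(scheme, path, query = '')
  FORCED.call('rack.url_scheme' => scheme, 'HTTP_HOST' => 'example.test',
              'PATH_INFO' => path, 'QUERY_STRING' => query)
end

if __FILE__ == $PROGRAM_NAME
  status, headers, _ = request('http', '/login', 'next=%2Faccount')
  puts "#{status} -> #{headers['Location']}"   # plain HTTP is bounced to HTTPS
  status, _, body = request('https', '/login')
  puts "#{status} #{body.join}"                 # HTTPS reaches the application
end
```

Because the check runs before any controller, there is no per-page list to keep in sync as routes are added, which is the practical advantage of forcing the whole site rather than marking individual actions as SSL-required.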
