12. SQL Injection
@results = Micropost.where(
"content LIKE '%#{params[:query]}%'").all
SELECT `microposts`.*
FROM `microposts`
WHERE (content LIKE '%SEARCHSTRING%')
13. SQL Injection
SELECT `microposts`.*
FROM `microposts`
WHERE (content LIKE '%SEARCHSTRING%')
XXX')
UNION
SELECT 1, email, 1, 1, 1
FROM users --
14. SQL Injection
SELECT `microposts`.*
FROM `microposts`
WHERE (content LIKE '%XXX')
UNION
SELECT 1, email, 1, 1, 1
FROM users -- %')
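Added example, not part of the slides: plain Ruby that builds the slide 12 query both ways, so you can see the slide 13 payload rewrite the statement when interpolated, and stay inside one string literal when bound as a placeholder value. The quoting helper is a simplified stand-in for what ActiveRecord's `?` placeholders do, not the Rails implementation; `injected?` is a constructed check for the demo.

```ruby
# Vulnerable form (slide 12): user input is spliced straight into SQL.
def unsafe_search_sql(query)
  "SELECT `microposts`.* FROM `microposts` WHERE (content LIKE '%#{query}%')"
end

# Quote a value as a SQL string literal by doubling embedded single quotes,
# so user input can never terminate the literal. Simplified stand-in for
# the quoting ActiveRecord does behind a "?" placeholder.
def quote_literal(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Escape LIKE wildcards so "%" and "_" in user input match literally.
# Rails ships this as ActiveRecord::Base.sanitize_sql_like (4.2+).
def escape_like(value)
  value.to_s.gsub(/[\\%_]/) { |c| "\\#{c}" }
end

# Safe form: mirrors Micropost.where("content LIKE ?", "%#{query}%"),
# binding the whole pattern as one literal instead of splicing SQL text.
def safe_search_sql(query)
  pattern = "%#{escape_like(query)}%"
  "SELECT `microposts`.* FROM `microposts` WHERE (content LIKE #{quote_literal(pattern)})"
end

# Constructed check: blank out every string literal, then see whether more
# than one SELECT survives, i.e. whether input escaped the literal.
def injected?(sql)
  stripped = sql.gsub(/'(?:[^']|'')*'/, "?")
  stripped.scan(/\bSELECT\b/i).length > 1
end

# Constructed input: the payload from slide 13.
PAYLOAD = "XXX') UNION SELECT 1, email, 1, 1, 1 FROM users -- "

if __FILE__ == $0
  puts unsafe_search_sql(PAYLOAD)
  puts safe_search_sql(PAYLOAD)
  puts "unsafe injected? #{injected?(unsafe_search_sql(PAYLOAD))}"
  puts "safe injected?   #{injected?(safe_search_sql(PAYLOAD))}"
end
```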
21. XSS
The Attack:
Execute arbitrary code / defacement
JSON is not escaped by default
CSS can be injected as well
Countermeasures:
Never trust data from users
Use Markdown (e.g. Redcarpet gem)
30. CSRF
The Attack:
Attacker sends requests on the victim's behalf
Doesn't depend on XSS
Attacker doesn't need to be logged in
Countermeasures:
Use Rails CSRF default protection (do not override it)
Use GET only for queries (reads)
Use POST/DELETE/… when updating data
Add Sign-out link
34. Mass Assignment
def create
@user = User.new(params[:user])
...
end
{ :name => "gotcha",
:admin => true }
35. Mass Assignment - countermeasures
Blacklist
class User < ActiveRecord::Base
attr_protected :admin
...
end
36. Mass Assignment - countermeasures
Whitelist
class User < ActiveRecord::Base
attr_accessible
:name,
:email,
:password,
:password_confirmation
...
end
37. Mass Assignment - countermeasures
Global Config (whitelist)
config.active_record.whitelist_attributes = true
38. Mass Assignment
The Attack:
Unprotected by default :(
Countermeasures:
Whitelist
Blacklist
Strong Parameters (whitelist)
Rails 4
Logic moved to the controller
Available as a Gem