is your ruby application secure? montreal.rb - 2015-12-15
Is your Ruby application secure?
Frédéric Harper
@fharper
http://immun.io
Sr. Technical Evangelist @ IMMUNIO
Montreal.rb – 2015-12-15
Creative Commons: https://flic.kr/p/jtwBJU
SQL injection vulnerabilities allow attackers to modify the structure of SQL
queries in ways that allow for data exfiltration or manipulation of existing data.
SQL Injection (SQLi)
Cross-Site Scripting (XSS) vulnerabilities allow attackers to run arbitrary code on
your pages in your customers' browsers.
§ Hijack of legitimate user sessions
§ Disclosure of sensitive information
§ Access to privileged services and functionality
§ Delivery of malware and browser exploits from our trusted domain
Cross-Site Scripting
Remote Command Execution vulnerabilities allow attackers to run arbitrary code
on your servers.
There are two classes of Remote Command Execution:
1. Shell Command Execution
2. Eval Execution
Remote Command Execution
• Brute force
• Common username
• Cookie tampering
• CSRF tampering
• Excessive 4XX & 5XX
• HTTP method tampering
• HTTP response splitting
• Redirect
• Session farming
• Session hijack
• Stolen account
• Shellshock
• Suspicious Exception
• Suspicious HTTP header
• Unauthorized file access
• Username hijack
…
# unsafe
Project.where("login='#{params[:name]}' AND password='#{params[:password]}'").first

# safe - array or hash w/ ActiveRecord
Project.where("login = ? AND password = ?", name, password).first
Project.where(login: name, password: password).first
no strings attached
# Clean up an HTML fragment & CSS in <style> elements or style attributes
Sanitize.fragment(html, Sanitize::Config::RELAXED)

html = '<b><script>alert("Most terrible XSS ever")</script></b>'
Sanitize.fragment(html, Sanitize::Config::RELAXED)
# => '<b>alert("Most terrible XSS ever")</b>'

html = '<b><a href="http://foo.com/">foo</a></b><img src="bar.jpg">'
Sanitize.fragment(html)
# => 'foo'
rgrove/sanitize
whitelist
Developers
§ Use a cryptographically slow hash function
(bcrypt & PBKDF2) to store passwords
§ Avoid eval() & friends
§ Stored procedures if possible
§ Up-to-date frameworks & libraries
Devops
§ HTTPS
§ Web Application Firewall (WAF)
§ Intrusion prevention systems (IPS)
§ Up-to-date platform & infrastructure
trust… or not
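The "cryptographically slow hash function" bullet above, worked through in plain Ruby as an added example (not code from the talk): PBKDF2-HMAC-SHA256 from the standard library's OpenSSL binding, a per-user random salt, a self-describing stored record, and a constant-time comparison on verify. The record format and the helper names are this example's own choices.

```ruby
require "openssl"
require "securerandom"

# Added example, not from the original slides: PBKDF2-HMAC-SHA256 password storage.
PBKDF2_ITERATIONS = 100_000   # raise over time as hardware gets faster
PBKDF2_KEY_LENGTH = 32        # derived key bytes (SHA-256 output size)
SALT_LENGTH = 16              # random per-user salt bytes

# Returns "pbkdf2-sha256$<iterations>$<salt hex>$<hash hex>" so the parameters
# travel with the record and can be raised later without breaking old entries.
def hash_password(password, iterations: PBKDF2_ITERATIONS)
  salt = SecureRandom.random_bytes(SALT_LENGTH)
  key = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations,
                                 length: PBKDF2_KEY_LENGTH, hash: "sha256")
  ["pbkdf2-sha256", iterations, salt.unpack1("H*"), key.unpack1("H*")].join("$")
end

# Constant-time byte comparison: a mismatch takes the same time wherever it occurs.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Recomputes the derivation with the stored salt and iteration count and compares.
# Malformed or tampered records are rejected rather than raising.
def verify_password(record, password)
  algo, iterations, salt_hex, hash_hex = record.to_s.split("$", 4)
  return false unless algo == "pbkdf2-sha256" && iterations.to_s =~ /\A\d+\z/
  return false unless iterations.to_i >= 1
  return false unless salt_hex.to_s =~ /\A\h+\z/ && hash_hex.to_s =~ /\A\h+\z/
  salt = [salt_hex].pack("H*")
  expected = [hash_hex].pack("H*")
  actual = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations.to_i,
                                    length: expected.bytesize, hash: "sha256")
  secure_equal?(actual, expected)
end
```

The same record layout works for bcrypt via the bcrypt gem; what matters is that the salt is random per user and the cost parameter is stored so it can be raised later.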
Strengths
• Scales Well
• Finds issues such as buffer overflows and SQL injection flaws with high confidence
Weaknesses
• Many types of security vulnerabilities are very difficult to find automatically, such as
authentication problems, access control issues, insecure use of cryptography, etc.
• High numbers of false positives.
• Frequently can't find configuration issues, since they are not represented in the code.
• Difficulty analyzing code that can't be compiled (libraries, for example).
static code analysis
Runtime application self-protection (RASP) is a security technology that is built or
linked into an application or application runtime environment, and is capable of
controlling application execution and detecting and preventing real-time attacks.
RASP
IMMUNIO – Real-time web application security - https://www.immun.io/
OWASP Ruby on Rails Cheat Sheet - http://j.mp/1Osv95f
Bobby Tables: A guide to preventing SQL injection - http://bobby-tables.com/
XSS Filter Evasion Cheat Sheet - http://j.mp/1Q97hsW
Brakeman - http://brakemanscanner.org/
CVE (Common Vulnerabilities and Exposures) Details Ruby on Rails - http://j.mp/1OsguHn
Ruby Security - https://www.ruby-lang.org/en/security/
Rails SQL Injection - http://rails-sqli.org/