Is your Ruby application secure? Montreal.rb - 2015-12-15


TRANSCRIPT

Is your Ruby application secure?

Frédéric Harper

@fharper

http://immun.io

Sr. Technical Evangelist @ IMMUNIO

Montreal.rb – 2015-12-15

Creative Commons: https://flic.kr/p/jtwBJU

is security important?

Creative Commons: https://flic.kr/p/s8hvJo

do you have time?

Creative Commons: https://flic.kr/p/b7wRTX

do you have the expertise?

Creative Commons: https://flic.kr/p/n7qDvJ

do you have the money?

Creative Commons: https://flic.kr/p/rAG5dm

is your app that secure?

Creative Commons: https://flic.kr/p/bY6uU7

what about legacy apps?

Creative Commons: https://flic.kr/p/7fFQug

it’s probably happening, now

Creative Commons: https://flic.kr/p/acnkbU

...

I succeed if…

Creative Commons: https://flic.kr/p/ehZRGj

warning

Creative Commons: https://flic.kr/p/oosB

mess with the best

die like the rest

OWASP/railsgoat

railsgoat

SQL injection vulnerabilities allow attackers to modify the structure of SQL queries in ways that allow for data exfiltration or manipulation of existing data.

SQL Injection (SQLi)

Creative Commons: https://flic.kr/p/62a8aT

no password required

Creative Commons: https://flic.kr/p/62a8aT

proxy interception

Cross-Site Scripting (XSS) vulnerabilities allow attackers to run arbitrary code on your pages in your customers' browsers.

§  Hijack of legitimate user sessions

§  Disclosure of sensitive information

§  Access to privileged services and functionality

§  Delivery of malware and browser exploits from our trusted domain

Cross-Site Scripting

Creative Commons: https://flic.kr/p/62a8aT

what’s your name?

Remote Command Execution vulnerabilities allow attackers to run arbitrary code on your servers.

There are two classes of Remote Command Execution:

1.   Shell Command Execution

2.   Eval Execution.

Remote Command Execution
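Both classes named above, each in its unsafe and hardened form, as an added example that is not part of the original slides. `host` and `param` stand in for untrusted request parameters such as `params[:host]`; `ping` and `echo` are stand-ins for whatever the application really shells out to, and the `HOST_RE` allow-list is this example's own.

```ruby
require "open3"
require "shellwords"

# Constructed attacker input: a valid-looking host followed by a second
# command, which a shell would happily run.
PAYLOAD = "127.0.0.1; echo pwned"

# 1. Shell command execution, unsafe: a single string goes through /bin/sh,
#    so ";" splits it into two commands. Returned here, never executed.
def ping_command_unsafe(host)
  "ping -c 1 #{host}"
end

# Hardened (a): pass argv as separate arguments. No shell is involved, so
# the payload is one literal argument and the command just fails on it.
# `echo` is used so the example runs anywhere; the argv shape is the point.
def echo_argv(host)
  out, _status = Open3.capture2("echo", host)
  out.chomp
end

# Hardened (b): when a shell string is unavoidable, escape each argument
# with Shellwords so metacharacters lose their meaning.
def ping_command_escaped(host)
  "ping -c 1 #{Shellwords.escape(host)}"
end

# Belt and braces: validate the shape of the input before it goes anywhere
# near a command. Allow-list the characters you expect, do not deny-list.
HOST_RE = /\A[A-Za-z0-9.-]{1,253}\z/
def valid_host?(host)
  HOST_RE.match?(host)
end

# 2. Eval execution, unsafe: eval turns request data into Ruby code.
#    "10" works; "system('id')" works just as well for the attacker.
def page_size_unsafe(param)
  eval(param)
end

# Hardened: parse the type you actually expect. Integer() raises on
# anything that is not a whole number, and no code is ever evaluated.
def page_size(param)
  Integer(param)
rescue ArgumentError, TypeError
  nil
end

if __FILE__ == $PROGRAM_NAME
  puts ping_command_unsafe(PAYLOAD)   # two commands once a shell sees it
  puts ping_command_escaped(PAYLOAD)  # one escaped argument
  puts echo_argv(PAYLOAD)             # the payload comes back as plain text
  p page_size("system('id')")         # nil
end
```

The argv form (`system("ping", "-c", "1", host)` or `Open3.capture2(...)` with separate arguments) is preferable to escaping, because there is no shell to get the quoting wrong for.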

•  Brute force

•  Common username

•  Cookie tampering

•  CSRF tampering

•  Excessive 4XX & 5XX

•  HTTP method tampering

•  HTTP response splitting

•  Redirect

•  Session farming

•  Session hijack

•  Stolen account

•  Shellshock

•  Suspicious Exception

•  Suspicious HTTP header

•  Unauthorized file access

•  Username hijack

follow the

white rabbit

anything from users is unsafe

Creative Commons: https://flic.kr/p/m2BKPn

# unsafe
Project.where("login='#{params[:name]}' AND password='#{params[:password]}'").first

# safe - array or hash w/ ActiveRecord
Project.where("login = ? AND password = ?", name, password).first
Project.where(login: name, password: password).first
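What the placeholder form does to the "no password required" payload, as an added example that is not from the slides. The `bind` helper is a deliberately small stand-in for the quoting ActiveRecord performs for `where("... ?", value)` (its `sanitize_sql_array`); the table name `projects` and the payload are constructed for the example. Use the ORM in real code; this only shows the mechanism.

```ruby
# Quote one Ruby value as a SQL literal. A single quote inside a string is
# doubled, which is how SQL escapes it, so a quote in user input can never
# terminate the literal it sits in.
def sql_literal(value)
  case value
  when nil     then "NULL"
  when Integer then value.to_s
  when String  then "'#{value.gsub("'", "''")}'"
  else raise ArgumentError, "unsupported literal: #{value.class}"
  end
end

# Replace each ? in the template with a quoted literal, left to right.
# Raises if the number of placeholders and values disagree, so a query
# never silently runs with an unbound or an extra value.
def bind(template, *values)
  placeholders = template.count("?")
  unless placeholders == values.size
    raise ArgumentError, "expected #{placeholders} values, got #{values.size}"
  end
  template.gsub("?") { sql_literal(values.shift) }
end

# The unsafe form from the slide: user input is spliced into the query text.
def unsafe_login_query(name, password)
  "SELECT * FROM projects WHERE login='#{name}' AND password='#{password}'"
end

# The safe form: the same query built through the placeholder binder.
def safe_login_query(name, password)
  bind("SELECT * FROM projects WHERE login=? AND password=?", name, password)
end

# Constructed attacker input: close the login literal, then start a line
# comment so the password check is never evaluated (in dialects where
# "--" begins a comment).
PAYLOAD = "admin' --"

if __FILE__ == $PROGRAM_NAME
  puts unsafe_login_query(PAYLOAD, "")
  # SELECT * FROM projects WHERE login='admin' --' AND password=''
  puts safe_login_query(PAYLOAD, "")
  # SELECT * FROM projects WHERE login='admin'' --' AND password=''
end
```

In the unsafe output the comment marker swallows the password clause; in the bound output the whole payload, quote included, stays inside the login literal and is compared as a username.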

no strings attached

jeremyevans/sequel rom-rb/rom jgaskins/perpetuity

Object Relational Mapper

# Clean up an HTML fragment & CSS in <style> elements or style attributes
Sanitize.fragment(html, Sanitize::Config::RELAXED)

html = '<b><script>alert("Most terrible XSS ever")</script></b>'
Sanitize.fragment(html, Sanitize::Config::RELAXED)
# => '<b>alert("Most terrible XSS ever")</b>'

html = '<b><a href="http://foo.com/">foo</a></b><img src="bar.jpg">'
Sanitize.fragment(html)
# => 'foo'

rgrove/sanitize

whitelist

flavorjones/loofah rubyworks/htmlfilter

other sanitization libraries
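Sanitizing, as in the Sanitize example above, is for the case where some HTML must be kept. For the far more common case of displaying untrusted text, the defence against the XSS described earlier is output encoding at the point of rendering. An added example with Ruby's standard library (not from the slides or from any of the gems listed): `ERB::Util.html_escape` is what Rails's `h` helper calls, and the payload, `greet_*` and `link_*` functions are constructed for the example.

```ruby
require "erb"

# Constructed attacker input, same idea as the slide's payload.
PAYLOAD = "<script>alert('Most terrible XSS ever')</script>"

# Unsafe: interpolating raw user text into markup, as `raw`, `html_safe`
# or an ERB <%== %> tag would.
def greet_unsafe(name)
  "<p>Hello, #{name}</p>"
end

# Safe in element context: <, >, &, " and ' become entities, so the browser
# renders the payload as text instead of parsing it as a script element.
def greet_escaped(name)
  "<p>Hello, #{ERB::Util.html_escape(name)}</p>"
end

# Attribute context: escaping alone is not enough when the attribute is
# unquoted. A space ends the value and the rest is parsed as new attributes,
# and html_escape leaves spaces, "=" and parentheses untouched.
def link_unquoted(title)
  "<a title=#{ERB::Util.html_escape(title)}>x</a>"
end

# Quote the attribute, then escape: the payload cannot close the quotes
# (they become &quot;) and so stays inside the title value.
def link_quoted(title)
  "<a title=\"#{ERB::Util.html_escape(title)}\">x</a>"
end

# True when the output still contains a raw script tag, i.e. the input
# survived as markup rather than text.
def contains_script_tag?(html)
  html.include?("<script")
end

if __FILE__ == $PROGRAM_NAME
  puts greet_unsafe(PAYLOAD)                      # runs in the browser
  puts greet_escaped(PAYLOAD)                     # displays the text
  puts link_unquoted("x onmouseover=alert(1)")    # new event handler attribute
  puts link_quoted("x onmouseover=alert(1)")      # just a strange title
end
```

The second pair is why "escape everything" is necessary but not sufficient: the right encoding depends on where the value lands (element body, quoted attribute, URL, JavaScript), which is the point of the OWASP XSS cheat sheet referenced later.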

rubysec/bundler-audit using rubysec/ruby-advisory-db/

audit your gems

Creative Commons: https://flic.kr/p/62a8aT

bundle-audit

other audit tools

Developers

§  Use a cryptographically slow hash function (bcrypt or PBKDF2) to store passwords

§  Avoid eval() & friends

§  Stored procedures if possible

§  Up-to-date frameworks & libraries
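Storing and verifying a password with PBKDF2-HMAC-SHA256 from Ruby's standard library, as an added example that is not from the slides. In a Rails app the bcrypt gem behind `has_secure_password` is the usual choice; this shows the same ingredients (per-user random salt, high iteration count, constant-time comparison) without a gem. The record format, the `pbkdf2-sha256` label and the iteration count are this example's own choices.

```ruby
require "openssl"
require "securerandom"

ITERATIONS = 200_000   # tune so one derivation takes tens of milliseconds on your hardware
KEY_LENGTH = 32        # bytes of derived key
DIGEST     = "SHA256"

# Derive a key from the password and salt. Slow on purpose: an attacker
# who steals the table has to pay this cost per guess, per user.
def derive(password, salt, iterations)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations, KEY_LENGTH,
                             OpenSSL::Digest.new(DIGEST))
end

# Produce a self-describing record: algorithm, iterations, salt, key.
# Storing the parameters with the hash lets you raise the cost later
# without invalidating existing records.
def hash_password(password, iterations: ITERATIONS)
  salt = SecureRandom.random_bytes(16)
  key  = derive(password, salt, iterations)
  ["pbkdf2-sha256", iterations, [salt].pack("m0"), [key].pack("m0")].join("$")
end

# Compare two byte strings without stopping at the first mismatch, so the
# time taken does not leak how many leading bytes matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verify a candidate password against a stored record. Unknown algorithm
# labels are rejected rather than guessed at.
def verify_password(record, candidate)
  algo, iterations, salt_b64, key_b64 = record.split("$")
  return false unless algo == "pbkdf2-sha256" && salt_b64 && key_b64
  salt = salt_b64.unpack1("m0")
  key  = key_b64.unpack1("m0")
  secure_equal?(key, derive(candidate, salt, iterations.to_i))
end

if __FILE__ == $PROGRAM_NAME
  record = hash_password("correct horse battery staple")
  puts record
  p verify_password(record, "correct horse battery staple")  # true
  p verify_password(record, "Tr0ub4dor&3")                   # false
end
```

Never store or compare passwords in the SQL query itself, as the `where("login = ? AND password = ?")` slide does for brevity: fetch the record by login, then verify the hash in application code.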

Devops

§  HTTPS

§  Web Application Firewall (WAF)

§  Intrusion prevention systems (IPS)

§  Up-to-date platform & infrastructure

trust… or not

learn how

inform yourself

OWASP XSS Cheat Sheet

Strengths

•  Scales Well

•  Finds issues like buffer overflows and SQL injection flaws with high confidence

Weaknesses

•  Many types of security vulnerabilities are very difficult to find automatically, such as authentication problems, access control issues, insecure use of cryptography, etc.

•  High numbers of false positives.

•  Frequently can't find configuration issues, since they are not represented in the code.

•  Difficulty analyzing code that can't be compiled (code using libraries, for example).

static code analysis

Creative Commons: https://flic.kr/p/62a8aT

brakeman

thesp0nge/dawnscanner

other static code analysis

Runtime application self-protection (RASP) is a security technology that is built or linked into an application or application runtime environment, and is capable of controlling application execution and detecting and preventing real-time attacks.

RASP

Creative Commons: https://flic.kr/p/62a8aT

immunio

to infinity... and beyond!

Creative Commons: https://flic.kr/p/8Z1Cxm

thanks but

no thanks

stop

Creative Commons: https://flic.kr/p/gpVdD

I’m serious!

Creative Commons: https://flic.kr/p/9CG51N

plan for it

Creative Commons: https://flic.kr/p/5bn2nD

now.

Creative Commons: https://flic.kr/p/fA6vnM

nothing is 100% bulletproof

Creative Commons: https://flic.kr/p/hpE97

IMMUNIO – Real-time web application security - https://www.immun.io/

OWASP Ruby on Rails Cheat Sheet - http://j.mp/1Osv95f

Bobby Tables: A guide to preventing SQL injection - http://bobby-tables.com/

XSS Filter Evasion Cheat Sheet - http://j.mp/1Q97hsW

Brakeman - http://brakemanscanner.org/

CVE (Common Vulnerabilities and Exposures) Details Ruby on Rails - http://j.mp/1OsguHn

Ruby Security - https://www.ruby-lang.org/en/security/

Rails SQL Injection - http://rails-sqli.org/

www

Frédéric Harper

[email protected]

@fharper

http://outofcomfortzone.net

http://immun.io