ATLRUG Rails Security Presentation - 9/10/2014
Railsgoat
Introductions
• Ken Johnson
  – CTO @nVisium
  – Former LivingSocialite
  – Develops heavily in Rails
  – Railsgoat Co-Author
• Mike
  – Director of ProServ @nVisium
  – Former LivingSocialite
  – Isn’t here to defend himself, I can say what I want
  – Paler than me
  – Trendsetter of the “Skhaki”
Why?
• Why not?
• Lack of quality training available
• Assist all of you!
RAILSGOAT CONFIG
Railsgoat Current Config
• Rails 3.x
• Custom Authentication
• MySQL (optional) & SQLite
• Mailcatcher
• RSpec tests
• **Easy to find credentials**
Railsgoat Upcoming Config
• Rails 4.x
• Devise Authentication (w/ Tutorials)
• MySQL & SQLite (optional)
• Mailcatcher
• RSpec
• Open to suggestions
MODEL LAYER
Model Layer – Mass Assignment
• Mass Assignment
  – Not a huge issue in Rails 4, where strong parameters (params.require(...).permit(...)) whitelist attributes in the controller… unless you instantiate models with data *outside* the controller: a plain Hash built in a service object, background job or rake task is assigned unchecked, because ForbiddenAttributesError is only raised for an unpermitted ActionController::Parameters object
  – Rails 2 & 3 (don’t be ashamed, someone in this room is running 2.x): yes, very much a problem unless every model declares attr_accessible (or config.active_record.whitelist_attributes = true, available since 3.1, is set)
  – Audit for fun & profit
  – Ready, set, hack!
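The “outside the controller” caveat above, reduced to plain Ruby so it runs without Rails. This is an added example, not Railsgoat code: the `User` class, the `permit` helper and the `ATTACKER_PARAMS` hash are constructed stand-ins for an ActiveRecord model, strong parameters and a signup request body.

```ruby
require 'set'

# Stand-in for an ActiveRecord model: every key in the attributes hash becomes
# a setter call, which is exactly what mass assignment does.
class User
  attr_accessor :name, :email, :admin

  def initialize(attrs = {})
    @admin = false
    assign_attributes(attrs)
  end

  def assign_attributes(attrs)
    attrs.each { |k, v| public_send("#{k}=", v) }
    self
  end
end

# Stand-in for params.require(:user).permit(:name, :email): keep only the
# listed keys and silently drop the rest (including :admin).
def permit(raw, *allowed)
  allowed = allowed.map(&:to_s).to_set
  raw.select { |k, _| allowed.include?(k.to_s) }
end

# Constructed request body: the attacker added an "admin" field to the form.
ATTACKER_PARAMS = { 'name' => 'mallory', 'email' => 'm@example.test', 'admin' => true }.freeze

# Vulnerable: the raw hash reaches the model, e.g. from a service object or a
# background job that never went through the controller's permit call.
def build_user_unsafely(raw)
  User.new(raw)
end

# Hardened: whitelist first, whichever layer the data arrives in.
def build_user_safely(raw)
  User.new(permit(raw, :name, :email))
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe path, admin? #{build_user_unsafely(ATTACKER_PARAMS).admin}"
  puts "safe path,   admin? #{build_user_safely(ATTACKER_PARAMS).admin}"
end
```

The strong-parameters check lives in the controller, so the whitelist has to travel with the data; anything that builds a model from a hash it did not receive through `params` needs its own `permit`.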
Model Layer – Hashing/Encryption
• Hashing vs. Encryption (one-way for passwords; two-way only for data you must read back)
• Strong hashing algorithms (bcrypt/scrypt/PBKDF2 with a per-user salt and a work factor, not bare MD5/SHA-1)
• Strong encryption algorithms (AES in an authenticated mode such as GCM, with a fresh IV per message)
• Rack::Utils.secure_compare vs. “==” (constant-time comparison for tokens and digests; == returns at the first mismatching byte)
• Be careful how you re-use (keys, IVs and salts are the usual culprits)
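An added example (not Railsgoat code, and not the bcrypt-based path Rails’ has_secure_password uses) putting the four bullets side by side with only Ruby’s stdlib OpenSSL bindings: a salted PBKDF2 password hash, a constant-time compare written the way Rack::Utils.secure_compare works, and AES-256-GCM for the two-way case. `PBKDF2_ITERATIONS` is an assumed value to tune per deployment.

```ruby
require 'openssl'
require 'securerandom'

PBKDF2_ITERATIONS = 100_000 # assumption: raise until hashing takes ~100ms on your hardware

# One-way: salt + work factor, stored as "salthex$digesthex".
def hash_password(password, salt = SecureRandom.random_bytes(16))
  digest = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, PBKDF2_ITERATIONS, 32,
                                      OpenSSL::Digest.new('sha256'))
  [salt, digest].map { |b| b.unpack1('H*') }.join('$')
end

# Same idea as Rack::Utils.secure_compare: check length, then XOR every byte
# and OR the results so the loop never exits early. A plain == stops at the
# first differing byte, which leaks how many leading bytes a guess got right.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  acc = 0
  a.bytes.zip(b.bytes) { |x, y| acc |= x ^ y }
  acc.zero?
end

def verify_password(password, stored)
  salt_hex = stored.split('$').first
  recomputed = hash_password(password, [salt_hex].pack('H*'))
  secure_compare(recomputed, stored)
end

# Two-way: AES-256-GCM authenticates the ciphertext, so tampering is detected.
def encrypt(key, plaintext)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = key
  iv = cipher.random_iv          # fresh nonce per message; never reuse one under the same key
  cipher.auth_data = ''
  ciphertext = cipher.update(plaintext) + cipher.final
  { iv: iv, ciphertext: ciphertext, tag: cipher.auth_tag }
end

def decrypt(key, msg)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = key
  cipher.iv = msg[:iv]
  cipher.auth_tag = msg[:tag]
  cipher.auth_data = ''
  cipher.update(msg[:ciphertext]) + cipher.final
rescue OpenSSL::Cipher::CipherError
  nil                            # tag mismatch: ciphertext or tag was modified
end

# Flip one ciphertext bit to show that GCM refuses to decrypt it.
def tamper(msg)
  ct = msg[:ciphertext].dup
  ct.setbyte(0, ct.getbyte(0) ^ 0x01)
  msg.merge(ciphertext: ct)
end
```

`verify_password` compares the full stored string rather than just the digest so that the salt and digest are checked together; the comparison is still constant-time in the length of the input.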
Model Layer – SQL Injection
• ActiveRecord - Safe… well, sort of: values you bind with ? or a hash are quoted, but string fragments handed to where, order, group, pluck, calculate and friends go into the SQL as-is
• http://rails-sqli.org/ (catalogue of which ActiveRecord methods are exposed, with examples)
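An added example, not taken from Railsgoat or rails-sqli.org, showing the SQL text the two common `where` shapes would send. No database is needed: `quote` and `bind` are constructed stand-ins for the connection adapter’s quoting and for `where("col = ?", value)`, with single quotes doubled the way SQLite, MySQL and PostgreSQL expect in string literals.

```ruby
# Stand-in for connection.quote: integers and NULL pass through, strings are
# wrapped in single quotes with any embedded quote doubled.
def quote(value)
  case value
  when Integer then value.to_s
  when nil     then 'NULL'
  else "'#{value.to_s.gsub("'", "''")}'"
  end
end

# Stand-in for ActiveRecord's where("col = ?", value): every ? is replaced by
# a quoted bind value, so user input can never close the literal it sits in.
def bind(template, *values)
  raise ArgumentError, 'bind count mismatch' unless template.count('?') == values.size
  vals = values.dup
  template.gsub('?') { quote(vals.shift) }
end

# Constructed attacker input for a name lookup.
INJECTION = "' OR '1'='1"

# Vulnerable: same shape as User.where("name = '#{params[:name]}'")
def lookup_vulnerable(name)
  "SELECT * FROM users WHERE name = '#{name}'"
end

# Safe: same shape as User.where("name = ?", params[:name])
def lookup_bound(name)
  'SELECT * FROM users WHERE ' + bind('name = ?', name)
end

# Rough check on the generated SQL: one bound value is one string literal;
# injected input shows up as extra literals (and an extra OR clause).
def string_literal_count(sql)
  sql.scan(/'(?:[^']|'')*'/).size
end
```

Binding only protects values. Column names, `ORDER BY` directions and `LIMIT` clauses are not quotable, so they must be validated against a whitelist of expected strings before they reach any of the methods rails-sqli.org lists.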
PRESENTATION LAYER
Presentation Layer – XSS
• XSS = Cross-Site Scripting (aka HTML injection)
• html_safe: marks a string as trusted so Rails 3+ auto-escaping leaves it alone; calling it (or raw) on anything derived from user input re-opens the hole
• JSON 3.2x: JSON that Rails 3.2.x to_json emits into a view is not HTML-safe by itself; a string containing </script> inside a <script> block ends the block, so escape <, > and & as \u003c-style sequences before embedding
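An added example, not Railsgoat code, for the two bullets above. ERB::Util.html_escape is the stdlib function behind Rails’ `h` helper and auto-escaping, so it runs without Rails; plain Ruby has no html_safe, so unescaped interpolation stands in for it. `json_for_script` and `JSON_SCRIPT_ESCAPES` are constructed here and follow the same idea as ActiveSupport’s escape_html_entities_in_json.

```ruby
require 'erb'
require 'json'

# Constructed attacker input.
PAYLOAD = '<script>alert(document.cookie)</script>'

# What <%= user_input %> does by default in Rails 3+: the string is escaped.
def render_escaped(user_input)
  "<p>#{ERB::Util.html_escape(user_input)}</p>"
end

# What <%= user_input.html_safe %> (or raw user_input) does: verbatim output.
def render_html_safe(user_input)
  "<p>#{user_input}</p>"
end

# JSON inside a <script> block: HTML-escaping would corrupt the JSON, and raw
# JSON lets a string containing </script> close the block. Replacing <, >, &
# and the two JavaScript line terminators with \u escapes keeps the document
# valid JSON and inert as HTML.
JSON_SCRIPT_ESCAPES = { '<' => '\u003c', '>' => '\u003e', '&' => '\u0026',
                        "\u2028" => '\u2028', "\u2029" => '\u2029' }.freeze

def json_for_script(obj)
  JSON.generate(obj).gsub(/[<>&\u2028\u2029]/, JSON_SCRIPT_ESCAPES)
end

def render_script_tag(data)
  "<script>var data = #{json_for_script(data)};</script>"
end
```

The script-tag case is the one people miss when moving data into a view: the content is inside a script, so the HTML escaper is the wrong tool, yet the output still has to be unable to terminate the element it lives in.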
Presentation Layer – Browser Behavior
• Cookies
  – Client-side vs. Server-side: the default CookieStore keeps the whole session in the cookie (signed in Rails 3, encrypted in Rails 4), so its contents are readable by the client in Rails 3 and a captured cookie can be replayed after logout in both; server-side stores let you invalidate a session
• Headers
  – CSP (Content-Security-Policy)
  – secure_headers (gem that sets CSP, HSTS, X-Frame-Options and friends from one configuration)
LOGIC LAYER
Logic Layer – Insecure DOR (Insecure Direct Object Reference)
• Do not trust users: an id in params is a claim, not a permission, and guessing the next id is the whole attack
• Prevention: scope every lookup through the owner (current_user.orders.find(params[:id]) rather than Order.find(params[:id])), so a record the user does not own raises RecordNotFound instead of loading
Logic Layer - RCE
• Remote Code Execution
  – YAML: YAML.load on attacker-controlled input builds arbitrary Ruby objects; use YAML.safe_load (on Psych 4 / Ruby 3.1+, YAML.load is already the safe variant and YAML.unsafe_load is the old behaviour)
  – Marshal: Marshal.load is never safe on untrusted bytes (cookies, cache entries, job payloads); there is no safe variant, so use JSON for anything that crosses a trust boundary
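An added example, not Railsgoat code, showing both deserializers on constructed input. `AuditHook` is a stand-in for a real gadget class: it records that its marshal_load hook ran, which is the point at which attacker-supplied bytes start executing code. YAML.load is not called directly because its behaviour differs between Psych 3 and Psych 4; the safe variant is exercised instead.

```ruby
require 'yaml'

# Constructed gadget: Marshal.load allocates the object and calls marshal_load
# on it, so whatever is in that method runs on untrusted input.
class AuditHook
  def marshal_dump
    []
  end

  def marshal_load(_data)
    $deserialization_side_effect = 'marshal_load ran'
  end
end

# In a real attack these bytes arrive in a cookie, a parameter or a queued job.
def untrusted_marshal_payload
  Marshal.dump(AuditHook.new)
end

# Vulnerable: Marshal.load on data from outside the process.
def marshal_load_untrusted(bytes)
  $deserialization_side_effect = nil
  Marshal.load(bytes)
  $deserialization_side_effect
end

# A YAML document carrying a Ruby object tag, as an attacker would send it.
UNTRUSTED_YAML = <<~DOC
  --- !ruby/object:AuditHook
  ran: true
DOC

# Hardened: safe_load only builds scalars, arrays and hashes (plus classes you
# explicitly permit), so the tagged object is rejected instead of instantiated.
def yaml_safe_load_untrusted(doc)
  YAML.safe_load(doc)
rescue Psych::DisallowedClass
  :rejected
end

# Plain data is all that untrusted YAML should ever carry.
PLAIN_YAML = "name: alice\nroles: [reader]\n"
```

The Marshal half has no hardened counterpart on purpose: the fix is to not deserialize untrusted Marshal data at all, and to sign anything (cookies, cache keys) that you must round-trip through it.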
Logic Layer – Regexp
• Be careful with your Regular Expressions
• Subtle Logic Flaw (demo)
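The slide does not record which flaw the demo showed, so the following is an added example of the Ruby-specific anchor mistake that Brakeman warns about, assumed to be the usual suspect: in Ruby, ^ and $ match at the start and end of any line, while \A and \z anchor to the whole string. The inputs are constructed.

```ruby
# Looks like "letters, digits and underscore only", but only per line.
LOOSE  = /^[a-z0-9_]+$/i
# The string anchors. Note \z, not \Z: \Z still permits a trailing newline.
STRICT = /\A[a-z0-9_]+\z/i

GOOD = 'alice_01'
EVIL = "alice\n<script>alert(1)</script>"   # first line validates, payload rides behind it

def valid_username_loose?(s)
  s.match?(LOOSE)
end

def valid_username_strict?(s)
  s.match?(STRICT)
end

# Same trap in a model: validates :format, with: /^...$/ has the same hole in
# Rails 3. Rails 4 raises at boot on ^/$ unless multiline: true is passed.
```

Grep the code base for `^` and `$` inside `validates`, `=~` and `match` calls; Brakeman reports them as “format validation” warnings.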
Logic Layer - CSRF
• Somewhat well known aspects
  – Meta tag helper (csrf_meta_tags in the layout, so JavaScript requests can send the token)
  – On by default (protect_from_forgery in the generated ApplicationController)
  – protect_from_forgery filter checks the token on every request that is not GET or HEAD
• Not so well known…
  – `match` routes bypass: in Rails 3 a `match` route without `:via` answers every verb, so a state-changing action reachable by GET is never checked (Rails 4 requires `via:` on `match`)
  – Chain of execution is not halted: the Rails 3 default handle_unverified_request only resets the session, and the action still runs; raise in your override, or use Rails 4’s `protect_from_forgery with: :exception`
Logic Layer – Session Handling
• Logout
  – reset_session
  – Clear session values (reset_session drops the whole session; deleting only some keys leaves the old session id alive)
• Login
  – reset_session before storing the user id, so a session an attacker fixed before login cannot be reused
• before_filter(s)
  – Take a whitelist approach: require authentication in ApplicationController and skip_before_filter on the few public actions, instead of adding the filter controller by controller and forgetting one
• Base access decisions off the current_user, not off ids, roles or flags sent by the client
Logic Layer - Redirection
• redirect_to …. You scoundrel
• Why does this matter? redirect_to accepts any URL, so a user-supplied value is an open redirect: a phishing link lands on your domain and bounces to the attacker’s site, and “//evil.example” passes a naive “starts with /” check
• URI.parse() the value and check its scheme and host before redirecting
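An added example, not Railsgoat code, of the URI.parse check for a `return_to`-style parameter. `APP_HOST` is an assumption standing in for request.host; the shapes it rejects (scheme-relative, backslash, foreign host, non-http scheme) are the ones browsers would follow off-site.

```ruby
require 'uri'

APP_HOST = 'app.example' # assumption: use request.host in a controller

def safe_redirect_target(raw, fallback = '/')
  return fallback if raw.nil? || raw.strip.empty?
  # Browsers treat "//host", "\\host" and "///host" as network-path references
  # however URI.parse splits them, so refuse those shapes before parsing.
  return fallback if raw.include?('\\') || raw.start_with?('//')

  uri = URI.parse(raw)
  if uri.scheme
    # Absolute URL: only http(s) on our own host.
    return fallback unless %w[http https].include?(uri.scheme) && uri.host == APP_HOST
    return raw
  end
  # Relative reference: no host and a path rooted at "/".
  return fallback unless uri.host.nil? && uri.path.start_with?('/')
  raw
rescue URI::InvalidURIError
  fallback
end
```

In a controller this becomes `redirect_to safe_redirect_target(params[:return_to])`; the fallback is deliberately a fixed path rather than `:back`, since the Referer header is also client-controlled.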
Logic Layer – Authentication Tips
• Account Lock-Out (temporary, after N failed attempts, paired with rate limiting so the lockout itself is not a denial-of-service lever)
• Password Complexity
• Enumeration (same response and timing for “no such user” and “wrong password” on login, signup and password reset)
• Password Hashing (bcrypt via has_secure_password or Devise, never a bare digest)
• (heads-up) Covering Devise auth in upcoming release of Railsgoat
UNIT-TESTS & REGRESSION
Unit-Tests / Regression Testing
• Railsgoat has examples
  – RSpec
• Regression Testing
  – Why: a fixed vulnerability without a test comes back in the next refactor
  – How: write the spec that reproduces the bug first (the request that must be rejected), fix until it passes, and keep it in the suite
DEFENSIVE TOOLS
Defensive Tools
• Brakeman (static analysis of Rails code for the issue classes above)
• Bundler-Audit (checks Gemfile.lock against the Ruby advisory database)
• Ensnare
• Rack-attack (Rack middleware for throttling and blocking requests)
ROADMAP
Roadmap
• Use GitHub Issue Tracker
• Recap of upgrade effort
• Extensible, so looking for more contributors
Q&A
• Questions?
Free Subscription
• Send an email to [email protected]
• Subject line – ATLRUG Free Sub
  – We will set up on Friday
Contact
• Twitter:
  – @cktricky
  – @mccabe615
• Email:
  – [email protected]
  – [email protected]
• Railsgoat
  – http://railsgoat.cktricky.com
Thanks to the following
• Al Snow
• Jim Manico
• Jack Mannino
• Justin Collins
• Neil Matatall
• …and a bunch of other folks as well
THANK YOU ATLRUG