ATLRUG Rails Security Presentation - 9/10/2014

ATLRUG RailsGoat Security Evening Presentation on 9/10/2014 by Ken Johnson

Railsgoat

Introductions

• Ken Johnson
  – CTO @nVisium
  – Former LivingSocialite
  – Develops heavily in Rails
  – Railsgoat co-author

• Mike
  – Director of ProServ @nVisium
  – Former LivingSocialite
  – Isn’t here to defend himself, I can say what I want
  – Paler than me
  – Trendsetter of the “Skhaki”

Why?

• Why not?
• Lack of quality training available
• Assist all of you!

RAILSGOAT CONFIG

Railsgoat Current Config

• Rails 3.x
• Custom authentication
• MySQL (optional) & SQLite
• Mailcatcher
• RSpec tests
• **Easy to find credentials**

Railsgoat Upcoming Config

• Rails 4.x
• Devise authentication (with tutorials)
• MySQL & SQLite (optional)
• Mailcatcher
• RSpec
• Open to suggestions

MODEL LAYER

Model Layer – Mass Assignment

• Mass assignment
  – Not a huge issue in Rails 4 (strong parameters)… unless you instantiate models with data from *outside* the controller, where the permit filter never ran
  – Rails 2 & 3 (don’t be ashamed, someone in this room is running 2.x): yes, very much a problem
  – Audit for fun & profit
  – Ready, set, hack!
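The point of the slide, as an added stand-alone example (not Railsgoat code, and no Rails dependency): a model that accepts the whole request hash lets the client set any column, `admin` included. The `permit` helper is a hypothetical stand-in for what Rails 4 strong parameters does with `params.require(:user).permit(:name, :email)`; the `User` class and the payload are constructed for the demo.

```ruby
# Added example (not Railsgoat code): plain Ruby stand-in for ActiveRecord
# mass assignment, showing why a model that accepts an attacker-controlled
# hash is dangerous and how a strong-parameters-style filter fixes it.

class User
  attr_accessor :name, :email, :admin

  def initialize
    @admin = false
  end

  # Mimics Rails 2/3 `User.new(params[:user])` with no attr_accessible:
  # every key in the hash becomes a setter call, `admin` included.
  def assign_attributes(attrs)
    attrs.each { |key, value| public_send("#{key}=", value) }
    self
  end
end

# Strong-parameters-style filter (hypothetical stand-alone equivalent of
# params.require(:user).permit(...)): keep only explicitly allowed keys.
def permit(params, allowed)
  params.select { |key, _| allowed.include?(key.to_s) }
end

PERMITTED_USER_ATTRS = %w[name email].freeze

# Vulnerable: trusts the whole payload. This is also what happens when a
# model is built from a queue message or API body that skipped the controller.
def signup_unsafe(payload)
  User.new.assign_attributes(payload)
end

# Hardened: only permitted attributes reach the model.
def signup_safe(payload)
  User.new.assign_attributes(permit(payload, PERMITTED_USER_ATTRS))
end

# Constructed attacker payload: the signup form only has name/email fields,
# but nothing stops a client from adding admin=true to the request.
EVIL_PAYLOAD = { "name" => "mallory", "email" => "m@example.test", "admin" => true }.freeze

if __FILE__ == $PROGRAM_NAME
  puts "unsafe -> admin=#{signup_unsafe(EVIL_PAYLOAD).admin}"
  puts "safe   -> admin=#{signup_safe(EVIL_PAYLOAD).admin}"
end
```

The filter lives outside the model on purpose: Rails 4 moved the decision into the controller, which is exactly why model instantiation from non-controller code (jobs, importers, API layers) needs its own permit step.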

Model Layer – Hashing/Encryption

• Hashing (one-way, for passwords) vs. encryption (reversible, needs key management)
• Strong hashing algorithms
• Strong encryption algorithms
• Rack::Utils.secure_compare instead of “==” when comparing secrets (timing)
• Be careful how you re-use keys, salts and IVs

Model Layer – SQL Injection

• ActiveRecord: safe… well, sort of (hash and bind-variable conditions are; raw SQL fragments passed to where/order/group/pluck and friends are not)
• http://rails-sqli.org/

PRESENTATION LAYER

Presentation Layer – XSS

• XSS = Cross-Site Scripting (aka HTML injection)

• html_safe / raw opt out of the default output escaping
• JSON in Rails 3.2.x
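An added example, not from the slides or from Railsgoat: Rails escapes `<%= %>` output for the HTML text context, and `html_safe` says "already escaped, trust me". That promise is only true if the string was escaped for the context it lands in, and a JSON blob dropped into a `<script>` block is a different context. The helpers below use only the Ruby stdlib (`ERB::Util.html_escape`, which Rails also uses, and `JSON`); the profile template and the attacker inputs are constructed for the demo, and the slide's "JSON 3.2x" detail is not reproduced here beyond the general script-context escaping.

```ruby
require 'erb'
require 'json'

# Added example (not Railsgoat code): two escaping contexts a Rails view
# commonly mixes, HTML text and JSON inside <script>.

# HTML text/attribute context: the same transformation Rails applies to
# strings that are not marked html_safe.
def html_text(value)
  ERB::Util.html_escape(value.to_s)
end

# JSON embedded in a <script> block: the HTML parser sees "</script>"
# before the JS parser ever runs, so the JSON must not contain "<", ">"
# or "&" literally. \u escapes keep the JSON valid and defuse the closing
# tag. U+2028/2029 are escaped because they terminate a JS string literal
# in older engines.
SCRIPT_UNSAFE = {
  "<" => '\u003c', ">" => '\u003e', "&" => '\u0026',
  "\u2028" => '\u2028', "\u2029" => '\u2029'
}.freeze

def json_for_script(obj)
  JSON.generate(obj).gsub(Regexp.union(SCRIPT_UNSAFE.keys)) { |m| SCRIPT_UNSAFE[m] }
end

# Renders a fragment using both contexts. Marking the result safe
# (html_safe in Rails) is only correct because each interpolation was
# escaped for its own context first.
def render_profile(display_name, prefs)
  <<~HTML
    <h1>#{html_text(display_name)}</h1>
    <script>var prefs = #{json_for_script(prefs)};</script>
  HTML
end

# Constructed attacker input for each context.
EVIL_NAME  = %q{<img src=x onerror="alert(1)">}
EVIL_PREFS = { "theme" => "</script><script>alert(document.cookie)</script>" }.freeze

if __FILE__ == $PROGRAM_NAME
  puts render_profile(EVIL_NAME, EVIL_PREFS)
end
```

`json_for_script` round-trips: the escaped output still parses back to the original object, so the browser's JS engine sees exactly the data intended while the HTML parser never sees a closing tag.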

Presentation Layer – Browser Behavior

• Cookies
  – Client-side (cookie store) vs. server-side session storage

• Headers
  – CSP (Content-Security-Policy)
  – secure_headers gem

LOGIC LAYER

Logic Layer – Insecure Direct Object Reference

• Do not trust user-supplied identifiers
• Prevention: scope every lookup to the authenticated user

Logic Layer - RCE

• Remote Code Execution
  – YAML
  – Marshal
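Why deserialization turns into code execution, as an added example that is not part of the slides or Railsgoat: `Marshal.load` and the classic `YAML.load` rebuild whatever objects the bytes name, so every class loaded in the process is available to the attacker; the dangerous ones in a real app are those with side effects in `marshal_load`, `init_with` or `method_missing`. `Gadget` below is a harmless constructed stand-in, and the payloads are constructed too. The safe path is `YAML.safe_load`, which yields only core scalars and collections and raises `Psych::DisallowedClass` on an object tag.

```ruby
require 'yaml'

# Added example (not Railsgoat code). Gadget is a benign stand-in for a
# class an attacker would pick for its side effects; here it only records
# the payload it was built with.
class Gadget
  attr_reader :payload

  def initialize(payload)
    @payload = payload
  end
end

# Unsafe: anything the bytes describe is instantiated, Gadget included.
# This is what a Marshal-backed session or cache does with untrusted input.
def restore_unsafe(blob)
  Marshal.load(blob)
end

# Hardened: safe_load produces only strings, numbers, arrays and hashes and
# rejects !ruby/object tags with Psych::DisallowedClass.
def restore_safe(yaml_text)
  YAML.safe_load(yaml_text)
end

# Wrapper returning nil instead of raising, for callers that treat a
# rejected document as a bad request.
def restore_safe_or_nil(yaml_text)
  restore_safe(yaml_text)
rescue Psych::DisallowedClass, Psych::SyntaxError
  nil
end

# Constructed attacker documents (a real attacker crafts these offline).
MARSHAL_PAYLOAD = Marshal.dump(Gadget.new("rm -rf /"))
YAML_PAYLOAD    = "--- !ruby/object:Gadget\npayload: rm -rf /\n"
BENIGN_YAML     = "---\nuser: alice\nroles:\n- reader\n"

if __FILE__ == $PROGRAM_NAME
  puts restore_unsafe(MARSHAL_PAYLOAD).class      # Gadget: attacker chose the class
  puts restore_safe_or_nil(YAML_PAYLOAD).inspect  # nil: object tag rejected
  puts restore_safe(BENIGN_YAML).inspect
end
```

The lesson carries over to anything that deserializes attacker bytes: prefer formats that cannot name classes (JSON, `safe_load`), and if Marshal is unavoidable, sign the blob so only the server can produce one.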

Logic Layer – Regexp

• Be careful with your regular expressions
• Subtle logic flaw (demo)
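The demo itself is not on the page; the classic Rails regexp logic flaw, shown here as an added example (not Railsgoat code), is anchoring a format check with `^` and `$`. In Ruby those match at line boundaries, so a value whose first line is well-formed passes even if the rest is attacker-controlled; `\A` and `\z` anchor the whole string. Rails 4 refuses such a pattern in `validates_format_of` unless `multiline: true` is given, for exactly this reason. The URL pattern and inputs are constructed for the demo.

```ruby
# Added example (not Railsgoat code): line anchors vs. string anchors.

# Subtle flaw: reads as "must be an http(s) URL", but ^ and $ only have to
# match at the start and end of *some line*.
URL_LINE_ANCHORED   = %r{^https?://[\w.-]+(/\S*)?$}

# Fixed: the entire value must match.
URL_STRING_ANCHORED = %r{\Ahttps?://[\w.-]+(/\S*)?\z}

def valid_url_flawed?(value)
  !!(value =~ URL_LINE_ANCHORED)
end

def valid_url?(value)
  !!(value =~ URL_STRING_ANCHORED)
end

# Constructed inputs: the second is what an attacker submits to a
# "homepage" field that is later rendered as a link.
GOOD_URL = "https://example.test/profile"
EVIL_URL = "https://example.test/\njavascript:alert(1)"

if __FILE__ == $PROGRAM_NAME
  [GOOD_URL, EVIL_URL, "javascript:alert(1)"].each do |v|
    puts "#{v.inspect}: flawed=#{valid_url_flawed?(v)} fixed=#{valid_url?(v)}"
  end
end
```

Brakeman flags the `^`/`$` form in `validates_format_of`, which is one reason it is on the defensive-tools slide later.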

Logic Layer - CSRF

• Somewhat well known aspects
  – Meta tag helper (csrf_meta_tags)
  – On by default
  – protect_from_forgery filter

• Not so well known…
  – `match` routes bypass: a `match` route without `via:` also answers GET, and the forgery check does not run on GET requests
  – Chain of execution is not halted: the default handle_unverified_request resets the session and lets the action run anyway

Logic Layer – Session Handling

• Logout
  – reset_session
  – Clear session values

• Login
  – reset_session (prevents session fixation)

• before_filter(s)
  – Take a whitelist approach: require authentication everywhere, skip it only for named public actions

• Base access decisions off the current_user, never off ids in the request
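The insecure direct object reference slide and the "base access decisions off the current_user" point are the same fix seen from two sides. This added example (not Railsgoat code, no Rails dependency) shows the vulnerable `Document.find(params[:id])` shape next to the scoped `current_user.documents.find(params[:id])` shape; the in-memory `DOCUMENTS` table and the two users are constructed for the demo.

```ruby
# Added example (not Railsgoat code): lookup by client-supplied id with and
# without scoping through the authenticated user.

class Document
  attr_reader :id, :owner_id, :body

  def initialize(id, owner_id, body)
    @id, @owner_id, @body = id, owner_id, body
  end
end

class User
  attr_reader :id

  def initialize(id)
    @id = id
  end
end

# Constructed data store standing in for the documents table.
DOCUMENTS = [
  Document.new(1, 100, "alice's tax return"),
  Document.new(2, 200, "bob's medical notes")
].freeze

# Vulnerable: Document.find(params[:id]). The id is the only input, so any
# authenticated user can walk the id space and read every document.
def show_document_vulnerable(params)
  DOCUMENTS.find { |d| d.id == params[:id].to_i }
end

# Hardened: current_user.documents.find(params[:id]). The query is scoped
# to the owner first, so another user's id yields "not found" instead of
# someone else's data. Non-numeric ids fall out the same way.
def show_document(current_user, params)
  DOCUMENTS.find { |d| d.owner_id == current_user.id && d.id == params[:id].to_i }
end

if __FILE__ == $PROGRAM_NAME
  alice = User.new(100)
  p show_document_vulnerable({ id: "2" })&.body  # bob's notes leak to alice
  p show_document(alice, { id: "2" })            # nil
end
```

In Rails the scoped form falls out naturally from associations (`current_user.documents.find`), which is why the slides tie access control to `current_user` rather than to an explicit ownership `if` after the fact.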

Logic Layer - Redirection

• redirect_to with a user-supplied URL… you scoundrel (open redirect)
• Why does this matter?
• URI.parse() the target and check the host before redirecting
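What "URI.parse() it" looks like in practice, as an added example (not Railsgoat code; Ruby stdlib only): the redirect target from the request is parsed, only same-origin paths or absolute URLs on an allow-listed host are accepted, and the response target is rebuilt from the parsed parts rather than echoing the raw string. `ALLOWED_HOSTS` and `DEFAULT_TARGET` are assumed values. Browsers accept more than `/path`, so the edge cases (`//evil`, userinfo `@` tricks, `javascript:`, backslashes) are handled explicitly.

```ruby
require 'uri'

# Added example (not Railsgoat code): validating a redirect target.

DEFAULT_TARGET = "/".freeze
ALLOWED_HOSTS  = %w[app.example.com].freeze   # assumed allow-list for the demo

def safe_redirect_target(raw, allowed_hosts = ALLOWED_HOSTS, fallback = DEFAULT_TARGET)
  return fallback if raw.nil? || raw.strip.empty?
  # Browsers normalise "\" to "/", turning "/\evil" into "//evil". URI.parse
  # rejects backslashes anyway; checking up front keeps the rule explicit.
  return fallback if raw.include?("\\")

  uri = begin
    URI.parse(raw.strip)
  rescue URI::InvalidURIError
    return fallback
  end

  # "javascript:", "data:", "ftp:" ... are never acceptable redirect targets.
  return fallback if uri.scheme && !%w[http https].include?(uri.scheme.downcase)

  query = uri.query ? "?#{uri.query}" : ""

  if uri.host.to_s.empty?
    # Relative reference: accept only a single-slash path. "//evil.example"
    # never reaches here (it parsed with a host); "///evil.example" either
    # parses with an empty authority and a plain path or is rejected below.
    path = uri.path.to_s
    return fallback unless path.start_with?("/") && !path.start_with?("//")
    return path + query
  end

  # "http://app.example.com@evil.example/" parses with host evil.example,
  # so the allow-list check rejects it; userinfo is never copied to the output.
  return fallback unless allowed_hosts.include?(uri.host.downcase)

  port = uri.port && uri.port != uri.default_port ? ":#{uri.port}" : ""
  "#{uri.scheme.downcase}://#{uri.host.downcase}#{port}#{uri.path}#{query}"
end

if __FILE__ == $PROGRAM_NAME
  ["/account", "//evil.example/", "https://evil.example/x", "javascript:alert(1)",
   "http://app.example.com@evil.example/", "https://app.example.com/reports?id=3",
   "/\\evil.example", "///evil.example"].each do |v|
    puts "#{v.inspect} -> #{safe_redirect_target(v)}"
  end
end
```

Rebuilding the target from parsed components is the part that matters most: even when a check is slightly too permissive, the browser receives a normalised string the server composed, not the attacker's original bytes.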

Logic Layer – Authentication Tips

• Account lock-out
• Password complexity
• Enumeration (same response for unknown user and wrong password)
• Password hashing
• (heads-up) Devise authentication is covered in the upcoming release of Railsgoat

UNIT-TESTS & REGRESSION

Unit-Tests / Regression Testing

• Railsgoat has examples
  – RSpec

• Regression testing
  – Why
  – How

DEFENSIVE TOOLS

Defensive Tools

• Brakeman (static analysis for Rails apps)
• Bundler-Audit (checks Gemfile.lock against known-vulnerable gems)
• Ensnare
• Rack-attack (throttling and blocking at the Rack layer)

ROADMAP

Roadmap

• Use the GitHub issue tracker
• Recap of upgrade effort
• Extensible, so looking for more contributors

Q&A

• Questions?

Free Subscription

• Send an email to contact@seccasts.com
• Subject line: ATLRUG Free Sub
  – We will set up on Friday

Contact

• Twitter
  – @cktricky
  – @mccabe615

• Email
  – ken@nvisium.com
  – mike@nvisium.com

• Railsgoat
  – http://railsgoat.cktricky.com

Thanks to the following

• Al Snow
• Jim Manico
• Jack Mannino
• Justin Collins
• Neil Matatall
• …and a bunch of other folks as well

THANK YOU ATLRUG