Notes on Ruby and Rails security issues

Author: Bo
Time: 2008-01-01

Since I did not know much about how secure Rails is, and drive2me asked about it on the forum http://www.ruby-lang.org.cn/,
I studied it a little. Here are some conclusions, partly to help drive2me answer his questions and partly as a memo for myself. I hope more people will study Rails security and write more secure webapps.

1. Ruby's security mechanisms
  See the "Locking Ruby in the Safe" chapter of "Programming Ruby".
  It mainly covers safe levels and tainted objects.

  Tainted objects: all external data is dangerous. For example, passing data submitted in a form to eval causes a very serious security problem.

  Any data entering the Ruby interpreter from outside can be marked as tainted;
  when the interpreter runs at a sufficiently high safe level, calling a dangerous method with tainted data makes Ruby raise SecurityError.

  The variable $SAFE sets Ruby's "level of paranoia". The lower the number, the less secure.
  $SAFE = 0: Ruby does not check how externally supplied (tainted) data is used. This is Ruby's default mode.
  $SAFE >= 1: Ruby does not allow tainted data to be used with potentially dangerous methods such as eval.
  $SAFE >= 2: Ruby does not allow program files to be loaded from globally writable locations.
  $SAFE >= 3: Ruby treats all newly created objects as tainted, and tainted objects cannot be untainted.
  $SAFE >= 4: Ruby effectively divides the running program into two parts, tainted and clean.

  Once $SAFE has been set, it cannot be lowered again.
  $SAFE is per thread: a new thread inherits the current value of $SAFE and may change its own value without affecting the other threads.
  This mechanism can be used to build a sandbox for running an external program. For example:
    f = File.open(filename, "w")
    f.print ...            # write the untrusted program into the file
    f.close
    Thread.start do
      $SAFE = 4
      load(filename, true) # true wraps the loaded file in an anonymous module
    end

  When a Proc object is created, the current safe level is stored in the object. If the Proc is tainted and the
  current safe level is higher than the safe level stored in the Proc, that Proc can no longer be used by other methods.

  Tainted objects: the Ruby interpreter automatically marks any object obtained from outside as tainted, for example
  a String read from an environment variable or from a file.
  Objects your program derives from a tainted object are also marked tainted, for example:
    y1 = ENV["HOME"]
    y1.tainted?   # => true

    y2 = y1[2, 4]
    y2.tainted?   # => true
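$SAFE was removed in Ruby 3.0 and the taint flags in Ruby 3.2, so the snippets above no longer run on a current interpreter. The following is an added example, not code from the page or from Ruby itself, that models the same mechanism in plain Ruby: an Untrusted wrapper stands in for the taint flag, data derived from it stays untrusted (as y1[2, 4] does above), and a guard refuses to pass untrusted data to eval, which is what $SAFE >= 1 enforced. The names Untrusted, Guard and external are hypothetical.

```ruby
# Added example (not from the page): a plain-Ruby model of tainted objects.
# $SAFE and taint are gone from Ruby 3.x; Untrusted, Guard and external are
# hypothetical stand-ins for that mechanism, not Ruby's removed API.

# Wraps a String that entered the program from outside (form field, ENV, file).
class Untrusted
  attr_reader :value

  def initialize(value)
    @value = value.to_s.dup.freeze
  end

  def tainted?
    true
  end

  # Data derived from untrusted data stays untrusted, like y1[2, 4] above.
  def [](*args)
    Untrusted.new(@value[*args])
  end

  def +(other)
    Untrusted.new(@value + other.to_s)
  end

  def to_s
    @value
  end

  # The only way back to a plain String is an explicit check: the block must
  # return true for the value, otherwise untainting is refused.
  def untaint
    raise SecurityError, "refusing to untaint #{@value.inspect}" unless yield(@value)
    @value.dup
  end
end

# Plays the role of $SAFE >= 1: a dangerous operation refuses untrusted input.
module Guard
  module_function

  def safe_eval(source, scope = TOPLEVEL_BINDING)
    raise SecurityError, "eval of untrusted data" if source.is_a?(Untrusted)
    eval(source.to_s, scope)
  end
end

# Marks a value as coming from outside, as the interpreter did for ENV and form data.
def external(string)
  Untrusted.new(string)
end

if __FILE__ == $PROGRAM_NAME
  y1 = external("/home/alice")   # constructed sample, stands in for ENV["HOME"]
  y2 = y1[2, 4]
  puts "#{y2} tainted? #{y2.tainted?}"
  begin
    Guard.safe_eval(external("1 + 2"))
  rescue SecurityError => e
    puts "refused: #{e.message}"
  end
  puts Guard.safe_eval(y1.untaint { |v| v.start_with?("/home/") }.inspect)
end
```

The point of the model is the same as Ruby's: the flag follows the data, not the variable, so slicing or concatenating an untrusted string does not launder it, and the only exit is a validation the programmer writes down explicitly.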


2. Common webapp security issues

  = SQL injection:
    Problem: external data is not escaped according to SQL's metacharacters (for example "'" and "\" are not escaped), so
         an attacker can change the WHERE clause conditions to add or delete data, or even execute arbitrary SQL statements.
    How to avoid it: Rails escapes these characters automatically. If you write your own conditions, limit or order clauses, it is
    your responsibility to escape these dangerous characters.
    Example:
    Wrong usage: Email.find_all "owner_id = 123 AND subject = '#{@params['subject']}'"
    Attack: submit the subject "' or 1 --".
    Solution:
      subject = @params['subject']
      Email.find_all ["owner_id = 123 AND subject = ?", subject]
      or: Email.find_by_sql "SELECT * FROM Email WHERE owner_id = 123 AND subject = #{Email.quote(subject)}"
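To see what the "?" form buys you, here is an added example, not Rails' code, that builds the WHERE clause both ways for the attack input above. quote_value and sanitize_sql_array are simplified stand-ins for what Rails does with a ["... = ?", value] conditions array; they use standard SQL quote doubling, whereas a real adapter also handles database-specific escapes such as MySQL's backslash.

```ruby
# Added example: why Email.find_all ["... subject = ?", subject] is safe and the
# interpolated form is not. These helpers are hypothetical, not Rails' own.

# Quote a Ruby value as a SQL literal: strings get single quotes, and any
# embedded single quote is doubled so it cannot terminate the literal.
def quote_value(value)
  case value
  when nil     then "NULL"
  when Integer then value.to_s
  else "'" + value.to_s.gsub("'", "''") + "'"
  end
end

# Replace each "?" in the template with the next quoted value, in order.
# gsub scans only the template, so a "?" inside a quoted value is never expanded.
def sanitize_sql_array(template, *values)
  values = values.dup
  unless template.count("?") == values.size
    raise ArgumentError, "placeholder/value count mismatch"
  end
  template.gsub("?") { quote_value(values.shift) }
end

# Vulnerable: the parameter is pasted straight into the WHERE clause.
def vulnerable_where(subject)
  "owner_id = 123 AND subject = '#{subject}'"
end

# Fixed: the parameter becomes a quoted literal, whatever it contains.
def safe_where(subject)
  sanitize_sql_array("owner_id = 123 AND subject = ?", subject)
end

if __FILE__ == $PROGRAM_NAME
  attack = "' or 1 --"              # the input from the text
  puts vulnerable_where(attack)     # the quote closes early, "--" comments out the rest
  puts safe_where(attack)           # the whole input stays inside one literal
end
```

In the vulnerable output the user's quote closes the literal and "--" turns the trailing quote into a comment, so the condition becomes "owner_id = 123 AND subject = '' or 1", which matches every row. In the quoted output the same characters are inert data.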

  = Cross-site scripting (CSS / XSS):
    Browsers use a cookie to track the user's session; XSS is a technique for stealing that cookie and, with it, the logged-in session.
    A cookie can only be accessed by the domain that created it. The simplest approach is therefore to plant malicious JavaScript on the target site (the site whose users' rights are to be stolen).
    When a user visits the target site, the page that opens executes the malicious JavaScript; because the code comes from the target site, it can read
    the user's current cookie and pass that data as a URL parameter to the attacker's web site.
    Example:
    Wrong wording: <%= @params['text'] %>
    Attack: submit the parameter as <script>alert(document.cookie)</script> and get the victim to open the attacked
    page, so that the victim's cookie is passed to the attacker's web site.
    Solution: HTML-escape every expression that is displayed on the page, using <%= h @params['text'] %>
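The two templates above, rendered against the attack payload, as an added example that is not part of the original post. ERB::Util.html_escape from the standard library is the function behind Rails' h helper; the template strings and the payload constant are constructed for the example.

```ruby
# Added example: the unescaped and the escaped ERB template from the text,
# rendered with Ruby's standard ERB. ATTACK_TEXT is the payload from the text.
require "erb"

ATTACK_TEXT = "<script>alert(document.cookie)</script>".freeze

# Wrong: the parameter is inserted into the page unchanged, so the browser
# parses the submitted <script> tag as markup and runs it.
def render_unescaped(text)
  ERB.new("<p><%= text %></p>").result_with_hash(text: text)
end

# Right: the value is HTML-escaped (what Rails' h does), so "<" becomes "&lt;"
# and the browser displays the payload as text instead of executing it.
def render_escaped(text)
  ERB.new("<p><%= ERB::Util.html_escape(text) %></p>").result_with_hash(text: text)
end

# A crude check a reviewer or a test suite can run over rendered output:
# user-supplied text should never produce a raw script tag.
def script_tag?(html)
  html.match?(%r{<script[\s>]}i)
end

if __FILE__ == $PROGRAM_NAME
  puts render_unescaped(ATTACK_TEXT)
  puts render_escaped(ATTACK_TEXT)
end
```

Escaping at output time is the rule the section states: the value is stored as submitted, and it is the template that decides how it is rendered.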

    XSS via an echo service: because an echo service returns whatever it receives unchanged, the attacker gets the victim to open a page that
    sends a JavaScript script (which passes the cookie along) to the echo service on the target site. When the browser receives the echo service's response, IE renders
    it as a page and executes the JavaScript, which sends the cookie to the attacker's web site. The attack page looks like this:
      <form action="http://target.domain:7/" method="POST">
        <input type="hidden" name="code" value="some_javascript_code_here" />
        <input type="submit" />
      </form>
    Solution: on the target server, turn off the echo service and any other services that could enable XSS (FTP, POP3, etc.).

    A website dedicated to recording XSS attacks: http://www.xssed.com/

  = Session hijacking:
  The attacker sniffs an insecure network, obtains someone else's cookie, and uses that cookie to log in to the target site.

    Solutions:
    * Tell the browser to send the cookie only over SSL:
      ActionController::Base.session_options[:

    * After a successful login, create a new session and copy into it all objects needed from the old session. This is done with the reset_session method.

  = Session fixation:
  The attacker tricks the victim into logging in with a session identifier that the attacker already knows.
  Step one: the attacker obtains a valid session identifier. Rails does not accept a session identifier supplied by the client in any form, whereas PHP does,
  so the attacker has to visit the target site to obtain a session identifier that Rails itself generated; in this respect Rails is safer than PHP.
  Step two: the attacker gets the victim's browser to log in using that session identifier; this is called "fixing" the session.
  One way to fix the session is to intercept the victim's network request midway and overwrite the session identifier returned by the target site.
  After the victim logs in, the attacker can use the victim's account until the victim logs out.

  Solutions:
  * Do not create sessions on public pages that do not need one: the controller's `session :off` method disables session creation for all of its actions.
  * After a successful login, create a new session with reset_session.
  * Set a suitable expiration time on the cookie.

  = Cross-site request forgery (CSRF)
  The attacker gets the victim to open a web page or an e-mail that contains an image link; the link makes the victim's browser, which is logged in to the site, issue a
  request the victim knows nothing about, such as changing the password, placing an order or deleting data. The attack uses a URL like:
  <img src="http://www.application.com/order/20/delete" />

  Solutions:
  * Use GET and POST correctly: GET reads data, POST modifies data.
  * Use the CSRF-Killer plugin to add a request token to forms.
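The session-fixation and CSRF fixes above share one mechanism, the server-side session, so here is one added example for both; it is not Rails' or CSRF-Killer's code. SessionStore is a hypothetical in-memory store: login discards the old session id and issues a new one (what reset_session does, so an id the attacker fixed beforehand dies at login), and state-changing requests must be POST and carry the session's request token (what the plugin adds to forms). Ids and tokens come from SecureRandom.

```ruby
# Added example: session rotation on login and a per-session CSRF token.
# SessionStore is hypothetical; it is not Rails' session store.
require "securerandom"

class SessionStore
  def initialize
    @sessions = {} # session id => data hash
  end

  # A visitor gets a fresh, unauthenticated session. The server generates the
  # id itself, so an id chosen by the client is never accepted.
  def create
    id = SecureRandom.hex(16)
    @sessions[id] = { "user" => nil, "csrf_token" => SecureRandom.hex(16) }
    id
  end

  def [](id)
    @sessions[id]
  end

  # Login: drop the old id and issue a new one (the reset_session step).
  # Anything that must survive the login would be copied across here.
  def login(id, user)
    @sessions.delete(id) or raise ArgumentError, "unknown session"
    new_id = create
    @sessions[new_id]["user"] = user
    new_id
  end

  def logged_in?(id)
    !!(@sessions[id] && @sessions[id]["user"])
  end

  # A state-changing request is allowed only as POST and only with the token
  # that was rendered into this session's form, so an <img src=...> cannot
  # trigger it: images are GET and the attacker's page cannot read the token.
  def authorize_mutation(id, method, token)
    return false unless method == "POST"
    session = @sessions[id] or return false
    secure_compare(session["csrf_token"], token.to_s)
  end

  private

  # Constant-time comparison, so the token cannot be recovered byte by byte
  # from response timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  store = SessionStore.new
  fixed = store.create                       # the id an attacker could have fixed
  current = store.login(fixed, "victim")     # login issues a new id
  puts "old id still valid? #{store.logged_in?(fixed)}"
  puts "new id logged in?   #{store.logged_in?(current)}"
  token = store[current]["csrf_token"]
  puts "POST with token:    #{store.authorize_mutation(current, "POST", token)}"
  puts "GET  with token:    #{store.authorize_mutation(current, "GET", token)}"
end
```

Two design points carry the weight: rotation happens at the privilege change (login), not merely at session creation, and the token check is tied to the session rather than to a global secret, so a token leaked from one user's page is useless for another user.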


3. Security hazards caused by improper use of Rails itself (the mass-assignment problem)
  = Creating records directly from forms, also known as the mass-assignment problem
  Common wording:
    <form method="POST" action="http://website.domain/user/register">
      <input type="text" name="user[name]" />
      <input type="text" name="user[password]" />
    </form>
    User.create(@params['user'])

  Attack: the attacker submits the same form with extra fields added:
    <form method="POST" action="http://website.domain/user/register">
      <input type="text" name="user[name]" />
      <input type="text" name="user[password]" />
      <input type="text" name="user[role]" value="admin" />
      <input type="text" name="user[approved]" value="1" />
    </form>
  Solution:
    attr_protected on the sensitive attributes, plus manual assignment: user.approved = sanitize_properly(@params['user']['approved'])
    attr_accessible :name, :password makes Rails refuse mass assignment of every attribute by default, unless
      the attribute is explicitly declared mass-assignable (attr_accessible).
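The attacker's form above, handled by a model that accepts every submitted attribute next to one that only accepts a declared list, as an added example that is not Rails' code. User is a constructed stand-in for an ActiveRecord model (attributes in a hash), ATTACK_PARAMS is the parsed form, and assign_accessible plays the role of attr_accessible :name, :password.

```ruby
# Added example: mass assignment with and without a whitelist. User and
# ATTACK_PARAMS are constructed for the example; nothing here is Rails' own.

class User
  ATTRIBUTES = %w[name password role approved].freeze
  attr_reader :attributes

  def initialize
    @attributes = { "role" => "user", "approved" => false }
  end

  # Vulnerable, like User.create(@params['user']): every column the form
  # names is written, including role and approved.
  def assign_all(params)
    params.each { |key, value| @attributes[key] = value if ATTRIBUTES.include?(key) }
    self
  end

  # Protected, like attr_accessible :name, :password: only listed keys are
  # mass-assigned. Returns the keys that were dropped so they can be logged.
  def assign_accessible(params, accessible = %w[name password])
    rejected = params.keys - accessible
    params.each { |key, value| @attributes[key] = value if accessible.include?(key) }
    rejected
  end

  # The sensitive attribute is set only by code that decided it deliberately,
  # never from the request.
  def approve!
    @attributes["approved"] = true
  end
end

# Constructed: what @params['user'] holds after the attacker's modified form.
ATTACK_PARAMS = {
  "name" => "mallory", "password" => "x", "role" => "admin", "approved" => "1"
}.freeze

def register_unprotected(params)
  User.new.assign_all(params)
end

def register_protected(params)
  user = User.new
  rejected = user.assign_accessible(params)
  warn "dropped mass-assignment of #{rejected.join(', ')}" unless rejected.empty?
  user
end

if __FILE__ == $PROGRAM_NAME
  p register_unprotected(ATTACK_PARAMS).attributes
  p register_protected(ATTACK_PARAMS).attributes
end
```

The rejected-keys list is worth logging: a request that tries to set role or approved through the registration form is a signal an operator wants to see.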

  = Security issues in Rails itself:
  http://blog.evanweaver.com/articles/2006/08/12/anatomy-of-an-attack-against-1-1-4/

4.

  Rails provides many security features, so developing a secure webapp is easier with Rails than with other webapp frameworks.
  Most of the security issues a webapp faces are common to all webapps and are not caused by Rails, and many of the security means Rails provides can make a webapp
  safer.

  Of course, Rails and Ruby themselves also carry some security risks, but these are neither fatal nor insurmountable; you do need to follow the security announcements on the official Ruby and Rails websites
  and upgrade promptly when a release comes out.

References:
  "Programming Ruby", 2nd edition (section 25.1, "Definition of the Safe Levels" table)
  http://www.rorsecurity.info/ruby-on-rails-security-cheatsheet/
  http://ianloic.com/insecurity_is_ruby_on_rails_best_practice
  http://www.lonerunners.net/blog/archives/1028-Rails-Security-Secure-your-Ruby-on-Rails-web-application.html
  http://sonjayatandon.com/05-2006/how-to- Secured-A--Build-file application Web-with-Ruby-ON-Rails /
  http://manuals.rubyonrails.com/read/chapter/47
  http://erlend.oftedal.no/blog/?blogid=20
  http://manuals.rubyonrails.com/read/book/8
  http://www.slideshare.net/amiable_indian/ruby-on-rails-security

About the author:
  Yang Bo, technical manager at Knot Letter Network Limited; Ruby and Rails hobbyist; SCJP; works in Java development.
  Research interests: search engines, AI, natural language processing, Ruby, Rails, OpenGL, OSGi

Origin blog.csdn.net/yangbo_hr/article/details/2008183