Ruby on Rails Security Projecthttp://www.rorsecurity.info/journal/en-US2010-07-30T10:37:03ZSquarespace Site Server v5.11.5 (http://www.squarespace.com/)Ruby on Rails 3 Security Updatedhttp://www.rorsecurity.info/journal/2010/6/8/ruby-on-rails-3-security-updated.htmlHeiko2010-06-08T12:13:13Zcross-site scripting rails ruby on rails security sql injection sqli web security xssI hold a talk about Rails 3 Security at the RailsWayCon10. It is about the new Cross-Site Scription protection in Rails 3, what is going to change in ActiveRecord and other Rails Security topics. You can find the presentation at Slideshare.

Ruby on Rails Security Updated (Rails 3) at RailsWayCon
View more presentations from heikowebers.

]]>XSS Weakness in strip_tags and some notes on parsing HTML/XMLhttp://www.rorsecurity.info/journal/2009/11/27/xss-weakness-in-strip_tags-and-some-notes-on-parsing-htmlxml.htmlHeiko2009-11-27T08:30:35ZThere is another Cross-Site Scripting (XSS) Weakness in the Rails method strip_tag(). The problem was found in the HTML::Tokenizer which has bugs when parsing non-printable ASCII characters.

According to the original post, this has been fixed in Rails 2.3.5 and there is a patch for the 2.2. branch. Earlier versions are unsupported. Upgrade to a newer version if you make use of this method.

The workaround is this:

Users using strip_tags can pass the resulting output to the regular escaping functionality:

  <%= h(strip_tag(...)) %>

However, this is not how it should be. The strip_tags() method should work correctly. The workaround does work, but strip_tags() is based on HTML::Tokenizer which uses a very naive approach to parsing HTML code. It is based on regular expressions to analyze the code. For serious/enterprise implementations, you should not use an error-prone parser library.

  • The REXML is a little better, but not very fast for large amounts of data. It has some bugs and it's not 100% standard compliant. For larger amounts of data, it may even be used to use a pull parser: REXML::Parsers::PullParser. Some people have successfully parsed HTML with it.
  • And there is libxml, which is a real parser, now with ruby bindings. We haven't used it with (X)HTML, though. It has a pull parser too, and its quite like the REXML pull parser. LibXML is an extensive C-library which might not available on exotic Linux-derivates or Windows. Nokogiri is also based on LibXML.
  • Update: If you're using JRuby, you can use tried and tested Java XHTML/XML parsers. For example Apache Xerces or the pull parser Woodstox which supports "almost well-formed" documents (like legacy (X)HTML content).
]]>Two vulnerabilities fixed in Rails 2.3.4http://www.rorsecurity.info/journal/2009/9/4/two-vulnerabilities-fixed-in-rails-234.htmlHeiko2009-09-04T11:11:49ZRails version 2.3.4 has been released to fix two vulnerabilities.

  • A timing weakness in the ClientCookieStore. Rails version 2.1.0 and all subsequent versions are affected. Detailed information can be found here.
  • And a XSS vulnerability in the way Rails handles Unicode. This affects all versions in the Rails 2 branch, but not applications running with Ruby 1.9.

Upgrade to version 2.3.4 now, or apply a patch (available on the pages linked above).

]]>DoS vulnerability in BigDecimalhttp://www.rorsecurity.info/journal/2009/6/10/dos-vulnerability-in-bigdecimal.htmlHeiko2009-06-10T07:40:00ZA Denial of Service (DoS) vulnerability was found in the BigDecimal standard Ruby library. An attacker could cause a segmentation fault and crash the Ruby interpreter. This is due to the BigDecimal method mishandling certain large values. Almost every Rails application is vulnerable to this because ActiveRecord relies on this method.

You are advised to update your Ruby installation. There is a temporary fix on Github. This fix breaks valid formats supported by BigDecimal, so you are advised to plan migrating to a new Ruby version.

]]>Vulnerability in Rails 2.3 HTTP Authenticationhttp://www.rorsecurity.info/journal/2009/6/4/vulnerability-in-rails-23-http-authentication.htmlHeiko2009-06-04T12:57:15ZThere has been a security vulnerability in Rails in the HTTP digest authentication in Rails 2.3. That way someone can authenticate without any user name and password. The HTTP basic authentication seems to be not vulnerable to this problem.

The problem arises in the authenticate_or_request_with_http_digest method which will proceed even if the user name check returns nil.

You can find out more, including countermeasures at Nate's blog and the Rails weblog.

]]>Hacking Ruby on Rails @ RailsWayCon09http://www.rorsecurity.info/journal/2009/5/29/hacking-ruby-on-rails-railswaycon09.htmlHeiko2009-05-29T12:14:24ZI'm back from the nice RailsWayCon(ference) in Berlin. I did a session on Ruby on Rails Security, check out the slides:

 

Hacking Ruby on Rails at Railswaycon09

 

]]>Securing A Website With Client SSL Certificateshttp://www.rorsecurity.info/journal/2009/5/12/securing-a-website-with-client-ssl-certificates.htmlHeiko2009-05-12T12:57:51ZIn the comments of the last article Morgan came up with the idea of client SSL certificates to secure the admin panel. This is not authentication in a classical sense, it is saying which SSL certificates (which you self-signed) you allow to access a particular site. This is a better solution than limiting the access to various IP adresses when you are a work nomad and you have to access it from different parts in the world.

The steps to do this are:

  1. Setup OpenSSL to become a Certificate Authority (CA)
  2. Create a root CA key
  3. Create a key for the (sub)domain in question
  4. Setup your web server
  5. Create a client certificate and install it in your browser

Here is the HOWTO: Securing A Website With Client SSL Certificates

]]>[WebAppSec] Twitter's admin panel compromisedhttp://www.rorsecurity.info/journal/2009/5/1/webappsec-twitters-admin-panel-compromised.htmlHeiko2009-05-01T12:19:42ZOne of the best known Rails application, Twitter, was compromised very recently. A French hacker claimed that he gained access to Twitter's admin panel at https://admin.twitter.com/. Twitter confirmed that an outside individual gained access to details of several accounts, including accounts from Ashton Kutcher, Lily Allen, Britney Spears and Barack Obama.

It seems that the hacker gained access to a Yahoo Mail account of a Twitter employee by answering his "secret question" and thus he could reset the password and access his mail account. In one of the e-mails he found the Twitter administration password.

Here is list of must-have security countermeasures for admin panels:

  • Don't make the admin panel publicly available unless you really have to! It seems that admin.twitter.com was secured with a .htaccess file. I recommend to at least allow access only from several IP addresses.
  • Don't make admin panels pretty, make sure they are Cross-Site Scripting and CSRF-safe! A simple message to the support panel containing Cross-Site Scripting is sometimes already enough to gain access to the panels.
  • Forgotten passwords are a huge problem. Resetting it with a simple answer to an easy question is definitely not enough. Sending a password-reset URL to an e-mail address is currently one of the best solutions (but it isn't totally secure).
  • It seems that everyone with access to the Twitter admin panel may do everything. Why can everyone download "emails to gzipped CSV file"? Why not require to re-enter another password for sensitive actions or use a role-based admin user model?
  • Someone suggested using authentication tokens that provide a randomly generated key upon login

I wrote about this already a while ago.

]]>[Server] Nessus vulnerability scanner for networks and systemshttp://www.rorsecurity.info/journal/2009/4/30/server-nessus-vulnerability-scanner-for-networks-and-systems.htmlHeiko2009-04-30T13:34:09ZTenable Network Security has announced the release of Nessus 4 a short while ago. Nessus is a network vulnerability scanner that can be used to identify potential vulnerabilities in your systems and networks. You can use it to find open ports, unpatched software, configuration errors and possibly leaks of private data.

The software package consists of a client and server. The server keeps the scanner plugins up to date and the client performs the actual scan.

  1. Download the package from the homepage (you need to provide your e-mail address)
  2. Install it, start the server program and download the newest scanner plugins
  3. After you started the server, you can connect to it from the client
  4. Add an IP address on the left side and add scanner types to the right side (choose all plugins for a start)
  5. „Scan now“: The scan takes about 5 minutes


Nessus is available free of charge for non-enterprise and personal use. The commercial version (Professional Feed) costs $1,200 which you can evaluate for 15 days. Even a one-time check gives you a great overview of what a potential attacker would see.

]]>Hidden actions render templateshttp://www.rorsecurity.info/journal/2009/4/24/hidden-actions-render-templates.htmlHeiko2009-04-24T07:37:59ZSometimes you have to temporarely exclude actions from a controller or someone just forgot to remove legacy actions. The hide_action method can be used in controllers to hide the given methods from being callable as actions. However, it might not work as expected, because it still renders the template associated with it, but it doesn't call the code in the action method. This could be a security issue if the template contained only text or if it didn't throw errors on nil objects.

Now, one could think that moving an action to the protected or private part of the controller solves the problem and hides the methods from being callable as actions. No, this is the same problem. The only way to actually hide actions is to remove them altogether or remove the route for it. Remember that there might be the standard route still in place.

]]>