Ruby on Rails Security Project

Gem security updates, AWS auditing & password hash hacking: Rails ? digest #25

Updates — Mon, 26 Jun 2017 11:32:59 +0000

Hacker, Hack Thyself

A good read about the worst-case scenario, stolen password hashes. A rate of 600 passwords in 3 weeks seems to be possible even with slow algorithms.

Free tools for auditing the security of an AWS account

Comparing several authentication approaches and their security

Safari will soon come with an Intelligent Tracking Prevention to prevent privacy violations by advertisers and their tracking cookies.

Understanding the prevalence of web traffic interception

4-10% of encrypted web traffic is intercepted. Not all these interceptions are malicious. Antivirus solutions, firewalls perform interception mostly by installing their own certificate on the user’s machine. But the interception affects security due to basic cryptographic mistakes. Between 16-37% of the outgoing connections are easily vulnerable to man-in-the-middle attacks.

Want to add tests for your cookie and session flags?

Impersonate someone on Github? Use GPG signing.

Opinion on a new Rails commit which effectively introduces a global state to Rails apps

Security updates

All RabbitMQ versions before 3.6.9 have several XSS vulnerabilities and a medium one

The mail gem was vulnerable to header injection in versions < 2.5.5. All 2.6 versions were not vulnerable due to a bug. Install 2.6.6 to get the fix for the vulnerability.

New Apache HTTP Server Release Fixes Authentication Bypass, Denial-of-Service Flaws

The post Gem security updates, AWS auditing & password hash hacking: Rails ? digest #25 appeared first on Ruby on Rails Security Project.

Rails and web security reading list ? #24

Updates — Fri, 19 May 2017 14:12:27 +0000

New Rails 5.1 came out recently

It includes encrypted secrets and supports JS package mangers for easier updates. That’s important too because of JS vulnerabilities.

New version for authorization framework CanCanCan

Check and update your SSH keys with this easy command

Which security implications of the Serverless approach are better or worse?

And another post about serverless security issues

Replacing Disqus with Github Comments for less load time and far less tracking

Don’t repeat these 2FA design mistakes

Another Rails security checklist with a few bits

CloudFlare introduced TLS client-side authorization

Check your nginx config for security issues

Security Updates

PostgreSQL security update

The post Rails and web security reading list ? #24 appeared first on Ruby on Rails Security Project.

Rails and web security digest ⚡ #23

Updates — Mon, 10 Apr 2017 07:00:20 +0000

CodeBuild, Brakeman, and CodePipeline

How to set up AWS CodeBuild (a CI server) to run brakeman

Login/logout CSRF: Time to reconsider?

Rails GEMS Vulnerable to CSRF Show Vulnerability Disclosure in Open-Source Projects Needs a Re-Think

Content-Security-Policy Hackerone bypass

Check the popularity, maintenance and maturity of gems before using

Validation, Database Constraint, or Both?

Vulnerabilities

Update jQuery UI to 1.12.0

The post Rails and web security digest ⚡ #23 appeared first on Ruby on Rails Security Project.

Rails and web application security ? Sunday #22

Updates — Sun, 12 Mar 2017 12:57:34 +0000

Upcoming Rails 5.1 will contain encrypted secrets

The feature came in with this pull request and was inspired by the sekrets gem. This allows you to commit encrypted production secrets. The encryption happens using a master key which will live in an env var (production). Or in a git-ignored file (development). This video explains the process.

This Slack hack shows how not to use addEventListener and postMessage

They fixed it within 5 hours, but the pitfalls of the JS postMessage API might live in your code, as well. In short: Specify which origin may receive the message and validate the origin on the other side.

Used to Rails’ security? Check your plain Ruby code using Net::HTTP

The long discussion here makes clear (again) that we’ve to take good care of user input and Net::HTTP. Hint: Line breaks lead to HTTP header injection.

What about security if SSL/TLS fails?

The recent memory leak in Cloudflare showed various secrets to random visitors of these sites. Also, read these pragmatic thoughts about #Cloudbleed.

But 1Password shows us how important it is to think about the worst-case scenario. They use a Secure Remote Password protocol where the client and server prove their identity to each other.

Google introduces the invisible reCaptcha

Time to finally stop using SHA1

But also read the pragmatic thoughts of Linus Torvalds about the matter.

The post Rails and web application security ? Sunday #22 appeared first on Ruby on Rails Security Project.

Safer debugging, postmortem and security reading list ? #22

Heiko — Mon, 20 Feb 2017 13:45:50 +0000

Lots of web application security articles last week again. So here are the most interesting ones.

Phillip shares a way to color-code the PRY console in a production environment. He always has 2 debugging consoles open side by side. One in production and one in development. You know what can happen.
A good example of a postmortem for the Gitlab disaster, including the issue tickets. Similar steps might be needed after a security incident.
The Mozilla Security Bytes podcast starts with an episode on the ContentSecurity-Policy.
If you’re using Docker, there are now Docker secrets.
And did you ever write a commit message “remove password”? You’re not alone. Don’t use it again, it might be a public repository.

Security updates

These friends of Rails saw security updates last week:

Jenkins released new versions after fixing several security issues, including a high one.

The post Safer debugging, postmortem and security reading list ? #22 appeared first on Ruby on Rails Security Project.

Web application and Rails security reading list #21

Updates — Fri, 03 Feb 2017 14:33:19 +0000

Oh this, „… is the closest I’ve ever come to falling for a Gmail phishing attack.“, shows a real clever attack. An embedded fake attachment image sends you to a data:text/html address. The first part of it then is a plausible-looking Google URL. And only after lots of spaces, it actually loads the phishing site in an iframe. A lot to watch out for in 2017. Including this:

A short story about how encryption can go very wrong with a (Ruby) workflow we’re all guilty of using.

Automatic security update checks in the new Phusion Passenger

The ongoing Content-Security-Policy journey at Github.

This time focusing on images and dangling markup. That’s when an attacker injects an tag without closing it to extract the HTML of the rest of the page.

A new two-factor authentication lockout recovery process at Github: Using Facebook

The HTTPS-traffic via Firefox is now over 50% for the first time

There are now „Not Secure“ warnings for insecure pages with password and credit card input fields in Chrome and Firefox 51.

Mozilla’s coding and security checklist for their services

Ransom attacks turn to web apps, check your MongoDB, Elasticsearch, Redis, Cassandra, Hadoop

The post Web application and Rails security reading list #21 appeared first on Ruby on Rails Security Project.

Rails security reading list, vulnerabilities and browser news (? edition)

Updates — Fri, 13 Jan 2017 10:35:46 +0000

Welcome! Also in 2017 we want to find the right mix of security information, vulnerabilities in Rails’ friends and browser news. Let’s see what was interesting this week:

Several ‘exotic’ security HTTP headers tested

Saves you some time to try out all configuration options.

Invisible Captcha: Spam protection gem

It’s based on the honeypot strategy. That means you know it’s a spam bot if the invisible field is filled out.

Another Rails security checklist

CSRF vulnerability in rails_admin gem

Tool to detect TLS/SSL vulnerabilities and versions

This is probably only useful if you can’t use the Qualys SSL Server Test. For example in a restricted environment.

Version handling differences between RubyGems and npm

If you’re using both Node and Ruby, you might find this guide interesting.

New Content-Security-Policy (CSP) directive require-sri-for coming to Chrome

Subresource Integrity (SRI) is a mechanism by which user agents may verify that fetched scripts/styles have been delivered without manipulation. This CSP directive allows developers to require SRI for certain types of resources.

Important security updates

[ImageMagick] Critical buffer overflow vulnerability before version 7.0.2-7.
There were also several memory problems in the versions before.

The post Rails security reading list, vulnerabilities and browser news (? edition) appeared first on Ruby on Rails Security Project.

(Rails) security reading list and updates #19

Updates — Mon, 21 Nov 2016 14:37:15 +0000

This issue includes for the first time important security updates for Rails’ friends. I’ll include products that we use alongside Rails, for example nginx, Mysql, Redis. Products that have an automatic updater aren’t worth mentioning. Let’s get started with this weeks interesting (Rails) security articles:

Distrusting New WoSign and StartCom Certificates

Email Security – SPF

Protecting from XSS with Rails’ sanitize()

A video introduction to Rails’ sanitize(). While you might already know it, he also looks at how it’s useful against Javascript links in user profiles.

Rails API – throttling with Rack::Attack

An introduction to Rack::Attack and how to throttle requests.

How to quickly audit a Linux system from the command line

Be afraid of HTTP Public Key Pinning (HPKP)

Http Public Key Pinning went wrong for a major site.

Enforcing content security by default within Firefox

If you’re interested in the security internals of browsers, this will be for you. So this is how Firefox now centralizes all content security checks.

Observatory by Mozilla

A central place for all kinds of security checks: TLS, HTTP security headers, HSTS configuration.

Important security updates

[Gitlab] There were several important security update in the past for Gitlab.

[Mysql] Several critical security updates in a massive “Oracle Critical Patch Update Advisory”

[Memcached] Very critical vulnerabilities that allow for remote code execution

The post (Rails) security reading list and updates #19 appeared first on Ruby on Rails Security Project.

? Rails security update #18

Updates — Tue, 25 Oct 2016 11:10:54 +0000

Did you see the Bundler vulnerability recently? It seems Bundler switches to a different source every time it sees a new one in a Gemfile. Even if that source was only for one gem. So Bundler might load gems from unexpected sources. You’ve got that source in your Gemfile, so you already trust it to some extent. But we should probably use the several source blocks as described in the original blog post. And now for something completely different:

Exploiting CORS Misconfigurations for Bitcoins and Bounties

Some Cross-Origin Resource Sharing (CORS) misconfiguration misconceptions

Is Your Site Leaking Password Reset Links?

Password Reset URLs may be leaked to third-party tools via the Referer header. Fix this on your site if you care about a second layer of defense.

CSP Mitigator

A Content-Security-Policy test tool to come up with the best policy in the first place. By Google.

The post ? Rails security update #18 appeared first on Ruby on Rails Security Project.

Rails and web security digest #17

Updates — Thu, 29 Sep 2016 14:32:50 +0000

Since Let’s Encrypt started, the adaption of HTTPS picked up speed. In Firefox the percentage of HTTPS page loads is now at 42%. Browsers also campaign for it. More & more of them mark forms with sensitive information as insecure. More about this in today’s interesting security news: