Ruby on Rails

Please note this blog has been moved to blog.platform45.com

There’s been a lot of talk about real time web at Platform45 lately. All these discussions spurred on the creation of our first one-day app.

The idea behind our one-day apps are too conceptualize, design and develop an application in one working day.

Mentions will track a keyword as it is posted on twitter in realtime.

Try out Mentions. I find it strangely addictive!

Please note this blog has been moved to blog.platform45.com

 
     @user = User.new(params[:user])
 

 <% form_for @user do |f| %>
 <%= f.text_field :name %>
 <%= f.text_field :email %>
 ...

 <% form for @user do |f| %>
 <%= f.text_field :name %>
 <%= f.text_field :email %>
 <%= f.text_field :admin, :value => true %>
 ...

 
    attr_accessible :name, email
 

 rake audit:mass_assignment

Please note this blog has been moved to blog.platform45.com

The attack works by including a link or script in a page that accesses a site to which the user is known to have authenticated. Then a task is performed as the logged in user. 

Huh?

I could create an image tag

 <img src="http://target_site/account/transfer?1milliondollars&from.you.to.me>

or I could put it in a hidden iframe (*holds pinkie up to corner of mouth)

Because you have a valid cookie for the target site this will work. By using post requests for something like this makes it harder to do but still possible. You should be using post when changing the state of a resource anyway. 

What can I do?

From rails 2.0 we have a protect_from_forgery and a secret key. Rails helpers puts this key in every form request. This verifies that the request is coming from somebody using the page. It will protect all POST, PUT, DELETE requests.

If you’re using good ‘ol jQuery you’ll have to set this up yourself.

application_helper.rb

  def yield_authenticity_token
    if protect_against_forgery?
        "<script type='text/javascript'>
        //<![CDATA[
          window._auth_token_name = '#{request_forgery_protection_token}';
          window._auth_token = '#{form_authenticity_token}';
        //]]>
      </script>"
    end
  end

View

 <%= yield_authenticity_token %>

application.js

$(document).ready(function() {
 
	// All non-GET requests will add the authenticity token
  // if not already present in the data packet
  $("body").bind("ajaxSend", function(elm, xhr, s) {
    if (s.type == "GET") return;
    if (s.data && s.data.match(new RegExp("\\b" + window._auth_token_name + "="))) return;
    if (s.data) {
      s.data = s.data + "&";
    } else {
      s.data = "";
      // if there was no data, jQuery didn't set the content-type
      xhr.setRequestHeader("Content-Type", s.contentType);
    }
    s.data = s.data + encodeURIComponent(window._auth_token_name)
                    + "=" + encodeURIComponent(window._auth_token);
  });

Thank you Lawrence Pit for this code.

Please note this blog has been moved to blog.platform45.com

Lets take a simple example:

You allow a user to enter his company name.
You then display his company name at the top of his profile page.

We fetch the company name from the database and display it:

 <%= user.company.name %>

When another user visits the attacker’s profile page. A javascript alert dialogue will be displayed.

The attacker may have read my post on popup dialogues and decided to annoy you with one. But be warned, far more malicious code could be injected.

Solution? Use ruby’s escape_html method.

This will replace all characters that could be used for malicious input. We could simply rewrite the code above as:

 <%= h user.company.name %>
# h is an alias for html_escape

You need to escape all strings that could contain malicious content.
It is easy to forget just one string making your entire application vulnerable.

Being forgetful. I use the Safe ERB plugin.

Once installed it will raise an exception on each output string not escaped using the h( ) method.

If you wish to allow a string with formatting you can use the untaint method

 <%= (user.company.name).untaint %>