This course focuses on building secure Ruby on Rails applications. It covers the vulnerabilities deliberately built into Railsgoat, the OWASP project written by the instructor, together with a comprehensive discussion of how to implement Rails-specific defense mechanisms. Students will learn attack techniques specific to the Rails framework, and the OWASP Top 10 risks and controls will be covered at length as well.
After an overview of Ruby on Rails fundamentals, students will be immersed in finding and fixing the security flaws in the Railsgoat application. In addition to Rails-specific manifestations of the OWASP Top 10 vulnerabilities, students will learn about advanced topics such as remote code execution and metaprogramming vulnerabilities.
At the end of this course, attendees should understand how to review and protect their Rails applications, implement proactive defensive measures, and perform penetration testing geared towards Ruby on Rails applications.
High-level Course Outline:
- Secure use of cryptographic libraries
- Authentication system
• Password complexity
• Timing attacks
• User enumeration
• Account lockout
• Insecure forgot-password functions
- Authorization
• Insecure direct object reference
• Impersonation functionality
• Role-based access control
- Metaprogramming Issues
• Common flaws
• Secure usage of metaprogramming methods
- SQL Injection
• Scoping
• String interpolation or concatenation in queries
• Passing user input to methods that accept raw SQL fragments, such as pluck
- Insecure usage of validation functions
- Insecure application configuration(s)
- Cross-Site Scripting (XSS)
• Types of XSS
• XSS Context - JS, HTML, JSON, CSS
• Vulnerable templating language methods
• Demonstrating impact
• Content Security Policy (CSP) and the secure_headers RubyGem
- Session management issues
• Client-side (cookie-store) sessions
• Improper session destruction
• Session Fixation
- Remote Code Execution flaws
• Serialization libraries
- Misconfiguration in application settings
- Denial of Service
- Sensitive Data Exposure
• Model attribute exposure
• Application log handling
- Defensive Measures
• Guard
• Brakeman
• Bundler-Audit
• Security-focused unit tests
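As an added example (not code from the course or from Railsgoat) tying together three of the authentication items in the outline, timing attacks, user enumeration and insecure forgot-password functions, here is a stdlib-only Ruby password-reset token store. The class, its names, the 15-minute TTL and the in-memory storage are assumptions made for this illustration; in a Rails application ActiveSupport::SecurityUtils.secure_compare provides the constant-time comparison and the digest would live in a model.

```ruby
require "securerandom"
require "digest"

# Constant-time comparison. String#== stops at the first differing byte, so
# response time reveals how many leading bytes of a guessed token were right.
# This walks every byte and folds all differences into one accumulator, so
# the time taken depends only on the length. (Rails ships the same idea as
# ActiveSupport::SecurityUtils.secure_compare; this stdlib-only version is
# written for this example.)
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  acc = 0
  a.each_byte.with_index { |x, i| acc |= x ^ b.getbyte(i) }
  acc.zero?
end

# Hypothetical reset-token store standing in for a database table.
# Only the SHA-256 digest of a token is kept, so a leaked table does not yield
# usable tokens; tokens expire and are single-use; and a redeem attempt for an
# unknown user still performs a full digest comparison, so timing does not
# reveal whether that user has a pending reset (user enumeration).
class ResetTokenStore
  TTL = 15 * 60 # seconds; an assumption for this example
  # Digest compared against when there is no record, so the unknown-user path
  # costs the same as the known-user path.
  DUMMY = Digest::SHA256.hexdigest("no-such-record")

  def initialize
    @records = {} # user_id => { digest: String, expires_at: Time }
  end

  # Issue a fresh token for user_id; returns the plaintext token to send out.
  def issue(user_id, now: Time.now)
    token = SecureRandom.urlsafe_base64(32)
    @records[user_id] = { digest: digest(token), expires_at: now + TTL }
    token
  end

  # Returns true exactly once for a valid, unexpired token, false otherwise.
  def redeem(user_id, token, now: Time.now)
    record = @records[user_id]
    stored = record ? record[:digest] : DUMMY
    match = secure_compare(stored, digest(token.to_s)) # always runs
    return false unless record && match && now <= record[:expires_at]
    @records.delete(user_id) # single use
    true
  end

  private

  def digest(token)
    Digest::SHA256.hexdigest(token)
  end
end
```

Because both sides of the comparison are fixed-length hex digests, the length check in secure_compare never leaks anything about the submitted token, and the early returns in redeem all come after the comparison has already been paid for.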