Not logged in | Login

My Security Planet » Ruby on Rails Security Project » May 2009

Feeds

13616 items (0 unread) in 75 feeds

WebSecurity

Security

SEO

SEO

Tools

Tools

Opensourcetesting.org News

Ruby on Rails Security Project

Hacking Ruby on Rails @ RailsWayCon09

Posted: May 29th, 2009, 7:14am CDT by Heiko

Tags: [edit]

I'm back from the nice RailsWayCon(ference) in Berlin. I did a session on Ruby on Rails Security, check out the slides:

Hacking Ruby on Rails at Railswaycon09
Securing A Website With Client SSL Certificates

Posted: May 12th, 2009, 7:57am CDT by Heiko

Tags: [edit]
In the comments of the last article Morgan came up with the idea of client SSL certificates to secure the admin panel. This is not authentication in a classical sense, it is saying which SSL certificates (which you self-signed) you allow to access a particular site. This is a better solution than limiting the access to various IP adresses when you are a work nomad and you have to access it from different parts in the world.

The steps to do this are:
1. Setup OpenSSL to become a Certificate Authority (CA)
2. Create a root CA key
3. Create a key for the (sub)domain in question
4. Setup your web server
5. Create a client certificate and install it in your browser
Here is the HOWTO: Securing A Website With Client SSL Certificates
[WebAppSec] Twitter's admin panel compromised

Posted: May 1st, 2009, 7:19am CDT by Heiko

Tags: [edit]
One of the best known Rails application, Twitter, was compromised very recently. A French hacker claimed that he gained access to Twitter's admin panel at https://admin.twitter.com/. Twitter confirmed that an outside individual gained access to details of several accounts, including accounts from Ashton Kutcher, Lily Allen, Britney Spears and Barack Obama.

It seems that the hacker gained access to a Yahoo Mail account of a Twitter employee by answering his "secret question" and thus he could reset the password and access his mail account. In one of the e-mails he found the Twitter administration password.

Here is list of must-have security countermeasures for admin panels:
- Don't make the admin panel publicly available unless you really have to! It seems that admin.twitter.com was secured with a .htaccess file. I recommend to at least allow access only from several IP addresses.
- Don't make admin panels pretty, make sure they are Cross-Site Scripting and CSRF-safe! A simple message to the support panel containing Cross-Site Scripting is sometimes already enough to gain access to the panels.
- Forgotten passwords are a huge problem. Resetting it with a simple answer to an easy question is definitely not enough. Sending a password-reset URL to an e-mail address is currently one of the best solutions (but it isn't totally secure).
- It seems that everyone with access to the Twitter admin panel may do everything. Why can everyone download "emails to gzipped CSV file"? Why not require to re-enter another password for sensitive actions or use a role-based admin user model?
- Someone suggested using authentication tokens that provide a randomly generated key upon login
I wrote about this already a while ago.

← April 2009 (3 items) June 2009 (2 items) →