CSC/ECE 517 Fall 2014/ch1a 23 ss: Difference between revisions
Revision as of 02:25, 17 September 2014
Security Features in Rails 4.x
This wiki page highlights the security features of a popular web application framework, Rails 4.x: the threats they address, the insecure defaults of earlier versions that Rails 4 closes, and the issues that remain open.
Threats Against Web Applications
The threats against web applications include
user account hijacking
Session Hijacking
Vulnerabilities
-Session Hijacking: an attacker who obtains a user's session ID (by sniffing an unencrypted connection, through cross-site scripting, or by session fixation) can act as that user until the session expires.
-Replay Attacks for CookieStore Sessions: with the CookieStore the entire session lives in the client's cookie. A user can keep a copy of an earlier cookie and present it again; it is still validly signed, so the server restores the earlier state (for example a credit balance that has since been spent).
Guide to Mitigation
-Do not store large objects in a session. Store them in the database and keep only their id in the session; the cookie store is limited to 4 KB in any case.
-Critical data should not be stored in session. Keep it server side, where an old cookie cannot roll it back, and let the session hold identifiers only.
bypass of access control
reading or modifying sensitive data
presenting fraudulent content
Trojan horse
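As an added example (not code from the original page or from Rails itself), the stand-alone Ruby below models a Rails 4.0 style CookieStore cookie, signed the way ActiveSupport::MessageVerifier signs it (base64 payload, "--", hex HMAC-SHA1), and demonstrates the two session points above: the cookie is readable by anyone holding it, and an old but validly signed cookie can be replayed to restore already-spent credits, while a server-side store with only an id in the session is not affected. The secret, user ids and credit amounts are made up for the illustration, and JSON stands in for Marshal so the demo never deserialises attacker-supplied Ruby objects.

```ruby
require "openssl"
require "base64"
require "json"

# Hypothetical secret; stands in for the app's secret_token / secret_key_base.
SECRET = "example-secret-for-illustration-only"

# Build a signed cookie the way ActiveSupport::MessageVerifier does:
# base64(payload) + "--" + hex(HMAC-SHA1(secret, base64(payload))).
# JSON replaces Marshal so nothing here deserialises untrusted Ruby objects.
def sign_session(session, secret = SECRET)
  payload = Base64.strict_encode64(JSON.generate(session))
  "#{payload}--#{OpenSSL::HMAC.hexdigest('SHA1', secret, payload)}"
end

# Constant-time comparison so verification does not leak the digest byte by byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Check the signature and decode the session; nil for anything this secret did not sign.
def verify_session(cookie, secret = SECRET)
  payload, digest = cookie.to_s.split("--", 2)
  return nil if payload.nil? || digest.nil?
  return nil unless secure_compare(OpenSSL::HMAC.hexdigest("SHA1", secret, payload), digest)
  JSON.parse(Base64.strict_decode64(payload))
rescue ArgumentError, JSON::ParserError
  nil
end

# User-readable sessions: the signature proves who wrote the cookie but does
# not hide its contents, so the client can decode it without the secret.
def read_without_secret(cookie)
  JSON.parse(Base64.strict_decode64(cookie.split("--", 2).first))
end

# Vulnerable pattern: a prepaid credit balance kept inside the session cookie.
# Returns [new_cookie, status].
def spend_from_session(cookie, amount)
  session = verify_session(cookie)
  return [nil, :invalid_signature] unless session
  return [cookie, :insufficient] if session["credits"] < amount
  session["credits"] -= amount
  [sign_session(session), :ok]
end

# Replay: the client spends its 5 credits, then presents the original cookie
# again. It is still validly signed, so the server accepts it and the same
# 5 credits are spent twice.
def replay_attack_demo
  original = sign_session({ "user_id" => 42, "credits" => 5 })
  _after_spend, first = spend_from_session(original, 5)
  _replayed, second = spend_from_session(original, 5)
  { first: first, second: second }
end

# Forgery without the secret still fails: replay is a problem of where the
# state lives, not of the signature.
def forgery_demo
  forged = sign_session({ "user_id" => 42, "credits" => 500 }, "guessed-secret")
  verify_session(forged)
end

# Mitigation: keep critical state server side (a database row in a real app)
# and put only the lookup key in the cookie. An old cookie then carries
# nothing the client can roll back.
class ServerSideCredits
  def initialize
    @credits = Hash.new(0)
  end

  def deposit(user_id, amount)
    @credits[user_id] += amount
  end

  def spend(cookie, amount)
    session = verify_session(cookie)
    return :invalid_signature unless session
    user_id = session["user_id"]
    return :insufficient if @credits[user_id] < amount
    @credits[user_id] -= amount
    :ok
  end
end

def mitigated_demo
  store = ServerSideCredits.new
  store.deposit(42, 5)
  cookie = sign_session({ "user_id" => 42 })
  [store.spend(cookie, 5), store.spend(cookie, 5)]
end
```

replay_attack_demo returns {first: :ok, second: :ok}, which is the replay succeeding; mitigated_demo returns [:ok, :insufficient] because the second request finds the balance already gone on the server. Rails 4.1 later added an encrypted cookie store, which stops the client reading the cookie but on its own still does not stop replay; only moving the state off the client does.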
Security Enhancements
Insecure defaults of earlier Rails versions that Rails 4 closes (the items in this section and the next are taken from the Code Climate post on Rails' insecure defaults listed under Reference):
CSRF via Leaky #match Routes
Regular Expression Anchors in Format Validations
Clickjacking
User-Readable Sessions
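As an added example (not code from the original page or from Rails), the Ruby below shows why the regular-expression anchor change listed above matters: in Ruby ^ and $ match at line boundaries, so a format validation anchored with them accepts a multi-line value whose second line looks legitimate, whereas \A and \z anchor to the whole string. The URL pattern, the attacker value and the simplified Rails-style check that refuses line anchors unless multiline: true is passed are all constructed for this illustration.

```ruby
# ^ and $ match at line boundaries in Ruby; \A and \z match only at the ends
# of the whole string. A line-anchored format check therefore accepts any
# value that contains one "good" line.
LINE_ANCHORED   = /^https?:\/\/[^\s]+$/     # what a Rails 3 app might have shipped
STRING_ANCHORED = /\Ahttps?:\/\/[^\s]+\z/   # the form Rails 4 steers you towards

def valid_url?(value, pattern)
  !!(value =~ pattern)
end

# Simplified version of the check Rails 4 runs on
#   validates :homepage, format: { with: ... }
# A pattern that starts with ^ or ends with an unescaped $ is refused unless
# the validation explicitly passes multiline: true.
def check_format_pattern(pattern, multiline: false)
  src = pattern.source
  uses_line_anchors = src.start_with?("^") || (src.end_with?("$") && !src.end_with?("\\$"))
  if uses_line_anchors && !multiline
    raise ArgumentError, "The provided regular expression is using multiline anchors (^ or $), " \
                         "which may present a security risk. Did you mean to use \\A and \\z?"
  end
  true
end

# Constructed attacker input: a javascript: URL on the first line, a
# harmless-looking URL on the second so that ^...$ finds a match.
ATTACK_VALUE = "javascript:alert(1)\nhttp://example.com"

def anchor_demo
  {
    line_anchored_accepts_attack:   valid_url?(ATTACK_VALUE, LINE_ANCHORED),
    string_anchored_accepts_attack: valid_url?(ATTACK_VALUE, STRING_ANCHORED)
  }
end
```

anchor_demo returns {line_anchored_accepts_attack: true, string_anchored_accepts_attack: false}: the value that later ends up in an href or redirect passes the line-anchored check only. The same rule applies to any hand-written check, not just to validates :format.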
Unresolved Issues
Insecure defaults that remain in Rails 4:
Verbose Server Headers
Binding to 0.0.0.0
Versioned Secret Tokens
Logging Values in SQL statements
Offsite Redirects
Reference
http://blog.codeclimate.com/blog/2013/03/27/rails-insecure-defaults/