CSC/ECE 517 Fall 2014/ch1a 23 ss

From Expertiza_Wiki

Revision as of 02:26, 17 September 2014 by Sfernan2 (talk | contribs) (→‎Session Hijacking)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Jump to navigation Jump to search

Security Features in Rails 4.x

This wiki aims to highlight all the security features in a popular web application framework: Rails 4.x

Threats Against Web Applications

The threats against web applications include

user account hijacking

Session Hijacking

Vulnerabilities

Session Hijacking Replay Attacks for CookieStore Sessions

Guide to Mitigation

Do not store large objects in a session. Critical data should not be stored in session.

bypass of access control

reading or modifying sensitive data

presenting fraudulent content

Trojan horse

Security Enhancements

CSRF via Leaky #match Routes

Regular Expression Anchors in Format Validations

Clickjacking

User-Readable Sessions

Unresolved Issues

Verbose Servers Headers

Binding to 0.0.0.0

Versioned Secret Tokens

Logging Values in SQL statements

Offsite Redirects

Reference

http://blog.codeclimate.com/blog/2013/03/27/rails-insecure-defaults/

http://guides.rubyonrails.org/security.html

Retrieved from "https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/ch1a_23_ss&oldid=85902"