CSC/ECE 517 Fall 2014/ch1a 23 ss

From Expertiza_Wiki
Revision as of 03:22, 18 September 2014 by Sfernan2 (talk | contribs) (Undo revision 86327 by Sfernan2 (talk))
Jump to navigation Jump to search

Security Features in Rails 4.x

This wiki aims to highlight all the security features in a popular web application framework: Rails 4.x


Security Features in Rails 4.x

Background

Web applications can be challenging for a developer to properly secure against threats. There are many attack vectors against web applications that must be carefully considered and mitigated. The developer must be responsible to understand these threats and take the necessary steps to secure the application and data. A web application may be vulnerable due to misconfiguration, poorly written code, or through un-patched vulnerabilities.

Ruby on Rails), or just Rails, is a web application framework written in Ruby. It is a full-stack framework which attempts to ease the development process.

Cookie Management

Cookies are used to maintain stateful sessions in HTTP. The cookies typically contain the user's session id which is used to identify the user. By stealing it, the attacker can use the application in the victim's name. Hence programmers should not store sensitive data in cookies. The fix is

Use SSL

SSL prevents the attacker from sniffing the cookie from the network. config.force_ssl = true

New Session Identifier

Configure Rails to issue a new session identifier and declare the old one invalid after a successful login. This prevents "Session Fixation".

Timeout Cookies

Set the expiry time stamp of the cookie to a small value.

Injection

An attacker can inject client site executable code. When the victim renders it, it can steal the cookie, hijack the session and redirect the victim to a different page.

Cross Site Scripting (XSS)

SQL Injection

Ajax Injection

Header Injection

Cross Site Request Forgery (CSRF)

This attack method works by including malicious code or a link in a page that accesses a web application that the user is believed to have authenticated. If the session for that web application has not timed out, an attacker may execute unauthorized commands.

Security Token

All non GET request should use a security token.

Redirection

File Upload

User Security Policies

Password Protection

Good passwords

Brute Force attack

CAPTCHAs

Security Enhancements

CSRF via Leaky #match Routes

Regular Expression Anchors in Format Validations

Clickjacking

User-Readable Sessions

Unresolved Issues

Verbose Servers Headers

Binding to 0.0.0.0

Versioned Secret Tokens

Logging Values in SQL statements

Offsite Redirects

Reference

http://blog.codeclimate.com/blog/2013/03/27/rails-insecure-defaults/

http://guides.rubyonrails.org/security.html

http://www.infoworld.com/article/2614585/patch-management/hackers-exploit-ruby-on-rails-vulnerability-to-compromise-servers--create-botnet.html