CSC/ECE 517 Fall 2014/ch1a 23 ss: Difference between revisions
Jump to navigation
Jump to search
Line 9: | Line 9: | ||
The threats against web applications include | The threats against web applications include | ||
==user account hijacking== | ==user account hijacking== | ||
Session Hijacking | |||
Cross-Site Request Forgery (CSRF) | |||
==bypass of access control== | ==bypass of access control== | ||
==reading or modifying sensitive data== | ==reading or modifying sensitive data== |
Revision as of 00:37, 17 September 2014
Security Features in Rails 4.x
This wiki aims to highlight all the security features in a popular web application framework: Rails 4.x
Threats Against Web Applications
The threats against web applications include
user account hijacking
Session Hijacking
Cross-Site Request Forgery (CSRF)
bypass of access control
reading or modifying sensitive data
presenting fraudulent content
Trojan horse
Security Enhancements
CSRF via Leaky #match Routes
Regular Expression Anchors in Format Validations
Clickjacking
User-Readable Sessions
Unresolved Issues
Verbose Servers Headers
Binding to 0.0.0.0
Versioned Secret Tokens
Logging Values in SQL statements
Offsite Redirects
Reference
http://blog.codeclimate.com/blog/2013/03/27/rails-insecure-defaults/