CSC/ECE 517 Fall 2014/ch1a 23 ss: Difference between revisions

Line 11: Line 11:
==Cookie Management==
==Cookie Management==
Cookies are used to maintain stateful sessions in HTTP. The cookies typically contain the user's session id which is used to identify the user. By stealing it, the attacker can use the application in the victim's name.
Cookies are used to maintain stateful sessions in HTTP. The cookies typically contain the user's session id which is used to identify the user. By stealing it, the attacker can use the application in the victim's name.
Hence programmers should not store sensitive data in cookies.
The fix is
The fix is
===Use SSL ===
===Use SSL ===
Line 16: Line 17:
config.force_ssl = true
config.force_ssl = true


===No sensitive data===
===New Session Identifier===
Bad programming to store sensitive data. Ruby does provide a "CookieStore" that uses a hash to detect tampering.
Configure Rails to issue a new session identifier and declare the old one invalid after a successful login. This prevents "Session Fixation".
 
===Timeout Cookies===
Set the expiry time stamp of the cookie to a small value.


==Session Hijacking==
==Session Hijacking==
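Review bot: the replaced subsection leaves the lead paragraph's own fix without an item. The retained text still reads "Hence programmers should not store sensitive data in cookies. The fix is", but the "No sensitive data" subsection (including its note that CookieStore uses a hash to detect tampering) is the one removed, so none of the three remaining fixes (Use SSL, New Session Identifier, Timeout Cookies) answers that sentence; either keep a "No sensitive data" item or reword the lead. Also, "Configure Rails to issue a new session identifier" and "Set the expiry time stamp of the cookie to a small value" name no setting, unlike the Use SSL item's "config.force_ssl = true"; the Rails security guide listed under Reference covers both and could be pointed to here.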

Revision as of 21:45, 17 September 2014

Security Features in Rails 4.x

This wiki aims to highlight the security features in a popular web application framework, Rails 4.x.


Threats Against Web Applications

The threats against web applications include the following:

Cookie Management

Cookies are used to maintain stateful sessions in HTTP. The cookies typically contain the user's session id, which is used to identify the user. By stealing it, the attacker can use the application in the victim's name. Hence programmers should not store sensitive data in cookies. The fixes are:

Use SSL

SSL prevents the attacker from sniffing the cookie from the network. In config/application.rb:

    config.force_ssl = true

New Session Identifier

Configure Rails to issue a new session identifier and declare the old one invalid after a successful login. This prevents "Session Fixation".

Timeout Cookies

Set the expiry time stamp of the cookie to a small value.
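The three controls above can be seen working together in a small server-side session registry. This is an added example, not code from the wiki or from Rails: it is plain Ruby with no Rails dependency, and the class and method names (SessionRegistry, start, login, user_for, session_cookie) are this example's own. The comments name the real Rails knobs each part corresponds to: config.force_ssl = true (which also marks the cookie Secure), reset_session in a controller, and the expire_after option of the session store.

```ruby
require 'securerandom'
require 'time'

# Minimal server-side session registry (example code, not Rails' own store).
# It illustrates the three cookie-management controls from the page:
#   - transport only over TLS: the cookie gets the Secure attribute, which is
#     what Rails' config.force_ssl = true arranges;
#   - a fresh session id after login: what reset_session does in a controller;
#   - a short lifetime: what expire_after on the Rails session store does.
class SessionRegistry
  Session = Struct.new(:user, :created_at)

  # clock is injectable so the timeout can be exercised deterministically.
  def initialize(ttl_seconds:, clock: -> { Time.now })
    @ttl = ttl_seconds
    @clock = clock
    @sessions = {}
  end

  # Anonymous pre-login session; the returned id is what the cookie carries.
  def start
    id = SecureRandom.hex(16)
    @sessions[id] = Session.new(nil, @clock.call)
    id
  end

  # Session fixation defence: the id presented before authentication is
  # discarded and a brand-new id is issued, so an id that was planted in the
  # browser before login never becomes an authenticated session.
  def login(old_id, user)
    @sessions.delete(old_id)
    id = SecureRandom.hex(16)
    @sessions[id] = Session.new(user, @clock.call)
    id
  end

  # User for a live session, or nil if the id is unknown, anonymous or
  # expired. Expired entries are purged on access (the "timeout" control).
  def user_for(id)
    s = @sessions[id]
    return nil unless s
    if @clock.call - s.created_at > @ttl
      @sessions.delete(id)
      return nil
    end
    s.user
  end
end

# Set-Cookie value for the session id. HttpOnly keeps scripts from reading
# it, SameSite=Lax limits cross-site sending, and Secure restricts it to TLS.
def session_cookie(id, secure: true)
  attrs = ["_app_session=#{id}", "HttpOnly", "SameSite=Lax"]
  attrs << "Secure" if secure
  attrs.join("; ")
end
```

The registry deliberately keeps the mapping from id to user on the server; the cookie only ever carries the opaque id, so there is no sensitive data in it to steal beyond the id itself, and a stolen id stops working once the short TTL passes.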

Session Hijacking

In order to track and maintain the proper state for a user, web applications typically use sessions. These sessions provide consistency for the user and keep the user from needing to authenticate on each request.

There is typically a session hash and a session id.

Vulnerabilities

Session Hijacking

Replay Attacks for CookieStore Sessions

Guide to Mitigation

Do not store large objects in a session. Critical data should not be stored in session.
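To make the two vulnerabilities listed above concrete, here is an added example (not the wiki's code and not Rails' actual CookieStore format) of how a cookie-based session store works. The whole session hash travels in the cookie, protected by an HMAC so edits are detected, but it is only encoded, not encrypted, so anyone holding the cookie can read it; and a captured copy verifies just as well as the original, which is the replay problem. The per-user generation counter used to reject replayed cookies is this example's own convention, as are the names SignedCookieStore, Accounts, issue, authenticate and readable_payload.

```ruby
require 'openssl'
require 'json'
require 'base64'

# CookieStore-style session: the session hash itself is the cookie value,
# signed with an HMAC so tampering is detected (example, not Rails' format).
class SignedCookieStore
  def initialize(secret)
    @secret = secret
  end

  # Cookie value = base64(JSON(session)) + "--" + hex(HMAC-SHA256 over it).
  def encode(session)
    payload = Base64.strict_encode64(JSON.generate(session))
    "#{payload}--#{sign(payload)}"
  end

  # Session hash, or nil when the signature does not match (tampered cookie).
  def decode(cookie)
    payload, sig = cookie.split("--", 2)
    return nil unless payload && sig && secure_compare(sign(payload), sig)
    JSON.parse(Base64.strict_decode64(payload))
  end

  private

  def sign(payload)
    OpenSSL::HMAC.hexdigest("SHA256", @secret, payload)
  end

  # Constant-time comparison so a signature check does not leak via timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Server-side per-user "generation" counter. The signature alone cannot tell
# a replayed cookie from a fresh one, so the server keeps one small piece of
# state: bumping the generation on logout (or password change) invalidates
# every cookie issued before it.
class Accounts
  def initialize
    @gen = Hash.new(0)
  end

  def generation(user)
    @gen[user]
  end

  def logout(user)
    @gen[user] += 1
  end
end

# Issue a session cookie carrying only the user and the current generation;
# nothing critical goes into the cookie, as the page advises.
def issue(store, accounts, user)
  store.encode("user" => user, "gen" => accounts.generation(user))
end

# Authenticated user for a presented cookie, or nil when the signature fails
# or the cookie predates the user's current generation (replay rejected).
def authenticate(store, accounts, cookie)
  session = store.decode(cookie)
  return nil unless session
  return nil unless session["gen"] == accounts.generation(session["user"])
  session["user"]
end

# What anyone holding the cookie can read without knowing the secret: this is
# why the session must not contain critical data (user-readable sessions).
def readable_payload(cookie)
  JSON.parse(Base64.strict_decode64(cookie.split("--", 2).first))
end
```

The signature stops the holder from changing the session (for example the user field), but not from reading it or presenting it again later; only server-side state, here the generation counter, lets the application decide that an otherwise valid cookie is no longer acceptable.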

bypass of access control

reading or modifying sensitive data

presenting fraudulent content

Trojan horse

Security Enhancements

CSRF via Leaky #match Routes

Regular Expression Anchors in Format Validations

Clickjacking

User-Readable Sessions

Unresolved Issues

Verbose Servers Headers

Binding to 0.0.0.0

Versioned Secret Tokens

Logging Values in SQL statements

Offsite Redirects

Reference

http://blog.codeclimate.com/blog/2013/03/27/rails-insecure-defaults/

http://guides.rubyonrails.org/security.html