CSC/ECE 517 Fall 2014/ch1a 23 ss: Difference between revisions

From Expertiza_Wiki
Jump to navigation Jump to search
Line 12: Line 12:


==Session Hijacking==
==Session Hijacking==
Vulnerabilities
 
-Session Hijacking
===Vulnerabilities ===
 
Session Hijacking
-Replay Attacks for CookieStore Sessions
-Replay Attacks for CookieStore Sessions


Guide to Mitigation
Guide to Mitigation
-Do not store large objects in a session.
-Do not store large objects in a session.
-Critical data should not be stored in session.  
-Critical data should not be stored in session.


==bypass of access control==
==bypass of access control==

Revision as of 02:26, 17 September 2014

Security Features in Rails 4.x

This wiki aims to highlight all the security features in a popular web application framework: Rails 4.x


Threats Against Web Applications

The threats against web applications include

user account hijacking

Session Hijacking

Vulnerabilities

Session Hijacking -Replay Attacks for CookieStore Sessions

Guide to Mitigation -Do not store large objects in a session. -Critical data should not be stored in session.

bypass of access control

reading or modifying sensitive data

presenting fraudulent content

Trojan horse

Security Enhancements

CSRF via Leaky #match Routes

Regular Expression Anchors in Format Validations

Clickjacking

User-Readable Sessions

Unresolved Issues

Verbose Servers Headers

Binding to 0.0.0.0

Versioned Secret Tokens

Logging Values in SQL statements

Offsite Redirects

Reference

http://blog.codeclimate.com/blog/2013/03/27/rails-insecure-defaults/

http://guides.rubyonrails.org/security.html

Retrieved from "https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/ch1a_23_ss&oldid=85901"