CSC/ECE 517 Fall 2014/ch1a 23 ss: Difference between revisions

From Expertiza_Wiki

Revision as of 02:26, 17 September 2014

Security Features in Rails 4.x

This wiki aims to highlight all the security features in a popular web application framework: Rails 4.x.


Threats Against Web Applications

The threats against web applications include:

User Account Hijacking

Session Hijacking

Vulnerabilities

Session Hijacking

Replay Attacks for CookieStore Sessions

Guide to Mitigation

Do not store large objects in a session. Critical data should not be stored in the session.
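As an added illustration of the replay problem above (not code from this wiki page or from Rails itself), the following constructed Ruby stand-in for a signed client-side session shows why critical data such as a credit balance must not live in a CookieStore session: an old cookie still verifies and restores the spent credit, whereas keeping only a user id in the cookie and the balance in a server-side store makes the replayed cookie harmless. SECRET and the store hash are constructed placeholders.

```ruby
require 'openssl'
require 'json'
require 'base64'

# Constructed stand-in for a signed client-side session (the CookieStore shape:
# payload plus HMAC): the server detects tampering but not a replayed old cookie.
SECRET = 'constructed-secret-key-base'.freeze  # placeholder, not a real key

def sign_session(data)
  payload = Base64.strict_encode64(JSON.generate(data))
  "#{payload}--#{OpenSSL::HMAC.hexdigest('SHA256', SECRET, payload)}"
end

# Constant-time comparison so the signature check does not leak timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the session hash, or nil if the cookie is malformed or its HMAC fails.
def load_session(cookie)
  payload, digest = cookie.to_s.split('--', 2)
  return nil if payload.nil? || digest.nil?
  return nil unless secure_compare(digest, OpenSSL::HMAC.hexdigest('SHA256', SECRET, payload))
  JSON.parse(Base64.strict_decode64(payload))
rescue ArgumentError, JSON::ParserError
  nil
end

# Vulnerable pattern: the credit balance itself is stored in the session.
# A client that kept the old cookie can present it again and get the credit back.
def vulnerable_purchase(cookie, price)
  session = load_session(cookie)
  return nil if session.nil? || session['credit'].to_i < price
  sign_session(session.merge('credit' => session['credit'].to_i - price))
end

# Mitigated pattern: the session holds only a reference (user_id); the balance
# lives in a server-side store, so replaying an old cookie changes nothing.
def hardened_purchase(store, cookie, price)
  session = load_session(cookie)
  account = session && store[session['user_id']]
  return nil if account.nil? || account[:credit] < price
  account[:credit] -= price
  cookie
end

old_cookie = sign_session('credit' => 100)
vulnerable_purchase(old_cookie, 60)                    # balance now 40 ...
puts load_session(old_cookie)['credit']                # ... but the old cookie still says 100
```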

Bypass of Access Control

Reading or Modifying Sensitive Data

Presenting Fraudulent Content

Trojan horse

Security Enhancements

CSRF via Leaky #match Routes

Regular Expression Anchors in Format Validations

Clickjacking

User-Readable Sessions

Unresolved Issues

Verbose Server Headers

Binding to 0.0.0.0

Versioned Secret Tokens

Logging Values in SQL Statements

Offsite Redirects

References

http://blog.codeclimate.com/blog/2013/03/27/rails-insecure-defaults/

http://guides.rubyonrails.org/security.html