CSC/ECE 517 Fall 2014/ch1a 23 ss
Security Features in Rails 4.x
This wiki aims to highlight all the security features in a popular web application framework: Rails 4.x
Threats Against Web Applications
The threats against web applications include
Cookie Management
Cookies are used to maintain stateful sessions in HTTP. The cookies typically contain the user's session id which is used to identify the user. By stealing it, the attacker can use the application in the victim's name. Hence programmers should not store sensitive data in cookies. The fix is
Use SSL
SSL prevents the attacker from sniffing the cookie from the network. config.force_ssl = true
New Session Identifier
Configure Rails to issue a new session identifier and declare the old one invalid after a successful login. This prevents "Session Fixation".
Timeout Cookies
Set the expiry time stamp of the cookie to a small value.
Session Hijacking
In order to track and maintain the proper state for a user, web applications typically use sessions. These sessions provide consistency for the user, and keeps the user from needing to authenticate for each request.
There is typically a session hash and a session id.
Vulnerabilities
Session Hijacking Replay Attacks for CookieStore Sessions
Guide to Mitigation
Do not store large objects in a session. Critical data should not be stored in session.
bypass of access control
reading or modifying sensitive data
presenting fraudulent content
Trojan horse
Security Enhancements
CSRF via Leaky #match Routes
Regular Expression Anchors in Format Validations
Clickjacking
User-Readable Sessions
Unresolved Issues
Verbose Servers Headers
Binding to 0.0.0.0
Versioned Secret Tokens
Logging Values in SQL statements
Offsite Redirects
Reference
http://blog.codeclimate.com/blog/2013/03/27/rails-insecure-defaults/