CSC/ECE 517 Fall 2009/wiki1b 8 rubysecurity
This article explores how the Ruby on Rails framework handles common dangerous programming errors committed in web applications and how it compares with other web application frameworks in handling these errors.
Introduction
Almost all real-world data and transactions are now available as web services built on some web application framework. As the number of such services increases, so does the possibility that attackers will try to exploit new loopholes in the applications that are developed. The consequences of such attacks are far reaching and destructive from both a business and a security perspective. The danger is so grave that in January this year experts from more than 30 US and international cyber security organizations jointly released a consensus list of the 25 most dangerous programming errors that lead to security bugs and enable cyber espionage and cyber crime. Ruby on Rails [citation needed], a web framework used for designing web applications in the Ruby language, comes with features that handle some of the common programming errors cited. In the next section we will see how each of these errors is handled according to its classification, and in the third section we will see how Rails compares with other application frameworks in handling these errors.
Ruby on Rails's handling of the common programming errors
Following the classification of programming errors cited in [citation], this section has three subdivisions, or categories.
Insecure communication between components
This category covers programming errors such as improper input validation, improper encoding of output, and SQL injection.
Improper Input Validation
Authorization is the process of checking whether a user has permission to do what he wants to do. This immediately raises the issue of handling roles in the web application. If roles are not properly defined and implemented, an attacker can register with your application, log in as a genuine user, and perform unwanted reads or writes, which can lead to loss of sensitive information.
Validation in Rails is very simple and short: we use the validates family of functions. To check that a variable in the model is not null, we use validates_presence_of followed by the names of the fields to be validated (for example, validates_presence_of :name). To check the length of a variable we use the validates_length_of function.
[citation: http://biodegradablegeek.com/2008/02/introduction-to-validations-validation-error-handling-in-rails/]
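To show what these two declarations actually reject, here is an added example that is not from the wiki page or from Rails itself: a small plain-Ruby stand-in that reimplements validates_presence_of and validates_length_of with the same calling convention and error messages as Rails, so it runs without ActiveRecord. The User class, its fields, the limits and the sample inputs are all constructed for this example.

```ruby
# Added example (not the wiki page's or Rails' own code): a minimal stand-in
# for Rails model validations. It implements the two class-level declarations
# named in the text, validates_presence_of and validates_length_of, so their
# behaviour can be exercised offline. User, its fields and the sample values
# below are constructed for this example.
module Validations
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # Registered [field, check] pairs; each check returns an error message or nil.
    def validations
      @validations ||= []
    end

    # validates_presence_of :name, :email
    # Rejects nil and strings that are empty or whitespace-only (Rails' "blank").
    def validates_presence_of(*fields)
      fields.each do |f|
        validations << [f, lambda { |v| (v.nil? || v.to_s.strip.empty?) ? "can't be blank" : nil }]
      end
    end

    # validates_length_of :name, minimum: 2, maximum: 40
    def validates_length_of(*fields, minimum: 0, maximum: nil)
      fields.each do |f|
        validations << [f, lambda { |v|
          len = v.to_s.length
          if len < minimum
            "is too short (minimum is #{minimum} characters)"
          elsif maximum && len > maximum
            "is too long (maximum is #{maximum} characters)"
          end
        }]
      end
    end
  end

  # field => [messages]; empty when the object passed every check.
  def errors
    @errors ||= {}
  end

  # Runs every registered check against the current field values.
  def valid?
    @errors = {}
    self.class.validations.each do |field, check|
      msg = check.call(send(field))
      (errors[field] ||= []) << msg if msg
    end
    errors.empty?
  end
end

# Constructed model: the declarations read exactly as they would in a Rails model.
class User
  include Validations
  attr_accessor :name, :email

  validates_presence_of :name, :email
  validates_length_of :name, minimum: 2, maximum: 40

  def initialize(name:, email:)
    @name = name
    @email = email
  end
end

# Builds a User from untrusted input and returns the validation errors found.
def validation_errors(name:, email:)
  u = User.new(name: name, email: email)
  u.valid?
  u.errors
end

if __FILE__ == $0
  p validation_errors(name: "Alice", email: "a@example.com")   # {}
  p validation_errors(name: "", email: nil)                    # blank name and email
  p validation_errors(name: "A" * 41, email: "a@example.com")  # name too long
end
```

The blank name fails both declarations at once, which matches Rails: presence and length are independent checks, and each appends its own message to errors[:name]. Because the limits are declared in the model rather than in each controller action, every code path that saves a User is covered by the same rules.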