CSC/ECE 517 Fall 2014/ch1a 23 ss
Security Features in Rails 4.x
This wiki page highlights the security features of a popular web application framework, Rails 4.x.
Threats Against Web Applications
The threats against web applications include:
user account hijacking
bypass of access control
reading or modifying sensitive data
presenting fraudulent content
Trojan horse
Session Hijacking
To track and maintain the proper state for a user, web applications typically use sessions. A session provides continuity for the user and keeps the user from needing to authenticate on every request.
A session typically consists of a session hash (the stored data) and a session ID that identifies it.
Vulnerabilities
Session Hijacking Replay Attacks for CookieStore Sessions
Guide to Mitigation
Do not store large objects in a session. Critical data should not be stored in the session.
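The session-hijacking replay described above, as an added example that is not from the original page or from Rails itself: a minimal signed cookie store in Ruby with a constructed secret and an in-memory account table (both assumptions, not Rails internals). It shows that an earlier cookie still verifies and carries its old data, and why keeping critical data such as a balance server-side, with only an identifier in the session, removes the value of the replay.

```ruby
require "openssl"
require "base64"
require "json"

# Constructed secret for this example only; Rails derives its real key from secret_key_base.
SECRET = "example-secret-not-for-production".freeze

# Constant-time string comparison so signature checks do not leak timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Serialize and sign a session hash as a cookie-based store does: the browser
# holds the data, the server only checks the signature when the cookie returns.
def sign_session(data, secret = SECRET)
  payload = Base64.strict_encode64(JSON.generate(data))
  "#{payload}--#{OpenSSL::HMAC.hexdigest('SHA256', secret, payload)}"
end

# Verify the signature and return the session hash, or nil if it was tampered with.
def load_session(cookie, secret = SECRET)
  payload, digest = cookie.to_s.split("--", 2)
  return nil unless payload && digest
  return nil unless secure_compare(OpenSSL::HMAC.hexdigest("SHA256", secret, payload), digest)
  JSON.parse(Base64.strict_decode64(payload))
end

# Weak design: the balance lives in the cookie. Spending returns a fresh cookie,
# but every earlier cookie still carries a valid signature and the old balance.
def spend_in_cookie(cookie, amount)
  s = load_session(cookie) or return nil
  return nil if s["credits"] < amount
  sign_session(s.merge("credits" => s["credits"] - amount))
end

# Hardened design: the cookie carries only an identifier; the balance is kept
# server-side (a constructed in-memory table here), so a replayed cookie buys nothing.
ACCOUNTS = { 7 => { "credits" => 10 } }

def spend_server_side(cookie, amount)
  s = load_session(cookie) or return nil
  account = ACCOUNTS[s["user_id"]] or return nil
  return nil if account["credits"] < amount
  account["credits"] -= amount
end

def balance_for(cookie)
  s = load_session(cookie) or return nil
  ACCOUNTS.dig(s["user_id"], "credits")
end
```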
Security Enhancements
CSRF via Leaky #match Routes
Regular Expression Anchors in Format Validations
Clickjacking
User-Readable Sessions
Unresolved Issues
Verbose Server Headers
Binding to 0.0.0.0
Versioned Secret Tokens
Logging Values in SQL statements
Offsite Redirects
Reference
http://blog.codeclimate.com/blog/2013/03/27/rails-insecure-defaults/