This link has been bookmarked by 65 people . It was first bookmarked on 25 Sep 2007, by Joel Liu.
-
12 Oct 10
-
04 May 09
Rodrigo de OliveiraLista de itens pra ficar ligado ao desenvolver aplicações Ruby on Rails, de maneira segura
cheat_sheet compilação csrf dica rails ruby segurança from_delicious
-
15 Jul 08
-
07 Jul 08
-
26 May 08
-
26 Mar 08
-
21 Mar 08
-
09 Feb 08
-
24 Jan 08
-
22 Jan 08
-
30 Dec 07
-
16 Dec 07
-
09 Dec 07
-
- CNBC Stock Trading Contest Hacked
- A new form of attacks: Tailor-made trojans
- Rails was at risk already once: Anatomy of an attack against 1.1.4
- How: Sniffing in an insecure network such as Wireless LAN, Internet café
- Countermeasures
- Encrypt the traffic using SSL (although HTTPS is slower). However, if parts of the web site are not encrypted, such as the login or index page, the cookie will be transmitted nevertheless. To instruct the browser only to send the cookie over encrypted HTTPS and never over normal HTTP, you have to include the following line in the environment file:
ActionController::Base.session_options[:session_secure] = true - Include additional information (user agent, IP address, …) in the cookie and verify it on each request. When saving the IP-address, you have to bear in mind that there are Internet access providers or large organizations that put their users behind proxies and these might change over the course of a session. Also, the attacker could be in the same local network and so both the victim and the attacker have the same external IP address.
Ruby on Rails Security Cheatsheet
Why security is important
If you are not yet convinced why you should secure your application, read this.
What can happen?
Sessions
Session hijacking: Session hijacking is a class of attacks where an attacker gets hold of a session identifier (cookie) of another user. Consequently, he gets access to the web application, because the session identifier serves as temporary login credential.
-
Ruby on Rails Security Cheatsheet
-
- CNBC Stock Trading Contest Hacked
- A new form of attacks: Tailor-made trojans
- Rails was at risk already once: Anatomy of an attack against 1.1.4
- How: Sniffing in an insecure network such as Wireless LAN, Internet café
- Countermeasures
- Encrypt the traffic using SSL (although HTTPS is slower). However, if parts of the web site are not encrypted, such as the login or index page, the cookie will be transmitted nevertheless. To instruct the browser only to send the cookie over encrypted HTTPS and never over normal HTTP, you have to include the following line in the environment file:
ActionController::Base.session_options[:session_secure] = true - Include additional information (user agent, IP address, …) in the cookie and verify it on each request. When saving the IP-address, you have to bear in mind that there are Internet access providers or large organizations that put their users behind proxies and these might change over the course of a session. Also, the attacker could be in the same local network and so both the victim and the attacker have the same external IP address.
- Create a new session when someone successfully logs in. Use reset_session to do that. However you have to copy all data from the old session to the new one (e.g. :user_id).
- Invalidate the session when someone logs out. For example session[:user_id] = nil
- Countermeasures
- Create a new session when someone successfully logs in (see above).
Ruby on Rails Security Cheatsheet
Why security is important
If you are not yet convinced why you should secure your application, read this.
What can happen?
Sessions
Session hijacking: Session hijacking is a class of attacks where an attacker gets hold of a session identifier (cookie) of another user. Consequently, he gets access to the web application, because the session identifier serves as temporary login credential.
Session fixation: These attacks focus on fixing a user's session identifier known to the attacker, and forcing the user's browser and the web application into using this identifier. That way the attacker can use the session, when the victim logs in (more…).
Generators and plugins for authentication.
-
-
21 Nov 07
-
15 Nov 07
-
14 Nov 07
-
11 Oct 07
-
09 Oct 07
-
06 Oct 07
-
03 Oct 07
-
27 Sep 07
-
26 Sep 07
manalanggood pointers on securing your rails app
security rails ruby rubyonrails cheatsheet programming reference documentation hacking
-
25 Sep 07
-
24 Sep 07
Would you like to comment?
Join Diigo for a free account, or sign in if you are already a member.