- Rails Security
  - Sessions
    - Session ID is a 32-byte MD5 hash value.
    - Stealing session info
      - sniffing the wire on an insecure network
      - failing to clear cookie info
      - cross-site scripting
      - planting a known ID
    - Guidelines
      - Do not store large objects in the session.
      - Do not store critical data in the session.
    - Storage
      - Cookies are limited to 4KB.
      - Do not store sensitive information, as it is user-readable.
      - Configure a non-trivial session secret.
    - Replay Attacks
      - Editing sensitive data stored in a cookie and resubmitting it.
      - Including a nonce (random value) in the session stops this attack.
    - Session Fixation
      - Uses a valid session ID and forces a client to use this session before logging in, resulting in the hacker gaining access.
      - Solution: reset the session after logging in.
    - Session Expiry
      - Use a fixed session lifespan. Expire after logging out.
  - CSRF (cross-site request forgery)
    - Tricking a client into accessing possibly existing sessions on other sites (e.g. Amazon) and performing unintended actions.
    - Solution: use GET and POST properly and use a server-side security token.
  - Redirection and Files
    - Sanitize code and paths for user-entered content.
    - Make sure non-public files are not publicly accessible.
  - Intranet and Admin Security
    - Prevent CSRF!
    - Possibly use separate accounts for admin actions.
    - Use a separate sub-domain for admin access.
    - Possibly whitelist IP addresses.
  - Mass Assignment
    - Model.new(params[:model]) will allow a user to set any column value.
    - Use attr_accessible to force manual setting of sensitive columns.
  - User Management
    - Require the password to change sensitive info.
    - Prevent CSRF.
    - Use CAPTCHA or negative CAPTCHA (a hidden text field to detect bots).
    - Avoid logging passwords in log files via the controller statement: filter_parameter_logging :password
    - Require strong passwords.
    - When writing regexes, use \A and \z to delimit the beginning and end of a string instead of ^ and $.
    - Verify the user has access to the objects (IDs) they request.
  - Injection
    - Whitelist when possible.
    - Sanitize SQL values before using them.
    - Prevent XSS with escapeHTML, or h(), to sanitize all output.
    - Prevent XSS by using sanitize with whitelists.
    - Don't allow custom CSS, since some browsers (IE) will process JavaScript embedded in it.
    - Use Textile 4 and sanitize with whitelists.
    - Filter Ajax values with h().
    - Filter RJS values with escape_javascript and h() where appropriate.
    - For the CLI, use system with parameterized arguments.
  - Resources
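The Mass Assignment point above, as an added plain-Ruby illustration (not code from the original notes or from Rails): PARAMS is a constructed request with an extra "admin" key, UnsafeUser mirrors Model.new(params[:model]), and MassAssignmentGuard is a hypothetical minimal stand-in for attr_accessible, not Rails' own implementation.

```ruby
# Constructed request parameters: a normal signup form with an extra
# "admin" key appended by the client. (Added illustration, not Rails code.)
PARAMS = { "name" => "alice", "email" => "alice@example.com", "admin" => true }.freeze

# Vulnerable pattern (Model.new(params[:model])): every key becomes a column.
class UnsafeUser
  attr_accessor :name, :email, :admin

  def initialize(attrs)
    @admin = false
    attrs.each { |key, value| public_send("#{key}=", value) }
  end
end

# Minimal stand-in for attr_accessible (hypothetical, not Rails' own):
# keeps a per-class whitelist of attributes that may be mass-assigned.
module MassAssignmentGuard
  def attr_accessible(*names)
    @accessible = names.map(&:to_s)
  end

  def accessible
    @accessible || []
  end
end

# Hardened pattern: only whitelisted keys are assigned; "admin" is dropped
# and must be set deliberately in code by a privileged path.
class SafeUser
  extend MassAssignmentGuard
  attr_accessor :name, :email, :admin
  attr_accessible :name, :email

  def initialize(attrs)
    @admin = false
    attrs.each do |key, value|
      if self.class.accessible.include?(key.to_s)
        public_send("#{key}=", value)
      else
        warn "rejected mass assignment of #{key}"  # worth logging for detection
      end
    end
  end
end

# Returns whether a user built from the untrusted params ended up as admin.
def admin_via_mass_assignment?(klass)
  klass.new(PARAMS).admin
end
```

Running both classes against the same params shows UnsafeUser becoming an admin while SafeUser keeps only name and email.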