Ruby on Rails Security Project

Exploring the Security of Rails and friends.


Entries from April 2007

Cross Site Request Forgery (CSRF) and GET & POST

April 20th, 2007 · 4 Comments

The W3C advises when to use GET requests:
Use GET if:

The interaction is more like a question (i.e., it is a safe operation such as a query, read operation, or lookup).

Use POST if:

The interaction is more like an order, or
The interaction changes the state of the resource in a way that the user would perceive (e.g., a subscription […]
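The security relevance of this advice: a browser will issue a GET for any URL placed in an <img> or <a> tag on any site and attach the victim's cookies, so a state change reachable by GET can be triggered by a third-party page with no user interaction at all. Requiring POST removes the <img> vector, and a per-session token that a foreign page cannot read stops a hidden auto-submitting form as well. The following is an added example, not code from the post and not Rails's own implementation: a small in-memory dispatcher (the names CsrfDemoApp, SAFE_ACTIONS, UNSAFE_ACTIONS, authenticity_token and the shape of the request hash are assumptions) that serves read-only actions via GET and honours state-changing actions only on a POST carrying a valid token.

```ruby
require 'securerandom'

# Hypothetical in-memory app (added illustration, not Rails code).
# Each session owns a CSRF token; "order"-like actions are only honoured for
# POST requests that present that token.
class CsrfDemoApp
  SAFE_ACTIONS   = %w[index show].freeze         # "questions": read-only, GET is fine
  UNSAFE_ACTIONS = %w[destroy subscribe].freeze  # "orders": change state, POST + token only

  Response = Struct.new(:status, :body)

  def initialize
    @sessions = {}                                    # session id => { csrf_token: ... }
    @projects = { '1' => 'Project One', '2' => 'Project Two' }  # constructed sample data
  end

  # Server-issued session id with its own unguessable token.
  def new_session
    sid = SecureRandom.hex(16)
    @sessions[sid] = { csrf_token: SecureRandom.hex(16) }
    sid
  end

  # What the server embeds in the forms it renders for this session.
  def csrf_token_for(sid)
    @sessions.fetch(sid)[:csrf_token]
  end

  # req is a hash: { method:, action:, id:, session_id:, params: {} }
  def call(req)
    action = req[:action]
    if SAFE_ACTIONS.include?(action)
      return Response.new(200, @projects.fetch(req[:id], 'not found'))
    end
    return Response.new(404, 'no such action') unless UNSAFE_ACTIONS.include?(action)

    # State-changing action: a GET (e.g. an <img src=...> planted elsewhere) is refused outright.
    return Response.new(405, 'use POST for state-changing actions') unless req[:method] == 'POST'

    session = @sessions[req[:session_id]]
    return Response.new(401, 'no session') unless session

    # The token exists only in pages this server rendered for this session; a
    # cross-site form cannot read it, so a forged POST arrives without it.
    supplied = req[:params]['authenticity_token'].to_s
    return Response.new(403, 'bad authenticity token') unless secure_equal?(supplied, session[:csrf_token])

    @projects.delete(req[:id]) if action == 'destroy'
    Response.new(200, "#{action} ok")
  end

  private

  # Constant-time comparison so the token cannot be guessed byte by byte via timing.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

In the Rails of the time the POST-only rule is `verify :method => :post, :only => [:destroy]`; the token check is what `protect_from_forgery` added in Rails 2.0 later that year. Note that POST alone is not enough: a hidden form on a hostile page can auto-submit a POST with the victim's cookies, which is why the token is needed as well.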


Tags: Rails

Ruby regular expression fun

April 16th, 2007 · 7 Comments

I found several regular expressions to validate all sorts of things: URLs, names, email addresses, et cetera. Here is an example of an email address validation I found:

/^([^@\s]+)@((?:[-a-z0-9]+\.)+[a-z]{2,})$/i

How do you like the following email address, which validates fine with this filter?

hre32443_d.@ter.com%0A<script>alert('hello')</script>

%0A is a line break.
^ and $ in Ruby match the beginning and end of a LINE, not the overall […]
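To see the line-anchor problem concretely, here is an added example (not code from the original post) that runs the quoted pattern against the payload with %0A already decoded to a newline, as the web server does before the value reaches a validation, and beside it the same pattern with \A and \z, which anchor to the whole string. The constant names and the two helper functions are assumptions made for the illustration.

```ruby
# Added example: why ^ and $ are the wrong anchors for validating a whole value in Ruby.

# The pattern quoted in the post. In Ruby ^ and $ match at LINE boundaries,
# i.e. $ also matches just before any "\n" inside the string.
LINE_ANCHORED   = /^([^@\s]+)@((?:[-a-z0-9]+\.)+[a-z]{2,})$/i

# Same pattern with string anchors: \A is the start of the string, \z its very end
# (\Z would still allow one trailing newline, so it is not a substitute).
STRING_ANCHORED = /\A([^@\s]+)@((?:[-a-z0-9]+\.)+[a-z]{2,})\z/i

# Constructed payload: the post's input after URL decoding, so %0A is "\n".
PAYLOAD = "hre32443_d.@ter.com\n<script>alert('hello')</script>"

# True when the regexp matches anywhere, which is all validates_format_of asks.
def valid_email?(regex, value)
  !(regex =~ value).nil?
end

# The substring the regexp actually matched, to show what the validator "saw".
def matched_part(regex, value)
  m = regex.match(value)
  m && m[0]
end
```

With the line-anchored pattern only the first line is inspected; the `<script>` on the second line passes through untouched, and if the stored value is later written into a page without escaping, the script runs. Rails 4 and later refuse a `validates_format_of` regexp that uses ^ or $ without `multiline: true` for exactly this reason.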


Tags: Rails

Session fixation in Rails

April 15th, 2007 · 4 Comments

These attacks focus on fixing a user's session identifier to one known to the attacker, and forcing the user's browser and the web application into using this identifier. The first step in such an attack is to create a valid session identifier. While other session management implementations (in PHP, for example) accept arbitrary identifiers and create a valid session […]


Tags: Rails

Session hijacking

April 12th, 2007 · 5 Comments

Session hijacking is a class of attacks where an attacker gets hold of the session identifier of another user. Consequently, he gets access to the web application, because the session identifier serves as a temporary login credential. The most popular way of hijacking a session is to steal the session identifier. There are several ways of doing this. Most […]


Tags: Rails

Ruby on Rails sessions - introduction and expiry

April 10th, 2007 · 1 Comment

As HTTP is stateless, a logged-in client, for example, would have to provide his login name and password with every request, because the server cannot maintain state across a user's subsequent requests. The idea of adding state to requests is to save information about the exchanged data on the […]
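The session properties that the fixation post above and this introduction rely on can be shown in one place: the server honours only identifiers it issued itself, issues a fresh identifier when the user authenticates (the effect of reset_session in Rails), and drops a session that has been idle longer than its lifetime. The following is an added illustration, not Rails's session code and not from the original posts; SessionStore, its ttl_seconds and clock parameters, and the login helper are assumptions.

```ruby
require 'securerandom'

# Hypothetical server-side session store (added example, not Rails's implementation).
#   1. Only identifiers the server issued are honoured: an attacker cannot
#      pre-create a session under an id of his choosing (fixation, step one).
#   2. Authentication issues a fresh id and discards the old one, so an id
#      planted in the victim's browser before login carries no authenticated state.
#   3. A session idle for longer than ttl_seconds is expired, not resurrected.
class SessionStore
  Session = Struct.new(:id, :data, :last_seen)

  # clock is injectable so expiry can be exercised without waiting.
  def initialize(ttl_seconds:, clock: -> { Time.now })
    @ttl = ttl_seconds
    @clock = clock
    @sessions = {}
  end

  # Issue a new unguessable id; never derived from anything the client sent.
  def create
    id = SecureRandom.hex(16)
    @sessions[id] = Session.new(id, {}, @clock.call)
    id
  end

  # Look up the id presented in the cookie. An unknown id yields nil; it is
  # NOT turned into a new session (the PHP behaviour the fixation post contrasts).
  def fetch(id)
    s = @sessions[id]
    return nil unless s
    if @clock.call - s.last_seen > @ttl
      @sessions.delete(id)   # idle too long: drop it
      return nil
    end
    s.last_seen = @clock.call  # sliding expiry window
    s
  end

  # Privilege change: throw the presented id away entirely and start afresh,
  # mirroring reset_session. Nothing from the old session is carried over.
  def rotate(old_id)
    @sessions.delete(old_id)
    create
  end
end

# Login flow using the store: the id the browser presented before
# authentication is never the id that ends up carrying the logged-in state.
def login(store, presented_id, user_id)
  new_id = store.rotate(presented_id)
  store.fetch(new_id).data[:user_id] = user_id
  new_id
end
```

Because the authenticated state is bound to an id the attacker has never seen, knowing the pre-login id is worthless; and because unknown ids are never accepted, the attacker cannot simply invent one and wait for the victim to use it.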


Tags: Rails

Don’t trust primary key parameters

April 2nd, 2007 · 1 Comment

By default Ruby on Rails URLs have the following format: http://www.domain.com/project/show/1, where "show" is the action to be performed and "1" is the project id, i.e. the primary key of the project table (a project's main identifier is its id, but it could be something else, such as the name). It will be […]
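The practical consequence, as an added example rather than code from the post: looking a project up by the id in the URL alone hands any user any project, and trying ids in sequence enumerates the whole table; scoping the lookup to the authenticated user's own projects makes a foreign id simply not found. The Project, User and PROJECTS names and the sample rows are constructed for this illustration; in Rails the two lookups correspond to Project.find(params[:id]) and current_user.projects.find(params[:id]).

```ruby
# Added example: trusting params[:id] versus scoping the lookup to the current user.
# Plain Ruby stand-ins for Rails records and the RecordNotFound exception.
Project = Struct.new(:id, :owner_id, :name)
User    = Struct.new(:id)

class RecordNotFound < StandardError; end

# Constructed sample data: two users, one private project each.
PROJECTS = [
  Project.new(1, 10, 'alice private'),
  Project.new(2, 20, 'bob private'),
].freeze

# Vulnerable: the only input is the id from the URL (Project.find(params[:id])).
# Whoever is logged in gets whichever record that id names.
def show_unscoped(params)
  PROJECTS.find { |p| p.id == params[:id].to_i } or raise RecordNotFound
end

# Hardened: the search space is the current user's own projects
# (current_user.projects.find(params[:id])), so someone else's id is not found
# instead of being served.
def show_scoped(current_user, params)
  PROJECTS.find { |p| p.owner_id == current_user.id && p.id == params[:id].to_i } or
    raise RecordNotFound
end

# What an attacker walking ids 1..n sees with each version of the action.
def enumerate(current_user, ids, scoped:)
  ids.map do |id|
    begin
      project = scoped ? show_scoped(current_user, id: id.to_s) : show_unscoped(id: id.to_s)
      project.name
    rescue RecordNotFound
      nil
    end
  end.compact
end
```

Returning "not found" rather than "forbidden" for a foreign id also avoids confirming to the attacker which ids exist.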


Tags: Rails