Ruby on Rails Security Project

Exploring the Security of Rails and friends.


Everything You Always Wanted to Know About Web Application Security - But Were Afraid to Ask

June 19th, 2007 · 3 Comments

Here is an interesting general document about web application security, a list with frequently asked questions: http://www.owasp.org/index.php/OWASP_AppSec_FAQ

It gives good advice on how to design the login process. It describes a best practice for the "Lost Password" feature, which is especially important these days, when an increasing number of attacks are based on this feature. One thing I have to add in this context: the lost-password form should not return a meaningful error message that reveals whether the submitted user name exists. An attacker can use the difference in responses to find valid user names, and did you know that a password cracker can check 30,000 passwords a minute over the Internet?
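To make the lost-password point concrete, here is an added example in plain Ruby (not code from this post, from the OWASP FAQ, or from LoginSugar): a reset handler whose response tells the caller whether the account exists, beside one that answers identically for every address. The user store (`USERS`), the `Outbox` mailer stand-in and both handler names are constructed for the example.

```ruby
# Added example: a lost-password handler that leaks account existence
# beside one that does not. Plain Ruby, no Rails; USERS and Outbox are
# constructed stand-ins for the user table and the mailer.
require 'securerandom'

# Constructed user store: email => record. Only these accounts exist.
USERS = {
  'alice@example.com' => { name: 'alice', reset_token: nil }
}

# Constructed mailer: records what would be sent instead of sending it.
class Outbox
  attr_reader :sent
  def initialize
    @sent = []
  end

  def deliver(to:, token:)
    @sent << { to: to, token: token }
  end
end

# Vulnerable form: the response text differs depending on whether the
# address belongs to a registered user, so anyone submitting the form can
# confirm which user names are valid.
def leaky_reset(email, outbox)
  user = USERS[email]
  return 'No account with that e-mail address.' unless user

  user[:reset_token] = SecureRandom.hex(16)
  outbox.deliver(to: email, token: user[:reset_token])
  'Reset instructions have been sent to your e-mail address.'
end

GENERIC_MESSAGE = 'If that address is registered, reset instructions have been sent.'

# Hardened form: the same message (and, in a real app, the same HTTP status
# and redirect) for every input. The only difference for a real account is
# a side effect the submitter never sees: the mail goes out.
def safe_reset(email, outbox)
  if (user = USERS[email])
    user[:reset_token] = SecureRandom.hex(16)
    outbox.deliver(to: email, token: user[:reset_token])
  end
  GENERIC_MESSAGE
end
```

The same rule applies to the login form itself: "wrong password" and "unknown user" should be one indistinguishable message.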

BTW, I'm glad that LoginSugar, the popular login system generator, has seen a security update after I published several security issues here. If you use it, please download the new version which is now also compatible with Rails 1.2.

Tags: Rails

3 responses so far

  • 1 Dan Kubb // Jun 19, 2007 at 21:20

    Heiko, thanks for the reminder about the OWASP FAQ.

    One list people might not be aware of is the OWASP Top 10 list, which is a top 10 list for common vulnerabilities in 2007. Heiko, if you want an idea for articles, how about a series of articles on how to avoid each one when writing Rails apps.

  • 2 Heiko // Jun 20, 2007 at 12:44

    Dan, I have a link to the Top Ten on the right side of the first page.

    I’m actually planning to write such a document for the OWASP, you’ll be hearing about it in July …

  • 3 Bill Barnard // Jul 17, 2007 at 16:48

    Thanks for publishing all the info & pointers. I’m just getting going on my first real RoR application, and this is a great help.
