Here is an interesting general document about web application security, a list of frequently asked questions: http://www.owasp.org/index.php/OWASP_AppSec_FAQ
It gives good advice on how to design the login process. It describes a best practice for the "Lost Password" feature, which is especially important these days, as there is an increasing number of attacks based on this feature. One thing I have to add in this context: the response to a lost-password request must not reveal whether the submitted user name exists. If the form answers "no such user" for unknown names and "mail sent" for known ones, an attacker can use it to enumerate valid user names, which is the first half of a credential attack, and did you know that a password cracker can check 30,000 passwords a minute over the Internet? Return the same neutral message in both cases and only send the e-mail when the account is real.
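The following is an added example, not code from the original post or from any login library mentioned here. It is a framework-free Ruby sketch of a lost-password service that answers identically whether or not the user name exists: the token is generated with SecureRandom, only its SHA-256 digest is stored, the link expires and is single-use, and the digest comparison is constant-time. The user table, the mailer "outbox" and the reset URL are constructed stand-ins for a real database, mailer and route.

```ruby
require 'securerandom'
require 'digest'

# Added example (not the original post's code). The user name lookup, the
# mailer and the reset URL are stubs; a real app would use its ORM and mailer.

GENERIC_MESSAGE = 'If an account with that user name exists, ' \
                  'a password reset link has been sent to its e-mail address.'
TOKEN_TTL = 60 * 60 # reset links are valid for one hour

class PasswordResetService
  Token = Struct.new(:digest, :expires_at)

  # users: { 'login' => 'mail address' } -- constructed sample data, not a real table
  def initialize(users)
    @users  = users
    @tokens = {} # login => Token; only the SHA-256 digest of the raw token is kept
    @outbox = [] # e-mails "sent" by the stub mailer, so the effect can be inspected
  end

  attr_reader :outbox

  # Returns the same message for known and unknown user names. The only
  # difference is a side effect the requester cannot observe: an e-mail to
  # the address on file. Nothing in the HTTP response tells the two apart.
  def request_reset(login, now = Time.now)
    email = @users[login]
    if email
      raw = SecureRandom.urlsafe_base64(32) # 256 bits of entropy, URL-safe
      @tokens[login] = Token.new(Digest::SHA256.hexdigest(raw), now + TOKEN_TTL)
      # Hypothetical reset route; the raw token goes only into the e-mail.
      @outbox << { to: email, link: "https://example.test/reset/#{raw}" }
    end
    GENERIC_MESSAGE
  end

  # What NOT to do: the error text confirms or denies the account's existence.
  def leaky_request_reset(login)
    return 'No such user.' unless @users[login]
    'A password reset link has been sent.'
  end

  # Consumes a token: must exist, must not be expired, must match the stored
  # digest, and is deleted on first successful use.
  def redeem(login, raw, now = Time.now)
    token = @tokens[login]
    return false unless token && now < token.expires_at
    return false unless constant_time_equal?(token.digest, Digest::SHA256.hexdigest(raw))
    @tokens.delete(login)
    true
  end

  private

  # Compares every byte so a mismatch in the first character takes as long
  # as a mismatch in the last; a plain == would short-circuit.
  def constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

Pair this with per-IP and per-account rate limiting on the lost-password form; a uniform message stops enumeration through the response body, but an attacker who can make tens of thousands of requests a minute can still hammer the mailer, and timing differences between the two code paths (a database lookup plus an e-mail versus nothing) are best masked by handing the mail to a background job.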
BTW, I'm glad that LoginSugar, the popular login system generator, has seen a security update after I published several security issues here. If you use it, please download the new version, which is now also compatible with Rails 1.2.

3 responses so far
1 Dan Kubb // Jun 19, 2007 at 21:20
Heiko, thanks for the reminder about the OWASP faq.
One list people might not be aware of is the OWASP Top 10 list, which is a top 10 list for common vulnerabilities in 2007. Heiko, if you want an idea for articles, how about a series of articles on how to avoid each one when writing Rails apps.
2 Heiko // Jun 20, 2007 at 12:44
Dan, I have a link to the Top Ten on the right side of the first page.
I’m actually planning to write such a document for the OWASP, you’ll be hearing about it in July …
3 Bill Barnard // Jul 17, 2007 at 16:48
Thanks for publishing all the info & pointers. I’m just getting going on my first real RoR application, and this is a great help.