Entries Tagged as 'Rails'
Cross Site Reference Forgery works by including malicious code or a link in a page that accesses a web application to which the user is believed to have authenticated. If the session for that web application has not timed out, an attacker may execute unauthorized commands.
Most Rails applications use cookie-based sessions. Either they store the […]
Tags: Rails · WebAppSec · XSS and Rails
A security advisory has been released for libpng, the "official PNG reference library". Libpng is used by ImageMagick, "a software suite to create, edit, and compose bitmap images". Some Rails applications use it to convert or resize images or to create thumbnails. The original security advisory was issued by oCERT:
Applications using libpng that install […]
Tags: General · Rails
Here are my slides for my talk at the RubyFools Conference in Copenhagen, home of Rails. It was about advanced Rails security topics, including:
Injection in different contexts
Whitelists vs. Blacklists
Cross-Site Reference Forgery (CSRF)
Intranet and Admin security
Session fixation
Login security
User management
CookieStore
Working with files
The idea of negative CAPTCHAs
Slides at Slideshare
Tags: Rails · WebAppSec · XSS and Rails
These days the intranet is coming back. I heard it a couple of times: "Our intranet is safe, there's an authentication system and it can be accessed by hosts from our local IP range only, but no, there are no further security measures." If someone manages to get in, he will be able to do […]
Tags: Rails · XSS and Rails
February 13th, 2008 · 4 Comments
There has been a discussion about whether to untaint or not. A string becomes tainted in Ruby when it comes from an external source, for example. The standard Ruby method untaint marks it as untainted. Plugins such as SafeErb do not allow the programmer to output tainted strings (in Erb) in order to protect the […]
Tags: Rails · Uncategorized · XSS and Rails
Rails 2.0 will include a new default session storage, the CookieStore. It stores the clear text "marshalled" session object in a cookie, which is kept on the client side. Here is an example of a new cookie value:
BAh7BzoMdXNlcl9pZGkKIgpmbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpG%250AbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--be9c1e802c6cf126c722c68002ccbd5684a96dd9
Well, it is actually not clear text, but Base64 encoding. […]
Tags: Rails · Uncategorized
October 28th, 2007 · 9 Comments
There is a serious security leak in the restful_authentication plugin regarding the activation of an account. You can use it to log in without user credentials or to impersonate someone else.
The "activate" method of the controller accepts an empty activation code parameter like this (depending on your routes):
http://localhost:3006/user/activate or http://localhost:3006/activate/?activation_code=
This will create the following SQL: SELECT * […]
Tags: Rails · Uncategorized
The release of Ruby on Rails 1.2.4 addresses some potential security issues; all users of earlier versions are advised to upgrade to 1.2.4.
The following issues have been addressed:
URL-based sessions are no longer enabled by default, as they allowed users to provide their session_id in the URL as well as in cookies. The functionality could be […]
Tags: Rails · XSS and Rails
October 1st, 2007 · 1 Comment
The Rails 2.0 Preview Release is available now, which is great news. The announcement includes a paragraph on security:
"we now ship with a built-in mechanism for dealing with CSRF attacks". Yes, it works fine.
"The old TextHelper#sanitize method has gone from a black list (very hard to keep secure) approach to a white list approach." Very […]
Tags: Rails · XSS and Rails
September 29th, 2007 · No Comments
Good news: The csrf_killer plugin has been merged by Rick for Rails 2.0, so it is available in the current trunk. Go here for the changeset, and here for some documentation.
Furthermore, the insecure text helper methods strip_links, strip_tags and sanitize have been updated, mostly to strip nested tags. Still, I don't recommend using them, as […]
Tags: Rails · XSS and Rails