Ruby on Rails Security Project

Exploring the Security of Rails and friends.

Entries Tagged as 'Rails'

ActionPack: Security

October 1st, 2007 · 1 Comment

The Rails 2.0 Preview Release is available now, which is great news. The announcement includes a paragraph on security:

"We now ship with a built-in mechanism for dealing with CSRF attacks": yes, it works fine.
"The old TextHelper#sanitize method has gone from a black list (very hard to keep secure) approach to a white list approach." Very […]

Tags: Rails · XSS and Rails

Plugins merged and Ruby’s Net::HTTPS

September 29th, 2007 · No Comments

Good news: The csrf_killer plugin has been merged by Rick for Rails 2.0, so it is available in the current trunk. Go here for the changeset, and here for some documentation.
Furthermore, the insecure text helper methods strip_links, strip_tags and sanitize have been updated, mostly to strip nested tags. Still, I don't recommend using them, as […]

Tags: Rails · XSS and Rails

Everything You Always Wanted to Know About Web Application Security - But Were Afraid to Ask

June 19th, 2007 · 3 Comments

Here is an interesting general document about web application security, a list with frequently asked questions: http://www.owasp.org/index.php/OWASP_AppSec_FAQ
It gives good advice on how to design the login process. It describes a best practice for the "Lost Password" feature, which is especially important these days, when an increasing number of attacks target this feature. […]

Tags: Rails

Ajax Security

June 13th, 2007 · No Comments

Several sources, for example this, state that Ajax applications are more complex due to their asynchronous nature, or that Ajax might create more entry points for attackers, while other sources claim the opposite. However, the classes of attacks stay largely the same, so the advice given here applies to Ajax applications as well, especially input and output […]

Tags: Rails