Entries Tagged as 'WebAppSec'
Cross-Site Reference Forgery works by including malicious code or a link in a page that accesses a web application to which the user is believed to have authenticated. If the session for that web application has not timed out, an attacker may execute unauthorized commands.
Most Rails applications use cookie-based sessions. Either they store the […]
Tags: Rails · WebAppSec · XSS and Rails
Here are my slides for my talk at the RubyFools Conference in Copenhagen, home of Rails. It was about advanced Rails security topics, including:
Injection in different contexts
Whitelists vs. Blacklists
Cross-Site Reference Forgery (CSRF)
Intranet and Admin security
Session fixation
Login security
User management
CookieStore
Working with files
The idea of negative CAPTCHAs
Slides at Slideshare
Link to the slides
(You can even recommend me)
Tags: Rails · WebAppSec · XSS and Rails
Spam and automatic submitters really are a problem. One idea to defend against this is CAPTCHAs. CAPTCHAs are noisy images; the user (usually) has to recognize the text in the image and enter it in a field. Although some weak algorithms are already broken, this is a good way to keep junk content away. But […]
Tags: WebAppSec
There's a new sign-in seal on the Yahoo! login page, which is intended to make phishing attacks less likely.
A sign-in seal is a secret message or photo that Yahoo! will display on this computer only. Look for it every time you sign in to make sure you're on a genuine Yahoo! site. If the message, […]
Tags: WebAppSec