Entries Tagged as 'XSS and Rails'
Cross Site Reference Forgery works by including malicious code or a link in a page that accesses a web application to which the user is believed to have authenticated. If the session for that web application has not timed out, an attacker may execute unauthorized commands.
Most Rails applications use cookie-based sessions. Either they store the […]
Tags: Rails · WebAppSec · XSS and Rails
Here are my slides for my talk at the RubyFools Conference in Copenhagen, home of Rails. It was about advanced Rails security topics, including:
Injection in different contexts
Whitelists vs. Blacklists
Cross-Site Reference Forgery (CSRF)
Intranet and Admin security
Session fixation
Login security
User management
CookieStore
Working with files
The idea of negative CAPTCHAs
Slides at Slideshare
Link to the slides
Tags: Rails · WebAppSec · XSS and Rails
These days the intranet is coming back. I have heard it a couple of times: "Our intranet is safe, there is an authentication system and it can be accessed by hosts from our local IP range only." But no, there are no further security measures. If someone manages to get in, he will be able to do […]
Tags: Rails · XSS and Rails
February 13th, 2008 · 4 Comments
There has been a discussion about whether to untaint or not. A string becomes tainted in Ruby when, for example, it comes from an external source. The standard Ruby method untaint marks it as untainted. Plugins such as SafeErb do not allow the programmer to output tainted strings (in Erb) in order to protect the […]
Tags: Rails · Uncategorized · XSS and Rails
There is another security release which once again addresses the to_json vulnerability. It now has a CVE. If you used to_json in a page you generate:
<script type="text/javascript"> var customers = <%= @customers.to_json %>; </script>
you should upgrade to 1.2.5. It also fixes some bugs from 1.2.4.
Tags: Uncategorized · XSS and Rails
The release of Ruby on Rails 1.2.4 addresses some potential security issues; all users of earlier versions are advised to upgrade to 1.2.4.
The following issues have been addressed:
URL-based sessions are no longer enabled by default, as they allowed users to provide their session_id in the URL as well as in cookies. The functionality could be […]
Tags: Rails · XSS and Rails
October 1st, 2007 · 1 Comment
The Rails 2.0 Preview Release is available now, which is great news. The announcement includes a paragraph on security:
"we now ship with a built-in mechanism for dealing with CSRF attacks". Yes, it works fine.
"The old TextHelper#sanitize method has gone from a black list (very hard to keep secure) approach to a white list approach." Very […]
Tags: Rails · XSS and Rails
September 29th, 2007 · No Comments
Good news: The csrf_killer plugin has been merged by Rick for Rails 2.0, so it is available in the current trunk. Go here for the changeset, and here for some documentation.
Furthermore, the insecure text helper methods strip_links, strip_tags and sanitize have been updated, mostly to strip nested tags. Still, I don't recommend using them, as […]
Tags: Rails · XSS and Rails
Oftentimes RedCloth is used to prevent Cross Site Scripting, because it uses a markup other than HTML to format text. "RedCloth is a module for using Textile in Ruby. Textile is a text format. A very simple text format. Another stab at making readable text that can be converted to HTML." For example *a […]
Tags: XSS and Rails
Update: This is about earlier releases. Rails 2.0 provides a new sanitize method which uses a white list. Also, strip_tags and strip_links have been updated, so the attack vectors below do not work anymore.
Rails includes several insecure text helpers, especially strip_tags, strip_links and sanitize. Do not rely on these, as they do not fulfill what […]
Tags: XSS and Rails