8. Session Hijacking
● Sniff the cookie in an insecure network.
● Most people don’t clear out the cookies after working at a public terminal
● Cross-Site Scripting (XSS)
● CSS Injection
● Header Injection
9. config.force_ssl = true
● If you have http assets on an https page, the user’s browser will display a mixed-content warning in the browser bar.
● Rails does most of the work for you, but if you have any hard-coded “http://” internal links or images, make sure you change them.
10. Session Expiry
class Session < ActiveRecord::Base
  # Remove sessions idle for longer than `time` (default: 1 hour) and
  # any session older than two days regardless of activity.
  def self.sweep(time = 1.hour)
    # Accept a string such as "20 minutes" as well as a duration.
    if time.is_a?(String)
      time = time.split.inject { |count, unit| count.to_i.send(unit) }
    end

    delete_all "updated_at < '#{time.ago.to_s(:db)}' OR
      created_at < '#{2.days.ago.to_s(:db)}'"
  end
end
11. Provide the user with a log-out button in the web application, and make it prominent.
17. CSRF Countermeasures
Be RESTful
Use GET if:
● The interaction is more like a question (i.e., it is a safe operation such as a
query, read operation, or lookup).
Use POST if:
● The interaction is more like an order, or
● The interaction changes the state of the resource in a way that the user
would perceive (e.g., a subscription to a service), or
● The user is held accountable for the results of the interaction.
protect_from_forgery :secret => "123456789012345678901234567890..."
20. SQL Injection
● Project.where("name = '#{params[:name]}'")
  Resulting SQL: SELECT * FROM projects WHERE name = '' OR 1'
● User.first("login = '#{params[:name]}' AND password = '#{params[:password]}'")
  Resulting SQL: SELECT * FROM users WHERE login = '' OR '1'='1' AND password = '' OR '2'>'1' LIMIT 1
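An added example, not from the slides or the Rails guide, that renders the two query shapes above both with raw interpolation and through a minimal stand-in for ActiveRecord's `?`-placeholder quoting; `quote_literal` and `bind_sql` are assumed helpers written here, and the sample inputs are constructed. In real Rails code the fix is `Project.where("name = ?", params[:name])` or `Project.where(name: params[:name])`.

```ruby
# Stand-in for quoting a SQL string literal: wrap in single quotes and
# double any embedded single quote, so the value stays a literal.
def quote_literal(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Stand-in for ActiveRecord's placeholder binding: each `?` in the
# template is replaced by the quoted form of the matching bind value.
def bind_sql(template, *binds)
  raise ArgumentError, "bind count mismatch" unless template.count("?") == binds.size
  i = -1
  template.gsub("?") { quote_literal(binds[i += 1]) }
end

# The vulnerable shape from the slide: the parameter is interpolated raw.
def interpolated_query(name)
  "SELECT * FROM projects WHERE name = '#{name}'"
end

# The safe shape: the same value goes through placeholder binding.
def bound_query(name)
  bind_sql("SELECT * FROM projects WHERE name = ?", name)
end

# Same pair for the login query on the slide.
def interpolated_login(login, password)
  "SELECT * FROM users WHERE login = '#{login}' AND password = '#{password}' LIMIT 1"
end

def bound_login(login, password)
  bind_sql("SELECT * FROM users WHERE login = ? AND password = ? LIMIT 1", login, password)
end

if __FILE__ == $0
  # Constructed inputs that reproduce the two result lines on the slide.
  puts interpolated_query("' OR 1")
  puts bound_query("' OR 1")
  puts interpolated_login("' OR '1'='1", "' OR '2'>'1")
  puts bound_login("' OR '1'='1", "' OR '2'>'1")
end
```

With binding, the quote inside the input is doubled and the whole value becomes one literal, so the `OR` never reaches the SQL grammar.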
22. Tools
● Brakeman - A static analysis security vulnerability scanner for Ruby on Rails applications
● RoRSecurity – explore Rails security
● Techniques to Secure your Website with RoR
23. Summary
The security landscape shifts and it is important to keep up to date, because missing a new vulnerability can be catastrophic.