Security Checklist of Ruby on Rails - Pre and Post Project Delivery

This manual describes common security problems in web applications and how to avoid them with Rails.

Secure coding checklist: Ruby on Rails

Session fixation :
Attack vector/vulnerability, followed by its solutions:
input/output validation
  • white-list filtering as early as possible
  • use SafeERB, XSS Shield, etc.
  • use .find(params[:id]) only with additional parameters or @user.order.find(id)
  • SQL injections
    • use bind variables and an array for SQL queries using .find
    • use sanitize_sql() or prepared statement for remote SQL queries
  • use protect_from_forgery (CSRF)
  • use escape methods for
    • Shell
    • LDAP
    • ...
  • Mass Assignment
    • use attr_accessible
    • don't pass user-data to .new or .create
  • take care with redirect_to
session handling
  • use SSL
  • use strong passwords only
    • 6 characters
    • numbers and letters
    • verify with cracklib-ruby
  • use password salt
  • use key derivation function for further processing (RFC 2898)
  • use a random+changing :secret for the Cookies
  • all controller actions are public
  • reset_session at login
  • limit admin interface to sub-net or localhost
  • ActionController::Base.session_options[:session_secure] = true
  • Cookie life-time has to be enforced on the server side
  • do NOT store secret information in a Cookie (it is only base64 encoded)
  • use CAPTCHAs to stop scripted attacks
  • bind IP address to Session-ID
  • re-authenticate before executing security-relevant actions
    • changing password
    • changing email address
    • changing repo URL
    • ...
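
The password items above (strength check, salt, RFC 2898 key derivation) combined in one added example; it is not code from the original checklist. The iteration count, salt and key sizes, and the reading of "6 characters" as a minimum are assumptions.

```ruby
require "openssl"
require "securerandom"

# Assumed parameters, not taken from the checklist.
KDF_DIGEST     = "SHA512"
KDF_ITERATIONS = 200_000
SALT_BYTES     = 16
KEY_BYTES      = 64

# Checklist policy read as a minimum: 6+ characters with letters and numbers.
def acceptable_password?(password)
  password.length >= 6 && password.match?(/[A-Za-z]/) && password.match?(/\d/)
end

# PBKDF2 is the key derivation function specified in RFC 2898.
def pbkdf2(password, salt, iterations, length, digest)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations, length,
                             OpenSSL::Digest.new(digest))
end

# Build the record to store: a fresh random salt per password, the KDF
# parameters, and the derived key. The password itself is never stored.
def hash_password(password, iterations: KDF_ITERATIONS)
  salt = SecureRandom.random_bytes(SALT_BYTES)
  key  = pbkdf2(password, salt, iterations, KEY_BYTES, KDF_DIGEST)
  { digest: KDF_DIGEST, iterations: iterations,
    salt: salt.unpack1("H*"), key: key.unpack1("H*") }
end

# Compare without stopping at the first differing byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Re-derive with the stored salt and parameters, then compare.
def verify_password(password, record)
  expected = [record[:key]].pack("H*")
  actual = pbkdf2(password, [record[:salt]].pack("H*"),
                  record[:iterations], expected.bytesize, record[:digest])
  secure_equal?(actual, expected)
end
```

Storing the digest name and iteration count in each record lets the parameters be raised later without invalidating existing accounts.
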
very dangerous methods/functions
  • system()
  • popen()
  • `` (backticks)
  • eval()
  • deserialize()
information leak
  • short error messages, no full back-trace!
  • filter_parameter_logging
  • remove backup files periodically
  • use .find(params[:id]) only with additional parameters or @user.order.find(id)
  • use bind variables or the like for SQL queries using .find
file uploads and downloads
  • use hash of filename instead of real name
  • put them in a DB and use an ID
  • deny direct download of files
    • put them outside of DocumentRoot
  • deny suffixes like: rb, cgi, php, erb, html, ...
  • deny ../ and / in name
  • always set correct Content-Type
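
One way to apply the upload rules above before anything touches the disk, as an added example that is not part of the original checklist. The allow-list of suffixes with their Content-Type values, the function name and the random nonce mixed into the hash are assumptions.

```ruby
require "digest"
require "securerandom"

# Suffixes named in the checklist.
DENIED_SUFFIXES = %w[rb cgi php erb html].freeze
# Hypothetical allow-list: the only suffixes accepted, with the
# Content-Type the server will send when the file is downloaded.
ALLOWED_TYPES = {
  "png" => "image/png", "jpg" => "image/jpeg",
  "pdf" => "application/pdf", "txt" => "text/plain"
}.freeze

class UploadRejected < StandardError; end

# Validate the client-supplied name and decide how the file is stored.
# Returns the storage name (a hash, never the real name) and the
# Content-Type to serve it with.
def plan_upload(client_name, nonce: SecureRandom.hex(16))
  name = client_name.to_s
  if name.include?("/") || name.include?("\\") ||
     name.include?("..") || name.include?("\0")
    raise UploadRejected, "path separator or traversal in name"
  end

  parts = name.downcase.split(".")
  if parts.length < 2 || parts.first.empty?
    raise UploadRejected, "missing base name or suffix"
  end

  # Check every suffix, so "shell.php.png" does not slip through.
  suffixes = parts.drop(1)
  raise UploadRejected, "denied suffix" if (suffixes & DENIED_SUFFIXES).any?

  content_type = ALLOWED_TYPES[suffixes.last]
  raise UploadRejected, "suffix not on allow-list" if content_type.nil?

  # The nonce keeps two uploads with the same name from colliding.
  { stored_as: Digest::SHA256.hexdigest("#{nonce}:#{name}"),
    content_type: content_type,
    original_name: name } # keep in the DB, next to the record ID
end
```
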
sensitive information
  • standards and acts: PCI DSS, HIPAA, SOX, ...
  • encrypt
  • keep them in memory as short as possible
  • create audit records for access
  • do not log the data itself to avoid leaking
cryptography
  • use OpenSSL
  • no hard-coded algorithms etc.
  • use only
    • AES with 256 bit key
    • SHA-2 with 512 bit
    • RSA, DSA, DH with 2048 bit key
    • CTR or CBC mode
  • fresh random numbers from /dev/random or /dev/urandom
  • avoid stream ciphers
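
The cryptography items above put together with Ruby's OpenSSL binding, as an added example that is not part of the original checklist: AES-256 in CBC mode, a fresh random IV per message, and algorithm names read from configuration. Authenticating the ciphertext with HMAC-SHA-512 goes beyond the list and is an addition here, since CBC alone does not detect tampering; the function names and message layout are assumptions.

```ruby
require "openssl"

# Algorithm names live in configuration, not in the call sites.
CRYPTO_CONFIG = { cipher: "aes-256-cbc", mac_digest: "SHA512" }.freeze

class TamperedMessage < StandardError; end

def mac_for(data, mac_key, cfg)
  OpenSSL::HMAC.digest(OpenSSL::Digest.new(cfg[:mac_digest]), mac_key, data)
end

# Compare without stopping at the first differing byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Encrypt, then authenticate. Layout of the result: IV | ciphertext | MAC.
def seal(plaintext, enc_key, mac_key, cfg = CRYPTO_CONFIG)
  cipher = OpenSSL::Cipher.new(cfg[:cipher]).encrypt
  cipher.key = enc_key
  iv = cipher.random_iv # fresh random IV for every message
  ciphertext = cipher.update(plaintext) + cipher.final
  body = iv + ciphertext
  body + mac_for(body, mac_key, cfg)
end

# Verify the MAC first; decrypt only data that passed the check.
def open_sealed(blob, enc_key, mac_key, cfg = CRYPTO_CONFIG)
  decipher = OpenSSL::Cipher.new(cfg[:cipher]).decrypt
  tag_len = OpenSSL::Digest.new(cfg[:mac_digest]).digest_length
  iv_len = decipher.iv_len
  raise TamperedMessage, "too short" if blob.bytesize < iv_len + tag_len

  body = blob.byteslice(0, blob.bytesize - tag_len)
  tag = blob.byteslice(-tag_len, tag_len)
  unless secure_equal?(tag, mac_for(body, mac_key, cfg))
    raise TamperedMessage, "MAC mismatch"
  end

  decipher.key = enc_key
  decipher.iv = body.byteslice(0, iv_len)
  decipher.update(body.byteslice(iv_len, body.bytesize - iv_len)) + decipher.final
end
```

Generate the two keys independently, for example with `SecureRandom.random_bytes(32)` for the cipher key, which draws on the operating system's random source.
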


References:
http://guides.rubyonrails.org/security.html
http://en.opensuse.org/SDB:Secure_coding_checklist:_Ruby_on_Rails