In the web world, security matters most, whether you are working on a small-scale application or a multi-module, large-scale application. The Ruby on Rails framework provides the security any application needs, but only if you use it the Ruby on Rails (RoR) way. Here is some information on how to make better use of security within the MVC structure.
When metacharacters are injected into your database queries, that is a security issue. RoR has support for avoiding SQL injection if you follow its conventions when issuing queries to your database.
— Injection is a class of attacks that introduce malicious code or parameters into a web application in order to run it within its security context. Prominent examples of injection are cross-site scripting (XSS) and
Injection is very tricky, because the same code or parameter can be malicious in one context, but totally harmless in another. A context can be a scripting, query or programming language, the shell or a Ruby/Rails
method. The following sections will cover all important contexts where injection attacks may happen. The first section, however, covers an architectural decision in connection with Injection.
Before data is saved to the database, it needs verification based on the application's requirements.
- It is easy to manage nil values using :allow_nil, which is quite handy. For example, set :allow_nil => true in validates_uniqueness_of to check the uniqueness of non-nil values and ignore nil values.
- validates_presence_of is not required if you are using validates_format_of, unless the regular expression accepts an empty string.
Creating records directly from parameters
When creating database records directly from form params, a malicious user can add extra fields to the params and submit the page manually, which sets values of fields you do not want the user to set.
Use private and protected in controllers for methods that should not be actions. Actions are public methods and can be invoked from the browser.
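The tampered-params problem above, written out in plain Ruby as an added example (not code from the original post, and no Rails is loaded): a constructed request carries an extra "admin" field, the unchecked assignment lets it through, and an allow-list filter modelled on Rails attribute protection drops it. The User class, permit helper and TAMPERED_PARAMS are assumptions made for this illustration.

```ruby
require 'set'

# Constructed request parameters: the form only shows name and email,
# but the submitter has appended an extra "admin" field by hand.
TAMPERED_PARAMS = {
  'name'  => 'mallory',
  'email' => 'mallory@example.com',
  'admin' => '1'
}.freeze

# Allow-list filter. Returns the permitted subset of params and the list of
# keys that were dropped, so the controller can log the rejected ones.
def permit(params, allowed)
  allowed = allowed.map(&:to_s).to_set
  clean = params.select { |key, _| allowed.include?(key.to_s) }
  rejected = params.keys.map(&:to_s).reject { |key| allowed.include?(key) }
  [clean, rejected]
end

# Toy model standing in for an ActiveRecord record (assumption: plain Ruby
# with no Rails loaded, so the assignment mechanics are written out by hand).
class User
  attr_accessor :name, :email, :admin
  PERMITTED = %w[name email].freeze

  def initialize
    @admin = false
  end

  # Vulnerable: every key in the request reaches a setter, the equivalent of
  # building the record straight from the raw form params.
  def assign_unchecked(params)
    params.each { |key, value| public_send("#{key}=", value) if respond_to?("#{key}=") }
    self
  end

  # Hardened: only allow-listed attributes reach the setters; the injected
  # "admin" key never touches the record.
  def assign_permitted(params)
    clean, _rejected = permit(params, PERMITTED)
    assign_unchecked(clean)
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "unchecked admin: #{User.new.assign_unchecked(TAMPERED_PARAMS).admin.inspect}"
  puts "permitted admin: #{User.new.assign_permitted(TAMPERED_PARAMS).admin.inspect}"
end
```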
Always authorize user requests. By tweaking form parameters or the URL, a user can send a request to view or modify other users' information if there is no proper authorization of the parameters.
E.g. @post = User.find(:all)          (Incorrect)
     @post = @user.posts.find(:all)   (Correct)
Filter sensitive logs
Prevent logging of sensitive unencrypted data using #filter_parameter_logging in the controller. The default behaviour is to log request parameters in the production as well as the development environment, and you do not want passwords, credit card numbers, etc. to be logged.
Cross-Site Reference (or Request) Forgery (CSRF)
In a CSRF attack, the attacker makes the victim click on a link of his choice which carries a GET/POST request and causes the web application to take a malicious action. The link could be embedded in an iframe or an img tag. It is
recommended to use a secret token when communicating with the user to avoid this attack. Since the token is only verified on non-GET requests, GET requests must never change state.
Minimize session attacks
If an attacker has the session-id of your user, he can craft HTTP requests to access the user's account. An attacker can obtain the session-id by direct access to the user's machine or by successfully running malicious scripts on the user's machine. In this section we will talk about how to avoid or minimize the risk if the attacker has the user's session-id. The following steps are helpful:
1. Store the IP address with the session, but this creates problems if the user moves from one network to another.
2. Create a new session every time someone logs in.
3. Expire the session on user logout, when the user has been idle for a period of time, or on closing of the browser/tab. For maximum security, expire sessions on all three conditions.
Stop spam on your website using a DNS Blacklist
Deny access to your website from IP addresses that are listed in a DNS Blacklist (DNSBL).
Plugin – DNSBL check
Caching authenticated pages
Page caching bypasses any security filters in your application, so avoid caching authenticated pages and use action or fragment caching instead.
Cross site scripting (XSS) attack
to escape HTML meta characters.
Plugin – White_list
Anti-spam form protection
1. Images are rendered on the web page using send_data and are not stored on the server, because there is no need to store them and stored copies would be redundant.
2. Avoid using the algorithm used by standard Captcha plugins, as it can easily be broken; instead tweak an existing algorithm or write your own.
3. Use a Captcha that does not store the secret code or images in the filesystem, as you will have trouble using such a Captcha with multiple servers.
Hide mailto links
Mailto links in a web page can be harvested by e-mail harvesting bots. Use the CipherMail plugin to generate a 1024-bit random key and obfuscate the mailto link.
Plugin – CipherMail