MVC security for Rails

In the web world security matters whether you are working on a small application or a large multi-module one. Ruby on Rails provides most of the protection an application needs, but only if you do things the Ruby on Rails (RoR) way. Here is some information on how to make better use of that protection within the MVC structure.

Model

SQL Injection

When metacharacters from user input end up inside the queries you send to the database, that is a security issue. RoR has support for avoiding SQL injection if you follow its conventions when issuing queries to your database: pass user data as placeholder binds (:conditions => ["name = ?", params[:name]] in Rails 2, where("name = ?", params[:name]) or a hash condition in Rails 3 and later), never by interpolating it into the SQL string.

— Injection is a class of attacks that introduce malicious code or parameters into a web application in order to run it within its security context. Prominent examples of injection are cross-site scripting (XSS) and SQL injection.

Injection is very tricky, because the same code or parameter can be malicious in one context, but totally harmless in another. A context can be a scripting, query or programming language, the shell or a Ruby/Rails method. The following sections will cover all important contexts where injection attacks may happen. The first section, however, covers an architectural decision in connection with Injection.
Source [http://guides.rubyonrails.org/security.html#injection]
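The following is an added example, not code from the original post or from Rails itself. It shows in plain Ruby why string interpolation is injectable and how placeholder binds neutralise the same input. The sql_quote/sanitize_sql_array helpers are a stand-in for what ActiveRecord's sanitize_sql_array does for string binds (single quotes doubled); the payload and the users table are constructed for the example.

```ruby
# Stand-in for ActiveRecord's quoting: integers pass through, nil becomes
# NULL, strings are wrapped in single quotes with embedded quotes doubled.
def sql_quote(value)
  case value
  when Integer then value.to_s
  when nil     then "NULL"
  else "'" + value.to_s.gsub("'", "''") + "'"
  end
end

# Replace each ? in the fragment with its quoted bind, the way
# Model.find(:all, :conditions => ["name = ?", params[:name]]) does.
def sanitize_sql_array(fragment, *binds)
  raise ArgumentError, "bind count mismatch" unless fragment.count("?") == binds.size
  binds = binds.dup
  fragment.gsub("?") { sql_quote(binds.shift) }
end

# Vulnerable: user input spliced straight into the SQL string.
def unsafe_where(name)
  "SELECT * FROM users WHERE name = '#{name}'"
end

# Safe: the same query built through placeholders.
def safe_where(name)
  "SELECT * FROM users WHERE " + sanitize_sql_array("name = ?", name)
end

# Constructed attacker input: closes the literal and tacks on a tautology.
PAYLOAD = "' OR '1'='1"

puts unsafe_where(PAYLOAD)   # tautology becomes part of the WHERE clause
puts safe_where(PAYLOAD)     # whole payload stays inside one string literal
```

The quoted form still contains the attacker's text, but as a single string literal the database compares against the name column; the interpolated form hands the attacker control of the WHERE clause.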

Activerecord Validation
Before data is saved to the database it needs to be verified against the application's requirements.

Useful Tips

– It is easy to manage nil values using :allow_nil, which is quite handy. For example, set :allow_nil => true in validates_uniqueness_of to check the uniqueness of non-nil values and ignore nil values.

– validates_presence_of is not required if you are using validates_format_of, unless the regular expression accepts the empty string.

Source [http://www.quarkruby.com/2007/9/20/ruby-on-rails-security-guide#validation]
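An added example (not from the original post) that runs without Rails: a plain-Ruby stand-in for validates_format_of and validates_uniqueness_of showing when the regular expression still lets an empty value through, and, going one step beyond the tip above, why a regex anchored with ^ and $ rather than \A and \z accepts multi-line input. The regexes and the in-memory row list are constructed for the example.

```ruby
# What validates_format_of does at its core: the value must match the regex.
def format_valid?(value, regex)
  !!(value.to_s =~ regex)
end

# "*" allows zero characters, so "" passes and validates_presence_of is still
# needed alongside this format check.
LOOSE_USERNAME  = /\A[a-z0-9_]*\z/

# "+" demands at least one character, so "" fails and presence is implied.
STRICT_USERNAME = /\A[a-z0-9_]+\z/

# In Ruby, ^ and $ match at line boundaries, not string boundaries: a value
# whose first line is clean matches even if later lines carry anything.
LINE_ANCHORED   = /^[a-z0-9_]+$/

# True when the format regex alone would accept an empty value.
def presence_required?(regex)
  format_valid?("", regex)
end

# Mimic validates_uniqueness_of :email, :allow_nil => true against the
# values already stored in a table (constructed list, not a real query).
def unique?(existing, value, allow_nil: false)
  return true if value.nil? && allow_nil
  !existing.include?(value)
end

puts "loose regex needs presence check: #{presence_required?(LOOSE_USERNAME)}"
puts "multi-line input passes ^$: #{format_valid?("bob\n<script>", LINE_ANCHORED)}"
```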

Creating records directly from parameters
When creating database records directly from form params, a malicious user can add extra fields to the params and submit the form by hand, setting attributes you never intended the user to set (an admin flag, for instance). Whitelist the attributes a form may assign (attr_accessible in Rails 2 and 3, strong parameters from Rails 4) instead of passing params straight to new, create or update_attributes.

source [http://www.quarkruby.com/2007/9/20/ruby-on-rails-security-guide#crdfp]
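An added example, not from the original post: a plain-Ruby User class standing in for an ActiveRecord model, built once from raw params and once from a whitelisted subset. The whitelist function plays the role attr_accessible or params.permit plays in Rails; the tampered submission is constructed.

```ruby
# Stand-in for a model: assigns every key it is given, as the
# mass-assignment path of an ActiveRecord model does without a whitelist.
class User
  attr_accessor :name, :email, :admin

  def initialize(attrs = {})
    @admin = false
    attrs.each { |k, v| public_send("#{k}=", v) }
  end
end

# The only attributes a signup form is allowed to set (assumed policy).
ASSIGNABLE = %w[name email]

# Keep only whitelisted keys; accepts string or symbol keys because that is
# how request params arrive.
def permitted(params, allowed = ASSIGNABLE)
  params.select { |k, _| allowed.include?(k.to_s) }
end

# Constructed attacker submission: a hidden "admin" field added to the form.
TAMPERED = { "name" => "mallory", "email" => "m@example.com", "admin" => true }

def user_from_raw(params)        # vulnerable: attacker's admin flag sticks
  User.new(params)
end

def user_from_permitted(params)  # fixed: the extra field is dropped
  User.new(permitted(params))
end

puts "raw:       admin=#{user_from_raw(TAMPERED).admin}"
puts "permitted: admin=#{user_from_permitted(TAMPERED).admin}"
```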

Controller

Exposing methods

Use private and protected in controllers for methods that should not be actions. Actions are public methods and can be invoked from the browser.

Authorize parameters

Always authorize the user's request. By tweaking form parameters or the URL a user can send a request to view or modify other users' information if the parameters are not properly authorized. Scope every lookup through the current user instead of the whole table:

Eg, @post = Post.find(params[:id]) (Incorrect: any logged-in user can fetch any post by id)
@post = @user.posts.find(params[:id]) (Correct: only the current user's posts can be found)
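An added example, not from the original post: the unscoped and scoped lookups above reproduced over an in-memory post table so the difference can be run without Rails. Post, POSTS and NotFound are constructed stand-ins; NotFound plays the part of ActiveRecord::RecordNotFound, which Rails turns into a 404.

```ruby
class NotFound < StandardError; end

Post = Struct.new(:id, :user_id, :title)

# Constructed sample rows: two users, one post each.
POSTS = [
  Post.new(1, 10, "alice's draft"),
  Post.new(2, 20, "bob's draft"),
].freeze

# Post.find(params[:id]): unscoped, so any logged-in user reaches any post.
def find_post_unscoped(id)
  POSTS.find { |p| p.id == id } or raise NotFound
end

# @user.posts.find(params[:id]): scoped to the owner, so a tampered id
# yields "not found" instead of someone else's record.
def find_post_for(user_id, id)
  POSTS.find { |p| p.user_id == user_id && p.id == id } or raise NotFound
end

# What a controller cares about: can this user see this post?
def authorized?(user_id, id)
  find_post_for(user_id, id)
  true
rescue NotFound
  false
end

puts "user 10 reading post 2 unscoped: #{find_post_unscoped(2).title}"
puts "user 10 reading post 2 scoped:   #{authorized?(10, 2)}"
```

Note that params[:id] arrives as a string in a real controller; convert it with Integer(params[:id]) (or let ActiveRecord cast it) before comparing.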

Filter sensitive logs

Prevent sensitive unencrypted data from reaching the logs using filter_parameter_logging in the controller (config.filter_parameters in Rails 3 and later). The default behavior is to log request parameters in production as well as development, and you do not want passwords, credit card numbers, etc. written to disk.
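An added example, not from the original post or Rails: a plain-Ruby re-implementation of what filter_parameter_logging :password does to the params hash before it is logged (recursive walk, case-insensitive substring match on the key, value replaced by "[FILTERED]"). The key list and the request params are constructed for the example.

```ruby
# Keys whose values must never be logged (assumed list for the example).
FILTERED_KEYS = %w[password card_number cvv].freeze

# Return a copy of params with sensitive values replaced. Matching on a
# substring of the key is what catches password_confirmation as well.
def filter_params(params, keys = FILTERED_KEYS)
  case params
  when Hash
    params.each_with_object({}) do |(k, v), out|
      out[k] = if keys.any? { |s| k.to_s.downcase.include?(s) }
                 "[FILTERED]"
               else
                 filter_params(v, keys)
               end
    end
  when Array
    params.map { |v| filter_params(v, keys) }
  else
    params
  end
end

# Constructed request params, shaped as a controller would receive them.
REQUEST_PARAMS = {
  "user"    => { "email" => "a@example.com", "password" => "hunter2",
                 "password_confirmation" => "hunter2" },
  "payment" => { "card_number" => "4111111111111111", "amount" => "19.99" },
  "tags"    => ["a", { "Password" => "nested" }],
}.freeze

puts filter_params(REQUEST_PARAMS).inspect
```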

Cross Site Request Forgery (CSRF)

In a CSRF attack the attacker makes the victim load a page or click a link of his choice that sends a GET or POST request to your application, so the application performs an action inside the victim's authenticated session. The request can be hidden in an iframe or an img tag on the attacker's page. It is recommended to include a secret token in every state-changing form (protect_from_forgery in Rails) and never to change state in response to a GET request, since image and link requests carry no token.
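An added example, not from the original post: the secret-token check that protect_from_forgery performs, written in plain Ruby. The token is generated once per session and must be echoed back in a hidden form field or header on every non-GET request; a page on another origin cannot read the victim's session, so it cannot supply it. The function names and the session hash layout are assumptions for the example; the forged request values are constructed.

```ruby
require "securerandom"

# Rails keeps the token in the session and emits it into forms; generate it
# lazily so every session gets its own unpredictable value.
def csrf_token_for(session)
  session[:_csrf_token] ||= SecureRandom.base64(32)
end

# Compare without short-circuiting on the first differing byte, so a
# submitted token cannot be guessed byte by byte through response timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# GET and HEAD are exempt because they must not change state; every other
# method needs a token matching the one in the session.
def verified_request?(method, session, submitted)
  return true if %w[GET HEAD].include?(method.to_s.upcase)
  expected = session[:_csrf_token]
  return false if expected.nil? || submitted.nil?
  secure_compare(expected, submitted)
end

session = {}
token = csrf_token_for(session)
puts "genuine POST accepted: #{verified_request?("POST", session, token)}"
puts "cross-site POST accepted: #{verified_request?("POST", session, nil)}"
```

The exemption for GET is exactly why the text above warns against state changes on GET: an img tag can make a GET request with the victim's cookies and no token is ever checked.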

Minimize session attacks

If an attacker has the session id of one of your users, he can craft HTTP requests that access the user's account. An attacker can obtain the session id by direct access to the user's machine or by running malicious script in the user's browser. This section covers how to avoid or minimize the risk once the attacker holds a session id. The following steps help:

1. Store the client IP address in the session and reject requests from a different address; this breaks for users who move from one network to another, so it is a trade-off.
2. Create a new session (reset_session in Rails) every time someone logs in, so an id the attacker already knew before login is never upgraded to an authenticated one (this also defeats session fixation).
3. Expire the session on logout, after the user has been idle for a period, and on closing of the browser/tab. For maximum security expire sessions on all three conditions.
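An added example, not from the original post: a minimal in-memory session store that applies steps 2 and 3 above (rotate the id on login, destroy on logout, expire on idle). The store, its idle limit and the injectable clock are assumptions for the example; in Rails step 2 is a call to reset_session in the login action, and the idle check would live in a before_filter.

```ruby
require "securerandom"

class SessionStore
  IDLE_LIMIT = 15 * 60   # seconds; assumed policy for the example

  # The clock is injectable so expiry can be exercised without sleeping.
  def initialize(clock: -> { Time.now })
    @clock = clock
    @sessions = {}       # id => { user_id:, last_seen: }
  end

  def new_session
    id = SecureRandom.hex(16)
    @sessions[id] = { user_id: nil, last_seen: @clock.call }
    id
  end

  # Step 2: never carry the pre-login id into the authenticated session.
  def login(old_id, user_id)
    @sessions.delete(old_id)
    id = new_session
    @sessions[id][:user_id] = user_id
    id
  end

  # Step 3: logout destroys the server-side record, so a copied id is useless.
  def logout(id)
    @sessions.delete(id)
  end

  # Step 3: idle expiry. Returns the user id for a live session, nil otherwise.
  def current_user(id)
    s = @sessions[id] or return nil
    if @clock.call - s[:last_seen] > IDLE_LIMIT
      @sessions.delete(id)
      return nil
    end
    s[:last_seen] = @clock.call
    s[:user_id]
  end
end

store = SessionStore.new
before = store.new_session
after = store.login(before, 42)
puts "id rotated on login: #{before != after}"
puts "old id still works: #{!store.current_user(before).nil?}"
```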

Stop spam on your website with a DNS blacklist

Deny access to your website from IP addresses that appear in a DNS blacklist (DNSBL).

Plugin – DNSBL check
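An added example, not from the original post or the plugin: the lookup a DNSBL check performs, in plain Ruby. A DNSBL is queried by reversing the IPv4 octets under the list's zone and asking for an A record; any answer means the address is listed, NXDOMAIN means it is not. The resolver is injectable so the block runs offline; the zone name is only an example, and private ranges are skipped because no public list carries them.

```ruby
require "resolv"
require "ipaddr"

# 192.0.2.10 checked against zone Z becomes the name 10.2.0.192.Z
def dnsbl_query_name(ip, zone)
  addr = IPAddr.new(ip)
  raise ArgumentError, "IPv4 only" unless addr.ipv4?
  ip.split(".").reverse.join(".") + "." + zone
end

PRIVATE_RANGES = %w[10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8]
                 .map { |n| IPAddr.new(n) }.freeze

def private_ip?(ip)
  addr = IPAddr.new(ip)
  PRIVATE_RANGES.any? { |n| n.include?(addr) }
end

# true when the list answers, false on NXDOMAIN or for addresses we never
# query. A before_filter would call this and render 403 on true.
def dnsbl_listed?(ip, zone, resolver: Resolv::DNS.new)
  return false if private_ip?(ip)
  resolver.getaddress(dnsbl_query_name(ip, zone))
  true
rescue Resolv::ResolvError
  false
end

puts dnsbl_query_name("192.0.2.10", "zen.spamhaus.org")
```

Resolv::DNS#getaddress raises Resolv::ResolvError when the name does not resolve, which is the "not listed" case here; a transport failure (timeout) is a different exception and is left to propagate so a DNS outage is visible rather than silently allowing every client.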

Caching authenticated pages

Page caching bypasses every filter in your application: the cached HTML is served straight by the web server, so Rails never runs your authentication before_filter. Avoid page caching for authenticated pages and use action or fragment caching instead, both of which still run the controller filters.

Source [http://www.quarkruby.com/2007/9/20/ruby-on-rails-security-guide#controller]

View

Cross site scripting(XSS) attack

Cross Site Scripting is an attack on web applications that lets a malicious user inject code into pages viewed by other users. The attacker can take over a user's login by stealing his session cookie: the most common method is to place JavaScript on the page that sends the cookie to a server the attacker controls. To avoid the attack, escape HTML metacharacters in everything you output that came from a user; the browser then shows the payload as text instead of executing it. Ruby on Rails has built-in helpers for this: html_escape() (aliased h()), url_encode() for values placed into URLs, and sanitize() for the rare case where a limited set of HTML tags must be allowed through. Rails 3 and later escape view output by default; only strings explicitly marked with raw or html_safe bypass it.

Plugin – White_list

Anti-spam form protection

Use a CAPTCHA or JavaScript-based form protection to ensure only humans can submit forms successfully. When using a CAPTCHA, ensure the following:

1. Images are rendered to the page with send_data and are not stored on the server; storing them is unnecessary and they only accumulate.
2. Avoid using the algorithm of a standard CAPTCHA plugin unchanged, as those are easily broken; tweak an existing algorithm or write your own.
3. Use a CAPTCHA that does not store the secret code or images in the filesystem, or you will have trouble running it across multiple servers.

Hide mailto links

Mailto links on a page are picked up by e-mail harvesting bots. Use the CipherMail plugin, which generates a 1024 bit random key and obfuscates the mailto link.

Plugin – CipherMail

Source [http://www.quarkruby.com/2007/9/20/ruby-on-rails-security-guide#view]
