Using HTTP

To Documents

Rails Security

The Top 10 Reasons Web Sites Get Hacked

Reference: www.networkworld.com/article/2286560/lan-wan/
the-top-10-reasons-web-sites-get-hacked.html

Here are the 10 methods that this article lists:

Cross site scripting (XSS)
SQL Injection attacks
Malicious file execution
Cross site request forgery
Insecure direct object reference
Information leakage through error messages
Broken authentication and session management
Insecure crypographic storage
Insecure communications
Failure to restict URL access

Let's examine some of these methods in more detail.

Cross Site Scripting (XSS)

Cross site scripting can occur when a user uploads content, to be displayed on a website, such as a social media site.
A normal comment would be something like
```
I love puppies.
```

A more devious comment might be

I love puppies.<script type="text/javascript" 
   src="<a href='http://malicious-site.js'>"</script>

When the script is encountered on the page, it is executed.

Such a comment can be obfuscated by translating some or all of the characters to hex:

I love puppies.%3Cscript%25%20type%3D%22text/javascript%22 
   src%3D"%3Ca href%3D%22http%3A%2F%2Fmalicious-site.js%22%3E%3C%2Fscript%3E

The key to preventing XSS attacks is to sanitize the user input HTML code, for example, by stripping HTML tags entirely, or by replacing tags with their literal representation. For example,
```
<script
```
would be replaced by
```
&lt;script
```
However, some sites want to allow the user to input HTML code to style their content, for example
```
I <b>love</b> puppies.
```
In this situation, sanitizing HTML code is more complicated.
On older browsers, Javascript code could be executed in unexpected places:
```
<img src="javascript:alert('Gotcha!');">
```
This doesn't work on the latest browsers. However, more sophisticated attacks will still work.

SQL Injection

SQL injection means entering SQL statements into an input form field where a simple piece of data is expected.

This ActiveRecord statement is risky:

a = Project.where("name = '#{params[:name]}'")    (*)

Enter the following as the "name":
```
OR 1 --
```

This generates the SQL query

SELECT * FROM projects WHERE name = '' OR 1

The -- starts a comment so anything after it is ignored; the 1 is interpreted as true, so all records are selected.

A better way to write the ActiveRecord statement in (*) is

a = Project.where("name = ?", params[:name])

a = Project.where(name: params[:name])

Cross Site Request Forgery (CSFR)

Reference: CSRF Demistified, http://www.gnucitizen.org/blog/csrf-demystified/, 11/21/07.
Suppose that a user logs in to use a password protected site. While still logged she checks her email. One of the messages contains a script that fires an HTTP request that runs a malicious script that aimed at her password protected site. This script executes with her privileges as long as she is still logged in.

Suppose she responds to an email with this image tag:

img src="https://malicious-site.com/change_account?paytype=debit&paytype_id=1234&
paytype_field_1=123456789&paytype_field_2=12345678&paytype_field_3=Richie+Rich&
paytype_field_4=BankOfHappiness&op=editpaytype.save&confirmmode="/>

Such an attack is more difficult when the password protected site uses POST instead of GET to submit requests.
The longer the user's session lasts without timing out, and the more untrusted sites the user visits, the greater the risk of a CSFR attack.
Rails automatically includes two precautions that protect against CSFR:
1. It includes the following statement in app/controllers/application_controller.html.erb:
```
protect_from_forgery with: :exception
```
  This displays an error message if a CSFR attack is detected.
2. Rails also includes the following line in app/views/layouts/application_controller.html.erb:
```
<%= csrf_meta_tags %>
```
  Calling the csrf_meta_tags method inserts a digital signature onto the page. Requests from scripts on a different page or site are discarded if they do not have a digital signature that matches the one generated by the method.