Questions tagged [rails]

45 questions
21 votes, 2 answers

Rails - protection against code injection and XSS

I've started using Ruby on Rails, and I was wondering if there were any security gotchas to watch out for with Rails, particularly regarding code injection and XSS? I know Rails tries to prevent such attacks by sanitizing inputs but I guess this…
Magnus
12 votes, 2 answers

XSS via JSON: Why does a web application not sanitize either its incoming params hash or its outgoing JSON values of malicious tags like Script?

Recently working on a Rails-based web application for a company, I had to look into XSS vulnerability. It turns out that the application, in some places, could take an HTML tag (e.g., directly as a parameter in GET or…
rcd
6 votes, 3 answers

How can I defend against malicious GET requests?

My server is getting hit with a variety of requests like the following: Started GET "/key/values" ActionController::RoutingError (No route matches [GET] "/key/values") Started GET "/loaded" ActionController::RoutingError (No route matches [GET]…
MicFin
6 votes, 1 answer

Password security when connecting to ldap with rails application

How do you store a username/password securely in a rails app when using it for many ldap searches? The connection in the app requires ldap_bind_authenticate(Net::LDAP.new, username, password) each time a search is made, and the credentials of the…
essefbx
6 votes, 3 answers

How can I prove that SSH attacks are not from my application?

My ruby on rails web application is hosted on Linode. Linode opened a ticket and blamed my Linode server for attacking other servers. The logs revealed that it's a SSH brute force attack which originated from my server. I have studied my source…
6 votes, 1 answer

Ruby Devise salt exposed

The remember_user_token cookie token generated by the Ruby Devise authentication component reveals part of a bcrypt salted credential when decoded. For…
user1330734
5 votes, 1 answer

Security of rails user access/permissions plugins

I was wondering if anyone knows what the most secure user access plugin for Rails is, and if any of them prevent session fixation?
Magnus
4 votes, 2 answers

Can anybody recommend any gems for checking security vulnerabilities?

I want to check one of my RoR projects for security vulnerabilities. So can anybody recommend any gems for my needs?
egoholic
4 votes, 2 answers

Is my current method of handling session cookies insecure?

I'm writing a multi-tenant application where accounts are scoped by subdomains. This adds considerable complexity and I'm starting to worry about security. Each user can have several accounts. For example, assuming acme.com is my app, elmer.acme.com…
Mohamad
4 votes, 2 answers

Is dereferencing a null pointer in C a security risk if the program isn’t a daemon, but a small script launched as a separate process for each request?

The following code is part of a program that is spawned at every request by the nginx’s ruby on rails script: static void time_t_to_dos_time(time_t user_supplied_time_t, int *dos_date, int *dos_time) { struct tm *t =…
user2284570
3 votes, 2 answers

Possible attack on website

I am a developer and therefore I have very little knowledge on security. So I need some help understanding the attack on a website which we launched recently for one of our clients. The website is built on Ruby on Rails and hosted on EC2 Ubuntu. In…
Pramodtech
3 votes, 0 answers

How does the Ruby on Rails CSRF Protection Work?

I am not sure I completely understand how Ruby on Rails handles CSRF protection. My understanding was that a token is generated and embedded in the HTML markup as a meta tag, and at the same time encrypted in the session cookie. When performing a…
daniel f.
3 votes, 1 answer

How to find the origin of some invasive html?

I've been working on the site https://founderspledge.com/ and just noticed that if you go to the main page, and open the Chrome console to view the source, there's an element that I certainly didn't put there:
Arepo
3 votes, 3 answers

Plain text Rails environment variables and security

I work for a healthcare company that emphasizes security, due to the sensitivity of the data that we work with. Recently, we've been doing a lot of auditing (internal and external) of our current "stack" to ensure that we're compliant with various…
RonMexico
3 votes, 2 answers

Is sending IP Address as a parameter with a POST request from a client to a rails server safe?

I am trying to get the IP address and send it to my rails server as a parameter of a POST request. Is this action safe?
cengo