Questions tagged [rails]
45 questions
21
votes
2 answers
Rails - protection against code injection and XSS
I've started using Ruby on Rails, and I was wondering if there were any security gotchas to watch out for with Rails, particularly regarding code injection and XSS?
I know Rails tries to prevent such attacks by sanitizing inputs but I guess this…
Magnus
- 1,154
- 10
- 18
12
votes
2 answers
XSS via JSON: Why does a web application not sanitize either its incoming params hash or its outgoing JSON values of malicious tags like Script?
Recently working on a Rails-based web application for a company, I had to look into XSS vulnerability. It turns out that the application, in some places, could take an HTML tag (e.g., directly as a parameter in GET or…
rcd
- 343
- 1
- 3
- 7
6
votes
3 answers
How can I defend against malicious GET requests?
My server is getting hit with a variety if requests like the following:
Started GET "/key/values"
ActionController::RoutingError (No route matches [GET] "/key/values")
Started GET "/loaded"
ActionController::RoutingError (No route matches [GET]…
MicFin
- 201
- 2
- 6
6
votes
1 answer
Password security when connecting to ldap with rails application
How do you store a username/password securely in a rails app when using it for many ldap searches?
The connection in the app requires
ldap_bind_authenticate(Net::LDAP.new, username, password)
each time a search is made, and the credentials of the…
essefbx
- 172
- 12
6
votes
3 answers
How I can prove that SSH attacks are not from my application?
My ruby on rails web application is hosted on Linode. Linode opened a ticket and blamed my Linode server for attacking other servers. The logs revealed that it's a SSH brute force attack which originated from my server. I have studied my source…
Pratik Ganvir
- 161
- 1
6
votes
1 answer
Ruby Devise salt exposed
The remember_user_token cookie token generated by the Ruby Devise authentication component reveals part of a bcrypt salted credential when decoded.
For…
user1330734
- 389
- 7
- 16
5
votes
1 answer
Security of rails user access/permissions plugins
I was wondering if anyone knows what the most secure user access plugin for Rails is, and if any of them prevent session fixation?
Magnus
- 1,154
- 10
- 18
4
votes
2 answers
Can anybody recommend any gems for checking security vulnerabilities?
I want to check one of my RoR projects for security vulnerabilities.
So can anybody recommend any gems for my needs?
egoholic
- 75
- 4
4
votes
2 answers
Is my current method of handling session cookies insecure?
I'm writing a multi-tenant application where accounts are scoped by subdomains. This adds considerable complexity and I'm starting to worry about security.
Each user can have several accounts. For example, assuming acme.com is my app, elmer.acme.com…
Mohamad
- 467
- 1
- 6
- 11
4
votes
2 answers
Is dereferencing a null pointer in C a security risk if the program isn’t a daemon, but a small script lauched as a separate process for each request?
The following code is part of a program that is spawned at every request by the nginx’s ruby on rails script :
static void time_t_to_dos_time(time_t user_supplied_time_t, int *dos_date, int *dos_time)
{
struct tm *t =…
user2284570
- 1,402
- 1
- 14
- 33
3
votes
2 answers
Possible attack on website
I am a developer and I therefor I have very little knowledge on security. So I need some help understanding the attack on website which we launched recently for one of our client. Website is built on Ruby on Rails and hosted on EC2 Ubuntu.
In…
Pramodtech
- 141
- 5
3
votes
0 answers
How does the Ruby on Rails CSRF Protection Work?
I am not sure i completely understand how Ruby on Rails handles CSRF protection.
My understanding was that a token is generated and embedded in the HTML markup as a meta tag, and at the same time encrypted in the session cookie. When performing a…
daniel f.
- 281
- 1
- 6
3
votes
1 answer
How to find the origin of some invasive html?
I've been working on the site https://founderspledge.com/ and just noticed that if you go to the main page, and open the Chrome console to view the source, there's an element that I certainly didn't put there:
Arepo
- 133
- 3
3
votes
3 answers
Plain text Rails environment variables and security
I work for a healthcare company that emphasizes security, due to the sensitivity of the data that we work with. Recently, we've been doing a lot of auditing (internal and external) of our current "stack" to ensure that we're compliant with various…
RonMexico
- 31
- 1
3
votes
2 answers
Is sending IP Address as a parameter with a POST request from a client to a rails server safe?
I am trying to get the IP address and send it to my rails server as a parameter of a POST request. Is this action safe?
cengo
- 31
- 1