Questions tagged [rails]

45 questions

Session-storing an encryption key password (1 vote, 2 answers)

For a webapp which stores encrypted files, a public key is used to encrypt random keys/IVs, which are used to encrypt the stored files. The private key, used for decryption, is guarded with a password that must be supplied by the user to access the…

SQL injection in find_by Active Record RoR 4 (1 vote, 1 answer)

I was trying to understand the possibility of SQLi in a Rails Application, that I am currently auditing for a client, that uses Active Record 4.2.0. Now, I have limited experience with RoR so please bear with me on this. While looking through a…
asked by qre0ct

Is sharing a CSRF token between Rails apps secure? (0 votes, 1 answer)

We use an nginx reverse proxy to host two Rails apps under the same domain (one /path leads to another 'secondary' app). The 'secondary' app that lives under a path consumes REST APIs from the 'main' app on the domain with a JavaScript single-page…
asked by Alex Mcp

Authorization/authentication strategy for microservice apps (0 votes, 1 answer)

How can one enforce authorization/authentication for microservice apps? And also, how to achieve SSO (single sign-on) from an end user's perspective? E.g. assume a shopping site which has many microservices. Once a user is authenticated in one…

Rails API Session Security and CSRF (0 votes, 0 answers)

I am building an API with Rails (API-only). Security is very important to me. I have 2 questions. 1) I am keeping the user's id in session[:authID]; is it safe to use it like this? 2) Do I need CSRF protection for API-only? I'm using Next.js for the client. If it…

In Ruby, can request.host be trusted to differentiate between a staging environment and production? (0 votes, 0 answers)

Let's say I have two environments: https://qa.example.com and https://example.com. In QA, I want to allow access to something insecure, like a special route that allows logging in without a password. What are the security concerns of checking…
asked by Prime

How to send a password securely as part of a GET request in Rails? (0 votes, 1 answer)

I'm curious to check what could be some possibly secure and recommended ways through which I could send a password as part of a GET request in rails? Just to be explicit, we're using HTTPS in general. High level overview of the use case: Our app…
asked by boddhisattva

Was the Rails issue "Unsafe Query Risk in Active Record" ever fixed? (0 votes, 0 answers)

I was trying to figure out whether this issue has ever been fixed in Rails but my searches yielded nothing. A vulnerable application will either contain columns named identically to their table, or have column names which conflict with join…
asked by akostadinov

How do I protect my Rails application from attack? (0 votes, 1 answer)

My website is being nuked by new signups and new posts, some of which don't even have a user.id associated with them. How do I solve this? What code should I add to the user#new page and/or post#new page? If it would help, please check my repo:…

How to prevent a user from tampering with a request using Burp (0 votes, 1 answer)

Our Rails application has a feature where an admin can trigger sending a verification email to users that haven't been verified yet, but not to verified ones. However, it was pointed out that by intercepting this PUT request and modifying the id to…
asked by thebenman

Is Rails File.open(#{Rails.root}) vulnerable to LFI? (0 votes, 1 answer)

I am performing white-box testing on a Rails application with static code analysis tools like Brakeman, and I came across an instance where the developer is loading images using File.open. file = File.open("#{Rails.root}/app/assets/path/image.jpg") Due…
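
An added example, not code from the question or from Rails, that puts the hard-coded path from the question beside the genuinely vulnerable shape and a hardened version. APP_ROOT and IMAGE_DIR are assumed stand-ins for Rails.root and the directory images are served from; the fixture files are constructed in a throwaway temp directory so the script runs without Rails.

```ruby
# Added example (not from the question or from Rails). APP_ROOT stands in for
# Rails.root and IMAGE_DIR for the image directory; both are assumptions.
require "fileutils"
require "pathname"
require "tmpdir"

APP_ROOT  = Pathname.new(Dir.mktmpdir("lfi-demo"))
IMAGE_DIR = APP_ROOT.join("app", "assets", "images")

# Constructed fixture: one legitimate asset and one file that must never be
# readable through the image route.
FileUtils.mkdir_p(IMAGE_DIR)
File.write(IMAGE_DIR.join("logo.png"), "PNG-BYTES")
File.write(APP_ROOT.join("secrets.yml"), "secret_key_base: CONSTRUCTED")

# 1. The shape from the question. Every path component is a literal chosen by
#    the developer, so there is nothing an attacker can influence. Brakeman's
#    File Access check fires on File.open with interpolation because it cannot
#    prove that; reading the interpolated expression settles it.
def hard_coded_read
  File.read("#{APP_ROOT}/app/assets/images/logo.png")
end

# 2. The vulnerable shape: a request-supplied name spliced into the path.
#    "../../../secrets.yml" climbs out of IMAGE_DIR.
def vulnerable_read(name)
  File.read("#{IMAGE_DIR}/#{name}")
end

class PathOutsideRoot < StandardError; end

# 3. Hardened: resolve the final path first, then require it to stay under
#    IMAGE_DIR. File.expand_path collapses ".." and keeps an absolute `name`
#    absolute, so the check runs against the real target rather than the raw
#    string. A substring test for ".." would miss an absolute path or a value
#    that is percent-decoded again later.
def safe_read(name)
  target = File.expand_path(name, IMAGE_DIR.to_s)
  unless target.start_with?(IMAGE_DIR.to_s + File::SEPARATOR)
    raise PathOutsideRoot, "refusing #{name.inspect}"
  end
  File.read(target)
end

if __FILE__ == $PROGRAM_NAME
  puts hard_coded_read
  puts vulnerable_read("../../../secrets.yml")   # leaks the constructed secret
  puts safe_read("logo.png")
  begin
    safe_read("../../../secrets.yml")
  rescue PathOutsideRoot => e
    puts e.message
  end
end
```

The finding in the question is a false positive: the tool cannot tell whether the interpolated piece is a constant or a request value, so the auditor has to. The check only matters once params, a header, or a user-controlled database column reaches the path, and then the prefix check above (not a ".." blocklist) is the fix.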

Is it safe to pass user input through Rails gsub? (0 votes, 0 answers)

Are there risks associated with using gsub on user input? Can it be used for regular expression DoS?
asked by Tim Abell

How to fix XSS in Rails (0 votes, 1 answer)

I am able to inject javascript:alert`1` or javascript:alert(1) into the href field of the Rails app and it is getting executed as JavaScript. HTML encoding is already implemented but it doesn't encode brackets and back quotes. How to solve this?…
asked by Anonymous Platypus

Is there any need to encrypt sensitive images in a database? (0 votes, 1 answer)

I have a project that requires users to submit a photo of a driver's license as proof of identity. This image just needs to be seen once by an administrator, and has no use after their id is verified. This project uses AWS to store data. Data sent…
asked by calyxofheld

Where should the authorization logic go in an API-based application? (0 votes, 1 answer)

I have a brand new Rails API-based application, where I need to implement authorization. Overall architecture: React frontend -> Rails API layer -> Rails model/server layer. While exploring different approaches, I have got confused. Should we…
asked by Deepak Kumar Padhy