Ruby On Rails Security Thoughts


Security questions in the video start at 2:25
Like any other framework, Rails needs to be kept up to date: security issues in the framework itself are reported from time to time. Developers of Ruby applications should keep the OWASP Top 10 in mind. Ruby on Rails developers should test for:

  • Injection
  • Cross-Site Scripting (XSS)
  • Broken Authentication and Session Management
  • Insecure Direct Object References
  • Cross-Site Request Forgery (CSRF)
  • Security Misconfiguration
  • Insecure Cryptographic Storage
  • Failure to Restrict URL Access
  • Insufficient Transport Layer Protection
  • Unvalidated Redirects and Forwards

Here is the Ruby on Rails Security Guide

Preventing SQLi in Ruby
Ruby on Rails has a built-in filter for special SQL characters, which escapes ', ", the NULL character and line breaks. Using Model.find(id) or Model.find_by_something(something) automatically applies this countermeasure.

  • Adopt an input validation technique whereby user input is checked against business rules and a set of defined rules for length, type, and syntax
  • Ensure that users with permission to access the database have the least privileges
  • Do not use system administrator accounts like “sa” for Web applications
  • Create application-specific database user accounts
  • Remove all stored procedures
  • Use strongly typed parameterized query APIs with placeholder substitution markers, even when calling stored procedures
  • Make it a habit to think about the security consequences when using an external string in SQL.

Preventing XSS in Ruby
Rails provides helper methods to fend off XSS attacks.

  • HTML encode all user input returned as part of HTML
  • URL encode all user input returned as part of URLs (convert ?, &, /, <, >, and spaces to their respective URL-encoded equivalents)
  • Convert all user input to a single character encoding before parsing

Preventing Ruby Logging Vulnerabilities
Rails logs every request made to the web application. Log files can be a huge security issue and should not contain sensitive information such as login credentials and credit card numbers. Rails lets you filter certain request parameters out of your log files by appending them to config.filter_parameters in the application configuration. These parameters will be marked [FILTERED] in the log.
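As an added example (not code from the original post or from Rails itself), the following stand-alone Ruby models how config.filter_parameters masks parameters before logging: filter names are matched as case-insensitive substrings of the parameter key (or by regexp), so a single :password entry also covers password_confirmation, and nested hashes and arrays are walked. The sample params and filter list are constructed for the demonstration.

```ruby
# Added example: a minimal re-creation of the masking that Rails applies via
# config.filter_parameters. This is a stand-alone model of that behaviour, not
# Rails' own ActiveSupport::ParameterFilter.

FILTERED = "[FILTERED]".freeze

# Compile the configured filters into one regexp. Strings and symbols become
# case-insensitive substring matches; regexps are used as given.
def compile_filters(filters)
  Regexp.union(filters.map { |f| f.is_a?(Regexp) ? f : /#{Regexp.escape(f.to_s)}/i })
end

# Recursively walk nested hashes and arrays (the shape of Rails request params)
# and replace the whole value of any key that matches a filter. The input is
# not mutated; a filtered copy is returned.
def filter_params(params, filters)
  regexp = compile_filters(filters)
  walk = lambda do |obj|
    case obj
    when Hash
      obj.each_with_object({}) do |(key, value), out|
        out[key] = key.to_s.match?(regexp) ? FILTERED : walk.call(value)
      end
    when Array
      obj.map { |v| walk.call(v) }
    else
      obj
    end
  end
  walk.call(params)
end

# Constructed sample request params: a login form and a checkout form whose
# secrets must never reach the log verbatim.
SAMPLE_PARAMS = {
  "user" => { "email" => "alice@example.test", "password" => "hunter2",
              "password_confirmation" => "hunter2" },
  "payment" => { "credit_card_number" => "4111111111111111", "amount" => "19.99" },
  "items" => [{ "sku" => "A1", "cvv" => "123" }],
}.freeze

# Equivalent of: config.filter_parameters += [:password, /card/i, "cvv"]
SAMPLE_FILTERS = [:password, /card/i, "cvv"].freeze

def filtered_sample
  filter_params(SAMPLE_PARAMS, SAMPLE_FILTERS)
end

if __FILE__ == $0
  require "pp"
  pp filtered_sample
end
```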

Veracode can assist in Security Development Reviews. They also are the ones I borrowed this information from.
