Rails Security Audit List

0. Security Gems

1. Unencrypted data in transit

All sensitive data (e.g., login credentials, PII, corporate data) should be encrypted or hashed while in transit.

2. Cross-site scripting

Always prevent XSS: escape untrusted values before any part of the output is marked html_safe.

# unsafe code: html_safe marks the whole interpolated string, including the raw names, as trusted
"#{first_name} #{last_name} #{link_to(phone, 'tel:'+phone)}".html_safe
# safe code: adding plain strings to an html_safe buffer escapes them; link_to already returns safe HTML
"".html_safe + "#{first_name} #{last_name} " + link_to(phone, 'tel:'+phone)
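The same rule applied explicitly, as an added example that is not part of the original list: without Rails, ERB::Util.html_escape plays the role that SafeBuffer plays in the safe snippet above. The helper tel_link is a hypothetical stand-in for link_to(phone, 'tel:' + phone), and the sample names are constructed.

```ruby
require "erb"

# Hypothetical helper mirroring link_to(phone, 'tel:' + phone): both the
# attribute value and the visible text are escaped before being wrapped in markup.
def tel_link(phone)
  escaped = ERB::Util.html_escape(phone)
  %(<a href="tel:#{escaped}">#{escaped}</a>)
end

# Unsafe: the names are interpolated raw, so any markup inside them reaches
# the browser as markup (this is what html_safe on the whole string does).
def contact_unsafe(first_name, last_name, phone)
  "#{first_name} #{last_name} #{tel_link(phone)}"
end

# Safe: escape each untrusted fragment first, then join only trusted pieces.
def contact_safe(first_name, last_name, phone)
  [ERB::Util.html_escape(first_name),
   ERB::Util.html_escape(last_name),
   tel_link(phone)].join(" ")
end

if __FILE__ == $0
  # Constructed sample input with markup in the name field.
  first = "<b>Alice</b>"
  puts contact_unsafe(first, "Doe", "555-0100")  # <b> survives as a tag
  puts contact_safe(first, "Doe", "555-0100")    # rendered as &lt;b&gt;
end
```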

3. Injection flaws

Injection flaws exploit web applications that fail to validate or sanitize input, or that use input unsafely when building queries.

# unsafe code 1 (legacy find(:all) API): params[:name] is interpolated straight into the SQL string
@projects = Project.find(:all, :conditions => "name like '%#{params[:name]}%'")

# safe code 1: the value is passed as a bind parameter, never spliced into the query text
@projects = Project.find(:all, :conditions => ["name like ?", "%#{params[:name]}%"])

# unsafe code 2: string concatenation has the same problem as interpolation
name = params[:name]
@projects = Project.where("name like '%" + name + "%'")

# safe code 2: placeholder plus bind value
@projects = Project.where("name like ?", "%#{params[:name]}%")
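One caveat the bound form above does not cover, shown as an added example that is not from the original list: binding stops SQL injection, but % and _ inside params[:name] are still LIKE wildcards, so "%" alone matches every row. sanitize_like mirrors the behaviour of ActiveRecord's sanitize_sql_like; like_match? is a toy LIKE evaluator and NAMES a constructed table, both here only so the effect can be seen offline without a database.

```ruby
# Escape LIKE metacharacters so user input is matched literally.
def sanitize_like(string, escape = "\\")
  pattern = Regexp.union(escape, "%", "_")
  string.gsub(pattern) { |x| escape + x }
end

# Build the query as [sql, bind]; the caller hands both to the driver.
# The ESCAPE clause names the escape character explicitly (SQLite has no default).
def name_search(user_input)
  ["name LIKE ? ESCAPE '\\'", "%#{sanitize_like(user_input)}%"]
end

# Toy LIKE evaluator: translate a LIKE pattern to a Regexp, honouring the escape char.
def like_match?(pattern, text, escape = "\\")
  regex = +""
  chars = pattern.chars
  i = 0
  while i < chars.size
    c = chars[i]
    if c == escape && i + 1 < chars.size
      regex << Regexp.escape(chars[i + 1])
      i += 2
      next
    end
    regex << case c
             when "%" then ".*"
             when "_" then "."
             else Regexp.escape(c)
             end
    i += 1
  end
  /\A#{regex}\z/m.match?(text)
end

NAMES = ["Alpha", "Beta", "50% off"].freeze # constructed rows

# Rows a search would return, with and without wildcard escaping.
def matches(user_input, sanitise:)
  bind = sanitise ? name_search(user_input).last : "%#{user_input}%"
  NAMES.select { |n| like_match?(bind, n) }
end

if __FILE__ == $0
  p matches("%", sanitise: false) # every row
  p matches("%", sanitise: true)  # only the row that literally contains %
end
```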

4. Forceful browsing

Authorisation checks should be performed on the server to allow or restrict access to application data and functionality.

# This is bad! The client chooses which template is rendered, so any view name is reachable.
def show
  render params[:view]
end

5. Parameter tampering

Users should not be given access to parameters which may affect application functionality such as access control and business logic.
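An added example for the two points above (not code from the original list): a small in-memory stand-in for the controller patterns Rails uses here. Records are looked up through the current user's own scope so the server decides access, and only an allow-list of attributes may be set from a request, which is what strong parameters' permit does. The User and Project structs, the rows and the params hashes are all constructed.

```ruby
Project = Struct.new(:id, :owner_id, :name, :budget)
User    = Struct.new(:id, :role)

# Constructed rows: two projects owned by two different users.
PROJECTS = [
  Project.new(1, 10, "Alpha", 100),
  Project.new(2, 20, "Beta", 200)
].freeze

class Forbidden < StandardError; end

# Forceful browsing: resolve :id only among the records this user owns,
# instead of Project.find(params[:id]) followed by a check that is easy to forget.
def find_project_for(user, id)
  PROJECTS.find { |p| p.owner_id == user.id && p.id == id } ||
    raise(Forbidden, "project #{id} is not accessible to user #{user.id}")
end

# Parameter tampering: keep only permitted keys; owner_id, role and anything
# else the client adds to the form is silently dropped.
PERMITTED = %w[name budget].freeze

def permit(params, allowed = PERMITTED)
  params.select { |k, _| allowed.include?(k.to_s) }
end

# Combined "update" action: authorise first, then apply only permitted attributes.
def update_project(user, params)
  project = find_project_for(user, Integer(params["id"]))
  permit(params.fetch("project", {})).each { |k, v| project[k.to_sym] = v }
  project
end
```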

6. Account & password management

A set of protocols or systems to protect users' credentials and session tokens throughout their lifecycle.

7. Session & configuration management

Session and cookie management to prevent session hijacking and session fixation.

8. Unrestricted file upload

Filter and validate uploaded attachments, which may be malicious files.
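One way to do that server-side validation, as an added example that is not from the original list: check size, an allow-list of extensions, and the file's leading bytes against what the extension claims, rather than trusting the client-supplied Content-Type, and never store the file under the client's name. The magic-number prefixes are the standard ones for PNG, JPEG, GIF and PDF; the size limit and the sample uploads are constructed.

```ruby
require "digest"

MAX_BYTES = 5 * 1024 * 1024 # constructed limit

# extension => acceptable leading bytes (binary strings)
SIGNATURES = {
  "png"  => ["\x89PNG\r\n\x1a\n".b],
  "jpg"  => ["\xFF\xD8\xFF".b],
  "jpeg" => ["\xFF\xD8\xFF".b],
  "gif"  => ["GIF87a".b, "GIF89a".b],
  "pdf"  => ["%PDF-".b]
}.freeze

# Returns [:ok, storage_name] or [:reject, reason].
def validate_upload(filename, bytes)
  return [:reject, "empty file"] if bytes.nil? || bytes.empty?
  return [:reject, "too large"] if bytes.bytesize > MAX_BYTES

  # Drop any directory part the client sent and look only at the last extension.
  base = File.basename(filename.to_s)
  ext  = File.extname(base).delete_prefix(".").downcase
  return [:reject, "extension not allowed: #{ext.inspect}"] unless SIGNATURES.key?(ext)

  # The content must actually start like a file of the claimed type.
  head = bytes.b[0, 8]
  unless SIGNATURES[ext].any? { |sig| head.start_with?(sig) }
    return [:reject, "content does not match .#{ext}"]
  end

  # Storage name derived from the content and the checked extension, not from the client.
  [:ok, "upload-#{Digest::SHA256.hexdigest(bytes)[0, 16]}.#{ext}"]
end

if __FILE__ == $0
  png = "\x89PNG\r\n\x1a\n".b + "\x00".b * 16 # constructed minimal PNG header
  p validate_upload("photo.PNG", png)
  p validate_upload("fake.png", "<?php echo".b)
end
```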

9. Information leakage

Any potential to leak information that an attacker could exploit.

10. Request replay

A mechanism to prevent automated submission of data.

Resources: