Ruby on Rails Security – XSS

Analysis:

An entry point to this kind of attack is a vulnerable URL and its parameters where an attacker can start attack. An attacker injects some code, the web application saves it and displays it on a page. XSS can steal the cookie, hijack the session, redirect the victim to a fake website, display advertisements, change elements on the web site or install malicious software through security holes in the web browser. The most common XSS language is of course the most popular client-side scripting Javascript, often in combination with HTML. Escaping the user input is essential.

Solution and Fix:

Multiple fixes is needed for this, 1) Escaping on the parameters and 2) Escaping on the output values.

1)      Escaping on the parameters (Refer:- https://selvaonrails.wordpress.com/2012/04/03/ruby-on-rails-sanitize-4/)

A check has to be done for escaping the malicious scripts in the parameters with the help of ‘Sanitize’ gem. For example, an attacker can pass some script like below in the scope parameter.

https://www.domain.com/user/login?scope=<script>document.write(document.cookie);</script>.

If the above is executed successfully means, the attacker will stole the cookie from the web page. To avoid this, parameters needs to be checked and the scripts needs to be escaped. This can be achieved with the help of ‘Sanitize’ gem with some code like below.

Sanitize.clean(“//value goes here//”)

The above will check for the value of the parameters and escape the scripts, if any.

2)      Escaping on the output values

As a second step, it is good practice to escape all output of the application, especially when re-displaying user input, which hasn’t been input-filtered using escapeHTML() or it’s alias h() method to replace the HTML input characters &,”,<,> by their uninterpreted representations in HTML.

Ex:- <%=h @value_to_be_displayed %>

Links for References:

1)   http://guides.rubyonrails.org/security.html#cross-site-scripting-xss

Advertisements

1 thought on “Ruby on Rails Security – XSS”

Comments are closed.