Tag Archives: XSS in ror

Selvakumar Chokalingam 10:03 AM on April 3, 2012
Tags: , CSRF in rails, CSRF in ror, Filtering of parameters in log, HttpOnly in rails, , ror security best practices, ror security guide, ruby on rails, ruby on rails security guide, , security guide for rails, security guide for ror, security guide for ruby on rails, , XSS in ror   

Ruby on Rails Security Guide

Please refer the following for Ruby on Rails best practices on the security. CSRF and XSS are the most important ones:-

 

1) CSRF – https://selvaonrails.wordpress.com/2012/04/03/ruby-on-rails-security-csrf-3/

2) XSS – https://selvaonrails.wordpress.com/2012/04/03/ruby-on-rails-security-xss-2/

3) Protection flags on cookies – https://selvaonrails.wordpress.com/2012/04/03/ruby-on-rails-security-protection-flags-on-session-cookies/

4) Filter parameter logging – https://selvaonrails.wordpress.com/2012/04/03/ruby-on-rails-security-filtering-parameter-logging/

Selvakumar Chokalingam 9:30 AM on April 3, 2012
Tags: Seucuity for ruby on rails, XSS, , XSS in ror, XSS in ruby, XSS in ruby on rails   

Ruby on Rails Security – XSS

Analysis:

An entry point to this kind of attack is a vulnerable URL and its parameters where an attacker can start attack. An attacker injects some code, the web application saves it and displays it on a page. XSS can steal the cookie, hijack the session, redirect the victim to a fake website, display advertisements, change elements on the web site or install malicious software through security holes in the web browser. The most common XSS language is of course the most popular client-side scripting Javascript, often in combination with HTML. Escaping the user input is essential.

Solution and Fix:

Multiple fixes is needed for this, 1) Escaping on the parameters and 2) Escaping on the output values.

1)      Escaping on the parameters (Refer:- https://selvaonrails.wordpress.com/2012/04/03/ruby-on-rails-sanitize-4/)

A check has to be done for escaping the malicious scripts in the parameters with the help of ‘Sanitize’ gem. For example, an attacker can pass some script like below in the scope parameter.

https://www.domain.com/user/login?scope=<script>document.write(document.cookie);</script>.

If the above is executed successfully means, the attacker will stole the cookie from the web page. To avoid this, parameters needs to be checked and the scripts needs to be escaped. This can be achieved with the help of ‘Sanitize’ gem with some code like below.

Sanitize.clean(“//value goes here//”)

The above will check for the value of the parameters and escape the scripts, if any.

2)      Escaping on the output values

As a second step, it is good practice to escape all output of the application, especially when re-displaying user input, which hasn’t been input-filtered using escapeHTML() or it’s alias h() method to replace the HTML input characters &,”,<,> by their uninterpreted representations in HTML.

Ex:- <%=h @value_to_be_displayed %>

Links for References:

1)   http://guides.rubyonrails.org/security.html#cross-site-scripting-xss