Ruby On Rails Application Vulnerabilities

4 Min. Read
Sep 1, 2019

Introduction

The growth of the Web Application has benefited to various business sectors as e-commerce, banking, etc as well as to the end-user. However, the sharing of the data over the internet has also attracted the malicious hackers. Generally, the different level of sensitive data of the user is shared to particular application for the transaction over the internet and sometimes the security vulnerability over the application can cause the great harm to the business proprietor as well as to the customers. The Ruby on Rails framework is consider to highly secure for building the web applications. However, it is necessary to understand what kind of vulnerabilities a rails application might have.

Common Security Vulnerabilities

  • Cross Site Scripting(XSS)
  • Cross Site Request Forgery
  • SQL Injection
  • Mass Assignment And Parameter Injection
  • Sensitive Files
  • Denial Of Service

Cross Site Scripting(XSS)

It is one of the most destructive security vulnerabilities in web application in which the attacker can insert the JavaScript code that get run in the application’s content. The most common entry points are message posts, user comments etc. XSS can steal the cookie, hijack the session, redirect the victim to a fake website, display advertisiments for the benefit fo the attacker or install malicious software through security holes in the web browser. For e.g

1

 link_to "My Website", @user.website

If @user.website contains Javascript code, someone can steal data from the browser.

Countermeasure:

We can use sanitize method to any unsafe input tags to filter the unwanted markup tags inside your input field. for e.g

1

  sanitize @comment.body

Cross Site Request Forgery

CSRF is the method of attacking the user running a particular application by sending them links which unwantedly redirect to destructive URL executing the unwanted commands. For e.g

1

    <img src = "http://www.webapp.com/project/1/destroy">

If the user’s session in the www.webapp.com is still alive. And suddenly the image link appears, by clicking on the above link the user unknowingly has deleted his project number one.

Countermeasure:

One of the most used method in safeguarding against Cross-site Request Forgery attack is the used of an authentication token that is associated with the user and is sent with every state-changing request. for e.g

1

  <input type="hidden" name="authenticity_token" value=" form_authenticity_token ">

What this code does is to randomly generate csrf_token that is hidden in each form. When a POST request is made, such token will be sent with the session data and the application will compare the token that it stored against the one that is sent with the request. In order to make a successful request, the attacker must guess the same token that is stored in the current user session to be able to trick the server into handling the false request.

SQL Injection

Ruby On Rails uses ActiveRecord ORM for communication with database. We query for some data from the database and to build that query we also take input from the user such as search form. This way a user can give any input including the malicious code which can directly affect our DB. Here is an example of how not to use user input data in a query:

1

    Project.where("name = '#{params[:name]}'")

If a malicious user enters ‘ OR 1 –, the resulting SQL query will be:

1

    SELECT * FROM projects WHERE name = '' OR 1 --'

The two dashes start a comment ignoring everything after it. So the query returns all records from the projects table including those blind to the user. This is because the condition is true for all records.

Countermeasure

1

  link_to "My Website", @user.website

Ruby on Rails has a built-in filter for special SQL characters, which will escape ’ , “ , NULL character, and line breaks. Using Model.find(id) or Model.find_by_some thing(something) automatically applies this countermeasure.

Mass Assignment

It is the process of assigning the multiple value during the construction of an object. It allows to create record from the value of a hash. For e.g

1

  @establishment = Establishment.create(:name, :address, :phone )

The above code creates the establishment from the params hash values. If the user creates and fll his/her own input field in the views/layout, then the user can pass additional field despite the user’s limited authority. Hence. to avoid these circumstances, strong parameter is used.

1
2
3
4
5
6
7
8
9
10

  def create
    @establishment = current_user.establishments.create(establishment_params)
  end


 private

    def establishment_params
      params.require(:establishment).permit(:name, :address, :phone )
    end

It allows to assign only the input values which the user is permitted to fill. Only the permitted scalars pass the filter through the permit method.

Sensitive Files

Any application includes some fragile and sensitive data as application_key, SECRET_API_KEY, etc which needs to be keep safe and hidden from the harmful users. Also, when the project is hosted on Github or any other servers, these files needs to be hidden and should not be part of version controlling. For that, you need to create the .gitignore file and keep the confidential file into that folder.

Denial Of Service

It is the process of keeping the server busy in processing the malicious requests created by a user which ultimately makes the server to crash. During that period the server won’t be able handle the genuine/authorized requests.