Information security

XSS (Cross-Site Scripting)

Can attack with all actions that can be done with java Rails has security settings by default, so you can use it safely against this attack. If you get into your app in any way and the security settings are disabled Cookies are stolen, information is leaked, malware is accessed, and viruses are infected.

SQL injection

Inserting SQL statements from outside the application. By being inserted, all the information in the DB can be stolen or the account can be hijacked. As a countermeasure, use the escape characters of ""'and "/", and use the binding mechanism.

The binding mechanism is a mechanism that issues a SQL statement from the DB side and allows you to enter only the necessary information in it.

sql.rb


SELECT * FROM user WHERE user_id=? AND password=?

The above SQL statement is issued from the DB. In this sentence? Only the value of can be entered. In rails, it is input so far by default.

If you have to enter it yourself Using the find_by_sql method ,? It is necessary to specify the input value by.

CSRF (Cross Site Request Forgery)

Protect against attacks when performing important processes such as changing passwords and purchasing on EC sites. The countermeasure is to use the embedding (token) of confidential information that only the person knows. Setting a screen that prompts you to re-enter your password, Referrer check (how the site was accessed).

Use this only when doing important things. (If you apply it in all cases, you will have to enter it many times. The operation will be slow because there will be a lot of interaction with the DB.)

Session hijacking

The session ID is hijacked. If this is hijacked, you can view personal information, send money, purchase, etc. As a countermeasure, enable SSL. on rails

Folder name/confing/environment/production.rb


config.force_ssl = true

SSL can be used by enabling.

Recommended Posts

Information security
Summary of information security
Information Security Supporter Examination (SC) Fall 2017 2 AM Keywords