via confreaks.tv
What Rails provides
- XSS protection, but make sure you know how it works
- CSRF protection
- Mass assignment protection with strong parameters in Rails 4
- Encrypted session cookies in Rails 4
- SQL injection protection by escaping
- New default security HTTP headers
What it doesn’t provide
- .html_safe doesn’t make a string safe; it only marks the string as trusted so Rails skips escaping it
- You’ll have to remember what context you’re in and encode according to it: j(), h(), json_escape(), …
- Sessions are not server-side
- Pre-Rails 4 session cookies can be decoded
- No directory-traversal protection (until recently): render(params[:view]), send_file(params[:file])
- SQL injection protection could be more strict
- No rate limiting directly in Rails
- Redirect could be more protected
- No protocol filtering for links
Countermeasures
- Learn!
- Some missing features can be found in gems
- Static code analysis tools
- Don’t fix vulnerabilities, prevent them from happening