Category: Ruby on Rails

1

Time modeling

Posted on April 21, 2018 by Karlo Smid

TL;DR When I test feature that involve time, depicted graph helps me to understand that feature. I found features that involve time tricky to test because time is abstract attribute and I can not put my hands on it. What… Continue Reading →

0

Ruby on Rails bottom up security – sensitive data exposure

Posted on November 25, 2017 by Karlo Smid

TL;DR This post is about risk sensitive data exposure in your Ruby on Rails application. It will cover unauthorized access and cross site request forgery check (CSRF). Unauthorized access risk is simple. User can access data that it is not… Continue Reading →

0

Ruby on Rails bottom up security – mass assignment

Posted on November 4, 2017 by Karlo Smid

TL;DR Mass assignment is security risk where user can create/update data attributes that is not allowed to update. Here is an example. Imagine application that registers your employees working hours. When user logs in it sets start time, and when… Continue Reading →

0

Ruby on Rails bottom up security – Cross site scripting (XSS) check

Posted on October 14, 2017 by Karlo Smid

TL;DR This post explains how to check your Rails application source code for cross site scripting (XSS) attack. Cross site scripting means that your application accepts html code as user input. Biggest issue is <script> tag, that allows user to… Continue Reading →

0

Ruby on Rails bottom up security – authentication and session management check

Posted on September 30, 2017 by Karlo Smid

TL;DR This post is about checking “The Gates” of your Rails application. Every web application is a set of urls. Some of them are publically available and some are available only to you (e.g. your bank account page should be… Continue Reading →

0

Ruby on Rails bottom up security – sql injection check

Posted on September 9, 2017 by Karlo Smid

TL;DR This post will explain how to check your Ruby on Rails code base against sql injections [Wikipedia]. After you have read Wikipedia source link about sql injections, you are ready to proceed. It is important to state that Ruby… Continue Reading →

0

Ruby on Rails bottom up security – daily server check

Posted on August 26, 2017 by Karlo Smid

TL;DR This is next post in series about Ruby on Rails security. In previous post I explained how to harden other servers. This time I will explain daily security check for CentOS servers. After you securely set up your Ruby… Continue Reading →

1

Ruby on Rails bottom up security – other servers

Posted on August 5, 2017 by Karlo Smid

TL;DR In previous post I described how to do security hardening for your Ruby on Rails web server. In this post I will talk about other servers: database, openvpn, cache and job. Database server holds web application data so hacker… Continue Reading →

1

Ruby on Rails bottom up security – web server

Posted on July 29, 2017 by Karlo Smid

TL;DR In previous post I explained security hardening for linux server. This post will describe hardening based on server purpose. Modern web application typically consists from following components: web server database server job server cache server Security hardening for those… Continue Reading →

1

Ruby on Rails bottom up security – hardening the servers

Posted on July 22, 2017 by Karlo Smid

TL;DR Next series of blog posts is about Ruby on Rails bottom up security. I will cover all aspects of web application written in Ruby on Rails framework. Described security concepts could be applied to any other modern web framework… Continue Reading →