Ruby on Rails bottom up security – Cross site scripting (XSS) check


TL;DR

This post explains how to check your Rails application source code for cross-site scripting (XSS) attack vectors.

Cross-site scripting means that your application accepts HTML code as user input and sends it back to the browser unescaped. The biggest issue is the <script> tag, which allows a user to execute JavaScript code in the context of your application. The second is the <img> tag, which can also be used for code execution.

By default, Rails escapes all input when it renders it in a view, which means that HTML code is transformed so that the browser does not interpret it as HTML:

`<script>alert("Session based test management");</script>` => `&lt;script&gt;alert(&quot;Session based test management&quot;);&lt;/script&gt;`

But some applications, such as GitHub, allow users to use text formatting options.

The dirty way is to allow HTML input (GitHub uses the Markdown language), and Rails has API methods for that:

html_safe

raw

This is OK as long as there is no direct user input as the parameter of that method (for your editor implementation, you also want to use Markdown). Never trust your users!

Use this for code check:

grep -H -r 'html_safe' * | less

grep -H -r 'raw' * | less

There is one more important XSS security attack vector. When a link is opened in a new tab, the application in that new tab can use JavaScript to control the application in the original tab.

Use this for source code check:

grep -H -r 'target="_blank"' * | less

and make sure that link tag also has this option:

rel="noopener"
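
The three grep checks above can be combined into one pass. The following is an added example, not code from the original post: the names `scan_source` and `SAMPLE` and all sample file contents are constructed for illustration. It goes slightly beyond the greps by skipping `draw` and `html_safe?`, and by also matching the `target: "_blank"` option form of `link_to`.

```ruby
# Added example: scanner for the patterns the post greps for.
# All file names and contents in SAMPLE are constructed for illustration.

HTML_SAFE  = /\.html_safe\b(?!\?)/                   # skips the html_safe? predicate
RAW_CALL   = /(?<![\w.])raw[\s(]/                    # raw(...) or raw x, not "draw"
BLANK_LINK = /target\s*(?:=>|=|:)\s*["']_blank["']/  # HTML attribute or link_to option

# files: Hash of path => source text. Returns [path, line_number, kind] triples.
def scan_source(files)
  findings = []
  files.each do |path, text|
    text.each_line.with_index(1) do |line, no|
      findings << [path, no, :html_safe] if line =~ HTML_SAFE
      findings << [path, no, :raw] if line =~ RAW_CALL
      # Line-based check: a tag split across lines is reported for manual review.
      if line =~ BLANK_LINK && line !~ /noopener/
        findings << [path, no, :blank_without_noopener]
      end
    end
  end
  findings
end

SAMPLE = {
  "app/views/comments/_comment.html.erb" => <<~ERB,
    <p><%= comment.body %></p>
    <p><%= comment.body.html_safe %></p>
    <p><%= raw comment.title %></p>
    <a href="<%= comment.url %>" target="_blank">site</a>
    <a href="<%= comment.url %>" target="_blank" rel="noopener">site</a>
    <%= link_to "docs", docs_url, target: "_blank" %>
  ERB
  "config/routes.rb" => <<~RUBY
    Rails.application.routes.draw do
      resources :comments
    end
  RUBY
}

scan_source(SAMPLE).each { |path, no, kind| puts "#{path}:#{no}: #{kind}" }
```

To scan a real application, pass a hash built from the source tree instead of `SAMPLE`, for example `Dir.glob("app/**/*.{erb,rb}").to_h { |p| [p, File.read(p)] }`. Every finding still needs a manual check of whether user input reaches the flagged call.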

 
