path: root/guides/source/security.md
author: Aaron Patterson <aaron.patterson@gmail.com> 2013-06-17 10:47:08 -0700
committer: Aaron Patterson <aaron.patterson@gmail.com> 2013-06-17 10:47:08 -0700
commit: 252d11321f8ca0c47111304ffe37d9bf69cad77b
tree: 301a28faa688f421a353df15cc16f1ae558e8deb /guides/source/security.md
parent: 89c9ff8d8b70bb5b0bc56576be94f27f87996bbe
parent: ad707a1f16dea6a93f37feed711ec0b51c2d3ab6
Merge branch 'master' into mrbrdo-fixserialization
* master: (142 commits)
  Use Colspan in th Tags
  Added test for link_to_unless to make sure the result consistency.
  Escape the string even when the condition of link_to_unless is not satisfied.
  Add CHANGELOG entry for #10969
  Use a case insensitive URI Regexp for #asset_path
  collection tags accept html attributes as the last element of collection
  Rewind StringIO instances before be parsed again
  Use xml instead already parsed xml
  Updated the doc for const_regexp [ci skip]
  Make test name descriptive and add reference to original regression commit
  fixture setup does not rely on `AR::Base.configurations`.
  regression test + mysql2 adapter raises correct error if conn is closed.
  cleanup, remove trailing whitespace from AR changelog
  'json' gem is no more required under JRuby
  fix typos
  Fix AS changelog [ci skip]
  Update the HTML boolean attributes per the HTML 5.1 spec
  Changing const_regexp to check for constant name.
  valid_app_const? -> valid_const?
  Add CHANGELOG entry for #10740
  ...
Diffstat (limited to 'guides/source/security.md')
-rw-r--r--  guides/source/security.md  4
1 file changed, 2 insertions, 2 deletions
diff --git a/guides/source/security.md b/guides/source/security.md
index f04129acdb..ad0546810d 100644
--- a/guides/source/security.md
+++ b/guides/source/security.md
@@ -346,13 +346,13 @@ Intranet and administration interfaces are popular attack targets, because they
In 2007 there was the first tailor-made trojan which stole information from an Intranet, namely the "Monster for employers" web site of Monster.com, an online recruitment web application. Tailor-made Trojans are very rare, so far, and the risk is quite low, but it is certainly a possibility and an example of how the security of the client host is important, too. However, the highest threat to Intranet and Admin applications are XSS and CSRF.

-**XSS** If your application re-displays malicious user input from the extranet, the application will be vulnerable to XSS. User names, comments, spam reports, order addresses are just a few uncommon examples, where there can be XSS.
+**XSS** If your application re-displays malicious user input from the extranet, the application will be vulnerable to XSS. User names, comments, spam reports, order addresses are just a few uncommon examples, where there can be XSS.
Having one single place in the admin interface or Intranet, where the input has not been sanitized, makes the entire application vulnerable. Possible exploits include stealing the privileged administrator's cookie, injecting an iframe to steal the administrator's password or installing malicious software through browser security holes to take over the administrator's computer.
Refer to the Injection section for countermeasures against XSS. It is _recommended to use the SafeErb plugin_ also in an Intranet or administration interface.
-**CSRF** Cross-Site Reference Forgery (CSRF) is a gigantic attack method, it allows the attacker to do everything the administrator or Intranet user may do. As you have already seen above how CSRF works, here are a few examples of what attackers can do in the Intranet or admin interface.
+**CSRF** Cross-Site Reference Forgery (CSRF) is a gigantic attack method, it allows the attacker to do everything the administrator or Intranet user may do. As you have already seen above how CSRF works, here are a few examples of what attackers can do in the Intranet or admin interface.
A real-world example is a [router reconfiguration by CSRF](http://www.h-online.com/security/Symantec-reports-first-active-attack-on-a-DSL-router--/news/102352). The attackers sent a malicious e-mail, with CSRF in it, to Mexican users. The e-mail claimed there was an e-card waiting for them, but it also contained an image tag that resulted in a HTTP-GET request to reconfigure the user's router (which is a popular model in Mexico). The request changed the DNS-settings so that requests to a Mexico-based banking site would be mapped to the attacker's site. Everyone who accessed the banking site through that router saw the attacker's fake web site and had his credentials stolen.
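Review bot: the two `+` lines in this hunk are whitespace-only rewrites of the `-` lines (the rendered text is identical, which matches the "2 insertions, 2 deletions" diffstat), and since the lines are being touched anyway this is the place to fix two wording errors they carry over. In the CSRF paragraph, "Cross-Site Reference Forgery (CSRF)" should read "Cross-Site Request Forgery (CSRF)", which is the standard expansion of the acronym and what the attack actually does (forge a request in the victim's session). In the XSS paragraph, "a few uncommon examples, where there can be XSS" says the opposite of what the sentence argues; user names, comments, spam reports and order addresses are ordinary input fields, so "a few common examples" is the intended meaning. A smaller point: the same hunk still recommends the SafeErb plugin for output escaping, which is advice from before Rails escaped ERB output by default; that is a content change rather than a whitespace cleanup, so it may belong in a follow-up, but it is worth a ticket.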