diff options
author | Jon Moss <maclover7@users.noreply.github.com> | 2016-05-17 14:51:38 -0400 |
---|---|---|
committer | Jon Moss <maclover7@users.noreply.github.com> | 2016-05-17 14:51:38 -0400 |
commit | 7e803d8b41c6ebbeabfff430a07c6a2d2d68e3ef (patch) | |
tree | 6b675e20b7a324eca78afc64d3f358da0e7ed7a9 /guides | |
parent | d6bac046922fcee05366d26d75349dde70d25f6b (diff) | |
parent | 0966738763b73acf4abcc38404d79cd7dec556bc (diff) | |
download | rails-7e803d8b41c6ebbeabfff430a07c6a2d2d68e3ef.tar.gz rails-7e803d8b41c6ebbeabfff430a07c6a2d2d68e3ef.tar.bz2 rails-7e803d8b41c6ebbeabfff430a07c6a2d2d68e3ef.zip |
Merge pull request #25052 from matkoniecz/2008_is_not_recent
update to make it less obvious that this guide is from 2008/2009
Diffstat (limited to 'guides')
-rw-r--r-- | guides/source/security.md | 4 |
1 files changed, 1 insertions, 3 deletions
diff --git a/guides/source/security.md b/guides/source/security.md index 58d1a21cd9..c6bc1f3878 100644 --- a/guides/source/security.md +++ b/guides/source/security.md @@ -677,14 +677,12 @@ INFO: _The most widespread, and one of the most devastating security vulnerabili An entry point is a vulnerable URL and its parameters where an attacker can start an attack. -The most common entry points are message posts, user comments, and guest books, but project titles, document names and search result pages have also been vulnerable - just about everywhere where the user can input data. But the input does not necessarily have to come from input boxes on web sites, it can be in any URL parameter - obvious, hidden or internal. Remember that the user may intercept any traffic. Applications, such as the [Live HTTP Headers Firefox plugin](http://livehttpheaders.mozdev.org/), or client-site proxies make it easy to change requests. +The most common entry points are message posts, user comments, and guest books, but project titles, document names and search result pages have also been vulnerable - just about everywhere where the user can input data. But the input does not necessarily have to come from input boxes on web sites, it can be in any URL parameter - obvious, hidden or internal. Remember that the user may intercept any traffic. Applications or client-site proxies make it easy to change requests. There are also other attack vectors like banner advertisements. XSS attacks work like this: An attacker injects some code, the web application saves it and displays it on a page, later presented to a victim. Most XSS examples simply display an alert box, but it is more powerful than that. XSS can steal the cookie, hijack the session, redirect the victim to a fake website, display advertisements for the benefit of the attacker, change elements on the web site to get confidential information or install malicious software through security holes in the web browser. During the second half of 2007, there were 88 vulnerabilities reported in Mozilla browsers, 22 in Safari, 18 in IE, and 12 in Opera. The [Symantec Global Internet Security threat report](http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_internet_security_threat_report_xiii_04-2008.en-us.pdf) also documented 239 browser plug-in vulnerabilities in the last six months of 2007. [Mpack](http://pandalabs.pandasecurity.com/mpack-uncovered/) is a very active and up-to-date attack framework which exploits these vulnerabilities. For criminal hackers, it is very attractive to exploit an SQL-Injection vulnerability in a web application framework and insert malicious code in every textual table column. In April 2008 more than 510,000 sites were hacked like this, among them the British government, United Nations, and many more high targets. -A relatively new, and unusual, form of entry points are banner advertisements. In earlier 2008, malicious code appeared in banner ads on popular sites, such as MySpace and Excite, according to [Trend Micro](http://blog.trendmicro.com/myspace-excite-and-blick-serve-up-malicious-banner-ads/). - #### HTML/JavaScript Injection The most common XSS language is of course the most popular client-side scripting language JavaScript, often in combination with HTML. _Escaping user input is essential_. |