In this conclusion to a four-part series covering security for a Ruby on Rails ecommerce application, you'll learn how to protect the application against SQL injection, cross-site request forgery, and more. This article is excerpted from chapter eight of the book Practical Rails Projects, written by Eldon Alameda (Apress; ISBN: 1590597818).
Protecting Your Rails Ecommerce Application - Cross-Site Request Forgery
Cross-site request forgery is an attack where, for example, George is tricked into visiting a page where some code attacks Emporium, a site where he is logged in as an administrator. Let’s say that George browses to Dirty Harry’s site, dirty-harrys.com, where Harry has the following image tag:
The only way to protect against these kinds of attacks is to use some kind of transient (for example, session-specific) token, in addition to the session cookie, that is verified on every form posting. You can use a Rails plugin called Security Extensions (http://wiki.rubyonrails.com/rails/pages/Security+Extensions+Plugin) to tackle this problem; see its homepage for details. This defense is also effective against the form manipulation threat described earlier.
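To make the transient-token defense concrete, here is an added, framework-free Ruby sketch of it (not the book's code and not the Security Extensions plugin's API): a per-session token is issued, embedded in every legitimate form as a hidden field, and every state-changing request must present a matching copy, compared in constant time. The module and method names are assumptions chosen for illustration.

```ruby
require 'securerandom'

# Added example (not the book's code, not the Security Extensions plugin):
# a framework-free sketch of the transient-token defense. Names are assumed.
module CsrfGuard
  TOKEN_BYTES = 32          # 256 bits of entropy per session token
  FIELD = 'authenticity_token'

  # Issue a token the first time a session asks for one, then reuse it. The
  # value lives server-side and is only rendered into Emporium's own forms.
  def self.token_for(session)
    session[:csrf_token] ||= SecureRandom.hex(TOKEN_BYTES)
  end

  # Every legitimate Emporium form embeds the token as a hidden field.
  def self.hidden_field(session)
    %(<input type="hidden" name="#{FIELD}" value="#{token_for(session)}">)
  end

  # Gate for state-changing requests. Safe methods pass through, which is
  # why actions that change state must never be reachable via GET (an <img>
  # tag can only issue a GET). Any other method must carry the session's token.
  def self.verified?(session, method, params)
    return true if %w[GET HEAD OPTIONS].include?(method.to_s.upcase)
    expected = session[:csrf_token]
    given = params[FIELD]
    return false if expected.nil? || given.nil?
    secure_compare(expected, given.to_s)
  end

  # Constant-time comparison so a forged request cannot recover the token
  # byte by byte from response timing.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

# Constructed walk-through of the scenario in the text: George's session has a
# token; a request forged from dirty-harrys.com cannot know it.
def csrf_demo
  george = {}
  legit  = { CsrfGuard::FIELD => CsrfGuard.token_for(george) }
  forged = { 'quantity' => '1' }
  { legitimate_post: CsrfGuard.verified?(george, 'POST', legit),
    forged_post:     CsrfGuard.verified?(george, 'POST', forged) }
end
```

In a real application the session hash is the server-side session store and the hidden field is emitted by the form helper; the check runs in a before filter on every non-GET action.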
In this chapter, we showed you how to integrate a security plugin into your Rails application and how to extend it to reset forgotten passwords. Using the acts_as_authenticated plugin, we added support for user authentication. In implementing the reset password functionality, you saw how to use an ActionMailer mailer to send e-mail from your Rails application, as well as how observers can follow the life cycle of ActiveRecord objects and act on events like creating, updating, or deleting an object. Finally, we covered some security problems common to web applications and how to protect your Rails application from them.
In the next chapter, we will finish up the process of buying books from Emporium by implementing checkout functionality and integration with credit card processing services.