
Protecting Your Rails Ecommerce Application

In this conclusion to a four-part series covering security for a Ruby on Rails ecommerce application, you'll learn how to protect the application against SQL injection, cross-site request forgery, and more. This article is excerpted from chapter eight of the book Practical Rails Projects, written by Eldon Alameda (Apress; ISBN: 1590597818).

Author Info:
By: Apress Publishing
June 24, 2010
  1. Protecting Your Rails Ecommerce Application
  2. Protecting Your Application
  3. URL and Form Manipulation
  4. SQL Injection
  5. Cross-Site Request Forgery


Protecting Your Rails Ecommerce Application - Cross-Site Request Forgery
(Page 5 of 5)

Cross-site request forgery (CSRF) is an attack in which a victim's browser is made to send a request to a site where the victim is already logged in, so the site treats the attacker's request as the victim's. For example, George is logged in to Emporium as an administrator and is tricked into visiting Dirty Harry’s site, dirty-harrys.com, where Harry has embedded the following image tag:

<img src="http://emporium.com/admin/give_admin_access_to_user/666" />

When George visits the page, his browser will try to load an image from that URL, sending George's Emporium session cookie along with the request. It won’t get an image back, but the request itself gives administrator access to user 666. Note that even though this example uses a GET request, restricting the action to POST requests doesn’t help by itself: Harry's page can contain a hidden form that JavaScript submits automatically, and the browser attaches George's session cookie to that POST just as it does to the image request.

The standard defense against these attacks is a secret, transient (for example, session-specific) token that is embedded in every form in addition to the session cookie and verified on every form posting. Harry's page cannot read the token out of Emporium's pages because of the browser's same-origin policy, so a forged request arrives without it and is rejected. The book uses a Rails plugin called Security Extensions (http://wiki.rubyonrails.com/rails/pages/Security+Extensions+Plugin) to tackle this problem; see its homepage for details. Rails 2.0 and later build the same mechanism in: protect_from_forgery in ApplicationController verifies the hidden authenticity_token field that the form helpers add, so on a current Rails application you should rely on that rather than on a plugin. The plugin's defense is also effective against the form manipulation threat described earlier.
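To make the attack and the defense concrete, here is an added example (not code from the book or from the Security Extensions plugin) that simulates Emporium's admin action in plain Ruby, without Rails. The Emporium class, its in-memory session store, the user ids 666 and 42 and the request outcomes are all constructed for the illustration. It runs the same four requests, Harry's image GET, a forged POST with no token, a forged POST with a guessed token, and George's own form submission, first against a vulnerable version of the action and then against one that requires POST plus a session-bound token compared in constant time, which is what Rails' protect_from_forgery does.

```ruby
require 'securerandom'

# Stand-in for the Emporium application: a session store keyed by the session
# cookie value, plus the admin action Harry is trying to trigger. Constructed
# for this example; not the book's or any plugin's code.
class Emporium
  attr_reader :admins

  def initialize(protect_from_forgery:)
    @protect_from_forgery = protect_from_forgery
    @sessions = {}   # session cookie => { user: {...}, csrf_token: "..." }
    @admins = []     # user ids that have been granted admin access
  end

  # Logging in creates a session and returns the cookie value the browser will
  # replay on every later request to emporium.com, whoever caused that request.
  def login(name:, admin: false)
    cookie = SecureRandom.hex(16)
    @sessions[cookie] = { user: { name: name, admin: admin },
                          csrf_token: SecureRandom.hex(32) }
    cookie
  end

  # The value a legitimate Emporium form embeds as a hidden field. Only a page
  # served by emporium.com can read it; Harry's page cannot (same-origin policy).
  def form_token(cookie)
    @sessions.fetch(cookie)[:csrf_token]
  end

  # /admin/give_admin_access_to_user/:id
  # method: :get or :post; cookie: the browser's session cookie (nil if none);
  # params: request parameters, including any submitted authenticity_token.
  def give_admin_access_to_user(method:, cookie:, params:)
    session = @sessions[cookie]
    return :unauthenticated unless session && session[:user][:admin]

    if @protect_from_forgery
      # State-changing actions must not be reachable through GET (an <img> tag),
      # and the submitted token must match the one bound to this session.
      return :method_not_allowed unless method == :post
      return :invalid_token unless valid_token?(session, params[:authenticity_token])
    end

    @admins << params[:user_id]
    :granted
  end

  private

  def valid_token?(session, submitted)
    return false unless submitted.is_a?(String)
    secure_compare(session[:csrf_token], submitted)
  end

  # Constant-time comparison so an attacker cannot learn the token byte by byte
  # from response timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

# Replays the chapter's scenario against a vulnerable or a protected Emporium
# and returns the outcome of each request.
def run_scenario(protect_from_forgery:)
  site = Emporium.new(protect_from_forgery: protect_from_forgery)
  george = site.login(name: 'george', admin: true)   # George, logged in as admin
  {
    # Harry's <img src="http://emporium.com/admin/give_admin_access_to_user/666">
    img_get:       site.give_admin_access_to_user(method: :get,  cookie: george, params: { user_id: 666 }),
    # A hidden form on dirty-harrys.com auto-submitted by JavaScript: POST, cookie, no token
    forged_post:   site.give_admin_access_to_user(method: :post, cookie: george, params: { user_id: 666 }),
    # Same, with a token Harry made up (right length, wrong value)
    guessed_token: site.give_admin_access_to_user(method: :post, cookie: george,
                                                  params: { user_id: 666, authenticity_token: 'a' * 64 }),
    # A request carrying a valid token but no session cookie
    no_cookie:     site.give_admin_access_to_user(method: :post, cookie: nil,
                                                  params: { user_id: 666, authenticity_token: site.form_token(george) }),
    # George submitting Emporium's own admin form for user 42
    legit_post:    site.give_admin_access_to_user(method: :post, cookie: george,
                                                  params: { user_id: 42, authenticity_token: site.form_token(george) }),
    admins:        site.admins.dup
  }
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{run_scenario(protect_from_forgery: false).inspect}"
  puts "protected:  #{run_scenario(protect_from_forgery: true).inspect}"
end
```

Against the vulnerable site every request that carries George's cookie succeeds, including the image GET, so user 666 ends up with admin access three times over. Against the protected site the image GET is refused outright and both forged POSTs fail on the token, while George's genuine form submission still goes through. Note what the token does not do: it only proves the request originated from a page Emporium served to this session, so it must be combined with the authentication check, not substituted for it.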


In this chapter, we showed you how to integrate a security plugin into your Rails application and how to extend it to reset forgotten passwords. Using the acts_as_authenticated plugin, we added support for user authentication. In implementing the reset password functionality, you saw how to use an ActionMailer mailer to send e-mail from your Rails application, as well as how observers can follow the life cycle of ActiveRecord objects and act on events like creating, updating, or deleting an object. Finally, we covered some security problems common to web applications and how to protect your Rails application from them.

In the next chapter, we will finish up the process of buying books from Emporium, by implementing checkout functionality and integration with credit card processing services.


© 2003-2019 by Developer Shed. All rights reserved.