04 Mar '12, 8pm

que

The attacker creates a valid session id: He loads the login page of the web application where he wants to fix the session, and takes the session id in the cookie from the response (see numbers 1 and 2 in the image). He possibly maintains the session. Expiring sessions, for example every 20 minutes, greatly reduces the time-frame for attack. Therefore he accesses the web application from time to time in order to keep the session alive. Now the attacker will force the user’s browser into using this session id (see number 3 in the image). As you may not change a cookie of another domain (because of the same origin policy), the attacker has to run a JavaScript from the domain of the target web application. Injecting the JavaScript code into the application by XSS accomplishes this attack. Here is an example:

<script>document.cookie="_session_id=16d5b78abb28e3d6206b60f22a03c8d9...

Full article: http://guides.rubyonrails.org/security.html#mass-assignment
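The scenario in the excerpt, carried through as an added Ruby example (not code from the Rails guide or from this page): a toy in-memory session store in which the login page issues a session id, a login that keeps that id leaves the attacker's pre-recorded id authenticated, and a login that issues a fresh id (the standard countermeasure; in Rails, reset_session) leaves the pre-recorded id with no authenticated session behind it. The SessionStore class, the fixation_outcome walkthrough and the victim account name are constructed for this example and are not part of the page.

```ruby
# Added example, not from the Rails guide or this page: a minimal in-memory
# session store used to show the difference between a login that keeps the
# pre-login session id and one that regenerates it.
require 'securerandom'

class SessionStore
  def initialize
    @sessions = {} # session_id => Hash of session data
  end

  # First visit to the login page: the server issues an anonymous session id
  # (in practice sent back in a Set-Cookie header).
  def new_session
    id = SecureRandom.hex(16)
    @sessions[id] = {}
    id
  end

  # Session data for an id, or nil if the server never issued that id.
  def lookup(id)
    @sessions[id]
  end

  # Vulnerable login: the existing session is simply marked as authenticated,
  # so anyone who already knows the session id now holds an authenticated one.
  def login_without_reset(session_id, user)
    data = @sessions[session_id]
    raise ArgumentError, 'unknown session id' unless data
    data[:user] = user
    session_id
  end

  # Hardened login: discard the pre-login session and issue a fresh id that
  # only the browser performing the login receives.
  def login_with_reset(session_id, user)
    raise ArgumentError, 'unknown session id' unless @sessions.delete(session_id)
    fresh_id = new_session
    @sessions[fresh_id][:user] = user
    fresh_id
  end

  def authenticated_user(id)
    data = lookup(id)
    data && data[:user]
  end
end

# Walk through the steps from the excerpt for both login variants and report
# what the attacker's previously recorded id is worth afterwards.
def fixation_outcome
  victim = 'victim@example.com' # constructed account name
  results = {}

  # Steps 1-2: the attacker loads the login page and records the issued id.
  store = SessionStore.new
  attacker_known_id = store.new_session
  # Step 3: the victim's browser has been made to use that id and logs in.
  store.login_without_reset(attacker_known_id, victim)
  results[:without_reset] = store.authenticated_user(attacker_known_id)

  # Same steps, but login regenerates the session id.
  store = SessionStore.new
  attacker_known_id = store.new_session
  victim_new_id = store.login_with_reset(attacker_known_id, victim)
  results[:with_reset] = store.authenticated_user(attacker_known_id)
  results[:victim_still_logged_in] = store.authenticated_user(victim_new_id)
  results[:ids_differ] = (victim_new_id != attacker_known_id)

  results
end

if __FILE__ == $PROGRAM_NAME
  fixation_outcome.each { |key, value| puts "#{key}: #{value.inspect}" }
end
```

The point the walkthrough makes is that fixation does not depend on guessing or stealing an id: the attacker already holds a valid one, and the only thing that decides whether it becomes an authenticated session is whether login hands out a new id. The regenerated id is never seen by the attacker, and the old id no longer maps to anything on the server.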

Tweets

Preventing mass assignment vulns in RoR: Good l...

edgeguides.rubyonrails.org 04 Mar '12, 6pm

Web application frameworks are made to help developers build web applications. Some of them also help you with securing...

In the world of web app frameworks good feature...

guides.rubyonrails.org 05 Mar '12, 12am

Web application frameworks are made to help developers build web applications. Some of them also help you with securing...

Super excited about , which just landed on Rail...

edgeguides.rubyonrails.org 05 Mar '12, 12pm

Resourceful Routing: If you’re building a RESTful JSON API , you want to be using the Rails router. Clean and conventional...

A Fresh Cup - Home - What's New in Edge Rails #11

afreshcup.com 05 Mar '12, 11am

Monday, March 5, 2012 at 5:51AM Week of February 26-March 3, 2012 The big news this week is the switch to requiring whitel...

“Rail Spikes: Is your Rails application safe?”

railspikes.com 05 Mar '12, 12am

Tarantula: A fuzzing plugin that spiders your application looking for problems. Via Stuart Halloway’s post on Relevance’s...

link: Ruby on Rails Guides: Ruby On Rails Secur...

edgeguides.rubyonrails.org 14 Mar '12, 9pm

The threats against web applications include user account hijacking, bypass of access control, reading or modifying sensit...

Ruby on Rails Guides: A Guide to Testing Rails ...

guides.rubyonrails.org 09 Mar '12, 6pm

Testing support was woven into the Rails fabric from the beginning. It wasn’t an “oh! let’s bolt on support for running te...

@matthewlang not sure if you've seen/used this ...

apidock.com 09 Mar '12, 11am

The Model layer represents your domain model (such as Account, Product, Person, Post ) and encapsulates the business logic...

2012 Buyer's Guide Shoes And Accessories - Golf...

golftipsmag.com 04 Mar '12, 12am

2012 Buyer's Guide Shoes And Accessories Who says the game is played with just clubs and balls? By The Editors Labels: Sho...

A Guide to Singapore's online restaurant bookin...

food.insing.com 29 Feb '12, 2am

All these sites are free and available 24/7, so you don’t have to wait for a restaurant to open to make a booking. This ca...


Ruby on Rails Guides: Getting Started with Rails:

guides.rubyonrails.org 08 Mar '12, 5am

Rails is a web application development framework written in the Ruby language. It is designed to make programming web appl...

6 Steps To Refactoring Rails (for Mere Mortals)...

engineyard.com 02 Mar '12, 8pm

Since December, Rails has undergone a fairly significant internal refactoring in quite a number of areas. While it was qui...

#OWASP Redmine is still vulnerable against CSRF...

redmine.org 29 Feb '12, 4pm

It seems that Redmine is still vulnerable against CSRF. Scenario: - user is logged in at the redmine server - user follows...

About はじめる!Rails3 Volume 3 (progress report) - Rails Musings - Ruby on ...

oiax.jp 06 Mar '12, 11am

Two months have now passed since I wrote in "About はじめる!Rails3 Volume 3" that I would probably finish writing it in about half a month... Just as my main work, technical consulting and web development, suddenly got busy, 『改訂新版 基礎Ruby on Rails』...