Prevention of session fixation in Ruby Sinatra

Most session fixation topics in Ruby are mainly related to Rails. Are there any such vulnerabilities in Sinatra? In Rails, we are most often advised to call reset_session before assigning anything to the session. How can we prevent session fixation in Sinatra?

+7
1 answer

Sinatra uses the Rack::Protection gem by default, which protects against many common vulnerabilities. You may be especially interested in its session hijacking protection. Here are some of the things the Rack::Protection gem protects against:

Cross-Site Request Forgery

Authenticity Token: Only accepts unsafe HTTP requests if a given access token matches the token included in the session.
Form Token: Only accepts submitted forms if the given access token matches the token included in the session. Does not expect such a token from Ajax requests.
Remote Token: Only accepts unsafe HTTP requests if a given access token matches the token included in the session, or if the request comes from the same origin.
JSON CSRF: JSON GET APIs are vulnerable to being embedded as JavaScript while the Array prototype has been patched to track data. Checks the referrer even on GET requests if the content type is JSON.
Remote Referrer: Does not accept unsafe HTTP requests if the Referer [sic] header is set to a different host.

Cross-Site Scripting

XSS Header: Sets the X-XSS-Protection header to tell the browser to block attacks.
Escaped Params: Automatically escapes Rack::Request#params so they can be embedded in HTML or JavaScript without any further issues. Calls html_safe on escaped strings if defined, to avoid double escaping in Rails.

Clickjacking

Frame Options: Sets the X-Frame-Options header to tell the browser to avoid embedding the page in a frame.

Directory Traversal

Unescapes '/' and '.' and expands path_info. Thus GET /foo/%2e%2e%2fbar becomes GET /bar.

Session Hijacking

Tracks request properties, such as the user agent, in the session and empties the session if those properties change. This essentially prevents attacks with Firesheep. Since all headers taken into account can also be spoofed, this will not prevent all hijacking attempts.

IP Spoofing

Detects (some) IP spoofing attacks.

As with most security issues, it's good to have general knowledge of Internet security. Unfortunately, there are not many good tutorials that specifically relate to Sinatra security.

+4
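The answer covers Rack::Protection's session hijacking check but not the fixation scenario the question asks about, so here is an added example (not from the original answer or from Sinatra/Rack) that shows the login pattern a Sinatra app would use: clear whatever session data arrived with the request, ask Rack for a fresh session id, and only then store the logged-in user. In a real Sinatra app the `session` helper is `env['rack.session']`, and setting `env['rack.session.options'][:renew] = true` is assumed here to be what makes Rack's session middleware issue a new id on commit. The `FakeSessionStore` class, its `sidN` ids, and the user-agent fingerprint are constructed stand-ins so the code runs without Sinatra or Rack installed.

```ruby
require 'digest'

# Constructed in-memory stand-in for Rack's session store, exposing the two
# env keys that matter for this example: 'rack.session' (the data hash) and
# 'rack.session.options' (per-request options such as :id and :renew).
class FakeSessionStore
  attr_reader :sessions

  def initialize
    @sessions = {}
    @counter = 0
  end

  def new_sid
    @counter += 1
    "sid#{@counter}" # constructed id format, not Rack's real sids
  end

  # Builds a Rack-like env for a request that carries cookie `sid`.
  # Unknown or missing ids get a fresh, empty session.
  def env_for(sid, user_agent)
    sid = new_sid unless sid && @sessions.key?(sid)
    @sessions[sid] ||= {}
    {
      'HTTP_USER_AGENT'      => user_agent,
      'rack.session'         => @sessions[sid],
      'rack.session.options' => { id: sid, renew: false }
    }
  end

  # Mimics what Rack does at commit time (assumption about Rack::Session):
  # when :renew is set, the data moves to a new id and the old id is deleted.
  def commit(env)
    opts = env['rack.session.options']
    return opts[:id] unless opts[:renew]
    data = @sessions.delete(opts[:id])
    fresh = new_sid
    @sessions[fresh] = data
    fresh
  end
end

# Fingerprint of request properties, in the spirit of the session hijacking
# protection described in the answer (which tracks the user agent).
def fingerprint(env)
  Digest::SHA256.hexdigest(env['HTTP_USER_AGENT'].to_s)
end

# Fixation-safe login: discard any pre-existing (possibly attacker-planted)
# session contents and request a brand-new session id before trusting it.
def login!(env, user_id)
  session = env['rack.session']
  session.clear
  env['rack.session.options'][:renew] = true
  session[:user_id] = user_id
  session[:fingerprint] = fingerprint(env)
end

# Per-request check: a stored fingerprint that no longer matches drops the
# session, as the hijacking protection in the answer would.
def current_user(env)
  session = env['rack.session']
  return nil unless session[:user_id]
  if session[:fingerprint] != fingerprint(env)
    session.clear
    return nil
  end
  session[:user_id]
end

# Walks through the fixation scenario and reports what an observer would see.
def fixation_demo
  store = FakeSessionStore.new
  ua = 'Mozilla/5.0 (constructed)'

  # A session id that existed before login (the id an attacker would plant).
  planted_sid = store.commit(store.env_for(nil, ua))

  # The victim logs in while carrying that planted id.
  env = store.env_for(planted_sid, ua)
  login!(env, 42)
  new_sid = store.commit(env)

  {
    planted_sid: planted_sid,
    new_sid: new_sid,
    planted_still_valid: store.sessions.key?(planted_sid),
    user_via_new_sid: current_user(store.env_for(new_sid, ua)),
    user_via_other_ua: current_user(store.env_for(new_sid, 'curl/8.0'))
  }
end

p fixation_demo if __FILE__ == $PROGRAM_NAME
```

The key points are the two lines in `login!`: `session.clear` so that nothing the attacker put in the session survives, and the `:renew` flag so the pre-login session id stops being valid once the user is authenticated. The fingerprint check is separate from fixation; it only limits what a stolen id is worth afterwards.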
