Koren Leslie Cohen

  • About
  • Blog
  • Contact

1 comment

Ruby / Rails

The Importance of Web Application Security

July 9, 2014 by Koren Leslie Cohen

preloader

Last week, I deployed my first web applications, a big moment in any developer’s life.  One app, a guestbook for my friend’s wedding, was written in Ruby, dependent on the Sinatra gem  and deployed through Heroku.  It consisted of a simple form where friends and family could leave messages for the happy couple.

html5 css3 ruby sinatra

I excitedly posted a link to the application on Twitter, and moments later my app was hacked. Silly me, I forgot to secure my web form:

web application security

In my case, I was lucky.  My app was hacked by someone I knew, and all they did was drop an HTML <div> into the form which changed the CSS properties of my website.  Without form security, I was also vulnerable to more dangerous html injections such as script injections.  Silver lining.

Injections

An injection is any code injected into an application.  Instead of inputting the intended text, code can be injected into a form which the browser or web application will read and render as part of the program.  Injections can come in three general forms: (1) HTML injections, including script injections, (2) SQL injections and (3) mass assignment.

SQL Injections

SQL injections are used to attack data-driven applications which use a database.  A SQL command can be entered which will manipulate the application’s database.  This cartoon, ironically the same cartoon that took over my web application, depicts one of the many risks associated with SQL injections:

SQL injection

SQL injections can not only drop databases; they can be used to steal the personal information stored in those databases.  If you haven’t been living under a rock for the past decade, you’ve probably read about well known SQL injection attacks to Yahoo, Target and many large retailers. Even MySQL has been the victim of a SQL injection attack.  Due to the number of attempted SQL injections, web applications should not be left unsecured for even a short period of time.

SQL injections can be complicated. If you’d like to learn more about how SQL injections are carried out, the following resources can help:

SQL Injection

SQL Injection: What is it?

Sanitizing Data

The first step to securing your forms is to sanitize data.  This can be difficult, but there are certain steps that should always be taken, including escaping user input, regular testing for vulnerabilities and stricter password policies.

Escaping User Input

Escaping user input is the process of sanitizing the data input into your application. In the case of my Sinatra application, instead of reading the text included in the message form, the strong_params and html_safe methods are now called (see below).

post '/messages' do 
  @message = Message.new(strong_params)
  if @message.save
    redirect to("/messages/#{@message.id}")
  else
    erb :"messages/new"
  end
end

def strong_params
  params[:message].each_with_object({}) do |pair,hash|
    hash[html_safe(pair[0])] = html_safe(pair[1])
  end
end

def html_safe(text)
  Rack::Utils.escape_html(text)
end

To learn more about sanitizing user input for Sinatra applications, see the Frequently Asked Questions.

  • About
  • Latest Posts
Connect
Koren Leslie Cohen
Product manager at Facebook. Former senior product manager at Dollar Shave Club in Los Angeles and software engineer at J.Crew / Madewell in New York City. Recovering trial lawyer.
Connect
Latest posts by Koren Leslie Cohen (see all)
  • PM Career Story - April 28, 2022
  • How to Transition into Product Management - December 26, 2017
  • What I’ve Learned in My First Few Months as a Product Manager - October 14, 2015

Related Posts

Creating a Simple Search in Rails 4
Adding a Static Page to a Rails Application

Share

Facebook Google+ Twitter Pinterest Email

Comments Cancel reply

Your email address will not be published. Required fields are marked *

*

code

  1. Giggles says

    May 10, 2016 at 10:11 am

    Thanks for writing such an eatn-so-understayd article on this topic.

    Reply

Back to Blog

  • GitHub
  • Instagram
  • LinkedIn
  • RSS
  • Twitter

Looking for something?

Copyright 2023 Koren Leslie Cohen